HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 32976-33066 [2024-08503]

Federal Register / Vol. 89, No. 82 / Friday, April 26, 2024 / Rules and Regulations

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0945–AA20

HIPAA Privacy Rule To Support Reproductive Health Care Privacy

AGENCY: Office for Civil Rights (OCR), Office of the Secretary, Department of Health and Human Services.

ACTION: Final rule.

SUMMARY: The Department of Health and Human Services (HHS or "Department") is issuing this final rule to modify the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The Department is issuing this final rule after careful consideration of all public comments received in response to the notice of proposed rulemaking (NPRM) for the HIPAA Privacy Rule to Support Reproductive Health Care Privacy ("2023 Privacy Rule NPRM") and public comments received on proposals to revise provisions of the HIPAA Privacy Rule in the NPRM for the Confidentiality of Substance Use Disorder (SUD) Patient Records ("2022 Part 2 NPRM").

DATES: Effective date: This final rule is effective on June 25, 2024. Compliance date: Persons subject to this regulation must comply with the applicable requirements of this final rule by December 23, 2024, except for the applicable requirements of 45 CFR 164.520 in this final rule. Persons subject to this regulation must comply with the applicable requirements of 45 CFR 164.520 in this final rule by February 16, 2026.

FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 240–3110 or (800) 537–7697 (TDD), or by email at OCRPrivacy@hhs.gov.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Executive Summary
A. Overview
B. Effective and Compliance Dates
1. 2023 Privacy Rule NPRM
2. Overview of Comments
3. Final Rule
4. Response to Public Comments
II. Statutory and Regulatory Background
A. Statutory Authority and History
1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
2. Health Information Technology for Economic and Clinical Health (HITECH) Act
B. Regulatory History
1. 2000 Privacy Rule
2. 2002 Privacy Rule
3. 2013 Omnibus Rule
4. 2024 Privacy Rule
III. Justification for This Rulemaking
A. HIPAA Encourages Trust and Confidence by Carefully Balancing Individuals' Privacy Interests With Others' Interests in Using or Disclosing PHI
1. Privacy Protections Ensure That Individuals Have Access to, and Are Comfortable Accessing, High-Quality Health Care
2. The Department's Approach to the Privacy Rule Has Long Sought To Balance the Interests of Individuals and Society
B. Developments in the Legal Environment Are Eroding Individuals' Trust in the Health Care System
C. To Protect the Trust Between Individuals and Health Care Providers, the Department Is Restricting Certain Uses and Disclosures of PHI for Particular Non-Health Care Purposes
IV. General Discussion of Public Comments
A. General Comments in Support of the Proposed Rule
B. General Comments in Opposition to the Proposed Rule
C. Other General Comments on the Proposed Rule
V. Summary of Final Rule Provisions and Public Comments and Responses
A. Section 160.103 Definitions
1. Clarifying the Definition of "Person"
2. Interpreting Terms Used in Section 1178(b) of the Social Security Act
3. Adding a Definition of "Reproductive Health Care"
4. Whether the Department Should Define Any Additional Terms
B. Section 164.502—Uses and Disclosures of Protected Health Information: General Rules
1. Clarifying When PHI May Be Used or Disclosed by Regulated Entities
2. Adding a New Category of Prohibited Uses and Disclosures
3. Clarifying Personal Representative Status in the Context of Reproductive Health Care
4. Request for Comments
C. Section 164.509—Uses and Disclosures for Which an Attestation is Required
1. Current Provision
2. Proposed Rule
3. Overview of Public Comments
4. Final Rule
5. Responses to Public Comments
D. Section 164.512—Uses and Disclosures for Which an Authorization or Opportunity To Agree or Object Is Not Required
1. Applying the Prohibition and Attestation Condition to Certain Permitted Uses and Disclosures
2. Making a Technical Correction to the Heading of 45 CFR 164.512(c) and Clarifying That Providing or Facilitating Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence
3. Clarifying the Permission for Disclosures Based on Administrative Processes
4. Request for Information on Current Processes for Receiving and Addressing Requests Pursuant to 164.512(d) Through (g)(1)
E. Section 164.520—Notice of Privacy Practices for Protected Health Information
1. Current Provision
2. CARES Act
3. Proposals in 2022 Part 2 NPRM and 2023 Privacy Rule NPRM
4. Overview of Public Comments
5. Final Rule
6. Responses to Public Comments
F. Section 164.535—Severability
G. Comments on Other Provisions of the HIPAA Rules
VI. Regulatory Impact Analysis
A. Executive Order 12866 and Related Executive Orders on Regulatory Review
1. Summary of Costs and Benefits
2. Baseline Conditions
3. Costs of the Rule
B. Regulatory Alternatives to the Final Rule
C. Regulatory Flexibility Act—Small Entity Analysis
D. Executive Order 13132—Federalism
E. Assessment of Federal Regulation and Policies on Families
F. Paperwork Reduction Act of 1995
Explanation of Estimated Annualized Burden Hours

TABLE OF ACRONYMS

Term ..................... Meaning
AMA ..................... American Medical Association.
API ..................... Application Programming Interface.
CARES Act ............... Coronavirus Aid, Relief, and Economic Security Act.
CDC ..................... Centers for Disease Control and Prevention.
CLIA .................... Clinical Laboratory Improvement Amendments of 1988.
CMS ..................... Centers for Medicare & Medicaid Services.
DOD ..................... Department of Defense.
Department or HHS ....... Department of Health and Human Services.
EHR ..................... Electronic Health Record.
E.O. .................... Executive Order.
FDA ..................... Food and Drug Administration.
FHIR® ................... Fast Healthcare Interoperability Resources®.
FTC ..................... Federal Trade Commission.
GINA .................... Genetic Information Nondiscrimination Act of 2008.
Health IT ............... Health Information Technology.
HIE ..................... Health Information Exchange.
HIPAA ................... Health Insurance Portability and Accountability Act of 1996.
HITECH Act .............. Health Information Technology for Economic and Clinical Health Act of 2009.
ICR ..................... Information Collection Request.
IIHI .................... Individually Identifiable Health Information.
NCVHS ................... National Committee on Vital and Health Statistics.
NICS .................... National Instant Criminal Background Check System.
NPP ..................... Notice of Privacy Practices.
NPRM .................... Notice of Proposed Rulemaking.
OCR ..................... Office for Civil Rights.
OHCA .................... Organized Health Care Arrangement.
OMB ..................... Office of Management and Budget.
ONC ..................... Office of the National Coordinator for Health Information Technology.
PHI ..................... Protected Health Information.
PRA ..................... Paperwork Reduction Act of 1995.
RFA ..................... Regulatory Flexibility Act.
RIA ..................... Regulatory Impact Analysis.
SBA ..................... Small Business Administration.
SSA ..................... Social Security Act of 1935.
TPO ..................... Treatment, Payment, or Health Care Operations.
UMRA .................... Unfunded Mandates Reform Act of 1995.

I. Executive Summary

A. Overview

In this final rule, the Department of Health and Human Services (HHS or "Department") modifies certain provisions of the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule"), issued pursuant to section 264 of the Administrative Simplification provisions of title II, subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[1] The Privacy Rule[2] is one of several rules, collectively known as the HIPAA Rules,[3] that protect the privacy and security of individuals' protected health information[4] (PHI), which is individually identifiable health information[5] (IIHI) transmitted by or maintained in electronic media or any other form or medium, with certain exceptions.[6] The Privacy Rule requires the disclosure of PHI only in the following circumstances: when required by the Secretary to investigate a regulated entity's compliance with the Privacy Rule and to the individual pursuant to the individual's right of access and the individual's right to an accounting of disclosures.[7] Any other uses or disclosures described in the Privacy Rule are either permitted or prohibited, as specified in the Privacy Rule. For example, the Privacy Rule permits, but does not require, a regulated entity to disclose PHI to conduct quality improvement activities when applicable conditions are met, and it prohibits a regulated entity from selling PHI except pursuant to and in compliance with 45 CFR 164.508(a)(4).[8]

In accordance with its statutory mandate, the Department promulgated the Privacy Rule and continues to administer and enforce it to ensure that individuals are not afraid to seek health care from, or share important information with, their health care providers because of a concern that their sensitive information will be disclosed outside of their relationship with their health care provider. Protecting privacy promotes trust between health care providers and individuals, advancing access to and improving the quality of health care. To achieve this goal, the Department generally has applied the same privacy standards to nearly all PHI, regardless of the type of health care at issue. Notably, special protections were given to psychotherapy notes, owing in part to the particularly sensitive information those notes contain.[9] Under its statutory authority to administer and enforce the HIPAA Rules, the Department may modify the HIPAA Rules as needed.[10]

The Supreme Court decision in Dobbs v. Jackson Women's Health Organization[11] (Dobbs) overturned precedent that protected a constitutional right to abortion and altered the legal and health care landscape. This decision has far-reaching implications for reproductive health care beyond its effects on access to abortion.[12] This changing legal landscape increases the likelihood that an individual's PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect, including the trust of individuals in health care providers and the health care system.[13] The threat that PHI will be disclosed and used to conduct such an investigation against, or to impose liability upon, an individual or another person is likely to chill an individual's willingness to seek lawful health care treatment or to provide full information to their health care providers when obtaining that treatment, and on the willingness of health care providers to provide such care.[14] These developments in the legal environment increase the potential that use and disclosure of PHI about an individual's reproductive health will undermine access to and the quality of health care generally.

In order to continue to protect privacy in a manner that promotes trust between individuals and health care providers and advances access to, and improves the quality of, health care, we have determined that the Privacy Rule must be modified to limit the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual's PHI about reproductive health care for certain non-health care purposes, where such use or disclosure could be detrimental to privacy of the individual or another person or the individual's trust in their health care providers. This determination was informed by our expertise in administering the Privacy Rule, questions we have received from members of the public and Congress, comments we received on the 2023 HIPAA Privacy Rule to Support Reproductive Health Care Privacy notice of proposed rulemaking (NPRM) ("2023 Privacy Rule NPRM"),[15] and our analysis of the state of privacy for IIHI. This final rule ("2024 Privacy Rule") amends provisions of the Privacy Rule to strengthen privacy protections for highly sensitive PHI about the reproductive health care of an individual, and directly advances the purposes of HIPAA by setting minimum protections for PHI and providing peace of mind that is essential to individuals' ability to obtain lawful reproductive health care. This final rule balances the interests of society in obtaining PHI for non-health care purposes with the interests of the individual, the Federal Government, and society in protecting individual privacy, thereby improving the effectiveness of the health care system by ensuring that persons are not deterred from seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided.

The Department carefully analyzed state prohibitions and restrictions on an individual's ability to obtain high-quality health care and their effects on health information privacy and the relationships between individuals and their health care providers after Dobbs; assessed trends in state legislative activity with respect to the privacy of PHI; and conducted a thorough review of the text, history, and purposes of HIPAA and the Privacy Rule. The Department also engaged in extensive discussions with HHS agencies and other Federal departments, including the Department of Justice; consulted with the National Committee on Vital and Health Statistics (NCVHS) and the Attorney General as required by section 264(d) of HIPAA, and with Indian Tribes as required by Executive Order 13175;[16] held listening sessions with and reviewed correspondence from stakeholders, including covered entities, states, individuals, and patient advocates; and reviewed correspondence to HHS from Members of Congress.[17] The modifications made to the Privacy Rule by this final rule are the result of this work.

B. Effective and Compliance Dates

1. 2023 Privacy Rule NPRM

In the 2023 Privacy Rule NPRM, the Department proposed an effective date for a final rule that would occur 60 days after publication, and a compliance date that would occur 180 days after the effective date.[18] Taken together, the two dates would give entities 240 days after publication to implement compliance measures. In the preamble to the proposed rule, the Department stated that it did not believe that the proposed rule would pose unique implementation challenges that would justify an extended compliance period (i.e., a period longer than the standard 180 days provided in 45 CFR 160.105).[19] The Department also asserted that adherence to the standard compliance period is necessary to timely address the circumstances described in the 2023 Privacy Rule NPRM.

2. Overview of Comments

A commenter urged the Department to move quickly to issue the final rule and to provide a 180-day compliance period as proposed. Some commenters requested that the Department provide additional time for regulated entities to comply with the proposed modifications to the Privacy Rule. Several commenters requested that the Department coordinate compliance deadlines across its rulemakings, while a few commenters specifically encouraged the Department to provide additional time for compliance with the modifications to the Notice of Privacy Practices (NPP) requirements proposed in the 2023 Privacy Rule NPRM.

3. Final Rule

This final rule is effective on June 25, 2024. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to comply with the final rule's provisions, with the exception of the NPP provisions, which we address separately below. We understand that some covered entities and business associates remain concerned that a 180-day period may not provide sufficient time to come into compliance with the modified requirements. However, we believe that providing a 180-day compliance period best comports with section 1175(b)(2) of the Social Security Act of 1935 (SSA), 42 U.S.C. 1320d–4, and our implementing provision at 45 CFR 160.104(c)(1), which require the Secretary to provide at least a 180-day period for covered entities to comply with modifications to standards and implementation specifications in the HIPAA Rules, and also that providing a 180-day compliance period best protects the privacy and security of individuals' PHI in a timely manner that reflects the urgency of addressing the changes in the legal landscape and their effects on individuals, regulated entities, and other persons, while balancing the burden imposed upon regulated entities of implementing this final rule.

Section 160.104(a) permits the Department to adopt a modification to a standard or implementation specification adopted under the Privacy Rule no more frequently than once every 12 months.[20] As discussed above, we are required to provide a minimum of a 180-day compliance period when adopting a modification, but we are permitted to provide a longer compliance period based on the extent of the modification and the time needed to comply with the modification in determining the compliance date for the modification.[21] The Department makes every effort to consider the burden and cost of implementation for regulated entities when determining an appropriate compliance date. While we recognize that regulated entities will need to revise and implement changes to their policies and procedures in response to the modifications in this final rule, we do not believe that these changes are so significant as to require more than a 180-day compliance period. This final rule narrowly tailors the application of its changes to certain limited circumstances involving lawful reproductive health care and clarifies that regulated entities are not expected to know or be aware of laws other than those with which they are required to comply. While it adds a condition to certain requests for uses and disclosures, the affected requests already require careful review by regulated entities for compliance with previously imposed conditions. Thus, we do not believe it will be difficult for regulated entities to adjust their policies and procedures to accommodate this new requirement. The other modifications finalized in this rule are in service of implementing the two changes above and impose minimal burden on regulated entities. Additionally, the Department believes, based on its evaluation of the evolving privacy landscape, that the changes made by this final rule are of particular urgency. Accordingly, we believe that a 180-day compliance period, combined with a 60-day effective date, is sufficient for regulated entities to make the changes required by most of the modifications in this final rule, with the exception of the NPP provisions.

We separately consider the question of the compliance date for the modifications to the NPP provisions. In the 2022 Confidentiality of Substance Use Disorder (SUD) Patient Records NPRM ("2022 Part 2 NPRM"),[22] the Department proposed, among other things, to revise 45 CFR 164.520 as required by section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.[23] The Department proposed to provide the same compliance date for both the proposed modifications to 45 CFR 164.520 and the more extensive modifications to 42 CFR part 2 ("Part 2").[24] The 2024 Confidentiality of Substance Use Disorder (SUD) Patient Records Final Rule ("2024 Part 2 Rule") explicitly noted that the Department was not finalizing the proposed modifications to the NPP provisions at that time, but that we planned to do so in a future HIPAA final rule.[25] The Department also acknowledged that some covered entities might have NPPs that would not reflect updated changes to policies and procedures addressing how Part 2 records are used and disclosed. Rather than requiring covered entities to revise their NPPs twice in a short period of time, the Department announced in the 2024 Part 2 Rule that it would exercise enforcement discretion related to the requirement that covered entities update their NPPs whenever material changes are made to privacy practices until the compliance date established by a future HIPAA final rule.[26] The Department is finalizing the modifications to the NPP required by section 3221 of the CARES Act in this rule and aligning the effective and compliance dates for all of the modified NPP requirements with those of the 2024 Part 2 Rule. The compliance date of the 2024 Part 2 Rule is February 16, 2026, substantially later than the compliance date for most of this final rule, because of the significant changes required for compliance with the 2024 Part 2 Rule. Accordingly, in compliance with 45 CFR 160.104 and consistent with the NPP proposals included in the 2022 Part 2 NPRM and public comment, we are aligning the compliance date for the NPP changes required by this final rule with the compliance date for the 2024 Part 2 Rule so that covered entities regulated under both rules can implement all changes to their NPPs at the same time. Covered entities are expected to be in compliance with the modifications to 45 CFR 164.520 on February 16, 2026.

4. Response to Public Comments

Comment: One commenter expressed support for the proposal in the 2023 Privacy Rule NPRM to establish a 180-day compliance date and urged the Department to issue a final rule quickly. Some commenters sought an extension of the compliance date for twelve to eighteen months, explaining that extensive policy and legal work, process and software changes, documentation and training would be required to implement the 2023 Privacy Rule NPRM. One commenter suggested phasing in the attestation requirement so that "downstream" regulated entities, such as business associates and managed care organizations, would have a later compliance date than health care providers.

Response: We appreciate the commenters' suggestions, but as discussed above, based on our assessment, we do not believe the modifications required by this final rule will require longer to implement.

Comment: Some commenters requested that the Department coordinate compliance deadlines of final rules that revise the Privacy Rule or publish one final rule addressing the proposals in the NPRMs to enable regulated entities to leverage the resources required to implement the changes to achieve compliance with all of the new requirements at one time. One commenter explained that each NPRM would involve operational changes requiring significant resources and effort and expressed their belief that a single comprehensive final rule would allow regulated entities to make all of the required changes, including revisions to policies and procedures, development of new or revised workflows, electronic health record (EHR) updates, and technology enhancements.

Response: We appreciate the commenters' suggestion, but we do not believe that it is necessary to fully align the compliance dates for the 2024 Part 2 Rule and the 2024 Privacy Rule. By imposing separate compliance deadlines, we are able to act more quickly to protect the privacy of PHI. However, consistent with 45 CFR 160.104 and as requested by public comment, we are applying the same compliance date for covered entities to revise their NPPs to address modifications made to 45 CFR 164.520 in response to and consistent with the CARES Act and to support reproductive health care privacy. The compliance date for the NPP provisions is February 16, 2026.[27] Part 2 programs, including those that are covered entities, can choose to implement the changes to their NPPs that are required by the 2024 Part 2 Rule prior to the compliance date, but there is no requirement that they do so.

Footnotes to Section I:

[1] Subtitle F of title II of HIPAA (Pub. L. 104–191, 110 Stat. 1936 (Aug. 21, 1996)) added a new part C to title XI of the Social Security Act of 1935 (SSA), Public Law 74–271, 49 Stat. 620 (Aug. 14, 1935), (see sections 1171–1179 of the SSA (codified at 42 U.S.C. 1320d–1320d–8)), as well as promulgating section 264 of HIPAA (codified at 42 U.S.C. 1320d–2 note), which authorizes the Secretary to promulgate regulations with respect to the privacy of individually identifiable health information. The Privacy Rule has subsequently been amended pursuant to the Genetic Information Nondiscrimination Act of 2008 (GINA), title I, section 105, Public Law 110–233, 122 Stat. 881 (May 21, 2008) (codified at 42 U.S.C. 2000ff), and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Public Law 111–5, 123 Stat. 226 (Feb. 17, 2009) (codified at 42 U.S.C. 1390w–4(O)(2)).
[2] 45 CFR parts 160 and 164, subparts A and E. For a history of the Privacy Rule, see infra Section II.B., "Regulatory History."
[3] See also the HIPAA Security Rule, 45 CFR parts 160 and 164, subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part 164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, and E.
[4] 45 CFR 160.103 (definition of "Protected health information").
[5] 42 U.S.C. 1320d. See also 45 CFR 160.103 (definition of "Individually identifiable health information").
[6] At times throughout this final rule, the Department uses the terms "health information" or "individuals' health information" to refer generically to health information pertaining to an individual or individuals. In contrast, the Department's use of the term "IIHI" refers to a category of health information defined in HIPAA, and "PHI" is used to refer specifically to a category of IIHI that is defined by and subject to the privacy and security standards promulgated in the HIPAA Rules.
[7] See 45 CFR 164.502(2) and (4).
[8] See 45 CFR 164.512(i) and 164.502(a)(5)(ii).
[9] See 45 CFR 164.501 and 164.508(a)(2).
[10] Section 1174(b)(1) of Public Law 104–191 (codified at 42 U.S.C. 1320d–3).
[11] 597 U.S. 215 (2022).
[12] See Melissa Suran, "Treating Cancer in Pregnant Patients After Roe v Wade Overturned," JAMA (Sept. 29, 2022), https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2797062?resultClick=1 and Rita Rubin, "How Abortion Bans Could Affect Care for Miscarriage and Infertility," JAMA (June 28, 2022), https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2793921?resultClick=1.
[13] See infra National Committee on Vital and Health Statistics (NCVHS) discussion, Section II.A.1., expressing concern for harm caused by disclosing identifiable health information for non-health care purposes.
[14] See Whitney S. Rice et al., "'Post-Roe' Abortion Policy Context Heightens Imperative for Multilevel, Comprehensive, Integrated Health Education," (Sept. 29, 2022), https://journals.sagepub.com/doi/full/10.1177/10901981221125399 ("New ethical and legal complexities around patient counseling are emerging, particularly in states limiting or eliminating abortion access, due to more extreme abortion restrictions. Clinicians in such contexts may be forced to adhere to legal requirements of states which run counter to well-being and desires of patients, violating the medical principles of beneficence and respect for patient autonomy").
[15] 88 FR 23506 (Apr. 17, 2023).
[16] See 65 FR 67249 (Nov. 11, 2000). See also Presidential Memorandum on Tribal Consultation and Strengthening Nation-to-Nation Relationships (Jan. 26, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/01/26/memorandum-on-tribal-consultation-and-strengthening-nation-to-nation-relationships/ and Dep't of Health and Human Servs., Tribal Consultation Policy, https://www.hhs.gov/sites/default/files/iea/tribal/tribalconsultation/hhs-consultation-policy.pdf. See also 88 FR 23506 (Apr. 17, 2023) (notice of Tribal consultation). The Department consulted with representatives of Tribal Nations on May 17, 2023. During the consultation, the representatives raised issues of health inequities and privacy of health information, specifically among American Indians and Alaskan Natives after Dobbs.
[17] Letter from U.S. Senator Tammy Baldwin et al. to HHS Sec'y Xavier Becerra (Mar. 7, 2023) (addressing HIPAA privacy regulations and Dobbs v. Jackson Women's Health Organization). Letter from U.S. Senator Patty Murray et al. to HHS Sec'y Xavier Becerra (Sept. 13, 2022) (addressing HIPAA privacy regulations and Dobbs v. Jackson Women's Health Organization). Letter from U.S. Representative Earl Blumenauer et al. to HHS Sec'y Xavier Becerra (Aug. 30, 2022) (addressing HIPAA privacy regulations and Dobbs v. Jackson Women's Health Organization). Letter from U.S. Senator Michael F. Bennet et al. to HHS Sec'y Xavier Becerra (July 1, 2022) (addressing HIPAA privacy regulations and Dobbs v. Jackson Women's Health Organization).
[18] See 88 FR 23506, 23510 (Apr. 17, 2023).
[19] See id.
[20] 45 CFR 160.104(a).
[21] 45 CFR 160.104(c)(2).
[22] 87 FR 74216 (Dec. 2, 2022).
[23] Public Law 116–136, 134 Stat. 281 (Mar. 27, 2020).
[24] 89 FR 12472 (Feb. 16, 2024).
[25] Id. at 12482, 12528, and 12530.
[26] Id. at 12482, 12528, and 12530.
[27] 89 FR 12472 (Feb. 16, 2024).

II. Statutory and Regulatory Background

A. Statutory Authority and History

1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)

In 1996, Congress enacted HIPAA[28] to reform the health care delivery system to "improve portability and continuity of health insurance coverage in the group and individual markets."[29] To enable health care delivery system reform, Congress included in HIPAA requirements for standards to support the electronic exchange of health information. According to section 261, "[i]t is the purpose of this subtitle to improve [. . .] the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information [. . .]."[30] Congress applied the Administrative Simplification provisions directly to three types of entities known as "covered entities"—health plans, health care clearinghouses, and health care providers who transmit information electronically in connection with a transaction for which HHS has adopted a standard.[31] Section 262(a) of HIPAA required the Secretary to adopt uniform standards "to enable health information to be exchanged electronically."[32] Congress directed the Secretary to adopt standards for unique identifiers to identify individuals, employers, health plans, and health care providers across the nation[33] and standards for, among other things, transactions and data elements relating to health information,[34] the security of that information,[35] and verification of electronic signatures.[36]

Congress recognized that the standardization of certain electronic health care transactions required by HIPAA posed risks to the privacy of confidential health information and viewed individual privacy, confidentiality, and data security as critical for orderly administrative simplification.[37] Thus, as explained in the preamble to the 2023 Privacy Rule NPRM,[38] Congress provided the Department with the authority to regulate the privacy of IIHI. According to one Member of Congress, privacy standards would create an additional layer of protection beyond the oath pledged by health care providers to keep information secure and, as described by another Member, would further protect information from being used in a "malicious or discriminatory manner."[39] Congress intended for the law to enhance individuals' trust in health care providers, which required that the law provide additional protection for the confidentiality of IIHI. As described by a Member of Congress: "The bill would also establish strict security standards for health information because Americans clearly want to make sure that their health care records can only be used by the medical professionals that treat them. Often, we assume that because doctors take an oath of confidentiality that in fact all who touch their records operate by the same standards. Clearly, they do not."[40] Moreover, Congress considered that health care reform required an approach that would not compromise privacy as health information became more accessible.[41]

Accordingly, section 264(a) directed the Secretary to submit to Congress detailed recommendations for Federal "standards with respect to the privacy of [IIHI]" nationwide within one year of HIPAA's enactment.[42] The statute made clear that the Secretary had the authority to promulgate regulations if Congress did not enact legislation covering these matters within three years.[43] Congress directed the Secretary to ensure that the regulations promulgated "address at least" the following three subjects: (1) the rights that an individual who is a subject of IIHI should have; (2) the procedures that should be established for the exercise of such rights; and (3) the uses and disclosures of such information that should be authorized or required.[44] Additionally, Congress provided a clear statement that HIPAA's provisions would "supersede any contrary

Footnotes to Section II:

[28] Public Law 104–191, 110 Stat. 1936 (Aug. 21, 1996).
[29] See H.R. Rep. No. 104–496, at 66–67 (1996).
[30] 42 U.S.C. 1320d note (Statutory Notes and Related Subsidiaries: Purpose). Subtitle F also amended related provisions of the SSA.
[31] See section 262 of Public Law 104–191, adding section 1172 to the SSA (codified at 42 U.S.C. 1320d–1). See also section 13404 of the American Recovery and Reinvestment Act of 2009, Public Law 111–5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 17934) (applying privacy provisions and penalties to business associates of covered entities).
[32] 42 U.S.C. 1320d–2(a)(1).
[33] 42 U.S.C. 1320d–2(b)(1).
[34] 42 U.S.C. 1320d–2(a), (c), and (f).
[35] 42 U.S.C. 1320d–2(d).
[36] 42 U.S.C. 1320d–2(e).
[37] On a resolution waiving points of order against the Conference Report to H.R. 3103, members debated an "erosion of privacy" balanced against the administrative simplification provisions. Thus, from HIPAA's inception, privacy has been a central concern to be addressed as legislative changes eased disclosures of PHI. See 142 Cong. Rec. H9777 and H9780; see also H.R. Rep. No. 104–736, at 177 and 264 (1996); 142 Cong. Rec. H9780 (daily ed. Aug. 1, 1996) (statement of Rep. Sawyer); 142 Cong. Rec. H9792 (daily ed. Aug. 1, 1996) (statement of Rep. McDermott); and 142 Cong. Rec. S9515–16 (daily ed. Aug. 2, 1996) (statement of Sen. Simon).
[38] 88 FR 23506, 23511 (Apr. 17, 2023).
[39] See statement of Rep. Sawyer, supra note 37. See also statement of Sen. Simon, supra note 37.
[40] Statement of Rep. Sawyer, supra note 37.
[41] See H.R. Rep. No. 104–496 Part 1, at 99–100 (Mar. 25, 1996).
[42] 42 U.S.C. 1320d–2 note.
[43] Id.
[44] Id.
82 / Friday, April 26, 2024 / Rules and Regulations provision of State law,’’ with certain limited exceptions.45 One exception to this general preemption authority is for ‘‘state privacy laws that are contrary to and more stringent than the corresponding federal standard, requirement, or implementation specification.’’ 46 Thus, Congress intended for the Department to create privacy standards to safeguard health information while respecting the ability of states to provide individuals with additional health information privacy. Congress required the Secretary to consult with the NCVHS,47 thereby ensuring that the Secretary’s decisions reflected public and expert involvement and advice in carrying out the requirements of section 264.48 NCVHS sent its initial recommendations to the Secretary in a letter to the Secretary on June 27, 1997. Importantly, NCVHS advised that ‘‘strong substantive and procedural protections’’ should be imposed if health information were to be disclosed to law enforcement, and, where identifiable health information would be made available for non-health purposes, individuals should be afforded assurances that their data would not be used against them.49 Additionally, NCVHS ‘‘unanimously’’ recommended that ‘‘[. . .] the Secretary and the Administration assign the highest priority to the development of a strong position on health privacy that provides the highest possible level of protection for the privacy rights of patients.’’ 50 NCVHS further noted that failure to do so would ‘‘undermine public confidence in the health care system, expose patients to continuing invasions of privacy, subject record keepers to potentially significant legal liability, and interfere with the ability of 45 42 U.S.C. 1320d–7. FR 82580 (the exception applies under section 1178(a)(2)(B) of the SSA and section 264(c)(2) of HIPAA). 
47 NCVHS serves as the Secretary’s statutory public advisory body for health data, statistics, privacy, and national health information policy and HIPAA. NCVHS also advises the Secretary, ‘‘reports regularly to Congress on HIPAA implementation, and serves as a forum for interaction between HHS and interested private sector groups on a range of health data issues.’’ Nat’l Comm. On Vital and Health Statistics, ‘‘About NCVHS,’’ https:// ncvhs.hhs.gov/; see also ‘‘NCVHS 60th Anniversary Symposium and History,’’ U.S. Dep’t of Health and Human Servs., at 28–29 (Feb. 2011), https://ncvhs. hhs.gov/wp-content/uploads/2014/05/60_years_of_ difference.pdf. 48 See section 264(a) and (d) of Public Law 104– 191 (codified at 42 U.S.C. 1320d–2 note). 49 Letter from NCVHS Chair Don E. Detmer to HHS Sec’y Donna E. Shalala (June 27, 1997) (forwarding NCVHS recommendations), https:// ncvhs.hhs.gov/rrp/june-27-1997-letter-to-thesecretary-with-recommendations-on-health-privacyand-confidentiality/. 50 Id. at Principal Findings and Recommendations. ddrumheller on DSK120RN23PROD with RULES5 46 65 VerDate Sep<11>2014 20:54 Apr 25, 2024 Jkt 262001 health care providers and others to operate the health care delivery and payment system in an effective and efficient manner,’’ which would undermine what Congress intended.51 NCVHS further recommended that ‘‘any rules regulating disclosures of identifiable health information be as clear and as narrow as possible. Each group of users must be required to justify their need for health information and must accept reasonable substantive and procedural limitations on access.’’ 52 According to NCVHS, this would allow for the disclosures that society deemed necessary and appropriate while providing individuals with clear expectations regarding their health information privacy. As we noted in the 2023 Privacy Rule NPRM,53 Congress contemplated that the Department’s rulemaking authorities under HIPAA would not be static. 
Congress specifically built in a mechanism to adapt such regulations as technology and health care evolve, directing that the Secretary review and modify the Administrative Simplification standards as determined appropriate, but not more frequently than once every 12 months.54 That statutory directive complements the Secretary’s general rulemaking authority to ‘‘make and publish such rules and regulations, not inconsistent with this chapter, as may be necessary to the efficient administration of the functions with which each is charged under this chapter.’’ 55 2. Health Information Technology for Economic and Clinical Health (HITECH) Act On February 17, 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) 56 to promote the widespread adoption and standardization of health information technology (health IT). The HITECH Act included additional HIPAA privacy and security requirements for covered entities and business associates and expanded certain rights of individuals with respect to their PHI. Congress understood the importance of a relationship between a connected health IT landscape, ‘‘a necessary and 51 Id. 52 Id. at Third-Party Disclosures. FR 23506, 23513 (Apr. 17, 2023). 54 See section 1174(b)(1) of Public Law 104–191 (codified at 42 U.S.C. 1320d–3). 55 Section 1102 of the SSA (codified at 42 U.S.C. 1302). 56 Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law 111–5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 201 note). 53 88 PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 32981 vital component of health care reform,’’ 57 and privacy and security standards when it enacted the HITECH Act. 
The Purpose statement of an accompanying House of Representatives report 58 on the Energy and Commerce Recovery and Reinvestment Act 59 recognizes that ‘‘[i]n addition to costs, concerns about the security and privacy of health information have also been regarded as an obstacle to the adoption of [health IT].’’ The Senate Report for S. 336 60 similarly acknowledges that ‘‘[i]nformation technology systems linked securely and with strong privacy protections can improve the quality and efficiency of health care while producing significant cost savings.’’ 61 As the Department explained in the 2013 regulation referred to as the ‘‘Omnibus Rule’’ 62 and discussed in greater detail below, the HITECH Act’s additional HIPAA privacy and security requirements 63 supported Congress’ goal of promoting widespread adoption and interoperability of health IT by ‘‘strengthen[ing] the privacy and security protections for health information established by HIPAA.’’ 64 In passing the HITECH Act, Congress instructed the Department that any new health IT standards adopted under section 3004 of the Public Health Service Act (PHSA) must take into account the privacy and security requirements of the HIPAA Rules.65 Congress also affirmed that the existing HIPAA Rules were to remain in effect to the extent that they are consistent with the HITECH Act and directed the Secretary to revise the HIPAA Rules as necessary for consistency with the 57 C. Stephen Redhead, Cong. Rsch. Serv., R40161, ‘‘The Health Information Technology for Economic and Clinical Health (HITECH) Act,’’ (2009), https://crsreports.congress.gov/product/pdf/ R/R40161/9 (‘‘[Health IT], which generally refers to the use of computer applications in medical practice, is widely viewed as a necessary and vital component of health care reform.’’). 58 H.R. Rep. No. 111–7, at 74 (2009), accompanying H.R. 629, 111th Cong. 59 H.R. 
629, Energy and Commerce Recovery and Reinvestment Act of 2009, introduced in the House on January 22, 2009, contained nearly identical provisions to subtitle D of the HITECH Act. 60 Congress enacted the American Recovery and Reinvestment Act of 2009, which included the HITECH Act, on February 17, 2009. While it was the House version of the bill, H.R. 1, that was enacted, the Senate version, S. 336, contained nearly identical provisions to subtitle D of the HITECH Act. 61 S. Rep. No. 111–3 accompanying S. 336, 111th Cong., at 59 (2009). 62 78 FR 5566 (Jan. 25, 2013). 63 Subtitle D of title XIII of the HITECH Act (codified at 42 U.S.C. 17921, 42 U.S.C. 17931– 17941, and 42 U.S.C. 17951–17953). 64 78 FR 5566, 5568 (Jan. 25, 2013). 65 Section 3009(a)(1)(B) of the PHSA, as added by section 13101 of the HITECH Act (codified at 42 U.S.C. 300jj–19(a)(1)). E:\FR\FM\26APR5.SGM 26APR5 32982 Federal Register / Vol. 89, No. 82 / Friday, April 26, 2024 / Rules and Regulations HITECH Act.66 Congress confirmed that the new law was not intended to have any effect on authorities already granted under HIPAA to the Department, including section 264 of that statute and the regulations issued under that provision.67 Congress thus affirmed the Secretary’s ongoing rulemaking authority to modify the Privacy Rule’s standards and implementation specifications as often as every 12 months when appropriate, including to strengthen privacy and security protections for IIHI. B. Regulatory History The Secretary has delegated the authority to administer the HIPAA Rules and to make decisions regarding their implementation, interpretation, and enforcement to the HHS Office for Civil Rights (OCR).68 Since the enactment of the HITECH Act, the Department has exercised its authority to modify the Privacy Rule several times—in 2013, 2014, and 2016.69 ddrumheller on DSK120RN23PROD with RULES5 1. 
2000 Privacy Rule As directed by HIPAA, the Department provided a series of recommendations to Congress for a potential new law that would address the confidentiality of IIHI.70 Congress did not act within its three-year selfimposed deadline. Accordingly, the Department published a proposed rule on November 3, 1999,71 and issued the first final rule establishing ‘‘Standards for Privacy of Individually Identifiable Health Information’’ (‘‘2000 Privacy Rule’’) on December 28, 2000.72 The primary goal of the Privacy Rule was to provide greater protection to individuals’ privacy to engender a trusting relationship between individuals and health care providers. 66 Section 13421(b) of the HITECH Act (codified at 42 U.S.C. 17951). 67 Section 3009(a)(1)(A) of the PHSA, as added by section 13101 of the HITECH Act (codified at 42 U.S.C. 300jj–19(a)(1)). 68 See U.S. Dep’t of Health and Hum. Servs., Off. of the Sec’y, Off. for Civil Rights; Statement of Delegation of Authority, 65 FR 82381 (Dec. 28, 2000); U.S. Dep’t of Health and Hum. Servs., Off. of the Sec’y, Off. for Civil Rights; Delegation of Authority, 74 FR 38630 (Aug. 4, 2009); U.S. Dep’t of Health and Hum. Servs., Off. of the Sec’y, Statement of Organization, Functions and Delegations of Authority, 81 FR 95622 (Dec. 28, 2016). 69 See 78 FR 5566 (Jan. 25, 2013); 79 FR 7290 (Feb. 6, 2014); 81 FR 382 (Jan. 6, 2016). 70 See U.S. Dep’t of Health and Hum. Servs., Off. of the Assistant Sec’y for Plan. and Evaluation, ‘‘Recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996,’’ Section I.A. (Sept. 1997), https://aspe. hhs.gov/reports/confidentiality-individuallyidentifiable-health-information. 71 64 FR 59918 (Nov. 3, 1999). 72 65 FR 82462 (Dec. 28, 2000). 
VerDate Sep<11>2014 20:54 Apr 25, 2024 Jkt 262001 As announced, the final rule set standards to protect the privacy of IIHI to ‘‘begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding’’ health information.73 On the eve of that rule’s issuance, the President issued an Executive Order recognizing the importance of protecting individual privacy, explaining that ‘‘[p]rotecting the privacy of patients’ protected health information promotes trust in the health care system. It improves the quality of health care by fostering an environment in which patients can feel more comfortable in providing health care professionals with accurate and detailed information about their personal health.’’ 74 Since its promulgation, the Privacy Rule has protected PHI by limiting the circumstances under which covered entities and their business associates (collectively, ‘‘regulated entities’’) are permitted or required to use or disclose PHI and by requiring covered entities to have safeguards in place to protect the privacy of PHI. 
In adopting these regulations, the Department acknowledged the need to balance several competing factors, including existing legal expectations, individuals’ privacy expectations, and societal expectations.75 The Department noted in the preamble that the large number of comments from individuals and groups representing individuals demonstrated the deep public concern about the need to protect the privacy of IIHI and constituted evidence of the importance of protecting privacy and the potential adverse consequences to individuals and their health if such protections are not extended.76 Through its policy choices in the 2000 Privacy Rule, the Department struck a balance between competing interests—the necessity of protecting privacy and the public interest in using identifiable health information for vital public and private purposes—in a way that was also workable for the varied stakeholders.77 In the 2000 Privacy Rule, the Department established ‘‘general rules’’ for uses and disclosures of PHI, codified at 45 CFR 164.502.78 The 2000 Privacy Rule also specified the circumstances in which a covered entity was required to 73 Id. 74 See Executive Order 13181 (Dec. 20, 2000), 65 FR 81321. 75 See 65 FR 82462, 82471 (Dec. 28, 2000). 76 See id. at 82472. 77 See id. 78 65 FR 82462 (Dec. 28, 2000). 
PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 obtain an individual’s consent,79 authorization,80 or the opportunity for the individual to agree or object.81 Additionally, it established rules for when a covered entity is permitted to use or disclose PHI without an individual’s consent, authorization, or opportunity to agree or object.82 In particular, the Privacy Rule permits certain uses and disclosures of PHI, without the individual’s authorization, for identified activities that benefit the community, such as public health activities, judicial and administrative proceedings, law enforcement purposes, and research.83 The Privacy Rule also established the rights of individuals with respect to their PHI, including the right to receive adequate notice of a covered entity’s privacy practices, the right to request restrictions of uses and disclosures, the right to access (i.e., to inspect and obtain a copy of) their PHI, the right to request an amendment of their PHI, and the right to receive an accounting of disclosures.84 In the 2000 Privacy Rule, the Secretary exercised her statutory authority to adopt 45 CFR 160.104(a), which reserves the Secretary’s ability to modify any standard or implementation specification adopted under the Administrative Simplification provisions.85 The Secretary first invoked this modification authority to amend the Privacy Rule in 2002 86 and made additional modifications in 2013,87 and 2016,88 as described below. 2. 2002 Privacy Rule After publication of the 2000 Privacy Rule, the Department received many inquiries and unsolicited comments about the Privacy Rule’s effects and operation. 
As a result, the Department opened the 2000 Privacy Rule for further comment in February 2001, less than one month before the effective date and 25 months before the compliance date for most covered entities, and issued clarifying guidance on its implementation.89 NCVHS’ Subcommittee on Privacy, Confidentiality and Security held public 79 45 CFR 164.506 was originally titled ‘‘Consent for uses or disclosures to carry out treatment, payment, or health care operations.’’ 80 45 CFR 164.508. 81 45 CFR 164.510. 82 45 CFR 164.512. 83 See 64 FR 59918, 59955 (Nov. 3, 1999). 84 See 45 CFR 164.520, 164.522, 164.524, 164.526, and 164.528. 85 See 65 FR 82462, 82800 (Dec. 28, 2000). 86 See 67 FR 53182 (Aug. 14, 2002). 87 78 FR 5566 (Jan. 25, 2013). 88 81 FR 382 (Jan. 6, 2016). 89 66 FR 12738 (Feb. 28, 2001). E:\FR\FM\26APR5.SGM 26APR5 Federal Register / Vol. 89, No. 82 / Friday, April 26, 2024 / Rules and Regulations hearings about the 2000 Privacy Rule. From those hearings, the Department obtained additional information about concerns related to key provisions and their potential unintended consequences for health care quality and access.90 On March 27, 2002, the Department proposed modifications to the 2000 Privacy Rule to clarify the requirements and correct potential problems that could threaten access to, or quality of, health care.91 In response to comments on the proposed rule, the Department finalized modifications to the Privacy Rule on August 14, 2002 (‘‘2002 Privacy Rule’’).92 This final rule clarified HIPAA’s requirements while maintaining strong protections for the privacy of IIHI.93 These modifications addressed certain workability issues, including but not limited to clarifying distinctions between health care operations and marketing; modifying the minimum necessary standard to exclude disclosures authorized by individuals and clarify its operation; eliminating the consent requirement for uses and disclosures of PHI for treatment, payment, or health care 
operations (TPO), and to otherwise clarify the role of consent in the Privacy Rule; and making other modifications and conforming amendments consistent with the proposed rule. The Department also included modifications to the provisions permitting the use or disclosure of PHI for public health activities and for research activities without consent, authorization, or an opportunity to agree or object. 3. 2013 Omnibus Rule Following the enactment of the HITECH Act, the Department issued an NPRM, entitled ‘‘Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health [HITECH] Act’’ (‘‘2010 NPRM’’),94 which proposed to implement certain HITECH Act requirements. In 2013, the Department issued the final rule, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical ddrumheller on DSK120RN23PROD with RULES5 90 67 FR 53182, 53183 (Aug. 14, 2002). FR 14775 (Mar. 27, 2002). 92 67 FR 53182 (Aug. 14, 2002). See the final rule for changes in the entirety. The 2002 Privacy Rule was issued before the compliance date for the 2000 Privacy Rule. Thus, covered entities never implemented the 2000 Privacy Rule. Instead, they implemented the 2000 Privacy Rule as modified by the 2002 Privacy Rule. 93 See 67 FR 53182 (Aug. 14, 2002). 94 75 FR 40868 (July 14, 2010). 91 67 VerDate Sep<11>2014 20:54 Apr 25, 2024 Jkt 262001 Health [HITECH] Act and the Genetic Information Nondiscrimination Act, and Other Modifications to the HIPAA Rules (‘‘2013 Omnibus Rule’’),95 which implemented many of the new HITECH Act requirements, including strengthening individuals’ privacy rights related to their PHI. 
The Department also finalized regulatory provisions that were not required by the HITECH Act, but were necessary to address the workability and effectiveness of the Privacy Rule and to increase flexibility for and decrease burden on regulated entities.96 In the 2010 NPRM, the Department noted that it had not amended the Privacy Rule since 2002.97 It further explained that information gleaned from contact with the public since that time, enforcement experience, and technical corrections needed to eliminate ambiguity provided the impetus for the Department’s actions to make certain regulatory changes.98 For example, the Department modified its prior interpretation of the Privacy Rule requirement at 45 CFR 164.508(c)(1)(iv) that a description of a research purpose must be study specific.99 The Department explained that, under its new interpretation, the research purposes need only be described adequately such that it would be reasonable for an individual to expect that their PHI could be used or disclosed for such future research.100 In the 2013 Omnibus Rule, the Department explained that this change was based on the concerns expressed by covered entities, researchers, and other commenters on the 2010 NPRM that the former requirement did not represent current research practices. The Department provided a similar explanation for its modifications to the Privacy Rule that permit certain 95 78 FR 5566 (Jan. 25, 2013). In addition to finalizing requirements of the HITECH Act that were proposed in the 2010 NPRM, the Department adopted modifications to the Enforcement Rule not previously adopted in an earlier interim final rule, 74 FR 56123 (Oct. 30, 2009), and to the Breach Notification Rule not previously adopted in an interim final rule, 74 FR 42739 (Aug. 24, 2009). The Department also finalized previously proposed Privacy Rule modifications as required by GINA, 74 FR 51698 (Oct. 7, 2009). 96 See 78 FR 5566 (Jan. 
25, 2013) (explaining that the Department was using its general authority under HIPAA to make a number of changes to the Privacy Rule that were intended to increase workability and flexibility, decrease burden, and better harmonize the requirements with those under other Departmental regulations). The Department’s general authority to modify the Privacy Rule is codified in HIPAA section 264(c), and OCR conducts rulemaking under HIPAA based on authority granted by the Secretary. 97 See 75 FR 40868, 40871 (July 14, 2010). 98 75 FR 40868, 40871 (July 14, 2010). 99 See 78 FR 5566, 5611 (Jan. 25, 2013). 100 See id. at 5612. PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 32983 disclosures of student immunization records to schools without an authorization.101 Additionally, based on a recommendation made at an NCVHS meeting, the Department requested comment on and finalized proposed revisions to the definition of PHI to exclude information regarding an individual who has been deceased for more than 50 years.102 For the latter, the Department noted that it was balancing the privacy interests of decedents’ living relatives and other affected individuals against the legitimate needs of public archivists to obtain records.103 None of the changes described in the paragraph above were required by the HITECH Act. Rather, the Department determined that it was necessary to promulgate these changes pursuant to its existing general rulemaking authority under HIPAA. NCVHS and the public also recommended other changes between the publication of the 2002 Privacy Rule and the 2013 Omnibus Rule, including the creation of specific categories of PHI, such as ‘‘Sexuality and Reproductive Health Information’’ that would allow for special protections of such PHI.104 The Department declined to propose specific protections for certain categories of PHI at that time because of concerns about the ability of regulated entities to segment PHI and the effects on care coordination. 
Many of those concerns are still present and so, the Department did not propose and determined not to establish a specific category of particularly sensitive PHI in this rulemaking. Instead, as discussed more fully below, the Department is finalizing a purpose-based prohibition against certain uses and disclosures. 101 Id. at 5616–17. See also 45 CFR 164.512(b)(1). FR 5566, 5614 (Jan. 25, 2013). See also 45 CFR 164.502(f) and the definition of ‘‘Protected health information’’ at 45 CFR 160.103, excluding IIHI regarding a person who has been deceased for more than 50 years. 103 In addition to the rulemakings discussed here, the Department has modified the Privacy Rule for workability purposes and in response to changes in circumstances on two other occasions, and it issued another notice of proposed rulemaking in 2021 for the same reasons. See 79 FR 7289 (Feb. 6, 2014), 81 FR 382 (Jan. 6, 2016), and 86 FR 6446 (Jan. 21, 2021). 104 See Letter from NCVHS Chair Simon P. Cohn to HHS Sec’y Michael O. Leavitt (June 22, 2006), https://ncvhs.hhs.gov/rrp/june-22-2006-letter-tothe-secretary-recommendations-regarding-privacyand-confidentiality-in-the-nationwide-healthinformation-network/; Letter from NCVHS Chair Simon P. Cohn to HHS Sec’y Michael O. Leavitt (Feb. 20, 2008) (listing categories of health information that are commonly considered to contain sensitive information), https://ncvhs. hhs.gov/wp-content/uploads/2014/05/080220lt.pdf; Letter from NCVHS Chair Justine M. Carr to HHS Sec’y Kathleen Sebelius (Nov. 10, 2010) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/ wp-content/uploads/2014/05/101110lt.pdf. 102 78 E:\FR\FM\26APR5.SGM 26APR5 32984 Federal Register / Vol. 89, No. 82 / Friday, April 26, 2024 / Rules and Regulations 4. 2024 Privacy Rule III. 
Justification for This Rulemaking On April 17, 2023, the Department issued an NPRM 105 to modify the Privacy Rule for the purpose of prohibiting uses and disclosures of PHI for criminal, civil, or administrative investigations or proceedings against persons for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. To properly execute the HIPAA statutory mandate, and in accordance with the regulatory authority granted to it by Congress, the Department continually monitors and evaluates the evolving environment for health information privacy nationally, including the interaction of the Privacy Rule and state statutes and regulations governing the privacy of health information. In keeping with the Department’s practice, this final rule accommodates state autonomy to the extent consistent with the need to maintain rules for health information privacy that serve HIPAA’s objectives. The regulation thus preempts state law only to the extent necessary to achieve Congress’ directive to establish a standard for the privacy of IIHI for the purpose of improving the effectiveness of the health care system. As discussed below, achieving that objective requires individuals to trust that their health care providers will maintain privacy of PHI about lawful reproductive health care. In addition, NCVHS held a virtual public meeting that included a discussion about the proposed rule on June 14, 2023,106 and provided recommendations to the Department based on this discussion, briefings at their July 2022 107 and December 2022 108 meetings, and the expertise of its members.109 The resultant public record and subsequent recommendations submitted to the Department by NCVHS, along with other public comments on the 2023 Privacy Rule NPRM, informed the development of these modifications. A. 
HIPAA Encourages Trust and Confidence by Carefully Balancing Individuals’ Privacy Interests With Others’ Interests in Using or Disclosing PHI 105 88 FR 23506. Meeting of NCVHS (June 14, 2023), https://ncvhs.hhs.gov/meetings/full-committeemeeting-13/. 107 See Meeting of NCVHS, Briefing on Legislative Developments in Data Privacy (July 21, 2022), https://ncvhs.hhs.gov/meetings/full-committeemeeting-11/. 108 See Meeting of NCVHS, Briefing by Cason Schmit (Dec. 7, 2022), https://ncvhs.hhs.gov/ meetings/full-committee-meeting-12/. 109 Letter from NCVHS Chair Jacki Monson to HHS Sec’y Xavier Becerra (June 14, 2023) (forwarding NCVHS recommendations), https:// ncvhs.hhs.gov/wp-content/uploads/2023/06/ NCVHS-Comments-on-HIPAA-ReproductionHealth-NPRM-Final-508.pdf. ddrumheller on DSK120RN23PROD with RULES5 106 See VerDate Sep<11>2014 20:54 Apr 25, 2024 Jkt 262001 1. Privacy Protections Ensure That Individuals Have Access to, and Are Comfortable Accessing, High-Quality Health Care The goal of a functioning health care system is to provide high-quality health care that results in the best possible outcomes for individuals. To achieve that goal, a functioning health care system depends in part on individuals trusting health care providers. Thus, trust between individuals and health care providers is essential to an individual’s health and well-being.110 Protecting the privacy of an individual’s health information is ‘‘a crucial element for honest health discussions.’’ 111 The original Hippocratic Oath required physicians to pledge to maintain the confidentiality of health information they learn about individuals.112 Without confidence that private information will remain private, individuals—to their own detriment—are reluctant to share information with health care providers. 
When proposing the 2000 Privacy Rule, the Department recognized that individuals may be deterred from seeking needed health care if they do not trust that their sensitive information 110 See Jennifer Richmond et al., ‘‘Development and Validation of the Trust in My Doctor, Trust in Doctors in General, and Trust in the Health Care Team Scales,’’ 298 Social Science & Medicine 114827 (2022), https://www.sciencedirect.com/ science/article/abs/pii/S0277953622001332? via%3Dihub; see also Fallon E. Chipidza et al., ‘‘Impact of the Doctor-Patient Relationship,’’ The Primary Care Companion for CNS Disorders (Oct. 2015), https://www.psychiatrist.com/pcc/delivery/ patient-physician-communication/impact-doctorpatient-relationship/. See Testimony (transcribed) of William G. Plested, III, M.D., Member, Board of Trustees, American Medical Association, Hearing on Confidentiality of Patient Medical Records before House of Representatives Committee on Ways and Means, Subcommittee on Health (Feb. 17, 2000), https://www.govinfo.gov/content/pkg/CHRG106hhrg66897/html/CHRG-106hhrg66897.htm. (‘‘Trust is the foundation of the patient/physician relationship.’’) 111 See Am. Med. Ass’n, ‘‘Patient Perspectives Around Data Privacy,’’ (2022), https://www.amaassn.org/system/files/ama-patient-data-privacysurvey-results.pdf. 112 See John C. Moskop et al., ‘‘From Hippocrates to HIPAA: Privacy and Confidentiality in Emergency Medicine—Part I: Conceptual, Moral, and Legal Foundations,’’ 45 Ann Emerg. Med.1 (Jan. 2005) (quoting the Oath of Hippocrates, ‘‘What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself [. . .].’’), https:// www.ncbi.nlm.nih.gov/pmc/articles/PMC7132445/ #bib1. 
PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 will be kept private.113 The Department described its policy choices as stemming from a motivation to develop and maintain a relationship of trust between individuals and health care providers. The Department explained that a fundamental assumption of the 2000 Privacy Rule was that the greatest benefits of improved privacy protection would be realized in the future as individuals gain increasing trust in their health care provider’s ability to maintain the confidentiality of their health information.114 As a result, the Privacy Rule strengthened protections for health information privacy, including the right of individuals to determine who has access to their health information. Despite the Privacy Rule’s rights and protections, individuals do not have confidence that their IIHI is being protected adequately. In a 2022 survey on patient privacy, the American Medical Association (AMA) found that, of 1,000 patients surveyed: (1) nearly 75% were concerned about protecting the privacy of their own health information; and (2) 59% of patients worried about health data being used by companies to discriminate against them or their loved ones.115 According to the AMA, a lack of health information privacy raises many questions about circumstances that could put individuals and health care providers in legal peril, and that the ‘‘primary purpose of increasing [health information] privacy is to build public trust, not inhibit data exchange.’’ 116 The Federal Government also has a strong interest in ensuring that individuals have access to high-quality health care.117 This is true at both an 113 See 64 FR 59918, 60006 (Nov. 3, 1999) (In the 1999 Privacy Rule NPRM, the Department discussed confidentiality as an important component of trust between individuals and health care providers and cited a 1994 consumer privacy survey that indicated that a lack of privacy may deter patients from obtaining preventive care and treatment.). See id. 
at 60019. 114 See 64 FR 59918, 60006 (Nov. 3, 1999). 115 See ‘‘Patient Perspectives Around Data Privacy,’’ supra note 111. 116 Id. at 2. 117 See Testimony (transcribed) of Peter R. Orszag, Director, Congressional Budget Office, Hearing on Comparative Clinical Effectiveness before House of Representatives Committee on Ways and Means, Subcommittee on Health, 2007 WL 1686358 (June 12, 2007) (‘‘because federal health insurance programs play a large role in financing medical care and represent a significant expenditure, the federal government itself has an interest in evaluations of the effectiveness of different health care approaches’’); Statement of Sen. Durenberger introducing S.1836, American Health Quality Act of 1991 and reading bill text, 137 Cong. Rec. S26720 (Oct. 17, 1991) (‘‘[T]he Federal Government has a demonstrated interest in assessing the quality of care, access to care, and the costs of care through E:\FR\FM\26APR5.SGM 26APR5 Federal Register / Vol. 89, No. 82 / Friday, April 26, 2024 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES5 individual and population level. In the 2000 Privacy Rule, the Department noted that high-quality health care depends on an individual being able to share sensitive information with their health care provider based on the trust that the information shared will be protected and kept confidential.118 An effective health care system requires an individual to share sensitive health information with their health care providers. They do so with the reasonable expectation that this information is going to be used to treat them. The prospect of the disclosure of highly sensitive PHI by regulated entities can result in medical mistrust and the deterioration of the confidential, safe environment that is necessary to provide high-quality health care, operate a functional health care system, and improve the public’s health generally.119 High-quality health care cannot be attained without patient candor. 
Health care providers rely on an individual’s health information to diagnose them and provide them with appropriate treatment options and may not be able to reach an accurate diagnosis or recommend the best course of action for the individual if the individual’s medical records lack complete information about their health history. However, an individual may be unwilling to seek treatment or share highly sensitive PHI when they are concerned about the confidentiality and security of PHI provided to treating health care providers.120 The the evaluative activities of several Federal agencies.’’). 118 See 65 FR 82462, 82463 (Dec. 28, 2000). 119 See, e.g., Brooke Rockwern et al., Medical Informatics Committee and Ethics, Professionalism and Human Rights Committee of the American College of Physicians, ‘‘Health Information Privacy, Protection, and Use in the Expanding Digital Health Ecosystem: A Position Paper of the American College of Physicians,’’ 174 Ann Intern Med. 994 (Jul. 2021) (discussing the need for trust in the health care system as necessary to mitigate a global pandemic); Johanna Birkha¨uer et. al, ‘‘Trust in the Health Care Professional and Health Outcome: A Meta-Analysis,’’ 12 PLoS One e0170988 (Feb. 7, 2017). See also Eric Boodman, ‘‘In a doctor’s suspicion after a miscarriage, a glimpse of expanding medical mistrust,’’ STAT News (June 29, 2022), https://www.statnews.com/2022/06/29/ doctor-suspicion-after-miscarriage-glimpse-ofexpanding-medical-mistrust/ (Sarah Prager, professor of obstetrics and gynecology at the University of Washington, stating that it is a bad precedent if clinical spaces become unsafe for patients because, ‘‘[a health care provider’s] ability to take care of patients relies on trust, and that will be impossible moving forward.’’). 120 See ‘‘Development and Validation of the Trust in My Doctor, Trust in Doctors in General, and Trust in the Health Care Team Scales,’’ supra note 110; Bradley E. 
Iott et al., ‘‘Trust and Privacy: How Patient Trust in Providers is Related to Privacy Behaviors and Attitudes,’’ 2019 AMIA Annu Symp Proc 487 (Mar. 2020), https://www.ncbi. nlm.nih.gov/pmc/articles/PMC7153104/; Pamela VerDate Sep<11>2014 20:54 Apr 25, 2024 Jkt 262001 Department has long recognized that health care professionals who lose the trust of their patients cannot deliver high-quality care.121 Similarly, if a health care provider does not trust that the PHI they include in an individual’s medical records will be kept private, the health care provider may leave gaps or include inaccuracies when preparing medical records, creating a risk that ongoing or future health care would be compromised. In contrast, heightened confidentiality and privacy protections enable a health care provider to feel confident maintaining full and complete medical records. Incomplete medical records and health care avoidance not only inhibit the quality of health care an individual receives; they are also detrimental to efforts to improve public health. The objective of public health is to prevent disease in and improve the health of populations. Barriers that undermine the willingness of individuals to seek health care in a timely manner or to provide complete and accurate health information to their health care providers undermine the overall objective of public health. 
For example, individuals who are not candid with their health care providers because of concerns about potential negative consequences of a loss of privacy may withhold information about a variety of health matters that have public health implications, such as communicable diseases or vaccinations.122 Experience also shows that medical mistrust— especially in communities of color and other communities that have been marginalized or negatively affected by historical and current health care disparities—can create damaging and chilling effects on individuals’ willingness to seek appropriate and lawful health care for medical conditions that can worsen without treatment.123 Sankar et al., ‘‘Patient Perspectives of Medical Confidentiality: a Review of the Literature,’’ 18 J. of Gen. Internal Med. 659 (Aug. 2003), https:// pubmed.ncbi.nlm.nih.gov/12911650/. 121 See 65 FR 82462, 82468 (Dec. 28, 2000). 122 See Letter from NCVHS Chair Simon P. Cohn, supra note 104, at 2 (2006) (with forwarded NCVHS recommendations, ‘‘Individual trust in the privacy and confidentiality of their personal health information also promotes public health, because individuals with potentially contagious or communicable diseases are not inhibited from seeking treatment.’’). 123 See Texas Dep’t of State Health Servs., ‘‘Texas Maternal Mortality and Morbidity Review Committee and Department of State Health Services Joint Biennial Report 2022,’’ at 41 (Dec. 2022) https://www.dshs.texas.gov/sites/default/files/ legislative/2022-Reports/2022-MMMRC-DSHS-JointBiennial-Report.pdf; Lynn M. Paltrow et al., ‘‘Arrests of and forced interventions on pregnant women in the United States, 1973–2005: implications for women’s legal status and public PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 32985 2. 
The Department’s Approach to the Privacy Rule Has Long Sought To Balance the Interests of Individuals and Society While recognizing the importance of preserving individuals’ trust, the Department has consistently taken the approach of balancing the interests of the individual in the privacy of their PHI with society’s interests, including in the free flow of information that enables the provision of effective and efficient health care services. Such an approach derives from Congress’s direction, in 1996, to improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system while taking into account the privacy of IIHI and the uses and disclosures of such information that should be authorized or required.124 In past rulemakings, the Department has made revisions to the Privacy Rule to balance an individual’s privacy expectations with a covered entity’s need for information for reimbursement and quality purposes.125 As the Department previously explained, ‘‘Patient privacy must be balanced against other public goods, such as research and the risk of compromising such research projects if researchers could not continue to use such data.’’ 126 The 2000 Privacy Rule included permissions for regulated entities to disclose PHI under certain conditions, including for judicial and administrative proceedings and law enforcement purposes, because an individual’s right to privacy in information about themselves is not absolute. For example, it does not prevent reporting of public health information on communicable diseases, nor does it prevent law enforcement health,’’ 38 J. Health Pol. 
Pol’y Law 299 (2013) (finding that hospital staff are most likely to report pregnant low-income and patients of color, especially Black women, to the authorities.); Terriann Monique Thompson et al., ‘‘Racism Runs Through It: Examining the Sexual and Reproductive Health Experience of Black Women in the South,’’ 41 Health Affairs 195 (Feb. 2022) (discussing how individual racism affects reproductive health care use by undermining the patient-doctor relationship), https://www.healthaffairs.org/doi/ 10.1377/hlthaff.2021.01422); Joli Hunt, ‘‘Maternal Mortality among Black Women in the United States,’’ Ballard Brief (July 2021), https://ballard brief.byu.edu/issue-briefs/maternal-mortalityamong-black-women-in-the-united-states/ (discussing the disproportionately high rate of Black maternal mortality and morbidity); Austin Frakt, ‘‘Bad Medicine: The Harm that Comes from Racism,’’ The New York Times (July 8, 2020), https://www.nytimes.com/2020/01/13/upshot/badmedicine-the-harm-that-comes-from-racism.html. 124 42 U.S.C. 1320d note and 1320d–2 note. 125 See 67 FR 53182, 53216 (Aug. 14, 2002). 126 Id. at 53226. E:\FR\FM\26APR5.SGM 26APR5 32986 Federal Register / Vol. 89, No. 82 / Friday, April 26, 2024 / Rules and Regulations from obtaining information when due process has been observed.127 In more recent rulemakings revising the Privacy Rule, the Department has continued its efforts to build and maintain individuals’ trust in the health care system while balancing the interests of individuals with those of others. 
For example, in explaining revisions made as part of the 2013 Omnibus Rule, the Department recognized that covered entities must balance protecting the privacy of health information with sharing health information with those responsible for ensuring public health and safety.128 The Privacy Rule was also revised in 2016 (‘‘2016 Privacy Rule’’) in accordance with an administration-wide effort to curb gun violence across the nation.129 The 2016 Privacy Rule was tailored to authorize the disclosure of a limited set of PHI 130 for a narrow, specific purpose, that is, to permit only regulated entities that are state agencies or other entities designated by a state to collect and report information to the National Instant Criminal Background Check System (NICS) or a lawful authority making an adjudication or commitment as described by 18 U.S.C. 922(g)(4) to disclose to NICS the identities of individuals who are subject to a Federal ‘‘mental health prohibitor,’’ that disqualifies them from shipping, transporting, possessing, or receiving a firearm. As explained in the 2016 Privacy Rule, the Federal mental health prohibitor applies only to the extent that the individual is involuntarily committed or determined by a court or other lawful authority to be a danger to self or others, or is unable to manage their own affairs because of a mental illness or condition.131 Similar to this final rule, the 2016 Privacy Rule balanced public safety goals with individuals’ privacy interests by clearly limiting permissible disclosures to those 127 65 FR 82462, 82464 (Dec. 28, 2000). 78 FR 5566, 5616 (Jan. 25, 2013). 129 81 FR 382 (Jan. 6, 2016); see, e.g., 78 FR 4297 (Jan. 22, 2013) and 78 FR 4295 (Jan. 22, 2013); see also Colleen Curtis, ‘‘President Obama Announces New Measures to Prevent Gun Violence,’’ The White House President Barack Obama (Jan. 16, 2013), https://obamawhitehouse.archives.gov/blog/ 2013/01/16/president-obama-announces-newmeasures-prevent-gun-violence. 
130 This PHI includes limited demographic and certain other information needed for the purposes of reporting to NICS. 45 CFR 164.512(k)(7)(iii)(A). In preamble, the Department explained that generally the information described at 45 CFR 164.512(k)(7)(iii)(A) would be limited to the data elements required to create a NICS record and certain other elements to the extent that they are necessary to exclude false matches: Social Security number, State of residence, height, weight, place of birth, eye color, hair color, and race. 81 FR 382, 390 (Jan. 6, 2016). 131 81 FR 382, 386–388 (Jan. 6, 2016). ddrumheller on DSK120RN23PROD with RULES5 128 See VerDate Sep<11>2014 20:54 Apr 25, 2024 Jkt 262001 that are necessary to ensure that individuals are not discouraged from seeking lawful health care, in this case, voluntary treatment for mental health needs.132 In the 2013 Omnibus Rule and 2016 Privacy Rule, the Department ensured that the disclosures were necessary for the public good and were not for the purpose of harming the individual. This approach is consistent with the NCVHS recommendations to the Secretary relating to health information privacy: ‘‘The Committee strongly supports limiting use and disclosure of identifiable information to the minimum amount necessary to accomplish the purpose. The Committee also strongly believes that when identifiable health information is made available for non-health uses, patients deserve a strong assurance that the data will not be used to harm them.’’ 133 Consistent with Congress’s directive to promulgate ‘‘standards with respect to the privacy of [IIHI]’’ that, among other things, address the ‘‘uses and disclosures of such information that should be authorized or required,’’ 134 the Department recognizes a variety of interests with respect to health information. 
These include individuals’ interests in the privacy of their health information, society’s interests in ensuring the effectiveness of the health care system, and other interests of society in using IIHI for certain nonhealth care purposes. As part of balancing these interests, the Department has also recognized that it may be necessary to afford additional protection to certain types of health information because those types of information are particularly sensitive and often involve highly personal health care decisions. For example, the Department affords special privacy protections to psychotherapy notes. These protections are afforded in part because of the particularly sensitive 132 Id. The Department addressed concerns about the possible chilling effect on individuals seeking health care by explaining that (1) the permission is limited to only those covered entities that order the involuntary commitments or make the other adjudications that cause individuals to be subject to the Federal mental health prohibitor, or that serve as repositories of such information for NICS reporting purposes; (2) the specified regulated entities are permitted to disclose NICS data only to designated repositories or the NICS; (3) the information that may be disclosed is limited to certain demographic or other information that is necessary for NICS reporting; and (4) the rulemaking did not expand the permission to encompass State law prohibitor information. 133 Letter from NCVHS Chair Don E. Detmer to HHS Sec’y Donna E. Shalala (June 27, 1997) (forwarding NCVHS recommendations), https:// ncvhs.hhs.gov/rrp/june-27-1997-letter-to-thesecretary-with-recommendations-on-health-privacyand-confidentiality/. 134 42 U.S.C. 1320d–2 note. 
PO 00000 Frm 00012 Fmt 4701 Sfmt 4700 information those notes contain and in part because of the unique function of these records, which are by definition maintained separately from an individual’s medical record.135 As we previously explained, the primary value of psychotherapy notes is to the specific provider, and the promise of strict confidentiality helps to ensure that the patient will feel comfortable freely and completely disclosing very personal information essential to successful treatment.136 The Department elaborated that even the possibility of disclosure may impede development of the confidential relationship necessary for successful treatment because of the sensitive nature of the problems for which individuals consult psychotherapists and the potential embarrassment that may be engendered by the disclosure of confidential communications made during counseling sessions.137 Therefore, to support the development and maintenance of an individual’s trust and protect the relationship between an individual and their therapist, the Privacy Rule permits the disclosure of psychotherapy notes without an individual’s authorization only in limited circumstances, such as to avert a serious and imminent threat to health or safety. Those limited circumstances do not include judicial and administrative proceedings or law enforcement purposes unless the disclosure is ‘‘necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.’’ 138 Information about an individual’s reproductive health and associated health care is also especially sensitive and has long been recognized as such. 
As stated in the AMA’s Principles of Medical Ethics, the ‘‘decision to terminate a pregnancy should be made privately within the relationship of trust between patient and physician in keeping with the patient’s unique values and needs and the physician’s best professional judgment.’’ 139 NCVHS first noted reproductive health information as an example of a category of health information commonly considered to contain sensitive information in 135 See 45 CFR 164.501 (definition of ‘‘Psychotherapy notes’’). 136 See 64 FR 59918, 59941 (Nov. 3, 1999). 137 See id. 138 45 CFR 164.508(a)(2). 139 Council on Ethical and Judicial Affairs, ‘‘Ethics, Amendment to Opinion 4.2.7, Abortion H– 140.823,’’ Am. Med. Ass’n (2022), https://policy search.ama-assn.org/policyfinder/detail/ %224.2.7%20Abortion%22?uri=%2FAMADoc %2FHOD.xml-H-140.823.xml. E:\FR\FM\26APR5.SGM 26APR5 Federal Register / Vol. 89, No. 82 / Friday, April 26, 2024 / Rules and Regulations 2006.140 Between 2005 and 2010, NCVHS held nine hearings that addressed questions about sensitive information in medical records and identified additional categories of sensitive information beyond those addressed in Federal and state law, including ‘‘sexuality and reproductive health information.’’ In several letters to the Secretary during that period, NCVHS recommended that the Department identify and define categories of sensitive information, including ‘‘reproductive health.’’ 141 In a 2010 letter to the Secretary, NCVHS elaborated that, after extensive testimony on sensitive categories of health information, ‘‘reproductive health’’ should be expanded to ‘‘sexuality and reproductive health information,’’ because: Information about sexuality and reproductive history is often very sensitive. 
Some reproductive issues may expose people to political controversy (such as protests from abortion proponents), and public knowledge of an individual’s reproductive history may place [them] at risk of stigmatization.’’ Additionally, individuals may wish to have their reproductive history segmented so that it is not viewed by family members who otherwise have access to their records. Parents may wish to delay telling their offspring about adoption, gamete donation, or the use of other forms of assisted reproduction technology in their conception, and, thus, it may be important to have the capacity to segment these records.142 ddrumheller on DSK120RN23PROD with RULES5 The Department did not provide specific protections for certain categories of PHI upon receipt of the recommendation or as part of the 2013 Omnibus Rule because of concerns about the ability of regulated entities to segment PHI and the effects on care coordination. While we recognized the sensitive nature of reproductive health information before this rulemaking, the Department believed that the Supreme Court’s recognition of a constitutional right to abortion coupled with the privacy protections afforded by the HIPAA Rules provided the necessary trust to promote access to and quality of health care. As a result of the changed legal landscape for reproductive health care broadly, including abortion, the range of circumstances in which PHI about legal reproductive health care could be sought and used in investigations or to impose liability 140 See Letter from NCVHS Chair Simon P. Cohn (2006), supra note 104. 141 See Letter from NCVHS Chair Simon P. Cohn (2006), supra note 104; Letter from NCVHS Chair Simon P. Cohn (2008), supra note 104; Letter from NCVHS Chair Justine M. Carr (2010), supra note 104. 142 See Letter from NCVHS Chair Justine M. Carr (2010), supra note 104. VerDate Sep<11>2014 20:54 Apr 25, 2024 Jkt 262001 expanded significantly. 
Now that states have much broader power to criminalize and regulate reproductive choices—and that some states have already exercised that power in a variety of ways 143— individuals legitimately have a far greater fear that especially sensitive information about lawful health care will not be kept private. This changed environment requires additional privacy protections to help restore the Privacy Rule’s carefully-struck balance between individual and societal interests. Because the concerns regarding segmentation and the negative impact on care coordination remain, the Department did not propose and is not establishing a new category of particularly sensitive PHI in this final rule. Instead, as discussed more fully below, the Department is finalizing its proposed purpose-based prohibition against certain uses and disclosures. B. Developments in the Legal Environment Are Eroding Individuals’ Trust in the Health Care System The Supreme Court’s decision in Dobbs overturned Roe v. Wade 144 and Planned Parenthood of Southeastern Pennsylvania v. Casey,145 thereby enabling states to significantly restrict access to abortion.146 Following the Supreme Court’s decision, the legal landscape has shifted as laws significantly restricting access to abortion have in fact become effective in some jurisdictions. This change has also led to questions about both the current and future lawfulness of other types of reproductive health care, and therefore, the ability of individuals to access such health care.147 Thus, this shift may interfere with the longstanding expectations of individuals, established by HIPAA and the Privacy Rule, with respect to the privacy of their PHI.148 For example, while the Privacy Rule currently permits, but does not require, 143 See LePage v. Center for Reproductive Medicine, SC–2022–0515 (Feb. 16, 2024). 144 410 U.S. 113 (1973). 145 505 U.S. 833 (1992). 146 Dobbs, 597 U.S. 299–302. 
147 See, e.g., Carmel Shachar et al., ‘‘Informational Privacy After Dobbs,’’ 75 Ala. L. Rev. 1 (2023), https://papers.ssrn.com/sol3/papers.cfm?abstract_ id=4570500 and Andrzej Kulczycki, ‘‘Dobbs: Navigating the New Quagmire and Its Impacts on Abortion and Reproductive Health Care,’’ Health Education & Behavior (2022), https://doi.org/ 10.1177/10901981221125430. 148 See, e.g., Kayte Spector-Bagdady & Michelle M. Mello, ‘‘Protecting the Privacy of Reproductive Health Information After the Fall of Roe v. Wade,’’ 3 JAMA Network e222656 (June 30, 2022), https:// jamanetwork.com/journals/jama-health-forum/full article/2794032; Lisa G. Gill, ‘‘What does the overturn of Roe v. Wade mean for you?,’’ Consumer Reports (June 24, 2022), https://www.consumer reports.org/health-privacy/what-does-the-overturnof-roe-v-wade-mean-for-you-a1957506408/. PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 32987 uses and disclosures of PHI for certain purposes,149 including when another law requires a regulated entity to make the use or disclosure,150 regulated entities after Dobbs may feel compelled by other applicable law to use or disclose PHI to law enforcement or other persons who may use that health information against an individual, a regulated entity, or another person who has sought, obtained, provided, or facilitated reproductive health care, even when such health care is lawful in the circumstances in which the health care is obtained.151 As a consequence of these developments in Federal and state law, an individual’s expectation of privacy of their health information (irrespective of whether an individual is or was pregnant) is threatened by the potential use or disclosure of PHI to identify persons who seek, obtain, provide, or facilitate lawful reproductive health care. 
Thus, these developments have created an environment in which individuals are more likely to fear that their PHI will be requested from regulated entities for use against individuals, health care providers, and others, merely because such persons sought, obtained, provided, or facilitated lawful reproductive health care.152 The potential increased demand for PHI for these purposes is not limited to states in which providing or obtaining certain reproductive health care is no longer legal. Rather, the changes in the legal landscape have nationwide implications, not only because of their effects on the relationship between health care providers and individuals, but also because of the potential effects on the flow of health information across state lines. For example, an individual who travels out-of-state to obtain reproductive health care that is lawful under the circumstances in which it is provided may now be reluctant to have that information disclosed to a health care provider in their home state if they 149 45 CFR 164.502(a)(1). CFR 164.512(a). 151 See Laura J. Faherty et al. ‘‘Consensus Guidelines and State Policies: The Gap Between Principle and Practice at the Intersection of Substance Use and Pregnancy,’’ American Journal of Obstetrics & Gynecology Maternal-Fetal Medicine (Aug. 2020) (discussing a concern raised by multiple organizations that pregnant women will hesitate to seek prenatal care and addiction treatment during pregnancy because their concerns that disclosing substance use to health care providers will increase the likelihood that they will face legal penalties); see also ‘‘Informational Privacy After Dobbs,’’ supra note 147. 152 See, e.g., Yvonne Lindgren et al., ‘‘Reclaiming Tort Law to Protect Reproductive Rights,’’ 75 Alabama L. Rev. 355 (2023), https://papers. ssrn.com/sol3/papers.cfm?abstract_id=4435834. 150 45 E:\FR\FM\26APR5.SGM 26APR5 32988 Federal Register / Vol. 89, No. 
82 / Friday, April 26, 2024 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES5 fear that it may then be used against them or a loved one in their home state. A health care provider may be unable to provide appropriate health care if they are unaware of the individual’s recent health history, which could have significant negative health consequences. Individuals and health care providers may also be reluctant to disclose PHI to health plans with a multi-state presence because of concerns that one of those states will seek to obtain that PHI to investigate or impose liability on the individual or the health care provider, even if there is no nexus with that state other than the presence of the health plan in that state. Such reluctance may have significant ramifications for access to reproductive health care, given the cost associated with obtaining such health care, and health care generally. Additionally, PHI is more likely to be transmitted across state lines as the electronic exchange of PHI increases because it is easier and more efficient to send information electronically. For instance, the Trusted Exchange Framework and Common Agreement (TEFCA) initiative established under the 21st Century Cures Act and the Centers for Medicare & Medicaid Services (CMS) Interoperability and Prior Authorization Final Rule will spur greater use and disclosure of PHI by regulated entities and to health apps and others.153 Different components of a health information exchange/health information network (HIE/HIN) may be located in different states, meaning that the PHI may be transmitted across state lines, and thus affected by laws severely restricting access to reproductive health care, even where both the health care and the recipient of the PHI are located in states where access to such health care is not substantially restricted. 
According to commenters, individuals are increasingly concerned about the confidentiality of discussions with their health care providers. As a result, some individuals are not confiding fully in their health care providers, increasing the risk that their medical records will not be complete and accurate, leading to decreases in health care quality and 153 See section 3001(c) of the PHSA, as amended by section 4003(b) of the 21st Century Cures Act, Public Law 114–255, 130 Stat. 1165 (codified at 42 U.S.C. 300jj–11(c)). For more information, see Office of the Nat’l Coordinator for Health Info. Tech., ‘‘Trusted Exchange Framework and Common Agreement (TEFCA),’’ https://www.healthit.gov/ topic/interoperability/policy/trusted-exchangeframework-and-common-agreement-tefca; See also 89 FR 8758 (Feb. 8, 2024); ‘‘CMS Interoperability and Prior Authorization Final Rule CMS–0057–F,’’ Centers for Medicare & Medicaid (Jan. 17, 2024), https://www.cms.gov/newsroom/fact-sheets/cmsinteroperability-and-prior-authorization-final-rulecms-0057-f. VerDate Sep<11>2014 20:54 Apr 25, 2024 Jkt 262001 safety. This lack of openness is also likely to affect the information and treatment recommendations health care providers provide to individuals because health care providers will not be sufficiently informed to provide thorough and accurate information and guidance.154 Individuals are not alone in their fears. 
Indeed, according to commenters, some health care providers are afraid to provide lawful health care because they are concerned that in doing so, they risk being subjected to investigation and possible liability.155 The Department is aware that some health care providers, such as clinicians and pharmacies, are hesitant to provide lawful health care or lawfully prescribe or fill prescriptions for medications that can result in pregnancy loss, even when the health care or those prescriptions are intended to treat individuals for other health matters, because of fear of law enforcement action.156 Some health care providers are also not providing individuals with information to address concerns about their reproductive health, even where their communications would be lawful, out of fear of criminal prosecution, civil suit, or loss of their clinical license.157 This may result in individuals making decisions about their health care with incomplete information, which could have serious implications for health outcomes. These fears also increase the risk that individual medical records will not be maintained with completeness and accuracy, which will in turn affect the quality of health care provided to individuals and their safety.

Fears about potential prosecution, even when Federal law protects the actions of health care providers, are likely to negatively affect the accuracy of medical records maintained by health care providers and thereby harm individuals. As explained by commenters and supported by research, these impingements on the privacy of health information about reproductive health care are likely to have a disproportionately greater effect on women, individuals of reproductive age, and individuals from communities that have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage by virtue of their race, disability, social or economic status, geographic location, or environment.158 Historically underserved and marginalized individuals are also more likely to be the subjects of investigations and other activities to impose liability for seeking or obtaining reproductive health care, even where such health care is lawful under the circumstances in which it is provided.159 They are also less likely to have adequate access to legal counsel to defend themselves from such actions.160 These inequities may be exacerbated where individuals face multiple, intersecting disparities, such as having limited English proficiency161 and disability.162 Such individuals are thus especially likely to be concerned that information they share with their health care providers about their reproductive health care will not remain private. This is particularly true considering the historic lack of trust, negative experiences, and fear of discrimination that many members of historically underrepresented and marginalized communities and communities of color have in the health care system;163 such individuals are more likely to be deterred from seeking or obtaining health care—or from giving their health care providers full information.

Congress contemplated that the Department would need to modify standards adopted under HIPAA’s Administrative Simplification provisions and directed the Secretary to review standards adopted under 42 U.S.C. 1320d-2 periodically.164 In accordance with this directive and based on the Department’s expertise and analysis and the recent developments in the legal landscape, there is a compelling need to provide additional protections to PHI about lawful reproductive health care. Accordingly, consistent with Congress’s directions to the Department, in HIPAA, as amended by the Genetic Information Nondiscrimination Act (GINA) and the HITECH Act, to establish standards and requirements for the electronic transmission of certain health information, including the privacy thereof, for the development of a health information system, the Department is restricting certain uses and disclosures of PHI for particular non-health care purposes to provide such protections.

154 See Eric Boodman, “In a doctor’s suspicion after a miscarriage, a glimpse of expanding medical mistrust,” STAT News (June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/#:~:text=In%20a%20doctor’s%20suspicion%20after,glimpse%20of%20expanding%20medical%20mistrust&text=The%20idea%20that%20she,used%20contraceptives%20and%20trusted%20them.

155 See also Melissa Suran, “As Laws Restricting Health Care Surge, Some US Physicians Choose Between Fight or Flight,” JAMA, 329(22):1899–1903 (May 17, 2023) (discussing a maternal-fetal medicine specialist who stated that she moved to another state because of legislation that restricts evidence-based health care and prevents her from fulfilling her ethical obligation to protect her patients’ health.), https://pubmed.ncbi.nlm.nih.gov/37195699/.

156 See Off. for Civil Rights, “HHS Office for Civil Rights Resolves Complaints with CVS and Walgreens to Ensure Timely Access to Medications for Women and Support Persons with Disabilities,” U.S. Dep’t of Health and Human Servs. (June 16, 2023), https://www.hhs.gov/civil-rights/for-providers/compliance-enforcement/agreements/cvs-walgreens/. See also Kathryn Starzyk et al., “More than half of patients with a rheumatic disease or immunologic condition undergoing methotrexate treatment reside in states in which the overturning of Roe v. Wade can jeopardize access to medications with abortifacient potential,” 75 Arthritis Rheumatol 328 (Feb. 2023); see also Celine Castronuovo, “Many Female Arthritis Drug Users Face Restrictions After Dobbs,” Bloomberg Law (Nov. 14, 2022) (noting that 16 out of 524 patients responding to a survey indicated that they’ve had trouble getting methotrexate, their arthritis medication, since the Dobbs decision.), https://news.bloomberglaw.com/health-law-and-business/many-female-arthritis-drug-users-face-restrictions-after-dobbs; Interview with Donald Miller, PharmD, “Methotrexate access becomes challenging for some patients following Supreme Court decision on abortion,” Pharmacy Times (July 20, 2022), https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion; Jamie Ducharme, “Abortion restrictions may be making it harder for patients to get a cancer and arthritis drug,” Time (July 6, 2022), https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/; Katie Shepherd & Frances Stead Sellers, “Abortion bans complicate access to drugs for cancer, arthritis, even ulcers,” The Washington Post (Aug. 8, 2022), https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/.

157 See Michelle Oberman & Lisa Soleymani Lehmann, “Doctors’ duty to provide abortion information,” J. of Law and Biosciences (Sept. 1, 2023), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10474560/; Whitney Arey et al., “Abortion Access and Medically Complex Pregnancies Before and After Texas Senate Bill 8,” 141 Obstet Gynecol. 995 (May 1, 2023) (concluding that “Abortion restrictions limit shared decision making, compromise patient care, and put pregnant people’s health at risk.”); “1 Year Without Roe,” Center for American Progress (Jun. 23, 2023) (where a physician detailed her fear about speaking freely with her patients after Dobbs, “worried a vigilante posing as a new patient would attempt to bait her into talking about abortion and attempt to sue her, and she sometimes skirts the topic of abortion when speaking with patients about their health care options.”).

158 See Christine Dehlendorf et al., “Disparities in Abortion Rates: A Public Health Approach,” Am. J. of Pub. Health (Oct. 2013), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/. See also Kiara Alfonseca, “Why Abortion Restrictions Disproportionately Impact People of Color,” ABC News (June 24, 2022), https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809; Dulce Gonzalez et al., Robert Wood Johnson Foundation, “Perceptions of Discrimination and Unfair Judgment While Seeking Health Care” (Mar. 31, 2021), https://www.rwjf.org/en/insights/our-research/2021/03/perceptions-of-discrimination-and-unfair-judgment-while-seeking-healthcare.html; Susan A. Cohen, “Abortion and Women of Color: The Bigger Picture,” 11 Guttmacher Pol’y Rev. (Aug. 6, 2008), https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture; “The Disproportionate Harm of Abortion Bans: Spotlight on Dobbs v. Jackson Women’s Health,” Center for Reproductive Rights (Nov. 29, 2021), https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/ (“Abuses such as forced sterilization of Black, Indigenous, and other people of color and individuals with disabilities specifically exacerbate medical mistrust within reproductive healthcare.”).

159 See Brief of Amici Curiae for Organizations Dedicated to the Fight for Reproductive Justice—Mississippi in Action, et al. at *35–36, Dobbs, 597 U.S. 215 (discussing the likelihood that individuals, particularly those from marginalized communities who terminate their pregnancies and anyone who assists them may be disproportionally likely to face criminal investigation or arrest, given the rates of incarceration of persons from such communities.); see also Elizabeth Yuko, “Women of Color Will Face More Criminalized Pregnancies in Post-‘Roe’ America,” Rolling Stone (Jul. 7, 2020) (“Historically, we’ve seen the criminalization of people of color, young people, and people with lower incomes who’ve had miscarriages and other types of pregnancy losses that the state deemed were their fault [. . .] These groups are the most likely to be reported to law enforcement and investigated”); see also Sentencing Project, State-by-State Data, https://www.sentencingproject.org/research/us-criminal-justice-data/ (last visited Feb. 16, 2024) (U.S. Total: Imprisonment rate per 100,000 residents—355; Black/White disparity—4.8:1; Latinx/White disparity—1.3:1); Racial Disparities in Incarceration, Vera Institute of Justice (Aug. 21, 2023), https://trends.vera.org/ (Prison population rate per 100,000 residents ages 15 to 64. U.S. total incarceration rate 2021 Q2—298, Asian American/Pacific Islander incarceration rate 2021 Q2—100, Black/African American incarceration rate 2021 Q2—1,310, Latinx incarceration rate 2021 Q2—671, Native American incarceration rate 2021 Q2—1,021, White incarceration rate 2021 Q2—281).

160 See Columbia Law Sch. Hum. Rts. Inst. & Ne. Univ. Sch. of Law Program on Hum. Rts. and the Glob. Econ., “Equal Access to Justice: Ensuring Meaningful Access to Counsel in Civil Cases, Including Immigration Proceedings” (July 2014), https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf. See also Lauren Hoffman et al., Ctr. For Am. Progress, “Report: State Abortion Bans Will Harm Women and Families’ Economic Security Across the US” (Aug. 25, 2022), https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/.

161 See Myasar Ihmud, “Lost in Translation: Language Barriers to Accessing Justice in the American Court System,” UIC Law Review (2023) (discussing “access to justice for [limited English proficient (LEP)] individuals is hindered because they are unable to communicate with the court or understand the proceedings. Case law shows that, when unable to communicate with the court, LEP litigants are unable to defend themselves appropriately in criminal or immigration hearings, protect their homes, or keep custody of their children.”), https://repository.law.uic.edu/cgi/viewcontent.cgi?article=2908&context=lawreview; see also “Language Access & Cultural Sensitivity,” Legal Services Corporation (last visited Feb. 21, 2024) (describing how legal aid organizations should plan for providing meaningful access to language services. As of 2013, “close to 25 million people, about 8 percent of the population, has limited English proficiency.”), https://www.lsc.gov/i-am-grantee/model-practices-innovations/language-access-cultural-sensitivity.

162 See, e.g., Gautam Gulati et al., “The experience of law enforcement officers interfacing with suspects who have an intellectual disability—A systematic review,” International Journal of Law and Psychiatry (Sept.-Oct. 2020) (“It is not uncommon for people with [intellectual disability] to be suspects or accused persons when interfacing with Law Enforcement Officers (LEOs) and therefore face arrest, interview and/or custody.”), https://www.sciencedirect.com/science/article/pii/S016025272030073X.

163 See Leslie Read et al., The Deloitte Ctr. for Health Solutions, “Rebuilding Trust in Health Care: What Do Consumers Want—and Need—Organizations to Do?,” at 3 (Aug. 5, 2021) (With focus groups of 525 individuals in the United States who identify as Black, Hispanic, Asian, or Native American, “[f]ifty-five percent reported a negative experience where they lost trust in a health care provider.”), https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html; Liz Hamel et al., Kaiser Family Foundation, “The Undefeated Survey on Race and Health,” at 23 (Oct. 2020) (Percent who say they can trust the health care system to do what is right for them or their community almost all of the time or most of the time: Black adults: 44%; Hispanic adults: 50%; White adults: 55%), https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf; U.S. Dep’t of Health and Hum. Servs., Assistant Sec’y for Pol. & Eval., Off. of Health Pol., “Issue Brief: Health Insurance Coverage and Access to Care for LGBTQ+ Individuals: Current Trends and Key Challenges,” at 9 (June 2021) (A 2021 survey found that 18 percent of LGBTQ+ individuals reported avoiding going to a doctor or seeking health care out of concern that they would face discrimination or poor treatment because of their sexual orientation or gender identity.), https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf; Abigail A. Sewell, “Disaggregating Ethnoracial Disparities in Physician Trust,” Soc. Science Rsch. (Nov. 2015), https://pubmed.ncbi.nlm.nih.gov/26463531/; Irena Stepanikova et al., “Patients’ Race, Ethnicity, Language, and Trust in a Physician,” J. of Health and Soc. Behavior (Dec. 2006), https://pubmed.ncbi.nlm.nih.gov/17240927/.

164 Congress’ directions regarding the issuance of standards for the privacy of IIHI are codified at 42 U.S.C. 1320d–2 note. See also 45 CFR 160.104(a).

C. To Protect the Trust Between Individuals and Health Care Providers, the Department Is Restricting Certain Uses and Disclosures of PHI for Particular Non-Health Care Purposes

As discussed above, Congress enacted HIPAA to improve the efficiency and effectiveness of the health care system, which includes ensuring that individuals have trust in the health care system. Congress also directed the Department to develop standards with respect to the privacy of IIHI as part of its decision to encourage the development of a health information system. To preserve such trust, and to encourage the development and use of a nationwide health information system, it is appropriate and necessary for Federal law and policy to protect the confidentiality of medical records, especially those that are highly sensitive. Accordingly, to protect the trust between individuals and health care providers, this rule restricts certain uses and disclosures of PHI for particular non-health care purposes, i.e., for using or disclosing PHI to conduct a criminal, civil, or administrative investigation into or to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person to initiate such activities. Information about reproductive health care is particularly sensitive and requires heightened privacy protection. The Department’s approach is consistent with efforts across the Federal Government. For example, the Department of Defense (DOD) has recognized such privacy concerns.
In a memorandum to DOD leaders, the Secretary of Defense directed the DOD to “[e]stablish additional privacy protections for reproductive health care information” for service members and “[d]isseminate guidance that directs Department of Defense health care providers that they may not notify or disclose reproductive health information to commanders unless this presumption is overcome by specific exceptions set forth in policy.”165 The Federal Trade Commission (FTC) has also recognized that information about personal reproductive matters is “particularly sensitive” and has committed to using the full scope of its authorities to protect consumers’ privacy, including the privacy of their health information and other sensitive data.166 In business guidance, the FTC explained that “[t]he exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms.”167 As discussed above, the Department has long provided special protections for psychotherapy notes because of the sensitivity around this information. However, unlike psychotherapy notes, which by their very nature are easily segregated, reproductive health information is not easily segregated. Additionally, regulated entities generally do not have the ability to segment certain PHI such that regulated entities could afford special protections for specific categories of PHI.168 Where such technology is available, it is generally cost prohibitive and burdensome to implement.169 Therefore, the Department did not propose, and is not finalizing, a newly defined subset of PHI. Creating such a subset would create barriers to disclosing PHI for care coordination because the PHI would need to be segregated from the remaining medical record. Instead, consistent with the Privacy Rule’s longstanding overall approach,170 the Department is finalizing a purpose-based prohibition against certain uses and disclosures. This rule seeks to protect individuals’ privacy interests in their PHI about reproductive health care and the interests of society in an effective health care system by enabling individuals and licensed health care professionals to make decisions about reproductive health care based on a complete medical record, while balancing those interests with other interests of society in obtaining PHI for certain non-health care purposes. To assist in effectuating this prohibition, the Department is also requiring regulated entities to obtain an attestation in certain circumstances from the person requesting the use or disclosure stating that the use or disclosure is not for a prohibited purpose.

165 Dep’t of Defense, Memorandum Re: Ensuring Access to Reproductive Health Care, at 1 (Oct. 20, 2022) (removed emphasis on “not” in original), https://media.defense.gov/2022/Oct/20/2003099747/-1/-1/1/MEMORANDUM-ENSURING-ACCESS-TO-REPRODUCTIVE-HEALTH-CARE.PDF.

166 Kristin Cohen, “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” Federal Trade Commission Business Blog (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal (last accessed Nov. 15, 2022).

167 Id.

168 See Daniel M. Walker et al., “Interoperability in a Post-Roe Era: Sustaining Progress While Protecting Reproductive Health Information,” JAMA (Nov. 1, 2022) (discussing that segregation of records for reproductive health care is more difficult than for SUD treatment records because “reproductive health services are often provided in the same settings as other primary and acute care and thus could be inferred or directly reflected in many parts of the record.”), https://jamanetwork-com.ezproxyhhs.nihlibrary.nih.gov/journals/jama/fullarticle/2797865; see, e.g., 87 FR 74216, 74221 (Dec. 2, 2022) (noting that 42 CFR part 2 previously resulted in the separation of SUD treatment records from other health records, which led to the creation of data “silos” that hampered the integration of SUD treatment records into covered entities’ electronic record systems and billing processes. When considering amendments to the relevant statute, some lawmakers argued that the silos perpetuated negative stereotypes about persons with SUD and inhibited coordination of care during the opioid epidemic.). See also Health Info. Tech. Advisory Comm., “Health Information Technology Advisory Committee (HITAC) Annual Report for Fiscal Year 2019,” 2019 ONC Ann. Rep., at 37 (Feb. 19, 2020), https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf (“The new certification criteria that support the sharing of data via third-party apps will help advance the use of data segmentation, but adoption of this capability by the industry is not yet widespread.”).

169 See 88 FR 23746, 23898 (Apr. 18, 2023) (explaining that while there are standards for security labels for document-based exchange that the Office of the National Coordinator for Health Information Technology (ONC) adopted in full in 2020 for the criteria in 45 CFR 170.315(b)(7) and (b)(8) to support the application of security labels at a granular level for sending and receiving, standards to define the technical requirements for the actions described by the security label vocabularies do not yet exist. In the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule, published in 2020, ONC estimated a cost of the certification criteria and standards adopted for security labels in 45 CFR 170.315(b)(7) and (b)(8). The Department estimated the total cost to developers could range from $2,910,400 to $6,933,600 and that it would be a one-time cost (85 FR 25926). The criteria do not include the ability for health IT to take the actions described by the security labels. Additionally, ONC did not require that health IT be certified to the criteria described above, making it essentially voluntary. Accordingly, the estimates for health IT developer and health care provider costs were likely significantly lower than they would have been if health IT were required to be certified to the criteria for participation. Thus, the total cost of implementing full segmentation capabilities is likely substantially higher than the per-product cost estimates provided by the Department in that rule). See also 88 FR 23746, 23875 (Apr. 18, 2023) (discussing examples of challenges or technical limitations to electronic health information segmentation that have been described to ONC).

170 See 64 FR 59918, at 59924, 59939, and 59955 (Nov. 3, 1999).
A person (including a regulated entity or someone who requests PHI) who knowingly and in violation of the Administrative Simplification provisions obtains or discloses IIHI relating to another individual would be subject to potential criminal liability.171 Thus, a person who knowingly and in violation of HIPAA falsifies an attestation (e.g., makes a material misrepresentation about the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual’s IIHI could be subject to the criminal penalties provided by the statute.172 Additionally, a regulated entity is subject to potential civil penalties for violations of the HIPAA Rules, including a failure to obtain a valid attestation before disclosing PHI, where an attestation is required.173 The purpose-based prohibition, in concert with the attestation, will restrict the use and disclosure of PHI about lawful reproductive health care where the use or disclosure could harm HIPAA’s overall goals of increasing trust in the health care system, improving health care quality, and protecting individual privacy. At the same time, it will allow uses and disclosures that either support those goals or do not substantially interfere with their achievement. Consistent with the Privacy Rule’s approach, the Department is clarifying that the purpose-based prohibition applies only in certain circumstances, recognizing the interests of both the Federal Government and states while also protecting the information privacy interests of persons who seek, obtain, provide, or facilitate lawful reproductive health care. Thus, the Department is finalizing a Rule of Applicability that balances the privacy interests of individuals and the interests of society in an effective health care system with those of society in the use of PHI for other non-health care purposes by limiting the new prohibition to certain circumstances.

The Department’s experience administering the Privacy Rule, research cited below, our assessment of the needs of individuals and health care providers in light of recent developments to the legal landscape, public comments, and the Regulatory Impact Analysis, in Section VI below, all provide support for the changes finalized in this rulemaking. These changes will improve individuals’ confidence in the confidentiality of their PHI and their trust in the health care system, creating myriad benefits for the health care system. Balancing the privacy interests of individuals and the use of PHI for other societal priorities will continue to support an effective health care system, as Congress intended. This final rule will deter the creation of inaccurate and incomplete medical records, which will help to support the provision of appropriate lawful health care. Health care providers base their treatment recommendations on PHI contained within existing medical records, as well as information shared with them directly by the individual. Thus, where individuals withhold information from their health care providers about lawful health care, health care providers may not be in possession of all of the necessary information to make an informed recommendation for an appropriate treatment plan, which may result in negative health outcomes at both the individual and population level.

171 See 42 U.S.C. 1320d–6(a).

172 See 42 U.S.C. 1320d–6(b).

173 See 42 U.S.C. 1320d–5. See also 45 CFR part 160, subparts A, D, and E.
It will also improve the confidence of individuals, including among the Nation’s most vulnerable communities, that they can securely seek or obtain or share that they sought or obtained lawful reproductive health care without that information being used or disclosed for the purpose of investigating or imposing liability on them for seeking or obtaining that lawful health care. By improving individuals’ confidence and trust in their relationships with their health care providers, it will make individuals more likely to, for example, comply with preventative health screening recommendations, which will protect against a decline in individual and population health outcomes related to missed preventative health screenings. Additional intangible benefits from increased privacy protections in this area include enhanced support for survivors of rape, incest, and sex trafficking. The new attestation requirement discussed in greater detail below will help to assure regulated entities of their ability to operationalize these changes and avoid exposure to HIPAA liability for impermissible disclosures.

IV. General Discussion of Public Comments

The Department received more than 25,900 comments in response to its proposed rule. Overall, these comments represent the views of approximately 51,500 individuals and 350 organizations. Slightly more than half of the individuals and organizations who shared their views expressed general support for the 2023 Privacy Rule NPRM and its objectives. Less than one percent expressed mixed views. Organizational commenters included professional and trade associations, including those representing medical professionals, health plans, health care providers, health information management professionals, health information management system vendors, release-of-information vendors, employers, epidemiologists, and attorneys.
The Department also received comments from advocacy organizations, including those representing patients, privacy advocates, faith-based organizations, and civil rights organizations. The NCVHS also provided comments, as did members of Congress, state, local, and Tribal government officials and public health authorities. Other commenters included health care systems, hospitals, and health care professionals.

A. General Comments in Support of the Proposed Rule

Comment: Many commenters expressed general support for the proposed rule and urged the Department to protect the privacy of individuals by limiting uses and disclosures of PHI for certain purposes where the use or disclosure of information is about reproductive health care that is lawful under the circumstances in which such health care is provided. Many health care providers and individuals emphasized the importance of trusting relationships between individuals and their health care providers. According to individual commenters, a trusting relationship permits individuals to participate in sensitive and difficult conversations with their health care providers and enables health care providers to furnish high-quality and appropriate health care and to maintain accurate and complete medical records, including records that contain information about reproductive health care. Many organizations also submitted comments that expressed agreement with the Department’s position on the importance of the relationship between HIPAA and the HIPAA Rules and trust between individuals and health care providers. For example, an organization commented that privacy has long been a “hallmark” of medical care and agreed with the Department that Congress recognized this principle when it enacted HIPAA.
Some organizations commented that the HIPAA framework of law and rules provides individuals with the necessary trust and confidence to seek reproductive health care without fear of being prosecuted or targeted by law enforcement, including in medical emergencies. Other commenters stated that a trusting confidential relationship between an individual and a health care provider is an essential prerequisite to the delivery of high-quality health care. They also asserted that protective privacy laws, including HIPAA, help to ensure that individuals do not forgo health care. Many individuals asserted that the proposed safeguards are urgently needed to provide individuals with the confidence to seek health care. According to the commenters, the proposal would increase the likelihood that pregnant individuals would receive essential health care, thus improving their overall well-being. One commenter expressed support for the proposal because they believe people should not be held liable or face punishment for seeking, obtaining, providing, or facilitating lawful health care. Another commenter expressed concerns that the increase in state legislation targeting reproductive health care has placed significant burdens on physicians and increased the risk of maternal morbidity and mortality for individuals. A few commenters also expressed agreement with the Department’s assertion that the proposed restrictions would clarify legal obligations of regulated entities with respect to the disclosure of PHI for certain non-health related purposes and would enable persons requesting PHI, including health plans, to better understand when such disclosures are permitted. Response: The Department appreciates these comments and is finalizing the proposed rule with modification, as described in greater detail below. 
Consistent with HIPAA’s goals, this final rule will support the development and maintenance of trust between individuals and their health care providers, encouraging individuals to be forthright with health care providers regarding their health history and providing valuable clarity to the regulated community and individuals concerning their privacy rights with respect to lawfully provided health care. In so doing, the Department helps to support access to health care by increasing individuals’ confidence in the privacy of their PHI about lawfully provided reproductive health care. We are taking these actions as a result of our ongoing evaluation of the environment, including the legal landscape, and consistent with the Privacy Rule’s longstanding balance of individual privacy and societal interests in PHI for non-health care purposes.

Comment: A wide cross-section of commenters, including individuals, health care providers, patient advocacy organizations, reproductive rights organizations, state law enforcement agencies, and others all agreed that individuals who frequently experience discrimination generally also experience it when seeking health care. Many of these commenters urged the Department to recognize that there is a trust deficit in relationships between individuals and health care providers in communities that frequently experience discrimination. Many commenters cited scholarly journals and research articles showing that women of color especially suffer poorer medical outcomes, including higher maternal mortality and denial of medical interventions or treatments.
Commenters who answered the Department’s request for comment about whether members of ‘‘historically underserved and minority communities’’ are more likely to be the subject of investigations into or proceedings against persons in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care unanimously responded in the affirmative. Some commenters expressed concern about the current legal environment’s disproportionately negative effect on the privacy of women and members of marginalized and historically underserved communities and communities of color, such as immigrants who might avoid obtaining health care because of fears that their PHI could be shared with government officials. In general, commenters encouraged the Department to consider the likely negative implications of reduced health information privacy when combined with these disparities on health outcomes for members of marginalized and historically underserved communities and communities of color when crafting the final rule. Some commenters expressed concern about the current legal environment’s disproportionately negative effect on the privacy of members of marginalized and historically underserved communities and communities of color, such as women of color, immigrants and American Indians and Alaska Natives, who might withhold information from health care providers or avoid obtaining health care because of fears that their PHI could be shared with government officials or used to investigate or impose liability on them. Among commenters that addressed this topic, many supported the Department’s proposed purpose-based prohibition. Commenters stated that the proposed rule would help to mitigate medical mistrust of individuals in marginalized and historically underserved communities and communities of color and reduce the racial disparities that result from the increased criminalization of reproductive health care.
Several commenters also addressed the issue of the availability of legal counsel among these communities. A few commenters asserted that individuals who are members of marginalized and historically underserved communities and communities of color are less likely to have access to legal counsel, despite being more likely to be subjects of investigations into or proceedings against persons in connection with obtaining, providing, or facilitating lawful sexual and reproductive health care, and cited to related studies.

Response: We appreciate these comments and thank commenters for sharing these important considerations. As we discussed in the 2023 Privacy Rule NPRM and again here, the experiences of individuals from communities that have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage by virtue of their race, disability, social or economic status, geographic location, or environment have significant negative effects on their relationships with health care providers and their willingness to seek necessary health care. We agree that the current legal landscape has exacerbated the health inequities that these individuals encounter when seeking reproductive health care services. The Department expects that the steps we have taken in this rule will meaningfully strengthen the privacy of PHI about lawful reproductive health care, and as a result, will help to mitigate the exacerbation of health disparities for members of marginalized and historically underserved communities and communities of color. The Department is actively working to reduce health disparities.
In recent months, we released a new plan to address language barriers and strengthen language access in health care,174 and issued three proposed rules to address health disparities: one to revise existing regulations to strengthen prohibitions against discrimination on the basis of a disability in health care and human services programs;175 another to issue new regulations to advance non-discrimination in health and human service programs for the LGBTQI+ community;176 and a third to revise existing regulations to prohibit discrimination on the basis of race, color, national origin, sex, age, and disability in a range of health programs.177 The Department will continue to work to address these concerns, ensure that individuals have access to and do not forgo necessary health care, and build individuals’ trust that health care providers can and will protect the privacy of individuals’ sensitive health information.

174 Press Release, ‘‘Breaking Language Barriers: Biden-Harris Administration Announces New Plan to Address Language Barriers and Strengthen Language Access,’’ U.S. Dep’t of Health and Human Servs. (Nov. 15, 2023), https://www.hhs.gov/about/news/2023/11/15/breaking-language-barriers-biden-harris-administration-announces-new-plan-address-language-barriers-strengthen-language-access.html.

175 Press Release, ‘‘HHS Issues New Proposed Rule to Strengthen Prohibitions Against Discrimination on the Basis of a Disability in Health Care and Human Services Programs,’’ U.S. Dep’t of Health and Human Servs. (Sept. 7, 2023), https://www.hhs.gov/about/news/2023/09/07/hhs-issues-new-proposed-rule-to-strengthen-prohibitions-against-discrimination-on-basis-of-disability-in-health-care-and-human-services-programs.html.

176 Press Release, ‘‘HHS Issues Proposed Rule to Advance Non-discrimination in Health and Human Service Programs for LGBTQI+ Community,’’ U.S. Dep’t of Health and Human Servs. (July 11, 2023), https://www.hhs.gov/about/news/2023/07/11/hhs-issues-proposed-rule-advance-non-discrimination-health-human-service-programs-lgbtqi-community.html.

177 Press Release, ‘‘HHS Announces Proposed Rule to Strengthen Nondiscrimination in Health Care,’’ U.S. Dep’t of Health and Human Servs. (July 25, 2022), https://www.hhs.gov/about/news/2022/07/25/hhs-announces-proposed-rule-to-strengthen-nondiscrimination-in-health-care.html.

Comment: A few commenters agreed with the Department’s position that the proposed rule would appropriately protect individuals against growing threats to their privacy with respect to PHI about reproductive health care while permitting states to conduct law enforcement activities.

Response: The Privacy Rule always has and continues to balance privacy interests and other societal interests by permitting disclosures of PHI to support public policy goals, including disclosures to support certain criminal, civil, and administrative law enforcement activities; the operation of courts and tribunals; health oversight activities; the duties of coroners and medical examiners; and the reporting of child abuse, domestic violence, and neglect to appropriate authorities. We appreciate these comments that recognized the growing threat to the privacy of PHI and the need to strike an appropriate balance between ensuring health care privacy and conducting law enforcement activities. We are finalizing the proposed rule with modification as described in greater detail below.

B. General Comments in Opposition to the Proposed Rule

Comment: Several commenters generally opposed the proposed rule because of their opposition to certain types of reproductive health care. Many commenters opposed the proposed rule generally because they believed that it would harm women and children.
Other commenters expressed concern that the proposals would increase administrative burdens and costs for health care providers; impede parental rights; prevent mandatory reporting of child abuse or abuse, domestic violence, and neglect; infringe upon states’ rights; thwart law enforcement investigations; inhibit disclosures for public health activities; and protect those who engage in unlawful activities.

Response: The modifications to the Privacy Rule in this final rule directly advance Congress’ directive in HIPAA to improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information,178 including a standard for the privacy of IIHI that, among other things, addresses the ‘‘uses and disclosures of such information that should be authorized or required.’’179 As discussed in greater detail elsewhere in this final rule, a trusting relationship between individuals and health care providers is the foundation of effective health care. A primary goal of the Privacy Rule is to ensure the privacy of an individual’s PHI while permitting necessary uses and disclosures of PHI that enable high-quality health care and protect the health and well-being of all individuals, including women and children, and the public. From the outset, the Department structured the Privacy Rule to ensure that individuals do not forgo lawful health care when needed—or withhold important information from their health care providers that may affect the quality of health care they receive out of a fear that their sensitive information would be revealed outside of their relationship with their health care provider.

178 See 42 U.S.C. 1320d note.

179 See 42 U.S.C. 1320d-2 note.
The Department has long been committed to protecting the privacy of PHI and providing the opportunity for an authentic, trusting relationship between individuals and health care providers. As we discussed in the 2023 Privacy Rule NPRM and again here, this final rule will help engender trust between individuals and health care providers and confidence in the health care system. We believe that this confidence will eliminate some of the burdens health care providers face in providing high-quality health care, encourage health care providers to accurately document PHI in an individual’s medical record, and encourage individuals to provide health care providers with their complete and accurate health history, all of which will ultimately support better health outcomes. Nothing in this final rule sets forth a particular standard of care or affects the ability of health care providers to exercise their professional judgment. This final rule protects the relationship between individuals and health care providers by protecting the privacy of PHI in circumstances where recent legal developments have increased concerns about that information being used and disclosed to harm persons who seek, obtain, provide, or facilitate reproductive health care under circumstances in which such health care is lawful, while continuing to permit uses and disclosures that confer other social benefits. It is narrowly tailored and respects the interests of both states and the Department. The final rule continues to permit regulated entities to use or disclose PHI to comply with certain mandatory reporting laws, for public health activities, and for law enforcement purposes when the uses and disclosures are compliant with the applicable provisions of the Privacy Rule. 
Further, consistent with the longstanding operation of the Privacy Rule, this final rule requires that, in certain circumstances, regulated entities obtain information from persons requesting PHI, such as law enforcement, before the regulated entities may use or disclose the requested PHI. The Department recognizes that this final rule may increase the burden on those persons making requests for PHI, such as federal and state law enforcement officials, by requiring, in certain circumstances, that regulated entities obtain more information from such persons than previously required, and may, at times, prevent regulated entities from using or disclosing PHI that they previously would have been permitted to use or disclose. For example, the Department recognizes that situations may arise where a regulated entity reasonably determines that reproductive health care was lawfully provided, while at the same time, the person requesting the PHI (e.g., law enforcement) reasonably believes otherwise. In such circumstances, where the regulated entity provided the reproductive health care, and upon receiving a request for the PHI for a purpose that implicates the prohibition, reasonably determines that the provision of reproductive health care was lawful, the final rule would prohibit the regulated entity from disclosing PHI for certain types of investigations into the provision of such health care.
This constitutes a change from the current Privacy Rule, under which a regulated entity is permitted, but not required, to make a use or disclosure under 45 CFR 164.512(f) of information that is ‘‘relevant and material to a legitimate’’ law enforcement inquiry, provided that certain conditions are met; these conditions include, for example, that the request is specific and limited in scope to the extent reasonably practicable given the purpose for which the information is sought.180 Similarly, the Department acknowledges that, where the regulated entity did not provide the reproductive health care that is the subject of the investigation or imposition of liability, the Rule of Applicability and Presumption, discussed below, may require regulated entities to obtain additional information, that is, factual information that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided, from persons requesting PHI before using or disclosing the requested PHI. Consistent with HIPAA and the Department’s longstanding approach in the Privacy Rule, the Department is finalizing an approach that strikes an appropriate balance between the privacy interests of individuals and the interests of law enforcement, and private parties afforded legal rights of action, in obtaining PHI for certain non-health care purposes.

180 See 45 CFR 164.512(f)(1)(ii)(C).
While this approach may adversely affect particular interests of law enforcement, and private parties afforded legal rights of action, in some cases, the Department believes that the final rule best balances these competing interests by enhancing privacy protections without unduly interfering with legitimate law enforcement activities and does so in a manner that is consistent with the approach taken elsewhere in the Privacy Rule. As explained above, individual privacy interests are especially strong where individuals seek lawful reproductive health care. In particular, individuals may forgo lawful health care or avoid disclosing previous lawful health care to providers because they fear that their PHI will be disclosed. The Department believes these concerns are exacerbated by the prospect of state investigations into, and resulting intimidation and criminalization of, health care providers for providing lawful reproductive health care, as well as state laws encouraging state residents to sue persons who facilitate individuals’ access to legal health care. The final rule addresses these interests by protecting privacy in situations where the reproductive health care at issue is especially likely to be lawful under the circumstances in which such health care was provided. Where a regulated entity receives a request for PHI about reproductive health care that the regulated entity provided, such health care is likely to be lawful where the regulated entity reasonably determines, based on all information in its possession, that such health care was lawful under the circumstances in which it was provided. 
Similarly, where a regulated entity receives a request for PHI about reproductive health care that the regulated entity did not provide, such health care is likely to be lawful where law enforcement is unable to provide factual information that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided. The Department recognizes that, in some cases, the approach adopted in this final rule may inadvertently prohibit the disclosure of PHI about reproductive health care that was unlawfully provided, such as where a health care provider reasonably but incorrectly determines that the reproductive health care it provided was lawful under the circumstances in which such health care was provided. This is similar to how the Privacy Rule has always potentially prevented the use or disclosure of PHI that could be useful to law enforcement in certain circumstances because the request for PHI does not meet the conditions of the applicable permission. Nevertheless, given the importance of protecting individual privacy in this area, the Department has determined that the final rule adopts the appropriate balance between individual privacy and the interests of other persons, such as law enforcement. Specifically, the Department believes that the benefits to individual privacy of a broadly protective rule outweigh the benefits to societal interests in the use or disclosure of PHI from a narrower rule. While a narrower rule would more broadly permit disclosures related to PHI that might concern reproductive health care that is not lawful under the circumstances in which it is provided, such a rule would inadvertently permit more disclosures of PHI about lawful reproductive health care.
Accordingly, the Department concludes that the final rule must be sufficiently broad to protect against such disclosures, given the paramount importance of individual privacy in this area. Moreover, as explained above, individual privacy interests are paramount to promote free and open communication between individuals and their health care providers, thereby ensuring that individuals receive high-quality care based on their accurate medical history. Society has long recognized that information exchanged as part of a specific relationship for which trust is paramount should be entitled to heightened protection (e.g., marital privilege, attorney-client privilege, doctor-patient privilege). Similarly, this final rule seeks to address situations where privacy interests are especially important, based both on the content of the information that is protected from disclosure (concerning lawful reproductive health care) and the context in which that information is shared (concerning a trust-based relationship between individuals and their health care providers). In contrast, the potential adverse effects of this final rule on other interests, such as those of law enforcement, are limited by the narrow scope of this final rule. This final rule does not seek to prohibit disclosures of PHI where the request is for reasons other than investigating or imposing liability on persons for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided.
For example, as explained in the NPRM and below, the final rule does not prohibit the use or disclosure of PHI for investigating alleged violations of the Federal False Claims Act or a state equivalent; conducting an audit by an Inspector General aimed at protecting the integrity of the Medicare or Medicaid program where the audit is not inconsistent with this final rule; investigating alleged violations of Federal nondiscrimination laws or abusive conduct, such as sexual assault, that occur in connection with reproductive health care; or determining whether a person or entity violated 18 U.S.C. 248 regarding freedom of access to clinic entrances. In each of these cases, the request is not made for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. Even when the request is for the purpose of investigating or imposing liability on the mere act of seeking, obtaining, providing, or facilitating reproductive health care, this final rule does not seek to prohibit disclosures of PHI about reproductive health care that is not lawful under the circumstances in which it was provided. Thus, in most situations involving reproductive health care that is not lawful under the circumstances in which it is provided, this final rule will not prevent the use or disclosure of PHI to investigate or impose liability on persons for such legal violations, provided such disclosures are otherwise permitted by the Privacy Rule. Moreover, where a regulated entity did not provide the reproductive health care at issue, this final rule prohibits the use or disclosure of PHI where the person making the request does not provide sufficient information to overcome the presumption of legality.
In such cases, law enforcement agencies and other persons have a reduced interest in obtaining such PHI where the information does not demonstrate to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the circumstances in which such health care was provided. This final rule does not prohibit the use or disclosure of PHI to investigate or impose liability on persons where reproductive health care is unlawful under the circumstances in which it is provided. Instead, the final rule prohibits the use or disclosure of PHI in narrowly tailored circumstances (i.e., where the use or disclosure is to conduct an investigation or impose liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify a person for such activities). For example, once this final rule is in effect, a covered health care provider may still disclose PHI to a medical licensing board investigating a health care provider’s actions related to their obligation to report suspected elder abuse, assuming the disclosure meets the conditions of an applicable Privacy Rule permission. This is because the final rule does not bar the use or disclosure of PHI for health oversight purposes, which is unrelated to the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
Additionally, even where the final rule prohibits the use or disclosure of PHI to investigate potentially unlawful reproductive health care (i.e., where a regulated entity reasonably determines that the reproductive health care they provided was lawful, or where the presumption of legality is not overcome), law enforcement retains other ways of investigating reproductive health care that they suspect may have been unlawfully provided. For example, law enforcement retains the use of other traditional and otherwise lawful investigatory means for obtaining information, such as conducting witness interviews and accessing other sources of information not covered by HIPAA. The final rule is therefore tailored to protect the relationship between individuals and their health care providers specifically, while leaving unaffected law enforcement’s ability to conduct investigations using information from other sources. With respect to commenters’ concerns about parental rights, this final rule also does not interfere with the ability of states to define the nature of the relationship between a minor and a parent or guardian.

Comment: A few commenters that expressed negative views asserted that the proposed rule exceeded the Department’s statutory authority under HIPAA or was beyond the Department’s rulemaking authority. Some commenters stated that the rulemaking was arbitrary and capricious and would make it difficult for law enforcement to investigate reproductive health care and engage in health oversight activities and would require health care providers to provide certain types of health care against which they have objections. Some commenters expressed concern about the balance of powers between the states and the federal government. Other commenters suggested that the proposals preempt state laws serving public health, safety, and welfare.
Response: As discussed above, Congress explicitly stated that the purpose of HIPAA’s Administrative Simplification provisions was to improve the efficiency and effectiveness of the health care system. For the health care system to be effective, individuals must trust that information that they share with health care providers about lawful health care will remain private. Accordingly, since their inception, the HIPAA Rules have required that regulated entities narrowly tailor disclosures to law enforcement to protect an individual’s privacy.181 While the Department is adopting an approach in this final rule that is more protective of privacy interests than the current Privacy Rule in certain circumstances, these changes are necessary to appropriately balance privacy interests and the interests of law enforcement, and private parties afforded legal rights of action, in light of the changing legal environment. This is discussed in detail above. In both the 2023 Privacy Rule NPRM and this final rule, the Department cited to multiple studies documenting the real-world harm to health and health care in the changing legal environment. As explained above, the Department acknowledges that this final rule may affect certain state interests in obtaining PHI to investigate potentially unlawful reproductive health care, but the Department has tailored the final rule to strike the appropriate balance between privacy interests and state interests. This final rule limits the potential harm to individuals, health care providers, and others resulting from the disclosure of PHI to investigate or punish individuals for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided.
We emphasize that nothing in this rule or any of the HIPAA Rules requires a health care provider to provide any type of health care, including any type of reproductive health care.

181 See, e.g., 45 CFR 164.512(f) and 164.514(d)(3)(iii).

Comment: Several commenters asserted that the proposed rule would impede states’ enforcement of their own laws, including those concerning sexual assault and sex trafficking. Many commenters opposed the proposed rule because they believed it would inhibit the ability of states to investigate or enforce laws prohibiting minors from obtaining certain types of health care and prevent the commenters from reporting minors who they believe are coerced into obtaining such health care to authorities.

Response: This rule does not prohibit the disclosure of PHI for investigating allegations of or imposing liability for sexual assault, sex trafficking, or coercing minors into obtaining reproductive health care. Rather, this final rule modifies the existing HIPAA Privacy Rule standards by prohibiting uses and disclosures of PHI to investigate or impose liability on individuals, regulated entities, or other persons for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such reproductive health care is provided, or to identify any person to investigate or impose liability on them for such purposes. Accordingly, requests for the disclosure of PHI to investigate such allegations of or impose liability for such crimes do not fall within the final rule’s prohibition, and the presumption of lawfulness likewise would not be triggered because the prohibition would not apply.
A regulated entity therefore would not be prohibited from disclosing an individual’s PHI when subpoenaed by law enforcement for the purpose of investigating such allegations, assuming that law enforcement provided a valid attestation and met the other conditions of the applicable permission. Moreover, as explained above, the final rule is tailored to prohibit disclosures related to lawful reproductive health care, thereby reducing the interference with law enforcement interests to create an appropriate balance with privacy interests.

Comment: Some states expressed concern that the proposed rule would intrude into areas where the HIPAA Rules have previously acknowledged state control, such as enforcement of state and local laws, regulation of the practice of health care, and reporting of abuse.

Response: This final rule balances the interests of individuals in the privacy of their PHI and of society in an effective health care system with those of society in obtaining PHI for certain non-health care purposes. The Privacy Rule always has and continues to permit disclosures of PHI to support public policy goals, including disclosures to support criminal, civil, and administrative law enforcement activities; the operation of courts and tribunals; health oversight activities; the duties of coroners and medical examiners; and the reporting of child abuse, domestic violence, and neglect to appropriate authorities. As explained above, while the final rule adopts an approach that is more protective of privacy interests in certain circumstances than the previous Privacy Rule, the final rule continues to balance the interests that HIPAA Rules have long sought to protect with those of society in PHI.

C. Other General Comments on the Proposed Rule

Comment: Commenters urged the Department to provide enhanced privacy protections for health information that is not covered by existing frameworks or specifically addressed in the proposed rule. A few professional associations expressed support for revising the Privacy Rule to provide stronger protection for the privacy of reproductive health care information and urged the Department to modify the Privacy Rule to provide even stronger protections than those proposed in the 2023 Privacy Rule NPRM.

Response: The Department’s authority under HIPAA is limited to protecting the privacy of IIHI that is maintained or transmitted by covered entities and, in some cases, their business associates. Specific modifications to the Privacy Rule to protect the privacy of PHI are described in greater detail below. Consistent with the Department’s longstanding approach with respect to the Privacy Rule, the modifications we are finalizing in this rule strike a balance between protecting an individual’s right to health information privacy with the interests of society in permitting the disclosure of PHI to support the investigation or imposition of liability for unlawful conduct. In particular, the final rule does not prohibit the disclosure of PHI about reproductive health care that was unlawfully provided, because an individual’s privacy interests in reproductive health care that is not lawful (e.g., a particular type of reproductive health care that is provided by a nurse practitioner in a state that requires that type of reproductive health care to be provided by a physician) are comparatively lower than a state’s interests in investigating and imposing liability on persons for unlawful reproductive health care. We will continue to monitor legal developments and their effects on individual privacy as we consider the need for future modifications to the Privacy Rule.
Comment: Several commenters questioned how the proposed rule would affect their current business associate and data exchange agreements.

Response: The modifications in this final rule may require regulated entities to revise existing business associate agreements where such agreements permit regulated entities to engage in activities that are no longer permitted under the revised Privacy Rule. Regulated entities must be in compliance with the provisions of this rule by December 23, 2024.

Comment: A few commenters requested clarification of whether minors and legal adults have the same protections under the Privacy Rule and whether this rule would alter existing protections.

Response: The final rule does not change how the Privacy Rule applies to adults and minors. Thus, all of the protections provided to PHI by this final rule apply equally to adults and minors. For example, under this final rule, a regulated entity is prohibited from using or disclosing a minor’s PHI for the purposes prohibited under 45 CFR 164.502(a)(5)(iii). The Privacy Rule generally permits a parent to have access to the medical records about their child as their minor child’s personal representative when such access is consistent with state or other law, with limited exceptions.[182] Additional information about how the Privacy Rule applies to minors can be found at 45 CFR 164.502(g) and on the OCR website.[183]

Comment: Many commenters urged the Department to take an educational approach, rather than a punitive one, with respect to enforcement against regulated entities. In addition, many commenters addressed the need for resources and education for successful implementation of the proposed changes to the Privacy Rule. They called for the Department to collaborate with and educate regulated entities, individuals, and others affected by the proposed revisions, such as law enforcement, as well as for the Department to partner with other Federal agencies and state governments to conduct the education. Some suggested that educational resources should include multiple media formats and a centralized platform.

Response: The Department frequently issues non-binding guidance and conducts outreach to help regulated entities achieve compliance. We appreciate these recommendations and will consider these topics for future guidance. Regulated entities are expected to comply with the Privacy Rule as revised once the compliance date has passed.

[182] See 45 CFR 164.502(g) (describing personal representatives) and 164.524(a)(3) (describing reviewable grounds for denial of access to PHI by a personal representative).
[183] Off. for Civil Rights, ‘‘Health Information Privacy,’’ U.S. Dep’t of Health and Human Servs., https://www.hhs.gov/hipaa/.

V. Summary of Final Rule Provisions and Public Comments and Responses

The Department is modifying the Privacy Rule to strengthen privacy protections for individuals’ PHI by adding a new category of prohibited uses and disclosures of PHI.
This final rule prohibits a regulated entity from using or disclosing an individual’s PHI for the purpose of conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided, meaning that it is either: (1) lawful under the circumstances in which such health care is provided and in the state in which it is provided; or (2) protected, required, or authorized by Federal law, including the United States Constitution, regardless of the state in which such health care is provided. In both of these circumstances, as explained above, the interests of the individual in the privacy of their PHI and of society in ensuring an effective health care system outweigh those of society in the use of PHI for non-health care purposes. To operationalize this modification, the Department is revising or clarifying certain definitions and terms that apply to the Privacy Rule, as well as other HIPAA Rules. This final rule also prohibits a regulated entity from using or disclosing an individual’s PHI for the purpose of identifying an individual, health care provider, or other person for the purpose of initiating such an investigation or proceeding against the individual, a health care provider, or other person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. To effectuate these proposals, the Department is finalizing conforming and clarifying changes to the HIPAA Rules.
These changes include, but are not limited to, clarifying the definition of ‘‘person’’ to reflect longstanding statutory language defining the term; adopting new definitions of ‘‘public health’’ surveillance, investigation, or intervention, and ‘‘reproductive health care’’; adding a new category of prohibited uses and disclosures; clarifying that a regulated entity may not decline to recognize a person as a personal representative for the purposes of the Privacy Rule because they provide or facilitate reproductive health care for an individual; imposing a new requirement that, in certain circumstances, regulated entities must first obtain an attestation that a requested use or disclosure is not for a prohibited purpose; and requiring modifications to covered entities’ NPPs to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under this final rule. The Department’s section-by-section description of the final rule is below.

A. Section 160.103 Definitions

1. Clarifying the Definition of ‘‘Person’’

HIPAA does not define the term ‘‘person.’’[184] The HIPAA Rules have long defined ‘‘person’’ to mean ‘‘a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.’’[185] This meaning was based on the definition of ‘‘person’’ adopted by Congress in the original SSA, as an ‘‘individual, a trust or estate, a partnership, or a corporation.’’[186] In 2002, Congress enacted 1 U.S.C. 8, which defines ‘‘person,’’ ‘‘human being,’’ ‘‘child,’’ and ‘‘individual.’’[187] The statute specifies that these definitions shall apply when ‘‘determining the meaning of any Act of Congress, or of any ruling, regulation, or interpretation of the various administrative bureaus and agencies of the United States.’’[188] The Department understands 1 U.S.C. 8 to provide definitions of ‘‘person,’’ ‘‘individual,’’ and ‘‘child’’ that do not include a fertilized egg, embryo, or fetus, and are consistent with the Department’s understanding of those terms, as used in the SSA, HIPAA, and the HIPAA Rules. The Department proposed to clarify the term ‘‘natural person’’ in a manner consistent with 1 U.S.C. 8.[189] Thus, the Department proposed to clarify that all terms subsumed within the definition of ‘‘natural person,’’ such as ‘‘individual,’’[190] are limited to the confines of the term ‘‘person.’’[191] As discussed in the 2023 Privacy Rule NPRM, the purpose of this proposal was to better explain to regulated entities and other stakeholders the parameters of an ‘‘individual’’ whose PHI is protected by the HIPAA Rules.

Many individuals and organizations commented on the proposal to clarify the definition ‘‘person.’’ Organizational commenters, including professional associations representing health care providers, advocacy groups, and academic departments, generally supported the proposal. Several commenters applauded the proposed clarification because they believed it would limit disclosures of PHI in cases where no individual has been harmed. Most opponents of the proposed clarification were individuals participating in form letter campaigns who expressed concern that the proposal might diminish access to prenatal care. Others asserted that the proposed clarification would contradict or conflict with existing laws, such as mandatory reporting laws and Federal statutes that rely upon a different definition of ‘‘person.’’

The final rule adopts the proposed clarification of the definition of person, to mean a ‘‘natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.’’ Therefore, an ‘‘individual,’’ ‘‘child,’’ or ‘‘victim’’ (e.g., a victim of crime) under the HIPAA Rules must be a natural person. As we explained in the 2023 Privacy Rule NPRM, this clarification is consistent with the SSA, HIPAA, and 1 U.S.C. 8. This clarification applies only to regulations issued pursuant to the Administrative Simplification provisions of HIPAA.[192] This clarification is consistent with the Privacy Rule’s longstanding definitions of ‘‘person’’[193] and ‘‘individual,’’[194] as applied to Privacy Rule provisions permitting certain types of reports or other disclosures of PHI. For example, a regulated entity is permitted to disclose PHI about an individual who the regulated entity reasonably believes to be a victim of abuse, neglect, or domestic violence only where the individual is a ‘‘natural person.’’[195] In addition, because a ‘‘victim’’ necessarily is a natural person, the permission to disclose PHI to avert a serious threat to health or safety at 45 CFR 164.512(j)(i) does not permit disclosures when the perceived threat does not involve the health or safety of a natural person or the public, or when an individual has not caused serious physical harm to a natural person.

Comment: Many organizational commenters expressed support for the proposal to clarify the definition of ‘‘person.’’ One commenter stated that this clarification should prevent law enforcement from attempting to avoid the proposed prohibition. According to another commenter, this proposed clarification is crucial as stakeholders adapt to the current reproductive health landscape. Several commenters expressed support for the Department’s proposal but requested additional clarifications. For example, one commenter recommended that the Department clarify whether the definition would preempt state laws.

Response: We take the opportunity to emphasize here that the clarification only applies to the HIPAA Rules and explains certain terms that apply to the permissions for uses and disclosures of PHI by regulated entities.

[184] See 42 U.S.C. 1320d–1320d–8.
[185] 45 CFR 160.103.
[186] See section 1101(3) of Public Law 74–271, 49 Stat. 620 (Aug. 14, 1935) (codified at 42 U.S.C. 1301(3)).
[187] 1 U.S.C. 8(a). The Department is not opining on whether any state law confers a particular legal status upon a fertilized egg, embryo, or fetus. Rather, the Department cites to this statute to help define the scope of privacy protections that attach pursuant to HIPAA and its implementing regulations.
[188] Id.
[189] 88 FR 23506, 23523 (Apr. 17, 2023).
[190] 45 CFR 160.103 (definition of ‘‘Individual’’).
[191] See Sharon T. Phelan, ‘‘The Prenatal Record and the Initial Prenatal Visit,’’ The Glob. Libr. of Women’s Med. (last updated Jan. 2008) (PHI about the fetus is included in the mother’s PHI), https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl.
[192] See 42 U.S.C. 1320d.
[193] 45 CFR 160.103 (definition of ‘‘Person’’). The Department first defined the term ‘‘person’’ in the HIPAA Rules as part of the 2003 Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings Interim Final Rule (2003 Interim Final Rule) to distinguish a ‘‘natural person’’ who could testify in the context of administrative proceedings from an ‘‘entity’’ (defined therein as a ‘‘legal person’’) on whose behalf a person would testify. See 45 CFR 160.502 of the 2003 Interim Final Rule, 68 FR 18895, 18898 (Apr. 17, 2003) (Person is defined to mean a natural person or a legal person).
[194] 45 CFR 160.103 (definition of ‘‘Individual’’). The definition of ‘‘individual’’ in the HIPAA Rules was first adopted in the 2000 Privacy Rule.
We do not believe it is necessary to further clarify the final regulatory text because the current definition remains unchanged other than to incorporate the plain wording of 1 U.S.C. 8.

Comment: A few commenters expressed opposition to the Department’s proposed clarification of ‘‘person’’ as tantamount to eliminating legal protections for and recognition of categories of human beings based on developmental stage. Some commenters maintained that the proposed clarification of ‘‘person’’ was inaccurate. Several commenters opposed the proposed clarification of ‘‘person’’ because it would affect the provision of prenatal care. A few commenters asserted that the proposed clarification would prevent the collection of medical information about reproductive health care for important purposes, such as public health and research.

Response: We are clarifying the definition of person consistent with applicable Federal law only for the purpose of applying HIPAA’s Administrative Simplification provisions. This clarification will not affect how the term ‘‘person’’ is applied for purposes of other laws, affect any rights or protections provided by any other law, or affect standards of health care, including prenatal care. This final rule does not affect the reporting of vital statistics, nor does it affect the ability of regulated entities to use and disclose PHI for research. The Privacy Rule’s standards for uses and disclosures for public health surveillance, investigations, and interventions, or for health oversight activities, are discussed elsewhere.

[195] See 45 CFR 164.512(c)(1). This provision explicitly excludes reports of child abuse, which are addressed by 45 CFR 164.512(b)(1).
Comment: Several commenters requested additional clarifications to the Department’s proposed clarification of ‘‘person.’’ A few commenters asserted that the proposed clarification would be overly expansive. Most of these same commenters disagreed with the Department’s interpretation of 1 U.S.C. 8.[196] Commenters asserted that the clarification was inconsistent or conflicted with other laws.

Response: The clarified definition of person that we are finalizing in this rule does not change the Department’s interpretation of the term or change definitions under other law, such as state law. It also is consistent with Federal law, including 1 U.S.C. 8, which specifically applies to Federal regulations, and other examples cited by commenters. For example, both GINA and the Privacy Rule protect the genetic information of a fetus carried by a pregnant individual as the PHI of the pregnant individual.[197] The other laws cited by commenters address policy concerns that are different from those health information privacy issues addressed under HIPAA and do not address personhood. Even if those statutes did adopt different understandings of who is a ‘‘person,’’ the Department has the authority to clarify or define terms that apply to the Administrative Simplification regulations issued pursuant to HIPAA. Additionally, the definition in the final rule of 1 U.S.C. 8 is appropriate because it is consistent with the Department’s longstanding interpretation of the term in the context of HIPAA’s Administrative Simplification provisions and associated regulations. Many Federal and state laws operate with differing definitions of common terms, to which existing legal standards that govern how such differences are to be interpreted would apply.[198]

Comment: A few commenters asserted that the proposal would expand minors’ access to hormone therapy or surgeries without requiring parental consent.

Response: The final rule’s clarification to define the term ‘‘person’’ does not affect the ability of a parent to make decisions related to health care for an individual who is an unemancipated minor,[199] and nothing in this rule dictates a standard of care. The application of this definition is limited to the HIPAA Rules.

Comment: A few commenters asserted that the proposed clarification would help to prevent the misapplication of child abuse laws to individuals who engage in certain behaviors while pregnant (e.g., use of an illicit substance or alcohol). Several other commenters expressed concern that this definition would limit the ability of a regulated entity to apply the Privacy Rule permission to use or disclose PHI to prevent a serious and imminent threat to a fertilized egg, embryo, or fetus.

Response: Under this final rule, a regulated entity would continue to be permitted to disclose PHI about an individual who the covered entity reasonably believes is a victim of child abuse or neglect, consistent with 45 CFR 164.512(b)(1)(ii), or a victim of abuse, neglect, or domestic violence, consistent with 45 CFR 164.512(c), to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence under the circumstances set forth under 45 CFR 164.512(c) where the individual meets the clarified definition of person. The Privacy Rule permission concerning serious and imminent threats[200] applies to threats to a person, consistent with the definition as clarified by this final rule, or the public.

[196] 1 U.S.C. 8(a).
[197] Public Law 110–233, 122 Stat. 881. See generally Off. for Civil Rights, ‘‘Health Information Privacy, Genetic Information,’’ U.S. Dep’t of Health and Human Servs. (Content last reviewed June 16, 2017), https://www.hhs.gov/hipaa/for-professionals/special-topics/genetic-information/index.html#:~:text=The%20Genetic%20Information%20Nondiscrimination%20Act,into%20two%20sections%2C%20or%20Titles.
[198] See 45 CFR 164.524. See also William Baude & Stephen E. Sachs, ‘‘The Law of Interpretation,’’ 130 Harv. L. Rev. 1079 (2017).
[199] 45 CFR 164.502(g).
[200] See 45 CFR 164.512(j)(1)(i).

2. Interpreting Terms Used in Section 1178(b) of the Social Security Act

Reporting of Disease or Injury, Birth, or Death

Section 1178(a) of the SSA provides that HIPAA generally preempts contrary state laws with certain limited exceptions, such as those described in section 1178(b).[201] Specifically, section 1178(b) excepts from HIPAA’s general preemption authority laws that provide for certain public health reporting, such as the reporting of disease or injury, birth, or death.[202] HIPAA does not define the terms in section 1178(b) that govern the scope of this exception to HIPAA’s general preemption authority, nor has the Department previously defined such terms through rulemaking. The Department recognizes that such public health reporting activities are an important means of identifying threats to the health and safety of the public. Accordingly, when a public health authority[203] has furnished documentation of its authority[204] to collect or receive such information, the Privacy Rule permits a regulated entity, without an individual’s authorization, to use or disclose PHI to specified persons for public health activities.[205] These activities include all of the vital statistics reporting activities described in section 1178(b), including reporting of diseases and injuries, birth, or death.[206]

The Department proposed to interpret in preamble key terms used in section 1178(b) to clarify when HIPAA’s general preemption authority applies. Specifically, the Department proposed an interpretation of section 1178(b) that would clarify that HIPAA’s general preemption authority applies to laws that require regulated entities to use or disclose PHI for a purpose that would be prohibited under the proposed rule. Under this interpretation, the Privacy Rule permission to use or disclose PHI without an individual’s authorization for the reporting of disease or injury, birth, or death[207] would not permit the use or disclosure of PHI for a criminal, civil, or administrative investigation into or proceeding against a person in connection with seeking, obtaining, providing, or facilitating reproductive health care. The Department did not intend this clarification to prevent disclosures of PHI from regulated entities to public health authorities for public health purposes that have been and continue to be permitted under the Privacy Rule. Nor did the Department intend for this proposed clarification to prevent disclosures of PHI by regulated entities under other permissions in the Privacy Rule, such as for law enforcement purposes,[208] when made consistent with the conditions of the relevant permission and where the purpose of the disclosure is not one for which a use or disclosure would have been prohibited under 45 CFR 164.502(a)(5)(iii) as proposed.

[201] 42 U.S.C. 1320d–7(a).
[202] 42 U.S.C. 1320d–7(b).
[203] 45 CFR 164.501 (definition of ‘‘Public health authority’’).
[204] 45 CFR 164.514(h).
[205] This is unchanged by this final rule.
[206] See 45 CFR 164.512(b). The Privacy Rule addresses its interactions with laws governing excepted public health activities in two sections: 45 CFR 164.512(a), Standard: Uses and disclosures required by law, and 45 CFR 164.512(b), Standard: Uses and disclosures for public health activities.
[207] 45 CFR 164.512(b).
[208] 45 CFR 164.512(f).

The Department did not propose to define ‘‘disease or injury,’’ ‘‘birth,’’ or ‘‘death,’’ because we believed that these terms, when read with the definition of ‘‘person’’ and in the broader context of HIPAA, would exclude information about reproductive health care without the need for further clarification.[209] However, the Department invited public comment on whether it would be beneficial to make such clarification. Few commenters addressed interpretation of these terms. Some commenters expressed concern that the Department’s interpretation would prevent beneficial public health reporting about certain types of reproductive health care, while others requested that the Department prohibit public health reporting about certain types of reproductive health care. Some commenters on this issue agreed with the Department’s interpretation and clarification of the terms used in 1178(b). Several of these commenters requested that the Department define or clarify these terms because reporting standards are inconsistent across states.

The Department declines to add definitions for ‘‘disease or injury,’’ ‘‘birth,’’ or ‘‘death’’ to the Privacy Rule in this final rule. However, we offer the discussion below to provide additional context on our interpretation of these terms. At the time of HIPAA’s enactment, state laws provided for the reporting of disease or injury, birth, or death by covered health care providers and other persons.[210] State public health reporting systems were well established and involved close collaboration between the state, local, or territorial jurisdiction and the Federal Government.[211] Reports generally were made to public health authorities or, in some specific cases, law enforcement (e.g., reporting of gunshot wounds).[212] Similar public health reporting systems continue to exist today.

Reporting of ‘‘disease or injury’’ commonly refers to diagnosable health conditions reported for limited purposes such as workers’ compensation, tort claims, or communicable or other disease or injury tracking efforts. States, territories, and Tribal governments require health care providers (e.g., physicians, laboratories) and some others (e.g., medical examiners, coroners, veterinarians,[213] local boards of health) to report cases of certain diseases or conditions that affect public health, such as coronavirus disease 2019 (COVID–19), malaria, and foodborne illnesses.[214] Such reporting enables public health practitioners to study and explain diseases and their spread, along with determining appropriate actions to prevent and respond to outbreaks.[215] States also require health care providers to report incidents of certain types of injuries, such as those caused by gunshots, knives, or burns.[216] Various Federal statutes use the phrase ‘‘disease or injury’’ similarly to refer to events such as workplace injuries for purposes of compensation.[217]

[209] 88 FR 23506, 23523 (Apr. 17, 2023).
[210] The 1996–98 Report of the NCVHS to the Secretary describes various types of activities considered to be public health during the era in which HIPAA was enacted, such as the collection of public health surveillance data on health status and health outcomes and vital statistics information. See Nat’l Comm. on Vital and Health Stats., Report of The National Committee on Vital and Health Statistics, 1996–98, (Dec. 1999), https://ncvhs.hhs.gov/wp-content/uploads/2018/03/90727nv-508.pdf.
[211] Id.
[212] Id.
[213] Richard N. Danila et al., ‘‘Legal Authority for Infectious Disease Reporting in the United States: Case Study of the 2009 H1N1 Influenza Pandemic,’’ 105 Am. J. Public Health 13 (Jan. 2015).
[214] See ‘‘Reportable Diseases,’’ MedlinePlus, https://medlineplus.gov/ency/article/001929.htm (accessed Oct. 19, 2022). See also Nat’l Notifiable Diseases Surveillance Sys., ‘‘What is Case Surveillance?,’’ Ctrs. for Disease Control and Prevention (July 20, 2022), https://www.cdc.gov/nndss/about/.
[215] See ‘‘Reportable Diseases,’’ supra note 215. Such reporting is a type of public health surveillance activity.
[216] See Victims Rts. Law Ctr., ‘‘Mandatory Reporting of Non-Accidental Injuries: A State-by-State Guide’’ (May 2014), https://4e5ae7d17e.nxcli.net/wp-content/uploads/2021/01/Mandatory-Reporting-of-Non-Accidental-Injury-Statutes-by-State.pdf.
[217] See, e.g., 38 U.S.C. 1110 (referring to an ‘‘injury suffered or disease contracted’’); 10 U.S.C. 972 (discussing time lost as a result of ‘‘disease or injury’’); 38 U.S.C. 3500 (providing education for certain children whose parent suffered ‘‘a disease or injury’’ incurred or aggravated in the Armed Forces); see also 5 U.S.C. 8707 (insurance provision discussing compensation as a result of ‘‘disease or injury’’); 33 U.S.C. 765 (discussing retirement for disability as a result of ‘‘disease or injury’’); 15 U.S.C. 2607(c) (requiring chemical manufacturers to maintain records of ‘‘occupational disease or injury’’).

The limited meaning given to the terms ‘‘disease’’ and ‘‘injury’’ for purposes of public health reporting is clear from HIPAA’s broader context. For instance, interpreting ‘‘injury’’ reporting to include disclosures about all instances of suspected criminal abuse would render the specific permission to report ‘‘child abuse’’ superfluous.[218] And interpreting ‘‘disease’’ reporting to include disclosures about any sort of disease for any purpose would both eviscerate HIPAA’s general provisions protecting PHI and make superfluous the statutory requirement to not invalidate laws providing for public health surveillance, or public health investigation or intervention. For example, ‘‘disease management activities’’ constitute ‘‘health care’’ under the Privacy Rule. As such, a broad interpretation of ‘‘disease or injury’’ reporting could make potentially all the health records detailing a particular individual’s treatment for any disease or injury disclosable to a public health authority or others unrelated to the health care.[219] Consequently, the Department has long understood ‘‘disease or injury’’ to narrowly refer to diagnosable health conditions reported for limited purposes such as workers’ compensation, tort claims or in compliance with Federal laws that require states to conduct surveillance of specific diseases and injuries related to public health or Federal funding.[220]

[218] 45 CFR 164.512(b)(ii).
[219] See 65 FR 82462, 82571 (Dec. 28, 2000) (recognizing that ‘‘disease management activities’’ often constitute ‘‘health care’’ under HIPAA); Id. at 82777 (discussing the importance of privacy for information about cancer, a ‘‘disease’’ that causes an ‘‘indisputable’’ ‘‘societal burden’’); Id. at 82778 (discussing the importance of privacy for information about sexually transmitted diseases, including Human Immunodeficiency Virus/Acquired Immunodeficiency Syndrome (HIV/AIDS)); Id. at 82463–64 (noting that numerous states adopted laws protecting health information relating to certain health conditions such as communicable diseases, cancer, HIV/AIDS, and other stigmatized conditions.); Id. at 82731 (finding that there are no persuasive reasons to provide information contained within disease registries with special treatment as compared with other information that may be used to make decisions about an individual).
[220] See, e.g., 65 FR 82462, 82517 (Dec. 28, 2000) (discussing tort litigation as information that could implicate IIHI); Id. at 82542 (discussing workers’ compensation); Id. at 82527 (separately addressing disclosures about ‘‘abuse, neglect or domestic violence’’ and limiting such disclosures to only two circumstances, even if expressly authorized by state statute or regulation).

With respect to reporting of ‘‘births’’ and ‘‘deaths,’’ such vital statistics are reported by health care providers to the vital registration systems operated in various jurisdictions[221] legally responsible for the registration of vital events.[222] State laws require birth certificates to be completed for all births, and Federal law mandates the national collection and publication of births and other vital statistics data.[223] Tracking and reporting death is a complex and decentralized process with a variety of systems used by more than 6,000 local vital registrars.[224] When HIPAA was enacted, the Model State Vital Statistics Act and Regulations, which is followed by most states,[225] included distinct categories for ‘‘live births,’’ ‘‘fetal deaths,’’ and ‘‘induced terminations of pregnancy,’’ with instructions that abortions ‘‘shall not be reported as fetal deaths.’’[226] In light of that common understanding at the time of HIPAA’s enactment, it is clear that the reporting of abortions is not included in the category of reporting of deaths for the purposes of HIPAA and does not fall within the scope of state death reporting activities that Congress specifically designated as excepted from preemption by HIPAA. More generally, while Congress exempted certain ‘‘[p]ublic health’’ laws from preemption,[227] Congress chose not to create a general exception for criminal laws or other laws that address the disclosure of information about similar types of activities outside of the public health context. For all these reasons, state laws requiring the use or disclosure of PHI for the purpose of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating health care, or identifying a person for such activities, are subject to HIPAA’s general preemption provision.

[221] See ‘‘Public Health Professionals Gateway, Public Health Systems & Best Practices, Health Department Governance,’’ Ctrs. for Disease Control and Prevention (Nov. 25, 2022), https://www.cdc.gov/publichealthgateway/sitesgovernance/.
[222] See the list of events included in vital events, Nat’l Ctr. for Health Stats., ‘‘About the National Vital Statistics System,’’ Ctrs. for Disease Control and Prevention (Jan. 4, 2016), https://www.cdc.gov/nchs/nvss/about_nvss.htm.
[223] See Nat’l Ctr. for Health Stats., ‘‘Birth Data,’’ Ctrs. for Disease Control and Prevention (Dec. 6, 2022), https://www.cdc.gov/nchs/nvss/births.htm.
[224] See Ctrs. For Disease Control and Surveillance, ‘‘How Tracking Deaths Protects Health,’’ (July 2018), https://www.cdc.gov/surveillance/pdfs/Tracking-Deaths-protectshealthh.pdf.
[225] See Nat’l Ctr. for Health Stats., Ctrs. for Disease Control and Prevention, ‘‘State Definitions and Reporting Requirements: For Live Births, Fetal Deaths, and Induced Terminations of Pregnancy,’’ at 5 (1997), https://www.cdc.gov/nchs/data/misc/itop97.pdf.
[226] Nat’l Ctr. for Health Stats., Ctrs. for Disease Control and Prevention, ‘‘Model State Vital Statistics Act and Regulations,’’ at 8 (1992), https://www.cdc.gov/nchs/data/misc/mvsact92b.pdf.
[227] 42 U.S.C. 1178(b) (codified in HIPAA at 42 U.S.C. 1320d-7).
Similarly, the Privacy Rule’s public health provisions that permit the disclosure of PHI for the reporting of disease or injury, birth, or death do not include permission to use or disclose PHI for the purpose of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating health care, or identifying a person for such activities. This general distinction between public health activities and investigation and enforcement activities is not limited to reproductive health care. Nevertheless, as discussed elsewhere in this final rule, the Department has chosen to strike a balance between privacy interests and other public policy interests. Consistent with the Department’s longstanding approach that has allowed disclosures for law enforcement purposes in certain circumstances, the new prohibitions set forth in this rule apply only to lawful reproductive health care. State authorities cannot rely on the Privacy Rule’s permissions for disclosures related to disease or injury, birth, or death to obtain PHI for the purpose of investigating or imposing liability for the provision of reproductive health care. However, as discussed above, state authorities may be able to invoke other permissions, such as the permission for disclosures for law enforcement purposes, to obtain such PHI where such disclosure is to investigate or impose liability on a person when the reproductive health care at issue is unlawful under the circumstances in which it is provided.

Comment: A few commenters expressed support for the Department’s interpretation and clarification of the terms used in section 1178(b) of the SSA. A few commenters recommended that the Department define, rather than clarify, these terms. Some commenters requested that the Department further clarify the terms ‘‘disease or injury,’’ ‘‘birth,’’ and ‘‘death,’’ to explicitly exclude information about reproductive health care.
Other commenters expressed opposition to the Department’s clarifications.

Response: We decline to define ‘‘disease or injury,’’ ‘‘birth,’’ or ‘‘death’’ in this final rule. The Department’s understanding of these terms is consistent with the Model State Vital Statistics Act and Regulations and its application in the context of the passage of HIPAA. We believe that the 2023 Privacy Rule NPRM preamble discussion is sufficient to clarify that such reporting does not include the use or disclosure of PHI for investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating health care, including reproductive health care, or to identify a person for such activities.

Defining ‘‘Public health,’’ as used in the terms ‘‘public health surveillance,’’ ‘‘public health investigation,’’ and ‘‘public health intervention.’’

Section 1178(b) also excepts state laws providing for ‘‘public health surveillance, or public health investigation or intervention’’ from HIPAA’s general preemption authority.228 Neither HIPAA nor the Privacy Rule currently defines ‘‘public health surveillance’’ or ‘‘public health investigation or intervention.’’ Consistent with the statute, the Privacy Rule expressly permits a regulated entity to use or disclose PHI for ‘‘public health’’ surveillance, investigation, or intervention.229 The Department proposed to define public health, as used in the terms ‘‘public health surveillance,’’ ‘‘public health investigations,’’ and ‘‘public health interventions,’’ to mean population-level activities to prevent disease and promote health of populations.

In preamble to the 2023 Privacy Rule NPRM, the Department described public health surveillance as the ongoing, systematic collection, analysis, and interpretation of health-related data essential to planning, implementation, and evaluation of public health practice.230 The Department explained that public health investigations or interventions include monitoring real-time health status and identifying patterns to develop strategies to address chronic diseases and injuries, as well as using real-time data to identify and respond to acute outbreaks, emergencies, and other health hazards.231 Public health surveillance, investigations, or interventions safeguard the health of the community by addressing ongoing or prospective population-level issues such as the spread of communicable diseases, even where these activities involve individual-level investigations or interventions. The Department also proposed to expressly exclude certain activities from the definition of public health to distinguish between public health activities and certain criminal investigations.

228 Section 1178(a) of HIPAA.
229 See 45 CFR 164.512(b)(1)(i); Off. for Civil Rights, ‘‘Disclosures for Public Health Activities,’’ U.S. Dep’t of Health and Human Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/index.html (accessed Oct. 19, 2022).
230 See ‘‘Introduction to Public Health Surveillance,’’ Ctrs. for Disease Control and Prevention (Nov. 15, 2018), https://www.cdc.gov/training/publichealth101/surveillance.html.
231 See ‘‘Public Health Professionals Gateway, Ten Essential Public Health Services,’’ Ctrs. for Disease Control and Prevention (Dec. 1, 2022), https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html.
Specifically, the Department proposed to provide in regulatory text that the Privacy Rule’s permissions to use and disclose PHI for the ‘‘public health’’ activities of surveillance, investigations, or interventions do not include criminal, civil, or administrative investigations into, or proceedings against, any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, nor do they include identifying any person for the purpose of initiating such investigations or proceedings. The Department stated that any such actions are not public health activities that would be subject to the exception to HIPAA’s general preemption authority for state laws providing for ‘‘public health surveillance, or public health investigation or intervention.’’ 232 Commenters expressed mixed views on the proposal to define ‘‘public health’’ in the context of ‘‘public health surveillance,’’ ‘‘public health investigations’’ or ‘‘public health interventions.’’ Commenters expressing opposition to the proposal either disagreed with the Department’s assertion that public health activities do not involve uses and disclosures that would be prohibited by the rule or asserted that the proposal would prevent public health reporting of reproductive health care. Some commenters generally supported the goal of the proposal but expressed concern that inclusion of the proposed language about ‘‘population-level’’ activities could prevent essential public health activities that involve specific persons, such as reporting data about specific health care services provided to specific persons that have a ‘‘population-level’’ effect and investigating the spread of communicable diseases. Some commenters asserted that the proposal would frustrate states’ ability to enforce their laws not related to public health, such as laws banning health care such as abortion. 
Supporters asserted that the proposal would help to prevent PHI from being disclosed for a purpose that would be prohibited under the proposed rule. Supportive commenters also expressed concern about states obtaining PHI based on an interpretation of ‘‘public health investigations’’ that includes the mandatory reporting of pregnant individuals who engage in certain activities, such as substance use. Other commenters asserted that disclosures of PHI to public health authorities should be limited because of the potential for PHI to be redisclosed for purposes that otherwise would be prohibited under the Privacy Rule.

The final rule adopts the proposed definition with some modifications. The final rule maintains the proposed rule’s focus on activities aimed at preventing disease and improving the health of populations. This definition does not prevent disclosures of PHI by covered entities to public health authorities for public health activities that have long been permitted under the Privacy Rule. As discussed in the 2023 Privacy Rule NPRM, since the time of HIPAA’s enactment, public health activities related to surveillance, investigation, or intervention have been widely understood to refer to activities aimed at improving the health of a population.

232 Section 1178(a) of SSA.
For example, legal dictionaries define ‘‘public health’’ as ‘‘[t]he health of the community at large,’’ or ‘‘[t]he healthful or sanitary condition of the general body of people or the community en masse; esp., the methods of maintaining the health of the community, as by preventive medicine or organized care for the sick.’’ 233 Stedman’s Medical Dictionary defines ‘‘public health’’ as ‘‘the art and science of community health, concerned with statistics, epidemiology, hygiene, and the prevention and eradication of epidemic diseases; an effort organized by society to promote, protect, and restore the people’s health; public health is a social institution, a service, and a practice.’’ 234 The Centers for Disease Control and Prevention (CDC) and the Agency for Toxic Substances and Disease Registry have described ‘‘public health surveillance’’ as ‘‘the ongoing systematic collection, analysis and interpretation of outcome-specific data for use in the planning, implementation, and evaluation of public health practice.’’ 235 And many states similarly define ‘‘public health’’ to mean activities to support population health.236 The Department likewise has used the term public health in this way since it first adopted the Privacy Rule.237 Public health surveillance, public health investigations, and public health interventions are activities that address population health concerns and have generalized public benefit 238 to the health of a population, including activities that involve specific persons. Examples of activities that prevent disease in and promote the health of populations include vaccination campaigns to eradicate communicable disease, surveillance of a community’s use of emergency services after a natural disaster to improve allocation of resources to meet health needs, and investigation of the source of an outbreak of food poisoning. As explained in the preamble to the 2023 Privacy Rule NPRM,239 there is a widely recognized distinction between public health activities, which primarily focus on improving the health of populations, and criminal investigations, which primarily focus on identifying and imposing liability on persons who have violated the law.240 States and other local governing authorities maintain criminal codes that are distinct and separate from public health reporting laws,241 although some jurisdictions enforce required public health reporting through criminal statutes.

Different governmental bodies are responsible for enforcing these separate codes, and public health officials do not typically investigate activities enforced under criminal statutes or laws.242 Federal laws also generally treat public health investigations as distinct from criminal investigations.243 Maintaining a clear distinction between public health investigations and criminal investigations serves HIPAA’s broader purposes.244 The Department concludes that neither section 1178(b) nor the Privacy Rule’s permissions to use and disclose PHI for the ‘‘public health’’ activities of surveillance, investigation, or intervention include conducting criminal, civil, or administrative investigations into, or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care, including reproductive health care, nor do they include the identification of any person for such purposes. Such actions are not public health activities. As described above, this distinction between public health activities and other investigation and enforcement activities is not limited to reproductive health care.

233 ‘‘Health, Public Health,’’ Black’s Law Dictionary (11th ed. 2019).
234 ‘‘Public Health,’’ Stedman’s Medical Dictionary 394520.
235 Jonathan Weinstein, In Re Miguel M., 55 N.Y.L. Sch. L. Rev. 389, 390 (2010) (citing Stephen B. Thacker, ‘‘Historical Development,’’ in Principles and Practice of Public Health Surveillance 1 (Steven M. Teutsch & R. Elliott Churchill eds., 2d ed., 2000)), https://digitalcommons.nyls.edu/cgi/viewcontent.cgi?article=1599&context=nyls_law_review.
236 See, e.g., Richard A. Goodman et al., ‘‘Forensic Epidemiology: Law at the Intersection of Public Health and Criminal Investigations,’’ 31 J. of Law, Med. & Ethics 684, 689–90 (2003); La. Rev. Stat. Ann. Sec. 40:3.1 (2011) (defining threats to public health as nuisances ‘‘including but not limited to communicable, contagious, and infectious diseases, as well as illnesses, diseases, and genetic disorders or abnormalities’’); N.C. Gen. Stat. sec. 130A–141.1(a) (2010) (defining public health investigations as the ‘‘surveillance of an illness, condition, or symptoms that may indicate the existence of a communicable disease or condition’’).
237 See, e.g., 65 FR 82462, 82464 (Dec. 28, 2000) (noting that reporting of public health information on communicable diseases is not prevented by individuals’ right to information privacy); Id. at 82467 (discussing the importance of accurate medical records in recognizing troubling public health trends and in assessing the effectiveness of public health efforts); Id. at 82473 (discussing disclosure to ‘‘a department of public health’’); Id. at 82525 (recognizing that it may be necessary to disclose PHI about communicable diseases when conducting a public health intervention or investigation); Id. at 82526 (recognizing that an entity acts as a ‘‘public health authority’’ when, in its role as a component of the public health department, it conducts infectious disease surveillance); Stephen B. Thacker, Epidemiology Program Office, Ctrs. for Disease Control and Prevention, ‘‘HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services,’’ 52 MMWR 1 (Apr. 11, 2003), https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm (describing what traditionally are considered to be ‘‘public health activities’’ that require PHI).
238 See Miguel M. v. Barron, 950 NE2d 107, at 111 (2011) (explaining ‘‘[t]he apparent purpose of the public health exception is to facilitate government activities that protect large numbers of people from epidemics, environmental hazards, and the like, or that advance public health by accumulating valuable statistical information.’’).
239 88 FR 23510, 23525 (Apr. 17, 2023).
240 See Miguel M. v. Barron at 111, supra note 239 (concluding that ‘‘[t]o disclose private information about particular people, for the purpose of preventing those people from harming themselves or others, effects a very substantial invasion of privacy without the sort of generalized public benefit that would come from, for example, tracing the course of an infectious disease.’’).
241 For example, traditional public health reporting laws grew from colonial requirements that physicians report disease. These requirements transitioned to state regulatory requirements imposed by public health departments on authority granted to them by states. See Ctrs. for Disease Control and Prevention, ‘‘Public Health Law 101, Disease Reporting and Public Health Surveillance,’’ at 12 and 14 (Jan. 16, 2009), https://www.cdc.gov/phlp/docs/phl101/PHL101-Unit-5-16Jan09Secure.pdf. See also, e.g., Code of Georgia 31–12–2 (2021) (authority to require disease reporting).
242 See ‘‘Public Health,’’ supra note 235 (‘‘Many cities have a ‘public health department’ or other agency responsible for maintaining the public health; Federal laws dealing with health are administered by the Department of Health and Human Services.’’); see also ‘‘Forensic Epidemiology: Law at the Intersection of Public Health and Criminal Investigations,’’ supra note 237, at 689.
243 See Camara v. Municipal Ct. of City & Cty. of S.F., 387 U.S. 523, 535–37 (1967) (discussing administrative inspections under the Fourth Amendment, such as those aimed at addressing ‘‘conditions which are hazardous to public health and safety,’’ and not ‘‘aimed at the discovery of evidence of crime’’); 42 U.S.C. 241(d)(D) (prohibiting disclosure of private information from research subjects in ‘‘criminal’’ and other proceedings); 42 U.S.C. 290dd–2(c) (prohibiting substance abuse records from being used in criminal proceedings).
244 See ‘‘Forensic Epidemiology: Law at the Intersection of Public Health and Criminal Investigations,’’ supra note 237, at 687 (discussing reasons why ‘‘an association of public health with law enforcement’’ may be ‘‘to the detriment of routine public health practice’’). See also 45 CFR 164.512(b)(1)(i) (including ‘‘public health investigations’’ as an activity carried out by a public health authority that is authorized by law to carry out public health activities).
Public health surveillance, investigations, or interventions ensure the health of the community as a whole by addressing ongoing or prospective population-level issues such as the spread of communicable diseases, even where they involve interventions involving specific individuals. Such surveillance systems provide the necessary data to examine and potentially develop interventions to improve the public’s health, such as providing education or resources to support individuals’ access to health care and improve health outcomes and are not affected by this final rule.245 U.S. states, territories, and Tribal governments participate in bilateral agreements with the Federal Government to share data on conditions that affect public health.246 The CDC’s Division of Reproductive Health collects reproductive health data in support of national and state-based population surveillance systems to assess maternal complications, mortality and pregnancy-related disparities, and the numbers and characteristics of individuals who obtain legal induced abortions.247 This final rule does not affect CDC’s ability to collect this information now or in the future. Importantly, disclosures to public health authorities permitted by the Privacy Rule are limited to the ‘‘minimum necessary’’ to accomplish the public health purpose.248 In some cases, regulated entities need disclose only de-identified data 249 to meet the public health purpose.

By contrast, efforts to conduct criminal, civil, and administrative investigations or impose criminal, civil, and administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care generally target specific persons for particular conduct; they are not designed to address population-level health concerns and are not limited to information authorized to be collected by a public health or similar government authority for a public health activity. Thus, the exceptions in section 1178(b) for ‘‘public health’’ investigations, interventions, or surveillance do not limit the Department’s ability to prohibit uses or disclosures of PHI for other purposes, such as judicial and administrative proceedings or law enforcement purposes. While the Department has chosen as a policy matter to continue to permit uses or disclosures of PHI for law enforcement and other purposes in certain contexts, it is adopting a different balance where such uses or disclosures are about reproductive health care that is lawful under the circumstances in which it was provided.

245 See ‘‘Improving the Role of Health Departments in Activities Related to Abortion,’’ Am. Pub. Health Ass’n (Oct. 26, 2021), https://www.apha.org/Policies-and-Advocacy/Public-Health-Policy-Statements/Policy-Database/2022/01/07/Improving-Health-Department-Role-in-Activities-Related-to-Abortion.
246 See ‘‘Reportable diseases,’’ supra note 215. See also ‘‘What is Case Surveillance?,’’ supra note 215.
247 See ‘‘Reproductive Health, About Us,’’ Ctrs. for Disease Control and Prevention (Apr. 20, 2022), https://www.cdc.gov/reproductivehealth/drh/aboutus/index.htm; and ‘‘Reproductive Health, CDCs Abortion Surveillance System FAQs,’’ Ctrs. for Disease Control and Prevention (Nov. 17, 2022), https://www.cdc.gov/reproductivehealth/data_stats/abortion.htm.
248 See 45 CFR 164.502(b).
249 See 45 CFR 164.514(a).
While retaining the focus on activities to prevent disease and promote the health of populations, this final rule clarifies that population-level activities ‘‘include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of protected health information.’’ This clarification addresses commenters’ concerns that regulated entities would no longer be able to report information that states need to conduct public health functions intended to protect against prospective or ongoing threats at the population level, even if at times they necessarily will focus on individuals while doing so (through contact tracing, quarantine or isolation, and the like). The Department does not intend this clarification to prevent disclosures of PHI from covered entities to public health authorities for public health activities that have long been and continue to be permitted under the Privacy Rule. These changes clarify that public health, as used in the specified terms, broadly includes activities to prevent disease in and promote the health of populations. The changes also confirm that the Department does not require a public health authority to supply an attestation to a covered entity to receive PHI of an individual where that disclosure is intended to prevent disease in or promote the health of populations. The intended purpose of including ‘‘population-level’’ was to facilitate public health activities that protect large numbers of people from epidemics, environmental hazards, and the like.
However, we believe that the language that clarifies that population-level activities ‘‘include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of protected health information,’’ sufficiently serves this purpose of addressing uses and disclosures of PHI that are necessary to accomplish the overarching goals of public health. The last sentence of the proposed definition, which described what are not public health activities, is also revised in the final rule for consistency with the general distinction between activities of public health surveillance, investigation, and intervention and activities of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating health care, or identifying a person for such activities, as well as the standard the Department is adopting at 45 CFR 164.502(a)(5)(iii), which is discussed further in that section of this rule. Thus, while a state might assert that investigating or imposing liability on persons for the mere act of seeking, obtaining, providing, or facilitating health care satisfies the definition of ‘‘public health,’’ their interpretation would not supersede the definition of ‘‘public health’’ in the context of public health surveillance, investigations, or interventions that the Department is adopting under its own Federal statutory authority to administer the HIPAA Rules.

Comment: A few organizations expressed support for the proposed definition of ‘‘public health’’ without further elaboration. Several commenters expressed support for the proposed definition of ‘‘public health’’ because it would prevent PHI from being disclosed for a prohibited purpose.
A few commenters expressed support for the proposal because they believed that information reported for public health purposes could be requested, re-identified (in the case of de-identified information), or further disclosed to law enforcement for purposes for which the Department proposed to prohibit uses and disclosures. Several commenters expressed support for the proposed definition of ‘‘public health’’ and the existing standard that limits public health disclosures of PHI to the minimum necessary information to achieve the purpose.

Response: Consistent with the NPRM, the Department agrees with the commenters who stated that it is important to define ‘‘public health’’ in the context of public health surveillance, investigation, or intervention to ensure that PHI is not disclosed for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). Disclosures of PHI for public health purposes continue to be subject to the minimum necessary standard, which limits the use and disclosure of PHI to the minimum necessary to achieve the specified purpose; in some circumstances, de-identified information may suffice. However, many public health activities do require identifiable data, such as for interventions involving individuals, to protect against prospective or ongoing threats to health or safety at the population level, and the Privacy Rule does not prohibit such uses and disclosures.
When making disclosures to public officials that are permitted under 45 CFR 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose, regulated entities are permitted, but not required, to rely on that representation, if such reliance is reasonable under the circumstances.250 Such reliance may not be reasonable where the request appears to be overly broad when compared to the stated purpose of the request (e.g., where a public health authority requests the disclosure of PHI of all individuals who received treatment for uterine bleeding when the stated purpose is to investigate infection control practices by an obstetrician/gynecologist in a state where law enforcement has publicly announced its intention to investigate individuals for traveling out of state to seek or obtain reproductive health care that is lawful under the circumstances in which it is provided).

Comment: A few commenters asserted that law enforcement generally interprets public health investigations to include criminal investigations and prosecutions and the NPRM proposed definition would complicate such investigations by limiting the amount of PHI that could be disclosed to law enforcement.

Response: The Department has adopted a definition of ‘‘public health’’ in the context of public health surveillance, investigation, and intervention that sets clear parameters between such activities and law enforcement activities conducted to impose liability for the mere act of seeking, obtaining, providing, or facilitating health care. Public health surveillance, investigation, and intervention do not include efforts to attach liability to persons for specific acts of seeking, obtaining, providing, or facilitating health care.

250 45 CFR 164.514(d)(3)(iii)(A); see also 45 CFR 164.514(h)(2)(ii) and (iii).
This definition is consistent with the longstanding distinction made by the Department between public health activities and law enforcement activities as described above.

Comment: Several commenters expressed support for the Department’s proposal generally but recommended further clarifications or revisions to it, especially regarding the limitation to ‘‘population-level’’ activities. A few commenters raised questions about the difference between the proposed definition of ‘‘public health’’ and the permission for public health activities under 45 CFR 164.512(b)(1)(i) and recommended that the Department clarify the definition to ensure that public health agencies are able to obtain health information for administrative or civil proceedings, such as quarantine or isolation in cases involving infectious diseases.

Response: The Department has modified the definition of ‘‘public health’’ in the context of public health surveillance, investigation, or intervention to clarify that such activities include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of PHI. This change addresses commenters’ concerns that under the proposed definition, regulated entities would no longer be able to report PHI that is required to address population-level concerns.

Comment: Several commenters raised concerns that the proposed definition of ‘‘public health’’ would circumvent states’ interests related to public health. A few commenters expressed opposition to the Department’s clarification of public health because they believed that states should have the ability to conduct surveillance, investigations, or interventions concerning certain types of health care for public health purposes. Several commenters asserted that the proposal would frustrate the ability of states to enforce their laws prohibiting access to certain types of health care.
Conversely, a commenter requested that the Department explicitly exclude reproductive health care from the proposed definition of ‘‘public health,’’ so it would not be reportable to public health agencies.

Response: We disagree with commenters’ assertions that this final rule will prevent the reporting of vital statistics or other public health activities. A covered entity may continue to use or disclose PHI for all the public health activities and purposes listed in section 1178(b). We also decline to explicitly exclude reproductive health care from the definition of ‘‘public health’’ because doing so could hinder beneficial public health activities. Instead, this definition supports this final rule’s prohibition against certain uses and disclosures of PHI by clarifying that public health surveillance, investigation, and intervention exclude conducting a criminal, civil, or administrative investigation into any person, or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care, or identifying any person for such activities. Such excluded activities include those with the purposes that are prohibited at 45 CFR 164.502(a)(5)(iii).

Comment: A few commenters believed that defining ‘‘investigation,’’ ‘‘intervention,’’ or ‘‘surveillance’’ was unnecessary or recommended against doing so and requested that the Department clarify that such terms do not encompass any prohibited purposes. One commenter requested that the Department define these terms to expressly exclude information related to reproductive health care.

Response: We are not defining the terms ‘‘investigation,’’ ‘‘intervention,’’ or ‘‘surveillance’’ in this rule.
However, we are providing extensive interpretation in the preamble to clarify that such activities in the public health context do not encompass conducting a criminal, civil, or administrative investigation into any person, or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care, or identifying any person for such activities, including those for which use or disclosure of PHI is prohibited by 45 CFR 164.502(a)(5)(iii).

Reporting of Child Abuse

In accordance with section 1178(b) of HIPAA, the Privacy Rule permits a regulated entity to use or disclose PHI to report known or suspected child abuse or neglect if the report is made to a public health authority or other appropriate government authority that is authorized by law to receive such reports.251 The Privacy Rule limits disclosures of PHI made pursuant to this permission to the minimum necessary to make the report.252

As the Department explained in the 2023 Privacy Rule NPRM, at the time HIPAA was enacted, ‘‘most, if not all, states had laws that mandated reporting of child abuse or neglect to the appropriate authorities.’’ 253 Additionally, when Congress enacted HIPAA, it had already addressed child abuse reporting in other laws, such as the Victims of Child Abuse Act of 1990 254 and the Child Abuse Prevention and Treatment Act.255 For example, 34 U.S.C. 20341(a)(1), a provision of the original Victims of Child Abuse Act of 1990 that is still in place today, requires certain professionals to report suspected abuse when working on Federal land or in a federally operated (or contracted) facility.256 As used in these statutes, the term ‘‘child abuse’’ does not include activities related to reproductive health care, such as abortion.

251 See 45 CFR 164.512(b)(1)(ii).
252 See 45 CFR 164.502(b) and 164.514(d).
In the 2023 Privacy Rule NPRM, the Department discussed that it has long interpreted ‘‘child abuse,’’ as used in the Privacy Rule and section 1178(b) of HIPAA, to exclude conduct based solely on a person seeking, obtaining, providing, or facilitating reproductive health care.257 This interpretation is consistent with the public health aims of improving access to health care for individuals, including reproductive health care, and with relevant statutes at the time HIPAA was enacted, as described above. The Department also stated that this interpretation prohibits a regulated entity from disclosing PHI in reliance on the permission for reporting ‘‘child abuse’’ where the alleged victim does not meet the definition of ‘‘person’’ or ‘‘child,’’ consistent with both 1 U.S.C. 8 and section 1178(b). Additionally, consistent with previous rulemaking under HIPAA, the Department clarified in the preamble that it did not intend for the interpretation to disrupt longstanding state or Federal child abuse reporting requirements that apply to regulated entities.258 The Department also made several clarifications in preamble concerning our interpretation of section 1178(b) and the Privacy Rule’s public health permission and how we distinguish between public health reporting and disclosures for law enforcement purposes or judicial and administrative proceedings. 253 65 FR 82462, 82527 (Dec. 28, 2000). 254 Public Law 101–647, 104 Stat. 4789 (codified at 18 U.S.C. 3509). 255 Public Law 93–247, 88 Stat. (codified at 42 U.S.C. 5101 note). 256 See 34 U.S.C. 20341(a)(1), originally enacted as part of the Victims of Child Abuse Act of 1990 and codified at 42 U.S.C. 13031, which was editorially reclassified as 34 U.S.C. 20341, Crime Control and Law Enforcement. For the purposes of such mandated reporting, see 34 U.S.C. 20341(c)(1) for definition of ‘‘child abuse.’’ 257 88 FR 23506, 23526 (Apr. 17, 2023). 258 65 FR 82462, 82527 (Dec. 28, 2000).
Comment: Many commenters supported the Department’s clarification and agreed that it would preserve trust between individuals and health care providers, but also requested additional clarification from the Department on its implementation. Few opposed the clarification; those who did expressed concerns about the potential for the clarification to prevent state-mandated reporting in certain circumstances. Many commenters expressed mixed views about the Department’s interpretation. Response: The Department is moving forward with its interpretation as described in the NPRM. As noted above, this final rule does not alter the Privacy Rule’s reliance on other applicable law with respect to determining who has the authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, including lawful reproductive health care.259 The Privacy Rule does not permit a regulated entity to disclose PHI as part of a report of suspected child abuse based solely on the fact that a parent seeks reproductive health care (e.g., treatment for a sexually transmitted infection) for a child. However, the regulated entity is permitted to make such disclosure where there is suspicion of sexual abuse that could be the basis of permitted reporting. Congress defined the term ‘‘child’’ in 1 U.S.C. 8, and the term ‘‘child’’ in the Privacy Rule is consistent with that definition. As such, the Department believes that to the extent this clarification prohibits a regulated entity from disclosing PHI to report ‘‘child abuse’’ under this permission in the Privacy Rule where the alleged victim does not meet the definition of ‘‘person,’’ it is consistent with both 1 U.S.C. 8 and section 1178(b). 
The Department also reaffirms its clarification that the Privacy Rule permission to report known or suspected child abuse or neglect permits a disclosure only for the purpose of making a report, and the PHI disclosed must be limited to the minimum necessary information for the purpose of making a report.260 These provisions do not permit the covered entity to disclose PHI in response to a request for the use or disclosure of PHI to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on a person based on suspected child abuse. Instead, as we explained in the 2023 Privacy Rule NPRM, any disclosure of PHI in response to this type of request from an investigator must meet the applicable Privacy Rule conditions for disclosures for judicial and administrative proceedings or law enforcement purposes, as applicable.261 That is the case whether such disclosure is in follow up to the report made by the covered entity (other than to clarify the PHI provided on the report) or part of an investigation initiated based on an allegation or report made by a person other than the covered entity.262 Moreover, this clarification does not affect the ability of state authorities to invoke other permissions for disclosure under the Privacy Rule, such as the permission for disclosures for law enforcement purposes, where they are seeking PHI related to unlawful reproductive health care.263 Thus, the Department’s interpretation of ‘‘child abuse’’ continues to support the protection of children while also serving HIPAA’s objectives of protecting the privacy of PHI to promote individuals’ trust in the health care system and preserving the relationship between individuals and their health care providers. 259 See 45 CFR 164.502(g). 260 See 45 CFR 164.502(b) and 164.514(d).
Comment: A few commenters recommended that the Department expand the clarification of child abuse to broadly address providing or facilitating all health care, rather than just reproductive health care. Response: It is beyond the scope of this rulemaking to expand the clarification to include the provision or facilitation of all lawful health care. We appreciate the recommendations of commenters and will take them under advisement for potential future rulemaking. 3. Adding a Definition of ‘‘Reproductive Health Care’’ Section 160.103 of the HIPAA Rules defines ‘‘health care’’ as ‘‘care, services, or supplies related to the health of an individual.’’ 264 The definition clarifies that the term ‘‘includes but is not limited to’’ several identified types of care, services, and procedures 265 and includes examples such as therapeutic, rehabilitative, or maintenance care, as well as sale or dispensing of drugs or devices. 261 See 45 CFR 164.512(e) and (f). 262 See 45 CFR 164.512(e) and (f). 263 65 FR 82462, 82527 (Dec. 28, 2000). 264 45 CFR 160.103 (definition of ‘‘Health care’’). 265 These groupings are (1) ‘‘[p]reventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body’’ and (2) ‘‘[the s]ale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.’’ It would also include supplies purchased over the counter or furnished to the individual by a person that does not meet the definition of a health care provider under the HIPAA Rules. 45 CFR 164.103 (definition of ‘‘Health care provider’’).
The Department proposed to add and define a new term, ‘‘reproductive health care,’’ that would be a subset of the term ‘‘health care.’’ 266 The Department proposed to define ‘‘reproductive health care’’ as ‘‘care, services, or supplies related to the reproductive health of the individual.’’ The Department noted in the NPRM preamble that the HIPAA Rules define ‘‘health care’’ broadly.267 Consistent with the definition of ‘‘health care’’ in the HIPAA Rules, the proposed definition of ‘‘reproductive health care’’ would have applied broadly and included not only reproductive health care and services furnished by a health care provider and supplies furnished in accordance with a prescription, but also care, services, or supplies furnished by other persons and non-prescription supplies purchased in connection with an individual’s reproductive health. The Department proposed to use the term ‘‘reproductive health care’’ rather than ‘‘reproductive health services’’ to ensure that the term was interpreted broadly to capture all health care that could be furnished to address reproductive health, including the provision of medications and devices, whether prescription or over-the-counter. The Department discussed in preamble some of the types of care, services, and supplies that were included in the proposed term. In keeping with the Department’s intention for ‘‘reproductive health care’’ to be inclusive of all types of health care related to an individual’s reproductive system, the 2023 Privacy Rule NPRM preamble indicated that the term would include, but not be limited to: contraception, including emergency contraception; pregnancy-related health care; fertility or infertility-related health care; and other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system. We also provided a non-exhaustive list of examples of health care within each of these categories of reproductive health care.
Consistent with the definition of ‘‘health care’’ adopted in 2000 in the HIPAA Rules, the Department did not propose a specific definition of ‘‘reproductive health’’ but invited comment on whether including a particular definition of ‘‘reproductive health’’ would be beneficial. Many commenters supported the proposal and agreed that it would provide the necessary protections for individuals and others. Some referenced existing definitions used by other legal authorities and recommended the Department consider adopting or incorporating them in some manner. Some commenters opposed the proposal to provide an inclusive definition of reproductive health care. Some commenters asserted that the proposal lacked clarity and was too open-ended, making it difficult to operationalize. Other commenters expressed concern that the proposed definition would permit minors to consent to reproductive health care without parental consent. The final rule adopts the new term ‘‘reproductive health care’’ and definition with three modifications. 266 88 FR 23506, 23527–28 (Apr. 17, 2023). 267 88 FR 23506, 23527 (Apr. 17, 2023).
First, we replace ‘‘care, services, or supplies related to the reproductive health of the individual’’ with ‘‘health care’’ and add a citation to the HIPAA Rules’ definition of that term to clarify that reproductive health care is a subset of ‘‘health care.’’ Second, we specify that the term means health care ‘‘that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.’’ In keeping with the Department’s intention for ‘‘reproductive health care’’ to be interpreted broadly and inclusive of all types of health care related to an individual’s reproductive system, this additional language clarifies that the definition encompasses the full range of health care related to an individual’s reproductive health. Third, we add a statement reaffirming that the definition should not be construed to establish a standard of care for or regulate what constitutes clinically appropriate reproductive health care. As discussed in the NPRM, this approach is consistent with the approach the Department took when it adopted the definition of ‘‘health care’’ in the HIPAA Rules. At that time, the Department explained that listing specific activities would create the risk that important activities would be left out and could also create confusion.268 By describing more fully the breadth of reproductive health care, the definition may decrease the perceived burden to regulated entities of complying with the rule by helping them determine whether a request for the use or disclosure of PHI includes PHI that is implicated by this final rule. 268 65 FR 82571 (Dec. 28, 2000).
To further clarify what is included in reproductive health care for regulated entities, we provide a non-exclusive list of examples that fit within the definition: contraception, including emergency contraception; preconception screening and counseling; management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination; fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components 269 (e.g., in vitro fertilization (IVF)); diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products). Additionally, the language in the definition stating that the definition should not be construed to set forth a standard of care or regulate what constitutes clinically appropriate reproductive health care should not be read as limiting ‘‘reproductive health care’’ to only health care that is determined to be appropriate by a health care professional. Rather, it may be the individual who determines whether the health care they receive, such as over-the-counter contraceptives, is appropriate. Like the definition of ‘‘health care,’’ the definition of reproductive health care is intended to be broad. Finally, we clarify that meeting the definition is not sufficient for information about such health care to be protected under the HIPAA Rules or this final rule.
Rather, the information about such health care still needs to meet the definition of PHI.270 Comment: Some commenters expressed support for the proposed definition of ‘‘reproductive health care.’’ Several commenters specifically expressed their support for a broad definition of the term for various reasons, including: ensuring that providers of reproductive health care can continue to serve vulnerable communities and reduce health care disparities; providing clarity; and mitigating the need for clinical expertise and interpretation for each request for reproductive health information. Other commenters expressed support for the term because it would improve access to care and better reflect the breadth of services that support an individual’s reproductive health, enable health care providers to continue to maintain appropriate data safeguards, and enable individuals to feel comfortable disclosing their information without fear of incrimination. Many other commenters expressed opposition to the proposed definition because it was too expansive and would encompass procedures that they did not consider to be reproductive health care. Many commenters explicitly requested that the definition exclude certain types of health care. 269 See ‘‘What is Assisted Reproductive Technology?’’ Centers for Disease Control and Prevention (Oct. 8, 2019), https://www.cdc.gov/art/whatis.html and ‘‘Fact Sheet: In Vitro Fertilization (IVF) Use Across the United States,’’ U.S. Dep’t of Health and Human Servs. (Mar. 13, 2024), https://www.hhs.gov/about/news/2024/03/13/fact-sheet-in-vitro-fertilization-ivf-use-across-united-states.html. 270 45 CFR 160.103 (definition of ‘‘Protected health information’’).
A few commenters recommended that the Department narrow the proposed definition to apply only to records directly involving certain specified services and clarify that the final definition does not include other procedures or treatments related to pregnancy or contraception. Another commenter expressed opposition to the proposed definition of ‘‘reproductive health care’’ because they believe that reproductive health information is no more sensitive than other medical information and should not be treated differently. One commenter opposed the proposed definition of ‘‘reproductive health care’’ because they thought it would prevent health care providers from disclosing PHI to other health care providers for treatment, which would erode individual trust. Several commenters requested that the Department expand the proposed definition, be more specific in its meaning (e.g., provide additional information about the types of care, services, or supplies included in the definition), or replace it with a more expansive term (e.g., ‘‘sensitive personal health care’’ meaning ‘‘care, services, or supplies related to the health of the individual which could expose any person to civil or criminal liability for the mere act of seeking, obtaining, providing, or facilitating such health care’’). A commenter urged the Department to define the term ‘‘sexual and reproductive health care’’ to ensure that individuals have reproductive health care privacy, regardless of their sexual orientation or gender identity. Commenters offered several alternative definitions or terms, such as ‘‘including but not limited to services related to contraception, sterilization, preconception care, maternity care, abortion care, and counseling regarding reproductive health care’’; the definition of ‘‘reproductive health care services’’ at 18 U.S.C.
248(e)(5); ‘‘reproductive and sexual health care services’’ as defined in California Health and Safety Code section 1367.31; and limiting the definition to capture only health care that is at risk of being investigated or prosecuted because of Dobbs. Other commenters requested additional precision or clarity in the definition. For example, a commenter recommended that the definition include the specific codes and data points that would constitute reproductive health care that would be prohibited from disclosure under the proposed rule (e.g., International Classification of Diseases (ICD) codes related to reproductive health, ABO blood type and Rh factor). Several commenters urged the Department to narrow the proposed definition because of operational concerns, including the redirection of resources to making or obtaining legal determinations about whether a particular type of care was reproductive health care. Some explained that health information management staff generally do not have the clinical expertise to determine what would constitute ‘‘reproductive health care,’’ while another stated that physicians would also have trouble discerning what health care would meet the proposed definition. Another commenter recommended that the Department include only PHI that is already reliably segregated in EHRs in the definition. Many commenters requested that the Department further explain the proposed definition either in preamble or the regulatory text. One commenter suggested that in lieu of a definition of ‘‘reproductive health care,’’ the Department include an extensive discussion of examples in the preamble and provide entities flexibility to implement policies or procedures that may be affected by the definition of ‘‘reproductive health care’’ in accordance with their operational structures. A few commenters also recommended that the Department provide examples in preamble discussion, rather than regulatory text. 
One commenter recommended that the Department provide specific examples to illustrate its meaning where there could be ambiguity. Several commenters recommended that examples be included in the regulatory text and provided specific examples of the types of health care they thought should be included. Some commenters recommended the Department include examples but did not specify whether they should be in the preamble or in the regulatory text, while other commenters requested that the Department include a non-exhaustive list of examples of reproductive health care in both the regulation and preamble. Response: After consideration, we have finalized a definition grounded in the Privacy Rule’s long-established term ‘‘health care.’’ We provide a non-exhaustive list of examples in preamble above. We do not explicitly address all of the many types of health care suggested in comments to avoid creating the impression of a complete list. This is also consistent with our approach regarding the definition of ‘‘health care.’’ We emphasize that this definition does not set or affect standards of care, nor does it affect uses and disclosures of PHI for treatment purposes. Operational concerns expressed by some commenters are addressed in response to comments on the prohibition. 4. Whether the Department Should Define Any Additional Terms The Department requested comments about whether it would be helpful for the Department to define ‘‘reproductive health’’ or any additional terms.271 Comment: Several commenters recommended that the Department define ‘‘reproductive health’’ because it would ensure that all covered entities would be required to implement changes, or that the PHI of individuals receiving certain types of health care would not be disclosed to states where individuals who receive such health care are being penalized.
Several commenters urged the Department to add the definition of reproductive health adopted by the United Nations and World Health Organization, while others recommended the adoption of the definition articulated by the International Conference on Population and Development in 1994. One commenter expressed opposition to adding a definition of reproductive health as unnecessary, and another instead recommended adoption of a precise definition of ‘‘reproductive health care.’’ Another commenter recommended expanding the definition of PHI to include certain digital data of entities not regulated under HIPAA (e.g., information from period tracking apps). One commenter recommended revising the definition of ‘‘health oversight agency’’ to exclude agencies that investigate or prosecute activities related to reproductive health care. Some commenters requested that the Department define additional terms or clarify existing terms. Rather than define additional terms, one commenter recommended that the Department ensure that all the proposed definitions would be aligned with the Office of the National Coordinator for Health Information Technology (ONC) and CMS-mandated data elements for Certified Electronic Health Record Technology products and in the electronic clinical quality measures that health care providers are required to report to CMS. Response: We appreciate the feedback from commenters, but upon further consideration, have concluded that defining any of the additional terms or clarifying additional existing ones is not necessary to support the implementation of this final rule. We also clarify that because HIPAA only authorizes the Department to protect IIHI used or disclosed by covered entities and their business associates, we are not able to regulate information that individuals themselves store and share using consumer health apps. 271 88 FR 23506, 23528 (Apr. 17, 2023). B.
Section 164.502—Uses and Disclosures of Protected Health Information: General Rules Section 164.502 of the Privacy Rule contains the general rules governing uses and disclosures of PHI. Paragraph (a)(1) of this section sets forth the list of permitted uses and disclosures. 1. Clarifying When PHI May Be Used or Disclosed by Regulated Entities Section 164.502(a)(1)(iv) generally permits a regulated entity to use or disclose PHI pursuant to and in compliance with a valid authorization under 45 CFR 164.508, except for uses and disclosures of genetic information by a health plan for underwriting purposes prohibited under 45 CFR 164.502(a)(5)(i). Thus, an authorization that purports to allow a health plan to use or disclose PHI for that prohibited purpose is not valid under the Privacy Rule. The Department proposed to modify 45 CFR 164.502(a)(1)(iv) to incorporate an additional limitation on the ability of a regulated entity to use and disclose PHI pursuant to an individual’s authorization.272 Specifically, the Department’s proposal would prohibit a regulated entity from using or disclosing PHI pursuant to an individual’s authorization where the purpose of the disclosure is for a criminal, civil, or administrative investigation or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify any person for the purpose of initiating such activities. As explained in the 2023 Privacy Rule NPRM, the proposed modification was intended to prevent the misuse of the general permission for a regulated entity to use or disclose PHI pursuant to an individual’s authorization to bypass the proposed prohibition against using and disclosing PHI for purposes that would be prohibited by proposed 45 CFR 164.502(a)(5)(iii). 272 88 FR 23506, 23528–29 (Apr. 17, 2023).
The Department explained in the proposed rule that this change to the authorization permission was necessary to protect individuals’ privacy by precluding any possibility that a third party, such as a law enforcement official, could coerce or attempt to coerce an individual into signing an authorization, thereby enabling the third party to circumvent the prohibition proposed at 45 CFR 164.502(a)(5)(iii). The Department also proposed to modify the general rules in 45 CFR 164.502(a)(1)(vi) to expressly condition certain uses and disclosures made under 45 CFR 164.512 on the receipt of an attestation pursuant to proposed 45 CFR 164.509, which is discussed below in greater detail. For clarity, the Department proposed to revise 45 CFR 164.502(a)(1)(vi) by replacing the sentence containing the conditions for certain permitted uses and disclosures with a lettered list. Public comments about the use of authorization to use and disclose PHI for the purposes the Department proposed to prohibit in the 2023 Privacy Rule NPRM were generally divided between opposing views and supportive views, although only a few comments expressed full support for the proposal, as drafted. While many commenters shared the Department’s concerns about the potential for individuals to be coerced into providing an authorization, some of these commenters nonetheless opposed the proposal because it could limit beneficial disclosures, cause uncertainty about the validity of an authorization, increase the burden on regulated entities, or seem to conflict with state laws that permit the disclosure of certain health information with the individual’s explicit written consent. The Department received no comments on its proposal to replace the sentence at 45 CFR 164.502(a)(1)(vi) with a lettered list.
Comments on the Department’s proposal to condition certain disclosures made under 45 CFR 164.512 on the receipt of an attestation as required by proposed 45 CFR 164.509 are discussed below in greater detail. The Department is not finalizing its proposal to prohibit a regulated entity from using or disclosing an individual’s PHI for the specified purposes pursuant to and in compliance with an individual’s authorization. We agree with the majority of public comments discussed in detail below that generally expressed the view that the Privacy Rule’s authorization requirements empower individuals to make decisions about who has access to their PHI. We acknowledge that maintaining the permission for regulated entities to obtain an individual’s authorization to use and disclose PHI could leave an individual exposed to the potential for duress or coercion by a third party. It could also expose a health care provider or other person who provides or facilitates reproductive health care to liability in the event the authorization is used to effect a disclosure for a prohibited purpose in connection with lawful reproductive health care. However, we believe that continuing to permit uses and disclosures pursuant to an individual’s authorization best preserves individual autonomy concerning uses and disclosures of their PHI. Consistent with our practice described above, the Department will monitor closely the interaction of the revised Privacy Rule and the evolving legal landscape to ensure an appropriate balance of protecting the privacy interests of individuals and permitting access to PHI for non-health care purposes.
As we discussed in the proposed rule, there is a relationship between the provision allowing an individual to authorize a regulated entity to use or disclose the individual’s PHI to a third party and the HITECH Act requirement that a regulated entity comply with an individual’s direction to transmit to another person an electronic copy of the individual’s PHI in an EHR (‘‘individual access right to direct’’).273 Both enhance an individual’s autonomy by providing them with the ability to determine who can access the individual’s PHI as specified in the authorization or access request. Both also create an opportunity for coercion or attempted coercion of an individual by another person (e.g., a law enforcement official could attempt to coerce an individual into providing the law enforcement official with access to the individual’s PHI by offering the individual a reduced sentence for an alleged crime). And while we remain concerned about the potential for coercion or attempted coercion, even if the Department were to finalize the proposed limitation on uses and disclosures with an authorization, the individual would retain the individual access right to direct, which is enshrined in statute. We also believe it would be inconsistent with the spirit of the individual access right to direct for the Department to limit the ability of an individual to authorize a regulated entity to disclose their PHI to another person. For the foregoing reasons, we are not finalizing this proposal, and the language in 45 CFR 164.502(a)(1)(iv) remains unchanged. Comment: While some commenters expressed concern about the potential for coercion described in the proposed rule, they did not all agree that it would be appropriate to address this concern by prohibiting such disclosures pursuant to an authorization. 273 42 U.S.C. 17935(e).
Some commenters asserted that coercion concerns would not be eliminated by curtailing the ability of individuals to authorize disclosures of their PHI in certain circumstances. Some commenters explained that prohibiting individuals from requesting disclosures of their PHI pursuant to an authorization for prohibited purposes would create a significant burden for regulated entities, primarily because of the frequent failure of persons requesting the use or disclosure of PHI to provide sufficient detail regarding the purpose of the request to allow them to determine if it would be for a prohibited purpose. A few commenters asserted that a HIPAA authorization is the safest approach to ensuring an individual is aware of and agrees to the use or disclosure of their PHI. One of those commenters recommended that the Department permit a regulated entity to disclose PHI pursuant to a valid authorization unless the covered entity has actual knowledge that an authorization was not voluntary. A commenter recommended adding a disclaimer or warning to the authorization to provide assurances that an individual was not coerced into disclosing their PHI to law enforcement or another third party that might seek to use the PHI for improper purposes. Still another commenter recommended that the Department require the authorization to indicate the types of sensitive information the individual intends to share. One commenter recommended that certain disclosures be accompanied by a notice of the individual’s rights under the Privacy Rule. Response: We appreciate comments concerning this proposal and the restriction of individuals’ ability to maintain control over their PHI by prohibiting the use of written authorization. The Privacy Rule’s written authorization requirements are the most objective means by which an individual can provide direction to a regulated entity about the use and disclosure of their PHI known to a regulated entity.
The right of individuals to access their PHI and choose to disclose their PHI to another person is a cornerstone of HIPAA, and as such, we are not proceeding with this proposal. The Department will continue to monitor complaints we receive and the outcome of enforcement actions to identify potential coercion and the effect of permitting individuals to authorize the disclosure of PHI for purposes that are prohibited under 45 CFR 164.502(a)(5)(iii) on the relationship between health care providers and individuals. We also appreciate the comments that asserted that restricting the ability of regulated entities to use an authorization to obtain PHI for the purposes prohibited in this rulemaking could create a burden for the regulated entities. To the extent that individuals wish to authorize the use and disclosure of their PHI, particularly when a request is not clear, or when a request seeks only partial parts of a record, a written authorization provides the regulated entity with the opportunity to clarify, with both the individual and the person requesting the disclosure, the PHI that will be disclosed. State laws that require regulated entities to obtain an individual’s written consent are generally considered more privacy protective, and thus are not preempted. Comment: Several commenters expressed support for eliminating the ability of regulated entities to use or disclose PHI pursuant to an authorization in certain circumstances because of the potential for harm to individuals as proposed. One commenter described the potential negative effects of permitting uses and disclosures pursuant to an authorization in certain circumstances on individuals from historically marginalized communities. Another commenter asserted that individuals frequently do not read consent forms provided to them for signature for a variety of reasons, including proficiency. 
Some commenters expressed concerns that individuals who are the subject of a criminal investigation or prosecution would be placed in situations where it would not be possible to obtain a voluntary authorization (e.g., a custodial situation), or that law enforcement could seek to persuade an individual to provide them with access to the individual’s PHI through improper means.

Response: We continue to share the concern expressed by commenters about the potential for coercion or harassment of individuals, particularly those in marginalized or underserved communities, to provide authorization for the use or disclosure of their PHI. According to many reports and data cited by the Department and commenters, such individuals more often experience negative interactions with law enforcement or other prosecutorial authorities. We urge HIPAA regulated entities to be mindful of Privacy Rule requirements that could help mitigate the potential for harm resulting from coercion or difficulties individuals may experience in understanding an authorization. For example, 45 CFR 164.508(b)(2)(v) holds invalid authorizations that include “material information [. . .] known by the covered entity to be false”; 45 CFR 164.508(c)(1)(iv) requires that every authorization include a description of each purpose of the requested use or disclosure; and 45 CFR 164.508(c)(3) requires that the authorization be written in plain language.274 The Department will continue to monitor complaints, questions, and enforcement outcomes for potential harm from disclosures resulting from authorizations.

274 In the preamble to the 2000 Privacy Rule, we explained that a covered entity could meet HIPAA plain language requirements by organizing material to serve the reader; writing short sentences in the active voice; using pronouns; using common, everyday language; and dividing material into short sections. 65 FR 82462, 82548 (Dec. 28, 2000).

Comment: A few commenters requested clarifications of how the proposal would affect other disclosures made pursuant to the Privacy Rule, including disclosures to the individual’s attorney, and whether the Department intended it to apply to other consumer-initiated requests, such as part of an Application Programming Interface (API). A commenter recommended that health care providers be permitted to refuse to release PHI to any consumer health app when the information could lead to civil or criminal repercussions for the health care provider unless the app developer signs a binding agreement that protects them.

Response: We are not finalizing the proposal, but state here that the Department did not intend to affect or disrupt the ability of covered entities to make other disclosures of PHI pursuant to a written authorization under the Privacy Rule. Additionally, as discussed above, individuals have the right to obtain a copy of their PHI and the individual access right to direct, which could involve releasing PHI to a consumer health app or an API. With respect to EHR and technology vendors and other third parties who facilitate the exchange of PHI on behalf of covered entities, we continue to stress that valid business associate agreements are required by the Privacy Rule and necessary to protect the privacy of the individuals who are the subject of the PHI.
ONC also has made clear that it intends to advance technologies that support requirements already extant under the HIPAA Privacy Rule.275 Additionally, the Department continues to urge covered entities that have direct contact with individuals to educate such individuals on the risks of disclosing their PHI to persons that are not regulated by HIPAA.276 We will continue to ensure that regulated entities enter into business associate agreements as required by the Privacy Rule.277 We will continue to monitor complaints, questions, and enforcement outcomes.

275 89 FR 1192, 1302 (Jan. 9, 2024). See also Off. for Civil Rights, “Information Blocking Regulations Work In Concert with HIPAA Rules and Other Privacy Laws to Support Health Information Privacy,” U.S. Dep’t of Health and Human Servs. (Apr. 12, 2023), https://www.healthit.gov/buzz-blog/information-blocking/information-blocking-regulations-work-in-concert-with-hipaa-rules-and-other-privacy-laws-to-support-health-information-privacy.

276 See, e.g., Off. for Civil Rights, “Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth,” U.S. Dep’t of Health and Human Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/resource-health-care-providers-educating-patients/.

277 See 45 CFR 164.502(a)(3) and (e). See also 45 CFR 164.504(e).

Comment: Many commenters addressed the relationship between the Department’s proposal to eliminate the option for an individual to request disclosure of their information for the prohibited purposes pursuant to an authorization and the individual right of access, particularly, the right of an individual to direct a regulated entity to transmit to a third party an electronic copy of their PHI in an EHR. Several commenters recommended that the Department curtail the individual access right to direct. Some commenters expressed concern about the potential for individuals to be coerced into providing access to their PHI to third parties. A few commenters expressed concerns that some third parties sell PHI for purposes adverse to individuals’ interests, including some of the purposes described in the 2023 Privacy Rule NPRM. A few commenters provided recommendations for ways to educate individuals regarding their rights under the Privacy Rule.

Response: Although we appreciate the comments on this topic, any modifications to the individual access right to direct are beyond the scope of this rulemaking. We reiterate here that covered entities and their technology vendors that meet the definition of business associates must ensure that valid business associate agreements are in place,278 and we urge them to facilitate individuals’ awareness of the risks of using third-party consumer apps that are not regulated by HIPAA.279 The Department continues to appreciate the identification of better education resources for individuals and health care providers and commits to providing educational resources through its website, regional offices, and webinars.

2. Adding a New Category of Prohibited Uses and Disclosures

Generally, the Privacy Rule prohibits the use or disclosure of PHI except as permitted or required by the Privacy Rule. Paragraph (a)(5) of section 164.502 contains specific purposes for which the Privacy Rule explicitly prohibits the use and disclosure of PHI. Section 164.502(a)(5)(i) prohibits most health plans from using or disclosing PHI that is genetic information for underwriting purposes, while 45 CFR 164.502(a)(5)(ii) prohibits a regulated entity from selling PHI, except when they have obtained a valid authorization from the individual who is the subject of the PHI.
278 For information about what a business associate is and the requirements for business associate agreements, see Off. for Civil Rights, “Business Associate Contracts,” U.S. Dep’t of Health and Human Servs. (Jan. 25, 2013), https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/.

279 Off. for Civil Rights, “Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet,” U.S. Dep’t of Health and Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/.

The Department proposed to add a new paragraph, 45 CFR 164.502(a)(5)(iii), to prohibit regulated entities from using or disclosing an individual’s PHI for certain additional purposes, and to describe the scope, applicability, and limitations of the prohibition. Similar to most other prohibitions within the Privacy Rule, this prohibition would be purpose-based, rather than a blanket prohibition against uses and disclosures of certain types of PHI.280 The Department’s rationale for this approach was fourfold: (1) to be consistent with the existing Privacy Rule permissible use and disclosure structure with which regulated entities are familiar, including the permission to disclose to law enforcement for certain purposes; (2) to avoid imposing a requirement on regulated entities that would necessitate the adoption and implementation of costly technology upgrades to enable data segmentation;281 (3) to recognize that PHI about an individual’s reproductive health care may be used or disclosed for a wide variety of purposes, and permitting the use or disclosure of PHI for some of those purposes would erode individuals’ ability to trust in the health care system; and (4) to avoid any misperception that the Department is setting a standard of care or substituting its judgment for that of individuals and licensed health care professionals.

Proposed 45 CFR 164.502(a)(5)(iii)(A) would establish a new prohibition against the use or disclosure of PHI. Section 164.502(a)(5)(iii)(A)(1) would prohibit the use or disclosure of PHI where the use or disclosure is for a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care. Section 164.502(a)(5)(iii)(A)(2) would prohibit the use or disclosure of PHI to identify any person for the purpose of initiating a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care.
280 88 FR 23506, 23529–33 (Apr. 17, 2023).

281 The Department does not oppose efforts to implement or employ technology that is capable of segmenting data. Rather, the Department’s proposal was informed by the recognition that the technology deployed by most regulated entities today is not capable of doing so.

The Department proposed 45 CFR 164.502(a)(5)(iii)(B) to explain that “seeking, obtaining, providing, or facilitating” would include, but not be limited to, expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same. As the Department explained in the 2023 Privacy Rule NPRM, the proposed prohibition would apply to any request for PHI to facilitate a criminal, civil, or administrative investigation or proceeding against any person, or to identify any person to initiate an investigation or proceeding, where the basis for the investigation, proceeding, or identification is that the person sought, obtained, provided, or facilitated reproductive health care that is lawful under the circumstances in which such health care is provided. The Department further explained that, consistent with its HIPAA authority, the prohibition would preempt state or other laws requiring a regulated entity to use or disclose PHI in response to a court order or other type of legal process for a purpose prohibited under the proposed rule.
Conversely, the prohibition would not preempt laws that require the use or disclosure of PHI for other purposes, such as: public health activities;282 investigations of sexual assault committed against an individual where such use or disclosure is conditioned upon the receipt of an attestation; or investigations into human and sex trafficking, child abuse, or professional misconduct or licensing inquiries.283

The Department also proposed to subject this prohibition to a Rule of Applicability in 45 CFR 164.502(a)(5)(iii)(C). As the Department explained, the proposed prohibition in 45 CFR 164.502(a)(5)(iii) would prohibit a regulated entity from using or disclosing PHI for certain purposes against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is “lawful under the circumstances in which such health care is provided.”284 The Department further explained that it proposed a framework for regulated entities to determine whether the reproductive health care at issue was lawful under the circumstances in which such health care was provided. The proposed language of the Rule of Applicability under this rule would apply where one or more of three specified conditions exist.

The first condition, as proposed in 45 CFR 164.502(a)(5)(iii)(C)(1), addressed reproductive health care provided outside of the state that authorized the investigation or proceeding where such health care is lawful in the state where it is provided. In the proposed rule, we also clarified that the proposal would apply the prohibition in a situation in which the health care is ongoing, has been completed, or has not yet been obtained, provided, or facilitated. The proposed prohibition would recognize that any interest of society in conducting an investigation or proceeding against a person would require balancing with, and generally be outweighed by, the interests of society in protecting the privacy interests of individuals when they access lawful health care. As discussed above, privacy interests are heightened with respect to reproductive health care that is lawful under the circumstances in which it is provided as compared to the interests of law enforcement, and private parties afforded legal rights of action, in investigating or imposing liability for actions related to lawful reproductive health care.

The second condition, proposed in 45 CFR 164.502(a)(5)(iii)(C)(2), addressed reproductive health care protected, required, or authorized by Federal law, regardless of the state in which such health care is provided. It would apply the prohibition to reproductive health care that is lawful under the applicable Federal law and where the investigation or proceeding is against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care. It would apply, for example, where the underlying reproductive health care continues to be protected by the Constitution, such as contraception, or is expressly required or authorized under Federal law.285

The third condition, proposed in 45 CFR 164.502(a)(5)(iii)(C)(3), would apply the prohibition when the relevant criminal, civil, or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care that is provided in a state consistent with and permitted by the law of that same state.

282 See supra discussion of “Public health” for more information on what constitutes a “public health activity” under the Privacy Rule.

283 88 FR 23506, 23532 (Apr. 17, 2023).

284 Id. at 23510, 23522, and 23531.
The Department also proposed a Rule of Construction in 45 CFR 164.502(a)(5)(iii)(D) that provided that the proposed prohibition should not be construed to prohibit a use or disclosure of PHI otherwise permitted by the Privacy Rule unless such use or disclosure is primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.286 The Department proposed the Rule of Construction to avoid an erroneous interpretation of the prohibition standard, which otherwise could have been construed to prevent regulated entities from using or disclosing PHI for the purpose of defending themselves or others against allegations that they sought, obtained, provided, or facilitated reproductive health care that was not lawful under the circumstances in which it was provided.

285 See Griswold v. Connecticut, 381 U.S. 479 (1965); Eisenstadt v. Baird, 405 U.S. 438 (1972); Dobbs, 597 U.S. 345 (Kavanaugh, J., concurring) (Dobbs “does not threaten or cast doubt on” the precedents providing constitutional protection for contraception).

286 See proposed 45 CFR 164.502(a)(5)(iii)(D). See also 88 FR 23506, 23552–53 (Apr. 17, 2023).

Most of the comments addressing the proposed prohibition expressed support for the Department’s purpose-based approach and the principle that the Privacy Rule should prohibit the use and disclosure of PHI for a criminal, civil, or administrative investigation into or proceeding against any person, or to identify any person to initiate a criminal, civil, or administrative investigation into or proceeding against any person, in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care.
At the same time, the Department received many comments that expressed concern about the proposal’s clarity and regulated entities’ ability to operationalize the Rule of Applicability and Rule of Construction. For example, commenters asserted that to the extent the proposed rule would require regulated entities to determine whether the requested PHI was about reproductive health care that was lawful under the circumstances in which it was provided, making such a determination could be unduly burdensome when the request was about reproductive health care that was not provided by the regulated entity that received the request and could expose them to legal risk in the absence of additional guidance or a safe harbor. Other commenters expressed concern that applying the prohibition would undermine the ability of states to enforce their own health care laws. Commenters who addressed the proposed Rule of Construction also expressed confusion about how the Department intended “primarily” or “primarily for the purpose of” to be interpreted. Many requested examples of uses and disclosures that would be “primarily” for the underlying prohibited purposes. In lieu of the proposal to avoid liability based on “the mere act of” seeking, obtaining, providing, or facilitating reproductive health care, a few commenters suggested expanding the proposed definition or modifying existing permissions to explicitly exclude conduct based solely on seeking, obtaining, providing, or facilitating certain types of health care.
The Department is finalizing the proposed prohibition that restricts the ability of regulated entities to use or disclose PHI for activities with the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it was provided, or to identify any person for such purposes, with modifications to improve clarity and ease implementation for regulated entities. The Department is retaining its purpose-based approach in the final rule in light of concerns about the ability of regulated entities to segment certain types of data and in recognition that PHI about an individual’s reproductive health may be reflected throughout an individual’s longitudinal health record, in addition to being maintained by a wide variety of regulated entities. As we discussed in the 2023 Privacy Rule NPRM, the Department recognizes that diseases and conditions that are not directly related to an individual’s reproductive health may be affected by or have bearing on the individual’s reproductive health and the reproductive health care they are eligible to receive, and vice versa. Thus, it may be necessary for all types of health care providers to maintain complete and accurate medical records to ensure that subsequent health care providers are adequately informed in making diagnoses or recommending courses of treatment. For example, an individual with a chronic cardiac or endocrine condition may become pregnant, placing additional strain on the individual’s cardiovascular or endocrine system. In such cases, it is essential that their cardiologist or endocrinologist be informed of the pregnancy and consulted as necessary to ensure appropriate health care is provided to the individual because such conditions may have bearing on their pregnancy.
Additionally, the final rule revises the prohibition standard at 45 CFR 164.502(a)(5)(iii) by incorporating language from the proposed Rule of Construction to clarify the purposes for which the Department prohibits uses or disclosures of PHI. In 45 CFR 164.502(a)(5)(iii)(A)(1) and (2), the Department incorporates the “mere act of” language of the proposed Rule of Construction to clarify that the prohibited uses and disclosures of PHI are tied to imposing criminal, civil, or administrative liability for the “mere act of” seeking, obtaining, providing, or facilitating reproductive care and not just “in connection to” such acts.287

287 Section 164.502(a)(5)(iii)(A)(3) incorporates the same language by reference to 45 CFR 164.502(a)(5)(iii)(A)(1) and (A)(2).

Section 164.502(a)(5)(iii)(A)(1) combines the criminal, civil, or administrative investigations language from the proposed prohibition standard with the proposed Rule of Construction to prohibit regulated entities from using or disclosing PHI for activities conducted for the purpose of a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. Section 164.502(a)(5)(iii)(A)(2) separates and replaces the “or proceeding against” language from the first condition of the proposed prohibition standard with “to impose criminal, civil, or administrative liability on” and incorporates language from the proposed Rule of Construction to prohibit regulated entities from using or disclosing PHI for activities conducted for the purpose of imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
Similar to proposed 45 CFR 164.502(a)(5)(iii)(A)(2), 45 CFR 164.502(a)(5)(iii)(A)(3) now addresses the use or disclosure of PHI to identify any person for the activities described in the other conditions of the prohibition standard. To the extent the purpose in 45 CFR 164.502(a)(5)(iii)(A)(1) relates to activities conducted for an investigation, the purpose in 45 CFR 164.502(a)(5)(iii)(A)(2) relates to the activities to impose liability, including activities that would flow from that investigation, whether it be in the form of proceedings to consider censure, medical license revocation, the imposition of fines or other penalties, or detainment or imprisonment, or the actual imposition of such liability.

The prohibition against the uses and disclosures of PHI finalized in 45 CFR 164.502(a)(5)(iii)(A) is subject to the Rule of Applicability that the Department is finalizing in 45 CFR 164.502(a)(5)(iii)(B). As discussed in the proposed rule and finalized herein, the Rule of Applicability modifies the prohibition standard to make clear that the prohibition encompasses the use or disclosure of PHI for any activities conducted for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that the regulated entity that has received the request for PHI has reasonably determined is lawful under the circumstances in which such health care is provided. The prohibition’s reference to the “mere act” of seeking, obtaining, providing, or facilitating lawful reproductive health care includes the reasons that the reproductive health care was sought or provided (e.g., an investigation into whether a particular abortion was necessary to save a pregnant person’s life would constitute an investigation into the “mere act” of seeking, obtaining, providing, or facilitating reproductive health care). The reference to “mere act” operates the same way with respect to activities conducted to identify any individual for the purposes described above. This includes but is not limited to law enforcement investigations, third party investigations in furtherance of civil proceedings, state licensure proceedings, criminal prosecutions, and family law proceedings. Examples of criminal, civil, or administrative investigations or activities to impose liability for which regulated entities would be prohibited from using or disclosing PHI would also include a civil suit brought by a person exercising a private right of action provided for under state law against an individual or health care provider who obtained, provided, or facilitated a lawful abortion, or a law enforcement investigation into a health care provider for lawfully providing or facilitating the disposal of an embryo at the direction of the individual.

The Department acknowledges that this final rule will not prohibit the use or disclosure of PHI in all instances in which persons request the use or disclosure of PHI for an investigation or to impose liability on a person for seeking, obtaining, providing, or facilitating reproductive health care. As discussed extensively in Section III of this rule, the Privacy Rule has long balanced the privacy interests of individuals with that of society in obtaining PHI for certain non-health care purposes.
Accordingly, we acknowledge that in some circumstances, an individual’s privacy interest in obtaining lawful care will outweigh law enforcement’s interests in the PHI for certain non-health care purposes, while in others, law enforcement’s interests in the PHI will outweigh the privacy interests of individuals. As we discussed above in Section III and in the proposed rule, recent developments in the legal landscape have made information about an individual’s reproductive health more likely to be sought for punitive non-health care purposes, such as targeting individuals for seeking lawful reproductive health care outside of their home state, and therefore more likely to be subject to disclosure by regulated entities if the requested disclosure is permitted under the Privacy Rule. The Department’s approach in this rulemaking limits the application of the prohibition to situations in which reproductive health care meets one of the conditions of the Rule of Applicability. Accordingly, the prohibition applies only where individuals’ privacy interests outweigh the interests of law enforcement, and private parties afforded legal rights of action, in obtaining individuals’ PHI for the non-health care purpose of investigating or imposing liability for reproductive health care that was not lawful under the circumstances in which it was provided. We also acknowledge, as we did in the proposed rule, that in some circumstances, the Privacy Rule imposes greater restrictions on uses and disclosures of PHI than state privacy laws, and the prohibition may delay or hamper enforcement of certain other state laws (e.g., laws governing access to reproductive health care). Such circumstances were contemplated by Congress when it enacted HIPAA.288 For example, a state law might require a covered entity to disclose PHI to law enforcement in furtherance of an investigation, while the final rule may prohibit such a disclosure.
In such cases, the provisions of the Privacy Rule would preempt the application of contrary provisions of state law, and the regulated entity could not disclose the PHI.289 However, as discussed above in section III, we reiterate that not all methods to investigate the lawfulness of reproductive health care are foreclosed by this rule. The Department emphasizes that the prohibition does not apply in circumstances that fall outside of its terms. Where a person requesting PHI identifies a legal basis for the request beyond the mere act of a person having sought, obtained, provided, or facilitated reproductive health care that was lawful under the circumstances in which it was provided, the prohibition at 45 CFR 164.502(a)(5)(iii) would not apply. Similarly, if a person obtains reproductive health care that was unlawful, such health care would not be lawful under the circumstances in which it was provided, and the prohibition would not apply. Where the prohibition does not apply, the Privacy Rule permits the requested PHI to be used or disclosed, provided that the use or disclosure is otherwise permitted by the Privacy Rule (i.e., the request meets the requirements of an applicable permission and is accompanied by a valid attestation as described by 45 CFR 164.509, where required).

288 42 U.S.C. 1320d–7(a)(1) (providing the general rule that, with limited exceptions, a provision or requirement under HIPAA supersedes any contrary provision of state law); see also section 264(c)(2) of Public Law 104–191 (codified at 42 U.S.C. 1320d–2 note) and 45 CFR 160.203.

289 See final 45 CFR 164.509, and discussion below.
The Department reminds the public that persons who request PHI under false pretenses may be subject to criminal penalties under HIPAA.290 The Rule of Applicability, as discussed below, vests the determination of whether the reproductive health care was lawful under the circumstances it was provided with the regulated entity that receives the request for PHI and requires that such determination be reasonable. The regulatory presumption, also discussed below, replaces the proposed requirement that a regulated entity make a determination regarding the lawfulness of the reproductive health care where someone other than the regulated entity that receives the request provided such health care. The new language requires that the reproductive health care at issue be presumed lawful under the circumstances in which such health care is provided when provided by a person other than the regulated entity receiving the request. This helps to ensure that the regulated entity is not required to make a determination about the lawfulness of such health care. The presumption may be overcome if certain conditions are met.

In the proposed rule, the Department provided examples that remain helpful in illustrating the operation of the clarified prohibition and how it continues to permit uses and disclosures for legitimate interests.291 For example, the prohibition does not restrict a regulated entity from using or disclosing PHI to a health oversight agency conducting health oversight activities, such as investigating whether reproductive health care was actually provided or appropriately billed in connection with a claim for such services, or investigating substandard medical care or patient abuse.292 However, as discussed above, investigating substandard medical care or patient abuse may not be used as a pretext for investigating reproductive health care for purposes that are otherwise prohibited by this final rule.

290 See 42 U.S.C. 1320d–6.

291 88 FR 23506, 23532–33 (Apr. 17, 2023).

292 See 45 CFR 164.512(d)(1)(i) through (iv) for health oversight activities for which the Privacy Rule permits uses and disclosures of PHI. See also the National Association of Medicaid Fraud Control Units, described at https://www.naag.org/aboutnaag/namfcu/. All 53 federally certified Medicaid Fraud Control Units voluntarily subscribe to this organization. This final rule does not interfere with any State’s ability to meet their statutory obligations to combat health care fraud related to Medicaid.

In another example, the rule does not bar a regulated entity from using or disclosing PHI to investigate an alleged violation of the Federal False Claims Act or a state equivalent based on unusual prescribing or billing patterns for erectile dysfunction medication. This final rule also does not prohibit the use or disclosure of PHI where the PHI is sought to investigate or impose liability on a person for submitting a false claim for reproductive health care for payment to the government. In such a case, the request is not made for the purpose of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. Instead, the purpose of the request for PHI is to investigate or impose liability on a person for an alleged violation of the Federal False Claims Act or a state equivalent.293 As another example, the revised prohibition standard generally does not prohibit the disclosure of PHI to an Inspector General where the PHI is sought to conduct an audit aimed at protecting the integrity of the Medicare or Medicaid Program where the audit is not inconsistent with this final rule.
This is because the request is generally not being made for the purpose of investigating or imposing liability on a person for the mere act of providing the reproductive health care itself. The prohibition also makes clear that the use or disclosure of PHI is permitted where the purpose of the use or disclosure is to investigate alleged violations of Federal nondiscrimination laws or abusive conduct, such as sexual assault, that may occur in connection with reproductive health care. The prohibition likewise makes clear that the use or disclosure of PHI is permitted where the purpose of the use or disclosure is to penalize the provision of reproductive health care that is not lawful, as defined by the Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B), as long as a Privacy Rule permission applies. Under the prohibition, a regulated entity could respond to a request for relevant records in a criminal or civil investigation pursuant to 18 U.S.C. 248 regarding freedom of access to clinic entrances. Investigations under this provision are conducted for the purpose of determining whether a person physically obstructed, intimidated, or interfered with persons providing ‘‘reproductive health services,’’294 or attempted to do so. Thus, they do not involve investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that was reasonably determined to be lawful under the circumstances in which such health care was provided by the regulated entity that received the request for PHI.

293 31 U.S.C. 3729–3733.
The final rule retains the proposal’s prohibition against the use or disclosure of PHI for activities conducted for the purpose of investigating or imposing liability on ‘‘any person’’ for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, or for identifying ‘‘any person’’ for such activities. ‘‘Any person’’ means, based on the HIPAA Rules’ definition of ‘‘person,’’295 that the prohibition is not limited to use or disclosure of PHI for use against the individual; rather, the prohibition applies to the use or disclosure of PHI against a regulated entity, or any other person, including an individual or entity, who may have obtained, provided, or facilitated lawful reproductive health care.296 The Department has always and continues to recognize that there may be a public interest and benefit in disclosing PHI for limited non-health care purposes, including enforcing duly enacted laws. The Department has also always sought to balance competing interests in individual privacy and the use and disclosure of PHI for particular purposes in the Privacy Rule. We balance these competing interests by considering both the harm to individuals that results from the use or disclosure of PHI (e.g., loss of trust in the health care system, potential for financial liability or detainment) and the countervailing interests in disclosure. As discussed above, the Department finds that the final rule reflects the appropriate balance between these interests by prohibiting the use and disclosure of PHI for activities conducted for the purpose of investigating or imposing liability on ‘‘any person’’ for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, or for identifying ‘‘any person’’ for such activities.

Accordingly, the final rule adopts, with modifications discussed below, the proposed Rule of Applicability and redesignates it as 45 CFR 164.502(a)(5)(iii)(B). The final rule text also adds the word ‘‘only’’ in 45 CFR 164.502(a)(5)(iii)(B) to make clear that the prohibition’s application is limited to the use or disclosure of PHI ‘‘only’’ where one or more of the conditions set forth in the Rule of Applicability exists. To address concerns from commenters about how to determine whether reproductive health care is ‘‘lawful,’’ the Department finalizes a revised Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B). Specifically, the Rule of Applicability, as finalized, requires that a regulated entity that receives a request for PHI make a reasonable determination about the lawfulness of the reproductive health care in the circumstances in which such health care was provided, where lawfulness is described by 45 CFR 164.502(a)(5)(iii)(B)(1)–(3). Thus, a regulated entity that receives the request for PHI must decide whether it would be reasonable for a similarly situated regulated entity to determine, as provided in the Rule of Applicability, that the reproductive health care is lawful under the circumstances in which such health care is provided. To make the reasonableness determination, that is, to determine whether it would be reasonable for a similarly situated regulated entity to determine that one or more of the conditions of the Rule of Applicability applies, a regulated entity receiving the request for PHI must evaluate the facts and circumstances under which the reproductive health care was provided.

294 18 U.S.C. 248(e)(5) (definition of ‘‘Reproductive health services’’).

295 45 CFR 160.103 (definition of ‘‘Person’’).

296 Note that in Section V.A.1, the Department is clarifying the definition of ‘‘person,’’ although that clarification does not affect the analysis in this paragraph.
Such facts and circumstances include but are not limited to the individual’s diagnosis and prognosis, the time such health care was provided, the location where such health care was provided, and the particular health care provider who provided the health care. This approach is consistent with the current and longstanding practice under the Privacy Rule, whereby a covered entity is responsible for determining whether a requested use or disclosure is permitted under one or more of the permissions set forth in the Privacy Rule. For example, a regulated entity is permitted to make a use or disclosure of PHI where ‘‘required by law’’ pursuant to 45 CFR 164.512(a). To make a use or disclosure under that permission, the regulated entity cannot rely on assertions from the person making the request, but rather, must itself evaluate the relevant law to determine whether the use or disclosure is ‘‘required by law’’ and thus permitted under that permission. As discussed above, the Department recognizes that this approach may prevent uses or disclosures in support of some law enforcement investigations (e.g., where a health care provider reasonably determines that its provision of reproductive health care was lawful, but where law enforcement reasonably disagrees or does not provide sufficient factual information for a regulated entity to determine that there is a substantial factual basis that the reproductive health care was not lawful under the circumstances in which such health care was provided). However, we believe that, in these narrow circumstances, the interests of law enforcement, and private parties afforded legal rights of action, are outweighed by privacy interests and that the current approach strikes the appropriate balance between these competing interests.
The Department is retaining the proposed framework for identifying the circumstances in which reproductive health care is lawful, and thus the prohibition applies. However, we are modifying the regulatory text of the Rule of Applicability to clarify its conditions. As revised, the regulatory text combines the first and third conditions of the Rule of Applicability into a revised 45 CFR 164.502(a)(5)(iii)(B)(1) that focuses on whether the reproductive health care at issue is lawful under the circumstances in which such health care is provided. Under the revised condition, the circumstances in which the prohibition applies are determined by the law of the state in which the health care is provided. As proposed in the 2023 Privacy Rule NPRM, the first and third conditions, when considered together, would have given the impression that the Department was drawing a distinction between reproductive health care provided in-state or out-of-state, although outcomes would have been the same. As the Department explained in the proposed rule, both the first and third conditions would have prohibited a regulated entity from using or disclosing PHI where the reproductive health care was permitted by the law of the state in which it was provided (e.g., for pregnancy termination that occurs before a state-specific gestational limit or under a relevant exception in a state law restricting pregnancy termination such as when the pregnancy is the result of rape or incest or because the life of the pregnant individual is endangered, for reproductive health care that is generally permitted but must be provided by a specific type of health care professional or in a certain place of service). The outcome of the analysis remains the same under this final rule, which combines the first and third conditions of the Rule of Applicability into one condition.
Thus, the revision improves the clarity of the Rule of Applicability by focusing solely on whether the reproductive health care was lawful under the circumstances in which it was provided. Additionally, the final rule modifies the regulatory text in 45 CFR 164.502(a)(5)(iii)(B)(2) to include an express reference to the U.S. Constitution as a source of Federal law for determining whether reproductive health care is lawful under the circumstances in which such health care is provided. The Department has always intended to include the U.S. Constitution as a source of Federal law, and the final regulatory text now explicitly reflects this. The regulatory text also makes clear that the U.S. Constitution is not the sole source of Federal law and that Federal statutes, regulations, and policies may be the relevant legal authority for determining whether the reproductive health care is protected, required, or authorized under Federal law. This final rule in no way supersedes applicable state law pertaining to the lawfulness of reproductive health care. To address commenters’ concerns about obligating regulated entities to determine whether reproductive health care that occurred outside of the regulated entity is lawful, the Department is adding a new presumption provision at 45 CFR 164.502(a)(5)(iii)(C). It presumes the reproductive health care at issue was lawful under the circumstances in which such health care was provided when it was provided by a person other than the regulated entity receiving the request. The presumption can be overcome where the regulated entity has either actual knowledge, or factual information supplied by the person requesting the use or disclosure, that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided. 
The first ground to overcome the presumption—concerning ‘‘actual knowledge’’—accounts for situations where the regulated entity has actual knowledge that the reproductive health care was not lawful. The second ground to overcome the presumption—concerning ‘‘factual information’’—accounts for situations where the person making the request has demonstrated to the regulated entity that there is a substantial factual basis that the reproductive health care was unlawful under the circumstances in which such health care was provided. To satisfy the second ground, the regulated entity must obtain from the person making the request sufficient threshold factual evidence that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the circumstances in which such health care was provided. For example, an investigator requests information from a health plan about claims for coverage of certain reproductive health care provided by a particular health care provider. The health plan must presume that the reproductive health care was lawful unless the health plan has actual knowledge that the reproductive health care was not lawful or the investigator supplied information that demonstrates a substantial factual basis to believe that the reproductive health care was not lawful under these circumstances. The latter condition could be met where the investigator provides the regulated entity with various types of documentation. For example, persons requesting PHI could provide the regulated entity with affidavits supplied by complainants that contain the circumstances under which the reproductive health care was provided. In this example, the presumption would be overcome, and the health plan would be permitted to use or disclose the PHI, assuming that all applicable conditions of the Privacy Rule were otherwise met.
In contrast, if the investigator requests the same information but only provides an anonymous report of a particular health care provider providing reproductive health care that is not lawful under the circumstances in which it is provided, the health plan would not have a substantial factual basis to believe that the reproductive health care was not lawful. Accordingly, this final rule would prohibit the health plan from disclosing the requested PHI unless the investigator provides sufficient information to overcome the presumption and the use or disclosure is otherwise permitted by the Privacy Rule. The conditions of making the use or disclosure would include, as described elsewhere in this final rule, obtaining a valid attestation if the relevant permission requires one. The Department emphasizes that, as demonstrated by the numerous comments on this issue, this regulatory presumption is necessary for workability by the regulated entities subject to this final rule. We recognize that when a regulated entity did not provide the reproductive health care at issue, it may not have access to all of the relevant information, including medical records with the necessary information, to determine whether prior reproductive health care obtained by an individual was lawful. We clarify that regulated entities are not expected to conduct research or perform an analysis of an individual’s PHI to determine whether prior reproductive health care was lawful under the circumstances in which it was provided when such health care was provided by someone other than the regulated entity that receives the request for the use or disclosure of PHI.
We also reiterate that this final rule is intended to support and clarify the privacy interests of individuals availing themselves of lawful reproductive health care, and not to thwart the interests of states in conducting lawful investigations or imposing liability on the provision of unlawful reproductive health care. While this new regulatory presumption may make it more difficult for a state to investigate whether reproductive health care was unlawful under the circumstances in which it was provided (e.g., when other sources of information that is not PHI are unavailable), as discussed above, the Department has considered those interests and determined that the effects are justified by countervailing privacy benefits. Moreover, as also explained above, society’s interest in obtaining PHI in such circumstances is reduced, particularly in light of its continued ability to obtain information from other sources. The Department also emphasizes that it is not applying a blanket presumption that all reproductive health care reflected in a regulated entity’s records was lawful under the circumstances in which it was provided. Instead, the presumption applies only where the reproductive health care at issue is provided by someone other than the regulated entity that received the request for the use or disclosure of PHI, and it may be overcome in the circumstances identified above. In contrast, where a request for PHI is made to the regulated entity that provided the relevant reproductive health care, the regulated entity is responsible for determining whether it provided reproductive health care that was lawful under the circumstances in which it was provided, including, as discussed above, a review of all available relevant evidence bearing on whether the reproductive health care was lawful under the circumstances in which it was provided. 
If the regulated entity reasonably determines that the health care was lawfully provided, the prohibition applies, and the regulated entity may not make the use or disclosure. To illustrate how the presumption would apply, consider a hospital that has PHI about the provision of reproductive health care by a different facility. The hospital is not expected to conduct research or perform analysis into whether reproductive health care obtained at a different facility from another health care provider was lawful under the circumstances in which such health care was provided. Accordingly, the regulated entity, if they receive a request for PHI to which the prohibition at 45 CFR 164.502(a)(5)(iii) may apply, is not expected to review the individual’s PHI to determine the lawfulness of the prior reproductive health care. In such situations, the regulated entity is also not expected to research other states’ laws to determine whether the reproductive health care was lawful under the circumstances in which it was provided, nor are they expected to consult with an attorney to do the same. Rather, the presumption standard allows the regulated entity to limit their review to information supplied by the person making the request for the use or disclosure of PHI where the request addresses reproductive health care provided by someone other than the regulated entity receiving the request. Thus, a regulated entity that did not provide the reproductive health care must presume that the reproductive health care was lawful under the circumstances in which it was provided unless the conditions of rebutting the presumption are met. Consider a different example in which a law enforcement official from State A issues a subpoena to a hospital in State A to request the PHI of an individual from State A who is suspected of obtaining reproductive health care in State B that would have been unlawful under the law of State A if provided there.
The hospital did not provide the reproductive health care in question, nor did the individual provide information to the hospital about who may have provided such health care. At the time the law enforcement official issues the subpoena, the individual is no longer in the hospital, nor is the individual receiving treatment at the hospital. Additionally, the law enforcement official provided no information in the subpoena that would make it reasonable for the hospital to determine that the reproductive health care at issue was not lawful in the circumstances in which it was provided, that is, to determine that the reproductive health care was not lawful under the law of State B or was not protected, required, or authorized by Federal law. In this case, the hospital did not have actual knowledge that, nor did the information supplied to it by the law enforcement official making the request demonstrate to the hospital a substantial factual basis that, the individual had previously received unlawful reproductive health care; therefore, the reproductive health care is presumed to have been provided under circumstances in which it was lawful to provide such health care. Accordingly, this final rule would prohibit the hospital from disclosing the requested PHI unless the law enforcement official provides sufficient information to overcome the presumption and the use or disclosure is otherwise permitted by the Privacy Rule. This includes, as described elsewhere in this final rule, receipt of a valid attestation if the relevant permission requires one. Conversely, if the hospital is provided with factual information that demonstrates a substantial factual basis that the reproductive health care at issue was not lawful under the specific circumstances in which such health care was provided, the presumption would be overcome.
When a presumption is overcome or rebutted, the Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B) cannot be satisfied (i.e., the regulated entity has actual knowledge, or has received factual information from the person requesting the PHI to determine that there is substantial factual basis to believe, that the reproductive health care was not lawful under the circumstances in which it was provided), and thus, the use or disclosure would not be prohibited under the final rule. As such, the Privacy Rule would permit, but would not require, the hospital to disclose the PHI in response to the subpoena where the use or disclosure meets the requirements of an applicable permission, including the receipt of a valid attestation where required. In another example, a law enforcement agency presents a covered entity’s business associate, such as a cloud service provider, with a subpoena for the PHI of an individual who received reproductive health care as part of its investigation into the health care provider who provided such health care for the provision of that health care. The PHI is encrypted, and the business associate does not have the key to decrypt it or is not permitted under the terms of its business associate agreement with the covered entity to decrypt the PHI. Thus, the business associate lacks a complete view of the individual’s PHI and did not provide the underlying reproductive health care. Additionally, the business associate has no actual knowledge that the reproductive health care was unlawful, nor did the person requesting the PHI supply it with information that demonstrates to the business associate a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided.
In such a case, the presumption that the reproductive health care at issue was lawful applies. If the law enforcement agency does not present more information to overcome the presumption, the Privacy Rule prohibits the business associate from disclosing the requested PHI in response to the subpoena, even if the law enforcement agency has provided an attestation; in this circumstance, the attestation would not be valid because the disclosure is for a purpose that is prohibited by 45 CFR 164.502(a)(5)(iii). The presumption serves a different purpose than the attestation, which is required when there is a request for PHI potentially related to reproductive health care for certain permitted purposes under the Privacy Rule, as discussed further below. In contrast with the attestation, the presumption applies only where a request for PHI involves a purpose prohibited under 45 CFR 164.502(a)(5)(iii) and the reproductive health care at issue was provided by someone other than the regulated entity that received the request for PHI, so the regulated entity does not have first-hand knowledge of the circumstances in which the reproductive health care was provided. Because the situations in which the presumption applies involve purposes prohibited under 45 CFR 164.502(a)(5)(iii), it is not reasonable for a regulated entity to rely, without additional information, on a statement from the person requesting the use or disclosure, including the statement required in the attestation by 45 CFR 164.509(b)(1)(ii), that the request is not made for a prohibited purpose or that the underlying reproductive health care was unlawful. Thus, such statement alone does not satisfy 45 CFR 164.502(a)(5)(iii)(C)(2). 
However, if a person requesting the use or disclosure of PHI provides the regulated entity with sufficient information, separate and distinct from the attestation itself, that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided, the presumption would be overcome; in this scenario, the Privacy Rule would permit, but would not require, the regulated entity to disclose the PHI in response to the subpoena. The presumption may also be overcome by, for example, a spontaneous statement from the individual about the circumstances under which they obtained reproductive health care. As we explained above, this final rule, consistent with the Department’s longstanding approach to the Privacy Rule, balances competing interests between the privacy expectations of individuals and society’s interests in PHI for certain non-health care purposes.
For example, since its inception, the Privacy Rule has permitted a covered entity to rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials that are permitted under 45 CFR 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s).297 Elsewhere in the Privacy Rule, covered entities are required to make a determination of whether it is ‘‘reasonable under the circumstances’’ to rely on documentation, statements, or representations from a person requesting PHI to verify the identity of the person requesting PHI and the authority of the person to access the PHI.298 In the case of public officials, we have previously explained that covered entities must verify the identity of the request by examination of reasonable evidence, such as written statement of identity on agency letterhead, an identification badge, or similar proof of official status. In addition, where explicit written evidence of legal process or other authority is required before disclosure may be made, a public official’s proof of identity and oral statement that the request is authorized by law are not sufficient to constitute the required reasonable evidence of the legal process or authority.299 In both instances, the Privacy Rule permits regulated entities to rely on representations made by public officials where it is reasonable to do so but makes clear that in some instances, documentary or other evidentiary proof is needed.300

In this final rule, the Department has enshrined the requirement that a regulated entity make a reasonable determination of whether PHI should be disclosed in response to a request from law enforcement, or other official, in regulatory text and determined that it is not reasonable to rely solely on representations of law enforcement or other officials without a written attestation. This approach is due to the high potential for harm to the individual who is the subject of the PHI or to persons who are subject to liability for the mere act of seeking, obtaining, providing or facilitating reproductive health care. Further, as we discussed above, even in the scenario where a state official seeks PHI to investigate whether the underlying reproductive health care was unlawful, a regulated entity’s reasonable determination that the conditions of the prohibition set forth in the Rule of Applicability are met means that the prohibition applies and the regulated entity is prohibited from using or disclosing the PHI. This does not foreclose the ability of state officials to investigate the circumstances surrounding the provision of the reproductive health care, including through the collection of information from sources that are not regulated under HIPAA, to determine whether a health care provider or other person may have acted unlawfully. Rather, this final rule prohibits the use or disclosure of PHI when it is being used to investigate or impose liability on a person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person to initiate such activities.

Indeed, the individual’s privacy interests are especially strong where individuals seek lawful reproductive health care and risk either avoiding such lawful health care or being less than truthful with their health care providers because they fear that their PHI will be disclosed. The Department is re-designating proposed 45 CFR 164.502(a)(5)(iii)(B) as 45 CFR 164.502(a)(5)(iii)(D) and modifying it in response to the commenters who provided examples of situations where they could reasonably expect to receive a request for PHI that might relate to ‘‘seeking, obtaining, providing, or facilitating reproductive health care.’’ To address these concerns, the Department is revising the list of activities in 45 CFR 164.502(a)(5)(iii)(D) that explain the scope of actions taken by persons that the Department is protecting against impermissible requests for PHI. Specifically, the Department is adding the terms ‘‘administering,’’ ‘‘authorizing,’’ ‘‘providing coverage for,’’ ‘‘approving,’’ and ‘‘counseling about’’ to the current list of descriptive activities in the proposed rule and removing ‘‘inducing’’ from the list.

297 See 45 CFR 164.514(d)(3)(iii)(A) and 65 FR 82462, 82545, and 82547 (Dec. 28, 2000).

298 45 CFR 164.514(h)(2) and 65 FR 82462, 82546–47 (Dec. 28, 2000).

299 See 45 CFR 164.514(h) and 65 FR 82462, 82546–47 (Dec. 28, 2000).

300 See 65 FR 82462, 82545 (Dec. 28, 2000) (‘‘[. . .] covered entities making disclosures to public officials that are permitted under § 164.512 may rely on the representations of a public official that the information requested is the minimum necessary.’’); see also id. at 82547 (further discussing verification of identity and authority of persons requesting PHI in 45 CFR 164.514(h) and the requirements in 45 CFR 164.512 for the circumstances under which covered entities must make reasonable determinations about the sufficiency of proof of identity and authority based on documentary evidence, contrasted with a reasonable reliance on verbal representations when necessary to avert a pending emergency or imminent threat to the health or safety of a person or the public pursuant to 45 CFR 164.512(j)(1)(i)).
We are removing ‘‘inducing’’ from the list in response to concerns from commenters that the prohibition might apply in circumstances where individuals are coerced to obtain reproductive health care. It was never the Department’s intention for the prohibition on the use or disclosure of PHI to apply in such circumstances. Rather, we intended it to refer to situations in which a health care provider ‘‘induces’’ labor under circumstances in which such health care is lawful; however, we believe our intended meaning of ‘‘inducing’’ is encompassed in other terms in the list. The revised list better explains the type of activities in which a person may be engaged and about which the Department intends to prevent the use or disclosure of PHI. The Department is not finalizing a separate Rule of Construction because the need is obviated by incorporating the key content into the prohibition itself at 45 CFR 164.502(a)(5)(iii). The Department proposed the Rule of Construction to clarify that 45 CFR 164.502(a)(5)(iii) should not be construed to prohibit a use or disclosure of PHI otherwise permitted by the Privacy Rule unless such use or disclosure is ‘‘primarily for the purpose of’’ investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. By incorporating the Rule of Construction into the main standard and removing the proposed ‘‘primarily for the purpose of’’ language, the Department now more clearly conveys its intent to prohibit the use and disclosure of PHI for the specified purposes only when it relates to the ‘‘mere act of’’ seeking, obtaining, providing, or facilitating reproductive health care. 
As discussed in greater detail below in our responses to comments, this change is designed to reduce confusion for regulated entities about how to reconcile and apply the Rule of Construction with the main prohibition standard and does not change the scope of the prohibition as proposed. The revisions and restructuring of regulatory text formerly included in the Rule of Construction improve readability and reduce redundancy. Likewise, the final rule incorporates other minor wording changes to improve readability and updates regulatory text references to other paragraphs to accurately reflect the organization of this section.

Comment: Many commenters expressed support for the Department’s proposal to create a new category of prohibited uses and disclosures about reproductive health care. A few of these commenters explained the rationale for their support as based on the proposed approach’s balance of preventing harm to individuals from certain uses and disclosures and permitting beneficial uses and disclosures, while providing regulated entities with clarity with respect to when uses and disclosures of PHI would be permitted. A few commenters agreed with the Department’s view that a purpose-based prohibition is preferable to other approaches to protecting the privacy of individuals that would require labeling or segmenting of PHI. Other commenters focused on how the proposal would better facilitate HIPAA’s goals of providing high-quality health care and encouraging the flow of information to covered entities.

Response: The approach we are taking in this final rule preserves the ability of regulated entities to use and disclose PHI for permitted purposes while also enhancing protections for PHI, to strike the appropriate balance between privacy interests and other societal interests, including law enforcement.
As discussed above, the Department’s approach will lead to numerous benefits associated with enhanced privacy protections.

Comment: A few commenters asserted that the Department’s proposal would provide a consistent standard for all states to follow.

Response: The Department believes this final rule will provide clear standards for regulated entities, especially health care providers, by incorporating the prohibition into the Privacy Rule. However, we stress that the prohibition attaches only to requests for uses and disclosures that are for a prohibited purpose where the reproductive health care is lawful under the circumstances in which such health care is provided. Different states and localities have promulgated different standards for the lawfulness of reproductive health care.

Comment: A few commenters expressed their appreciation that the proposal encompassed a broad range of reproductive health care and explained the importance of ensuring that a final rule protects any health information about reproductive health care.

Response: As the Department acknowledged in the 2023 Privacy Rule NPRM, many routine medical examinations and treatments could involve PHI about an individual’s reproductive health or reproductive organs and systems. This final rule is not limited to PHI about abortion. The Department recognized the impracticability of attempting to parse out the types of reproductive health care that should be subject to the prohibition and those that should not be. For this reason, and in keeping with the existing scheme of the Privacy Rule, the Department proposed and is finalizing a purpose-based approach to prohibiting the use and disclosure of any PHI for use against any person for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided.
A regulated entity that receives a request for PHI is charged with making a reasonable determination of whether the conditions of lawfulness set forth in the Rule of Applicability apply. To further assist regulated entities in understanding the broad scope of ‘‘reproductive health care,’’ we provide in the preamble a non-exclusive list of examples that fit within the definition.

Comment: Some commenters expressed opposition to this proposal, asserting that the proposed new category would interfere with the enforcement of state laws that restrict or regulate abortion or that the proposal would make it more difficult for regulated entities to determine whether a requested use or disclosure of PHI is permitted under the Privacy Rule because it lacked sufficient specificity.

Response: The Department is finalizing a narrowly tailored prohibition that will only apply when an individual’s privacy interest in lawfully obtained reproductive health care outweighs society’s interest in obtaining PHI for non-health care purposes. As discussed above, the Department has adopted an approach that strikes the appropriate balance between privacy interests and other interests, including law enforcement interests in accessing PHI to investigate or impose liability on persons for seeking, obtaining, providing, or facilitating reproductive health care that is unlawful under the circumstances in which such health care is provided. To help regulated entities operationalize the prohibition, the Department is finalizing an attestation requirement in 45 CFR 164.509 under which persons requesting PHI under a permission that is most likely to be used to request PHI for a purpose prohibited by 45 CFR 164.502(a)(5)(iii) must attest that the request is not subject to the prohibition.
The Department acknowledges that requests for a purpose prohibited by 45 CFR 164.502(a)(5)(iii) may be made pursuant to another applicable permission and reminds regulated entities that they must evaluate all requests made by a third party for the use or disclosure of PHI to ensure that they are not for a prohibited purpose. Requests not subject to the prohibition would still be subject to the conditions of the relevant permissions in the Privacy Rule. When requests for PHI meet the conditions for permissions in the Privacy Rule, including conditions specified in 45 CFR 164.512, regulated entities are permitted to use and disclose PHI in accordance with such permissions. Moreover, as we describe above, the Department is modifying the final rule to clarify that the prohibition restricts the use and disclosure of PHI for the enumerated purposes when connected to the ‘‘mere act of’’ seeking, obtaining, providing, or facilitating reproductive health care. Thus, the prohibition does not prevent the use or disclosure of the PHI about reproductive health care obtained by an individual in all circumstances. Rather, it prevents the use or disclosure of PHI when the purpose of the disclosure is to investigate or impose liability on a person because they sought, obtained, provided, or facilitated reproductive health care that was lawful under the circumstances in which such health care was provided, as determined by the regulated entity that received the request for PHI. For example, a regulated entity would not be prohibited from disclosing an individual’s PHI when subpoenaed by law enforcement for the purpose of investigating allegations of sexual assault by or of the individual, assuming that law enforcement provided a valid attestation and met the other conditions of the permission under which the request was made. 
Comment: A commenter expressed opposition to the proposal and asserted that it relied on the assumption that it would be readily apparent or ascertainable whether particular reproductive health care was lawfully provided. According to this commenter, persons who violate the law have an interest in concealing their activity, and the proposal would impede law enforcement investigations to determine whether lawbreaking has occurred. Additionally, the commenter expressed their concern that the proposal would represent a departure from the Privacy Rule’s existing approach to law enforcement investigations and proceedings.

Response: The Department is finalizing a regulatory presumption to address the narrow circumstance in which lawfulness is not readily apparent to a regulated entity that is the recipient of a request for the use or disclosure of PHI when the regulated entity did not provide the underlying reproductive health care. As we explained above, this final rule is intended to support and clarify the privacy interests of individuals availing themselves of lawful reproductive health care, and not to thwart the interests of states and the Federal government in conducting lawful investigations or imposing liability on the provision of unlawful reproductive health care. While this new regulatory presumption may make it more difficult for law enforcement officials to investigate whether reproductive health care was unlawful under the circumstances in which it was provided (e.g., when other sources of information that are not PHI are unavailable), the Department has considered those interests and determined that the effects are justified by countervailing privacy benefits. We also reiterate here that the presumption is not a blanket presumption.
It only applies where the reproductive health care at issue is provided by someone other than the regulated entity that received the request for the use or disclosure of PHI, and it may be overcome in the circumstances identified above. We note that the Privacy Rule has always and continues to permit regulated entities to disclose PHI for law enforcement purposes, subject to certain conditions or limitations. In this final rule, the Department has found that changes in the legal landscape now necessitate codifying a prohibition against uses and disclosures for the purposes specified in 45 CFR 164.502(a)(5)(iii)(A), subject to the Rule of Applicability in 45 CFR 164.502(a)(5)(iii)(B). The Department is not otherwise changing the existing permissions in the Privacy Rule that permit regulated entities to use or disclose PHI for law enforcement purposes and other important nonhealth care purposes, except as discussed elsewhere in this rule. These purposes include when PHI is required by law to be disclosed for purposes other than those prohibited by this final rule, for public health and health oversight activities, for other law enforcement purposes not in conflict with this rulemaking, for reports of child abuse, about decedents when not prohibited by this final rule, and other purposes specified in the Privacy Rule. In particular, in the 2023 Privacy Rule NPRM, the Department discussed the interaction of this rule with HIPAA’s statutory preemption provisions 301 and explained that it was necessary to preempt state laws that require the use and disclosure of PHI for the purposes prohibited by this rule to give effect to the prohibition consistent with HIPAA. As discussed above, to achieve the purpose for which HIPAA was enacted, to enable the electronic exchange of identifiable health information, we must protect the privacy of that information to further individuals’ trust in the health care system.
As finalized, the prohibition is limited only to circumstances in which the privacy interests of an individual and the interests of society in an effective health care system outweigh society’s interest in obtaining PHI for non-health care purposes.

Comment: A commenter stated that, to the extent the ability of a state to determine whether to investigate or bring a proceeding is based on information in the possession of a regulated entity, the proposed rule did not adequately address a state’s need to regulate the medical profession and health care facilities.

Response: As finalized, the prohibition prevents the use and disclosure of PHI for certain purposes where a person sought, obtained, provided, or facilitated reproductive health care that is lawful under the circumstances in which such health care is provided. As discussed above, the final rule strikes the appropriate balance between privacy interests and other interests. Public officials remain free to investigate the provision of health care by seeking information from non-covered entities. Moreover, the prohibition does not prevent a state from enforcing its laws. Instead, it protects the privacy of individuals’ PHI in certain circumstances.

Comment: A few commenters expressed concern that the proposed prohibition may also affect the enforcement of Federal laws.

Response: The Department has consulted extensively with other Federal agencies and officials in the development of this rule, including the Attorney General, and does not believe that this rule will impede the enforcement of Federal laws. As discussed above, this rule carefully balances privacy and other interests, applying only in certain narrowly tailored situations.

301 See 88 FR 23506, 23530 (Apr. 17, 2023).
Comment: Numerous commenters recommended that the Department expand the scope of the proposed prohibition to include other or all types of stigmatized health care. A few commenters recommended expanding the proposed prohibition to all health care or to provide individuals the ability to prevent the disclosure of their PHI through HIEs. Generally, commenters supporting expansion of the proposal’s scope expressed the belief that it was necessary for HIPAA to promote trust between individuals and health care providers and to improve health care quality and outcomes. Several commenters explained that persons seeking, obtaining, providing, or facilitating other types of health care are facing the same challenges as described in the proposal with respect to reproductive health care, including health care obtained outside of the health care system, and provided examples of such challenges. Many commenters also made recommendations for how the Department should address those challenges.

Response: The Department is issuing this final rule to protect the privacy of PHI when it is sought for activities to investigate or impose liability on persons for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care. Lawfulness is based on a reasonable determination made by a regulated entity that has received a request for PHI for one of the purposes specified at 45 CFR 164.502(a)(5)(iii)(A) that at least one of the conditions in the Rule of Applicability applies. We are finalizing a prohibition that is not specific to certain procedures, laws, or types of providers. Rather, the prohibition we finalize here requires regulated entities to consider the purpose of the requested use or disclosure.
To the extent that the specific types of health care referenced by commenters above meet the definition of reproductive health care, this final rule will prevent the disclosure of PHI where it is sought for activities with the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. In adopting a purpose-based prohibition, the Department has chosen an administrable standard that reflects the appropriate balance between protecting individuals’ privacy interests and allowing the use or disclosure of PHI in support of other important societal interests. Additional privacy protections for information about SUD treatment may be afforded to PHI in Part 2 records under Part 2.302

Comment: In response to the Department’s specific request about whether it should require a regulated entity to obtain an individual’s authorization for any uses and disclosures of ‘‘highly sensitive PHI’’ or otherwise address such a defined category of PHI in the Privacy Rule, a few commenters urged the Department to expand the proposed prohibition to protect all people at risk of criminal or other investigation for use of essential health care or care, services, or supplies related to the health of the individual that could expose any person to civil or criminal liability. Several commenters recommended that the Department expand the scope of the proposed prohibition to, variously, all ‘‘highly sensitive health information,’’ ‘‘sensitive personal health care,’’ ‘‘highly sensitive PHI,’’ or ‘‘highly sensitive PHI and restricted health care service’’ because of the potential harms that could result if such health information were to be disclosed without stringent privacy safeguards.
Several commenters asserted that creating a category of or separate standard for ‘‘highly sensitive PHI’’ would cause significant confusion because it would be difficult to define in a commonly understood manner. According to these commenters, this would make compliance more challenging and costly and further decrease the individual’s privacy. A few commenters expressed concern that creating a special category of highly sensitive PHI would further stigmatize certain types of health care. Several commenters expressed concern that prohibiting or limiting uses or disclosures of highly sensitive PHI for certain purposes may negatively affect efforts to eliminate the need for data segmentation, such as efforts to align the Privacy Rule and Part 2; reduce or eliminate stigmatization of certain health conditions and diagnoses; and improve health care management and health care coordination.

Response: We appreciate these comments and generally agree with commenters who expressed concern that the Privacy Rule should address the shifting legal landscape to ensure that it continues to protect PHI, regardless of how the PHI is transmitted or maintained. We also agree that to the extent possible, the Privacy Rule should promote administrative efficiency and disincentivize adverse actions by health care providers grounded in fear of prosecution or legal risks borne from providing lawful health care to individuals, which may erode patients’ trust and confidence in the health care system and deter them from seeking lawful health care. The Department’s approach to promulgating a narrowly tailored prohibition focused on clarifying the use and disclosure of PHI for the purposes prohibited by this final rule accomplishes these goals.

302 See 42 CFR part 2 and the 2024 Part 2 Rule for more information about Part 2 and the protections afforded to Part 2 records.
As we explained in the 2023 Privacy Rule NPRM and re-affirm in this final rule, recent developments in the legal environment have made information about lawful reproductive health care sought by or provided to an individual more likely to be of interest for punitive non-health care purposes, and thus more likely to be used or disclosed if sought for a purpose permitted under the Privacy Rule today. As explained, the Department has identified concerns that the use or disclosure of PHI for the prohibited purposes in this rule would erode individuals’ trust in the privacy of legal reproductive health care. Such erosion would negatively affect relationships between individuals and their health care providers, result in individuals forgoing needed treatment, and make individuals less likely to share pertinent health concerns with their health care providers. Modifying the Privacy Rule to focus on and address this shifting landscape is the most efficient way to return to a regulatory landscape that is balanced and consistent with the goals of HIPAA. We do not believe that it is necessary to modify the Privacy Rule to prohibit the use and disclosure of PHI for any criminal, civil, or administrative investigation or effort to impose criminal, civil, or administrative liability related to all health care, services, or supplies. Sections 164.512(e) and (f) already set forth the specified conditions under which regulated entities may disclose PHI for judicial and administrative proceedings and law enforcement purposes. We decline to modify the prohibition to apply it to the use and disclosure of ‘‘highly sensitive PHI.’’ We are persuaded by commenters who voiced concern about the feasibility of defining the phrase such that regulated entities would be able to understand and operationalize it.
We also find persuasive comments about the compliance burden that would result from implementing such a prohibition. While PHI about reproductive health care may be found throughout an individual’s record and may be collected or maintained by multiple types of providers, the term ‘‘reproductive health care’’ is defined in a manner that is clearly connected to the reproductive system, its functions, and processes.303 In contrast, applying the prohibition to all ‘‘highly sensitive PHI’’ or any use or disclosure of PHI that results in harm, stigma, or adverse result for an individual would be unworkable because of lack of consensus about how to define such categories and would likely create the issues with segmentation and care coordination discussed above. As discussed above, the purpose of this final rule and narrowly crafted prohibition is to adopt the appropriate balance in the Privacy Rule between protecting individuals’ privacy and permitting PHI to be used and disclosed for other societal benefits. The commenters’ objectives reflect a desire to protect individuals, but their discussion does not properly account for other societal interests that are supported by certain disclosures of PHI, interests that the Privacy Rule has balanced since its inception.

Comment: A commenter requested that the Department clarify that state laws may protect the privacy of health information when the Privacy Rule does not apply, such as when individuals’ health information is in the possession of a person that is not a regulated entity, such as a friend or family member, or is stored on a personal cellular phone or tablet.

Response: HIPAA provides the Department with the authority to protect the privacy and security of IIHI that is maintained or transmitted by covered entities, and in some cases, their business associates. Other laws may apply where the HIPAA Rules do not.
Guidance on protecting the privacy and security of health information when using a personal cell phone or tablet is available on OCR’s website.304

Comment: Many commenters cited potential operational challenges with the proposed prohibition and confirmed that current health IT generally does not provide regulated entities with the ability to segment PHI into specific categories afforded special protections. A few commenters recommended that the Department work with EHR vendors to modernize health care data management platforms to better address data segmentation, while others recommended that the Department ensure interagency coordination of data segmentation policies and provide individuals with a granular level of control over their PHI. A few commenters requested that the Department address concerns about the interaction between the minimum necessary standard and this final rule. A commenter asserted that privacy protections that do not account for individual privacy preferences would result in individuals withholding information from their health care providers, and some health care providers electing not to generate or document certain information from or about individuals.

Response: The prohibition, as finalized, should not implicate additional data segmentation concerns beyond those that already exist.

303 See the finalized definition of ‘‘Reproductive health care’’ at 45 CFR 160.103.

304 See Off. for Civil Rights, ‘‘Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet,’’ U.S. Dep’t of Health and Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
We acknowledge the low adoption rate of data segmentation standards and challenges related to the technical and administrative feasibility of data segmentation (e.g., costs), and as discussed above, are finalizing a purpose-based approach to address such concerns. The Department continues its active engagement, particularly through ONC, to identify robust data sharing standards that facilitate appropriate privacy controls. With respect to concerns about the Privacy Rule minimum necessary standard, we do not anticipate that this final rule will affect the ability of regulated entities subject to the standard to comply. First, the prohibition applies only to the uses and disclosures for the purposes specified in 45 CFR 164.502(a)(5)(iii). Regulated entities must make reasonable efforts to limit the use or disclosure of PHI pursuant to 45 CFR 164.512, other than 45 CFR 164.512(a), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request.305 Regulated entities are required to have in place policies and procedures that outline how the entity complies with the standard.306

Comment: A few commenters requested that the Department clarify the roles and responsibilities of covered entities and business associates with respect to compliance with the proposed prohibition and attestation requirements and whether business associate agreements would need to be amended to reflect the requirements of the final rule.

Response: The prohibition standard finalized in 45 CFR 164.502(a)(5)(iii)(A) applies directly to all regulated entities; meaning, all HIPAA covered entities and business associates.

305 See 45 CFR 164.502(b). Uses and disclosures of PHI pursuant to 45 CFR 164.512(a) are limited to the relevant requirements of such law. 45 CFR 164.512(a)(1).

306 45 CFR 164.514(b).
We also note that the finalized presumption of lawfulness for the underlying health care, when applicable, directly applies to business associates, as does the attestation requirement in 45 CFR 164.509. As such, business associates of covered entities that hold PHI by virtue of their business associate relationship with the covered entity are subject to the express prohibition on using or disclosing PHI for the specified purposes, regardless of whether the prohibition is specified in the business associate agreement. The attestation requirement and its application to business associates are discussed in greater detail below.

Comment: A commenter expressed support for the application of the proposal to health care providers, but also recognized states’ interest in ensuring that health care providers render health care in accordance with the standard of care in that state. Another commenter questioned the Department’s authority under HIPAA to implement this provision.

Response: The Department is modifying the proposed definition of ‘‘Reproductive health care’’ to explicitly clarify that the definition does not set a standard of care for or determine what constitutes clinically appropriate reproductive health care. Additionally, as discussed above, the application of this rule is limited to reproductive health care that is lawful under the circumstances in which such health care is provided as described at 45 CFR 164.502(a)(5)(iii)(B). Lawfulness is determined by the regulated entity that receives the request for PHI, after a reasonable determination that at least one of the conditions in the Rule of Applicability applies. As explained above, the prohibition is carefully tailored to protect the privacy of individuals’ health information in circumstances where the reproductive health care at issue was lawful under the circumstances in which such care was provided, reflecting the appropriate balance between privacy interests and other societal interests.
Comment: Many commenters recommended alternative or additional approaches to the purpose-based prohibition, such as eliminating or narrowing the permissions for use or disclosure of PHI without an individual’s authorization or limiting disclosures to third parties subject to an individual’s authorization. A few commenters recommended that the Department revise specific Privacy Rule permissions to clarify the use and disclosure of PHI for certain administrative or law enforcement requests, instead of promulgating a new prohibition.

Response: The Department’s approach to prohibit the uses and disclosures of PHI for the purposes described in this final rule is consistent with the Privacy Rule’s longstanding balancing of individual privacy interests with society’s interests in PHI for non-health care purposes. Adopting the correct balance is necessary to preserve and promote trust between individuals and health care providers. Instead of modifying specific permissions at 45 CFR 164.512, we are finalizing modifications that prohibit the use or disclosure of PHI to ensure the correct balance. Recognizing that requests that fall under these permissions represent important public policy objectives (e.g., health oversight, law enforcement, protection of individuals subject to abuse), the Department is imposing a new attestation requirement, as described in greater detail below, to protect against harm that may arise from the use or disclosure of PHI for a purpose prohibited under 45 CFR 164.502(a)(5)(iii), which is more likely to occur when a person requesting the use or disclosure of PHI relies on certain permissions. The new attestation condition will also provide a mechanism that will enable a regulated entity to better evaluate the request.
The Department declines to make additional changes at this time and will consider these topics for future guidance. The Department also declines to finalize its proposal to prevent an individual from requesting that a regulated entity use or disclose PHI pursuant to a valid authorization.

Comment: A few commenters questioned the ability of regulated entities to use or disclose PHI in compliance with mandatory reporting laws, such as laws requiring the reporting of suspected child abuse or domestic violence. A few of these commenters questioned whether mandatory reporting requirements would change a regulated entity’s duty to apply the minimum necessary standard. A few commenters asserted that mandatory reporting laws dissuade individuals from seeking health care, prevent the development of trust between individuals and health care providers, and generally are implemented in an inequitable fashion that disproportionately applies to individuals from marginalized or historically underserved communities or communities of color.

Response: The Department acknowledges that there may be some mandatory reporting laws that require a regulated entity to determine whether a request for PHI is for a purpose prohibited by this rule. However, whether in response to a mandatory reporting law or a routine request, the final rule’s operation remains the same: it prohibits a regulated entity from using or disclosing PHI for a prohibited purpose when the reproductive health care under investigation or at the center of the activity to impose liability is lawful under the circumstances in which it was provided. To the extent mandatory reporting requirements apply to the reporting of PHI to public health authorities for public health purposes, including PHI about reproductive health care, this final rule does not prevent a regulated entity from complying with such a mandate.
To aid stakeholders in understanding how the prohibition operates with respect to public health reporting, the Department is clarifying that the term ‘‘Public health,’’ as used in public health surveillance, investigation, and intervention, includes identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of PHI. In so doing, we are clarifying that public health surveillance, investigation, and intervention are outside of the scope of activities prohibited by 45 CFR 164.502(a)(5)(iii). These changes will offer additional protection to individuals who would otherwise be subject to having their PHI disclosed for a prohibited purpose because the underlying mandatory reporting requirement did not clearly specify its relationship to public health. This final rule does not change the minimum necessary standard or the circumstances in which the Privacy Rule requires a regulated entity to apply the minimum necessary standard.

Comment: Many commenters expressed concern that the purposes for which the Department proposed to prohibit uses or disclosures would interfere with the ability of law enforcement to conduct investigations, including into coercion, child abuse, and sex trafficking and assault, would prevent states from verifying state licensure requirements, and would hamper the ability of health care professionals to report illegal behavior by other health care professionals.

Response: As discussed above, the prohibition applies only to activities conducted for the purpose of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is provided under circumstances in which such health care is lawful.
A regulated entity is permitted to disclose PHI to a person who requests PHI for other purposes if a permission applies and the underlying conditions of the relevant permission are met, including the attestation condition, if applicable.

Comment: A few commenters recommended that the Department establish a safe harbor for the use or disclosure of PHI by regulated entities for TPO.

Response: We appreciate the comment but do not believe such a safe harbor is necessary. The Privacy Rule permits the disclosure of an individual’s PHI for TPO when the conditions set forth in the TPO provisions of the rule are met.307 The prohibited uses and disclosures codified in this rulemaking would rarely intersect with uses and disclosures that qualify as TPO activities. As explained above, to the extent a person requesting the use or disclosure of PHI reasonably articulates a basis for a request that is not related to the mere act of seeking, obtaining, providing, or facilitating reproductive health care, a regulated entity may use or disclose the PHI where otherwise permitted by the Privacy Rule.

Comment: A commenter recommended that the Department clarify that the prohibition applies to the activities of insurers and third-party administrators of self-funded plans by adding ‘‘administering, authorizing, covering, approving, or gathering or providing information about’’ to the explanation of ‘‘seeking, obtaining, providing, or facilitating.’’

Response: The prohibition applies to all activities that a person could reasonably be expected to engage in with a regulated entity that could result in a use or disclosure of PHI that might be sought for prohibited purposes, including activities conducted or performed by or on behalf of a health plan, including a group health plan.308 Accordingly, the Department has modified the scope of activities initially proposed in the 2023 Privacy Rule NPRM to better explain what it meant by seeking, obtaining, providing, or facilitating reproductive health care. The modified text is finalized at 45 CFR 164.502(a)(5)(iii)(D),309 and adds administering, authorizing, providing coverage for, approving, and counseling about to the non-exhaustive list of example activities.

Comment: Several commenters expressed support for the proposed Rule of Applicability. A few commenters expressed support for the proposed Rule of Applicability because it would reassure residents of the state in which the lawful health care is provided and individuals who travel to such states for lawful health care that their medical records will not be disclosed for prohibited purposes.

Response: We are finalizing a modified Rule of Applicability as described above.

Comment: Some comments expressed varying levels of support for the Department’s references to ‘‘substantial interests’’ by states or superseding state laws. A few commenters disagreed with the Department’s assertion that states lack a legitimate interest in conducting a criminal, civil, or administrative investigation or proceeding into lawful reproductive health care where the investigation is based on the mere fact that reproductive health care was or is being provided. Others asserted that the proposed rule would be unworkable and would assign health care providers and the Department the power to determine whether reproductive health care was provided lawfully, thereby affording them the authority to enforce certain state laws.

Response: As explained above, the Rule of Applicability reflects the Department’s careful balancing of privacy interests and other societal interests.

307 See 45 CFR 164.506.
For the reasons explained above, the Department has determined that the privacy interest of an individual and the interest of society in an effective health care system outweigh the interests of society in seeking the use of PHI for non-health care purposes that could result in harm to the individual where a regulated entity that receives a request for PHI reasonably determines that at least one of the conditions in the Rule of Applicability applies. To help clarify this discussion further, the Department provides examples where the Rule of Applicability applies in this section of this final rule.

Comment: Several commenters recommended that the Department eliminate the distinction between health care that is lawful and health care that is not and that all forms of reproductive health care should be protected from criminalization and government investigation. Several commenters stated that the term ‘‘lawful’’ would incorrectly suggest that receiving certain types of reproductive health care could be unlawful, even though most prohibitions on reproductive health care apply to providing or performing the health care, rather than receiving it. They also questioned whether the proposed Rule of Applicability would protect individuals who obtained reproductive health care in another state.

Response: We are finalizing a Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B) that ensures the privacy of PHI when it is sought to conduct an investigation into or impose liability on any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, consistent with applicable Federal or state law.

308 See 45 CFR 160.103 (definitions of ‘‘health plan’’ and ‘‘group health plan’’).
309 In the 2023 Privacy Rule NPRM, we proposed the Scope of prohibition in 45 CFR 164.502(a)(5)(iii)(B).
A regulated entity that receives a request for PHI must make a reasonable determination that at least one of the conditions in the Rule of Applicability applies. As discussed above, this approach reflects a careful balance between privacy interests and other societal interests.

Comment: Some commenters asserted that medical records should not be used for purposes outside of the health care setting in ways that could harm the subject of the records, particularly for law enforcement or other governmental purposes. One commenter expressed concern that disclosures of PHI would not be limited for all purposes, and that the proposal would not prevent a state from pursuing actions where the health care is later found to be unlawful. Another commenter asserted that disclosing PHI to law enforcement in connection with an investigation into reproductive health care is a secondary use of PHI that would be directly at odds with the purpose for which the PHI was collected, while others stated that the proposal risks deterring individuals from seeking or obtaining necessary health care. A few commenters expressed concerns that health care providers could be inhibited from providing necessary health care, fully educating individuals about their options, or documenting the health care provided.

Response: When the Department promulgated the 2000 Privacy Rule, we acknowledged that the rule balanced the privacy interests of individuals with the interests of the public in ensuring PHI was available for non-health purposes. As we explained in the 2023 Privacy Rule NPRM, ‘‘individuals’ right to privacy in information about themselves is not absolute.
It does not, for instance, prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed.’’310 At the same time, in the 2023 Privacy Rule NPRM, the Department acknowledged that adverse consequences do result when individuals question the privacy of their health information and explained that the purpose of HIPAA is to protect the privacy of information and promote trust in the health care system to ensure that individuals do not forgo lawful health care when needed or withhold important information that may affect the quality of their health care.311 Accordingly, the Privacy Rule provides a clear framework to operationalize these principles, and this final rule is intended to balance these interests. The Privacy Rule does not protect information received or maintained by entities other than those that are regulated under HIPAA, including information that is used for a purpose other than the purpose for which it was initially requested. This final rule provides heightened protection, as necessary, to the privacy of PHI where its use or disclosure may result in harm to a person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided. With respect to other disclosures to law enforcement or to other governmental interests, the Privacy Rule includes other carefully crafted permissions that specify the conditions under which such disclosures must be made to ensure a reasonable balance between privacy and the public policies that disclosure would serve.

Comment: Several commenters asserted that the proposed Rule of Applicability would not protect all PHI pertaining to lawful health care. For example, commenters suggested that the proposed Rule of Applicability would be unlikely to protect individuals who obtain care outside of the health care system and urged the Department to clarify the final rule to strengthen protections for individuals who receive care in this manner. As another example, a commenter expressed concern that the proposal would not protect PHI for individuals who obtain legal reproductive health care, but as a result of complications, subsequently access health care in a state where the same reproductive health care is illegal.

Response: The definition of ‘‘reproductive health care’’ is discussed in greater detail above. As noted above, this final rule does not establish a standard of care, nor does it regulate what constitutes clinically appropriate health care. Commenters who point out that different results may arise in different states are correct, but this has been true since the inception of the Privacy Rule because it sets a national floor for privacy standards, rather than a universal rule. The prohibition applies, and therefore liability attaches, when the prohibition is violated, based on the ‘‘circumstances in which such health care is provided.’’ Thus, a regulated entity is not permitted to disclose PHI about reproductive health care that was provided in another state where such health care was provided under circumstances in which it was lawful to provide such health care, even where the individual subsequently accesses related health care in a state where it would have been unlawful to provide the underlying health care under the circumstances in which such health care was provided.

310 88 FR 23506, 23509 (Apr. 17, 2023) (citing 65 FR 82464 (Dec. 28, 2000)).
311 Id.
HIPAA liability attaches in cases where attempts to circumvent the Privacy Rule result in impermissible or wrongful uses or disclosures.312 We remind regulated entities that the Privacy Rule permits the use or disclosure of PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule. For example, where state or other applicable law prohibits certain reproductive health care but does not expressly require a regulated entity to report that an individual obtained the prohibited health care, the Privacy Rule would not permit a disclosure to law enforcement or other investigative body pursuant to the ‘‘required by law’’ permission (but could potentially allow it pursuant to other provisions).313

Comment: One commenter recommended the Department add language to the proposed Rule of Applicability or elsewhere to ensure that there would be protections for PHI where a health care provider believes the health care is legal, even when the person requesting the use or disclosure of PHI disputes the legality. A few commenters asserted that the health care provider making the decision could be a party to the reproductive health care at issue, making it a conflict of interest for the health care provider to make the determination regarding the lawfulness of the reproductive health care.

Response: We do not believe additional language is necessary because, under the prohibition, the regulated entity—and not the person making the request—is responsible for reasonably determining whether health care was lawful before making a disclosure. As explained above, this framework is consistent with how the Privacy Rule’s permissions are administered, whereby regulated entities must determine whether a use or disclosure is permitted under the relevant permission.

312 See 42 U.S.C. 1320d–5 and 6.
313 See 45 CFR 164.512(a).
For example, when evaluating whether a use or disclosure of PHI is permitted because the use or disclosure is required by law, the regulated entity must look to the relevant law to determine whether the use or disclosure falls within that permission.314 Furthermore, as with other use and disclosure provisions in the Privacy Rule, regulated entities remain subject to HIPAA liability for impermissible or wrongful disclosures. Neither the statute nor the Privacy Rule provides an exception to such liability for circumstances involving conflicts of interest.

Comment: Many commenters expressed concern regarding the burden imposed upon and resources that would be required for regulated entities to determine whether the reproductive health care at issue was lawful if they did not provide the health care at issue, particularly considering the evolving nature of state law in this area. Several commenters expressed concern that the proposal incorrectly assumes that regulated entities would know where the reproductive health care at issue occurred and inquired about specific scenarios, such as where requests for PHI are received by clinical laboratories that have no face-to-face interaction with individuals and that rely on information provided by other covered entities. A few commenters asserted that requiring regulated entities to make the required legal determinations would not be conducive to building a trusting relationship between individuals and health care providers.

314 See 45 CFR 164.512(a).
Some commenters offered recommendations to the Department, such as providing guidance for health care providers regarding their rights and responsibilities under a final rule, revising the proposal to clarify that there would be a presumption that reproductive health care occurred under lawful circumstances, absent compelling evidence to the contrary, particularly when an individual travels for health care, and clarifying the Rule of Applicability by including examples in the regulatory text. Some commenters asserted that regulated entities in different states or with different interpretations of certain state requirements could reach different determinations about whether the reproductive health care was provided lawfully, in part because of the lack of clarity or consistency in the interpretation of these laws. Yet another commenter recommended that the Department add an express directive that, in the event of any ambiguity or unsettled law, the scope of what is considered lawful should be interpreted consistently with the intent of the rule to protect the privacy of PHI to the maximum extent possible. A commenter recommended that where the regulated entity decides in good faith, it should not be subject to penalties or enforcement action if its determination is incorrect or if the Department disagrees with the determination. Another commenter recommended that the Department clarify that regulated entities may use a reasonableness standard when making the determination about whether state laws conflict with the Privacy Rule and are therefore preempted by HIPAA. A few commenters expressed concern about the potential interpretation or application of the proposed Rule of Applicability, particularly when the laws at issue are ambiguous.
Commenters recommended inclusion of language that PHI need not be disclosed to a government agency or law enforcement if the health care provider deems, in good faith, that the reproductive health care is lawful under the circumstances in which it is provided, and that the Department clarify the application of preemption or provide in preamble examples of each condition of the proposed Rule of Applicability.

Response: We appreciate the many comments the Department received in response to its inquiry asking whether the proposed Rule of Applicability would be sufficiently clear to individuals and covered entities, and whether the provision should be made more specific or otherwise modified. Considering the many comments expressing concern about the burden associated with, the difficulty of, or the liability that could attach when someone other than the person who provided the health care must determine whether the underlying reproductive health care is lawful, the Department is adding a regulatory presumption in the final rule. As discussed above, the regulatory presumption in 45 CFR 164.502(a)(5)(iii)(C) will permit a regulated entity receiving a PHI request that may be subject to the prohibition to presume the reproductive health care at issue was lawful under the circumstances in which such health care was provided when provided by a person other than the regulated entity receiving the request.
The presumption includes a knowledge requirement such that the regulated entity must not have actual knowledge that the reproductive health care was unlawful under the circumstances in which such health care was provided or factual information supplied by the person requesting the use or disclosure of PHI that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided.

Comment: A commenter asserted that the proposed rule would unlawfully thwart enforcement of Federal criminal laws on reproductive health care because the proposed rule would be limited to circumstances where reproductive health care is permitted by state law, thereby prohibiting disclosures for the purpose of enforcing Federal laws pertaining to reproductive health care when they conflict with state law. A few commenters expressed their support for the Department’s proposal that the prohibition against the use or disclosure of PHI apply where certain Federal laws apply. A few commenters requested greater specificity with respect to the application of Federal and state laws on abortion.

Response: Federal laws that involve reproductive health care form the underlying basis for examining whether reproductive health care was protected, required, or authorized by Federal law under the circumstances in which it was provided, pursuant to 45 CFR 164.502(a)(5)(iii)(B)(2). Under this final rule, Federal and state authorities retain the ability to investigate or impose liability on persons where the investigation or imposition of liability is centered upon the provision of reproductive health care that is unlawful under the circumstances in which it is provided.
As discussed above, this rule reflects a careful balance between privacy interests and other societal interests, and the prohibition is tailored to cover situations where the reproductive health care was lawfully provided, whether state or Federal law is at issue.

Comment: A few commenters provided examples of and expressed concerns about the electronic availability of PHI about health care lawfully provided in one state to health care providers in another state where such health care would not have been lawful. A few commenters requested that the Department clarify that clinical laboratory testing involving a validated laboratory-developed test used within a single laboratory certified pursuant to the Clinical Laboratory Improvement Amendments of 1988 (CLIA)315 and the implementing regulations, an in vitro diagnostic test cleared or approved by the Food and Drug Administration (FDA), or a validated laboratory-developed test that is an in vitro diagnostic test cleared or approved by the FDA and used within a single CLIA-certified laboratory would fall within the scope of reproductive health care that would be ‘‘authorized by Federal law’’ for the purposes of the Rule of Applicability. The commenters also recommended that a clinical laboratory test furnished under the authority of a state with legal requirements that are equal to or more stringent than CLIA’s statutory and regulatory requirements, and is therefore exempt from CLIA requirements, also be considered ‘‘authorized by Federal law’’ for the purposes of the Rule of Applicability.

Response: We interpret the language ‘‘authorized by Federal law’’ in the Rule of Applicability to include activities, including clinical laboratory activities, that are conducted as allowed under applicable Federal law, in circumstances where there is no conflicting state restriction on the Federally authorized activity or where applicable Federal law preempts a contrary state restriction.
In such circumstances, these activities are lawfully conducted because there either is no relevant state restriction or Federal law preempts a contrary state restriction. This provision thus reflects the Department’s careful balancing of privacy interests and other societal interests in disclosure. As explained above, in circumstances where reproductive health care is lawfully provided, privacy interests are heightened while other societal interests in disclosure are reduced. This final rule and the operation of HIPAA’s general preemption authority do not supersede applicable state law pertaining to the lawfulness of reproductive health care.

Comment: One commenter expressed support for including the phrase ‘‘based primarily’’ to clarify that the proposed Rule of Construction would only address situations where the purpose of the disclosure is to investigate or impose liability because reproductive health care was provided, rather than for an issue related to, but not focused on, the provision of such health care, such as the quality of the health care provided or whether claims for certain health care were submitted appropriately. All other commenters recommended removing ‘‘primarily’’ to ensure that there is consistent implementation. In the alternative, the commenters recommended that the Department provide additional examples of scenarios in which a situation would and would not be considered ‘‘primarily for the purposes of’’ or ‘‘primarily based on’’ the provision of reproductive health care. One commenter asserted that the definition is uncertain and could be interpreted as permitting secondary or additional uses or disclosures.

315 Public Law 100–578, 102 Stat. 2903 (Oct. 31, 1988) (codified at 42 U.S.C. 201 note).
Another commenter explained that permitting a use or disclosure where conducting the investigation or imposing liability is only for a secondary or incidental purpose would create too much risk for individuals and health care providers and would undermine the intent of the proposed prohibition. And another stated it is foreseeable that a requesting entity could still use the PHI for one of the purposes for which the Department proposed to prohibit uses or disclosures of PHI once they have it if it was not the primary purpose of their request. A commenter expressed concern that the language could be exploited to manufacture a ‘‘primary’’ purpose that would be permissible to permit PHI to be used or disclosed for a prohibited purpose, particularly because the PHI would lose the protections of the Privacy Rule once it is disclosed to another person, unless that person is also a regulated entity. Another commenter asserted that the proposed rule did not define ‘‘primarily’’ or ‘‘mere act,’’ nor did it provide sufficient examples to give regulated entities enough information to understand the proposal. A commenter explained that a request for PHI is often for multiple purposes and recommended that the Department revise the proposed Rule of Construction to allow the proposed prohibition to apply where at least one of the purposes for which PHI is sought is to use or disclose the information for a prohibited purpose. Similarly, this commenter recommended the proposed attestation requirement in 45 CFR 164.509(b)(1) be revised to state that ‘‘one of the uses or disclosures’’ is not prohibited by 45 CFR 164.502(a)(5)(iii).

Response: We agree with the commenter that explained that a request for PHI may be multi-purposed.
We also agree with commenters that pointed out that as proposed, the regulatory Rule of Construction appeared to create a secondary standard to consider whether a regulated entity should be prohibited from using or disclosing PHI. As discussed above, the Department is not finalizing a separate Rule of Construction and is not incorporating the phrase ‘‘primarily for the purpose of’’ originally proposed in 45 CFR 164.502(a)(5)(iii)(D) into the final prohibition standard. The modified prohibition standard more clearly conveys that it only prohibits the use and disclosure of PHI for the specified purposes when it relates to the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care in certain circumstances.

Comment: Commenters also recommended that the proposed Rule of Construction prohibit health care providers from reporting individuals for the sole reason of having received health care in a state where it was not lawful. They described concerns about the effect of interoperability and data sharing rules that give health care providers ready access to individuals’ full medical records and urged the Department to expand the proposed Rule of Construction to mitigate the risks created by the electronic exchange of PHI.

Response: The prohibition, as finalized, is narrowly tailored to operate in a manner that protects the interests of individuals and society in protecting the privacy of PHI while still allowing the use or disclosure of PHI for certain non-health care purposes. We remind regulated entities that they are generally prohibited from disclosing PHI unless there is a specific provision of the Privacy Rule that permits (or, in limited instances, requires) such disclosure.
For example, the Privacy Rule permits but does not require regulated entities to disclose PHI about an individual, without the individual’s authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law.316 The permission to disclose PHI as ‘‘required by law’’ is limited to a ‘‘mandate contained in law that compels an entity to use or disclose PHI and that is enforceable in a court of law.’’317 Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.318 Disclosures that do not meet the ‘‘required by law’’ definition of the HIPAA Rules,319 or that exceed what is required by such law,320 are not permissible disclosures under the required by law permission. Accordingly, regulated entities are prohibited from proactively disclosing PHI under the required by law permission at 45 CFR 164.512(a) absent a law requiring mandatory reporting of such PHI.

Comment: A few commenters asserted that the Department should modify the regulatory text of the proposed prohibition to eliminate the need for the proposed Rule of Construction because it is confusing and appears to set forth two different standards.

Response: For the reasons discussed above, we agree and have incorporated the Rule of Construction into the prohibition standard as described above.

Comment: A commenter expressed concerns that beneficial uses or disclosures, such as for conducting investigations into health care fraud, would be too limited and would not address criminal, civil and administrative proceedings, which are not related to receiving, obtaining, facilitating, or providing reproductive health services where the receipt or provision of these services could serve as evidence of another crime.

Response: We disagree with concerns that beneficial uses or disclosures would be too limited under the changes.
If PHI is requested for a purpose that is not prohibited and the request complies with the conditions of an applicable permission, including the requirements of the attestation condition are met, 316 See 45 CFR 164.512(a)(1). 45 CFR 164.103 (definition of ‘‘Required by law’’). The definition provides additional explanation about what constitutes a mandate contained in law. 318 See 45 CFR 164.512(a)(1). 319 See 45 CFR 164.103 (definition of ‘‘Required by law’’). 320 The Privacy Rule permits but does not require covered entities to disclose PHI in response to an order of a court or administrative tribunal. The Privacy Rule also permits but does not require covered entities to disclose PHI in response to a subpoena, discovery request, or other lawful process, but only when certain conditions are met. See 45 CFR 164.512(e)(1). These provisions cannot be used to make disclosures to law enforcement officials that are restricted by 45 CFR 164.512(f). See 45 CFR 164.512(e)(2). 317 See PO 00000 Frm 00051 Fmt 4701 Sfmt 4700 33025 where applicable, the regulated entity is permitted to comply with the request. Comment: Another commenter cited studies to assert that the proposed Rule of Construction would continue to permit health care providers to proactively report on individuals. The commenter also stated that the proposed rule would not clarify how it would interact with mandatory reporting laws that could expose individuals and health care providers to investigations based on the provision of reproductive health care. Response: The Privacy Rule does not permit a regulated entity to disclose PHI for law enforcement purposes, proactively or otherwise, without an individual’s authorization when the disclosure is not made pursuant to process or as otherwise required by law.321 This is true currently and remains true under this final rule. As discussed above, HIPAA generally preempts state laws requiring the use or disclosure of PHI, except in limited circumstances. 
Where such mandatory reporting laws are not preempted by HIPAA, regulated entities are limited to disclosing the minimum amount of PHI necessary to comply with the mandatory reporting requirement or the relevant requirements of such law.322 Comment: Several commenters responded to the question about whether it would be beneficial for the Department to further clarify or provide examples of uses or disclosures of PHI that would be permitted under a final rule. All of these commenters agreed that it would be beneficial for the Department to do so. Of those, several commenters specified that the Department should provide such examples in the final regulatory text. A few commenters who requested examples be provided within the regulatory text also recommended that the language make clear that the examples are illustrative. Response: The Department declines to include examples of uses or disclosures of PHI that would be permitted in this rule, in regulatory text. We have provided illustrative examples above. 3. Clarifying Personal Representative Status in the Context of Reproductive Health Care Section 164.502(g) of the Privacy Rule contains the standard for personal 321 45 CFR 164.512(f)(1). the regulated entity is limited by the minimum necessary standard or the relevant requirements of the law that requires the reporting depends upon whether the regulated entity is making the disclosure pursuant to 45 CFR 164.512(a) or some other permission under 45 CFR 164.512. See 45 CFR 164.502(b)(v). 322 Whether E:\FR\FM\26APR5.SGM 26APR5 33026 Federal Register / Vol. 89, No. 
representatives and generally requires a regulated entity to treat an individual’s personal representative as the individual if that person has authority under applicable law (e.g., state law, court order) to act on behalf of the individual in making decisions related to health care.323 For example, the Privacy Rule would treat a legal guardian of an individual who has been declared incompetent by a court as the personal representative of that individual, if consistent with applicable law.324 In this and certain other provisions, the Department seeks to maintain the longstanding balance HIPAA strikes between the interest of a state or other authorities to regulate health and safety and protect vulnerable individuals 325 with the goal of maintaining the privacy protections established in the Privacy Rule.326
In the 2023 Privacy Rule NPRM, the Department expressed concern that some regulated entities may interpret the Privacy Rule as providing them with the ability to refuse to recognize as an individual’s personal representative a person who makes reproductive health care decisions, on behalf of the individual, with which the regulated entity disagrees.327 Under these circumstances, current section 45 CFR 164.502(g)(5) of the Privacy Rule could be interpreted to permit a regulated entity to assert that, by virtue of the personal representative’s involvement in the reproductive health care of the individual, the regulated entity believes that the personal representative is subjecting the individual to abuse. Further, this regulated entity might exercise its professional judgment and decide that it is in the best interest of the individual to not recognize the personal representative’s authority to make health care decisions for that individual.
To protect the balance of interests struck by the Privacy Rule, the Department proposed to modify 45 CFR 164.502 by adding a new paragraph (g)(5)(iii). Proposed 45 CFR 164.502(g)(5)(iii) would ensure that a regulated entity could not deny personal representative status to a person where such status would otherwise be consistent with state and other applicable law primarily because that person provided or facilitated reproductive health care for an individual. The Department expressed its belief that this proposal was narrowly tailored and respected the interests of states and the Department by not unduly interfering with the ability of states to define the nature of the relationship between an individual and another person, including between a minor and a parent, upon whom the state deems it appropriate to bestow personal representative status. The proposal would, however, maintain the existing HIPAA standard by ensuring personal representative status, when otherwise consistent with state law, would not be affected by the type of underlying health care sought.
Several commenters supported the Department’s proposal to clarify that the covered entity’s reasonable basis for electing not to treat a person as a personal representative of an individual, despite state law or other requirements of the Privacy Rule, cannot be primarily because the person has provided or facilitated reproductive health care. Other commenters expressed concern about their ability to determine what constitutes reproductive health care, as would be required to ascertain whether the covered entity had a reasonable basis to elect not to treat a person as an individual’s personal representative. These commenters requested that the Department provide additional clarity in regulatory text or through examples. Other commenters questioned how the Department’s proposal would align with existing state law on parental rights.
As discussed throughout this final rule, reproductive health care is uniquely sensitive and must be treated accordingly. Thus, we are finalizing 45 CFR 164.502(g)(5) with additional modifications as follows. This final rule precludes the denial of personal representative status where the basis of the denial is that the person provided or facilitated reproductive health care instead of the proposed standard that would have precluded denial ‘‘primarily’’ based on these actions. This change clarifies that the covered entity does not have to determine whether the reproductive health care is the ‘‘primary’’ basis for denying a person personal representative status. Additionally, the final rule adds the term ‘‘reasonable’’ before ‘‘belief’’ to align with 45 CFR 164.502(g)(5)(i)(A), clarifying that the basis of the covered entity’s belief must be reasonable in the circumstances. We are also renumbering paragraphs. Collectively, these changes clarify that it is not reasonable to elect not to treat a person as an individual’s personal representative because the person provides or facilitates reproductive health care for and at the request of the individual. The Department is making these changes in response to comments received on the 2023 Privacy Rule NPRM, which are further discussed below.
323 See 45 CFR 164.502(g).
324 See 45 CFR 164.502(g)(3)(i). See also Off. for Civil Rights, ‘‘Personal Representatives,’’ U.S. Dep’t of Health and Human Servs., https://www.hhs.gov/hipaa/for-individuals/personal-representatives/index.html.
325 See, e.g., 45 CFR 164.510(b)(3) and 164.512(j)(1)(i)(A).
326 See 65 FR 82462, 82471 (Dec. 28, 2000).
327 88 FR 23506, 23533–34 (Apr. 17, 2023).
Comment: Several commenters supported the Department’s proposal to clarify that the covered entity’s basis for electing not to treat a person as a personal representative of an individual, despite state law or other requirements of the Privacy Rule, cannot be primarily because the person has provided or facilitated reproductive health care.
Response: As explained throughout this final rule, reproductive health care is uniquely sensitive and must be treated as such. Accordingly, we are finalizing this proposal with modifications as described above.
Comment: A commenter expressed concerns that regulated entities would have difficulty determining whether the ‘‘primary’’ basis for the belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person, or that treating such person as the personal representative could endanger the individual related to the provision or facilitation of the reproductive health care, in some circumstances. The commenter requested that the Department provide additional clarity in the regulatory text or through examples.
Response: As discussed above, we have removed the term ‘‘primary’’ before ‘‘basis’’ and reorganized the provision. We believe this change clarifies that the covered entity does not have to determine whether the provision or facilitation of reproductive health care is the ‘‘primary’’ basis for believing that a person who is an individual’s personal representative under applicable law has abused, neglected, or endangered the individual, or may do so in the future, such that the covered entity would be permitted to deny the person personal representative status.
Comment: A few commenters requested that the Department clarify that other existing provisions pertaining to personal representatives continue to apply, including the provision that a covered entity should not treat a parent or guardian as a personal representative where state law does not require a minor to obtain parental consent to lawfully obtain health care.
Response: As discussed above, the Privacy Rule generally requires a covered entity to treat a person who, under applicable law, has the authority to act on behalf of an individual in making decisions related to health care as the individual’s personal representative with respect to PHI relevant to such personal representation, with limited exception.328 In this final rule, we are clarifying that those limited exceptions apply to this general rule.329 We did not propose, nor are we making, any additional changes to the Privacy Rule’s provisions on personal representatives. Nothing in this final rule is intended to alter any other use or disclosure permissions for personal representatives, nor does it interfere with the ability of states to define the nature of the relationship between a minor and a parent or guardian.
Comment: A commenter asserted that the proposal could lead to situations in which someone pretending to be a personal representative of the individual would consent to reproductive health care for the individual. According to a few commenters, the proposal would make it easier for a person abusing an individual to obtain access to an individual’s PHI because of the limits imposed on the reasonable belief provisions by the proposal. Another commenter asserted that the proposal would hinder state investigations into crimes that affect an individual’s reproductive health where such crimes are committed by a person meeting a state’s definition of a personal representative.
Response: The Department has no reason to believe, and commenters provided no evidence to suggest, that the final rule will lead to abuse or undermine parental consent. Rather, the final rule will protect sensitive PHI by clarifying that a regulated entity must treat a person as a personal representative of an individual with respect to PHI relevant to such personal representation if such person is, under applicable law, authorized to act on behalf of the individual in making decisions related to health care. This includes a court-appointed guardian, a person with a power of attorney, or other persons with legal authority to make health care decisions. Further, under 45 CFR 164.514(h), a covered entity must verify the identity of a person requesting PHI and the authority of any such person to have access to PHI, if the identity is not already known to the covered entity. Additionally, the final rule allows a covered entity to elect not to treat a person as a personal representative of an individual if the covered entity, in the exercise of professional judgment, has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person, or that treating such person as the personal representative could endanger the individual. The final rule only clarifies that the reasonable basis cannot be the provision or facilitation of reproductive health care by the person authorized by applicable law.
328 See 45 CFR 164.502(g).
329 See 45 CFR 164.502(g)(3)(i).
Comment: A few commenters recommended that the Department define and interpret personal representative status in the context of reproductive health care consistent with its current interpretation.
Response: We appreciate the comments but decline to specifically define ‘‘personal representative’’ in the context of reproductive health care. We are reducing compliance burdens by eliminating the need for covered entities to determine whether the provision or facilitation of reproductive health care was the ‘‘primary’’ basis for their belief that an individual has been or may be subjected to domestic violence, abuse, or neglect, or may be endangered by a person authorized by applicable law to act as an individual’s personal representative if the covered entity treats the person as such, with respect to PHI relevant to such personal representation.
Comment: A covered entity recommended that the Department set reasonable threshold standards that covered entities would be required to meet if they deny personal representative status to a person because of any legal, social, or professional liability that could attach based on such denials. The commenter further recommended that the Department set objective universal thresholds for denials that are clear, concise, and easily defined.
Response: We appreciate the comment but decline to set a reasonable threshold standard that covered entities would be required to meet if they deny personal representative status to a person. As discussed above, the Department gives covered entities discretion to elect not to treat a person as a personal representative of an individual if the covered entity has a reasonable belief that the individual has been subjected to domestic violence, abuse, or neglect by or would be in danger from a person seeking to act as the personal representative, except where the basis of the denial is that the person provided or facilitated reproductive health care.
Response: As discussed above, a personal representative, with authority under applicable law, stands in the shoes of the individual and has the ability to act for the individual and exercise the individual’s rights. Thus, with very limited exceptions, covered entities must provide the personal representative access to the individual’s PHI in accordance with 45 CFR 164.524 to the extent such information is relevant to such representation.
4. Request for Comments
The Department requested comment on whether to eliminate or narrow any existing permissions to use or disclose ‘‘highly sensitive PHI.’’ 330 Most of the comments on this question are discussed in the context of the prohibition.
330 88 FR 23506, 23534 (Apr. 17, 2023).
C. Section 164.509—Uses and Disclosures for Which an Attestation Is Required
1. Current Provision
The Privacy Rule currently separates uses and disclosures into three categories: required, permitted, and prohibited. Permitted uses and disclosures are further subdivided into those to carry out TPO; 331 those for which an individual’s authorization is required; 332 those requiring an opportunity for the individual to agree or object; 333 and those for which an authorization or opportunity to agree or object is not required.334 For an individual’s authorization to be valid, the Privacy Rule requires that it contain certain specific information to ensure that an individual authorizing a regulated entity to use or disclose their PHI to another person knows and understands to what it is they are agreeing.335
331 45 CFR 164.506.
332 45 CFR 164.508.
333 45 CFR 164.510.
334 45 CFR 164.512.
335 45 CFR 164.508(b).
2. Proposed Rule
As we described in the 2023 Privacy Rule NPRM, a regulated entity presented with a request for PHI would need to discern whether using or disclosing PHI in response to the request would be prohibited. To facilitate compliance with the proposed prohibition at 45 CFR 164.502(a)(5)(iii) while also providing a pathway for regulated entities to disclose PHI for certain permitted purposes, the Department proposed to require that a covered entity obtain an attestation from a person requesting the use or disclosure of PHI in certain circumstances.336 Specifically, the Department proposed to add a new section 45 CFR 164.509, ‘‘Uses and disclosures for which an attestation is required.’’ This proposed condition would require a regulated entity to obtain certain assurances from the person requesting PHI potentially related to reproductive health care before the PHI is used or disclosed, in the form of a signed and dated written statement attesting that the use or disclosure would not be for a purpose prohibited under 45 CFR 164.502(a)(5)(iii), where the person is making the request under the Privacy Rule permissions at 45 CFR 164.512(d) (disclosures for health oversight activities), (e) (disclosures for judicial and administrative proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) (disclosures about decedents to coroners and medical examiners). The proposed new section included a description of the proposed attestation contents, including a statement that the use or disclosure is not for a purpose the Department proposed to prohibit as described at 45 CFR 164.502(a)(5)(iii). The 2023 Privacy Rule NPRM also included a discussion about how the Department anticipated the proposed attestation requirement would work in concert with Privacy Rule permissions.
336 88 FR 23506, 23534–37 (Apr. 17, 2023).
Additionally, the proposed attestation provision would also include the general requirements for a valid attestation, and defects of an invalid attestation.337 The Department also proposed to require that an attestation be written in plain language 338 and to prohibit it from being ‘‘combined with’’ any other document. Further, the Department’s proposal would explicitly permit the attestation to be in an electronic format, as well as electronically signed by the person requesting the disclosure.339 Under the proposal, the attestation would be facially valid when the document meets the required elements of the attestation proposal and includes an electronic signature that is valid under applicable Federal and state law.340 Additionally, the proposal specified that each use or disclosure request would require a new attestation.
The Department proposed that a regulated entity would be able to rely on the attestation provided that it is objectively reasonable under the circumstances for the regulated entity to believe the statement required by 45 CFR 164.509(c)(1)(iv) that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), rather than requiring a regulated entity to investigate the validity of an attestation.341 We explained that it would not be objectively reasonable for a regulated entity to rely on the representation of the person requesting PHI about whether the reproductive health care was provided under circumstances in which it was lawful to provide such health care. This is because we believed that the regulated entity, not the person requesting the disclosure of PHI, has the information about the provision of such health care that is necessary to make this determination. Therefore, we explained that this determination would need to be made by the regulated entity prior to using or disclosing PHI in response to a request for a use or disclosure of PHI that would require an attestation under the proposal. The attestation proposal also would require a regulated entity to cease use or disclosure of PHI if the regulated entity develops reason to believe, during the course of the use or disclosure, that the representations contained within the attestation were materially incorrect, leading to uses or disclosures for a prohibited purpose.342 Relatedly, the 2023 Privacy Rule NPRM included a discussion of the consequences of material misrepresentations that cause the impermissible use or disclosure of IIHI relating to another individual under HIPAA.
To reduce the burden on regulated entities implementing this proposed attestation, the Department requested comment on whether it should develop a model attestation that a regulated entity may use when developing its own attestation templates. The Department did not propose to require that regulated entities use the model attestation.
337 Pursuant to 45 CFR 164.530(j), regulated entities would be required to maintain a written or electronic copy of the attestation.
338 The Federal plain language guidelines under the Plain Writing Act of 2010 only apply to Federal agencies, but they serve as a helpful resource. See 5 U.S.C. 105 and ‘‘Federal plain language guidelines,’’ U.S. Gen. Servs. Admin., https://www.plainlanguage.gov/guidelines/.
339 Proposed 45 CFR 164.509(b)(1)(iv) and (c)(1)(iv).
340 While not explicitly stated in the Privacy Rule, the Department previously issued guidance clarifying that authorizations are permitted to be submitted and signed electronically. See Off. for Civil Rights, ‘‘Is a copy, facsimile, or electronically transmitted version of a signed authorization valid under the Privacy Rule?,’’ U.S. Dep’t of Health and Human Servs., HIPAA FAQ #475 (Jan. 9, 2023), https://www.hhs.gov/hipaa/for-professionals/faq/475/is-a-copy-of-a-signed-authorization-valid/index.html and Off. for Civil Rights, ‘‘How do HIPAA authorizations apply to an electronic health information exchange environment?,’’ U.S. Dep’t of Health and Human Servs., HIPAA FAQ #554 (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/.
341 This approach is consistent with 45 CFR 164.514(h), which requires a regulated entity to verify the identity and legal authority of a public official or a person acting on behalf of a public official, and describes the type of documentation upon which a regulated entity may rely, if such reliance is reasonable under the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A), which permits a covered entity to rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials that are permitted under 45 CFR 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s).
342 Proposed 45 CFR 164.509(d).
3. Overview of Public Comments
Most commenters expressed support for the proposal to require an attestation for certain uses and disclosures. Some commenters questioned why the Department did not extend the attestation requirement directly to business associates, consistent with the general prohibition and recommended that the attestation requirements be applied to business associates.
Some of those commenters that supported the proposal to require an attestation expressed concern or made additional recommendations about its components, content, and scope, and the consequences for covered entities that make inadvertent disclosures of PHI without an attestation. A small number of opposing commenters also expressed concerns about the effectiveness and administrative burden of the proposed attestation requirement. About half of the commenters concerned about the administrative burden of the attestation expressed support for limiting the applicability of the proposed attestation to certain types of uses and disclosures of information, while the other half recommended expanding the scope of the proposed attestation requirement to mitigate burdens on covered entities or to increase privacy protections for individuals.
Many commenters expressed concern about the Department’s statement in the 2023 Privacy Rule NPRM that it would not be objectively reasonable for a regulated entity to rely on the representation of a person requesting the use or disclosure of PHI about whether the PHI sought was related to lawful health care. Specifically, commenters asserted that regulated entities may have difficulties determining whether an attestation is ‘‘objectively reasonable’’ and were unlikely to possess the information necessary to determine the purpose of a person’s request for the use or disclosure of PHI.
Most commenters urged the Department to expand the proposal beyond requests for PHI potentially related to reproductive health care to requests for any PHI because of the associated administrative burden of identifying and segmenting PHI about reproductive health care from other types of PHI.
These commenters asserted that the burden would be significant because such PHI can be found throughout the medical record. Commenters also expressed concerns about the ability of EHRs to segment data.
Most commenters recommended that the Department add to or modify the content of the proposed attestation, including to add a statement that the recipient pledges not to redisclose PHI to another party for any of the prohibited purposes or that the request is for the minimum amount of information necessary. Many supported the inclusion of a signed declaration under penalty of perjury and a statement regarding the penalties for perjury to add a layer of accountability.
4. Final Rule
As we explained in the 2023 Privacy Rule NPRM, it may be difficult for regulated entities to distinguish between requests for the use and disclosure of PHI based on whether the request is for a permitted or prohibited purpose, which could lead regulated entities to deny use or disclosure requests for permitted purposes. Additionally, absent an enforcement mechanism, it is likely that persons requesting the use or disclosure of PHI could seek to use Privacy Rule permissions for purposes that are prohibited under the new 45 CFR 164.502(a)(5)(iii). Accordingly, the Department is finalizing the proposed attestation requirement, with modification, as described below. We intend to publish a model attestation prior to the compliance date for this final rule.
First, the Department is renumbering the attestation provision such that the requirement is now 45 CFR 164.509(a)(1) and modifying that requirement to hold business associates directly liable for compliance with the attestation requirement.
This change was made to address concerns raised by commenters who questioned why the Department did not extend the attestation requirement directly to business associates, consistent with the general prohibition and with revisions made to the HIPAA Rules in the 2013 Omnibus Rule, as required by the HITECH Act. The Department has authority to take enforcement action against business associates only for VerDate Sep<11>2014 20:54 Apr 25, 2024 Jkt 262001 requirements for which the business associate is directly liable.343 Thus, under the proposed attestation requirement, a business associate would only have been required to comply with the proposed 45 CFR 164.509 if such obligation was explicitly included within its business associate agreement.344 Both covered entities and business associates process requests for PHI. The Privacy Rule permits regulated entities to determine whether a business associate can respond to such requests or whether they are required to defer to the covered entity.345 As noted by commenters, while many PHI requests processed by a business associate pursuant to 45 CFR 164.512(d)–(g)(1) are processed on behalf of the covered entity, persons may elect to request PHI directly from the business associate. Thus, the Department has determined that it is appropriate to hold both covered entities and business associates directly liable for compliance with the attestation requirement. Expanding the attestation requirement to apply to business associates will ensure that the business associate is directly liable for compliance with it, regardless of whether compliance with 45 CFR 164.509 is explicitly included in a BAA. 
The Department is also adopting the proposed attestation requirement that a regulated entity obtain an attestation only for PHI ‘‘potentially related to reproductive health care.’’ As discussed in the 2023 Privacy Rule NPRM, this will limit the number of requests that require an attestation, and therefore, the burden of the attestation requirement on regulated entities and persons requesting PHI. The Department reminds regulated entities that they are permitted, but not required, to respond to law enforcement requests for PHI where the purpose of the request is not one for which regulated entities are prohibited from disclosing PHI. By narrowing the scope of the attestation to PHI ‘‘potentially related to reproductive health care,’’ the attestation requirement will not unnecessarily interfere with or delay law enforcement investigations that do not involve PHI ‘‘potentially related to reproductive health care.’’ While in practice this scope may be wide, we believe the privacy interests of individuals who have obtained reproductive health care necessitate the inclusion of ‘‘potentially related’’ PHI. We are concerned that extending the attestation requirement to all PHI could unnecessarily delay law enforcement investigations that are not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). We acknowledge commenters’ concerns about the ability of regulated entities to operationalize the attestation condition and note that the requirement to obtain an attestation applies where the request is for PHI ‘‘potentially related to reproductive health care,’’ as opposed to PHI ‘‘related to reproductive health care.’’ Consistent with the Department’s instructions to regulated entities since the Privacy Rule’s inception, we have taken a flexible approach to allow scalability based on a regulated entity’s activities and size. All regulated entities must take appropriate steps to address privacy concerns. Regulated entities should weigh the costs and benefits of alternative approaches when determining the scope and extent of their compliance activities, including when developing policies and procedures to comply with the Privacy Rule.[346] The Department will assess the progress of regulated entities’ compliance with this requirement and promulgate guidance as appropriate. The Department also notes that with limited exceptions, the Privacy Rule generally permits but does not require the use or disclosure of PHI when the conditions set by the Privacy Rule for the specific use or disclosure of PHI are met.

[343] Business associates became directly liable for compliance with certain requirements of the HIPAA Rules under the HITECH Act. Consistent with the HITECH Act, the 2013 Omnibus Rule identified the portions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable. Prior to the HITECH Act and the Omnibus Rule, these requirements applied to business associates and their subcontractors indirectly through the requirements under 45 CFR 164.504(e) and 164.314(a), which require that covered entities by contract require business associates to limit uses and disclosures and implement HIPAA Security Rule-like safeguards. See 78 FR 5566 (Jan. 25, 2013). See also Off. for Civil Rights, ‘‘Direct Liability of Business Associates Fact Sheet,’’ U.S. Dep’t of Health and Human Servs. (July 16, 2021), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/.
[344] 45 CFR 164.504(e) and 164.314(a).
[345] 45 CFR 164.504(e)(2)(i)(E).
The Department is adopting the proposed requirement that an attestation be obtained where a request is made under the Privacy Rule permissions at 45 CFR 164.512(d) (disclosures for health oversight activities), (e) (disclosures for judicial and administrative proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) (disclosures about decedents to coroners and medical examiners). This requirement will help ensure that these Privacy Rule permissions cannot be used to circumvent the new prohibition at 45 CFR 164.502(a)(5)(iii) and continue permitting essential disclosures, while also limiting the attestation’s burden on regulated entities by providing a standard mechanism by which the regulated entity can ascertain whether a requested use or disclosure is prohibited under this final rule. The attestation requirement is intended to reduce the burden of determining whether the PHI request is for a purpose prohibited under 45 CFR 164.502(a)(5)(iii), but it does not absolve regulated entities of the responsibility of making this determination, nor does it absolve regulated entities of the responsibility for ensuring that such requests meet the other conditions of the relevant permission. We are modifying the proposal by revising 45 CFR 164.509(a)(1) to clarify that a regulated entity may not use or disclose PHI where the use or disclosure does not meet all of the Privacy Rule’s applicable conditions, including the attestation requirement. While this is consistent with the existing requirements of the Privacy Rule, we determined that it was necessary to reiterate this requirement here based on comments we received.

[346] 65 FR 82462, 82471, and 82875 (Dec. 28, 2000).
Thus, when this final rule is read holistically, a regulated entity is not permitted to use or disclose PHI where such disclosure does not meet all of the Privacy Rule’s applicable conditions, including the attestation requirement. We are also modifying the proposal by adding 45 CFR 164.509(a)(2) to clarify that the use or disclosure of PHI based on a defective attestation does not meet the attestation requirement. For example, the attestation requirement would not be met if a regulated entity relies on an attestation where it is not reasonable to do so because the attestation would be defective under 45 CFR 164.509(b)(2)(v). Accordingly, it would be a violation of the Privacy Rule if the regulated entity makes a use or disclosure in response to a defective attestation. The Department is modifying the proposal to prohibit inclusion in the attestation of any elements that are not specifically required by 45 CFR 164.509(c). This provision addresses concerns that regulated entities might require persons requesting PHI to provide information beyond that which is required under 45 CFR 164.509(c). Such additional requirements could make it burdensome for persons requesting PHI to submit a valid attestation when they make a request pursuant to 45 CFR 164.512(d), (e), (f), or (g)(1). Additionally, a person requesting PHI is not required to use the specific attestation form provided by a regulated entity, as long as the attestation provided by such person is compliant with the requirements of 45 CFR 164.509. Additionally, the Department is modifying the proposed prohibition on compound attestations. Specifically, the final rule prohibits the attestation from being ‘‘combined with’’ any other document. The modification clarifies that while an attestation may not be combined with other ‘‘forms,’’ additional documentation to support the information provided in the attestation may be submitted.
This additional documentation may not replace or substitute for any of the attestation’s required elements. The attestation itself must be clearly labeled, distinct from any surrounding text, and completed in its entirety, but documentation to support the statement at 45 CFR 164.509(c)(1)(iv) or to overcome the presumption at 45 CFR 164.502(a)(5)(iii)(C) may be appended to the attestation. Thus, a regulated entity must ensure that the required elements of the attestation are met, and should review any additional documents provided by the person making the request when making the required determinations. A regulated entity may use this information—the information on the attestation combined with any additional documentation provided by the person making the request for PHI—to make a reasonable determination that the attestation is true, consistent with 45 CFR 164.509(b)(2)(v). For example, an attestation would not be impermissibly ‘‘combined with’’ a subpoena if it is attached to it, provided that the attestation is clearly labeled as such. As another example, an electronic attestation would not be impermissibly ‘‘combined with’’ another document where the attestation is on the same screen as the other document, provided that the attestation is clearly and distinctly labeled as such. The Department is finalizing the proposed content requirements with modifications as follows. Specifically, the Department is finalizing the proposal that an attestation must include that the person requesting the disclosure confirm the types of PHI that they are requesting; clearly identify the name of the individual whose PHI is being requested, if practicable, or if not practicable, the class of individuals whose PHI is being requested; and confirm, in writing, that the use or disclosure is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii).
For purposes of the ‘‘class of individuals’’ described in 45 CFR 164.509(c)(1)(i)(B), the Department clarifies that the requesting entity may describe such a class in general terms—for example, as all individuals who were treated by a certain health care provider or for whom a certain health care provider submitted claims, all individuals who received a certain procedure, or all individuals with given health insurance coverage. As we proposed, we are finalizing a requirement that the attestation include a clear statement that the use or disclosure is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). This requirement may be satisfied with a series of checkboxes that identifies why the use or disclosure is not prohibited under 45 CFR 164.502(a)(5)(iii) (i.e., the use or disclosure is not for a purpose specified in 45 CFR 164.502(a)(5)(iii)(A); or the use or disclosure is for a purpose that would be prohibited under 45 CFR 164.502(a)(5)(iii)(A), but the reproductive health care at issue was not lawful under the circumstances in which it was provided so the Rule of Applicability is not satisfied, and thus the prohibition does not apply). The Department is adding another new required element, a statement that the attestation is signed with the understanding that a person who knowingly and in violation of HIPAA obtains or discloses IIHI relating to another individual, or discloses IIHI to another person, may be subject to criminal liability.[347] We believe that adding this language satisfies the intent that led us to consider including a penalty of perjury requirement and is consistent with applicable law. The statement does not impose new liability on persons who sign an attestation; instead, including the statement in the attestation ensures that persons who request the use or disclosure of PHI for which an attestation is required are on notice of and acknowledge the consequences of making such requests under false pretenses.
The Department is also finalizing the proposed requirement that the attestation must be written in plain language. Additionally, the Department is finalizing its proposal to permit the attestation to be in electronic format and for it to be electronically signed by the person requesting the disclosure where such electronic signature is valid under applicable law.[348] The Department declines to mandate a specific electronic format for the attestation. As we proposed, an attestation will be limited to the specific use or disclosure. Accordingly, each use or disclosure request for PHI will require a new attestation. There is no exception to the minimum necessary standard for uses and disclosures made pursuant to an attestation under 45 CFR 164.509.[349] Thus, a regulated entity will have to limit a use or disclosure to the minimum necessary when provided in response to a request that would be subject to the proposed attestation requirement, unless one of the specified exceptions to the minimum necessary standard in 45 CFR 164.502(b)(2) applies. Where the person requesting the PHI is also a regulated entity, that person will also need to make reasonable efforts to limit their request to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.[350] The Department is not requiring a regulated entity to investigate the validity of an attestation provided by a person requesting a use or disclosure of PHI.

[347] See 42 U.S.C. 1320d–6(a).
[348] 45 CFR 164.509(b)(1)(iii) and (c)(1)(vi).
Rather, a regulated entity is generally permitted to rely on the attestation if, under the circumstances, a regulated entity reasonably determines that the request is not for investigating or imposing liability for the mere act of seeking, obtaining, providing, or facilitating allegedly unlawful reproductive health care. In addition, a regulated entity is generally permitted to rely on the attestation and any accompanying material if, under the circumstances, a regulated entity reasonably could conclude (e.g., upon examination of adequate supporting documentation provided by the person making the request) that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), consistent with the approach taken in the Privacy Rule[351] and elsewhere in this final rule. If such reliance is not reasonable, then the regulated entity may not rely on the attestation. This is a change from the proposed language, which permitted reliance based on an ‘‘objectively reasonable’’ standard. The proposed standard was modified because a reasonable person standard is inherently objective.[352] Thus, including ‘‘objectively’’ in the description of the standard was redundant. For requests involving allegedly unlawful reproductive health care, the extent to which a regulated entity may reasonably rely on an attestation depends in part on whether the regulated entity provided the reproductive health care at issue. Under the final rule, it would not be reasonable for a regulated entity to rely on the representation made by a person requesting the use or disclosure of PHI that the reproductive health care was unlawful under the circumstances in which it was provided unless such representation meets the conditions set forth in the presumption at 45 CFR 164.502(a)(5)(iii)(C). As discussed above, under the presumption, reproductive health care is presumed to be lawful under the circumstances in which such health care is provided unless a regulated entity has actual knowledge, or information from the person making the request that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided. Where the reproductive health care at issue was provided by a person other than the regulated entity receiving the request for the use or disclosure of PHI and the presumption is overcome, the regulated entity is permitted to use or disclose PHI in response to the request upon receipt of an attestation where it is reasonable to rely on the representations made in the attestation. It is not reasonable for the regulated entity to rely solely on a statement of the person requesting the use or disclosure of PHI that the reproductive health care was unlawful under the circumstances in which such health care was provided.

[349] 45 CFR 164.502(b). The minimum necessary standard of the Privacy Rule applies to all uses and disclosures where a request does not meet one of the specified exceptions in paragraph (b)(2).
[350] 45 CFR 164.502(b)(1).
[351] This approach is consistent with 45 CFR 164.514(h), which requires a covered entity to verify the identity and legal authority of a public official or a person acting on behalf of the public official and describes the type of documentation upon which regulated entities can rely, if such reliance is reasonable under the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A), which permits a covered entity to rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials that are permitted under 45 CFR 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s).
Instead, the person requesting the use or disclosure of PHI must provide the regulated entity with information such that it would constitute actual knowledge or that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided. A regulated entity that receives a request for PHI involving reproductive health care provided by that regulated entity should review the relevant PHI in its possession and other related information (e.g., license of health care provider that provided the health care, operating license for the facility in which such health care was provided) to determine whether the reproductive health care was lawful under the circumstances in which it was provided prior to using or disclosing PHI in response to a request for PHI that requires an attestation. Where the request is about reproductive health care that is provided by the regulated entity receiving the request, it would not be reasonable for a regulated entity to automatically rely on a representation made by a person requesting the use or disclosure of PHI about whether the reproductive health care was provided under the circumstances in which it was lawful to provide such health care. Rather, the regulated entity must review the individual’s PHI to consider the circumstances under which it provided the reproductive health care to determine whether such reliance is reasonable. Therefore, where the request involves the use or disclosure of PHI potentially related to reproductive health care that was provided by the recipient of the request, the regulated entity must make the determination about whether it provided the health care lawfully prior to using or disclosing PHI in response to a request that requires an attestation.

[352] E.g., Restatement (Second) Torts § 283, comment b (Am. L. Inst. 1965).
For example, if a law enforcement official requested PHI potentially related to reproductive health care to investigate a person for the mere act of seeking, obtaining, providing or facilitating allegedly unlawful reproductive health care, it would not be reasonable for a regulated entity that receives such a request to rely solely on a signed attestation that states that the reproductive health care was not lawful under the circumstances in which it was provided, as set forth in 45 CFR 164.502(a)(5)(iii)(B), and therefore, that the requested disclosure is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii)(A). This is regardless of whether the regulated entity receiving the request for PHI provided the reproductive health care at issue. Assuming that the attestation is not facially deficient, a regulated entity must consider the totality of the circumstances surrounding the attestation and whether it is reasonable to rely on the attestation in those circumstances. To determine whether it is reasonable to rely on the attestation, a regulated entity should consider, among other things: who is requesting the use or disclosure of PHI; the permission upon which the person making the request is relying; the information provided to satisfy other conditions of the relevant permission; the PHI requested and its relationship to the stated purpose of the request; and, where the reproductive health care was supplied by another person, whether the regulated entity has: (1) actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided; or (2) factual information supplied by the person requesting the use or disclosure of PHI that would demonstrate to a reasonable regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided. For example, a regulated entity receives an attestation from a Federal law enforcement official, along with a court-ordered warrant demanding PHI potentially related to reproductive health care. The law enforcement official represents that the request is about reproductive health care that was not lawful under the circumstances in which such health care was provided, but the official will not divulge more information because they allege that doing so would jeopardize an ongoing criminal investigation. In this example, if the regulated entity itself provided the reproductive health care and, based on the information in its possession, reasonably determines that such health care was lawful under the circumstances in which it was provided, the regulated entity may not disclose the requested PHI. If the regulated entity did not provide the reproductive health care, it may not disclose the requested PHI absent additional factual information because the official requesting the PHI has not provided sufficient information to overcome the presumption at 45 CFR 164.502(a)(5)(iii)(C).
Further, it also would not be reasonable under the circumstances for the regulated entity to rely on the attestation that the information would not be used for a purpose prohibited by 45 CFR 164.502(a)(5)(iii) because of the presumption that the reproductive health care was lawfully provided. However, in cases where the presumption of lawfulness applies, the regulated entity would be permitted to make the disclosure, for example, where the law enforcement official provides additional factual information for the regulated entity to determine that there is a substantial factual basis that the reproductive health care was not lawful under the circumstances in which such health care was provided. As another example, a regulated entity could rebut the presumption of lawfulness by relying on a sworn statement by a law enforcement official that the PHI is necessary for an investigation into violations of specific criminal codes unrelated to the provision of reproductive health care (e.g., billing fraud) or an affidavit from an individual that the individual obtained unlawful reproductive health care from a different health care provider and the requested PHI is relevant to that investigation. Similarly, if a regulated entity receives an attestation from a Federal law enforcement official, along with a court-ordered warrant demanding PHI potentially related to reproductive health care, that both specify that the purpose of the request is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), the regulated entity may rely on the attestation and warrant, subject to the requirements of 45 CFR 164.512(f)(1)(ii)(A).
Lastly, this final rule requires a regulated entity to cease use or disclosure of PHI if the regulated entity, during the course of the use or disclosure, discovers information reasonably showing that the representations contained within the attestation are materially incorrect, leading to uses or disclosures for a prohibited purpose.[353] As we explained in the 2023 Privacy Rule NPRM, pursuant to HIPAA, a person who knowingly and in violation of the Administrative Simplification provisions obtains or discloses IIHI relating to another individual or discloses IIHI to another person would be subject to criminal liability.[354] Thus, a person who knowingly and in violation of HIPAA[355] falsifies an attestation (e.g., makes material misrepresentations about the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual’s IIHI could be subject to criminal penalties as outlined in the statute.[356] Additionally, a disclosure made based on an attestation that contains material misrepresentations after the regulated entity becomes aware of such misrepresentations constitutes an impermissible disclosure, which requires notifications of a breach to the individual, the Secretary, and in some cases, the media.[357] The attestation requirement does not replace the conditions of the Privacy Rule’s permissions for a regulated entity to disclose PHI, including in response to a subpoena, discovery request, or other lawful process, or administrative request. Instead, the attestation is designed to work with the permissions and their requirements. If PHI is disclosed pursuant to 45 CFR 164.512(e)(1)(ii) or (f)(1)(ii)(C), a regulated entity will need to verify that the requirements of each provision are met, in addition to satisfying the requirements of the new attestation provision under 45 CFR 164.509. Furthermore, the requirements of 45 CFR 164.528, the right to an accounting of disclosures of PHI made by a covered entity, are not affected by the attestation requirement. Thus, disclosures made pursuant to a permission under 45 CFR 164.512(d), (e), (f), or (g) must be included in the accounting, including when they are made pursuant to an attestation.

[353] 45 CFR 164.509(d).
[354] See 42 U.S.C. 1320d–6(a).
[355] A person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9(b)(3) of this title) and the individual obtained or disclosed such information without authorization. Id.
[356] See 42 U.S.C. 1320d–6(b).

5. Responses to Public Comments

Comment: Most commenters supported the proposal to require an attestation for certain uses and disclosures. A few commenters recognized the benefits of the attestation requirement, despite the potential increase in administrative burden for regulated entities. Many commenters opposed the proposal for what they described as administrative burden, questionable effectiveness, and lack of clarity. A few commenters stated that the requirements imposed an inappropriate compliance burden on covered entities that would need to determine whether a PHI request was ‘‘potentially related’’ to sensitive personal health care, and, along with a health care provider who otherwise supported the attestation, they recommended instead that the Department impose requirements on the person requesting the use or disclosure of PHI.
Many commenters expressed concerns about the ability of covered entities to operationalize the proposed requirement with the limitation to PHI potentially related to reproductive health care because it would require the ability to segment PHI, which the Department previously acknowledged is generally unavailable. A few commenters questioned the effectiveness of the proposed attestation requirement, as compared to its potential burden, enforceability, and effects on access to maternal and specialty health care.

Response: We agree with commenters that the attestation requirement will bolster the privacy of PHI and acknowledge that implementation of this important safeguard requires additional administrative activities by regulated entities. The Department considered removing the limitation on the application of the attestation condition to PHI ‘‘potentially related to reproductive health care,’’ but we are concerned that expanding it to apply to all requests for PHI made for specified purposes would impose even more burden on regulated entities. The requirement is to determine whether the requested PHI is ‘‘potentially related to reproductive health care,’’ not whether it is ‘‘related to reproductive health care.’’ Thus, regulated entities are not required to make an affirmative determination that the requested PHI is in fact related to reproductive health care before requiring a person requesting PHI to provide an attestation.

[357] 45 CFR 164.400 et seq. The HIPAA Breach Notification Rule, 45 CFR 164.400–414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.
We note that the focus of the attestation requirement has been limited to PHI potentially related to reproductive health care because the changes to the legal landscape have heightened privacy concerns about reproductive health care that is lawful under the circumstances in which such health care is provided. We also note that the provision of an attestation itself is not determinant of whether the request is for a prohibited purpose. Rather, regulated entities must consider whether a request for PHI is for a prohibited purpose, regardless of whether the request is made for a purpose for which the Privacy Rule requires an attestation. The Department is limited to applying the HIPAA Rules to those entities covered by HIPAA (i.e., health plans, health care clearinghouses, and health care providers that conduct covered transactions) and to business associates, as provided under the HITECH Act. Accordingly, the Department is limited to imposing obligations on persons requesting the use or disclosure of PHI to those who are also regulated entities. The attestation condition has been drafted to promote the privacy of information about lawful reproductive health care, including maternal and specialty health care, while still permitting certain uses of PHI. Regulated entities, including covered entities that specialize in providing reproductive health care, may determine, based on their assessment of what PHI is potentially related to reproductive health care, that an attestation must accompany all requests they receive for the use or disclosure of any PHI made pursuant to and in compliance with 45 CFR 164.512(d)–(g)(1). Further, the attestation requirement only applies to the specified requests for PHI and should not affect any intake of new patients or provision of maternal health care.
The Department is not requiring a regulated entity to investigate the veracity of the information provided in support of an attestation because doing so would impose a significant administrative burden on regulated entities and persons requesting the use or disclosure of PHI without proportional benefit. Additionally, requiring such an investigation by the regulated entity may cause unnecessary delays to law enforcement activities. Rather, the Department is finalizing a regulated entity’s ability to rely on the attestation provided that it is reasonable under the circumstances for the regulated entity to believe the statement required by 45 CFR 164.509(c)(1)(iv) that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii). If such reliance is not reasonable, then the regulated entity may not rely on the attestation. A regulated entity that receives a request for PHI potentially related to reproductive health care for purposes specified in 45 CFR 164.512(d), (e), (f), or (g)(1) may accept information, in addition to the attestation, from the person requesting the PHI to support its ability to make the determinations required by 45 CFR 164.502(a)(5)(iii) and 45 CFR 164.509(b)(v). For example, it likely would not be reasonable for a regulated entity to rely on an attestation from a public official who represents that their request is for a purpose that is not prohibited, if the request for PHI is overly broad for its purported purpose and the public official has publicly stated that they will be investigating health care providers for providing reproductive health care. In such cases, regulated entities should consider the circumstances surrounding an attestation to determine whether they can reasonably rely on the attestation. Although we have modified the regulatory text by removing ‘‘objectively,’’ the standard remains unchanged in practice because a reasonableness standard is an objective standard. 
As we also discussed above, it is not reasonable for a regulated entity that provided the reproductive health care at issue to rely on a representation made by a person requesting the use or disclosure of PHI that the reproductive health care at issue was unlawful under the circumstances in which such health care was provided. A regulated entity that makes a disclosure where it was not reasonable to rely on the representation made by the person requesting the use or disclosure may be subject to enforcement action by OCR. Additionally, as discussed in greater detail above, a person who knowingly and in violation of the Administrative Simplification provisions obtains or discloses IIHI relating to another individual or discloses IIHI to another person would be subject to criminal liability.[358] We believe that this provision serves as a deterrent for those who otherwise might request PHI in violation of this final rule. It also will continue to permit essential disclosures while ensuring that Privacy Rule permissions cannot be used to circumvent the new prohibition, thereby enhancing the privacy of individuals’ PHI and protecting other important interests.

Comment: Several commenters opposed the attestation proposal because they believed that the proposal would make it more difficult for law enforcement to request PHI and for entities to respond to such requests, potentially putting them in situations where they need to choose between complying with a court order and impermissibly disclosing PHI. A few individuals stated that the proposal would have a chilling effect on the ability of a state to conduct investigations or proceedings for which the use or disclosure of PHI could be beneficial, particularly in cases involving rape, incest, sex trafficking, domestic violence, abuse, and neglect.
Response: We acknowledge that the attestation provision may require regulated entities to obtain additional information from persons requesting PHI in certain circumstances. As discussed above, this condition is consistent with the operation of the Privacy Rule since its inception, which has always required regulated entities to obtain additional information from persons requesting PHI in certain circumstances, such as where the use or disclosure is one for which an authorization or opportunity to agree or object is not required.359 However, as also discussed above, any burden the attestation may impose on persons requesting PHI is outweighed by the privacy interests that this final rule is designed to protect. A person requesting PHI pursuant to 45 CFR 164.512(d)–(g)(1) may elect to provide an attestation with their request, even if a determination has not yet been made concerning whether such request is for PHI potentially related to reproductive health care. Similarly, the Privacy Rule does not require a regulated entity to respond to requests for PHI. Comment: Some commenters were concerned about the effect of the attestation requirement on the electronic exchange of PHI and recommended approaches for incorporating attestations into a HIE environment. A commenter expressed concern that the requirement for an attestation would delay or prevent automated data exchange using Fast Healthcare Interoperability Resources® (FHIR®) APIs and might impede innovation. They requested guidance on how to implement the attestation condition in an HIE environment without impeding regulated exchanges or industry innovations using extensive data exchange via FHIR APIs.

358 See 42 U.S.C. 1320d–6(a).

359 See 45 CFR 164.512.
Commenters also recommended that the Department issue guidance on implementing attestation policies in circumstances not required by this rule that would not constitute information blocking. A commenter encouraged the Department to implement processes that limit the liability of health care providers for the actions of third parties. For example, the commenter requested that the Department clarify that a refusal to disclose PHI absent an attestation is protected from a finding of information blocking. Response: We do not believe that this final rule prevents the disclosure of PHI via a HIE. We disagree that this requirement prevents the exchange of data using FHIR APIs under these permissions or for automated health data exchange more broadly. PHI can be disclosed as requested if the regulated entity obtains a valid attestation and the request meets the conditions of an applicable permission. The attestation requirement does not affect any requests via FHIR API that fall outside of the 45 CFR 164.512(d)–(g)(1) permissions. For example, a disclosure of PHI from a covered health care provider to another health care provider for care coordination purposes would not require an attestation because the disclosure would not be for a purpose addressed by 45 CFR 164.512(d)–(g)(1). The importance of ensuring the protection of an individual’s interests in the privacy of their PHI and society’s interest in improving the effectiveness of the health care system far outweighs any potential administrative burdens or delays in the electronic exchange of PHI for non-health care purposes. Further, compliance with applicable law does not constitute information blocking.360 Thus, we do not believe additional regulatory language is necessary at this time.
OCR regularly collaborates with other Federal agencies, including ONC, to develop guidance on compliance with Federal standards and to address questions that arise about the ability of regulated entities to comply with applicable laws. The permissions for which the Department is requiring that a regulated entity obtain an attestation prior to using or disclosing PHI are already conditioned upon meeting certain requirements, which generally require manual review. The Department acknowledges that certain persons may need to adjust their workflows to account for the attestation requirement. While there may be some delays until new processes are implemented, any disruptions will decrease over time. Thus, we do not anticipate that this final rule will contribute to additional delays in the disclosure of PHI. The Department is finalizing a new regulatory presumption that permits a regulated entity to presume reproductive health care provided by another person was lawful unless the regulated entity has actual knowledge or factual information supplied by the person requesting the use or disclosure of PHI that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided. This presumption will facilitate the determination by the regulated entity about whether a request for the use or disclosure of PHI would be subject to the prohibition, and thus will reduce the risk of an impermissible use or disclosure of the requested PHI, thereby reducing the liability of regulated entities that receive requests for PHI to which the prohibition may apply, but where they did not provide the reproductive health care at issue. Comment: Many commenters questioned the Department’s rationale for not extending the attestation requirement directly to business associates, consistent with the general prohibition. Some commenters recommended that the attestation requirement be applied to business associates because persons requesting the use or disclosure of PHI may directly approach a business associate for this PHI (and the business associate agreement may permit such disclosures or be silent regarding whether the business associate may respond to them). Commenters also requested clarification of the responsibilities of business associates with respect to attestations and questioned whether the proposal would require amendment of their business associate agreements. Response: As discussed above, we agree with the commenters that the attestation requirement should apply directly to business associates because they receive direct requests for PHI and are subject to the general prohibition in the same manner as covered entities. Therefore, we are modifying 45 CFR 164.509 to ensure that it expressly applies to both covered entities and their business associates.

360 See 42 U.S.C. 300jj–52(a)(1) (excluding from the definition of ‘‘information blocking’’ practices that are likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information if they are ‘‘required by law’’); 85 FR 25642, 25794 (May 1, 2020) (explaining that ‘‘required by law’’ specifically refers to interferences that are explicitly required by state or Federal law). See also 89 FR 1192, 1351 (Jan. 9, 2024) (affirming that where applicable law prohibits access, exchange, or use of information, practices in compliance with such law are not considered to be information blocking and citing to compliance with the Privacy Rule as an example of an applicable law).
Comment: Although a few commenters expressed support for limiting the attestation condition to requests regarding ‘‘PHI potentially related to reproductive health care,’’ many commenters recommended that the proposed requirement to obtain an attestation be broadly applied to requests for any PHI. Many stated that it would be easier and more efficient for regulated entities if all requests related to a prohibited purpose required the attestation, regardless of the PHI being requested. According to these commenters, this would allow the regulated entity to avoid making any determinations regarding the PHI. A few explained that expanding the requirement to all PHI would appropriately place the burden of demonstrating that the requested disclosure was permissible on the person making the request. Several commenters asserted that information related to reproductive health care is potentially found in every department, record, and system, including those that may not have a readily apparent relationship to reproductive health care. As a result, according to these commenters, it would be onerous and costly to separate different types of health information in a medical record. According to other commenters, the volume of records requests received by health systems would render any requirement on a health care provider to redact PHI from an individual’s medical record in the absence of an attestation overly burdensome and increase the risk of unauthorized disclosure. Some commenters explained that staff managing health information generally do not have the legal or medical training to determine whether a PHI request may be for PHI potentially related to reproductive health care, particularly given the breadth of most requests (e.g., for all medical records of an entity, of a particular health care provider or a particular individual). These commenters also raised concerns that the lack of legal or medical training could lead to inconsistent application of the rule, the inadvertent disclosure of PHI potentially related to reproductive health care, or delay in the use or disclosure of PHI, even when the individual has not sought or obtained reproductive health care. Many commenters asserted that determining whether a request for the use or disclosure of PHI includes PHI potentially related to reproductive health care is difficult and a significant burden on health information professionals, particularly where the covered entity did not provide or facilitate the health care. According to some commenters, some business associates, such as cloud services providers, may not have the ability to determine whether the PHI that they maintain includes PHI potentially related to reproductive health care. Some commenters posited that the result of this requirement would be that health care providers would refuse to provide any PHI in response to a request for the use or disclosure of PHI on any matter that could possibly be construed as potentially related to reproductive health care. They and others stated that limiting the proposed prohibition to one category of PHI would require regulated entities to label or segment certain PHI within medical records, which would be impractical and costly because EHRs are unable to reliably segregate or flag PHI retrospectively.
Response: We acknowledge the comments from regulated entities that expressed concerns about the effects of the limitation of the attestation requirement to PHI potentially related to reproductive health care. However, the Department is concerned that extending the attestation requirement to all PHI could result in unintended consequences, such as the potential delay of law enforcement investigations that do not require PHI potentially related to reproductive health care. By contrast, an attestation requirement is necessary for PHI potentially related to reproductive health care because of recent changes to the legal landscape that make it more likely that PHI will be sought for punitive non-health care purposes, and thus more likely to be subject to disclosure by regulated entities if the requested disclosure is permissible under the Privacy Rule, thereby harming the interests that HIPAA seeks to protect. Accordingly, the Department is not modifying the attestation requirement that a regulated entity obtain an attestation only for PHI potentially related to reproductive health care. The Department acknowledges that the attestation requirement may increase the burden on regulated entities, but we disagree that regulated entities are unable to make the required assessments of attestations. Regulated entities currently conduct similar assessments when determining whether PHI may be disclosed to a personal representative, when making disclosures that are required by law or for public health purposes, and for various other permitted purposes. Regulated entities also regularly review medical records to comply with minimum necessary requirements. The Department is cognizant that an expanded attestation requirement could significantly increase burden if it were to expand this requirement to all disclosures in the absence of the sensitivities described in this final rule.
Comment: Many commenters supported the proposal to limit the requirement to obtain an attestation with a request for uses and disclosures to certain permissions, namely those that have the greatest potential to be connected with a purpose for which the Department proposed to prohibit the use and disclosure of PHI. Some commenters expressed their belief that the Department had identified the appropriate permissions for which the attestation would provide additional safeguards. Many commenters suggested modifications, primarily expansions or clarifications of the types of permitted uses and disclosures that would be subject to the attestation. Generally, commenters explained their belief that their recommended modifications would either mitigate the burden of the requirement to ascertain the purposes of the requested disclosure or increase privacy protections for individuals. Commenters recommended multiple ways to expand the attestation requirement, such as extending it to all permissions in 45 CFR 164.512; disclosures required by law, for public health activities, and to avert a serious threat to health or safety; disclosures for treatment purposes to a person not regulated by HIPAA or disclosures to any person who might use the PHI for a prohibited purpose; and any disclosure at the discretion of the covered entity. Response: The Department declines to expand the permissions for which an attestation is required at this time. The Department specifically chose to limit the attestation condition to the permissions at 45 CFR 164.512(d)–(g)(1) because these permissions have the greatest potential to result in the use or disclosure of an individual’s PHI for a purpose prohibited at 45 CFR 164.502(a)(5)(iii). In the context of other permissions, where the risk of improper use or disclosure is less, the benefits of an attestation condition would be outweighed by the administrative burden of compliance.
Accordingly, any disclosures made pursuant to 45 CFR 164.512(b), which includes disclosures for public health surveillance, investigations, or interventions, do not require an attestation. However, we note that requests made pursuant to other permissions of the rule remain subject to and must be evaluated for compliance with the prohibition at 45 CFR 164.502(a)(5)(iii). Comment: A commenter stated that no attestation should be needed for judicial and administrative proceedings because current requirements are adequate. Instead, the commenter requested that the Department consider expanding procedural protections. Response: We are finalizing the requirement that regulated entities obtain an attestation as a condition of a use or disclosure of PHI for judicial and administrative proceedings. As previously discussed, the attestation requirement ensures that certain Privacy Rule permissions are not used to circumvent the prohibition. The attestation requirement also reduces the burden on regulated entities because it is specifically designed to facilitate compliance with the prohibition under 45 CFR 164.502(a)(5)(iii) by helping regulated entities determine whether the use or disclosure of the requested PHI is permitted. Although a court order, qualified protective order, satisfactory assurance, or subpoena may have a restriction that prevents information requested from being further disclosed, it protects PHI only after it has been used or disclosed. Thus, the regulated entity’s use or disclosure of PHI could still violate the prohibition at 45 CFR 164.502(a)(5)(iii), even if that disclosure is made in response to a court order, qualified protective order, satisfactory assurance, or subpoena. The attestation requirement helps to mitigate the risk of violations in these circumstances. 
Comment: A few commenters expressed concerns about their ability to implement the attestation requirement in circumstances where the use or disclosure is triggered by a mandatory reporting law or verbal request and recommended that no attestation should be required in any case where disclosure of PHI is required by law. According to the commenters, an attestation requirement could require a significant change to operational workflows for permitted disclosures and significantly impede operations for state and local agencies that conduct death investigations and perform public health studies and initiatives. Response: The Privacy Rule at 45 CFR 164.512(a) permits certain uses and disclosures of PHI that are required by law, including notification of certain deaths by a covered health care provider to a medical examiner, when those uses and disclosures are limited to the requirements of such law. The attestation condition does not apply to the mandatory disclosures made pursuant to 45 CFR 164.512(a). Other mandatory reporting that is subject to 45 CFR 164.512(a)(2) has always been subject to the additional requirements of 45 CFR 164.512(c), (e), or (f). Further, mandatory reporting for public health activities pursuant to 45 CFR 164.512(b) does not require an attestation. The attestation condition applies if the regulated entity is making a use or disclosure to a coroner or medical examiner pursuant to 45 CFR 164.512(g)(1). We understand that this may require regulated entities to adjust their workflows to comply with this requirement.
For example, regulated entities could consider having an electronic attestation form readily available for persons that request the use or disclosure of PHI potentially related to reproductive health care because doing so may reduce delays in the regulated entity’s response time related to the attestation condition. Thus, this condition will not significantly impede operations for persons who request information because the interruptions will decrease as they adjust their workflows to accommodate the new condition. We remind regulated entities that the prohibition in 45 CFR 164.502(a)(5)(iii) applies, regardless of whether the request for PHI is made pursuant to a permission for which an attestation is required or another permission. Comment: Many commenters urged the Department to implement a reasonable, good faith standard or a safe harbor for situations in which a regulated entity discloses PHI and the person requesting the PHI either uses or rediscloses it for a purpose that would be prohibited under the proposed rule. Some commenters were concerned that a covered entity will be liable for inadvertent disclosures of PHI and sought the benefit of the affirmative defense afforded at 45 CFR 160.410(b)(2). Response: The Department declines to add a ‘‘good faith’’ standard or safe harbor to this final rule. As discussed above, the Department is not finalizing a separate Rule of Construction and is not incorporating the phrase ‘‘primarily for the purpose of’’ into the final prohibition standard. As we explained in the 2023 Privacy Rule NPRM, 45 CFR 164.509 requires a new attestation for each use or disclosure request; a single attestation would not be sufficient to permit multiple uses or disclosures.
This requirement is unlike the authorization, where generally, when a regulated entity receives a valid authorization, they may continue to use or disclose PHI to the person requesting the use or disclosure of PHI pursuant to that authorization after the initial disclosure, provided that such subsequent uses and disclosures are valid and related to that authorization. We understand that this may constitute an additional administrative burden for both the regulated entity and the person or entity requesting the information; however, requiring an attestation for each use or disclosure is necessary to ensure that certain Privacy Rule permissions are not used to circumvent the new prohibition at 45 CFR 164.502(a)(5)(iii), and to permit essential disclosures. Comment: Some commenters expressed support for permitting a regulated entity to rely on an attestation if ‘‘it appears objectively reasonable’’ or ‘‘when objectively reasonable’’ and not requiring covered entities to investigate the accuracy of an attestation, thereby mitigating liability to the regulated entity, if not fully protecting an individual. Many commenters expressed concern that it would not be objectively reasonable for a regulated entity to rely on a representation made by the person requesting the use or disclosure of PHI that the PHI sought was related to unlawful health care. The commenters requested a guarantee that a health care provider’s reliance on a ‘‘facially valid’’ attestation would be objectively reasonable without requiring the entity to investigate the intentions of the person requesting the use or disclosure of PHI and the validity of their attestation. A commenter recommended that the final rule direct regulated entities to take attestations at face value and hold harmless regulated entities in the event of a false attestation. 
Commenters offered several reasons for these recommendations, including the burden on covered entities where they are required to determine: (1) the veracity of every attestation; (2) whether an attestation is required; and (3) whether the statement that the request for the use or disclosure is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii) is objectively reasonable. Response: To assist in effectuating the prohibition, this Final Rule requires an attestation in some circumstances. We recognize the potential burden on regulated entities to investigate the validity of every attestation and do not require that they conduct a full investigation in each instance. However, as discussed above, if an attestation, on its face, meets the requirements at 45 CFR 164.509(c), a regulated entity must consider the totality of the circumstances surrounding the attestation and whether it is reasonable to rely on the attestation in those circumstances. To determine whether it is reasonable to rely on the attestation, a regulated entity should consider, among other things: who is requesting the use or disclosure of PHI; the permission upon which the person making the request is relying; the information provided to satisfy other conditions of the relevant permission; the PHI requested and its relationship to the purpose of the request (i.e., does the request meet the minimum necessary standard in relation to the purpose of the request); and, where the presumption at 45 CFR 164.502(a)(5)(iii)(C) applies, information provided by the person requesting the use or disclosure of PHI to overcome that presumption.
For example, as discussed above, it may not be reasonable for a regulated entity to rely on an attestation filed by a public official that a request for PHI potentially related to reproductive health care is not for a prohibited purpose when that public official has publicly stated their interest in investigating or imposing liability on those who seek, obtain, provide, or facilitate certain types of lawful reproductive health care. If a regulated entity concludes that it would not be reasonable to rely on the attestation in this instance, the regulated entity would be prohibited from disclosing the requested PHI unless and until the public official provided additional information that enables the regulated entity to assess the veracity of its attestation. In contrast, it may be reasonable to rely on the representation of a public official that a request for PHI potentially related to reproductive health care is not for a prohibited purpose if the stated purpose for the request is to investigate insurance fraud and the public official making the request is expressly authorized by law to conduct insurance fraud investigations as part of their legal mandate.
Therefore, as discussed above, the Department is balancing these considerations by finalizing language that generally permits a regulated entity to rely on the attestation if it is reasonable for the regulated entity to believe the statement that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii).361 To further assist regulated entities in determining whether it is reasonable to rely on the attestation, the requirement that the attestation include a clear statement that the use or disclosure is not for a prohibited purpose under 45 CFR 164.502(a)(5)(iii) may be satisfied with a statement that identifies why the use or disclosure is not prohibited, which could be checkboxes that indicate that the use or disclosure is not for a purpose described in 45 CFR 164.502(a)(5)(iii)(A), or that the reproductive health care does not satisfy the Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B). Where the request for the use or disclosure of PHI is made of the regulated entity that provided the reproductive health care at issue, the regulated entity should ensure that the reproductive health care was not lawful under the circumstances in which such health care was provided before using or disclosing the requested PHI. If the reproductive health care at issue was provided under circumstances in which such health care was lawful, the regulated entity must obtain an attestation and determine whether it is reasonable to rely on the attestation that the use or disclosure is not being requested to conduct an investigation into or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating such reproductive health care. 
If the reproductive health care at issue was provided under circumstances in which such health care was unlawful, the regulated entity is permitted, but not required, to disclose the PHI if the disclosure meets the conditions of an applicable Privacy Rule permission, which may include an attestation. Regulated entities will not generally be held liable for disclosing PHI to a person who signed the attestation under false pretenses, provided that the requirements of 45 CFR 164.509 are met, and it is reasonable under the circumstances for the regulated entity to believe the statement that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii). Comment: A commenter recommended that the rule clarify the relationship between the attestation and 45 CFR 164.514(h) regarding verification requirements. They requested that the Department consider making explicit in the Final Rule that reliance on legal process would not be appropriate in the absence of an attestation. Response: The verification requirement under 45 CFR 164.514(h)362 is separate from the attestation requirement, and a regulated entity must still comply with 45 CFR 164.514(h) when processing an attestation. The final rule makes clear that the attestation requirement will apply if the request for PHI potentially related to reproductive health care is made pursuant to permissions under 45 CFR 164.512(d)–(g)(1), which may include disclosing PHI pursuant to a legal process. Comment: Some commenters stated that it is difficult to determine the purpose of a request for the use or disclosure of PHI because many requests include only a general purpose. A commenter asserted that staff would need to screen all incoming requests, a task that may require legal or clinical expertise. Further, some commenters stated that regulated entities may experience conflict with persons requesting the use or disclosure of PHI about signing the form.
Response: This final rule prohibits the use and disclosure of PHI for certain purposes and conditions disclosures for certain purposes upon the receipt of an attestation. Thus, it is incumbent upon the regulated entity receiving the request to determine whether disclosure is in compliance with the Privacy Rule.

361 This approach is consistent with 45 CFR 164.514(h), which requires a regulated entity to verify the identity and legal authority of a public official or a person acting on behalf of the public official and describes the type of documentation upon which the regulated entity can rely, if such reliance is reasonable under the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A), which permits a covered entity to rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials that are permitted under 45 CFR 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s).

362 45 CFR 164.514(h)(1) requires a regulated entity to verify both the identity of the person requesting PHI and the authority of any such person to have access to PHI, if the identity or authority of such person is not known to the regulated entity. 45 CFR 164.514(h)(2)(ii) describes the information upon which a regulated entity may rely, if such reliance is reasonable under the circumstances, to verify the identity of a public official requesting PHI or a person acting on behalf of a public official, while 45 CFR 164.514(h)(2)(iii) describes the information upon which a regulated entity may rely, if such reliance is reasonable under the circumstances, to verify the authority of the public official requesting PHI or a person acting on behalf of a public official.
To help the regulated entity make such a determination, the Department is adding to the required elements of the attestation a description of the purpose of the request that is sufficient for the regulated entity to determine whether the prohibition at 45 CFR 164.502(a)(5)(iii) may apply to the request. Requests for the use or disclosure of PHI for the specified purposes are likely subject to heightened scrutiny by the regulated entity currently because of other conditions imposed upon such disclosures by the Privacy Rule, so additional expertise will not always be required when processing a request for the use or disclosure of PHI and the accompanying attestation. For example, under the Privacy Rule, a regulated entity must determine whether a request for the use or disclosure of PHI for a judicial or administrative proceeding made using a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal contains ‘‘satisfactory assurances’’ that reasonable efforts have been made by the person making the request either: (1) to ensure that the individual who is the subject of the PHI that has been requested has been given notice of the request;363 or (2) to secure a qualified protective order that meets certain requirements specified in the Privacy Rule.364 The Privacy Rule further details how regulated entities are to determine whether they have received ‘‘satisfactory assurances’’ for both options described above.365 Such requirements ensure that a regulated entity must already carefully review requests for such purposes, such that the attestation condition likely poses minimal additional burden for such requests. In any event, the Department believes that these administrative burdens are outweighed by the privacy interests that this final rule seeks to protect.
Comment: Many commenters asserted that it would be reasonable to require affirmative verification under penalty of perjury that the request for the use or disclosure of PHI is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii) because it would signal an intent to penalize requests 363 45 CFR 164.512(e)(1)(ii)(A). CFR 164.512(e)(1)(ii)(B). 365 45 CFR 164.512(e)(1)(iii) and (iv). 364 45 E:\FR\FM\26APR5.SGM 26APR5 ddrumheller on DSK120RN23PROD with RULES5 33038 Federal Register / Vol. 89, No. 82 / Friday, April 26, 2024 / Rules and Regulations made to contravene the prohibition; would incentivize persons requesting the use or disclosure of PHI to consider whether their request is for a purpose prohibited under 45 CFR 164.502(a)(5)(iii); deter unlawful ‘‘fishing expeditions’’ or conceal improper intent; and add a layer of accountability. Another commenter stated this heightened standard would enable the covered entity to reasonably rely in good faith on the substance of the attestation without further investigation, delay, cost, burden, or dispute. According to the commenter, a person making a request for the use or disclosure of PHI in good faith should have minimal to no concern when providing a statement signed under penalty of perjury. Another commenter supported a requirement that a person requesting the use or disclosure of PHI provide an affirmative verification made under penalty of perjury that the use or disclosure is not for purpose prohibited under 45 CFR 164.502(a)(5)(iii) because it would suggest that evidence obtained falsely would not be admissible in a legal proceeding. A commenter asserted that it is important to ensure that the proposed attestations would be as effective as possible, and including a signed declaration made under penalty of perjury is critical to ensuring their effectiveness in the current legal environment. 
A commenter endorsed adding a statement regarding perjury to the proposed attestation because it would place the person requesting the use or disclosure of PHI on notice of the criminal penalties if the person were to violate the proposed requirement. A commenter asserted that the penalty of perjury requirement is a common signature standard for legal and administrative proceedings and expressed support for expanding it to other proceedings. The commenter also expressed support for considering other options because of concerns that the application and consequences of making a statement under a penalty of perjury may lack clarity outside of certain proceedings.

Response: We appreciate commenters’ suggestions; however, the Department ultimately decided that the addition of a penalty of perjury would be unnecessary in light of the statutory criminal and civil penalties under HIPAA. 42 U.S.C. 1320d–6 provides that any person who knowingly and in violation of the Administrative Simplification provisions obtains IIHI relating to another individual or discloses IIHI to another person is subject to criminal liability.366 A regulated entity is also subject to civil penalties for violations of requirements of the HIPAA Rules.367 Thus, a person that requests PHI who knowingly falsifies an attestation (e.g., makes material misrepresentations as to the intended uses of the PHI requested) to obtain PHI or cause PHI to be disclosed would be in violation of HIPAA and could be subject to criminal penalties.368

366 See 42 U.S.C. 1320d–6(a).
367 See 42 U.S.C. 1320d–5. See also 45 CFR part 160, subparts A, D, and E.
368 See 42 U.S.C. 1320d–6(b).

Comment: Some commenters expressed support for requiring that the attestation include a statement that a person signing an attestation is doing so under penalty of perjury, but they also questioned its ability to prevent a person from requesting the use or disclosure of PHI for a purpose prohibited under 45 CFR 164.502(a)(5)(iii) and recommended additional requirements or alternatives. One commenter expressed concern that there would be no disincentive for the recipient to submit an attestation signed under false pretenses in the absence of enforceable penalties. A different commenter questioned the efficacy of a penalty of perjury requirement because the person requesting the use or disclosure may not be the person that uses the PHI for a purpose prohibited under 45 CFR 164.502(a)(5)(iii); it might be another person who uses the information for a purpose prohibited under that provision. According to the commenter, no criminal or other penalty would attach because that other person did not sign the attestation. The commenter also expressed concern that an attestation signed on behalf of an entity may not be enforceable because the person who signed the attestation did not have authority to bind the entity. Commenters variously recommended that the Department include language that the person requesting the use or disclosure of PHI would not further use or disclose the PHI for a purpose prohibited under 45 CFR 164.502(a)(5)(iii) and that the requested information is the minimum necessary, or require a search warrant or data use agreement instead of an attestation. A commenter recommended that the Department provide individuals with an actionable remedy, such as the right to receive a portion of any civil money penalty assessed to the regulated entity or the right to ‘‘claw back’’ the disclosure from the receiving entity if the party that signed the attestation later violates its terms.

Response: The Department understands and shares commenters’ concerns about redisclosures that would be prohibited by this rule if the disclosure was made by a regulated entity.
However, HIPAA limits the Department’s authority to regulating PHI maintained or transmitted by a regulated entity, that is, a covered entity or its business associate. Accordingly, a person that is not a regulated entity generally may use or disclose such information without further limitation by the HIPAA Rules. Requiring search warrants or data use agreements as a condition of the use or disclosure of PHI is beyond the scope of this final rule. With respect to the commenter’s concern about situations in which a person who does not have the appropriate authority requests PHI on behalf of a public official, the Privacy Rule generally requires that a regulated entity verify the identity and legal authority of persons requesting PHI prior to making the disclosure.369 Where a disclosure of PHI is to a public official or person acting on behalf of a public official who has the authority to request the information, a regulated entity may verify the authority of that public official by relying on, if reliance is reasonable under the circumstances, a written statement of legal authority under which the information is requested (or an oral statement, if the written statement is impracticable).370 Alternatively, a regulated entity may presume the public official’s legal authority if a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal.371 We remind regulated entities that a determination that a public official has the authority to make a request for the use or disclosure does not mean that the Privacy Rule permits them to obtain any and all information that the official requests. In such circumstances, the regulated entity should carefully review the conditions of the applicable permission to ensure that they are met.
Where the condition involves a warrant, subpoena, or similar instrument, the regulated entity must also review the scope of the authority granted by the warrant, subpoena, or order to determine the extent of the PHI that it is permitted to disclose.372 Further, a regulated entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure by a public official as the minimum necessary if the public official represents that the requested PHI is the minimum necessary for the stated purpose.373 HIPAA specifies the remedies available to the Federal Government where persons violate the statute’s Administrative Simplification provisions: civil monetary penalties374 and criminal fines and imprisonment.375 HIPAA does not include a private right of action.

369 See 45 CFR 164.514(h); see also 65 FR 82462, 82541, and 82547 (Dec. 28, 2000).
370 45 CFR 164.514(h)(2)(iii)(A).
371 45 CFR 164.514(h)(2)(iii)(B).
372 45 CFR 164.512(a)(1).
373 45 CFR 164.514(d)(3)(iii)(A).
374 42 U.S.C. 1320d–5.
375 42 U.S.C. 1320d–6.

Comment: One commenter asked the Department to clarify that anyone providing a false attestation would be held accountable for false statements with appropriate or significant civil fines or criminal penalties for the material misrepresentation. Another commenter specifically recommended that the Department consider it a material misrepresentation for a person to sign an attestation without an objectively reasonable basis to suspect that the reproductive health care of interest was unlawful under the circumstances in which such health care was provided. The commenter asserted that the attestation should include specific language that any person who is requesting the use or disclosure of PHI because they believe the reproductive health care was not lawful under the circumstances in which such health care was provided must have a reasonable basis for that belief (e.g., a statement from a witness) and that the absence of an articulable, fact-based reasonable suspicion would constitute a material misrepresentation. According to the commenter, such a requirement would prevent fishing expeditions because persons requesting the use or disclosure of PHI would be required to have an actual, objective reason for believing that a person provided health care in violation of state or Federal law.

Response: The Department agrees that it would be a material misrepresentation if a person who signs an attestation does not have an objectively reasonable basis to suspect that the reproductive health care was provided under circumstances in which it was unlawful, and that an objectively reasonable basis of suspicion requires specific and articulable facts associated with the individual whose PHI is requested and the health care they received. We decline to include a statement of this position on the attestation because it is encompassed in the language that requires persons making a request for PHI to attest that they are not making the request for a prohibited purpose and the language ensuring that persons making such requests are aware of the potential liability for knowingly and in violation of HIPAA obtaining IIHI relating to an individual or disclosing IIHI to another person.

Comment: Some commenters urged the Department to include additional provisions to monitor and enforce the attestation condition, including requiring that a court order, written attestation, or valid authorization accompany requests for the use or disclosure of PHI for legal or administrative proceedings or law enforcement investigations.

Response: The attestation condition does not replace the conditions of the Privacy Rule’s permissions for a regulated entity to disclose PHI in response to a subpoena, discovery request, or other lawful process,376 or administrative request.377 Instead, it is designed to work with these permissions and their associated conditions. For PHI to be disclosed pursuant to 45 CFR 164.512(e)(1)(ii) and (f)(1)(ii)(C), a regulated entity must verify that the relevant conditions are met and also satisfy the attestation condition at 45 CFR 164.509. We do not believe it is necessary to include additional requirements to monitor and enforce implementation of the attestation condition because a person who knowingly and in violation of the Administrative Simplification provisions obtains IIHI relating to another individual or discloses IIHI to another person would be subject to criminal liability.378

376 45 CFR 164.512(e)(1)(ii).
377 45 CFR 164.512(f)(1)(ii)(C).
378 See 42 U.S.C. 1320d–6(a).

Comment: Almost all commenters responding to the Department’s request for comment expressed support for a Department-developed model attestation or sample language that could be used by regulated entities to reduce the implementation burden of the attestation condition. A large health care provider expressed appreciation for options that would simplify the process for reviewing requests for the use or disclosure of PHI made pursuant to 45 CFR 164.512(d)–(g)(1). Other commenters asserted that a standard form would reduce unnecessary variation, support a consistent approach, decrease implementation costs, and make it easier for a regulated entity to identify requests for the use or disclosure of PHI for purposes prohibited under 45 CFR 164.502(a)(5)(iii). Several commenters suggested that a universal or standardized attestation form would reduce the burden of the attestation requirement, especially for smaller health care providers, and reduce delays in the disclosure of PHI resulting from the need for legal review or unfamiliarity with the format of an attestation provided by a person requesting the use or disclosure of PHI. One of these commenters stated this would also support electronic data exchange by standardizing attestation fields and the format. Most commenters expressed opposition to a Department-required format and recommended that the Department permit covered entities to modify the language of the attestation. Some commenters requested that the model attestation include a plain language explanation and a tip sheet or guidance for completion. They also requested that the model be an electronic, fillable form with a clear heading and that the editing capabilities be limited to the specific required fields. Some commenters recommended that the model attestation contain an outline of penalties for misuse of PHI. A commenter requested that the Department guarantee that a health care provider’s good faith reliance on a model attestation form would be objectively reasonable.

Response: We appreciate these recommendations and intend to publish model attestation language before the compliance date of this final rule.
As discussed above, if an attestation, on its face, meets the requirements at 45 CFR 164.509(c), a regulated entity must consider the totality of the circumstances surrounding the attestation and whether it is reasonable to rely on the attestation in those circumstances.

Comment: In response to the Department’s request for comment on how the proposed attestation would affect a regulated entity’s process for responding to regular or routine requests from certain persons, a few commenters explained their current workflows and the resource requirements for managing these requests. Some commenters suggested that an attestation requirement might require changes to workflows and discussed the changes that might be made.

Response: The Department appreciates these insights into how regulated entities currently respond to certain requests for the use or disclosure of PHI. We confirm that a person requesting the use or disclosure of PHI pursuant to 45 CFR 164.512(d), (e), (f), or (g)(1) must provide the regulated entity a signed and truthful attestation where the request is for PHI potentially related to reproductive health care before the regulated entity is permitted to use or disclose the requested PHI. The Department will consider developing guidance and technical assistance on these topics in the future as necessary to ensure compliance with the Privacy Rule, including both the prohibition at 45 CFR 164.502(a)(5)(iii) and the attestation condition at 45 CFR 164.509. It may benefit a regulated entity to require such documentation where the requested use or disclosure is for TPO or in response to a valid authorization or individual right of access request.

Comment: A few commenters recommended imposing obligations to limit redisclosures of PHI for certain purposes. A few commenters stated that a person requesting the use or disclosure of PHI could seek a court order or provide a written attestation to permit the regulated entity to make the disclosure in question in the event they were unable to obtain an authorization.

Response: While we understand commenters’ concerns regarding the uses and disclosures of health information by entities not covered by the Privacy Rule, the Department is limited to applying the HIPAA Rules to those entities covered by HIPAA (i.e., health plans, health care clearinghouses, and health care providers that conduct covered transactions) and to business associates, as provided under the HITECH Act. In the 2023 Privacy Rule NPRM, the Department considered permitting regulated entities to make uses or disclosures of PHI only after obtaining a valid authorization. However, the Department rejected the approach because requiring an authorization in all circumstances would not reflect the appropriate balance between individual privacy interests and other societal interests in disclosure. In particular, individuals may decline to authorize disclosure of PHI even in circumstances where their privacy interests are reduced and societal interests in disclosure are heightened, such as where the reproductive health care was unlawful under the circumstances in which it was provided.

Comment: Some commenters requested that the Department provide educational resources for regulated entities to implement the attestation. A commenter encouraged the Department to strongly enforce the attestation provision.

Response: We appreciate these recommendations and commit to providing additional resources to assist regulated entities with implementation of this rule.
Comment: In response to the Department’s request for comment on alternative documentation that could assist regulated entities in complying with the proposed limitations on the use and disclosure of PHI, some commenters recommended that an attestation always be required, even if additional documentation is mandated, because the attestation would place the person requesting the use or disclosure of PHI on notice of the prohibition and hold them accountable if they use the PHI for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), in addition to helping a covered entity to determine whether the PHI is being requested for a legitimate or prohibited purpose. Others agreed because of the risk of coercion when authorizations are sought from individuals for certain purposes. Some commenters suggested that the Department require that a court order, written attestation, or valid authorization accompany a request for the use or disclosure of any PHI for legal or administrative proceedings or law enforcement investigations because there are circumstances under which it would be unlikely for a person to obtain an authorization. Some commenters recommended that the Department not require an attestation when the disclosure of PHI is required by law, or when so ordered by a court of competent jurisdiction. A commenter proposed that the Department permit regulated entities to make the specified uses and disclosures with a written attestation, a HIPAA authorization, or alternative documentation described by the Department, including a court order, to minimize the administrative burden.

Response: The Department appreciates the approaches recommended by commenters to ensure that PHI requested is not for a prohibited purpose. We also believe that the attestation will place the person requesting the use or disclosure of PHI on notice of the prohibition and serve to hold them accountable if they use the PHI for a purpose prohibited by 45 CFR 164.502(a)(5)(iii).
However, we have limited the attestation requirement to requests for PHI that is potentially related to reproductive health care. In addition, as discussed above, because the Privacy Rule’s authorization requirements empower individuals to make decisions about who has access to their PHI, we are not adopting the proposed exception to the permission to use or disclose PHI pursuant to a valid authorization, nor are we adopting the other recommendations made by commenters. The Department is not finalizing its proposal to prohibit the disclosure of PHI for a purpose prohibited by 45 CFR 164.502(a)(5)(iii) pursuant to an authorization. Accordingly, the final rule permits the disclosure of an individual’s PHI to another person pursuant to a valid authorization, even if the disclosure would otherwise be prohibited under this rule. Therefore, a regulated entity may disclose PHI for a purpose that otherwise would be prohibited under 45 CFR 164.502(a)(5)(iii) by obtaining a valid authorization or pursuant to the individual right of access. We reiterate that in all cases, the conditions of the underlying permission must be met before a regulated entity is permitted to use or disclose the requested PHI.

D. Section 164.512—Uses and Disclosures for Which an Authorization or Opportunity To Agree or Object Is Not Required

1. Applying the Prohibition and Attestation Condition to Certain Permitted Uses and Disclosures

Section 164.512 of the Privacy Rule contains the standards for uses and disclosures for which an authorization or opportunity to agree or object is not required. Many of the uses and disclosures addressed by 45 CFR 164.512 relate to government or administrative functions and are described in the 2000 Privacy Rule preamble as ‘‘national priority purposes.’’379 These permissions for uses and disclosures were not required by HIPAA; instead they represented the Secretary’s previous balancing of the privacy interests and expectations of individuals and the interests of communities in making certain information available for community purposes, such as for certain public health, health care oversight, and research purposes.380 As discussed previously, the Department, in its implementation of HIPAA, has sought to ensure that individuals do not forgo health care when needed—or withhold important information from their health care providers that may affect the quality of health care they receive—out of a fear that their sensitive information would be revealed outside of their relationships with their health care providers. To clarify that the proposal at 45 CFR 164.502(a)(5)(iii) would prohibit the use and disclosure of PHI in some circumstances where such uses or disclosures are currently permitted, the Department proposed to cite the proposed prohibition at the beginning of the introductory text of 45 CFR 164.512 and condition certain disclosures on the receipt of the attestation proposed at 45 CFR 164.509.381 The proposed modification would add the clause, ‘‘Except as provided by 45 CFR 164.502(a)(5)(iii), [. . .]’’ and add ‘‘and 45 CFR 164.509’’ to ‘‘subject to the applicable requirements of this section.’’ This would create a new requirement to obtain an attestation from the person requesting the use and disclosure of PHI as a condition of making certain types of permitted uses and disclosures of PHI. Thus, under the proposal and subject to the Department finalizing the prohibition at paragraph (a)(5)(iii) of 45 CFR 164.502, uses and disclosures of PHI for certain purposes would be prohibited unless a regulated entity first obtained an attestation from the person requesting the use and disclosure under proposed 45 CFR 164.509. The Department also proposed to replace ‘‘orally’’ with ‘‘verbally’’ at the end of the introductory paragraph for clarity.

379 65 FR 82462, 82524 (Dec. 28, 2000).
380 See id. at 82471.
381 88 FR 23506, 23537–38 (Apr. 17, 2023).

Overview of Public Comments

While many commenters addressed the proposals to add a prohibition on the use and disclosure of PHI and to require an attestation in certain circumstances, few commenters addressed the proposal to modify the introductory paragraph to 45 CFR 164.512. Such commenters either expressed support for it or requested additional guidance on the Department’s intention or the proposal’s operation. The Department is adopting its proposal without modification. As discussed above, this change creates a new requirement for a regulated entity to obtain an attestation from a person requesting the use or disclosure of PHI as a condition of making certain types of permitted uses and disclosures of PHI. For example, the Privacy Rule currently permits uses and disclosures for health care oversight,382 judicial and administrative proceedings,383 law enforcement purposes,384 and about decedents to coroners and medical examiners,385 provided specified conditions are met. When read in conjunction with the new prohibition at 45 CFR 164.502(a)(5)(iii), uses and disclosures of PHI for these purposes will be subject to an additional condition that the regulated entity first obtain an attestation from the person requesting the use and disclosure under the new attestation requirement at 45 CFR 164.509.

382 45 CFR 164.512(d).
383 45 CFR 164.512(e).
384 45 CFR 164.512(f).
385 45 CFR 164.512(g)(1).
The Department assumes that there will be instances in which state or other law requires a regulated entity to use or disclose PHI for health care oversight, judicial and administrative proceedings, law enforcement purposes, or about decedents to coroners and medical examiners for a purpose not related to one of the prohibited purposes in 45 CFR 164.502(a)(5)(iii). The Department believes that a regulated entity will be able to comply with such laws and the attestation requirement. For example, a regulated entity may continue to disclose PHI without an individual’s authorization to a state medical board, a prosecutor, or a coroner, in accordance with the Privacy Rule, when the request is accompanied by the required attestation. As a result, a regulated entity generally may continue to assist the state in carrying out its health care oversight, judicial and administrative functions, law enforcement, and coroner duties with the use or disclosure of PHI once a facially valid attestation has been provided to the regulated entity from whom PHI is sought. However, where an attestation is required but not obtained, a state seeking information about an individual’s reproductive health or reproductive health care would need to obtain such information from an entity not regulated under the Privacy Rule386 or demonstrate that the regulated entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which such health care was provided, thereby reversing the presumption described at 45 CFR 164.502(a)(5)(iii)(C). Additionally, we are replacing ‘‘orally’’ with ‘‘verbally’’ for clarity. No substantive change is intended.

386 The Privacy Rule only applies to PHI, which is IIHI that is maintained or transmitted by, for, or on behalf of a covered entity. Thus, it does not apply to individuals’ health information when it is in the possession of a person that is not a regulated entity, such as a friend or family member, or when it is stored on a personal cellular telephone or tablet. See Off. for Civil Rights, ‘‘Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet,’’ U.S. Dep’t of Health and Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/.

Comment: One commenter expressed support for the Department’s proposed revision to 45 CFR 164.512, while another commenter requested additional examples or detail in the preamble about what the Department intends by this revision.

Response: The Department intends that the uses and disclosures of PHI made in accordance with 45 CFR 164.512 would be subject to both the 45 CFR 164.502(a)(5)(iii) prohibition and the 45 CFR 164.509 attestation, when applicable, specifically uses or disclosures made for health oversight activities,387 judicial and administrative proceedings,388 law enforcement purposes,389 and about decedents to coroners and medical examiners.390 For example, a regulated entity may disclose PHI for law enforcement purposes, subject to the conditions of the permission at 45 CFR 164.512(f), where the purpose of the request for the use or disclosure is to investigate a sexual assault and the person requesting the PHI provides the regulated entity with a valid attestation signifying that the purpose of the request is not for a prohibited purpose. Similarly, where a request meets the requirements of 45 CFR 164.502(a)(5)(iii), a regulated entity may disclose PHI for law enforcement purposes, subject to the conditions of the permission at 45 CFR 164.512(f), where the purpose of the request for the use or disclosure is to investigate the unlawful provision of reproductive health care with a valid attestation signifying that the purpose of the request is not one that is prohibited (i.e., that the purpose of the use or disclosure is not to investigate or impose liability on any person for the lawful provision of reproductive health care). As another example, a regulated entity may disclose PHI to a state Medicaid agency in accordance with 45 CFR 164.512(d) where the purpose of the request is to ensure that the regulated entity is providing the reproductive health care for which the regulated entity has submitted claims for payment to Medicaid after obtaining an attestation that meets the requirements of 45 CFR 164.509 from the state Medicaid agency.

387 45 CFR 164.512(d).
388 45 CFR 164.512(e).
389 45 CFR 164.512(f).
390 45 CFR 164.512(g)(1).

Comment: One commenter requested clarification regarding the intersection between the Department’s proposed Rule of Construction at 45 CFR 164.502(a)(5)(iii)(D) and its proposal at 45 CFR 164.512.

Response: The Department is not adopting the proposed Rule of Construction. Rather, the language of the proposal has been integrated into the prohibition standard at 45 CFR 164.502(a)(5)(iii)(A). The finalized prohibition standard requires a regulated entity to ensure that it obtains a valid attestation from a person requesting the use or disclosure of PHI for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or about decedents to coroners or medical examiners, assuring the regulated entity that the purpose of the request is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii).

2. Making a Technical Correction to the Heading of 45 CFR 164.512(c) and Clarifying That Providing or Facilitating Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence

Paragraph (c) of 45 CFR 164.512 permits a regulated entity to disclose PHI, under specified conditions, to an authorized government agency where the regulated entity reasonably believes the individual is a victim of abuse, neglect, or domestic violence. The regulatory text includes a serial comma, which clearly indicates that the provision addresses victims of three different types of crimes, but the heading of this standard does not include the serial comma. For grammatical clarity, the Department proposed to add the serial comma after the word ‘‘neglect’’ in the heading of the standard contained at 45 CFR 164.512(c).391 The Department also proposed to add a new paragraph (c)(3) to 45 CFR 164.512(c), with the heading ‘‘Rule of construction,’’ to clarify that the permission to use or disclose PHI in reports of abuse, neglect, or domestic violence does not permit uses or disclosures based primarily on the provision or facilitation of reproductive health care to the individual.392 The Department intended the proposed provision to safeguard the privacy of individuals’ PHI against claims that uses and disclosures of that PHI are warranted because the provision or facilitation of reproductive health care, in and of itself, may constitute abuse, neglect, or domestic violence.
A few commenters supported the proposal because it would clarify that providing or facilitating access to health care is not itself abuse, neglect, or violence, while others expressed opposition to the proposal because they believed it would prevent health care providers from reporting abuse based on the provision of reproductive health care, including potentially coerced reproductive health care. Commenters both supported and opposed the inclusion of the phrase “based primarily.”

391 88 FR 23506, 23538 (Apr. 17, 2023).
392 Id.

The Department is finalizing the proposal to add the serial comma after the word “neglect” in the heading of the standard contained at 45 CFR 164.512(c). As we explained in the 2023 Privacy Rule NPRM, the Department is concerned that recent state actions may lead regulated entities to believe that they are permitted to make disclosures of PHI when they believe that persons who provide or facilitate access to reproductive health care are perpetrators of a crime simply because they provide or facilitate access to reproductive health care. Thus, the Department is clarifying that providing or facilitating access to lawful reproductive health care itself is not abuse, neglect, or domestic violence for purposes of the Privacy Rule. This is consistent with the Department’s understanding that the provision or facilitation of lawful health care is not itself abuse, neglect, or domestic violence. Such clarification has not previously been required, but recent developments in the legal landscape have made it necessary for us to codify this interpretation in the context of reproductive health care. Accordingly, the Department is finalizing the proposed Rule of Construction at 45 CFR 164.512(c)(3), with modification as follows.
The modification clarifies the circumstances under which regulated entities that are mandatory reporters of abuse, neglect, or domestic violence are permitted to make such reports. Specifically, we are replacing “based primarily on” with language specifying that the prohibition at 45 CFR 164.502(a)(5)(iii) cannot be circumvented by the permission to use or disclose PHI to report abuse, neglect, or domestic violence where the “sole basis of” the report is the provision or facilitation of reproductive health care. Thus, the Department makes clear that it may be reasonable for a covered entity that is a mandatory reporter to believe that an individual is the victim of abuse, neglect, or domestic violence and to make such report to the government authority authorized by law to receive such reports in circumstances where the provision of reproductive health care to the individual is but one factor prompting the suspicion. For example, it would not be reasonable for a covered entity to believe that an individual is the victim of domestic violence solely because the individual’s spouse facilitated the covered entity’s provision of reproductive health care to the individual.

Comment: A few commenters supported the Department’s proposal. One commenter asserted that providing or facilitating access to any type of health care is not in and of itself abuse, neglect, or domestic violence and urged the Department to expand the scope of this language, particularly if the prohibition is similarly expanded in the final rule.

Response: The Department appreciates the comments about the modifications to 45 CFR 164.512(c). As discussed above, the scope of the prohibition is limited to reproductive health care. The proposed and final regulations are narrowly tailored and limited in scope to not increase regulatory burden beyond appropriate public policy objectives. Thus, we decline to expand the scope of this provision, as well.
Comment: A large coalition expressed concerns about mandatory domestic violence and sexual assault reporting laws. According to the coalition, mandatory reporting laws reduce the willingness of domestic violence survivors to seek help, including health care, and the reports themselves worsen the situation for most survivors. The coalition asserted that permitting the disclosure of PHI to law enforcement and other agencies for reports of abuse, neglect, or domestic violence isolates survivors of such abuse and puts them at risk of losing their children. These commenters recommended that the Department prevent such disclosures. Some commenters expressed opposition to the proposal because they believe it would put victims of domestic abuse at risk because it would prevent health care providers from reporting abuse, including child abuse, based on the provision or facilitation of reproductive health care. A commenter asserted that the proposal would circumvent the exception prohibiting disclosures to abusive persons at 45 CFR 164.512(b)(1)(ii). According to another commenter, the change would chill the willingness of covered entities to cooperate with investigations and judicial proceedings concerning individuals who may have used reproductive health care, regardless of the matter being adjudicated. According to another commenter, the proposal is aimed at undermining state laws and shielding persons who provide or facilitate reproductive health care. Commenters expressed concern that the proposal would prohibit reports of abuse, neglect, or domestic violence because such reports are made for the purpose of investigating or prosecuting a person for providing or facilitating unlawful reproductive health care, and for committing sexual assault.
Response: The Department appreciates the concerns raised by the commenters. Since publication of the final Privacy Rule in 2000, the Department has acknowledged that covered entities, including covered health care providers, may have legal obligations to report PHI in certain circumstances, including about suspected victims of abuse, neglect, or domestic violence. The Department did not propose to modify the Privacy Rule’s permission to disclose PHI at 45 CFR 164.512(c). The Department declines to expand its proposal to eliminate the permission for covered entities to disclose PHI to public health authorities, law enforcement, and other government authority authorized by law to receive reports of abuse, neglect, or domestic violence. Additionally, the Department does not agree that covered entities will be prevented from reporting PHI about victims of abuse, neglect, or domestic violence. The new language at 45 CFR 164.512(c)(3) is narrowly tailored to reduce the conflation between lawfully provided reproductive health care and the view that such lawful health care, on its own, is abuse. Readers are referred to the preamble discussion of 45 CFR 164.502(a)(5)(iii) that describes the scope of disclosure changes which are being made applicable to 45 CFR 164.512(c). The Department does not agree that the modifications circumvent the exception prohibiting disclosures to abusive persons at 45 CFR 164.512(b)(1)(ii). The new language at 45 CFR 164.512(c)(3) does not modify or change the current Privacy Rule provision for disclosures to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect. 
We believe the commenter is referring to 45 CFR 164.512(c)(2), which requires a covered entity to inform an individual that a report has been or will be made, and 45 CFR 164.512(c)(2)(ii), which removes the requirement to inform the individual when the covered entity would be informing a personal representative and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment. Because the new language at 45 CFR 164.512(c)(3) operates as a limitation on disclosure, it is not possible for the new provision to permit disclosures in more circumstances than previously permitted, and it therefore does not circumvent the existing provision.

Comment: A commenter recommended that the Department clarify that the proposed Rule of Applicability would not prohibit disclosure and use of such records when they are sought for a defensive purpose by revising the proposed Rule of Construction at 45 CFR 164.512(c)(3) to more explicitly state that it permits such use or disclosure.

Response: The adopted Rule of Construction at 45 CFR 164.512(c)(3) applies to disclosures permitted by 45 CFR 164.512(c), which are explicitly to a government authority, including a social service or protective services agency, authorized by law to receive reports of abuse, neglect, or domestic violence. The Department is not aware of a disclosure that otherwise meets the requirements specified at 45 CFR 164.512(c)(1) that would constitute a disclosure for defensive purposes.
Rather, disclosures of PHI for defensive purposes, such as a disclosure to defend against a criminal prosecution for allegations of providing unlawful health care, are permitted by 45 CFR 164.512(f), as well as for health care operations when obtaining legal services. To the extent that a disclosure for a defensive purpose meets the applicable requirements and is permitted, the Department confirms that the final rule language generally would not prohibit a disclosure.

Comment: A few commenters requested clarification of the standard for determining what would constitute a report of abuse, neglect, or domestic violence that is based primarily on the provision of reproductive health care. Commenters also requested clarification about the interaction between the proposed prohibition and the permission at 45 CFR 164.512(c).

Response: The Privacy Rule permits but does not require the reporting of abuse, neglect, or domestic violence under certain conditions.393 Under the final rule, the Department is clarifying that this permission does not apply where the sole basis of the report is the provision or facilitation of reproductive health care. With this modification, the Department makes clear that it may be reasonable for a covered entity that is a mandatory reporter to believe that an individual is the victim of abuse, neglect, or domestic violence and to make such report to the government authority authorized by law to receive such reports in circumstances where the provision or facilitation of reproductive health care is but one factor prompting the suspicion. We also note, as discussed above with respect to 45 CFR 164.512(b)(1)(i), that this permission allows a covered entity to report known or suspected abuse, neglect, or domestic violence only for the purpose of making a report. The PHI disclosed must be limited to the minimum necessary information for the purpose of making a report.394 These provisions do not permit the covered entity to disclose PHI in response to a request for the use or disclosure of PHI to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on a person based on suspected abuse, neglect, or domestic violence. Thus, any disclosure of PHI in response to a request from an investigator, whether in follow up to the report made by the covered entity (other than to clarify the PHI provided on the report) or as part of an investigation initiated based on an allegation or report made by a person other than the covered entity, must meet the conditions of disclosures for law enforcement purposes or judicial and administrative proceedings.395

393 45 CFR 164.512(c).
394 See 45 CFR 164.502(b) and 164.514(d).
395 See 45 CFR 164.512(e) and (f).

3. Clarifying the Permission for Disclosures Based on Administrative Processes

Under 45 CFR 164.512(f)(1), a regulated entity may disclose PHI pursuant to an administrative request, provided that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) de-identified information could not reasonably be used. Examples of administrative requests include an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law. The examples of administrative requests provided in the regulatory text include only requests that are enforceable in a court of law, and the catchall “or similar process authorized by law” similarly is intended to include only requests that, by law, require a response.

This interpretation is consistent with the Privacy Rule’s definition of “required by law,” which enumerates these and other examples of administrative requests that constitute “a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law.” As we explained in the 2023 Privacy Rule NPRM, the Department has become aware that some regulated entities may be interpreting 45 CFR 164.512(f)(1) in a manner that is inconsistent with the Department’s intent. Therefore, the Department proposed to clarify the types of administrative processes that this provision was intended to address.396 Specifically, the Department proposed to insert language to clarify that the administrative processes that give rise to a permitted disclosure include only requests that, by law, require a regulated entity to respond. Accordingly, the proposal would specify that PHI may be disclosed pursuant to an administrative request “for which a response is required by law.” The Department does not consider this to be a substantive change because the proposal was consistent with the express language of the preamble discussion on this topic in the 2000 Privacy Rule.397 The Department intends that the express inclusion of this language will ensure that regulated entities more fully appreciate the permitted uses and disclosures pursuant to 45 CFR 164.512(f)(1)(ii)(C). The Department received few comments on the proposal to clarify the permission at 45 CFR 164.512(f)(1)(ii)(C). Comments were mixed, with some support, some opposition, and some requesting additional modifications or additional examples or guidance.
While the Department received few comments on this clarification, the Department is aware of reports that covered entities are misinterpreting the intention of the requirements of 45 CFR 164.512(f)(1)(ii)(C) that disclosures of PHI to law enforcement be necessary and limited in scope. For example, a congressional inquiry recently highlighted concerns about disclosures of PHI to law enforcement from retail pharmacy chains. The inquiry found that some pharmacy staff are providing PHI directly to law enforcement without advice from their legal departments, in part because their staff “face extreme pressure to immediately respond to law enforcement demands.” 398 Based on this inquiry, these disclosures often are made without a warrant or subpoena issued by a court.399 The Department is adopting the clarification as proposed because regulated entities are misinterpreting the requirements of 45 CFR 164.512(f)(1)(ii)(C) that ensure that disclosures of PHI to law enforcement are necessary and limited in scope. Accordingly, the Department is adding to 45 CFR 164.512(f)(1)(ii)(C) language that specifies that PHI may be disclosed pursuant to an administrative request “for which a response is required by law.” Thus, the regulatory text now clearly states that the administrative processes for which a disclosure is permitted are limited to only requests that, by law, require a regulated entity to respond, consistent with the preamble discussion on this topic in the 2000 Privacy Rule.400

Comment: A few commenters supported the Department’s proposed clarification of 45 CFR 164.512(f)(1)(ii)(C). A commenter recommended that the Department revise the language to refer to an administrative subpoena or summons, a civil or other “expressly” authorized demand, or other similar process. The commenter recommended that, at a minimum, the Department prohibit disclosures in response to oral requests, require all informal administrative requests be in writing, and require qualifying administrative requests to obtain express supervisory approval. A commenter asserted, without providing examples, that there are many disclosures currently made under Federal agencies’ interpretations of the Privacy Act of 1974 401 that would not be permitted under the NPRM proposal.

Response: The Department appreciates the comments on this clarification. The Department understands the commenter’s request to add language identifying specific processes but declines to make the suggested modification at this time. The Department is concerned that references to specific items or actions could be understood to not apply to similarly situated administrative requests known by different names. In guidance for law enforcement, the Department has provided its interpretation that administrative requests must be accompanied by a written statement.402 In addition, the Department does not control whether a verbal or other non-written request is sufficient to meet the standards of various jurisdictions for an administrative process that would legally require a responding covered entity to respond. The Department understands that valid, justiciable reasons for responding to a verbal or other non-written request may exist, such as an emergent situation that requires an immediate response to avoid an adverse outcome. The Department believes the additional text sufficiently clarifies the misunderstandings of some regulated entities about what constitutes administrative process for the purposes of this permission.

396 88 FR 23506, 23538–39 (Apr. 17, 2023).
397 See 65 FR 82462, 82531 (Dec. 28, 2000).
398 See U.S. Senate Committee on Finance News Release (Dec. 12, 2023), https://www.finance.senate.gov/chairmans-news/wyden-jayapal-and-jacobs-inquiry-finds-pharmacies-fail-to-protect-the-privacy-of-americans-medical-records-hhs-must-update-health-privacy-rules (describing legislative inquiry into pharmacy chains and release of health information in response to law enforcement). See also Letter from Sen. Wyden and Reps. Jayapal and Jacobs to HHS Sec’y Xavier Becerra (Dec. 12, 2023), https://www.finance.senate.gov/imo/media/doc/hhs_pharmacy_surveillance_letter_signed.pdf (describing findings from Congressional oversight, including survey of chain pharmacies about their processes for responding to law enforcement requests for PHI).
399 See U.S. Senate Committee on Finance News Release, supra note 399 and Letter from Sen. Wyden and Reps. Jayapal and Jacobs, supra note 399; see also Remy Tumin, “Pharmacies Shared Patient Records Without a Warrant, an Inquiry Finds,” The New York Times (Dec. 13, 2023), https://www.nytimes.com/2023/12/13/us/pharmacy-records-abortion-privacy.html.
400 See 65 FR 82462, 82531 (Dec. 28, 2000).
401 Public Law 93–579, 88 Stat. 1896 (Dec. 31, 1974) (codified at 5 U.S.C. 552a).
402 Off. for Civil Rights, “Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule: A Guide for Law Enforcement,” https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf.
403 88 FR 23506, 23539 (Apr. 17, 2023).

4. Request for Information on Current Processes for Receiving and Addressing Requests Pursuant to 164.512(d) Through (g)(1)

The Department requested information and comments on certain considerations to help inform development of the final rule.403 In particular, the Department asked how regulated entities currently receive and address requests for PHI when requested pursuant to the Privacy Rule permissions at 45 CFR 164.512(d), (e), (f), or (g)(1), and what effect expanding the scope of the proposed prohibition to include any health care would have on the proposed attestation requirement and the ability of regulated entities to implement it. Comments submitted in response to the question about the effects of expanding the scope of the proposed prohibition have been included in prior discussions of the specific policy issues elsewhere, as applicable.

Comment: Several commenters responded to this request for information concerning current processes for receiving certain requests pursuant to 45 CFR 164.512 by providing specific information about how they receive such requests. Some requests for PHI are received in hard copy, either by mail or hand delivery, while others are received via email. Still others are received through the regulated entity’s online portal or by facsimile. In emergency circumstances, such requests may be received verbally. Commenters generally receive assurances through hard copy, email, their patient portal, and fax.
A few commenters seek assurances for every subsequent related request, while another commenter stated that it does not require or obtain assurances for every subsequent related request if the subsequent request is related to the initial request for which the initial assurance was received. A commenter asserted that the privacy interests at stake outweigh potential administrative burdens and provided examples of state laws that are more privacy protective than the Privacy Rule. The commenter explained that the privacy landscape is constantly evolving, as are the HIPAA Rules, and as such, regulated entities must adapt in response.

Response: The Department appreciates the information provided by commenters explaining the processes by which regulated entities currently receive requests for the use or disclosure of PHI for certain purposes and the workflows of regulated entities to ensure that such requests comply with the conditions of the applicable Privacy Rule permissions. We reviewed and considered this information when evaluating the burden of the proposed modifications to the Privacy Rule during the development of this final rule.

E. Section 164.520—Notice of Privacy Practices for Protected Health Information

1. Current Provision

The Privacy Rule generally requires that a covered entity provide individuals with an NPP to ensure that they understand how a covered entity may use and disclose their PHI, as well as their rights and the covered entity’s legal duties with respect to PHI.404 Section 164.520(b)(1)(ii) of the Privacy Rule describes the required contents of the NPP, including descriptions of the types of permitted uses and disclosures of their PHI. More specifically, the NPP must describe the ways in which the covered entity may use and disclose PHI for TPO, as well as each of the other purposes for which the covered entity is permitted or required to use or disclose PHI without the individual’s written authorization. Additionally, the NPP must state the covered entity’s duties to protect privacy, provide a copy of the NPP, and abide by the terms of the current notice. The NPP must also describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated, as well as other statements if the covered entity uses PHI for certain activities, such as fundraising. The Privacy Rule does not, however, currently require a covered entity to provide information about specific prohibited uses and disclosures of PHI.

404 45 CFR 164.520. Unlike many provisions of the Privacy Rule, 45 CFR 164.520 applies only to covered entities, as opposed to both covered entities and their business associates.

2. CARES Act

Section 3221(i) of the CARES Act directs the Secretary to modify the NPP provisions at 45 CFR 164.520 to include new requirements for covered entities that create or maintain PHI that is also a record of SUD treatment provided by a Part 2 program (i.e., covered entities that are Part 2 programs and covered entities that receive Part 2 records from a Part 2 program). The CARES Act amended 42 U.S.C. 290dd–2 to require the Department to revise Part 2 to more closely align with the Privacy Rule.

3. Proposals in 2022 Part 2 NPRM and 2023 Privacy Rule NPRM

The Department proposed in December 2022 to modify both the Patient Notice requirements at 42 CFR 2.22 and the NPP requirements at 45 CFR 164.520 to provide consistent notice requirements for all Part 2 records.
Revisions to the Patient Notice requirements were addressed and finalized in the 2024 Part 2 Rule, while modifications to the NPP provisions proposed in the 2022 Part 2 NPRM were deferred to a future rulemaking. The Department also separately proposed to modify the NPP provisions to support reproductive health care privacy as part of the 2023 Privacy Rule NPRM. As part of the 2022 Part 2 NPRM, the Department proposed several changes to the NPP provisions. We proposed in a new paragraph (2) to 45 CFR 164.520(a) that individuals with Part 2 records that are created or maintained by covered entities would have a right to adequate notice of uses and disclosures, their rights, and the responsibilities of covered entities with respect to such records. The Department also proposed to remove 45 CFR 164.520(a)(3), the exception for providing inmates a copy of the NPP, which would require covered entities that serve correctional facilities to provide inmates with a copy of the NPP. Additionally, the Department proposed revising 45 CFR 164.520(b)(1) to specifically clarify that covered entities that maintain or receive Part 2 records would need to provide an NPP that is written in plain language and contains the notice’s required elements. We also proposed to modify 45 CFR 164.520(b)(1)(i) to replace “medical” with “health” information.
The Department also proposed in the 2022 Part 2 NPRM to incorporate changes proposed to the NPP requirements in the 2021 Privacy Rule NPRM,405 such as adding a requirement to include the email address for a designated person who would be available to answer questions about the covered entity’s privacy practices; adding a permission for a covered entity to provide information in its NPP concerning the individual access right to direct copies of PHI to third parties when the PHI is not in an EHR and the ability to request the transmission using an authorization; and removing the requirement for a covered entity to obtain a written acknowledgment of receipt of the NPP. The Department is finalizing certain changes proposed in the 2022 Part 2 NPRM and the 2023 Privacy Rule NPRM that directly support the two final rules. In both the 2022 Part 2 NPRM and 2023 Privacy Rule NPRM, the Department proposed to modify 45 CFR 164.520(b)(1)(ii), which requires covered entities to describe for individuals the purposes for which a covered entity is permitted to use and disclose PHI. Consistent with the CARES Act, we proposed in the 2022 Part 2 NPRM to modify paragraph (C) to clarify that where uses and disclosures are prohibited or materially limited by other applicable law, “other applicable law” would include Part 2, and to clarify at paragraph (D) that the other applicable laws referenced in the requirement for a covered entity to include in the NPP sufficient detail to place an individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule and other applicable laws include Part 2.
The Department further proposed to require in 45 CFR 164.520(b)(1)(iii), which requires covered entities to include descriptions of certain activities in which the covered entity intends to engage, in a new paragraph (D) the inclusion of a statement that Part 2 records created or maintained by the covered entity will not be used in certain proceedings against the individual without the individual’s written consent or a court order consistent with 42 CFR part 2. Additionally, we proposed to require in a new paragraph (E) that covered entities that intend to use Part 2 records for fundraising include a statement that such records may be used or disclosed for fundraising purposes only if the individual grants written consent as provided in 42 CFR 2.31. In 45 CFR 164.520(b)(1)(v)(C), which addresses a covered entity’s right to change the terms of its notice, we also proposed to simplify and modify the regulatory text to clarify that this right is limited to circumstances where such changes are not material or contrary to law. The Department also proposed to add a new paragraph (4) to 45 CFR 164.520(d) to prohibit construing permissions for covered entities participating in organized health care arrangements 406 (OHCAs) to disclose PHI between participants as negating obligations relating to Part 2 records.

The 2023 Privacy Rule NPRM also proposed modifications to the NPP requirements.407 Specifically, the Department proposed to modify 45 CFR 164.520(b)(1)(ii) by adding a new paragraph (F) to require a covered entity to describe and provide an example of the types of uses or disclosures prohibited by 45 CFR 164.502(a)(5)(iii), and to do so in sufficient detail for an individual to understand the prohibition. We also proposed adding a new paragraph (G) to 45 CFR 164.502(b)(1)(ii) to describe each type of use and disclosure for which an attestation is required under 45 CFR 164.509, with an example. Additionally, the Department requested comment on whether it would benefit individuals for the Department to require that covered entities include a statement in the NPP that would explain that the recipient of the PHI would not be bound by the proposed prohibition because the Privacy Rule would no longer apply after PHI is disclosed for a permitted purpose to an entity other than a regulated entity (e.g., disclosed to a noncovered health care provider for treatment purposes).

4. Overview of Public Comments

We received many comments on the proposed NPP changes in both the 2022 Part 2 NPRM and the 2023 Privacy Rule NPRM. Some of the comments on the 2022 Part 2 NPRM addressed both the NPP and the Patient Notice. Comments concerning the Patient Notice are discussed in the 2024 Part 2 Rule.408 Commenters on the NPP proposals in the 2022 Part 2 NPRM urged the Department to coordinate revisions to the NPP provisions across its proposed and final rules. Commenters also requested guidance about their ability to use a single form to satisfy both the NPP and Patient Notice requirements. Commenters generally expressed support for the Department’s proposals to modify 45 CFR 164.520(a) and 164.520(b)(1) to apply the NPP requirements to certain entities, in coordination with changes required by the CARES Act and consistent with Part 2. Commenters to the 2022 Part 2 NPRM generally did not express opposition to the Department’s proposed changes to paragraph (b)(iii) of 45 CFR 164.520, although some did request additional guidance.

405 86 FR 6446 (Jan. 21, 2021).
406 45 CFR 160.103 (definition of “Organized health care arrangement”).
407 88 FR 23506, 23539 (Apr. 17, 2023).
408 89 FR 12472 (Feb. 16, 2024).
We received no comments on our proposed modifications to add a new paragraph concerning OHCAs to 45 CFR 164.520(d). Most commenters expressed support for the Department’s 2023 Privacy Rule NPRM proposals to revise the NPP requirements. Many also recommended additional modifications to the NPP requirements or clarifications to the requirements. Most also recommended that the Department add a requirement that NPPs include a statement that would explain that the recipient of PHI would not be bound by the proposed prohibition because the Privacy Rule would no longer apply after PHI is disclosed for a permitted purpose to an entity other than a regulated entity (e.g., disclosed to a non-covered health care provider for treatment purposes). 5. Final Rule The Department published the 2024 Part 2 Rule on February 16, 2024. It included modifications to the Patient Notice in 42 CFR 2.22 and reserved modifications to the HIPAA NPP for a forthcoming HIPAA rule. We address the modifications proposed in the 2022 Part 2 NPRM here, in concert with the modifications proposed in the 2023 Privacy Rule NPRM. As required by the CARES Act and in alignment with the Privacy Rule, we are modifying the NPP provisions in multiple ways. First, we are requiring in 45 CFR 164.520(a)(2) that covered entities that create or maintain Part 2 records provide notice to individuals of the ways in which those covered entities may use and disclose such records, and of the individual’s rights and the covered entities’ responsibilities with respect to such records. Second, we are revising 45 CFR 164.520(b)(1) to clarify that a covered entity that receives or maintains records subject to Part 2 must provide an NPP that is written in plain language and that contains the elements required. For clarity, we have reordered wording within this paragraph to refer to ‘‘receiving or maintaining’’ records, rather than ‘‘maintaining or receiving’’ records as initially proposed.
Third, the Department is modifying 45 CFR 164.520(b)(1)(ii) to revise paragraphs (C) and (D), and to add paragraphs (F), (G), and (H) to clarify certain statements and add new statements that must be included in an NPP. Consistent with the CARES Act, we are modifying paragraph (C) to clarify that where NPP’s descriptions of uses or disclosures that are permitted for TPO or without an authorization must reflect ‘‘other applicable law’’ that is more stringent than the Privacy Rule, other applicable law includes Part 2. Likewise, we are modifying paragraph (D) to clarify that Part 2 is specifically included in the ‘‘other applicable law’’ referenced in the requirement to describe uses and disclosures that are permitted for TPO or without an authorization sufficiently to place an individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule and other applicable law. New paragraphs (F) and (G) provide individuals with additional information about how their PHI may or may not be disclosed for purposes addressed in this rule, furthering trust in the relationship between regulated entities and individuals by ensuring that individuals are aware that certain uses and disclosures of PHI are prohibited. Specifically, paragraph (F) requires that the NPP contain a description, including at least one example, of the types of uses and disclosures prohibited under 45 CFR 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition, while paragraph (G) requires that the NPP contain a description, including at least one example, of the types of uses and disclosures for which an attestation is required under new 45 CFR 164.509. 
Additionally, based on feedback from commenters, we are requiring in a new paragraph (H) that covered entities include a statement explaining to individuals that PHI disclosed pursuant to the Privacy Rule may be subject to redisclosure and no longer protected by the Privacy Rule. This will help individuals to make informed decisions about to whom they provide access to or authorize the disclosure of their PHI. Under new paragraph (D) of 45 CFR 164.520(b)(1)(iii), the Department is requiring that covered entities provide notice to individuals that a Part 2 record, or testimony relaying the content of such record, may not be used or disclosed in a civil, criminal, administrative, or legislative proceeding against the individual absent written consent from the individual or a court order, consistent with the requirements of 42 CFR part 2. The Department is also finalizing a requirement at 45 CFR 164.520(b)(1)(iii)(E) that a covered entity must provide individuals with a clear and conspicuous opportunity to elect not to receive any fundraising communications before using Part 2 records for fundraising purposes for the benefit of the covered entity. Lastly, we are finalizing our proposal to add a new paragraph (4) in 45 CFR 164.520(d) regarding joint notice by separate covered entities. This modification clarifies that Part 2 requirements continue to apply to Part 2 records maintained by covered entities that are part of OHCAs. We are not finalizing in this rule the proposal to remove the exception to the NPP requirements for inmates of correctional facilities because it would be better addressed within the context of care coordination. 6.
Responses to Public Comments Comment: Commenters on both the 2022 Part 2 NPRM and the 2023 Privacy Rule NPRM urged the Department to coordinate any changes made to the NPP provisions based on proposals made in the separate rulemakings. According to the commenters, coordinating the changes to the NPP requirements would help to ensure consistency, reduce the administrative burden on covered entities, and ensure individual understanding of the permitted uses and disclosures of their PHI, including PHI that is also a Part 2 record. A few commenters on the 2022 Part 2 NPRM explained the different concerns that updates to the NPP pose to covered entities of differing sizes, based on resource constraints directly related to their size. Several commenters on the 2023 Privacy Rule NPRM requested that the Department provide sample language and examples or provide an updated model NPP. Response: As part of this rulemaking, the Department is finalizing modifications to certain NPP requirements that were proposed in the 2022 Part 2 NPRM and the 2023 Privacy Rule NPRM. Thus, these changes serve to implement certain requirements of the CARES Act and to support reproductive health care privacy. The Department appreciates the recommendations and will consider them for future guidance. Comment: A few commenters on the 2022 Part 2 NPRM requested that the Department clarify whether they would be permitted to use a single document or form when providing notice statements to individuals to ensure compliance by regulated entities and understanding of the notices by individuals. A few commenters agreed that a single NPP would reduce the administrative burden on regulated entities or be the most effective way to convey privacy information to individuals and asked for confirmation that this was permitted.
A commenter requested that the Department update the Patient Notice in a manner such that the NPP header may be used in the combined notice if they are permitted to use a combined NPP/Patient Notice. Response: As we have provided previously in guidance on the Privacy Rule and Part 2, notices issued by covered entities for different purposes may be separate or combined, as long as all of the required elements for both are included.409 Thus, it is acceptable under both the Privacy Rule and Part 2 to meet the notice requirements of the Privacy Rule, Part 2, and state law by either providing separate notices or combining the required notices into a single notice, as long as all of the required elements are included. Comment: A few commenters on the 2022 Part 2 NPRM and most of the commenters on the 2023 Privacy Rule NPRM suggested the proposed approach to modifying both the Patient Notice and NPP would bolster transparency and the public’s understanding of how their health information is used or disclosed and collected. Many commenters on the 2023 Privacy Rule NPRM provided recommendations for ways in which the Department could improve the NPP, including requiring that the NPP be in plain language. Response: The Department appreciates the comments on its proposal to modify the NPP to align with changes made in the Patient Notice and in support of reproductive health care privacy. The modifications will bolster transparency and public understanding of how information is used, disclosed, and protected. Covered entities have long been required under 45 CFR 164.520(b)(1) to provide an NPP that is written in plain language. Discussion of this requirement can be found in the preamble to the 2000 Privacy Rule.410 The Department’s model NPP forms, available in both English and Spanish, provide one example of how the plain language requirement may be met.411 As discussed above, we are modifying 45 CFR 164.520 to clarify that this requirement applies to covered entities that use and disclose Part 2 records. Additional resources on writing in plain language can be found at https://plainlanguage.gov. Additionally, covered entities are required to comply with all Federal nondiscrimination laws, including laws that address language access requirements. Information about such requirements is available at www.hhs.gov/hipaa. Comment: Commenters expressed concerns about the interplay of the Part 2 Patient Notice requirements with the NPP, the burden on covered entities to modify the NPP, and including the attestation requirement in the NPP. Response: We have sought to align the requirements for the Patient Notice as closely as possible with the NPP requirements and to modify the NPP requirements to allow for a combined Patient Notice and NPP. The changes the Department is making to the NPP empower the individual and improve health outcomes by improving the likelihood that health care providers will make accurate diagnoses and informed treatment recommendations to individuals. These changes to the NPP provide the individual with clear information and reassurance about their privacy rights and their ability to discuss their reproductive health and related health care because they inform an individual that their PHI may not be used or disclosed for certain purposes prohibited by new 45 CFR 164.502(a)(5)(iii). As such, the qualitative benefits of providing individuals with information about how their PHI may be used and disclosed under the Privacy Rule outweigh the quantitative burdens for covered entities to revise their NPPs.

409 See also 82 FR 6052, 6082–83 (Jan. 18, 2017); Off. for Civil Rights, ‘‘Notice of Privacy Practices for Protected Health Information,’’ U.S. Dep’t of Health and Human Servs. (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/.
410 65 FR 82462, 82548–49 (Dec. 28, 2000).
Accordingly, we are finalizing the modifications proposed to the NPP as part of the 2023 Privacy Rule NPRM. Comment: A majority of the commenters on the 2023 Privacy Rule NPRM who expressed support for revising the NPP also recommended that the Department require that the NPP include an explanation that the prohibition or Privacy Rule generally would no longer apply to PHI that has been disclosed for a permitted purpose to a person that is not a regulated entity. A few commenters opposed the addition as unnecessary or expressed concern about the potential length of the NPP. A few of the commenters opposed adding such a statement because they believed it could deter individuals from seeking reproductive health care, increase individuals’ mistrust of health care providers, or not add to individuals’ understanding of their rights and protections under the Privacy Rule. Response: In response to comments and in support of transparency for individuals, the Department is finalizing a new requirement to include in the NPP a statement adequate to put the individual on notice of the potential for information disclosed pursuant to the Privacy Rule to be subject to redisclosure by the recipient and no longer protected by the Privacy Rule. This change will provide additional clarity to individuals directly and assist covered entities in explaining the limitations of the Privacy Rule to individuals. We believe that any concerns about the negative effects of these modifications on length are outweighed by their benefits to the individual.

411 Off. for Civil Rights, ‘‘Model Notices of Privacy Practices,’’ U.S. Dep’t of Health and Human Servs. (Apr. 8, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/.
Comment: Several commenters to the 2023 Privacy Rule NPRM requested the Department provide additional time for compliance with the new NPP requirements and exercise enforcement discretion for a period of time after the compliance date. Response: As noted above, we are finalizing certain modifications to the NPP provisions that were proposed in the 2022 Part 2 NPRM rule and other modifications to the same provisions that were proposed in the 2023 Privacy Rule NPRM. To ease the burden on covered entities and in compliance with 45 CFR 160.104, the Department is finalizing a compliance date of February 16, 2026, for the NPP provisions. The rationale for this compliance date is discussed in greater detail in the discussion of Effective and Compliance Dates. F. Section 164.535—Severability In the NPRM, the Department included a discussion of severability that explained how we believed the proposed rule should be interpreted if any provision was held to be invalid or facially unenforceable. We are finalizing a new 45 CFR 164.535 to codify this interpretation. The Department intends that, if a specific regulatory provision in this rule is found to be invalid or unenforceable, the remaining provisions of the rule will remain in effect because they would still function sensibly. For example, the changes this final rule makes to the NPP requirements in 45 CFR 164.520 (including the changes finalizing proposals from the 2022 Part 2 NPRM) shall remain in full force and effect to the extent that they are not directly related to a provision in this rulemaking that is held to be invalid or unenforceable such that notice of that provision is no longer necessary. Conversely, if the NPP requirements are held to be invalid or unenforceable, the other modifications shall remain in full force and effect to the extent that they are not directly related to the NPP requirements.
As another example, we also intend that the revision in 45 CFR 160.103 to the definition of ‘‘person’’ shall remain in full force and effect if any other provision is held to be invalid or unenforceable because the new modified definition is not solely related to supporting reproductive health care privacy and is consistent with the Department’s longstanding interpretation of the term and with regulated entities’ current understanding and practices. Similarly, we are finalizing technical corrections to the heading at 45 CFR 164.512(c) and a clarifying revision at 45 CFR 164.512(f) regarding the permission for disclosures based on administrative processes. Those changes are intended to remain in full force and effect even if other parts of this final rule are held to be invalid or unenforceable. As another example, we also intend that, if the addition in 45 CFR 160.103 of the definition of ‘‘public health,’’ as used in the terms ‘‘public health surveillance,’’ ‘‘public health investigation,’’ and ‘‘public health intervention,’’ is held to be invalid and unenforceable, the other modifications to the rules shall remain in full force and effect to the extent that they are not directly related to the definition of public health. We further intend that if the rule is held to be invalid and unenforceable with respect to its application to some types of health care, it should be upheld with respect to other types (e.g., pregnancy or abortion-related care). We also intend that any provisions of the Privacy Rule that are unchanged by this final rule shall remain in full force and effect if any provision of this final rule is held to be invalid or unenforceable. These examples are illustrative and not exhaustive. We received no comments on the language addressing severability in the 2023 Privacy Rule NPRM. G.
Comments on Other Provisions of the HIPAA Rules Comment: A few commenters expressed concerns that the Department may grant exceptions to preemption and recommended that the Department clarify the standards for which exceptions to preemption would be made and consider strengthening these standards wherever possible or remove the potential for exceptions entirely. One commenter expressed concern that the proposed rule could dissuade regulated entities from providing de-identified data for research, while another commenter recommended that the Department prohibit the sharing of de-identified reproductive health care data except in limited circumstances to prevent the re-identification of reproductive health data by third parties, such as law enforcement or data brokers. Response: The process for requesting exceptions to preemption and the standards for granting such requests are at 45 CFR 160.201 et seq. We did not propose any modifications to these provisions as part of the 2023 Privacy Rule NPRM, and as such, do not finalize modifications in this final rule. The Department does not believe that this final rule will dissuade regulated entities from providing de-identified data for research or other purposes. Under the Privacy Rule, health information that meets the standard and implementation specifications for de-identification under 45 CFR 164.514 is considered not to be IIHI.412 HIPAA confers on the Department the authority to set standards for the privacy of IIHI, including for de-identification. We did not propose to modify the de-identification standard as part of the 2023 Privacy Rule NPRM, and as such, do not finalize modifications in this final rule. Comment: A commenter posited that the proposed rule’s preemption of contrary state laws was not sufficiently clear and recommended that the Department reinforce the preemption provision in the final rule.
Response: The Department did not propose changes to the preemption provisions of the HIPAA Rules, which are based in statute,413 and believes that the provisions, in combination with our discussion of preemption in the preamble, are sufficient. VI. Regulatory Impact Analysis A. Executive Order 12866 and Related Executive Orders on Regulatory Review The Department of Health and Human Services (HHS or ‘‘Department’’) has examined the effects of this final rule under Executive Order (E.O.) 12866, Regulatory Planning and Review,414 as amended by E.O. 14094,415 E.O. 13563, Improving Regulation and Regulatory Review,416 the Regulatory Flexibility Act 417 (RFA), and the Unfunded Mandates Reform Act of 1995 418 (UMRA). E.O.s 12866 and 13563 direct the Department to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety, and other advantages; distributive effects; and equity). This final rule is significant under section 3(f)(1) of E.O. 12866, as amended. The RFA requires us to analyze regulatory options that would minimize any significant effect of a rule on small entities. As discussed in greater detail below, this analysis concludes, and the Secretary certifies, that the rule will not result in a significant economic effect on a substantial number of small entities.

412 45 CFR 164.502(d)(2).
413 See 45 CFR part 160, subpart B—Preemption of State Law.
414 58 FR 51735 (Oct. 4, 1993).
The UMRA (section 202(a)) generally requires us to prepare a written statement, which includes an assessment of anticipated costs and benefits, before proposing ‘‘any rule that includes any Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any 1 year.’’ 419 The current threshold after adjustment for inflation is $177 million, using the most current (2023) Implicit Price Deflator for the Gross Domestic Product. UMRA does not address the total cost of a rule. Rather, it focuses on certain categories of cost, mainly Federal mandate costs resulting from imposing enforceable duties on state, local, or Tribal governments or the private sector; or increasing the stringency of conditions in, or decreasing the funding of, state, local, or Tribal governments under entitlement programs. This final rule imposes mandates that would result in the expenditure by state, local, and Tribal governments, in the aggregate, or by the private sector, of more than $177 million in any one year. The impact analysis in this final rule addresses such effects both qualitatively and quantitatively. In general, each regulated entity, including government entities that meet the definition of covered entity (e.g., state Medicaid agencies), is required to adopt new policies and procedures for responding to requests for the use or disclosure of protected health information (PHI) for which an attestation is required and to train its workforce members on the new requirements.

415 88 FR 21879 (Apr. 11, 2023).
416 76 FR 3821 (Jan. 21, 2011).
417 Public Law 96–354, 94 Stat. 1164 (codified at 5 U.S.C. 601–612).
418 Public Law 104–4, 109 Stat. 48 (codified at 2 U.S.C. 1501).
419 Id. at sec. 202 (codified at 2 U.S.C. 1532(a)).
Additionally, although the Department has not quantified the costs, state, local, and Tribal law enforcement agencies must analyze requests that they initiate for the use or disclosure of PHI and provide regulated entities with an attestation that the request is not for a prohibited purpose in instances where the request is made for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or about decedents to coroners and medical examiners, and is for PHI potentially related to reproductive health care. Onetime costs for all regulated entities to change their policies will increase costs above the UMRA threshold in one year. The Department initially estimated that ongoing expenses for the new attestation condition would not increase significantly, but we sought additional data to inform our estimates. Although Medicaid makes Federal matching funds available for states for certain administrative costs, these are limited to costs specific to operating the Medicaid program. There are no Federal funds directed at Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance activities. Pursuant to Subtitle E of the Small Business Regulatory Enforcement Fairness Act of 1996,420 the Office of Management and Budget’s (OMB’s) Office of Information and Regulatory Affairs has determined that this final rule meets the criteria set forth in 5 U.S.C. 804(2) because it is projected to have an annualized effect on the economy of more than $100,000,000. Because of the large number of covered entities that are subject to this final rule and the large number of individuals with health plan coverage, any rule modifying the HIPAA Privacy Rule that requires updating policies and procedures and the Notice of Privacy Practices (NPP) and distributing the NPP to a percentage of individuals is likely to meet the threshold in 5 U.S.C. 804(2). The Justification for this Rulemaking and Summary of Final Rule Provisions section at the beginning of this preamble contain a summary of this rule and describe the reasons it is needed. The Department presents a detailed analysis below. 1. Summary of Costs and Benefits The Department identified six general categories of quantifiable costs arising from these proposals: (1) responding to requests for the use or disclosure of PHI for which an attestation is required; (2) revising business associate agreements; (3) updating the NPP and posting it online; (4) developing new or modified policies and procedures; (5) revising training programs for workforce members; and (6) requesting an exception from HIPAA’s general preemption authority. The first five categories apply primarily to covered entities, while the sixth category applies to states and other interested persons. The Department estimates that the first-year costs attributable to this final rule total approximately $595.0 million. These costs are associated with covered entities responding to requests for the use or disclosure of PHI that are conditioned upon an attestation; revising business associate agreements; revising policies and procedures; updating, posting, and mailing the NPP; and revising training programs for workforce members, and with states or other persons requesting exceptions from preemption. These costs also include increased estimates for wages, postage, and the number of NPPs distributed by health plans as compared to the baseline of existing annual cost and burden estimates for these activities in the approved HIPAA information collection. For years two through five, estimated annual costs of approximately $20.9 million are attributable to ongoing costs related to the attestation requirement.

420 Also referred to as the Congressional Review Act, 5 U.S.C. 801 et seq.
Table 1 reports the present value and annualized estimates of the costs of this final rule covering a 5-year time horizon. Using a 7% discount rate, the Department estimates this final rule will result in annualized costs of $151.8 million; and using a 3% discount rate, these annualized costs are $142.6 million.

TABLE 1—ACCOUNTING TABLE, COSTS OF THE RULE [$ Millions]

Costs            Primary estimate   Year dollars   Discount rate (%)   Period covered
Present Value    $678.6             2022           Undiscounted        2024–2028
Present Value    622.3              2022           7                   2024–2028
Present Value    653.1              2022           3                   2024–2028
Annualized       151.8              2022           7                   2024–2028
Annualized       142.6              2022           3                   2024–2028

The changes to the Privacy Rule will likely result in important benefits and some costs that the Department is unable to fully quantify at this time. As explained further below, unquantified benefits include improved trust and confidence between individuals and health care providers; enhanced privacy and improved access to reproductive health care and information, which may prevent increases in maternal mortality and morbidity; increased accuracy and completeness in patient medical records, which may prevent poor health outcomes; enhanced support for survivors of rape, incest, and sex trafficking; and maintenance of family economic stability by allowing families to determine the timing and spacing of whether or when to be pregnant. Additionally, allowing regulated entities to accept an attestation for requests for the use or disclosure of PHI potentially related to reproductive health care, and to presume that reproductive health care provided by another person was lawful under the circumstances it was provided, will reduce potential liability for regulated entities by providing some assurance with respect to whether the requested disclosure is prohibited.

TABLE 2—POTENTIAL NON-QUANTIFIED BENEFITS FOR COVERED ENTITIES AND INDIVIDUALS

Benefits
Improve access to complete information about lawful reproductive health care options, including for individuals who are pregnant or considering a pregnancy (i.e., improve health literacy), by reducing concerns about disclosure of PHI.
Maintain or reduce levels of maternal mortality and morbidity by ensuring that individuals and their clinicians can freely communicate and have access to complete information needed for quality lawful health care, including coordination of care.
Decrease barriers to accessing prenatal health care by maintaining privacy for individuals who seek a complete range of lawful reproductive health care options.
Enhance mental health and emotional well-being of pregnant individuals by reducing fear of potential disclosures of their PHI to investigate or impose liability on a person for the mere act of seeking, obtaining, providing, or facilitating lawful health care.
Improve or maintain trust between individuals and health care providers by reducing the potential for health care providers to report PHI in a manner that could harm the individuals’ interests.
Prevent or reduce re-victimization of pregnant individuals who have survived rape or incest by protecting their PHI from undue scrutiny.
Improve or maintain families’ economic well-being by not exposing individuals or their family members to costly investigations or activities to impose liability for seeking, obtaining or facilitating lawful reproductive health care.
Maintain the economic well-being of regulated entities by not exposing regulated entities or workforce members to costly investigations or activities to impose liability on them for engaging in lawful activities.
Ensure individuals’ ability to obtain full and complete information and make lawful decisions concerning fertility- or infertility-related health care that may include selection or disposal of embryos without risk of PHI disclosure for criminal, civil, or administrative investigations or activities to impose liability for engaging in lawful activities.

The Department also recognizes that there may be some costs that are not readily quantifiable, notably, the potential burden on persons requesting PHI to investigate or impose liability on persons for seeking, obtaining, providing, or facilitating reproductive health care that is not lawful under the circumstances in which such health care is provided. As discussed elsewhere in this final rule, we acknowledge that, in certain limited circumstances, the final rule may prevent persons from obtaining an individual’s PHI, such as where the request is directed to the health care provider that provided the reproductive health care and that health care provider reasonably determines that such health care was provided lawfully. However, the existing permission for disclosures for law enforcement does not create a mandate for disclosure to law enforcement agencies. Rather, it establishes the conditions under which a regulated entity may disclose PHI if it so chooses.
Accordingly, consistent with how the Privacy Rule has operated since its inception, persons whose requests for PHI are declined by regulated entities may incur additional costs if they choose to pursue their investigations through other methods and obtain evidence from non-covered entities. We have not previously quantified the costs to such persons for obtaining an individual’s PHI, such as where a law enforcement official is required to prepare a formal administrative request or obtain a qualified protective order and we do not do so here. We do not view the PO 00000 Frm 00076 Fmt 4701 Sfmt 4700 attestation requirement as changing this calculus and have designed the attestation to impose a minimal burden on requests for PHI related to lawful conduct by health care providers by offering a model attestation form. Despite the minimal formality of providing a signed attestation, some state law enforcement agencies may experience the requirement as a burden, and we acknowledge that potential as a non-quantifiable cost. 2. Baseline Conditions The Privacy Rule, in conjunction with the Security and Breach Notification Rules, protects the privacy and security of individuals’ PHI, that is, individually identifiable health information (IIHI) transmitted by or maintained in electronic media or any other form or E:\FR\FM\26APR5.SGM 26APR5 Federal Register / Vol. 89, No. 82 / Friday, April 26, 2024 / Rules and Regulations medium, with certain exceptions. It limits the circumstances under which regulated entities are permitted or required to use or disclose PHI and requires covered entities to have safeguards in place to protect the privacy of PHI. The Privacy Rule also establishes certain rights for individuals with respect to their PHI and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. 
As explained in the preamble, the Department has the authority under HIPAA to modify the Privacy Rule to prohibit the use or disclosure of PHI for activities to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it was provided, as well as to identify any person for the purpose of initiating such activities. The Privacy Rule has been modified several times since it was first issued in 2000 to address statutory requirements, changed circumstances, and concerns and issues raised by stakeholders regarding the effects of the Privacy Rule on regulated entities, individuals, and others. Recently, as the preamble discusses, changed circumstances resulting from new inconsistencies in the regulation of reproductive health care nationwide and the negative effects on individuals’ expectations for privacy and their relationships with their health care providers, as well as the additional burdens imposed on regulated entities, require the modifications made by this final rule. For purposes of this Regulatory Impact Analysis (RIA), this final rule adopts the list of covered entities and cost assumptions identified in the Department’s 2023 Information Collection Request (ICR).[421] The Department also relies on certain estimates and assumptions from the 1999 Privacy Rule NPRM [422] that remain relevant, and the 2013 Omnibus Rule,[423] as referenced in the analysis that follows.

[421] 88 FR 3997 (Jan. 23, 2023).
[422] 64 FR 59918 (Nov. 3, 1999).
[423] 78 FR 5566 (Jan. 25, 2013).

The Department quantitatively analyzes and monetizes the effect that this final rule may have on regulated entities’ actions to: revise business associate agreements between covered entities and their business associates, including release-of-information contractors; create new forms; respond to certain types of requests for PHI; update their NPPs; adopt policies and procedures to implement the requirements of this final rule; and train their employees on the updated policies and procedures. The Department analyzes the remaining benefits and burdens qualitatively because of the uncertainty inherent in predicting other concrete actions that such a diverse scope of regulated entities might take in response to this rule.

Analytic Assumptions

The Department bases its assumptions for calculating estimated costs and benefits on several publicly available datasets, including data from the U.S. Census, the U.S. Department of Labor, Bureau of Labor Statistics, Centers for Medicare & Medicaid Services, and the Agency for Healthcare Research and Quality. For the purposes of this analysis, the Department assumes that benefits plus indirect costs equal approximately 100 percent of pre-tax wages and adjusts the hourly wage rates by multiplying by two, for a fully loaded hourly wage rate. The Department adopts this as the estimate of the hourly value of time for changes in time use for on-the-job activities. Implementing the regulatory changes likely will require covered entities to engage workforce members or consultants for certain activities. The Department assumes that a lawyer will draft or review the new attestation form, revisions to business associate agreements, revisions to the NPP, and required changes to HIPAA policies and procedures. The Department expects that a training specialist will revise the necessary HIPAA training and that a web designer will post the updated NPP. The Department further anticipates that a workforce member at the pay level of medical records specialist will confirm receipt of required attestations. To the extent that these assumptions affect the Department’s estimate of costs, the Department solicited comment on its assumptions, particularly assumptions in which the Department identifies the level of workforce member (e.g., clerical staff, professional) that will be engaged in activities and the amount of time that particular types of workforce members spend conducting activities related to this RIA as further described below. Table 3 also lists pay rates for occupations referenced in the explanation of estimated information collection burdens in Section F of this RIA and related tables.

The Department received several comments about the occupations engaged in certain activities and the time burden associated with them. We reviewed these submissions and used the provided information to revise the estimate for the cost of processing requests for the use or disclosure of PHI that require an attestation. For more details, please see the sections discussing the costs of the rule below. The Department received no comment on the hourly value of time; therefore, we retain all relevant assumptions laid out in the 2023 Privacy Rule NPRM, as described above (see Table 3 for a list of occupations and corresponding wages).[424]

[424] For each occupation performing activities as a result of the final rule, the Department identifies a pre-tax hourly wage using a database maintained by the Bureau of Labor Statistics. See U.S. Dep’t of Labor, ‘‘Occupational Employment and Wages’’ (May 2022), https://www.bls.gov/oes/current/oes_nat.htm.
TABLE 3—OCCUPATIONAL PAY RATES

Occupation code and title .......... Mean hourly wage .......... Fully loaded hourly wage
00–0000 All Occupations .......... $29.76 .......... $59.52
43–3021 Billing and Posting Clerks .......... 21.54 .......... 43.08
29–0000 Healthcare Practitioners and Technical Occupations .......... 46.52 .......... 93.04
29–9021 Health Information Technologists and Medical Registrars .......... 31.38 .......... 62.76
29–9099 Healthcare Practitioners and Technical Workers, All Other .......... 32.78 .......... 65.56
15–1212 Information Security Analysts .......... 57.63 .......... 115.26
23–1011 Lawyers .......... 78.74 .......... 157.48
13–1111 Management Analysts .......... 50.32 .......... 100.64
11–9111 Medical and Health Services Manager .......... 61.53 .......... 123.06
29–2072 Medical Records Specialist .......... 24.56 .......... 49.12
43–0000 Office and Administrative Support Occupations .......... 21.90 .......... 43.80
11–2030 Public Relations and Fundraising Managers .......... 68.56 .......... 137.12
13–1151 Training and Development Specialist .......... 33.59 .......... 67.18
43–4171 Receptionists and Information Clerks .......... 16.64 .......... 33.28
15–1255 Web and Digital Interface Designers .......... 48.91 .......... 97.82

The Department assumes that most covered entities will be able to incorporate changes to their workforce training into existing HIPAA training programs rather than conduct a separate training because the total time frame for compliance from date of finalization would be 240 days.[425]

[425] This includes 60 days from publication of a final rule to the effective date and an additional 180 days until the compliance date.

Covered Entities Affected

The Department received no substantive comments on the number or type of HIPAA covered entities affected by this rule; therefore, we retain the methodology and entity estimates as described in the 2023 Privacy Rule NPRM and the baseline conditions section above. To the extent that covered entities engage business associates to perform activities under the rule, the Department assumes that any additional costs will be borne by the covered entities through their contractual agreements with business associates. The Department’s estimate that each revised business associate agreement will require no more than 1 hour of a lawyer’s labor assumes that the hourly burden could be split between the covered entity and the business associate. Thus, the Department calculated estimated costs based on the potential number of business associate agreements that will be revised rather than the number of covered entities or business associates with revised business associate agreements.

The Department requested data on the number of business associates (which may include health care clearinghouses acting in their role as business associates of other covered entities) that would be affected by the rule and the extent to which they may experience costs or other burdens not already accounted for in the estimates of burdens for revising business associate agreements. The Department also requested comment on the number of business associate agreements that would need to be revised, if any. We did not receive any actionable comments on the number of affected business associates, the number of business associate agreements, or any specific costs that business associates might bear. For more details, see the section on business associate agreements below.

The Department requested public comment on these estimates, including estimates for third party administrators and pharmacies where the Department has provided additional explanation. The Department additionally requested detailed comment on any situations, other than those identified here, in which covered entities would be affected by this rulemaking. We did not receive any substantive comments related to these issues.

TABLE 4—ESTIMATED NUMBER AND TYPE OF COVERED ENTITIES

NAICS code / Type of entity .......... Firms .......... Establishments
524114 Health and Medical Insurance Carriers .......... 880 .......... 5,379
524292 Third Party Administrators .......... 456 .......... 783
622 Hospitals .......... 3,293 .......... 7,012
44611 Pharmacies .......... 19,540 .......... 67,753 (a)
6211–6213 Office of Drs. & Other Professionals .......... 433,267 .......... 505,863
6215 Medical Diagnostic & Imaging .......... 7,863 .......... 17,265
6214 Outpatient Care .......... 16,896 .......... 39,387
6219 Other Ambulatory Care .......... 6,623 .......... 10,059
623 Skilled Nursing & Residential Facilities .......... 38,455 .......... 86,653
6216 Home Health Agencies .......... 21,829 .......... 30,980
532283 Home Health Equipment Rental .......... 611 .......... 3,197
Total .......... 549,713 .......... 774,331

(a) Number of pharmacy establishments is taken from industry statistics.
Individuals Affected

The Department believes that the population of individuals potentially affected by the rule is approximately 76 million overall,[426] representing nearly one-fourth of the U.S. population, including approximately 6 million pregnant individuals annually and an unknown number of individuals facing a potential pregnancy or pregnancy risk due to sexual activity, contraceptive avoidance or failure, rape (including statutory rape), and incest. According to Federal data, 78 percent of sexually active females received reproductive health care in 2015–2017.[427]

[426] See U.S. Census Bureau, American Community Survey S0101, AGE AND SEX 2022: ACS 5-Year Estimates Subject Tables (females aged 10–44), https://data.census.gov/table/ACSST1Y2022.S0101. The U.S. Census Bureau uses the term ‘‘sex’’ to equate to an individual’s biological sex. ‘‘Sex—Definition,’’ U.S. Census Bureau (accessed Mar. 20, 2024), https://www.census.gov/glossary/?term=Sex.
[427] See ‘‘Reproductive and Sexual Health,’’ Sexually active females who received reproductive health services (FP–7.1), Healthypeople.gov, https://wayback.archive-it.org/5774/20220415172039/https:/www.healthypeople.gov/2020/leading-health-indicators/2020-lhi-topics/Reproductive-and-Sexual-Health/data.

The Department received comments related to the number of individuals affected by the rule, some of which are summarized below. One commenter asserted that the Department had overestimated the number of affected individuals and urged reducing the estimate to 78 percent of sexually active females (52.72 million). The same commenter also argued that even this revised number might be an overestimate, and that the number of individuals directly affected by the rule would be closer to 50,400 a year. Another commenter suggested that the number of individuals potentially affected by the proposed rule is much larger than the estimate and that the estimate should include any individual who was ever capable of bearing children and their family members. Another commenter asserted that the Department was underestimating the number of individuals that would be affected by the proposed rule but did not include an estimate of their own.

After reviewing the comments, the Department is finalizing the estimates of the number of individuals that will be affected by this final rule as described above, which includes updates for 2022 data. The Department considers a key category of individuals affected by this final rule those who have the potential to become pregnant because pregnancies may occur and result in a need for reproductive health care nationwide. Pregnancy, concern about potential pregnancy, and the need for reproductive health care do not recognize state boundaries or regulatory timelines. Commenters recommended data points above and below the Department’s proposed estimate of 74 million affected individuals. We believe that the number of affected individuals is far greater than the total who are survivors of sexual assault or sex trafficking (as recommended by a commenter), yet less than the number of all individuals who have ever been of childbearing age and their family members (as recommended by another commenter). We recognize that the age range for the proposed estimate of females, 10–44, imperfectly reflects the number of females of childbearing age; however, the number of females over age 44 who could become pregnant may be offset by the number of females aged 10–13 who are not yet capable of childbearing. We use the number of females of potentially childbearing age as a proxy for the number of individuals affected by the final rule as shown in Table 5 below.

TABLE 5—ESTIMATED NUMBER OF INDIVIDUALS AFFECTED

Females of potentially childbearing age [428] .......... Population estimate
10 to 14 years .......... 10,327,799
15 to 19 years .......... 10,618,136
20 to 24 years .......... 10,957,463
25 to 29 years .......... 10,762,368
30 to 34 years .......... 11,440,546
35 to 39 years .......... 11,013,337
40 to 44 years .......... 10,771,942
Total .......... 75,891,591

[428] See American Community Survey S0101, AGE AND SEX 2022: ACS 5-Year Estimates Subject Tables (females aged 10–44), supra note 427.

3. Costs of the Rule

Below, the Department provides the basis for its estimated quantifiable costs resulting from the changes to specific provisions of the Privacy Rule. Many of the estimates are based on assumptions formed through the Office for Civil Rights’ (OCR’s) experience with its compliance and enforcement program and accounts from stakeholders received at outreach events. The Department has quantified recurring burdens for this final rule for obtaining an attestation from a person requesting the use or disclosure of PHI potentially related to reproductive health care for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners or medical examiners. The Department requested information or data points from commenters to further refine its estimates and assumptions. We examine the most substantive comments received in the cost section below. Additionally, we received comments that are also discussed below on topics that are not directly addressed in the cost section.

A commenter asserted that the Department did not account for the additional costs associated with major depressive disorders that would arise from the increase in abortions due to the rule. The Department does not believe that is a valid benchmark for the effects of this final rule, in part because we reject the premise, which is not backed by medical evidence or data, that this final rule will result in an increase in pregnancy terminations or depression.[429] Further, researchers have raised numerous concerns about the methodology of the 2011 study cited in the comment.[430] Accordingly, we are not including the costs associated with treatment of depression in the cost section.

[429] See M. Antonia Biggs et al., ‘‘Women’s Mental Health and Well-being 5 Years After Receiving or Being Denied an Abortion: A Prospective, Longitudinal Cohort Study,’’ 74(2) JAMA Psychiatry 169, 177 (2017), https://jamanetwork.com/journals/jamapsychiatry/fullarticle/2592320. See also Julia R. Steinberg et al., ‘‘The association between first abortion and first-time non-fatal suicide attempt: a longitudinal cohort study of Danish population registries,’’ 6(12) The Lancet Psychiatry 1031–1038 (Dec. 2019).
[430] See Julia R. Steinberg et al., ‘‘Fatal flaws in a recent meta-analysis on abortion and mental health,’’ 86(5) Contraception 430–7 (Nov. 2012), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3646711/ (discussing errors and significant shortcomings of the studies included in the 2011 meta-analysis that render its conclusions invalid).

a. Costs Associated With Requests for Exception From Preemption

The Department anticipates that states with laws that restrict access to reproductive health care are likely to seek an exception to the requirements of this final rule that preempt state law. Given the pace at which state laws governing access to reproductive health care are changing, the Department is finalizing its proposed estimate that a potential increase of 26 states [431] will incur costs to develop a request to except a provision of state law from HIPAA’s general preemption authority to submit to the Secretary.[432] Based on existing burden estimates for this activity,[433] the Department is finalizing its estimate that each exception request will require approximately 16 hours of labor at the rate of a general health care practitioner and that approximately 26 states will make such requests. Thus, the Department estimates that states will spend a total of 416 hours requesting exception from preemption and monetize this as a one-time cost of $38,705 [= 16 × 26 × $93.04].

[431] See Lawrence O. Gostin et al., ‘‘One Year After Dobbs—Vast Changes to the Abortion Legal Landscape,’’ 4(8) JAMA Health Forum (2023), https://jamanetwork.com/journals/jama-health-forum/fullarticle/2808205 (counting 21 states with post-Dobbs limits that are more restrictive than Roe v. Wade allowed) and Laura Deal, ‘‘State Laws Restricting or Prohibiting Abortion,’’ Congressional Research Service (Jan. 22, 2024), https://crsreports.congress.gov/product/pdf/R/R47595. Because of the pace of change in this area, the Department relies on a higher number than JAMA’s 2023 figure as a basis for its cost estimates.
[432] See 45 CFR 160.201 et seq. for information about exceptions to HIPAA’s general preemption authority and the process for requesting such an exception and the criteria for granting it.
[433] ‘‘Information Collection: Process for Requesting Exception Determinations (states or persons),’’ U.S. Gen. Servs. Admin. & Off. of Mgmt. and Budget, https://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=201909-0945-001&icID=10428.

b. Estimated Costs From Adding a Requirement for an Attestation for Disclosures for Certain Purposes

Multiple commenters asserted that the projected attestation cost in the proposed rule was incorrect and underestimated the true cost of implementing the proposed requirement. One commenter asserted that the proposed rule underestimated the time to review medical records for PHI about reproductive health care and recommended that it be increased significantly. The same commenter also suggested that the Department adopt a requirement to obtain an individual’s authorization, instead of an attestation, because it would reduce costs. Other commenters asserted that the proposed cost estimates for the attestation requirement did not account for associated administrative burdens, urged the Department to require an attestation for every request for PHI to decrease overall costs by establishing a procedural norm, or requested that the Department provide grants and trainings to regulated entities to offset the costs of the attestation provision.
Finally, another commenter requested that the Department release a model attestation form to decrease the cost burden for covered entities. A few commenters asserted that the Department misidentified the types of staff that would perform specific components of the attestation requirement. One posited that both a lawyer and a medical professional would need to review medical records for the use or disclosure of PHI in response to the proposed revisions to the Privacy Rule. Another asserted that the person reviewing PHI in response to a request for the use or disclosure of PHI would be a medical records clerk.

The Department has modified the attestation requirement in response to public comments. As discussed above, this final rule requires regulated entities to obtain an attestation that the request for the use or disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii) when the request is for certain purposes (health oversight activities, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners and medical examiners) and is for PHI potentially related to reproductive health care. Where the request is for a purpose that implicates 45 CFR 164.502(a)(5)(iii) and the reproductive health care was provided by someone other than the regulated entity that received the request, such health care is presumed lawful under the circumstances in which it was provided unless the conditions of 45 CFR 164.502(a)(5)(iii)(C) are met. We expect the presumption of lawfulness to lower the burden for regulated entities to process requests for the use or disclosure of PHI for which an attestation is required; however, we also acknowledge that the proposed estimate did not fully represent the number of likely requests for the use or disclosure of PHI.
The Department declines to require a valid authorization for these requests, as opposed to an attestation, and no grants to offset costs will be needed because of the lower estimated burden per request. The revised cost estimates include review of each request for the use or disclosure of PHI for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners and medical examiners, to determine if an attestation has been provided and administrative burdens associated with obtaining the attestation. This final rule necessitates that regulated entities establish a process for responding to requests for the use or disclosure of PHI for which an attestation is required, such as reviewing and screening requests that are not accompanied by a valid authorization and are not a right of access request. We anticipate that across all regulated entities, this final rule will result in approximately 2,794,201 requests that regulated entities need to review in connection with the permissions under 45 CFR 164.512(d)–(g)(1). The Department estimates 5 minutes of average processing time per attestation based on the average wage of a mix of several occupations: medical and health services managers, medical records specialists, and health practitioners.[434] For example, a medical records specialist may forward certain requests for the use or disclosure of PHI (for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners and medical examiners) to a manager to review whether the request pertains to the lawfulness of reproductive health care. A health practitioner may review a number of records subject to a request for whether they contain PHI potentially related to reproductive health care.
We calculate the annual cost for initial processing of the estimated 2,794,201 requests requiring attestations to total $20,585,500 [2,794,201 × (5/60) × $88.41]. For almost all of these requests, we believe that a brief review will be sufficient for a regulated entity to make a final disclosure determination. For a small number of these requests, approximately 1,300, we assume that the brief review will not be sufficient; we assume that these requests will require legal review. This figure is an estimate of the number of requests that are generated to investigate or impose liability on a person for the mere act of seeking or obtaining lawful reproductive health care, including from a health care provider in a state other than the state where the regulated entity is located. The Department’s estimate assumes that approximately 26 states may seek to restrict access to out-of-state reproductive health care, including reproductive health care that is lawful under the circumstances in which it was provided, and will initiate an average of 50 such requests annually. The Department estimates on average 1 hour of review for such requests based on the wage of a lawyer.[435] We calculate the annual legal review cost for the estimated 1,300 requests totals $204,724 [1,300 × 1 × $157.48]. This additional review increases the cost of processing attestations to $20,790,224. We anticipate that approximately one-quarter of requests that result in legal reviews, approximately 325, will require additional managerial review by the regulated entity before making a disclosure decision. The Department estimates on average 3 hours of additional review for each of these requests based on the wage of medical and health insurance managers.[436] We calculate a total cost for additional actions for these requests of $119,984 [325 × 3 × $123.06]. The total annual estimated cost of processing attestations, including all additional legal and managerial reviews, is $20,910,207.

[434] See supra, Table 3 of this RIA.
[435] Id.
[436] Id.

Upon consideration of the estimated cost for regulated entities to create a new attestation form, the Department is planning to develop a model form to be available prior to the compliance date of this final rule. This will save an estimated total of $60,970,823 [= 774,331 × (30/60) × $157.48], based on 30 minutes of labor by a lawyer.

c. Costs Arising From Revised Business Associate Agreements

The Department anticipates that a certain percentage of business associate agreements will likely need to be updated to reflect a determination made by parties about their respective responsibilities when either party receives requests for disclosures of PHI under 45 CFR 164.512(d), (e), (f), or (g)(1). For example, each of the parties to the business associate agreement may need to notify the other party when they have knowledge that a request is for an unlawful purpose and allocate their respective responsibilities for handling these less frequent requests. The Department is finalizing its proposed estimate that each new or significantly modified contract between a business associate and its subcontractors will require, on average, one hour of labor by a lawyer at the wage reported in Table 3. We believe that approximately 35 percent of 1 million business associates, or 350,000 entities, will decide to create or significantly modify subcontracts, resulting in total costs of $55,118,000 [= 350,000 × $157.48].

A few commenters asserted that the Department’s estimates for business associates’ costs were incorrect and that it should consider additional costs. A commenter recommended that the Department adopt a non-enforcement period to allow business associates to achieve compliance and limit legal costs. Another commenter stated that the Department did not adequately identify the costs that would be associated with increased legal scrutiny of business associates as a result of the proposed rule. And another commenter urged the Department to consider the additional costs for renegotiated contracts as a result of the proposed rule. Lastly, a commenter requested that the Department apply the attestation requirement to business associates because it would reduce the costs of the rule.

The Department has reviewed the comments and is adopting the 2023 Privacy Rule NPRM cost analysis in this final rule. Business associate costs are adequately captured by the estimate for revising agreements. Applying costs directly to business associates (as opposed to covered entities) is distributional and will not alter the total impact of the rule. The Department declines to create an additional non-enforcement period for this provision of the final rule beyond the 180 days from the date of publication for the final rule to the compliance date.[437] The estimated cost for responding to requests for PHI for which an attestation is required accounts for increased scrutiny of a small number of requests for PHI, and the estimated costs for updating business associate agreements account for renegotiation of an average of one release of information vendor contract for nearly half of all covered entities.

[437] This includes 60 days from the date of publication to the effective date, plus 120 days from the effective date to the compliance date.

d. Costs Arising From Changes to the Notice of Privacy Practices

The final rule modifies the NPP to notify individuals that covered entities cannot use or disclose PHI for certain purposes and that in certain circumstances, covered entities must obtain an attestation from a person requesting the PHI that affirms that the use or disclosure is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). The final rule also modifies the NPP to align with changes proposed in the 2022 Part 2 NPRM. This includes requiring covered entities that create or maintain Part 2 records to provide a notice that: addresses such records; references Part 2 as ‘‘other applicable law’’ that is more stringent than the Privacy Rule; explains that covered entities may not use or disclose a Part 2 record in a civil, criminal, administrative, or legislative proceeding against the individual absent written consent from the individual or a court order; and clarifies the applicability of Part 2 for organized health care arrangements that hold Part 2 records. Additionally, the final rule further modifies language for fundraising by covered entities that use or disclose Part 2 records to require a clear and conspicuous opt-out opportunity for patients. Finally, the modifications require the NPP to explain that PHI disclosed to a person other than a regulated entity is no longer subject to the requirements of the Privacy Rule. The Department believes the burden associated with revising the NPP consists of costs related to developing and drafting the revised NPP for covered entities.
The Department estimates that the updating and revising the language in the NPP will require 50 minutes of professional legal services at the wage reported in Table 3. Across all covered entities, the Department estimates a cost of $101,618,038 [= 774,331 × (50/60) × $157.48]. The Department does not anticipate any new costs for health care providers associated with distribution of the revised notice other than posting it on the entity’s website (if it has one) because health care providers have an ongoing obligation to provide the notice to first-time patients that is already accounted for in cost estimates for the HIPAA Rules. Health plans that post their NPP online will incur minimal costs by posting the updated notice and then including the updated NPP in the next annual mailing to subscribers.438 Health plans that do not provide an annual mailing will potentially incur an additional $12,743,700 in capital expenses for mailing the revised NPP to an estimated 10 percent of the 150,000,000 health plan subscribers who receive a mailed, paper copy of the notice, as well as the labor expense for an administrative support staff member at the rate shown in Table 3 to complete the mailing, for approximately $2,737,500 [= 62,500 hours × $43.80]. The Department further estimates the cost of posting the revised NPP on the 438 45 E:\FR\FM\26APR5.SGM CFR 164.520(c)(1)(v)(A). 26APR5 33056 Federal Register / Vol. 89, No. 82 / Friday, April 26, 2024 / Rules and Regulations covered entity’s website will be 15 minutes of a web designer’s time at the wage reported in Table 3. Across all covered entities, the Department estimates a cost of online posting as $18,936,265 [= 774,331 × (15/60) × $97.82]. A commenter expressed concern that the Department was underestimating the cost of mailing updates associated with changes to NPP policies. 
The Department is already accounting for the cost of mailing updated NPPs within the estimated capital costs, which include printing copies of NPPs that are provided in person and those that are mailed, and postage for health plans that will need to conduct a mailing that is off-cycle from its regular schedule. We estimate that half of NPPs will need to be mailed and that health plans may include the updated NPP with their next regular mailing to individuals. e. Estimated Costs for Developing New or Modified Policies and Procedures The Department anticipates that covered entities will need to develop new or modified policies and procedures for the new requirements for attestations, the new category of prohibited uses and disclosures, modifications to certain uses and disclosures permitted under 45 CFR 164.512, and clarification of personal representative qualifications. The Department is finalizing its proposed estimate that the costs associated with developing such policies and procedures will be the labor of a lawyer for 2.5 hours and that this expense represents the largest area of cost for compliance with this final rule, for a total of $304,854,115 [= 774,331 × 2.5 × $157.48]. A few commenters stated that the estimate for covered entities to draft new policies was incorrect and provided additional information or alternatives to reduce costs. A commenter stated that the time burden for drafting new policies was insufficient and did not accurately represent the amount of time it would take a covered entity to draft a policy that complied with the proposed rule. Another commenter urged the Department to include the costs for organizations to update their privacy policies because of the proposed rule. A few commenters requested that the Department provide organizations with additional time to develop new policies that comply with the final rule. 
The Department considered the concerns raised by commenters about the burdens of the requirements to revise the Privacy Rule and made several additional modifications in this final rule to reduce burdens on regulated entities. For example, regulated entities are not required to develop policies to routinely evaluate whether reproductive health care that was provided by someone else was lawful. Instead, regulated entities will need to develop policies to ensure that they identify requests for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners or medical examiners, and procedures for obtaining the required attestation if it is not provided with the request for the use or disclosure of PHI. Additional policies will be required to address requests for the above purposes that could result in a prohibited use or disclosure, such as requests from law enforcement for the use or disclosure of PHI that assert, without any other information, that reproductive health care was provided unlawfully. The updating of privacy policies is included in the overall cost of updating policies and the estimate for updating the NPP. Because of changes in the final rule that simplify compliance with the new requirements, the Department is not adjusting the time burden for revising or creating new policies and procedures.

f. Costs Associated With Training Workforce Members

The Department anticipates that covered entities will be able to incorporate new content into existing HIPAA training requirements and that the costs associated with doing so will be attributed to the labor of a training specialist for an estimated 90 minutes, for a total of $78,029,335 [= 774,331 × (90/60) × $67.18]. A few commenters addressed training costs within the proposed rule, including one who asserted that such costs could be reduced by ensuring that the effective date for all of the provisions of the rule is the same.
Another commenter stated that covered entities would incur both a one-time and a yearly training cost, with the yearly training cost accounting for most of the total training cost in year 1. The Department is finalizing the cost estimate for training workforce members as proposed, which includes the cost of a training specialist to update the covered entity’s HIPAA training program with new content to include in training for workforce members within the first year. Any further recurring component is likely to be implemented into regularly scheduled employee training and will thus not be directly attributable to this rule.

g. Total Quantifiable Costs

The Department summarizes in Table 6 the estimated nonrecurring costs that covered entities and states will experience in the first year of implementing the regulatory changes. The Department anticipates that these costs will be for requesting exceptions from preemption of contrary state law, implementing the attestation requirement, revising business associate agreements, revising the NPP, mailing and posting it online, revising policies and procedures, and updating HIPAA training programs.

TABLE 6—NEW NONRECURRING COSTS OF COMPLIANCE WITH THE FINAL RULE

Nonrecurring costs                            Burden hours/action × hourly wage   Respondents                 Total costs (millions)
Exception Requests                            16 × $93.04                         26 States                   $0.04
BA Agreements, Revising                       1 × $157.48                         350,000 BAAs                55
NPP, Updating                                 50/60 × $157.48                     774,331 Covered entities    102
NPP, Mailing                                  0.25/60 × $43.80                    15,000,000 Subscribers      3
NPP, Posting Online                           15/60 × $97.82                      774,331 Covered entities    19
Policies & Procedures                         150/60 × $157.48                    774,331 Covered entities    305
Training                                      90/60 × $67.18                      774,331 Covered entities    78
Capital Expenses, Mailing NPPs—Health Plans   $.85/NPP                            15,000,000 Subscribers      13
Total Nonrecurring Burden                                                                                     574 a

a Totals may not add up due to rounding.

Table 7 summarizes the recurring costs that the Department anticipates covered entities will incur annually as a result of the regulatory changes. These new costs are based on responding to requests for uses and disclosures of PHI that are conditioned upon an attestation.

TABLE 7—RECURRING ANNUAL COSTS OF COMPLIANCE WITH THE FINAL RULE a

Recurring costs                                     Burden hours × wage   Respondents   Total annual cost ($)
Disclosures for which an attestation is required    232,850 × $88.41      2,794,201     $20,585,500
Attestation investigation review                    1,300 × $157.48       1,300         204,724
Attestation additional actions                      975 × $123.06         325           119,984
Total Recurring Annual Burden                                                           20,910,207

a Totals may not add up due to rounding.

Costs Borne by the Department

The covered entities that are operated by the Department will be affected by the changes in a similar manner to other covered entities, and such costs have been factored into the estimates above. The Department expects that it will incur costs related to drafting and disseminating a model attestation form and information about the regulatory changes to covered entities, including health care providers and health plans. In addition, the Department anticipates that it may incur a 26-fold increase in the number of requests for exceptions from preemption of contrary state law in the first year after a final rule becomes effective, at an estimated total cost of approximately $146,319 to analyze and develop responses, for an average cost of $7,410 per request. This increase is based on the number of states that have enacted or are likely to enact laws restricting access to reproductive health care 439 and may seek to obtain individuals’ PHI to enforce those laws. This estimate assumes that the Department receives and reviews exception requests from the 26 states, that half require a more complex analysis, and that all requests result in a written response within one year of the final rule’s publication.

439 See ‘‘One Year After Dobbs—Vast Changes to the Abortion Legal Landscape,’’ supra note 432 (counting 21 states with post-Dobbs limits that are more restrictive than Roe v. Wade allowed) and ‘‘State Laws Restricting or Prohibiting Abortion,’’ supra note 432. Because of the pace of change in this area, the Department relies on a higher number than JAMA’s 2023 figure as a basis for its cost estimates.

Benefits of the Final Rule

The benefits of this final rule to individuals and families are likely substantial, and yet are not fully quantifiable because the area of health care this final rule addresses is among the most sensitive and life-altering if privacy is violated. Additionally, the value of privacy, which cannot be recovered once lost, and trust that privacy will be protected by others, is difficult to quantify fully. Health privacy has many significant benefits, such as promoting effective communication between individuals and health care providers, preventing discrimination, enhancing autonomy, supporting medical research, and protecting the individual from unwanted exposure of sensitive health information.440 Notably, reproductive health care may include circumstances resulting in a pregnancy, considerations concerning maternal and fetal health, family genetic conditions, information concerning sexually transmitted infections, and the relationship between prospective parents (including victimization due to rape, incest, or sex trafficking). Involuntary or poorly timed disclosures can irreparably harm relationships and reputations, and even result in job loss or other negative consequences in the workplace,441 as well as investigation, civil litigation or proceedings, and prosecution for lawful activities.442 Additionally, fear of potential penalties or liability that may result from disclosing information to a health care provider about accessing reproductive health care may cast a long shadow, decreasing trust between individuals and health care providers, discouraging and deterring access to other valuable and necessary health care, or compromising ongoing or subsequent care if an individual’s medical records are not accurate or complete.443 This final rule will prevent or reduce the harms discussed here, resulting in nonquantifiable benefits to individuals and their families, friends, and health care providers.

440 See ‘‘Trust and Privacy: How Patient Trust in Providers is Related to Privacy Behaviors and Attitudes,’’ supra note 120; Paige Nong et al., ‘‘Discrimination, trust, and withholding information from providers: Implications for missing data and inequity,’’ SSM—Population Health (Apr. 7, 2022), https://www.sciencedirect.com/science/article/pii/S2352827322000714; see also S.J. Nass et al., ‘‘Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research,’’ Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule (2009), https://www.ncbi.nlm.nih.gov/books/NBK9579/.
441 See Danielle Keats Citron & Daniel J. Solove, ‘‘Privacy Harms,’’ GWU Legal Studies Research Paper No. 2021–11, GWU Law School Public Law Research Paper No. 2021–11, 102 B.U. L. Rev. 793, 830–861 (Feb. 9, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3782222.
442 See ‘‘Reclaiming Tort Law to Protect Reproductive Rights,’’ supra note 152.
In particular, the role of trust in the health care system and its importance to the provision of high-quality health care is discussed extensively in Section III of this preamble. The Department anticipates that this final rule will increase health literacy by improving access to complete information about health care options for individuals.444 For example, the prohibition on the use and disclosure of PHI for purposes of investigating or imposing liability on an individual, a person assisting them, or their health care provider for lawful health care will increase individuals’ access to complete information about their health care options because they will have increased confidence to share information about their life, including their health, with health care providers. In turn, the receipt of more complete information from patients will enable health care providers to provide more accurate and relevant medical information about lawful reproductive health care, and the new prohibition will enable them to do so without fear of serious and costly professional repercussions. This final rule will also contribute to increased access to prenatal health care at the critical early stages of pregnancy by affording individuals the assurance that they may obtain lawful reproductive health care without fearing that records related to that care would be subject to disclosure. For example, if a sexually active individual fears they or their health care providers could be subject to prosecution as a result of disclosure of their PHI, the individual may avoid informing health care providers about symptoms or asking questions of medical experts and may consequently fail to receive necessary support and health care for a pregnancy diagnosis.445 Similarly, this final rule will likely contribute to a decreased rate of maternal mortality and morbidity by improving access to information about health services.446 Additionally, this final rule will enhance the mental health and emotional well-being of individuals seeking or obtaining lawful reproductive health care by reducing fear that their PHI will be disclosed to investigate or impose liability on the individual, their health care provider, or any persons facilitating the individual’s access to lawful reproductive health care. This is especially important for individuals who need access to reproductive health care because they are survivors of rape, incest, or sex trafficking. For at least some such individuals, certain types of reproductive health care, including abortion, often remain legal even if pregnancy termination is not available to the broader population under state law.

443 See Div. of Reproductive Health, Nat’l Ctr. for Chronic Disease Prevention and Health Promotion, ‘‘Women With Chronic Conditions Struggle to Find Medications After Abortion Laws Limit Access,’’ Ctrs. for Disease Control and Prevention (Jan. 4, 2023), https://www.cdc.gov/teenpregnancy/healthcare-providers/index.htm; see also Brittni Frederiksen et al., ‘‘Abortion Bans May Limit Essential Medications for Women with Chronic Conditions,’’ Kaiser Family Foundation (Nov. 17, 2022), https://www.kff.org/womens-health-policy/issue-brief/abortion-bans-may-limit-essential-medications-for-women-with-chronic-conditions/.
444 See Lynn M. Yee et al., ‘‘Association of Health Literacy Among Nulliparous Individuals and Maternal and Neonatal Outcomes,’’ JAMA Network Open (Sept. 1, 2021), https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2783674.
The Department expects that this final rule will help to prevent or reduce re-victimization of pregnant individuals who have been subject to rape, incest, or sex trafficking by protecting their PHI from disclosure. Activities conducted to investigate and impose liability that rely on that information may be costly to defend against and thus are financially draining for the target of those activities and for persons who are not the target of the activity but whose information may be used as evidence against others. Witnesses or targets of such activities may lose time from work and incur steep legal bills that create unmanageable debt or otherwise harm the economic stability of the individual, their family, and their health care provider. In the absence of this final rule, much of these costs may be for defending against the unwanted use or disclosure of PHI. Thus, the Department expects that this final rule will contribute to families’ economic well-being by reducing the risk of exposure to costly activities to investigate or impose liability on persons for lawful activities as a result of disclosures of PHI. This final rule will also contribute to improved continuity of care and ongoing and subsequent health care for individuals, thereby improving health outcomes.

445 See ‘‘Texas Maternal Mortality and Morbidity Review Committee and Department of State Health Services Joint Biennial Report 2022,’’ supra note 123.
446 See Helen Levy & Alex Janke, ‘‘Health Literacy and Access to Care,’’ J. of Health Commc’n (2016), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4924568/; see also Brief for Zurawski, Zurawski v. State of Texas (No. D–1–GN–23–000968) (W.D. Tex. 2023), https://reproductiverights.org/wp-content/uploads/2023/03/Zurawski-v-State-of-Texas-Complaint.pdf.
If a health care provider believes that PHI is likely to be disclosed without the individual’s or the health care provider’s knowledge or consent, possibly to initiate or be used in criminal or civil proceedings against the individual, their health care provider, or others, the health care provider is more likely to omit information about an individual’s medical history or condition, leave gaps, or include inaccuracies when preparing the individual’s medical records. And if an individual’s medical records lack complete information about the individual’s health history, a subsequent health care provider may not be able to conduct an appropriate health assessment to reach a sound diagnosis and recommend the best course of action for the individual. Alternatively, health care providers may withhold from the individual full and complete information about their treatment options because of liability concerns stemming from fears about the privacy of an individual’s PHI.447 Heightened confidentiality and privacy protections enable a health care provider to feel confident maintaining full and complete patient records. Without complete patient records, an individual is less likely to receive appropriate ongoing or future health care, including correct diagnoses, and will be impeded in making informed treatment decisions.

447 See Brief for Zurawski, at 10, supra note 447.

Comparison of Benefits and Costs

A few commenters stated that the 2023 Privacy Rule NPRM reflected the staffing costs of covered entities in full. One posited that covered entities will receive more requests for PHI because of changes in the legal environment after Dobbs, which will require some regulated entities that may not typically get such requests to adjust according to the changes in the law and how it is enforced. Another commenter stated that the proposed rule did not account for higher staffing costs from more highly qualified employees.
The commenters did not provide any relevant data or discussion of methodology for how these costs should be quantified. Therefore, the Department did not include any additional labor costs in the economic analysis based on this comment. A few additional commenters expressed general concerns related to electronic health record (EHR) systems and data storage. One urged the Department to include costs associated with updating EHR systems to ensure compliance and to allow for data segmentation. Another asserted that the current classifications for different types of PHI are not clear enough for effective data segmentation, contributing to increased costs. As a result, they recommended that the Department provide clearer guidelines on the different types of PHI. The Department did not attempt to estimate additional data maintenance or EHR-related costs because any adjustments will be part of the regular cost of business for regulated entities. A commenter stated that the Department did not quantify the costs associated with violations of the rule by regulated entities, such as incurring a monetary penalty after impermissibly responding to a court order. The Department does not quantify the costs of noncompliance as part of its analysis. Whether a violation will result in a monetary penalty is dependent on numerous factors and the aim of the Department’s enforcement is to bring regulated entities into compliance. A few commenters asserted that the proposed rule would make it more difficult for law enforcement to investigate criminals for crimes related to sex and recommended that the Department quantify this cost. The Department acknowledges that the final rule may result in some changes to procedures for handling law enforcement requests for PHI; however, the burden on regulated entities is calculated in its cost estimates. The Department is unable to quantify the burdens to law enforcement resulting from this final rule. 
However, to address concerns about victims’ ability to disclose their PHI related to reproductive health care, the final rule permits individuals to authorize disclosures for any purpose, including law enforcement investigations. Therefore, the Department is not including costs to law enforcement in the quantified costs and benefits analysis. The Department expects the totality of the benefits of this final rule to outweigh the costs, particularly in light of the privacy benefits for individuals who could become pregnant (nearly one-fourth of the U.S. population in any given year) and seek access to lawful health care without the risk of their PHI being used or disclosed in furtherance of activities to conduct criminal, civil, or administrative investigations or impose liability without their authorization. The Department expects covered entities and individuals to benefit from covered entities’ increased confidence to be able to provide lawful health care according to professional standards. The Department’s qualitative benefit-cost analysis asserts that the regulatory changes in this final rule will support an individual’s privacy with respect to lawful health care, enhance the relationship between health care providers and individuals, strengthen maternal well-being and family stability, and support victims of rape, incest, and sex trafficking. The regulatory changes will also aid health care providers in developing and maintaining a high level of trust with individuals and maintaining complete and accurate medical records to aid ongoing and subsequent health care.
Greater levels of trust will further enable individuals to develop and maintain relationships with health care providers, which would enhance continuity of health care for all individuals receiving care from the health care provider, not only individuals in need of reproductive health care. The financial costs of this final rule will accrue primarily to covered entities, particularly health care providers and health plans, in the first year after implementation of a final rule, with recurring costs accruing annually at a lower rate.

B. Regulatory Alternatives to the Final Rule

In addition to regulatory proposals in the 2023 Privacy Rule NPRM that are not adopted here, the Department considered several alternatives to the policies finalized in this rule.

Define Public Health in the Context of Public Health Surveillance, Intervention, or Investigation

The Department considered alternatives to the proposed definition of ‘‘public health’’ in the context of public health surveillance, investigation, and intervention, particularly the reference to population-level activities. Specifically, the Department considered whether to add ‘‘individual-level’’ to further distinguish public health surveillance, investigation, and intervention from other activities but did not adopt this approach because it would add a new undefined term that would generate more complexity without adding clarity. The Department also considered removing ‘‘population-level’’ from the definition in this final rule, but we are not adopting that approach because it might lead people to believe that the focus of public health is not on activities benefiting the population as a whole.
Additionally, the Department considered defining ‘‘public health’’ surveillance, investigation, or intervention only in the negative—that is, by listing activities that are excluded—but decided not to adopt this approach to ensure that stakeholders understand what public health surveillance, investigation, or intervention means. Modify Prohibition To Presume That Reproductive Health Care Is Lawful Absent Actual Knowledge The Department considered adding a provision that would allow regulated entities to presume that certain requests for PHI are about reproductive health care that was lawful under the circumstances in which such health care was provided where it was provided by someone other than the regulated entity receiving the PHI request, unless the regulated entity had actual knowledge that such health care was not lawful under the circumstances in which it was provided. However, in consultation with Federal partners, the Department decided to finalize a second exception to the presumption to permit uses or disclosures of PHI where privacy interests are reduced, as compared to the societal interest in the PHI for certain non-health care purposes. This exception is available where factual information supplied by the person requesting the use or disclosure of PHI demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided. Administrative Requests by Law Enforcement The Department received reports that not all regulated entities are interpreting the administrative request provision correctly and proposed a clarification to PO 00000 Frm 00085 Fmt 4701 Sfmt 4700 33059 45 CFR 164.512(f)(1)(ii)(C). 
To address concerns that disclosures currently made under Federal agencies’ interpretations of the Privacy Act of 1974 448 would not be permitted under the NPRM proposal, the Department considered adding qualifying language to paragraph 45 CFR 164.512(f)(1)(ii)(C) to state that PHI may be disclosed by a Federal agency in response to an administrative request from law enforcement where the Federal agency is authorized, but not required, to disclose under applicable law (see, e.g., the Privacy Act and OMB 1975 Guidelines 449). However, the Department determined that the contemplated change was not necessary because the intent of the Privacy Rule was adequately captured in the clarification proposed in the NPRM and finalized in this rule at 45 CFR 164.512(f)(1)(ii)(C). As finalized, this provision permits disclosures to law enforcement in response to ‘‘an administrative request for which response is required by law, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law.’’

448 Public Law 93–579, 88 Stat. 1896 (Dec. 31, 1974) (codified at 5 U.S.C. 552a).
449 40 FR 28948, 28955 (July 9, 1975).

Scope of Prohibited Conduct

In response to public comments on the 2023 Privacy Rule NPRM, the Department considered several approaches to outlining prohibited conduct. One approach was creating a category of ‘‘highly sensitive PHI’’ and prohibiting its use and disclosure in certain proceedings based on the mere act of, for example, obtaining, providing, or aiding that category of health care. The Department did not adopt this category based on many concerns expressed in public comments. For example, distinguishing between the sensitivity of different types of PHI would require complicated subjective determinations, and prohibiting or limiting uses or disclosures of highly sensitive PHI for certain purposes could negatively affect efforts to eliminate data segmentation and further stigmatize the types of health care included in the ‘‘highly sensitive’’ category.

Another approach the Department considered was to require an attestation for all requested uses and disclosures of PHI under 45 CFR 164.512(d)–(g)(1), rather than limiting the requirement to only requested uses and disclosures of PHI potentially related to reproductive health care under such provisions. This would have reduced the burden on regulated entities to screen requested PHI for whether it contained information potentially related to reproductive health care and increased the burden on persons requesting PHI to evaluate and attest to all requests for use and disclosure of PHI under 45 CFR 164.512(d)–(g)(1). However, in recognition of the importance of oversight and law enforcement entities’ ability to obtain PHI for legitimate inquiries, the Department decided not to require an attestation for all requests under these provisions.

Requiring an Attestation Under Penalty of Perjury

The Department requested comments about the possibility of adding a required penalty of perjury statement to strengthen the attestation requirement but did not propose this statement in the 2023 Privacy Rule NPRM. After reviewing public comments on this topic, the Department considered adding a requirement that the attestation be signed by the person requesting the use or disclosure of PHI under penalty of perjury but did not adopt such a requirement in the final rule.
As discussed in greater detail above, a person who knowingly and in violation of the Administrative Simplification provisions of HIPAA obtains or discloses IIHI relating to another individual or discloses IIHI to another person is subject to criminal liability.450 Thus, a person who knowingly and in violation of HIPAA 451 falsifies an attestation (e.g., makes material misrepresentations about the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual’s IIHI could be subject to criminal penalties as outlined in the statute. The Department believes such penalties are sufficient to hold persons who knowingly submit false attestations accountable for their actions and deter such submissions entirely.

450 42 U.S.C. 1320d–6(a).
451 A person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9(b)(3) of this title) and the individual obtained or disclosed such information without authorization. Id.

Right To Request Restrictions

In the 2023 Privacy Rule NPRM, the Department requested comments regarding the right of individuals to request restrictions of uses and disclosures of their PHI. We did not propose any changes to this provision in the 2023 Privacy Rule NPRM, nor are we proposing or finalizing any modifications to it at this time. We appreciate the comments we received regarding expanding the rights to request disclosures and will take them under advisement when we consider future modifications to the Privacy Rule.

C. Regulatory Flexibility Act—Small Entity Analysis

The Department has examined the economic implications of this final rule as required by the RFA.
If a rule has a significant economic impact on a substantial number of small entities, the RFA requires agencies to analyze regulatory options that would reduce the economic effect of the rule on small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. The Act defines ‘‘small entities’’ as (1) a proprietary firm meeting the size standards of the Small Business Administration (SBA), (2) a nonprofit organization that is not dominant in its field, and (3) a small government jurisdiction of less than 50,000 population.

A few commenters raised concerns about the effects of the proposed rule on small or rural providers and requested additional analysis, guidance, or technical assistance from the Department to aid these entities. The Department did not receive any public comments on the small business analysis assumptions used in the NPRM. Accordingly, we are not changing the baseline assumptions for this final rule. We have updated our analysis of small entities for consistency with revisions to the RIA for the costs and savings for covered entities.

The Department has determined that roughly 90 percent or more of all health care providers meet the SBA size standard for a small business or are a nonprofit organization. Therefore, the Department estimates that there are 696,898 small entities affected by the final rule.452 The SBA size standard for health care providers ranges between a maximum of $16 million and $47 million in annual receipts, depending upon the type of entity.453 With respect to health insurers, the SBA size standard is a maximum of $47 million in annual receipts, and for third party administrators it is $45.5 million.454 While some insurers are classified as nonprofit, it is possible they are dominant in their market. For example, a number of Blue Cross/Blue Shield insurers are organized as nonprofit entities; yet they dominate the health insurance market in the states where they are licensed.455

452 696,898 = 774,331 × .90.
453 See U.S. Small Business Administration, Table of Small Business Size Standards (Mar. 17, 2023), https://www.sba.gov/sites/sbagov/files/2023-06/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%282%29.pdf.
454 Id.
455 Kaiser Family Foundation, ‘‘Market Share and Enrollment of Largest Three Insurers—Large Group Market’’ (2019), https://www.kff.org/other/state-indicator/market-share-and-enrollment-of-largest-three-insurers-large-group-market/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D.

For the reasons stated below, we do not expect that the cost of compliance will be significant for small entities. Nor do we expect that the cost of compliance will fall disproportionately on small entities. Although many of the covered entities affected by this final rule are small entities, they will not bear a disproportionate cost burden compared to the other entities subject to the rule. The projected total costs are discussed in detail in the RIA. The Department does not view this as a substantial burden because the result of the changes will be annualized costs per covered entity of approximately $184 [= $142.6 million 456/774,331 covered entities]. In the context of the RFA, HHS generally considers an economic impact exceeding 3 percent of annual revenue to be significant, and 5 percent or more of the affected small entities within an identified industry to represent a substantial number. The quantified impact of $184 per covered entity would only apply to covered entities whose annual revenue is $6,133 or less. We believe almost all, if not all covered entities have annual revenues that exceed this amount. Accordingly, the Department has determined that this final rule is unlikely to affect a substantial number of small entities that meet the RFA threshold. Thus, this analysis concludes, and the Secretary certifies, that the rule will not result in a significant economic effect on a substantial number of small entities.

456 This figure represents annualized costs discounted at a 3% rate.

D. Executive Order 13132—Federalism

As required by E.O. 13132 on Federalism, the Department has examined the provisions in both the proposed and final regulation for their effects on the relationship between the Federal Government and the states. In the Department’s view, the final regulation may have federalism implications because it may have direct effects on the states, the relationship between the Federal Government and states, and on the distribution of power and responsibilities among various levels of government relating to the disclosure of PHI. The changes from this final rule flow from and are consistent with the underlying statute, which authorizes the Secretary to issue regulations that govern the privacy of PHI. The statute provides that, with limited exceptions, such regulations supersede contrary provisions of state law unless the provision of state law imposes more stringent privacy protections than the Federal law.457 Section 3(b) of E.O. 13132 recognizes that national action limiting the policymaking discretion of states will be imposed only where there is constitutional and statutory authority for the action and the national activity is appropriate when considering a problem of national significance. The privacy of PHI is of national concern by virtue of the scope of interstate health commerce.

457 42 U.S.C. 1320d–7(a)(1).

As described in the preamble to the proposed rule and this final rule, recent state actions affecting reproductive health care have undermined the longstanding expectation among individuals in all states that their highly sensitive reproductive health information will remain private and not be used against them for seeking or obtaining legal health care. These state actions thus directly threaten the trust that is essential to ensuring access to, and quality of, lawful health care. HIPAA’s provisions reflect this position by authorizing the Secretary to promulgate regulations to implement the Privacy Rule. Section 4(a) of E.O. 13132 expressly contemplates preemption when there is a conflict between exercising state and Federal authority under a Federal statute. Section 4(b) of the E.O. authorizes preemption of state law in the Federal rulemaking context when ‘‘the exercise of State authority directly conflicts with the exercise of Federal authority under the Federal statute.’’ The approach in this regulation is consistent with the standards in the E.O. because it supersedes state authority only when such authority is inconsistent with standards established pursuant to the grant of Federal authority under the statute. State and local laws that impinge on the privacy protections for PHI of individuals who obtain lawful reproductive health care undermine Congress’ directive to develop a health information system for the purpose of improving the effectiveness of the health care system, which requires that all individuals who receive health care legally are assured a minimum level of privacy for their PHI. Congress established specific, narrow exceptions to preemption that did not include the use or disclosure of an individual’s medical records for law enforcement purposes generally.
Nor did Congress include a specific exception to preemption that would permit states to use PHI against that individual, health care providers, or third parties merely for seeking, obtaining, providing, or facilitating lawful health care.458 Both the personal and public interest is served by protecting PHI so as not to undermine an individual’s access to and quality of lawful health care services and their trust in the health care system.

458 42 U.S.C. 1320d–7(a)(2)(A).

The Department anticipates that the most significant direct costs on state and local governments would be the cost for state and local government-operated covered entities to revise business associate agreements, revise policies and procedures, update the NPP, update training programs, and process requests for disclosures for which an attestation is required. These costs would be similar in kind to those borne by nongovernment operated covered entities. In addition, the Department anticipates that approximately half of the states may choose to file a request for an exception to preemption. The longstanding regulatory provisions that govern preemption exception requests under the HIPAA Rules would remain undisturbed by this rule.459 However, based on the legal developments in some states that are described elsewhere in this preamble, the Department anticipates that in the first year of implementation of a final rule, more states will submit requests for exceptions from preemption than have done so in the past. The RIA above addresses these costs in detail.

459 45 CFR 160.201 through 160.205.

Pursuant to the requirements set forth in section 8(a) of E.O. 13132, and by the signature affixed to the final rule, the Department certifies that it has complied with the requirements of E.O. 13132, including review and consideration of comments from state and local government officials and the public about the interaction of this rule with state activity, for the final rule in a meaningful and timely manner.

E. Assessment of Federal Regulation and Policies on Families

Section 654 of the Treasury and General Government Appropriations Act of 1999 460 requires Federal departments and agencies to determine whether a proposed policy or regulation could affect family well-being. If the determination is affirmative, then the Department or agency must prepare an impact assessment to address criteria specified in the law. This final rule is expected to strengthen the stability of the family and marital commitment because it protects individual privacy in the context of sensitive decisions about family planning. The rule may be carried out only by the Federal Government because it would modify Federal health privacy law, ensuring that American families have confidence in the privacy of their information about lawful reproductive health care, regardless of the state where they are located when health care is provided. Such health care privacy is vital for individuals who may become pregnant or who are capable of becoming pregnant.

460 Public Law 105–277, 112 Stat. 2681 (Oct. 21, 1998).

F. Paperwork Reduction Act of 1995

Under the Paperwork Reduction Act of 1995 461 (PRA), agencies are required to submit to OMB for review and approval any reporting or recordkeeping requirements inherent in a proposed or final rule and are required to publish such proposed requirements for public comment. To fairly evaluate whether an information collection should be approved by the OMB, section 3506(c)(2)(A) of the PRA requires that the Department solicit comment on the following issues:
1. Whether the information collection is necessary and useful to carry out the proper functions of the agency;
2. The accuracy of the agency’s estimate of the information collection burden;
3. The quality, utility, and clarity of the information to be collected; and
4. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

461 Public Law 104–13, 109 Stat. 163 (May 22, 1995).

The PRA requires consideration of the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section. The Department considered public comments on its assumptions and burden estimates in the 2023 Privacy Rule NPRM and addresses those comments above in the discussion of benefits and costs of this final rule. In this RIA, the Department is revising certain information collection requirements associated with this final rule and, as such, is revising the information collection last prepared in 2023 and approved under OMB control #0945–0003. The revised information collection describes all new and adjusted information collection requirements for covered entities pursuant to the implementing regulation for HIPAA at 45 CFR parts 160 and 164, the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (‘‘HIPAA Rules’’). The estimated annual labor burden presented by the regulatory modifications in the first year of implementation, including nonrecurring and recurring burdens, is 4,584,224 burden hours at a cost of $582,242,165 462 and $20,910,207 of estimated annual labor costs in years two through five. The overall total burden for respondents to comply with the information collection requirements of all of the HIPAA Privacy, Security, and Breach Notification Rules, including nonrecurring and recurring burdens presented by program changes, is 953,982,236 burden hours at a cost of $107,336,705,941, plus $197,364,010 in capital costs for a total estimated annual burden of $107,534,069,951 in the first year following the effective date of the final rule.

462 This includes an increase of 416 burden hours and $36,442 in costs added to the existing information collection for requesting exemption determinations under 45 CFR 160.204.

Details describing the burden analysis for the proposals associated with this RIA are presented below and explained further in the ICR associated with this final rule.

Explanation of Estimated Annualized Burden Hours

Below is a summary of the significant program changes and adjustments made since the approved 2023 ICR; because the ICR addresses regulatory burdens associated with the full suite of HIPAA Rules, the changes and adjustments include updated data and estimates for some provisions of the HIPAA Rules that are not affected by this final rule. These program changes and adjustments form the bases for the burden estimates presented in the ICR associated with this RIA.

Adjusted Estimated Annual Burdens of Compliance

(1) Increasing the number of covered entities from 700,000 to 774,331 based on program change.
(2) Increasing the number of respondents requesting exceptions to state law preemption from 1 to 27 based on an expected reaction by states that have enacted restrictions on reproductive health care access.
(3) Increasing the burden hours by a factor of two for responding to individuals’ requests for restrictions on disclosures of their PHI under 45 CFR 164.522 to represent a doubling of the expected requests.
(4) Updating the number of breaches for which notification is required to reflect data in OCR’s 2022 Report to Congress 463 and related burdens.
(5) Increasing the number of estimated uses and disclosures for research purposes.
(6) Increasing the total number of NPPs distributed by health plans by 50% to total 300,000,000 due to the increase in number of Americans with health coverage.

463 See Off. for Civil Rights, ‘‘Annual Report to Congress on Breaches of Unsecured Protected Health Information,’’ U.S. Dep’t of Health and Human Servs. (2022), https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/.

New Burdens Resulting from Program Changes

In addition to these changes, the Department added new annual burdens as a result of program changes in the final rule:
(1) A nonrecurring burden of 1 hour for each of 350,000 business associate agreements that is likely to be revised as a result of the changes to handling requests for PHI under 45 CFR 164.512(d), (e), (f), and (g)(1), to allocate responsibilities between covered entities and their release-of-information contractors.
(2) A recurring burden of 5 minutes per request for staff to determine whether an attestation is required for disclosure under 45 CFR 164.509.
(3) A recurring burden of 1 hour per request for legal review of whether certain requests identified by staff as potentially requiring an attestation pertain to the lawfulness of reproductive health care.
(4) A recurring burden of 3 hours per request for a percentage of requests requiring legal review that might require additional manager review to determine whether the requirements at 45 CFR 164.509 are met.
(5) A nonrecurring burden of 50 minutes per covered entity to update the required content of its NPP.
(6) A nonrecurring burden of 15 minutes per covered entity for posting an updated NPP online.
(7) A nonrecurring burden of 2.5 hours for each covered entity to update its policies and procedures.
(8) A nonrecurring burden of 90 minutes for each covered entity to update the content of its HIPAA training program.

List of Subjects

45 CFR Part 160

Health care, Health records, Preemption, Privacy, Public health, Reproductive health care.

45 CFR Part 164

Health care, Health records, Privacy, Public health, Reporting and recordkeeping requirements, Reproductive health care.
For the reasons stated in the preamble, the Department of Health and Human Services amends 45 CFR subtitle A, subchapter C, parts 160 and 164 as set forth below: PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS 1. The authority citation for part 160 continues to read as follows: ■ Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d–1320d–9; sec. 264, Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2 (note)); 5 U.S.C. 552; secs. 13400–13424, Pub. L. 111–5, 123 Stat. 258–279; and sec. 1104 of Pub. L. 111–148, 124 Stat. 146–154. 2. Amend § 160.103 by: a. Revising the definition of ‘‘Person’’; and ■ b. Adding in alphabetical order the definitions of ‘‘Public health’’ and ‘‘Reproductive health care’’. The revision and additions read as follows: ■ ■ § 160.103 Definitions. * * * * * Person means a natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private. * * * * * Public health, as used in the terms ‘‘public health surveillance,’’ ‘‘public health investigation,’’ and ‘‘public health intervention,’’ means populationlevel activities to prevent disease in and promote the health of populations. Such activities include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of protected health information. But such activities do not include those with any of the following purposes: (1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care. (2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care. E:\FR\FM\26APR5.SGM 26APR5 Federal Register / Vol. 89, No. 
82 / Friday, April 26, 2024 / Rules and Regulations (3) To identify any person for any of the activities described at paragraphs (1) or (2) of this definition. Reproductive health care means health care, as defined in this section, that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care. * * * * * PART 164—SECURITY AND PRIVACY 3. The authority citation for part 164 continues to read as follows: ■ Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d–1320d–9; sec. 264, Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d– 2(note)); and secs. 13400–13424, Pub. L. 111– 5, 123 Stat. 258–279. 4. Amend § 164.502 by a. Revising paragraph (a)(1)(vi); b. Adding paragraph (a)(5)(iii); and c. Revising paragraph (g)(5). The addition and revisions read as follows: ■ ■ ■ ■ ddrumheller on DSK120RN23PROD with RULES5 § 164.502 Uses and disclosures of protected health information: General rules. (a) * * * (1) * * * (vi) As permitted by and in compliance with any of the following: (A) This section. (B) Section 164.512 and, where applicable, § 164.509. (C) Section 164.514(e), (f), or (g). * * * * * (5) * * * (iii) Reproductive health care—(A) Prohibition. Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: (1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. (2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. 
(3) To identify any person for any purpose described in paragraphs (a)(5)(iii)(A)(1) or (2) of this section. (B) Rule of applicability. The prohibition at paragraph (a)(5)(iii)(A) of this section applies only where the relevant activity is in connection with any person seeking, obtaining, providing, or facilitating reproductive VerDate Sep<11>2014 20:54 Apr 25, 2024 Jkt 262001 health care, and the covered entity or business associate that received the request for protected health information has reasonably determined that one or more of the following conditions exists: (1) The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided. (2) The reproductive health care is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided. (3) The presumption at paragraph (a)(5)(iii)(C) of this section applies. (C) Presumption. The reproductive health care provided by another person is presumed lawful under paragraph (a)(5)(iii)(B)(1) or (2) of this section unless the covered entity or business associate has any of the following: (1) Actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided. (2) Factual information supplied by the person requesting the use or disclosure of protected health information that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided. (D) Scope. 
For the purposes of this subpart, seeking, obtaining, providing, or facilitating reproductive health care includes, but is not limited to, any of the following: expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same. * * * * * (g) * * * (5) Implementation specification: Abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative, provided that the conditions at paragraphs (g)(5)(i) and (ii) of this section are met: (i) Paragraphs (g)(5)(i)(A) and (B) of this section both apply. (A) The covered entity has a reasonable belief that any of the following is true: (1) The individual has been or may be subjected to domestic violence, abuse, or neglect by such person. PO 00000 Frm 00089 Fmt 4701 Sfmt 4700 33063 (2) Treating such person as the personal representative could endanger the individual. (B) The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative. (ii) The covered entity does not have a reasonable belief under paragraph (g)(5)(i)(A) of this section if the basis for their belief is the provision or facilitation of reproductive health care by such person for and at the request of the individual. * * * * * ■ 5. Add § 164.509 to read as follows: § 164.509 Uses and disclosures for which an attestation is required. (a) Standard: Attestations for certain uses and disclosures of protected health information to persons other than covered entities or business associates. 
(1) A covered entity or business associate may not use or disclose protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), without obtaining an attestation that is valid under paragraph (b)(1) of this section from the person requesting the use or disclosure and complying with all applicable conditions of this part. (2) A covered entity or business associate that uses or discloses protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), in reliance on an attestation that is defective under paragraph (b)(2) of this section, is not in compliance with this section. (b) Implementation specifications: General requirements—(1) Valid attestations. (i) A valid attestation is a document that meets the requirements of paragraph (c)(1) of this section. (ii) A valid attestation verifies that the use or disclosure is not otherwise prohibited by § 164.502(a)(5)(iii). (iii) A valid attestation may be electronic, provided that it meets the requirements in paragraph (c)(1) of this section, as applicable. (2) Defective attestations. An attestation is not valid if the document submitted has any of the following defects: (i) The attestation lacks an element or statement required by paragraph (c) of this section. (ii) The attestation contains an element or statement not required by paragraph (c) of this section (iii) The attestation violates paragraph (b)(3) of this section. E:\FR\FM\26APR5.SGM 26APR5 ddrumheller on DSK120RN23PROD with RULES5 33064 Federal Register / Vol. 89, No. 82 / Friday, April 26, 2024 / Rules and Regulations (iv) The covered entity or business associate has actual knowledge that material information in the attestation is false. 
(v) A reasonable covered entity or business associate in the same position would not believe that the attestation is true with respect to the requirement at paragraph (c)(1)(iv) of this section. (3) Compound attestation. An attestation may not be combined with any other document except where such other document is needed to satisfy the requirements at paragraph (c)(iv) of this section or at § 164.502(a)(5)(iii)(C), as applicable. (c) Implementation specifications: Content requirements and other obligations—(1) Required elements. A valid attestation under this section must contain the following elements: (i) A description of the information requested that identifies the information in a specific fashion, including one of the following: (A) The name of any individual(s) whose protected health information is sought, if practicable. (B) If including the name(s) of any individual(s) whose protected health information is sought is not practicable, a description of the class of individuals whose protected health information is sought. (ii) The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure. (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity is to make the requested use or disclosure. (iv) A clear statement that the use or disclosure is not for a purpose prohibited under § 164.502(a)(5)(iii). (v) A statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person. (vi) Signature of the person requesting the protected health information, which may be an electronic signature, and date. 
If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided.

(2) Plain language requirement. The attestation must be written in plain language.

(d) Material misrepresentations. If, during the course of using or disclosing protected health information in reasonable reliance on a facially valid attestation, a covered entity or business associate discovers information reasonably showing that any representation made in the attestation was materially false, leading to a use or disclosure for a purpose prohibited under § 164.502(a)(5)(iii), the covered entity or business associate must cease such use or disclosure.

* * * * *

■ 6. Amend § 164.512 by:
■ a. Revising the introductory text and the paragraph (c) paragraph heading;
■ b. Adding paragraph (c)(3); and
■ c. Revising paragraph (f)(1)(ii)(C) introductory text.

The revisions and addition read as follows:

§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.

Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity’s information and the individual’s agreement may be given verbally.

* * * * *

(c) Standard: Disclosures about victims of abuse, neglect, or domestic violence—* * *

(3) Rule of construction.
Nothing in this section shall be construed to permit disclosures prohibited by § 164.502(a)(5)(iii) when the sole basis of the report of abuse, neglect, or domestic violence is the provision or facilitation of reproductive health care.

* * * * *

(f) * * *
(1) * * *
(ii) * * *
(C) An administrative request for which response is required by law, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:

* * * * *

■ 7. Amend § 164.520 by:
■ a. Revising and republishing paragraphs (a) and (b); and
■ b. Adding paragraph (d)(4).

The revisions and additions read as follows:

§ 164.520 Notice of privacy practices for protected health information.

* * * * *

(a) Standard: Notice of privacy practices—(1) Right to notice. Except as provided by paragraph (a)(3) or (4) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information.

(2) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual’s rights and the covered entity’s legal duties with respect to such records.

(3) Exception for group health plans.
(i) An individual enrolled in a group health plan has a right to notice:
(A) From the group health plan, if, and to the extent that, such an individual does not receive health benefits under the group health plan through an insurance contract with a health insurance issuer or HMO; or
(B) From the health insurance issuer or HMO with respect to the group health plan through which such individuals receive their health benefits under the group health plan.
(ii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in § 164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must:
(A) Maintain a notice under this section; and
(B) Provide such notice upon request to any person. The provisions of paragraph (c)(1) of this section do not apply to such group health plan.
(iii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and does not create or receive protected health information other than summary health information as defined in § 164.504(a) or information on whether an individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, is not required to maintain or provide a notice under this section.

(4) Exception for inmates. An inmate does not have a right to notice under this section, and the requirements of this section do not apply to a correctional institution that is a covered entity.
(b) Implementation specifications: Content of notice—(1) Required elements. The covered entity, including any covered entity receiving or maintaining records subject to 42 U.S.C. 290dd-2, must provide a notice that is written in plain language and that contains the elements required by this paragraph.

(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed: ‘‘THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.’’

(ii) Uses and disclosures. The notice must contain:
(A) A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for each of the following purposes: treatment, payment, and health care operations.
(B) A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual’s written authorization.
(C) If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, such as 42 CFR part 2, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202 of this subchapter.
(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law, such as 42 CFR part 2.
(E) A description of the types of uses and disclosures that require an authorization under § 164.508(a)(2)–(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization, and a statement that the individual may revoke an authorization as provided by § 164.508(b)(5).
(F) A description, including at least one example, of the types of uses and disclosures prohibited under § 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition.
(G) A description, including at least one example, of the types of uses and disclosures for which an attestation is required under § 164.509.
(H) A statement adequate to put the individual on notice of the potential for information disclosed pursuant to this subpart to be subject to redisclosure by the recipient and no longer protected by this subpart.

(iii) Separate statements for certain uses or disclosures.
If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable:
(A) In accordance with § 164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications;
(B) In accordance with § 164.504(f), the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan;
(C) If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes;
(D) Substance use disorder treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2.
A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed; or
(E) If a covered entity that creates or maintains records subject to 42 CFR part 2 intends to use or disclose such records for fundraising for the benefit of the covered entity, the individual must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications.

(iv) Individual rights. The notice must contain a statement of the individual’s rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows:
(A) The right to request restrictions on certain uses and disclosures of protected health information as provided by § 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under § 164.522(a)(1)(vi);
(B) The right to receive confidential communications of protected health information as provided by § 164.522(b), as applicable;
(C) The right to inspect and copy protected health information as provided by § 164.524;
(D) The right to amend protected health information as provided by § 164.526;
(E) The right to receive an accounting of disclosures of protected health information as provided by § 164.528; and
(F) The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request.

(v) Covered entity’s duties.
The notice must contain:
(A) A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices, and to notify affected individuals following a breach of unsecured protected health information;
(B) A statement that the covered entity is required to abide by the terms of the notice currently in effect; and
(C) For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.

(vi) Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.

(vii) Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by § 164.530(a)(1)(ii).

(viii) Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.

(2) Optional elements.
(i) In addition to the information required by paragraph (b)(1) of this section, if a covered entity elects to limit the uses or disclosures that it is permitted to make under this subpart, the covered entity may describe its more limited uses or disclosures in its notice, provided that the covered entity may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted by § 164.512(j)(1)(i).
(ii) For the covered entity to apply a change in its more limited uses and disclosures to protected health information created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), the notice must include the statements required by paragraph (b)(1)(v)(C) of this section.

(3) Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual’s rights, the covered entity’s legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.

* * * * *

(d) * * *

* * * * *

(4) The permission in paragraph (d) of this section for covered entities that participate in an organized health care arrangement to issue a joint notice may not be construed to remove any obligations or duties of entities creating or maintaining records subject to 42 U.S.C. 290dd-2, or to remove any rights of patients who are the subjects of such records.

* * * * *

■ 8. Add § 164.535 to read as follows:

§ 164.535 Severability.
If any provision of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy is held to be invalid or unenforceable facially, or as applied to any person, plaintiff, or circumstance, it shall be construed to give maximum effect to the provision permitted by law, unless such holding shall be one of utter invalidity or unenforceability, in which case the provision shall be severable from this part and shall not affect the remainder thereof or the application of the provision to other persons not similarly situated or to other dissimilar circumstances.

* * * * *

Xavier Becerra,
Secretary, Department of Health and Human Services.

[FR Doc. 2024–08503 Filed 4–22–24; 4:15 pm]
BILLING CODE 4153–01–P
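A checker that applies the § 164.509 attestation conditions set out above to a PHI request, as an added example (not part of the rule and not an HHS or OCR tool): it gates a disclosure for a § 164.512(d) through (g)(1) purpose on an attestation that contains each (c)(1) element, carries nothing extra, is not combined with other documents beyond the (b)(3) exceptions, and is not known or reasonably believed to be false. The record's field names and the sample attestation are this example's own assumptions; the rule prescribes content, not a data format.

```python
"""Attestation gate for PHI requests under 45 CFR 164.509 (added example).

Encodes (a)(1) (when an attestation is required), (b)(2) (defects), (b)(3)
(compound attestations) and (c)(1) (required elements) as checks over a
structured record whose field names are assumptions of this example.
"""

# (a)(1): purposes for which a valid attestation is a precondition.
ATTESTATION_REQUIRED_PURPOSES = frozenset(
    {"164.512(d)", "164.512(e)", "164.512(f)", "164.512(g)(1)"}
)

# Assumed record fields, each mapped to the (c)(1) element it carries.  A
# field outside this set is an element "not required by paragraph (c)",
# which (b)(2)(ii) makes a defect.
PERMITTED_FIELDS = {
    "individual_names": "(c)(1)(i)(A)",
    "class_description": "(c)(1)(i)(B)",
    "requested_from": "(c)(1)(ii)",
    "recipient": "(c)(1)(iii)",
    "not_prohibited_statement": "(c)(1)(iv)",
    "penalty_statement": "(c)(1)(v)",
    "signature": "(c)(1)(vi)",
    "signed_on": "(c)(1)(vi)",
    "representative_authority": "(c)(1)(vi)",
}

PROHIBITION_CITE = "164.502(a)(5)(iii)"
PENALTY_CITE = "42 U.S.C. 1320d-6"

# (b)(3): the only documents that may accompany an attestation are those
# needed for the (c)(1)(iv) statement or for 164.502(a)(5)(iii)(C).
ALLOWED_ATTACHMENT_BASES = frozenset({"(c)(1)(iv)", "164.502(a)(5)(iii)(C)"})


def requires_attestation(purpose: str) -> bool:
    """(a)(1): is the request for a 164.512(d), (e), (f) or (g)(1) purpose?"""
    return purpose in ATTESTATION_REQUIRED_PURPOSES


def find_defects(att, attachments=(), actual_knowledge_false=False,
                 reasonable_belief=True):
    """Return the (b)(2)/(b)(3) defects found; an empty list means valid."""
    defects = []
    # (b)(2)(ii): an element the rule does not call for is itself a defect.
    for extra in sorted(set(att) - set(PERMITTED_FIELDS)):
        defects.append(f"(b)(2)(ii): element not required by (c): {extra!r}")
    # (c)(1)(i): name(s) if practicable, otherwise a class of individuals.
    if not att.get("individual_names") and not att.get("class_description"):
        defects.append("(c)(1)(i): neither individual name(s) nor a class given")
    # (c)(1)(ii)/(iii): who is asked to disclose, and to whom.
    for name in ("requested_from", "recipient"):
        if not att.get(name):
            defects.append(f"{PERMITTED_FIELDS[name]}: {name} missing")
    # (c)(1)(iv): clear statement that the purpose is not a prohibited one.
    if PROHIBITION_CITE not in att.get("not_prohibited_statement", ""):
        defects.append("(c)(1)(iv): no clear statement that the use or "
                       f"disclosure is not prohibited under {PROHIBITION_CITE}")
    # (c)(1)(v): criminal-penalty statement.
    if PENALTY_CITE not in att.get("penalty_statement", ""):
        defects.append(f"(c)(1)(v): no penalty statement citing {PENALTY_CITE}")
    # (c)(1)(vi): signature (electronic allowed) and date; a representative
    # must also describe their authority to act for the requester.
    sig = att.get("signature") or {}
    if not sig.get("signer") or not att.get("signed_on"):
        defects.append("(c)(1)(vi): signature or date missing")
    elif sig.get("on_behalf_of") and not att.get("representative_authority"):
        defects.append("(c)(1)(vi): representative's authority not described")
    # (b)(3), via (b)(2)(iii): no compound attestation beyond the allowed bases.
    for doc in attachments:
        if doc.get("needed_for") not in ALLOWED_ATTACHMENT_BASES:
            defects.append(f"(b)(2)(iii): combined with {doc.get('name')!r}")
    # (b)(2)(iv)/(v): the recipient's own knowledge and reasonable belief.
    if actual_knowledge_false:
        defects.append("(b)(2)(iv): actual knowledge of a false material statement")
    if not reasonable_belief:
        defects.append("(b)(2)(v): reasonable entity would not believe (c)(1)(iv)")
    return defects


def may_disclose(purpose, att=None, **kwargs):
    """Gate: permitted only if no attestation is needed or the one given is valid."""
    if not requires_attestation(purpose):
        return True
    return att is not None and not find_defects(att, **kwargs)


# Constructed sample record (names and date are made up for this example).
VALID_ATTESTATION = {
    "individual_names": ["Example Patient"],
    "requested_from": "Example Clinic, Health Information Management",
    "recipient": "Example Agency, Records Unit",
    "not_prohibited_statement": "The requested disclosure is not for a purpose "
                                "prohibited under 45 CFR 164.502(a)(5)(iii).",
    "penalty_statement": "A person may be subject to criminal penalties under "
                         "42 U.S.C. 1320d-6 if that person knowingly and in "
                         "violation of HIPAA obtains or discloses IIHI.",
    "signature": {"signer": "A. Requester", "electronic": True},
    "signed_on": "2024-12-23",
}
```

The (d) material-misrepresentation duty is not modelled here: once a disclosure is under way, a later discovery that a representation was materially false is a separate trigger to stop, not a defect in the document as submitted.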
and our analysis of the state of privacy for IIHI.
---------------------------------------------------------------------------

    \15\ 88 FR 23506 (Apr. 17, 2023).
---------------------------------------------------------------------------

    This final rule (``2024 Privacy Rule'') amends provisions of the 
Privacy Rule to strengthen privacy protections for highly sensitive PHI 
about the reproductive health care of an individual, and directly 
advances the purposes of HIPAA by setting minimum protections for PHI 
and providing peace of mind that is essential to individuals' ability 
to obtain lawful reproductive health care. This final rule balances the 
interests of society in obtaining PHI for non-health care purposes with 
the interests of the individual, the Federal Government, and society in 
protecting individual privacy, thereby improving the effectiveness of 
the health care system by ensuring that persons are not deterred from 
seeking, obtaining, providing, or facilitating reproductive health care 
that is lawful under the circumstances in which such health care is 
provided.
    The Department carefully analyzed state prohibitions and 
restrictions on an individual's ability to obtain high-quality health 
care and their effects on health information privacy and the 
relationships between individuals and their health care providers after 
Dobbs; assessed trends in state legislative activity with respect to 
the privacy of PHI; and conducted a thorough review of the text, 
history, and purposes of HIPAA and the Privacy Rule. The Department 
also engaged in extensive discussions with HHS agencies and other 
Federal departments, including the Department of Justice; consulted 
with the National Committee on Vital and Health Statistics (NCVHS) and 
the Attorney General as required by section 264(d) of HIPAA, and with 
Indian Tribes as required by Executive Order 13175; \16\ held listening 
sessions with and reviewed correspondence from stakeholders, including 
covered entities, states, individuals, and patient advocates; and 
reviewed correspondence to HHS from Members of Congress.\17\ The 
modifications made to the Privacy Rule by this final rule are the 
result of this work.
---------------------------------------------------------------------------

    \16\ See 65 FR 67249 (Nov. 11, 2000). See also Presidential 
Memorandum on Tribal Consultation and Strengthening Nation-to-Nation 
Relationships (Jan. 26, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/01/26/memorandum-on-tribal-consultation-and-strengthening-nation-to-nation-relationships/ and 
Dep't of Health and Human Servs., Tribal Consultation Policy, 
https://www.hhs.gov/sites/default/files/iea/tribal/tribalconsultation/hhs-consultation-policy.pdf. See also 88 FR 23506 
(Apr. 17, 2023) (notice of Tribal consultation). The Department 
consulted with representatives of Tribal Nations on May 17, 2023. 
During the consultation, the representatives raised issues of health 
inequities and privacy of health information, specifically among 
American Indians and Alaskan Natives after Dobbs.
    \17\ Letter from U.S. Senator Tammy Baldwin et al. to HHS Sec'y 
Xavier Becerra (Mar. 7, 2023) (addressing HIPAA privacy regulations 
and Dobbs v. Jackson Women's Health Organization). Letter from U.S. 
Senator Patty Murray et al. to HHS Sec'y Xavier Becerra (Sept. 13, 
2022) (addressing HIPAA privacy regulations and Dobbs v. Jackson 
Women's Health Organization). Letter from U.S. Representative Earl 
Blumenauer et al. to HHS Sec'y Xavier Becerra (Aug. 30, 2022) 
(addressing HIPAA privacy regulations and Dobbs v. Jackson Women's 
Health Organization). Letter from U.S. Senator Michael F. Bennet et 
al. to HHS Sec'y Xavier Becerra (July 1, 2022) (addressing HIPAA 
privacy regulations and Dobbs v. Jackson Women's Health 
Organization).
---------------------------------------------------------------------------

B. Effective and Compliance Dates

1. 2023 Privacy Rule NPRM
    In the 2023 Privacy Rule NPRM, the Department proposed an effective 
date for a final rule that would occur 60 days after publication, and a 
compliance date that would occur 180 days after the effective date.\18\ 
Taken together, the two dates would give entities 240 days after 
publication to implement compliance measures. In the preamble to the 
proposed rule, the Department stated that it did not believe that the 
proposed rule would pose unique implementation challenges that would 
justify an extended compliance period (i.e., a period longer than the 
standard 180 days provided in 45 CFR 160.105).\19\ The Department also 
asserted that adherence to the standard compliance period is necessary 
to timely address the circumstances described in the 2023 Privacy Rule 
NPRM.
---------------------------------------------------------------------------

    \18\ See 88 FR 23506, 23510 (Apr. 17, 2023).
    \19\ See id.
---------------------------------------------------------------------------

2. Overview of Comments
    A commenter urged the Department to move quickly to issue the final 
rule and to provide a 180-day compliance period 
as proposed. Some commenters requested that the Department provide 
additional time for regulated entities to comply with the proposed 
modifications to the Privacy Rule. Several commenters requested that 
the Department coordinate compliance deadlines across its rulemakings, 
while a few commenters specifically encouraged the Department to 
provide additional time for compliance with the modifications to the 
Notice of Privacy Practices (NPP) requirements proposed in the 2023 
Privacy Rule NPRM.
3. Final Rule
    This final rule is effective on June 25, 2024. Covered entities and 
business associates of all sizes will have 180 days beyond the 
effective date of the final rule to comply with the final rule's 
provisions, with the exception of the NPP provisions, which we address 
separately below. We understand that some covered entities and business 
associates remain concerned that a 180-day period may not provide 
sufficient time to come into compliance with the modified requirements. 
However, we believe that providing a 180-day compliance period best 
comports with section 1175(b)(2) of the Social Security Act of 1935 
(SSA), 42 U.S.C. 1320d-4, and our implementing provision at 45 CFR 
160.104(c)(1), which require the Secretary to provide at least a 180-
day period for covered entities to comply with modifications to 
standards and implementation specifications in the HIPAA Rules, and 
also that providing a 180-day compliance period best protects the 
privacy and security of individuals' PHI in a timely manner that 
reflects the urgency of addressing the changes in the legal landscape 
and their effects on individuals, regulated entities, and other 
persons, while balancing the burden imposed upon regulated entities of 
implementing this final rule.
    Section 160.104(a) permits the Department to adopt a modification 
to a standard or implementation specification adopted under the Privacy 
Rule no more frequently than once every 12 months.\20\ As discussed 
above, we are required to provide a minimum of a 180-day compliance 
period when adopting a modification, but we are permitted to provide a 
longer compliance period based on the extent of the modification and 
the time needed to comply with the modification in determining the 
compliance date for the modification.\21\ The Department makes every 
effort to consider the burden and cost of implementation for regulated 
entities when determining an appropriate compliance date.
---------------------------------------------------------------------------

    \20\ 45 CFR 160.104(a).
    \21\ 45 CFR 160.104(c)(2).
---------------------------------------------------------------------------

    While we recognize that regulated entities will need to revise and 
implement changes to their policies and procedures in response to the 
modifications in this final rule, we do not believe that these changes 
are so significant as to require more than a 180-day compliance period. 
This final rule narrowly tailors the application of its changes to 
certain limited circumstances involving lawful reproductive health care 
and clarifies that regulated entities are not expected to know or be 
aware of laws other than those with which they are required to comply. 
While it adds a condition to certain requests for uses and disclosures, 
the affected requests already require careful review by regulated 
entities for compliance with previously imposed conditions. Thus, we do 
not believe it will be difficult for regulated entities to adjust their 
policies and procedures to accommodate this new requirement. The other 
modifications finalized in this rule are in service of implementing the 
two changes above and impose minimal burden on regulated entities. 
Additionally, the Department believes, based on its evaluation of the 
evolving privacy landscape, that the changes made by this final rule 
are of particular urgency. Accordingly, we believe that a 180-day 
compliance period, combined with a 60-day effective date, is sufficient 
for regulated entities to make the changes required by most of the 
modifications in this final rule, with the exception of the NPP 
provisions.
    We separately consider the question of the compliance date for the 
modifications to the NPP provisions. In the 2022 Confidentiality of 
Substance Use Disorder (SUD) Patient Records NPRM (``2022 Part 2 
NPRM''),\22\ the Department proposed, among other things, to revise 45 
CFR 164.520 as required by section 3221 of the Coronavirus Aid, Relief, 
and Economic Security (CARES) Act.\23\ The Department proposed to 
provide the same compliance date for both the proposed modifications to 
45 CFR 164.520 and the more extensive modifications to 42 CFR part 2 
(``Part 2'').\24\ The 2024 Confidentiality of Substance Use Disorder 
(SUD) Patient Records Final Rule (``2024 Part 2 Rule'') explicitly 
noted that the Department was not finalizing the proposed modifications 
to the NPP provisions at that time, but that we planned to do so in a 
future HIPAA final rule.\25\ The Department also acknowledged that some 
covered entities might have NPPs that would not reflect updated changes 
to policies and procedures addressing how Part 2 records are used and 
disclosed. Rather than requiring covered entities to revise their NPPs 
twice in a short period of time, the Department announced in the 2024 
Part 2 Rule that it would exercise enforcement discretion related to 
the requirement that covered entities update their NPPs whenever 
material changes are made to privacy practices until the compliance 
date established by a future HIPAA final rule.\26\ The Department is 
finalizing the modifications to the NPP required by section 3221 of the 
CARES Act in this rule and aligning the effective and compliance dates 
for all of the modified NPP requirements with those of the 2024 Part 2 
Rule.
---------------------------------------------------------------------------

    \22\ 87 FR 74216 (Dec. 2, 2022).
    \23\ Public Law 116-136, 134 Stat. 281 (Mar. 27, 2020).
    \24\ 89 FR 12472 (Feb. 16, 2024).
    \25\ Id. at 12482, 12528, and 12530.
    \26\ Id. at 12482, 12528, and 12530.
---------------------------------------------------------------------------

    The compliance date of the 2024 Part 2 Rule is February 16, 2026, 
substantially later than the compliance date for most of this final 
rule, because of the significant changes required for compliance with 
the 2024 Part 2 Rule. Accordingly, in compliance with 45 CFR 160.104 
and consistent with the NPP proposals included in the 2022 Part 2 NPRM 
and public comment, we are aligning the compliance date for the NPP 
changes required by this final rule with the compliance date for the 
2024 Part 2 Rule so that covered entities regulated under both rules 
can implement all changes to their NPPs at the same time. Covered 
entities are expected to be in compliance with the modifications to 45 
CFR 164.520 on February 16, 2026.
4. Response to Public Comments
    Comment: One commenter expressed support for the proposal in the 
2023 Privacy Rule NPRM to establish a 180-day compliance date and urged 
the Department to issue a final rule quickly. Some commenters sought an 
extension of the compliance date for twelve to eighteen months, 
explaining that extensive policy and legal work, process and software 
changes, documentation and training would be required to implement the 
2023 Privacy Rule NPRM.
    One commenter suggested phasing in the attestation requirement so 
that ``downstream'' regulated entities, such as business associates and 
managed care organizations, would have a later compliance date than 
health care providers.
    Response: We appreciate the commenters' suggestions, but as 
discussed above, based on our assessment, we do not believe the 
modifications required by this final rule will require more than 180 
days to implement.
    Comment: Some commenters requested that the Department coordinate 
compliance deadlines of final rules that revise the Privacy Rule or 
publish one final rule addressing the proposals in the NPRMs to enable 
regulated entities to leverage the resources required to implement the 
changes to achieve compliance with all of the new requirements at one 
time.
    One commenter explained that each NPRM would involve operational 
changes requiring significant resources and effort and expressed their 
belief that a single comprehensive final rule would allow regulated 
entities to make all of the required changes, including revisions to 
policies and procedures, development of new or revised workflows, 
electronic health record (EHR) updates, and technology enhancements.
    Response: We appreciate the commenters' suggestion, but we do not 
believe that it is necessary to fully align the compliance dates for 
the 2024 Part 2 Rule and the 2024 Privacy Rule. By imposing separate 
compliance deadlines, we are able to act more quickly to protect the 
privacy of PHI.
    However, consistent with 45 CFR 160.104 and as requested by public 
comment, we are applying the same compliance date for covered entities 
to revise their NPPs to address modifications made to 45 CFR 164.520 in 
response to and consistent with the CARES Act and to support 
reproductive health care privacy. The compliance date for the NPP 
provisions is February 16, 2026.\27\ Part 2 programs, including those 
that are covered entities, can choose to implement the changes to their 
NPPs that are required by the 2024 Part 2 Rule prior to the compliance 
date, but there is no requirement that they do so.
---------------------------------------------------------------------------

    \27\ 89 FR 12472 (Feb. 16, 2024).
---------------------------------------------------------------------------

II. Statutory and Regulatory Background

A. Statutory Authority and History

1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    In 1996, Congress enacted HIPAA \28\ to reform the health care 
delivery system to ``improve portability and continuity of health 
insurance coverage in the group and individual markets.'' \29\ To 
enable health care delivery system reform, Congress included in HIPAA 
requirements for standards to support the electronic exchange of health 
information. According to section 261, ``[i]t is the purpose of this 
subtitle to improve [. . .] the efficiency and effectiveness of the 
health care system, by encouraging the development of a health 
information system through the establishment of standards and 
requirements for the electronic transmission of certain health 
information [. . .].'' \30\ Congress applied the Administrative 
Simplification provisions directly to three types of entities known as 
``covered entities''--health plans, health care clearinghouses, and 
health care providers who transmit information electronically in 
connection with a transaction for which HHS has adopted a standard.\31\
---------------------------------------------------------------------------

    \28\ Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996).
    \29\ See H.R. Rep. No. 104-496, at 66-67 (1996).
    \30\ 42 U.S.C. 1320d note (Statutory Notes and Related 
Subsidiaries: Purpose). Subtitle F also amended related provisions 
of the SSA.
    \31\ See section 262 of Public Law 104-191, adding section 1172 
to the SSA (codified at 42 U.S.C. 1320d-1). See also section 13404 
of the American Recovery and Reinvestment Act of 2009, Public Law 
111-5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 17934) 
(applying privacy provisions and penalties to business associates of 
covered entities).
---------------------------------------------------------------------------

    Section 262(a) of HIPAA required the Secretary to adopt uniform 
standards ``to enable health information to be exchanged 
electronically.'' \32\ Congress directed the Secretary to adopt 
standards for unique identifiers to identify individuals, employers, 
health plans, and health care providers across the nation \33\ and 
standards for, among other things, transactions and data elements 
relating to health information,\34\ the security of that 
information,\35\ and verification of electronic signatures.\36\
---------------------------------------------------------------------------

    \32\ 42 U.S.C. 1320d-2(a)(1).
    \33\ 42 U.S.C. 1320d-2(b)(1).
    \34\ 42 U.S.C. 1320d-2(a), (c), and (f).
    \35\ 42 U.S.C. 1320d-2(d).
    \36\ 42 U.S.C. 1320d-2(e).
---------------------------------------------------------------------------

    Congress recognized that the standardization of certain electronic 
health care transactions required by HIPAA posed risks to the privacy 
of confidential health information and viewed individual privacy, 
confidentiality, and data security as critical for orderly 
administrative simplification.\37\ Thus, as explained in the preamble 
to the 2023 Privacy Rule NPRM,\38\ Congress provided the Department 
with the authority to regulate the privacy of IIHI. According to one 
Member of Congress, privacy standards would create an additional layer 
of protection beyond the oath pledged by health care providers to keep 
information secure and, as described by another Member, would further 
protect information from being used in a ``malicious or discriminatory 
manner.'' \39\ Congress intended for the law to enhance individuals' 
trust in health care providers, which required that the law provide 
additional protection for the confidentiality of IIHI. As described by 
a Member of Congress: ``The bill would also establish strict security 
standards for health information because Americans clearly want to make 
sure that their health care records can only be used by the medical 
professionals that treat them. Often, we assume that because doctors 
take an oath of confidentiality that in fact all who touch their 
records operate by the same standards. Clearly, they do not.'' \40\ 
Moreover, Congress considered that health care reform required an 
approach that would not compromise privacy as health information became 
more accessible.\41\
---------------------------------------------------------------------------

    \37\ On a resolution waiving points of order against the 
Conference Report to H.R. 3103, members debated an ``erosion of 
privacy'' balanced against the administrative simplification 
provisions. Thus, from HIPAA's inception, privacy has been a central 
concern to be addressed as legislative changes eased disclosures of 
PHI. See 142 Cong. Rec. H9777 and H9780; see also H.R. Rep. No. 104-
736, at 177 and 264 (1996); 142 Cong. Rec. H9780 (daily ed. Aug. 1, 
1996) (statement of Rep. Sawyer); 142 Cong. Rec. H9792 (daily ed. 
Aug. 1, 1996) (statement of Rep. McDermott); and 142 Cong. Rec. 
S9515-16 (daily ed. Aug. 2, 1996) (statement of Sen. Simon).
    \38\ 88 FR 23506, 23511 (Apr. 17, 2023).
    \39\ See statement of Rep. Sawyer, supra note 37. See also 
statement of Sen. Simon, supra note 37.
    \40\ Statement of Rep. Sawyer, supra note 37.
    \41\ See H.R. Rep. No. 104-496 Part 1, at 99-100 (Mar. 25, 
1996).
---------------------------------------------------------------------------

    Accordingly, section 264(a) directed the Secretary to submit to 
Congress detailed recommendations for Federal ``standards with respect 
to the privacy of [IIHI]'' nationwide within one year of HIPAA's 
enactment.\42\ The statute made clear that the Secretary had the 
authority to promulgate regulations if Congress did not enact 
legislation covering these matters within three years.\43\ Congress 
directed the Secretary to ensure that the regulations promulgated 
``address at least'' the following three subjects: (1) the rights that 
an individual who is a subject of IIHI should have; (2) the procedures 
that should be established for the exercise of such rights; and (3) the 
uses and disclosures of such information that should be authorized or 
required.\44\
---------------------------------------------------------------------------

    \42\ 42 U.S.C. 1320d-2 note.
    \43\ Id.
    \44\ Id.
---------------------------------------------------------------------------

    Additionally, Congress provided a clear statement that HIPAA's 
provisions would ``supersede any contrary 
provision of State law,'' with certain limited exceptions.\45\ One 
exception to this general preemption authority is for ``state privacy 
laws that are contrary to and more stringent than the corresponding 
federal standard, requirement, or implementation specification.'' \46\ 
Thus, Congress intended for the Department to create privacy standards 
to safeguard health information while respecting the ability of states 
to provide individuals with additional health information privacy.
---------------------------------------------------------------------------

    \45\ 42 U.S.C. 1320d-7.
    \46\ 65 FR 82580 (the exception applies under section 
1178(a)(2)(B) of the SSA and section 264(c)(2) of HIPAA).
---------------------------------------------------------------------------

    Congress required the Secretary to consult with the NCVHS,\47\ 
thereby ensuring that the Secretary's decisions reflected public and 
expert involvement and advice in carrying out the requirements of 
section 264.\48\ NCVHS sent its initial recommendations to the 
Secretary in a letter dated June 27, 1997. Importantly, 
NCVHS advised that ``strong substantive and procedural protections'' 
should be imposed if health information were to be disclosed to law 
enforcement, and, where identifiable health information would be made 
available for non-health purposes, individuals should be afforded 
assurances that their data would not be used against them.\49\ 
Additionally, NCVHS ``unanimously'' recommended that ``[. . .] the 
Secretary and the Administration assign the highest priority to the 
development of a strong position on health privacy that provides the 
highest possible level of protection for the privacy rights of 
patients.'' \50\ NCVHS further noted that failure to do so would 
``undermine public confidence in the health care system, expose 
patients to continuing invasions of privacy, subject record keepers to 
potentially significant legal liability, and interfere with the ability 
of health care providers and others to operate the health care delivery 
and payment system in an effective and efficient manner,'' which would 
undermine what Congress intended.\51\
---------------------------------------------------------------------------

    \47\ NCVHS serves as the Secretary's statutory public advisory 
body for health data, statistics, privacy, and national health 
information policy and HIPAA. NCVHS also advises the Secretary, 
``reports regularly to Congress on HIPAA implementation, and serves 
as a forum for interaction between HHS and interested private sector 
groups on a range of health data issues.'' Nat'l Comm. on Vital and 
Health Statistics, ``About NCVHS,'' https://ncvhs.hhs.gov/; see also 
``NCVHS 60th Anniversary Symposium and History,'' U.S. Dep't of 
Health and Human Servs., at 28-29 (Feb. 2011), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/60_years_of_difference.pdf.
    \48\ See section 264(a) and (d) of Public Law 104-191 (codified 
at 42 U.S.C. 1320d-2 note).
    \49\ Letter from NCVHS Chair Don E. Detmer to HHS Sec'y Donna E. 
Shalala (June 27, 1997) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/.
    \50\ Id. at Principal Findings and Recommendations.
    \51\ Id.
---------------------------------------------------------------------------

    NCVHS further recommended that ``any rules regulating disclosures 
of identifiable health information be as clear and as narrow as 
possible. Each group of users must be required to justify their need 
for health information and must accept reasonable substantive and 
procedural limitations on access.'' \52\ According to NCVHS, this would 
allow for the disclosures that society deemed necessary and appropriate 
while providing individuals with clear expectations regarding their 
health information privacy.
---------------------------------------------------------------------------

    \52\ Id. at Third-Party Disclosures.
---------------------------------------------------------------------------

    As we noted in the 2023 Privacy Rule NPRM,\53\ Congress 
contemplated that the Department's rulemaking authorities under HIPAA 
would not be static. Congress specifically built in a mechanism to 
adapt such regulations as technology and health care evolve, directing 
that the Secretary review and modify the Administrative Simplification 
standards as determined appropriate, but not more frequently than once 
every 12 months.\54\ That statutory directive complements the 
Secretary's general rulemaking authority to ``make and publish such 
rules and regulations, not inconsistent with this chapter, as may be 
necessary to the efficient administration of the functions with which 
each is charged under this chapter.'' \55\
---------------------------------------------------------------------------

    \53\ 88 FR 23506, 23513 (Apr. 17, 2023).
    \54\ See section 1174(b)(1) of Public Law 104-191 (codified at 
42 U.S.C. 1320d-3).
    \55\ Section 1102 of the SSA (codified at 42 U.S.C. 1302).
---------------------------------------------------------------------------

2. Health Information Technology for Economic and Clinical Health 
(HITECH) Act
    On February 17, 2009, Congress enacted the Health Information 
Technology for Economic and Clinical Health Act of 2009 (HITECH Act) 
\56\ to promote the widespread adoption and standardization of health 
information technology (health IT). The HITECH Act included additional 
HIPAA privacy and security requirements for covered entities and 
business associates and expanded certain rights of individuals with 
respect to their PHI.
---------------------------------------------------------------------------

    \56\ Title XIII of Division A and Title IV of Division B of the 
American Recovery and Reinvestment Act of 2009, Public Law 111-5, 
123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 201 note).
---------------------------------------------------------------------------

    Congress understood the importance of a relationship between a 
connected health IT landscape, ``a necessary and vital component of 
health care reform,'' \57\ and privacy and security standards when it 
enacted the HITECH Act. The Purpose statement of an accompanying House 
of Representatives report \58\ on the Energy and Commerce Recovery and 
Reinvestment Act \59\ recognizes that ``[i]n addition to costs, 
concerns about the security and privacy of health information have also 
been regarded as an obstacle to the adoption of [health IT].'' The 
Senate Report for S. 336 \60\ similarly acknowledges that 
``[i]nformation technology systems linked securely and with strong 
privacy protections can improve the quality and efficiency of health 
care while producing significant cost savings.'' \61\ As the Department 
explained in the 2013 regulation referred to as the ``Omnibus Rule'' 
\62\ and discussed in greater detail below, the HITECH Act's additional 
HIPAA privacy and security requirements \63\ supported Congress' goal 
of promoting widespread adoption and interoperability of health IT by 
``strengthen[ing] the privacy and security protections for health 
information established by HIPAA.'' \64\
---------------------------------------------------------------------------

    \57\ C. Stephen Redhead, Cong. Rsch. Serv., R40161, ``The Health 
Information Technology for Economic and Clinical Health (HITECH) 
Act,'' (2009), https://crsreports.congress.gov/product/pdf/R/R40161/9 (``[Health IT], which generally refers to the use of computer 
applications in medical practice, is widely viewed as a necessary 
and vital component of health care reform.'').
    \58\ H.R. Rep. No. 111-7, at 74 (2009), accompanying H.R. 629, 
111th Cong.
    \59\ H.R. 629, Energy and Commerce Recovery and Reinvestment Act 
of 2009, introduced in the House on January 22, 2009, contained 
nearly identical provisions to subtitle D of the HITECH Act.
    \60\ Congress enacted the American Recovery and Reinvestment Act 
of 2009, which included the HITECH Act, on February 17, 2009. While 
it was the House version of the bill, H.R. 1, that was enacted, the 
Senate version, S. 336, contained nearly identical provisions to 
subtitle D of the HITECH Act.
    \61\ S. Rep. No. 111-3 accompanying S. 336, 111th Cong., at 59 
(2009).
    \62\ 78 FR 5566 (Jan. 25, 2013).
    \63\ Subtitle D of title XIII of the HITECH Act (codified at 42 
U.S.C. 17921, 42 U.S.C. 17931-17941, and 42 U.S.C. 17951-17953).
    \64\ 78 FR 5566, 5568 (Jan. 25, 2013).
---------------------------------------------------------------------------

    In passing the HITECH Act, Congress instructed the Department that 
any new health IT standards adopted under section 3004 of the Public 
Health Service Act (PHSA) must take into account the privacy and 
security requirements of the HIPAA Rules.\65\ Congress also affirmed 
that the existing HIPAA Rules were to remain in effect to the extent 
that they are consistent with the HITECH Act and directed the Secretary 
to revise the HIPAA Rules as necessary for consistency with the

[[Page 32982]]

HITECH Act.\66\ Congress confirmed that the new law was not intended to 
have any effect on authorities already granted under HIPAA to the 
Department, including section 264 of that statute and the regulations 
issued under that provision.\67\ Congress thus affirmed the Secretary's 
ongoing rulemaking authority to modify the Privacy Rule's standards and 
implementation specifications as often as every 12 months when 
appropriate, including to strengthen privacy and security protections 
for IIHI.
---------------------------------------------------------------------------

    \65\ Section 3009(a)(1)(B) of the PHSA, as added by section 
13101 of the HITECH Act (codified at 42 U.S.C. 300jj-19(a)(1)).
    \66\ Section 13421(b) of the HITECH Act (codified at 42 U.S.C. 
17951).
    \67\ Section 3009(a)(1)(A) of the PHSA, as added by section 
13101 of the HITECH Act (codified at 42 U.S.C. 300jj-19(a)(1)).
---------------------------------------------------------------------------

B. Regulatory History

    The Secretary has delegated the authority to administer the HIPAA 
Rules and to make decisions regarding their implementation, 
interpretation, and enforcement to the HHS Office for Civil Rights 
(OCR).\68\ Since the enactment of the HITECH Act, the Department has 
exercised its authority to modify the Privacy Rule several times--in 
2013, 2014, and 2016.\69\
---------------------------------------------------------------------------

    \68\ See U.S. Dep't of Health and Hum. Servs., Off. of the 
Sec'y, Off. for Civil Rights; Statement of Delegation of Authority, 
65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and Hum. Servs., 
Off. of the Sec'y, Off. for Civil Rights; Delegation of Authority, 
74 FR 38630 (Aug. 4, 2009); U.S. Dep't of Health and Hum. Servs., 
Off. of the Sec'y, Statement of Organization, Functions and 
Delegations of Authority, 81 FR 95622 (Dec. 28, 2016).
    \69\ See 78 FR 5566 (Jan. 25, 2013); 79 FR 7290 (Feb. 6, 2014); 
81 FR 382 (Jan. 6, 2016).
---------------------------------------------------------------------------

1. 2000 Privacy Rule
    As directed by HIPAA, the Department provided a series of 
recommendations to Congress for a potential new law that would address 
the confidentiality of IIHI.\70\ Congress did not act within its three-
year self-imposed deadline. Accordingly, the Department published a 
proposed rule on November 3, 1999,\71\ and issued the first final rule 
establishing ``Standards for Privacy of Individually Identifiable 
Health Information'' (``2000 Privacy Rule'') on December 28, 2000.\72\
---------------------------------------------------------------------------

    \70\ See U.S. Dep't of Health and Hum. Servs., Off. of the 
Assistant Sec'y for Plan. and Evaluation, ``Recommendations of the 
Secretary of Health and Human Services, pursuant to section 264 of 
the Health Insurance Portability and Accountability Act of 1996,'' 
Section I.A. (Sept. 1997), https://aspe.hhs.gov/reports/confidentiality-individually-identifiable-health-information.
    \71\ 64 FR 59918 (Nov. 3, 1999).
    \72\ 65 FR 82462 (Dec. 28, 2000).
---------------------------------------------------------------------------

    The primary goal of the Privacy Rule was to provide greater 
protection to individuals' privacy to engender a trusting relationship 
between individuals and health care providers. As announced, the final 
rule set standards to protect the privacy of IIHI to ``begin to address 
growing public concerns that advances in electronic technology and 
evolution in the health care industry are resulting, or may result, in 
a substantial erosion of the privacy surrounding'' health 
information.\73\ On the eve of that rule's issuance, the President 
issued an Executive Order recognizing the importance of protecting 
individual privacy, explaining that ``[p]rotecting the privacy of 
patients' protected health information promotes trust in the health 
care system. It improves the quality of health care by fostering an 
environment in which patients can feel more comfortable in providing 
health care professionals with accurate and detailed information about 
their personal health.'' \74\
---------------------------------------------------------------------------

    \73\ Id.
    \74\ See Executive Order 13181 (Dec. 20, 2000), 65 FR 81321.
---------------------------------------------------------------------------

    Since its promulgation, the Privacy Rule has protected PHI by 
limiting the circumstances under which covered entities and their 
business associates (collectively, ``regulated entities'') are 
permitted or required to use or disclose PHI and by requiring covered 
entities to have safeguards in place to protect the privacy of PHI. In 
adopting these regulations, the Department acknowledged the need to 
balance several competing factors, including existing legal 
expectations, individuals' privacy expectations, and societal 
expectations.\75\ The Department noted in the preamble that the large 
number of comments from individuals and groups representing individuals 
demonstrated the deep public concern about the need to protect the 
privacy of IIHI and constituted evidence of the importance of 
protecting privacy and the potential adverse consequences to 
individuals and their health if such protections are not extended.\76\ 
Through its policy choices in the 2000 Privacy Rule, the Department 
struck a balance between competing interests--the necessity of 
protecting privacy and the public interest in using identifiable health 
information for vital public and private purposes--in a way that was 
also workable for the varied stakeholders.\77\
---------------------------------------------------------------------------

    \75\ See 65 FR 82462, 82471 (Dec. 28, 2000).
    \76\ See id. at 82472.
    \77\ See id.
---------------------------------------------------------------------------

    In the 2000 Privacy Rule, the Department established ``general 
rules'' for uses and disclosures of PHI, codified at 45 CFR 
164.502.\78\ The 2000 Privacy Rule also specified the circumstances in 
which a covered entity was required to obtain an individual's 
consent,\79\ authorization,\80\ or the opportunity for the individual 
to agree or object.\81\ Additionally, it established rules for when a 
covered entity is permitted to use or disclose PHI without an 
individual's consent, authorization, or opportunity to agree or 
object.\82\ In particular, the Privacy Rule permits certain uses and 
disclosures of PHI, without the individual's authorization, for 
identified activities that benefit the community, such as public health 
activities, judicial and administrative proceedings, law enforcement 
purposes, and research.\83\
---------------------------------------------------------------------------

    \78\ 65 FR 82462 (Dec. 28, 2000).
    \79\ 45 CFR 164.506 was originally titled ``Consent for uses or 
disclosures to carry out treatment, payment, or health care 
operations.''
    \80\ 45 CFR 164.508.
    \81\ 45 CFR 164.510.
    \82\ 45 CFR 164.512.
    \83\ See 64 FR 59918, 59955 (Nov. 3, 1999).
---------------------------------------------------------------------------

    The Privacy Rule also established the rights of individuals with 
respect to their PHI, including the right to receive adequate notice of 
a covered entity's privacy practices, the right to request restrictions 
of uses and disclosures, the right to access (i.e., to inspect and 
obtain a copy of) their PHI, the right to request an amendment of their 
PHI, and the right to receive an accounting of disclosures.\84\
---------------------------------------------------------------------------

    \84\ See 45 CFR 164.520, 164.522, 164.524, 164.526, and 164.528.
---------------------------------------------------------------------------

    In the 2000 Privacy Rule, the Secretary exercised her statutory 
authority to adopt 45 CFR 160.104(a), which reserves the Secretary's 
ability to modify any standard or implementation specification adopted 
under the Administrative Simplification provisions.\85\ The Secretary 
first invoked this modification authority to amend the Privacy Rule in 
2002 \86\ and made additional modifications in 2013 \87\ and 2016,\88\ 
as described below.
---------------------------------------------------------------------------

    \85\ See 65 FR 82462, 82800 (Dec. 28, 2000).
    \86\ See 67 FR 53182 (Aug. 14, 2002).
    \87\ 78 FR 5566 (Jan. 25, 2013).
    \88\ 81 FR 382 (Jan. 6, 2016).
---------------------------------------------------------------------------

2. 2002 Privacy Rule
    After publication of the 2000 Privacy Rule, the Department received 
many inquiries and unsolicited comments about the Privacy Rule's 
effects and operation. As a result, the Department opened the 2000 
Privacy Rule for further comment in February 2001, less than one month 
before the effective date and 25 months before the compliance date for 
most covered entities, and issued clarifying guidance on its 
implementation.\89\ NCVHS' Subcommittee on Privacy, Confidentiality and 
Security held public

[[Page 32983]]

hearings about the 2000 Privacy Rule. From those hearings, the 
Department obtained additional information about concerns related to 
key provisions and their potential unintended consequences for health 
care quality and access.\90\ On March 27, 2002, the Department proposed 
modifications to the 2000 Privacy Rule to clarify the requirements and 
correct potential problems that could threaten access to, or quality 
of, health care.\91\
---------------------------------------------------------------------------

    \89\ 66 FR 12738 (Feb. 28, 2001).
    \90\ 67 FR 53182, 53183 (Aug. 14, 2002).
    \91\ 67 FR 14775 (Mar. 27, 2002).
---------------------------------------------------------------------------

    In response to comments on the proposed rule, the Department 
finalized modifications to the Privacy Rule on August 14, 2002 (``2002 
Privacy Rule'').\92\ This final rule clarified HIPAA's requirements 
while maintaining strong protections for the privacy of IIHI.\93\ These 
modifications addressed certain workability issues, including but not 
limited to clarifying distinctions between health care operations and 
marketing; modifying the minimum necessary standard to exclude 
disclosures authorized by individuals and clarify its operation; 
eliminating the consent requirement for uses and disclosures of PHI for 
treatment, payment, or health care operations (TPO), and to otherwise 
clarify the role of consent in the Privacy Rule; and making other 
modifications and conforming amendments consistent with the proposed 
rule. The Department also included modifications to the provisions 
permitting the use or disclosure of PHI for public health activities 
and for research activities without consent, authorization, or an 
opportunity to agree or object.
---------------------------------------------------------------------------

    \92\ 67 FR 53182 (Aug. 14, 2002). See the final rule for changes 
in the entirety. The 2002 Privacy Rule was issued before the 
compliance date for the 2000 Privacy Rule. Thus, covered entities 
never implemented the 2000 Privacy Rule. Instead, they implemented 
the 2000 Privacy Rule as modified by the 2002 Privacy Rule.
    \93\ See 67 FR 53182 (Aug. 14, 2002).
---------------------------------------------------------------------------

3. 2013 Omnibus Rule
    Following the enactment of the HITECH Act, the Department issued an 
NPRM, entitled ``Modifications to the HIPAA Privacy, Security, and 
Enforcement Rules Under the Health Information Technology for Economic 
and Clinical Health [HITECH] Act'' (``2010 NPRM''),\94\ which proposed 
to implement certain HITECH Act requirements. In 2013, the Department 
issued the final rule, Modifications to the HIPAA Privacy, Security, 
Enforcement, and Breach Notification Rules Under the Health Information 
Technology for Economic and Clinical Health [HITECH] Act and the 
Genetic Information Nondiscrimination Act, and Other Modifications to 
the HIPAA Rules (``2013 Omnibus Rule''),\95\ which implemented many of 
the new HITECH Act requirements, including strengthening individuals' 
privacy rights related to their PHI.
---------------------------------------------------------------------------

    \94\ 75 FR 40868 (July 14, 2010).
    \95\ 78 FR 5566 (Jan. 25, 2013). In addition to finalizing 
requirements of the HITECH Act that were proposed in the 2010 NPRM, 
the Department adopted modifications to the Enforcement Rule not 
previously adopted in an earlier interim final rule, 74 FR 56123 
(Oct. 30, 2009), and to the Breach Notification Rule not previously 
adopted in an interim final rule, 74 FR 42739 (Aug. 24, 2009). The 
Department also finalized previously proposed Privacy Rule 
modifications as required by GINA, 74 FR 51698 (Oct. 7, 2009).
---------------------------------------------------------------------------

    The Department also finalized regulatory provisions that were not 
required by the HITECH Act, but were necessary to address the 
workability and effectiveness of the Privacy Rule and to increase 
flexibility for and decrease burden on regulated entities.\96\ In the 
2010 NPRM, the Department noted that it had not amended the Privacy 
Rule since 2002.\97\ It further explained that information gleaned from 
contact with the public since that time, enforcement experience, and 
technical corrections needed to eliminate ambiguity provided the 
impetus for the Department's actions to make certain regulatory 
changes.\98\
---------------------------------------------------------------------------

    \96\ See 78 FR 5566 (Jan. 25, 2013) (explaining that the 
Department was using its general authority under HIPAA to make a 
number of changes to the Privacy Rule that were intended to increase 
workability and flexibility, decrease burden, and better harmonize 
the requirements with those under other Departmental regulations). 
The Department's general authority to modify the Privacy Rule is 
codified in HIPAA section 264(c), and OCR conducts rulemaking under 
HIPAA based on authority granted by the Secretary.
    \97\ See 75 FR 40868, 40871 (July 14, 2010).
    \98\ 75 FR 40868, 40871 (July 14, 2010).
---------------------------------------------------------------------------

    For example, the Department modified its prior interpretation of 
the Privacy Rule requirement at 45 CFR 164.508(c)(1)(iv) that a 
description of a research purpose must be study specific.\99\ The 
Department explained that, under its new interpretation, the research 
purposes need only be described adequately such that it would be 
reasonable for an individual to expect that their PHI could be used or 
disclosed for such future research.\100\ In the 2013 Omnibus Rule, the 
Department explained that this change was based on the concerns 
expressed by covered entities, researchers, and other commenters on the 
2010 NPRM that the former requirement did not represent current 
research practices. The Department provided a similar explanation for 
its modifications to the Privacy Rule that permit certain disclosures 
of student immunization records to schools without an 
authorization.\101\ Additionally, based on a recommendation made at an 
NCVHS meeting, the Department requested comment on and finalized 
proposed revisions to the definition of PHI to exclude information 
regarding an individual who has been deceased for more than 50 
years.\102\ For the latter, the Department noted that it was balancing 
the privacy interests of decedents' living relatives and other affected 
individuals against the legitimate needs of public archivists to obtain 
records.\103\
---------------------------------------------------------------------------

    \99\ See 78 FR 5566, 5611 (Jan. 25, 2013).
    \100\ See id. at 5612.
    \101\ Id. at 5616-17. See also 45 CFR 164.512(b)(1).
    \102\ 78 FR 5566, 5614 (Jan. 25, 2013). See also 45 CFR 
164.502(f) and the definition of ``Protected health information'' at 
45 CFR 160.103, excluding IIHI regarding a person who has been 
deceased for more than 50 years.
    \103\ In addition to the rulemakings discussed here, the 
Department has modified the Privacy Rule for workability purposes 
and in response to changes in circumstances on two other occasions, 
and it issued another notice of proposed rulemaking in 2021 for the 
same reasons. See 79 FR 7289 (Feb. 6, 2014), 81 FR 382 (Jan. 6, 
2016), and 86 FR 6446 (Jan. 21, 2021).
---------------------------------------------------------------------------

    None of the changes described in the paragraph above were required 
by the HITECH Act. Rather, the Department determined that it was 
necessary to promulgate these changes pursuant to its existing general 
rulemaking authority under HIPAA. NCVHS and the public also recommended 
other changes between the publication of the 2002 Privacy Rule and the 
2013 Omnibus Rule, including the creation of specific categories of 
PHI, such as ``Sexuality and Reproductive Health Information'' that 
would allow for special protections of such PHI.\104\ The Department 
declined to propose specific protections for certain categories of PHI 
at that time because of concerns about the ability of regulated 
entities to segment PHI and the effects on care coordination. Many of 
those concerns are still present, and so the Department did not propose 
and determined not to establish a specific category of particularly 
sensitive PHI in this rulemaking. Instead, as discussed more fully 
below, the Department is finalizing a purpose-based prohibition against 
certain uses and disclosures.
---------------------------------------------------------------------------

    \104\ See Letter from NCVHS Chair Simon P. Cohn to HHS Sec'y 
Michael O. Leavitt (June 22, 2006), https://ncvhs.hhs.gov/rrp/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/; 
Letter from NCVHS Chair Simon P. Cohn to HHS Sec'y Michael O. 
Leavitt (Feb. 20, 2008) (listing categories of health information 
that are commonly considered to contain sensitive information), 
https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf; 
Letter from NCVHS Chair Justine M. Carr to HHS Sec'y Kathleen 
Sebelius (Nov. 10, 2010) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/101110lt.pdf.
---------------------------------------------------------------------------

[[Page 32984]]

4. 2024 Privacy Rule
    On April 17, 2023, the Department issued an NPRM \105\ to modify 
the Privacy Rule for the purpose of prohibiting uses and disclosures of 
PHI for criminal, civil, or administrative investigations or 
proceedings against persons for seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which it is provided. To properly execute the HIPAA 
statutory mandate, and in accordance with the regulatory authority 
granted to it by Congress, the Department continually monitors and 
evaluates the evolving environment for health information privacy 
nationally, including the interaction of the Privacy Rule and state 
statutes and regulations governing the privacy of health information. 
In keeping with the Department's practice, this final rule accommodates 
state autonomy to the extent consistent with the need to maintain rules 
for health information privacy that serve HIPAA's objectives. The 
regulation thus preempts state law only to the extent necessary to 
achieve Congress' directive to establish a standard for the privacy of 
IIHI for the purpose of improving the effectiveness of the health care 
system. As discussed below, achieving that objective requires 
individuals to trust that their health care providers will maintain 
privacy of PHI about lawful reproductive health care. In addition, 
NCVHS held a virtual public meeting that included a discussion about 
the proposed rule on June 14, 2023,\106\ and provided recommendations 
to the Department based on this discussion, briefings at their July 
2022 \107\ and December 2022 \108\ meetings, and the expertise of its 
members.\109\ The resultant public record and subsequent 
recommendations submitted to the Department by NCVHS, along with other 
public comments on the 2023 Privacy Rule NPRM, informed the development 
of these modifications.
---------------------------------------------------------------------------

    \105\ 88 FR 23506.
    \106\ See Meeting of NCVHS (June 14, 2023), https://ncvhs.hhs.gov/meetings/full-committee-meeting-13/.
    \107\ See Meeting of NCVHS, Briefing on Legislative Developments 
in Data Privacy (July 21, 2022), https://ncvhs.hhs.gov/meetings/full-committee-meeting-11/.
    \108\ See Meeting of NCVHS, Briefing by Cason Schmit (Dec. 7, 
2022), https://ncvhs.hhs.gov/meetings/full-committee-meeting-12/.
    \109\ Letter from NCVHS Chair Jacki Monson to HHS Sec'y Xavier 
Becerra (June 14, 2023) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/wp-content/uploads/2023/06/NCVHS-Comments-on-HIPAA-Reproduction-Health-NPRM-Final-508.pdf.
---------------------------------------------------------------------------

III. Justification for This Rulemaking

A. HIPAA Encourages Trust and Confidence by Carefully Balancing 
Individuals' Privacy Interests With Others' Interests in Using or 
Disclosing PHI

1. Privacy Protections Ensure That Individuals Have Access to, and Are 
Comfortable Accessing, High-Quality Health Care
    The goal of a functioning health care system is to provide high-
quality health care that results in the best possible outcomes for 
individuals. To achieve that goal, a functioning health care system 
depends in part on individuals trusting health care providers. Thus, 
trust between individuals and health care providers is essential to an 
individual's health and well-being.\110\ Protecting the privacy of an 
individual's health information is ``a crucial element for honest 
health discussions.'' \111\ The original Hippocratic Oath required 
physicians to pledge to maintain the confidentiality of health 
information they learn about individuals.\112\ Without confidence that 
private information will remain private, individuals--to their own 
detriment--are reluctant to share information with health care 
providers.
---------------------------------------------------------------------------

    \110\ See Jennifer Richmond et al., ``Development and Validation 
of the Trust in My Doctor, Trust in Doctors in General, and Trust in 
the Health Care Team Scales,'' 298 Social Science & Medicine 114827 
(2022), https://www.sciencedirect.com/science/article/abs/pii/S0277953622001332?via%3Dihub; see also Fallon E. Chipidza et al., 
``Impact of the Doctor-Patient Relationship,'' The Primary Care 
Companion for CNS Disorders (Oct. 2015), https://www.psychiatrist.com/pcc/delivery/patient-physician-communication/impact-doctor-patient-relationship/. See Testimony (transcribed) of 
William G. Plested, III, M.D., Member, Board of Trustees, American 
Medical Association, Hearing on Confidentiality of Patient Medical 
Records before House of Representatives Committee on Ways and Means, 
Subcommittee on Health (Feb. 17, 2000), https://www.govinfo.gov/content/pkg/CHRG-106hhrg66897/html/CHRG-106hhrg66897.htm. (``Trust 
is the foundation of the patient/physician relationship.'')
    \111\ See Am. Med. Ass'n, ``Patient Perspectives Around Data 
Privacy,'' (2022), https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf.
    \112\ See John C. Moskop et al., ``From Hippocrates to HIPAA: 
Privacy and Confidentiality in Emergency Medicine--Part I: 
Conceptual, Moral, and Legal Foundations,'' 45 Ann. Emerg. Med. 1 
(Jan. 2005) (quoting the Oath of Hippocrates, ``What I may see or 
hear in the course of the treatment or even outside of the treatment 
in regard to the life of men, which on no account one must spread 
abroad, I will keep to myself [. . .].''), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7132445/#bib1.
---------------------------------------------------------------------------

    When proposing the 2000 Privacy Rule, the Department recognized 
that individuals may be deterred from seeking needed health care if 
they do not trust that their sensitive information will be kept 
private.\113\ The Department described its policy choices as stemming 
from a motivation to develop and maintain a relationship of trust 
between individuals and health care providers. The Department explained 
that a fundamental assumption of the 2000 Privacy Rule was that the 
greatest benefits of improved privacy protection would be realized in 
the future as individuals gain increasing trust in their health care 
provider's ability to maintain the confidentiality of their health 
information.\114\ As a result, the Privacy Rule strengthened 
protections for health information privacy, including the right of 
individuals to determine who has access to their health information.
---------------------------------------------------------------------------

    \113\ See 64 FR 59918, 60006 (Nov. 3, 1999) (In the 1999 Privacy 
Rule NPRM, the Department discussed confidentiality as an important 
component of trust between individuals and health care providers and 
cited a 1994 consumer privacy survey that indicated that a lack of 
privacy may deter patients from obtaining preventive care and 
treatment.). See id. at 60019.
    \114\ See 64 FR 59918, 60006 (Nov. 3, 1999).
---------------------------------------------------------------------------

    Despite the Privacy Rule's rights and protections, individuals do 
not have confidence that their IIHI is being protected adequately. In a 
2022 survey on patient privacy, the American Medical Association (AMA) 
found that, of 1,000 patients surveyed: (1) nearly 75% were concerned 
about protecting the privacy of their own health information; and (2) 
59% of patients worried about health data being used by companies to 
discriminate against them or their loved ones.\115\ According to the 
AMA, a lack of health information privacy raises many questions about 
circumstances that could put individuals and health care providers in 
legal peril, and that the ``primary purpose of increasing [health 
information] privacy is to build public trust, not inhibit data 
exchange.'' \116\
---------------------------------------------------------------------------

    \115\ See ``Patient Perspectives Around Data Privacy,'' supra 
note 111.
    \116\ Id. at 2.
---------------------------------------------------------------------------

    The Federal Government also has a strong interest in ensuring that 
individuals have access to high-quality health care.\117\ This is true 
at both an

[[Page 32985]]

individual and population level. In the 2000 Privacy Rule, the 
Department noted that high-quality health care depends on an individual 
being able to share sensitive information with their health care 
provider based on the trust that the information shared will be 
protected and kept confidential.\118\ An effective health care system 
requires an individual to share sensitive health information with their 
health care providers. They do so with the reasonable expectation that 
this information is going to be used to treat them. The prospect of the 
disclosure of highly sensitive PHI by regulated entities can result in 
medical mistrust and the deterioration of the confidential, safe 
environment that is necessary to provide high-quality health care, 
operate a functional health care system, and improve the public's 
health generally.\119\ High-quality health care cannot be attained 
without patient candor. Health care providers rely on an individual's 
health information to diagnose them and provide them with appropriate 
treatment options and may not be able to reach an accurate diagnosis or 
recommend the best course of action for the individual if the 
individual's medical records lack complete information about their 
health history. However, an individual may be unwilling to seek 
treatment or share highly sensitive PHI when they are concerned about 
the confidentiality and security of PHI provided to treating health 
care providers.\120\ The Department has long recognized that health 
care professionals who lose the trust of their patients cannot deliver 
high-quality care.\121\ Similarly, if a health care provider does not 
trust that the PHI they include in an individual's medical records will 
be kept private, the health care provider may leave gaps or include 
inaccuracies when preparing medical records, creating a risk that 
ongoing or future health care would be compromised. In contrast, 
heightened confidentiality and privacy protections enable a health care 
provider to feel confident maintaining full and complete medical 
records.
---------------------------------------------------------------------------

    \117\ See Testimony (transcribed) of Peter R. Orszag, Director, 
Congressional Budget Office, Hearing on Comparative Clinical 
Effectiveness before House of Representatives Committee on Ways and 
Means, Subcommittee on Health, 2007 WL 1686358 (June 12, 2007) 
(``because federal health insurance programs play a large role in 
financing medical care and represent a significant expenditure, the 
federal government itself has an interest in evaluations of the 
effectiveness of different health care approaches''); Statement of 
Sen. Durenberger introducing S.1836, American Health Quality Act of 
1991 and reading bill text, 137 Cong. Rec. S26720 (Oct. 17, 1991) 
(``[T]he Federal Government has a demonstrated interest in assessing 
the quality of care, access to care, and the costs of care through 
the evaluative activities of several Federal agencies.'').
    \118\ See 65 FR 82462, 82463 (Dec. 28, 2000).
    \119\ See, e.g., Brooke Rockwern et al., Medical Informatics 
Committee and Ethics, Professionalism and Human Rights Committee of 
the American College of Physicians, ``Health Information Privacy, 
Protection, and Use in the Expanding Digital Health Ecosystem: A 
Position Paper of the American College of Physicians,'' 174 Ann 
Intern Med. 994 (Jul. 2021) (discussing the need for trust in the 
health care system as necessary to mitigate a global pandemic); 
Johanna Birkhäuer et al., ``Trust in the Health Care 
Professional and Health Outcome: A Meta-Analysis,'' 12 PLoS One 
e0170988 (Feb. 7, 2017). See also Eric Boodman, ``In a doctor's 
suspicion after a miscarriage, a glimpse of expanding medical 
mistrust,'' STAT News (June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/ (Sarah Prager, professor of obstetrics and 
gynecology at the University of Washington, stating that it is a bad 
precedent if clinical spaces become unsafe for patients because, 
``[a health care provider's] ability to take care of patients relies 
on trust, and that will be impossible moving forward.'').
    \120\ See ``Development and Validation of the Trust in My 
Doctor, Trust in Doctors in General, and Trust in the Health Care 
Team Scales,'' supra note 110; Bradley E. Iott et al., ``Trust and 
Privacy: How Patient Trust in Providers is Related to Privacy 
Behaviors and Attitudes,'' 2019 AMIA Annu Symp Proc 487 (Mar. 2020), 
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/; Pamela Sankar 
et al., ``Patient Perspectives of Medical Confidentiality: a Review 
of the Literature,'' 18 J. of Gen. Internal Med. 659 (Aug. 2003), 
https://pubmed.ncbi.nlm.nih.gov/12911650/.
    \121\ See 65 FR 82462, 82468 (Dec. 28, 2000).
---------------------------------------------------------------------------

    Incomplete medical records and health care avoidance not only 
inhibit the quality of health care an individual receives; they are 
also detrimental to efforts to improve public health. The objective of 
public health is to prevent disease in and improve the health of 
populations. Barriers that undermine the willingness of individuals to 
seek health care in a timely manner or to provide complete and accurate 
health information to their health care providers undermine the overall 
objective of public health. For example, individuals who are not candid 
with their health care providers because of concerns about potential 
negative consequences of a loss of privacy may withhold information 
about a variety of health matters that have public health implications, 
such as communicable diseases or vaccinations.\122\ Experience also 
shows that medical mistrust--especially in communities of color and 
other communities that have been marginalized or negatively affected by 
historical and current health care disparities--can create damaging and 
chilling effects on individuals' willingness to seek appropriate and 
lawful health care for medical conditions that can worsen without 
treatment.\123\
---------------------------------------------------------------------------

    \122\ See Letter from NCVHS Chair Simon P. Cohn, supra note 104, 
at 2 (2006) (with forwarded NCVHS recommendations, ``Individual 
trust in the privacy and confidentiality of their personal health 
information also promotes public health, because individuals with 
potentially contagious or communicable diseases are not inhibited 
from seeking treatment.'').
    \123\ See Texas Dep't of State Health Servs., ``Texas Maternal 
Mortality and Morbidity Review Committee and Department of State 
Health Services Joint Biennial Report 2022,'' at 41 (Dec. 2022), 
https://www.dshs.texas.gov/sites/default/files/legislative/2022-Reports/2022-MMMRC-DSHS-Joint-Biennial-Report.pdf; Lynn M. Paltrow 
et al., ``Arrests of and forced interventions on pregnant women in 
the United States, 1973-2005: implications for women's legal status 
and public health,'' 38 J. Health Pol. Pol'y Law 299 (2013) (finding 
that hospital staff are most likely to report low-income pregnant 
patients and pregnant patients of color, especially Black women, to 
the authorities); Terri-ann Monique Thompson et al., ``Racism Runs 
Through It: Examining the Sexual and Reproductive Health Experience 
of Black Women in the South,'' 41 Health Affairs 195 (Feb. 2022) 
(discussing how individual racism affects reproductive health care 
use by undermining the patient-doctor relationship), https://www.healthaffairs.org/doi/10.1377/hlthaff.2021.01422; Joli Hunt, 
``Maternal Mortality among Black Women in the United States,'' 
Ballard Brief (July 2021), https://ballardbrief.byu.edu/issue-briefs/maternal-mortality-among-black-women-in-the-united-states/ 
(discussing the disproportionately high rate of Black maternal 
mortality and morbidity); Austin Frakt, ``Bad Medicine: The Harm 
that Comes from Racism,'' The New York Times (July 8, 2020), https://www.nytimes.com/2020/01/13/upshot/bad-medicine-the-harm-that-comes-from-racism.html.
---------------------------------------------------------------------------

2. The Department's Approach to the Privacy Rule Has Long Sought To 
Balance the Interests of Individuals and Society
    While recognizing the importance of preserving individuals' trust, 
the Department has consistently taken the approach of balancing the 
interests of the individual in the privacy of their PHI with society's 
interests, including in the free flow of information that enables the 
provision of effective and efficient health care services. Such an 
approach derives from Congress's direction, in 1996, to improve the 
efficiency and effectiveness of the health care system by encouraging 
the development of a health information system while taking into 
account the privacy of IIHI and the uses and disclosures of such 
information that should be authorized or required.\124\ In past 
rulemakings, the Department has made revisions to the Privacy Rule to 
balance an individual's privacy expectations with a covered entity's 
need for information for reimbursement and quality purposes.\125\ As 
the Department previously explained, ``Patient privacy must be balanced 
against other public goods, such as research and the risk of 
compromising such research projects if researchers could not continue 
to use such data.'' \126\ The 2000 Privacy Rule included permissions 
for regulated entities to disclose PHI under certain conditions, 
including for judicial and administrative proceedings and law 
enforcement purposes, because an individual's right to privacy in 
information about themselves is not absolute. For example, it does not 
prevent reporting of public health information on communicable 
diseases, nor does it prevent law enforcement

[[Page 32986]]

from obtaining information when due process has been observed.\127\
---------------------------------------------------------------------------

    \124\ 42 U.S.C. 1320d note and 1320d-2 note.
    \125\ See 67 FR 53182, 53216 (Aug. 14, 2002).
    \126\ Id. at 53226.
    \127\ 65 FR 82462, 82464 (Dec. 28, 2000).
---------------------------------------------------------------------------

    In more recent rulemakings revising the Privacy Rule, the 
Department has continued its efforts to build and maintain individuals' 
trust in the health care system while balancing the interests of 
individuals with those of others. For example, in explaining revisions 
made as part of the 2013 Omnibus Rule, the Department recognized that 
covered entities must balance protecting the privacy of health 
information with sharing health information with those responsible for 
ensuring public health and safety.\128\ The Privacy Rule was also 
revised in 2016 (``2016 Privacy Rule'') in accordance with an 
administration-wide effort to curb gun violence across the nation.\129\ 
The 2016 Privacy Rule was tailored to authorize the disclosure of a 
limited set of PHI \130\ for a narrow, specific purpose, that is, to 
permit only regulated entities that are state agencies or other 
entities designated by a state to collect and report information to the 
National Instant Criminal Background Check System (NICS) or a lawful 
authority making an adjudication or commitment as described by 18 
U.S.C. 922(g)(4) to disclose to NICS the identities of individuals who 
are subject to a Federal ``mental health prohibitor'' that 
disqualifies them from shipping, transporting, possessing, or receiving 
a firearm. As explained in the 2016 Privacy Rule, the Federal mental 
health prohibitor applies only to the extent that the individual is 
involuntarily committed or determined by a court or other lawful 
authority to be a danger to self or others, or is unable to manage 
their own affairs because of a mental illness or condition.\131\ 
Similar to this final rule, the 2016 Privacy Rule balanced public 
safety goals with individuals' privacy interests by clearly limiting 
permissible disclosures to those that are necessary to ensure that 
individuals are not discouraged from seeking lawful health care, in 
this case, voluntary treatment for mental health needs.\132\ In the 
2013 Omnibus Rule and 2016 Privacy Rule, the Department ensured that 
the disclosures were necessary for the public good and were not for the 
purpose of harming the individual. This approach is consistent with the 
NCVHS recommendations to the Secretary relating to health information 
privacy: ``The Committee strongly supports limiting use and disclosure 
of identifiable information to the minimum amount necessary to 
accomplish the purpose. The Committee also strongly believes that when 
identifiable health information is made available for non-health uses, 
patients deserve a strong assurance that the data will not be used to 
harm them.'' \133\
---------------------------------------------------------------------------

    \128\ See 78 FR 5566, 5616 (Jan. 25, 2013).
    \129\ 81 FR 382 (Jan. 6, 2016); see, e.g., 78 FR 4297 (Jan. 22, 
2013) and 78 FR 4295 (Jan. 22, 2013); see also Colleen Curtis, 
``President Obama Announces New Measures to Prevent Gun Violence,'' 
The White House President Barack Obama (Jan. 16, 2013), https://obamawhitehouse.archives.gov/blog/2013/01/16/president-obama-announces-new-measures-prevent-gun-violence.
    \130\ This PHI includes limited demographic and certain other 
information needed for the purposes of reporting to NICS. 45 CFR 
164.512(k)(7)(iii)(A). In preamble, the Department explained that 
generally the information described at 45 CFR 164.512(k)(7)(iii)(A) 
would be limited to the data elements required to create a NICS 
record and certain other elements to the extent that they are 
necessary to exclude false matches: Social Security number, State of 
residence, height, weight, place of birth, eye color, hair color, 
and race. 81 FR 382, 390 (Jan. 6, 2016).
    \131\ 81 FR 382, 386-388 (Jan. 6, 2016).
    \132\ Id. The Department addressed concerns about the possible 
chilling effect on individuals seeking health care by explaining 
that (1) the permission is limited to only those covered entities 
that order the involuntary commitments or make the other 
adjudications that cause individuals to be subject to the Federal 
mental health prohibitor, or that serve as repositories of such 
information for NICS reporting purposes; (2) the specified regulated 
entities are permitted to disclose NICS data only to designated 
repositories or the NICS; (3) the information that may be disclosed 
is limited to certain demographic or other information that is 
necessary for NICS reporting; and (4) the rulemaking did not expand 
the permission to encompass State law prohibitor information.
    \133\ Letter from NCVHS Chair Don E. Detmer to HHS Sec'y Donna 
E. Shalala (June 27, 1997) (forwarding NCVHS recommendations), 
https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/.
---------------------------------------------------------------------------

    Consistent with Congress's directive to promulgate ``standards with 
respect to the privacy of [IIHI]'' that, among other things, address 
the ``uses and disclosures of such information that should be 
authorized or required,'' \134\ the Department recognizes a variety of 
interests with respect to health information. These include 
individuals' interests in the privacy of their health information, 
society's interests in ensuring the effectiveness of the health care 
system, and other interests of society in using IIHI for certain non-
health care purposes. As part of balancing these interests, the 
Department has also recognized that it may be necessary to afford 
additional protection to certain types of health information because 
those types of information are particularly sensitive and often involve 
highly personal health care decisions. For example, the Department 
affords special privacy protections to psychotherapy notes. These 
protections are afforded in part because of the particularly sensitive 
information those notes contain and in part because of the unique 
function of these records, which are by definition maintained 
separately from an individual's medical record.\135\ As we previously 
explained, the primary value of psychotherapy notes is to the specific 
provider, and the promise of strict confidentiality helps to ensure 
that the patient will feel comfortable freely and completely disclosing 
very personal information essential to successful treatment.\136\ The 
Department elaborated that even the possibility of disclosure may 
impede development of the confidential relationship necessary for 
successful treatment because of the sensitive nature of the problems 
for which individuals consult psychotherapists and the potential 
embarrassment that may be engendered by the disclosure of confidential 
communications made during counseling sessions.\137\ Therefore, to 
support the development and maintenance of an individual's trust and 
protect the relationship between an individual and their therapist, the 
Privacy Rule permits the disclosure of psychotherapy notes without an 
individual's authorization only in limited circumstances, such as to 
avert a serious and imminent threat to health or safety. Those limited 
circumstances do not include judicial and administrative proceedings or 
law enforcement purposes unless the disclosure is ``necessary to 
prevent or lessen a serious and imminent threat to the health or safety 
of a person or the public.'' \138\
---------------------------------------------------------------------------

    \134\ 42 U.S.C. 1320d-2 note.
    \135\ See 45 CFR 164.501 (definition of ``Psychotherapy 
notes'').
    \136\ See 64 FR 59918, 59941 (Nov. 3, 1999).
    \137\ See id.
    \138\ 45 CFR 164.508(a)(2).
---------------------------------------------------------------------------

    Information about an individual's reproductive health and 
associated health care is also especially sensitive and has long been 
recognized as such. As stated in the AMA's Principles of Medical 
Ethics, the ``decision to terminate a pregnancy should be made 
privately within the relationship of trust between patient and 
physician in keeping with the patient's unique values and needs and the 
physician's best professional judgment.'' \139\ NCVHS first noted 
reproductive health information as an example of a category of health 
information commonly considered to contain sensitive information in

[[Page 32987]]

2006.\140\ Between 2005 and 2010, NCVHS held nine hearings that 
addressed questions about sensitive information in medical records and 
identified additional categories of sensitive information beyond those 
addressed in Federal and state law, including ``sexuality and 
reproductive health information.'' In several letters to the Secretary 
during that period, NCVHS recommended that the Department identify and 
define categories of sensitive information, including ``reproductive 
health.'' \141\ In a 2010 letter to the Secretary, NCVHS elaborated 
that, after extensive testimony on sensitive categories of health 
information, ``reproductive health'' should be expanded to ``sexuality 
and reproductive health information,'' because:
---------------------------------------------------------------------------

    \139\ Council on Ethical and Judicial Affairs, ``Ethics, 
Amendment to Opinion 4.2.7, Abortion H-140.823,'' Am. Med. Ass'n 
(2022), https://policysearch.ama-assn.org/policyfinder/detail/%224.2.7%20Abortion%22?uri=%2FAMADoc%2FHOD.xml-H-140.823.xml.
    \140\ See Letter from NCVHS Chair Simon P. Cohn (2006), supra 
note 104.
    \141\ See Letter from NCVHS Chair Simon P. Cohn (2006), supra 
note 104; Letter from NCVHS Chair Simon P. Cohn (2008), supra note 
104; Letter from NCVHS Chair Justine M. Carr (2010), supra note 104.
---------------------------------------------------------------------------

    Information about sexuality and reproductive history is often 
very sensitive. Some reproductive issues may expose people to 
political controversy (such as protests from abortion proponents), 
and public knowledge of an individual's reproductive history may 
place [them] at risk of stigmatization. Additionally, individuals 
may wish to have their reproductive history segmented so that it is 
not viewed by family members who otherwise have access to their 
records. Parents may wish to delay telling their offspring about 
adoption, gamete donation, or the use of other forms of assisted 
reproduction technology in their conception, and, thus, it may be 
important to have the capacity to segment these records.\142\
---------------------------------------------------------------------------

    \142\ See Letter from NCVHS Chair Justine M. Carr (2010), supra 
note 104.
---------------------------------------------------------------------------

    The Department did not provide specific protections for certain 
categories of PHI upon receipt of the recommendation or as part of the 
2013 Omnibus Rule because of concerns about the ability of regulated 
entities to segment PHI and the effects on care coordination. While we 
recognized the sensitive nature of reproductive health information 
before this rulemaking, the Department believed that the Supreme 
Court's recognition of a constitutional right to abortion coupled with 
the privacy protections afforded by the HIPAA Rules provided the 
necessary trust to promote access to and quality of health care. As a 
result of the changed legal landscape for reproductive health care 
broadly, including abortion, the range of circumstances in which PHI 
about legal reproductive health care could be sought and used in 
investigations or to impose liability expanded significantly. Now that 
states have much broader power to criminalize and regulate reproductive 
choices--and that some states have already exercised that power in a 
variety of ways \143\--individuals legitimately have a far greater fear 
that especially sensitive information about lawful health care will not 
be kept private. This changed environment requires additional privacy 
protections to help restore the Privacy Rule's carefully struck balance 
between individual and societal interests. Because the concerns 
regarding segmentation and the negative impact on care coordination 
remain, the Department did not propose and is not establishing a new 
category of particularly sensitive PHI in this final rule. Instead, as 
discussed more fully below, the Department is finalizing its proposed 
purpose-based prohibition against certain uses and disclosures.
---------------------------------------------------------------------------

    \143\ See LePage v. Center for Reproductive Medicine, SC-2022-0515 
(Feb. 16, 2024).
---------------------------------------------------------------------------

B. Developments in the Legal Environment Are Eroding Individuals' Trust 
in the Health Care System

    The Supreme Court's decision in Dobbs overturned Roe v. Wade \144\ 
and Planned Parenthood of Southeastern Pennsylvania v. Casey,\145\ 
thereby enabling states to significantly restrict access to 
abortion.\146\ Following the Supreme Court's decision, the legal 
landscape has shifted as laws significantly restricting access to 
abortion have in fact become effective in some jurisdictions. This 
change has also led to questions about both the current and future 
lawfulness of other types of reproductive health care, and therefore, 
the ability of individuals to access such health care.\147\ Thus, this 
shift may interfere with the longstanding expectations of individuals, 
established by HIPAA and the Privacy Rule, with respect to the privacy 
of their PHI.\148\ For example, while the Privacy Rule currently 
permits, but does not require, uses and disclosures of PHI for certain 
purposes,\149\ including when another law requires a regulated entity 
to make the use or disclosure,\150\ regulated entities after Dobbs may 
feel compelled by other applicable law to use or disclose PHI to law 
enforcement or other persons who may use that health information 
against an individual, a regulated entity, or another person who has 
sought, obtained, provided, or facilitated reproductive health care, 
even when such health care is lawful in the circumstances in which the 
health care is obtained.\151\
---------------------------------------------------------------------------

    \144\ 410 U.S. 113 (1973).
    \145\ 505 U.S. 833 (1992).
    \146\ Dobbs, 597 U.S. 299-302.
    \147\ See, e.g., Carmel Shachar et al., ``Informational Privacy 
After Dobbs,'' 75 Ala. L. Rev. 1 (2023), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4570500 and Andrzej Kulczycki, ``Dobbs: 
Navigating the New Quagmire and Its Impacts on Abortion and 
Reproductive Health Care,'' Health Education & Behavior (2022), 
https://doi.org/10.1177/10901981221125430.
    \148\ See, e.g., Kayte Spector-Bagdady & Michelle M. Mello, 
``Protecting the Privacy of Reproductive Health Information After 
the Fall of Roe v. Wade,'' 3 JAMA Network e222656 (June 30, 2022), 
https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032; Lisa G. Gill, ``What does the overturn of Roe v. Wade mean 
for you?,'' Consumer Reports (June 24, 2022), https://www.consumerreports.org/health-privacy/what-does-the-overturn-of-roe-v-wade-mean-for-you-a1957506408/.
    \149\ 45 CFR 164.502(a)(1).
    \150\ 45 CFR 164.512(a).
    \151\ See Laura J. Faherty et al., ``Consensus Guidelines and 
State Policies: The Gap Between Principle and Practice at the 
Intersection of Substance Use and Pregnancy,'' American Journal of 
Obstetrics & Gynecology Maternal-Fetal Medicine (Aug. 2020) 
(discussing a concern raised by multiple organizations that pregnant 
women will hesitate to seek prenatal care and addiction treatment 
during pregnancy because of their concerns that disclosing substance 
use to health care providers will increase the likelihood that they 
will face legal penalties); see also ``Informational Privacy After 
Dobbs,'' supra note 147.
---------------------------------------------------------------------------

    As a consequence of these developments in Federal and state law, an 
individual's expectation of privacy of their health information 
(irrespective of whether an individual is or was pregnant) is 
threatened by the potential use or disclosure of PHI to identify 
persons who seek, obtain, provide, or facilitate lawful reproductive 
health care. Thus, these developments have created an environment in 
which individuals are more likely to fear that their PHI will be 
requested from regulated entities for use against individuals, health 
care providers, and others, merely because such persons sought, 
obtained, provided, or facilitated lawful reproductive health 
care.\152\ The potential increased demand for PHI for these purposes is 
not limited to states in which providing or obtaining certain 
reproductive health care is no longer legal. Rather, the changes in the 
legal landscape have nationwide implications, not only because of their 
effects on the relationship between health care providers and 
individuals, but also because of the potential effects on the flow of 
health information across state lines. For example, an individual who 
travels out-of-state to obtain reproductive health care that is lawful 
under the circumstances in which it is provided may now be reluctant to 
have that information disclosed to a health care provider in their home 
state if they

[[Page 32988]]

fear that it may then be used against them or a loved one in their home 
state. A health care provider may be unable to provide appropriate 
health care if they are unaware of the individual's recent health 
history, which could have significant negative health consequences. 
Individuals and health care providers may also be reluctant to disclose 
PHI to health plans with a multi-state presence because of concerns 
that one of those states will seek to obtain that PHI to investigate or 
impose liability on the individual or the health care provider, even if 
there is no nexus with that state other than the presence of the health 
plan in that state. Such reluctance may have significant ramifications 
for access to reproductive health care, given the cost associated with 
obtaining such health care, and health care generally.
---------------------------------------------------------------------------

    \152\ See, e.g., Yvonne Lindgren et al., ``Reclaiming Tort Law 
to Protect Reproductive Rights,'' 75 Alabama L. Rev. 355 (2023), 
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4435834.
---------------------------------------------------------------------------

    Additionally, PHI is more likely to be transmitted across state 
lines as the electronic exchange of PHI increases because it is easier 
and more efficient to send information electronically. For instance, 
the Trusted Exchange Framework and Common Agreement (TEFCA) initiative 
established under the 21st Century Cures Act and the Centers for 
Medicare & Medicaid Services (CMS) Interoperability and Prior 
Authorization Final Rule will spur greater use and disclosure of PHI by 
regulated entities and to health apps and others.\153\ Different 
components of a health information exchange/health information network 
(HIE/HIN) may be located in different states, meaning that the PHI may 
be transmitted across state lines, and thus affected by laws severely 
restricting access to reproductive health care, even where both the 
health care and the recipient of the PHI are located in states where 
access to such health care is not substantially restricted.
---------------------------------------------------------------------------

    \153\ See section 3001(c) of the PHSA, as amended by section 
4003(b) of the 21st Century Cures Act, Public Law 114-255, 130 Stat. 
1165 (codified at 42 U.S.C. 300jj-11(c)). For more information, see 
Office of the Nat'l Coordinator for Health Info. Tech., ``Trusted 
Exchange Framework and Common Agreement (TEFCA),'' https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca; see also 89 FR 8758 (Feb. 8, 
2024); ``CMS Interoperability and Prior Authorization Final Rule 
CMS-0057-F,'' Centers for Medicare & Medicaid (Jan. 17, 2024), 
https://www.cms.gov/newsroom/fact-sheets/cms-interoperability-and-prior-authorization-final-rule-cms-0057-f.
---------------------------------------------------------------------------

    According to commenters, individuals are increasingly concerned 
about the confidentiality of discussions with their health care 
providers. As a result, some individuals are not confiding fully in 
their health care providers, increasing the risk that their medical 
records will not be complete and accurate, leading to decreases in 
health care quality and safety. This lack of openness is also likely to 
affect the information and treatment recommendations health care 
providers provide to individuals because health care providers will not 
be sufficiently informed to provide thorough and accurate information 
and guidance.\154\
---------------------------------------------------------------------------

    \154\ See Eric Boodman, ``In a doctor's suspicion after a 
miscarriage, a glimpse of expanding medical mistrust,'' STAT News 
(June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/#:~:text=In%20a%20doctor's%20suspicion%20after,glimpse%20of%20expanding%20medical%20mistrust&text=The%20idea%20that%20she,used%20contraceptives%20and%20trusted%20them.
---------------------------------------------------------------------------

    Individuals are not alone in their fears. Indeed, according to 
commenters, some health care providers are afraid to provide lawful 
health care because they are concerned that in doing so, they risk 
being subjected to investigation and possible liability.\155\ The 
Department is aware that some health care providers, such as clinicians 
and pharmacies, are hesitant to provide lawful health care or lawfully 
prescribe or fill prescriptions for medications that can result in 
pregnancy loss, even when the health care or those prescriptions are 
intended to treat individuals for other health matters, because of fear 
of law enforcement action.\156\ Some health care providers are also not 
providing individuals with information to address concerns about their 
reproductive health, even where their communications would be lawful, 
out of fear of criminal prosecution, civil suit, or loss of their 
clinical license.\157\ This may result in individuals making decisions 
about their health care with incomplete information, which could have 
serious implications for health outcomes. These fears also increase the 
risk that individual medical records will not be maintained with 
completeness and accuracy, which will in turn affect the quality of 
health care provided to individuals and their safety. Fears about 
potential prosecution, even when Federal law protects the actions of 
health care providers, are likely to negatively affect the accuracy of 
medical records maintained by health care providers and thereby harm 
individuals.
---------------------------------------------------------------------------

    \155\ See also Melissa Suran, ``As Laws Restricting Health Care 
Surge, Some US Physicians Choose Between Fight or Flight,'' JAMA, 
329(22):1899-1903 (May 17, 2023) (discussing a maternal-fetal 
medicine specialist who stated that she moved to another state 
because of legislation that restricts evidence-based health care and 
prevents her from fulfilling her ethical obligation to protect her 
patients' health), https://pubmed.ncbi.nlm.nih.gov/37195699/.
    \156\ See Off. for Civil Rights, ``HHS Office for Civil Rights 
Resolves Complaints with CVS and Walgreens to Ensure Timely Access 
to Medications for Women and Support Persons with Disabilities,'' 
U.S. Dep't of Health and Human Servs. (June 16, 2023), https://www.hhs.gov/civil-rights/for-providers/compliance-enforcement/agreements/cvs-walgreens/. See also Kathryn Starzyk et 
al., ``More than half of patients with a rheumatic disease or 
immunologic condition undergoing methotrexate treatment reside in 
states in which the overturning of Roe v. Wade can jeopardize access 
to medications with abortifacient potential,'' 75 Arthritis 
Rheumatol 328 (Feb. 2023); see also Celine Castronuovo, ``Many 
Female Arthritis Drug Users Face Restrictions After Dobbs,'' 
Bloomberg Law (Nov. 14, 2022) (noting that 16 out of 524 patients 
responding to a survey indicated that they've had trouble getting 
methotrexate, their arthritis medication, since the Dobbs decision), 
https://news.bloomberglaw.com/health-law-and-business/many-female-arthritis-drug-users-face-restrictions-after-dobbs; Interview with 
Donald Miller, PharmD, ``Methotrexate access becomes challenging for 
some patients following Supreme Court decision on abortion,'' 
Pharmacy Times (July 20, 2022), https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion; Jamie Ducharme, ``Abortion 
restrictions may be making it harder for patients to get a cancer 
and arthritis drug,'' Time (July 6, 2022), https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/; Katie Shepherd 
& Frances Stead Sellers, ``Abortion bans complicate access to drugs 
for cancer, arthritis, even ulcers,'' The Washington Post (Aug. 8, 
2022), https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/.
    \157\ See Michelle Oberman & Lisa Soleymani Lehmann, ``Doctors' 
duty to provide abortion information,'' J. of Law and Biosciences 
(Sept. 1, 2023), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10474560/; Whitney Arey et al., ``Abortion Access and Medically 
Complex Pregnancies Before and After Texas Senate Bill 8,'' 141 
Obstet Gynecol. 995 (May 1, 2023) (concluding that ``Abortion 
restrictions limit shared decision making, compromise patient care, 
and put pregnant people's health at risk.''); ``1 Year Without 
Roe,'' Center for American Progress (Jun. 23, 2023) (where a 
physician detailed her fear about speaking freely with her patients 
after Dobbs ``worried a vigilante posing as a new patient would 
attempt to bait her into talking about abortion and attempt to sue 
her, and she sometimes skirts the topic of abortion when speaking 
with patients about their health care options.'')
---------------------------------------------------------------------------

    As explained by commenters and supported by research, these 
impingements on the privacy of health information about reproductive 
health care are likely to have a disproportionately greater effect on 
women, individuals of reproductive age, and individuals from 
communities that have been historically underserved, marginalized, or 
subject to discrimination or systemic disadvantage by virtue of their 
race, disability, social or economic status, geographic location, or 
environment.\158\ Historically

[[Page 32989]]

underserved and marginalized individuals are also more likely to be the 
subjects of investigations and other activities to impose liability for 
seeking or obtaining reproductive health care, even where such health 
care is lawful under the circumstances in which it is provided.\159\ 
They are also less likely to have adequate access to legal counsel to 
defend themselves from such actions.\160\ These inequities may be 
exacerbated where individuals face multiple, intersecting disparities, 
such as having limited English proficiency \161\ and disability.\162\ 
Such individuals are thus especially likely to be concerned that 
information they share with their health care providers about their 
reproductive health care will not remain private. This is particularly 
true considering the historic lack of trust, negative experiences, and 
fear of discrimination that many members of historically 
underrepresented and marginalized communities and communities of color 
have in the health care system; \163\ such individuals are more likely 
to be deterred from seeking or obtaining health care--or from giving 
their health care providers full information.
---------------------------------------------------------------------------

    \158\ See Christine Dehlendorf et al., ``Disparities in Abortion 
Rates: A Public Health Approach,'' Am. J. of Pub. Health (Oct. 
2013), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/. See 
also Kiara Alfonseca, ``Why Abortion Restrictions Disproportionately 
Impact People of Color,'' ABC News (June 24, 2022), https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809; Dulce Gonzalez et al., Robert 
Wood Johnson Foundation, ``Perceptions of Discrimination and Unfair 
Judgment While Seeking Health Care'' (Mar. 31, 2021), https://www.rwjf.org/en/insights/our-research/2021/03/perceptions-of-discrimination-and-unfair-judgment-while-seeking-health-care.html; 
Susan A. Cohen, ``Abortion and Women of Color: The Bigger Picture,'' 
11 Guttmacher Pol'y Rev. (Aug. 6, 2008), https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture; ``The 
Disproportionate Harm of Abortion Bans: Spotlight on Dobbs v. 
Jackson Women's Health,'' Center for Reproductive Rights (Nov. 29, 
2021), https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/ (``Abuses such as 
forced sterilization of Black, Indigenous, and other people of color 
and individuals with disabilities specifically exacerbate medical 
mistrust within reproductive healthcare.'').
    \159\ See Brief of Amici Curiae for Organizations Dedicated to 
the Fight for Reproductive Justice--Mississippi in Action, et al. at 
*35-36, Dobbs, 597 U.S. 215 (discussing the likelihood that 
individuals, particularly those from marginalized communities who 
terminate their pregnancies and anyone who assists them may be 
disproportionally likely to face criminal investigation or arrest, 
given the rates of incarceration of persons from such communities.); 
see also Elizabeth Yuko, ``Women of Color Will Face More 
Criminalized Pregnancies in Post-`Roe' America,'' Rolling Stone 
(Jul. 7, 2020) (``Historically, we've seen the criminalization of 
people of color, young people, and people with lower incomes who've 
had miscarriages and other types of pregnancy losses that the state 
deemed were their fault [. . .] These groups are the most likely to 
be reported to law enforcement and investigated''); see also 
Sentencing Project, State-by-State Data, https://www.sentencingproject.org/research/us-criminal-justice-data/ (last 
visited Feb. 16, 2024) (U.S. Total: Imprisonment rate per 100,000 
residents--355; Black/White disparity--4.8:1; Latinx/White 
disparity--1.3:1); Racial Disparities in Incarceration, Vera 
Institute of Justice (Aug. 21, 2023), https://trends.vera.org/ 
(Prison population rate per 100,000 residents ages 15 to 64. U.S. 
total incarceration rate 2021 Q2--298, Asian American/Pacific 
Islander incarceration rate 2021 Q2--100, Black/African American 
incarceration rate 2021 Q2--1,310, Latinx incarceration rate 2021 
Q2--671, Native American incarceration rate 2021 Q2--1,021, White 
incarceration rate 2021 Q2--281).
    \160\ See Columbia Law Sch. Hum. Rts. Inst. & Ne. Univ. Sch. 
of Law Program on Hum. Rts. and the Glob. Econ., ``Equal Access to 
Justice: Ensuring Meaningful Access to Counsel in Civil Cases, 
Including Immigration Proceedings'' (July 2014), https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf. See also Lauren 
Hoffman et al., Ctr. For Am. Progress, ``Report: State Abortion Bans 
Will Harm Women and Families' Economic Security Across the US'' 
(Aug. 25, 2022), https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/.
    \161\ See Myasar Ihmud, ``Lost in Translation: Language Barriers 
to Accessing Justice in the American Court System,'' UIC Law Review 
(2023) (discussing ``access to justice for [limited English 
proficient (LEP)] individuals is hindered because they are unable to 
communicate with the court or understand the proceedings. Case law 
shows that, when unable to communicate with the court, LEP litigants 
are unable to defend themselves appropriately in criminal or 
immigration hearings, protect their homes, or keep custody of their 
children.''), https://repository.law.uic.edu/cgi/viewcontent.cgi?article=2908&context=lawreview; see also ``Language 
Access & Cultural Sensitivity,'' Legal Services Corporation (last 
visited Feb. 21, 2024) (describing how legal aid organizations 
should plan for providing meaningful access to language services. As 
of 2013, ``close to 25 million people, about 8 percent of the 
population, has limited English proficiency.''), https://www.lsc.gov/i-am-grantee/model-practices-innovations/language-access-cultural-sensitivity.
    \162\ See, e.g., Gautam Gulati et al., ``The experience of law 
enforcement officers interfacing with suspects who have an 
intellectual disability--A systematic review,'' International 
Journal of Law and Psychiatry (Sept.-Oct. 2020) (``It is not 
uncommon for people with [intellectual disability] to be suspects or 
accused persons when interfacing with Law Enforcement Officers 
(LEOs) and therefore face arrest, interview and/or custody.''), 
https://www.sciencedirect.com/science/article/pii/S016025272030073X.
    \163\ See Leslie Read et al., The Deloitte Ctr. for Health 
Solutions, ``Rebuilding Trust in Health Care: What Do Consumers 
Want--and Need--Organizations to Do?,'' at 3 (Aug. 5, 2021) (With 
focus groups of 525 individuals in the United States who identify as 
Black, Hispanic, Asian, or Native American, ``[f]ifty-five percent 
reported a negative experience where they lost trust in a health 
care provider.''), https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html; Liz Hamel et 
al., Kaiser Family Foundation, ``The Undefeated Survey on Race and 
Health,'' at 23 (Oct. 2020) (Percent who say they can trust the 
health care system to do what is right for them or their community 
almost all of the time or most of the time: Black adults: 44%; 
Hispanic adults: 50%; White adults: 55%), https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf; U.S. Dep't of Health and Hum. 
Servs., Assistant Sec'y for Pol. & Eval., Off. of Health Pol., 
``Issue Brief: Health Insurance Coverage and Access to Care for 
LGBTQ+ Individuals: Current Trends and Key Challenges,'' at 9 (June 
2021) (A 2021 survey found that 18 percent of LGBTQ+ individuals 
reported avoiding going to a doctor or seeking health care out of 
concern that they would face discrimination or poor treatment 
because of their sexual orientation or gender identity.), https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf; Abigail 
A. Sewell, ``Disaggregating Ethnoracial Disparities in Physician 
Trust,'' Soc. Science Rsch. (Nov. 2015), https://pubmed.ncbi.nlm.nih.gov/26463531/; Irena Stepanikova et al., 
``Patients' Race, Ethnicity, Language, and Trust in a Physician,'' 
J. of Health and Soc. Behavior (Dec. 2006), https://pubmed.ncbi.nlm.nih.gov/17240927/.
---------------------------------------------------------------------------

    Congress contemplated that the Department would need to modify 
standards adopted under HIPAA's Administrative Simplification 
provisions and directed the Secretary to review standards adopted under 
42 U.S.C. 1320d-2 periodically.\164\ In accordance with this directive 
and based on the Department's expertise and analysis and the recent 
developments in the legal landscape, there is a compelling need to 
provide additional protections to PHI about lawful reproductive health 
care. Accordingly, consistent with Congress's directions to the 
Department, in HIPAA, as amended by the Genetic Information 
Nondiscrimination Act (GINA) and the HITECH Act, to establish standards 
and requirements for the electronic transmission of certain health 
information, including the privacy thereof, for the development of a 
health information system, the Department is restricting certain uses 
and disclosures of PHI for particular non-health care purposes to 
provide such protections.
---------------------------------------------------------------------------

    \164\ Congress' directions regarding the issuance of standards 
for the privacy of IIHI are codified at 42 U.S.C. 1320d-2 note. See 
also 45 CFR 160.104(a).
---------------------------------------------------------------------------

C. To Protect the Trust Between Individuals and Health Care Providers, 
the Department Is Restricting Certain Uses and Disclosures of PHI for 
Particular Non-Health Care Purposes

    As discussed above, Congress enacted HIPAA to improve the 
efficiency and effectiveness of the health care system, which includes 
ensuring that individuals have trust in the health care system. 
Congress also directed the Department to develop standards with respect 
to the privacy of IIHI as part of its decision to encourage the 
development of a health information system. To preserve such trust, and 
to encourage the development and use of a nationwide health information 
system, it is appropriate and necessary for Federal law and policy to 
protect the confidentiality of medical records, especially those that 
are highly sensitive. Accordingly, to protect the trust between 
individuals and health care providers, this rule restricts certain uses 
and disclosures of PHI for particular non-health care purposes, i.e., 
for using or disclosing PHI to conduct a criminal, civil, or 
administrative investigation into or to impose criminal, civil, or 
administrative liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating

[[Page 32990]]

lawful reproductive health care, or to identify any person to initiate 
such activities.
    Information about reproductive health care is particularly 
sensitive and requires heightened privacy protection. The Department's 
approach is consistent with efforts across the Federal Government. For 
example, the Department of Defense (DOD) has recognized such privacy 
concerns. In a memorandum to DOD leaders, the Secretary of Defense 
directed the DOD to ``[e]stablish additional privacy protections for 
reproductive health care information'' for service members and 
``[d]isseminate guidance that directs Department of Defense health care 
providers that they may not notify or disclose reproductive health 
information to commanders unless this presumption is overcome by 
specific exceptions set forth in policy.'' \165\ The Federal Trade 
Commission (FTC) has also recognized that information about personal 
reproductive matters is ``particularly sensitive'' and has committed to 
using the full scope of its authorities to protect consumers' privacy, 
including the privacy of their health information and other sensitive 
data.\166\ In business guidance, the FTC explained that ``[t]he 
exposure of health information and medical conditions, especially data 
related to sexual activity or reproductive health, may subject people 
to discrimination, stigma, mental anguish, or other serious harms.'' 
\167\
---------------------------------------------------------------------------

    \165\ Dep't of Defense, Memorandum Re: Ensuring Access to 
Reproductive Health Care, at 1 (Oct. 20, 2022) (removed emphasis on 
``not'' in original), https://media.defense.gov/2022/Oct/20/2003099747/-1/-1/1/MEMORANDUM-ENSURING-ACCESS-TO-REPRODUCTIVE-HEALTH-CARE.PDF.
    \166\ Kristin Cohen, ``Location, health, and other sensitive 
information: FTC committed to fully enforcing the law against 
illegal use and sharing of highly sensitive data'', Federal Trade 
Commission Business Blog (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal (last 
accessed Nov. 15, 2022).
    \167\ Id.
---------------------------------------------------------------------------

    As discussed above, the Department has long provided special 
protections for psychotherapy notes because of the sensitivity around 
this information. However, unlike psychotherapy notes, which by their 
very nature are easily segregated, reproductive health information is 
not easily segregated. Additionally, regulated entities generally do 
not have the ability to segment certain PHI such that regulated 
entities could afford special protections for specific categories of 
PHI.\168\ Where such technology is available, it is generally cost 
prohibitive and burdensome to implement.\169\ Therefore, the Department 
did not propose, and is not finalizing, a newly defined subset of PHI. 
Creating such a subset would create barriers to disclosing PHI for care 
coordination because the PHI would need to be segregated from the 
remaining medical record. Instead, consistent with the Privacy Rule's 
longstanding overall approach,\170\ the Department is finalizing a 
purpose-based prohibition against certain uses and disclosures. This 
rule seeks to protect individuals' privacy interests in their PHI about 
reproductive health care and the interests of society in an effective 
health care system by enabling individuals and licensed health care 
professionals to make decisions about reproductive health care based on 
a complete medical record, while balancing those interests with other 
interests of society in obtaining PHI for certain non-health care 
purposes.
---------------------------------------------------------------------------

    \168\ See Daniel M. Walker et al., ``Interoperability in a Post-
Roe Era Sustaining Progress While Protecting Reproductive Health 
Information,'' JAMA (Nov. 1, 2022) (discussing that segregation of 
records for reproductive health care is more difficult than for SUD 
treatment records because ``reproductive health services are often 
provided in the same settings as other primary and acute care and 
thus could be inferred or directly reflected in many parts of the 
record.''), https://jamanetwork-com.ezproxyhhs.nihlibrary.nih.gov/journals/jama/fullarticle/2797865; See, e.g., 87 FR 74216, 74221 
(Dec. 2, 2022) (noting that 42 CFR part 2 previously resulted in the 
separation of SUD treatment records previous from other health 
records, which led to the creation of data ``silos'' that hampered 
the integration of SUD treatment records into covered entities' 
electronic record systems and billing processes. When considering 
amendments to the relevant statute, some lawmakers argued that the 
silos perpetuated negative stereotypes about persons with SUD and 
inhibited coordination of care during the opioid epidemic.). See 
also Health Info. Tech. Advisory Comm., ``Health Information 
Technology Advisory Committee (HITAC) Annual Report for Fiscal Year 
2019,'' 2019 ONC Ann. Rep., at 37 (Feb. 19, 2020), https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf (``The new 
certification criteria that support the sharing of data via third-
party apps will help advance the use of data segmentation, but 
adoption of this capability by the industry is not yet 
widespread.'').
    \169\ See 88 FR 23746, 23898 (Apr. 18, 2023) (explaining that 
while there are standards for security labels for document-based 
exchange that the Office of the National Coordinator for Health 
Information Technology (ONC) adopted in full in 2020 for the 
criteria in 45 CFR 170.315(b)(7) and (b)(8) to support the 
application of security labels at a granular level for sending in 
and receiving, standards to define the technical requirements for 
the actions described by the security label vocabularies do not yet 
exist. In the 21st Century Cures Act: Interoperability, Information 
Blocking, and the ONC Health IT Certification Program Final Rule, 
published in 2020, ONC estimated a cost of the certification 
criteria and standards adopted for security labels in 45 CFR 
170.315(b)(7) and (b)(8). The Department estimated the total cost to 
developers could range from $2,910,400 to $6,933,600 and that it 
would be a onetime cost. (85 FR 25926) The criteria do not include 
the ability for health IT to take the actions described by the 
security labels. Additionally, ONC did not require that health IT be 
certified to the criteria described above, making it essentially 
voluntary. Accordingly, the estimates for health IT developer and 
health care provider costs were likely significantly lower than they 
would have been if health IT were required to be certified to the 
criteria for participation. Thus, the total cost of implementing 
full segmentation capabilities is likely substantially higher than 
the per-product cost estimates provided by the Department in that 
rule). See also 88 FR 23746, 23875 (Apr. 18, 2023) (discussing 
examples of challenges or technical limitations to electronic health 
information segmentation that have been described to ONC).
    \170\ See 64 FR 59918, at 59924, 59939, and 59955 (Nov. 3, 
1999).
---------------------------------------------------------------------------

    To assist in effectuating this prohibition, the Department is also 
requiring regulated entities to obtain an attestation in certain 
circumstances from the person requesting the use or disclosure stating 
that the use or disclosure is not for a prohibited purpose. A person 
(including a regulated entity or someone who requests PHI) who 
knowingly and in violation of the Administrative Simplification 
provisions obtains or discloses IIHI relating to another individual 
would be subject to potential criminal liability.\171\ Thus, a person 
who knowingly and in violation of HIPAA falsifies an attestation (e.g., 
makes a material misrepresentation about the intended uses of the PHI 
requested) to obtain (or cause to be disclosed) an individual's IIHI 
could be subject to the criminal penalties provided by the 
statute.\172\ Additionally, a regulated entity is subject to potential 
civil penalties for violations of the HIPAA Rules, including a failure 
to obtain a valid attestation before disclosing PHI, where an 
attestation is required.\173\ The purpose-based prohibition, in concert 
with the attestation, will restrict the use and disclosure of PHI about 
lawful reproductive health care where the use or disclosure could harm 
HIPAA's overall goals of increasing trust in the health care system, 
improving health care quality, and protecting individual privacy. At 
the same time, it will allow uses and disclosures that either support 
those goals or do not substantially interfere with their achievement.
---------------------------------------------------------------------------

    \171\ See 42 U.S.C. 1320d-6(a).
    \172\ See 42 U.S.C. 1320d-6(b).
    \173\ See 42 U.S.C. 1320d-5. See also 45 CFR part 160, subparts 
A, D, and E.
---------------------------------------------------------------------------

    Consistent with the Privacy Rule's approach, the Department is 
clarifying that the purpose-based prohibition applies only in certain 
circumstances, recognizing the interests of both the Federal Government 
and states while also protecting the information privacy interests of 
persons who seek, obtain, provide, or facilitate lawful reproductive 
health care. Thus, the Department is finalizing a Rule of

[[Page 32991]]

Applicability that balances the privacy interests of individuals and 
the interests of society in an effective health care system with those 
of society in the use of PHI for other non-health care purposes by 
limiting the new prohibition to certain circumstances.
    The Department's experience administering the Privacy Rule, 
research cited below, our assessment of the needs of individuals and 
health care providers in light of recent developments to the legal 
landscape, public comments, and the Regulatory Impact Analysis, in 
Section VI below, all provide support for the changes finalized in this 
rulemaking. These changes will improve individuals' confidence in the 
confidentiality of their PHI and their trust in the health care system, 
creating myriad benefits for the health care system. Balancing the 
privacy interests of individuals and the use of PHI for other societal 
priorities will continue to support an effective health care system, as 
Congress intended. This final rule will deter the creation of 
inaccurate and incomplete medical records, which will help to support 
the provision of appropriate lawful health care. Health care providers 
base their treatment recommendations on PHI contained within existing 
medical records, as well as information shared with them directly by 
the individual. Thus, where individuals withhold information from their 
health care providers about lawful health care, health care providers 
may not be in possession of all of the necessary information to make an 
informed recommendation for an appropriate treatment plan, which may 
result in negative health outcomes at both the individual and 
population level. It will also improve the confidence of individuals, 
including among the Nation's most vulnerable communities, that they can 
securely seek or obtain or share that they sought or obtained lawful 
reproductive health care without that information being used or 
disclosed for the purpose of investigating or imposing liability on 
them for seeking or obtaining that lawful health care. By improving 
individuals' confidence and trust in their relationships with their 
health care providers, it will make individuals more likely to, for 
example, comply with preventative health screening recommendations, 
which will protect against a decline in individual and population 
health outcomes related to missed preventative health screenings. 
Additional intangible benefits from increased privacy protections in 
this area include enhanced support for survivors of rape, incest, and 
sex trafficking. The new attestation requirement discussed in greater 
detail below will help to assure regulated entities of their ability to 
operationalize these changes and avoid exposure to HIPAA liability for 
impermissible disclosures.

IV. General Discussion of Public Comments

    The Department received more than 25,900 comments in response to 
its proposed rule. Overall, these comments represent the views of 
approximately 51,500 individuals and 350 organizations. Slightly more 
than half of the individuals and organizations who shared their views 
expressed general support for the 2023 Privacy Rule NPRM and its 
objectives. Less than one percent expressed mixed views. Organizational 
commenters included professional and trade associations, including 
those representing medical professionals, health plans, health care 
providers, health information management professionals, health 
information management system vendors, release-of-information vendors, 
employers, epidemiologists, and attorneys. The Department also received 
comments from advocacy organizations, including those representing 
patients, privacy advocates, faith-based organizations, and civil 
rights organizations. The NCVHS also provided comments, as did members 
of Congress, state, local, and Tribal government officials and public 
health authorities. Other commenters included health care systems, 
hospitals, and health care professionals.

A. General Comments in Support of the Proposed Rule

    Comment: Many commenters expressed general support for the proposed 
rule and urged the Department to protect the privacy of individuals by 
limiting uses and disclosures of PHI for certain purposes where the use 
or disclosure of information is about reproductive health care that is 
lawful under the circumstances in which such health care is provided.
    Many health care providers and individuals emphasized the 
importance of trusting relationships between individuals and their 
health care providers. According to individual commenters, a trusting 
relationship permits individuals to participate in sensitive and 
difficult conversations with their health care providers and enables 
health care providers to furnish high-quality and appropriate health 
care and to maintain accurate and complete medical records, including 
records that contain information about reproductive health care.
    Many organizations also submitted comments that expressed agreement 
with the Department's position on the importance of the relationship 
between HIPAA and the HIPAA Rules and trust between individuals and 
health care providers. For example, an organization commented that 
privacy has long been a ``hallmark'' of medical care and agreed with 
the Department that Congress recognized this principle when it enacted 
HIPAA. Some organizations commented that the HIPAA framework of law and 
rules provides individuals with the necessary trust and confidence to 
seek reproductive health care without fear of being prosecuted or 
targeted by law enforcement, including in medical emergencies.
    Other commenters stated that a trusting confidential relationship 
between an individual and a health care provider is an essential 
prerequisite to the delivery of high-quality health care. They also 
asserted that protective privacy laws, including HIPAA, help to ensure 
that individuals do not forgo health care.
    Many individuals asserted that the proposed safeguards are urgently 
needed to provide individuals with the confidence to seek health care. 
According to the commenters, the proposal would increase the likelihood 
that pregnant individuals would receive essential health care, thus 
improving their overall well-being. One commenter expressed support for 
the proposal because they believe people should not be held liable or 
face punishment for seeking, obtaining, providing, or facilitating 
lawful health care. Another commenter expressed concerns that the 
increase in state legislation targeting reproductive health care has 
placed significant burdens on physicians and increased the risk of 
maternal morbidity and mortality for individuals.
    A few commenters also expressed agreement with the Department's 
assertion that the proposed restrictions would clarify legal 
obligations of regulated entities with respect to the disclosure of PHI 
for certain non-health related purposes and would enable persons 
requesting PHI, including health plans, to better understand when such 
disclosures are permitted.
    Response: The Department appreciates these comments and is 
finalizing the proposed rule with modification, as described in greater 
detail below. Consistent with HIPAA's goals, this final rule will 
support the development and maintenance of trust between individuals 
and their health care providers, encouraging individuals

[[Page 32992]]

to be forthright with health care providers regarding their health 
history and providing valuable clarity to the regulated community and 
individuals concerning their privacy rights with respect to lawfully 
provided health care. In so doing, the Department helps to support 
access to health care by increasing individuals' confidence in the 
privacy of their PHI about lawfully provided reproductive health care. 
We are taking these actions as a result of our ongoing evaluation of 
the environment, including the legal landscape, and consistent with the 
Privacy Rule's longstanding balance of individual privacy and societal 
interests in PHI for non-health care purposes.
    Comment: A wide cross-section of commenters, including individuals, 
health care providers, patient advocacy organizations, reproductive 
rights organizations, state law enforcement agencies, and others all 
agreed that individuals who frequently experience discrimination 
generally also experience it when seeking health care.
    Many of these commenters urged the Department to recognize that 
there is a trust deficit in relationships between individuals and 
health care providers in communities that frequently experience 
discrimination. Many commenters cited scholarly journals and research 
articles showing that women of color especially suffer poorer medical 
outcomes, including higher maternal mortality and denial of medical 
interventions or treatments.
    Commenters who answered the Department's request for comment about 
whether members of ``historically underserved and minority 
communities'' are more likely to be the subject of investigations into 
or proceedings against persons in connection with seeking, obtaining, 
providing, or facilitating lawful reproductive health care unanimously 
responded in the affirmative. Some commenters expressed concern about 
the current legal environment's disproportionately negative effect on 
the privacy of women and members of marginalized and historically 
underserved communities and communities of color, such as immigrants 
who might avoid obtaining health care because of fears that their PHI 
could be shared with government officials. In general, commenters 
encouraged the Department to consider the likely negative implications 
of reduced health information privacy when combined with these 
disparities on health outcomes for members of marginalized and 
historically underserved communities and communities of color when 
crafting the final rule.
    Some commenters expressed concern about the current legal 
environment's disproportionately negative effect on the privacy of 
members of marginalized and historically underserved communities and 
communities of color, such as women of color, immigrants and American 
Indians and Alaska Natives, who might withhold information from health 
care providers or avoid obtaining health care because of fears that 
their PHI could be shared with government officials or used to 
investigate or impose liability on them.
    Among commenters that addressed this topic, many supported the 
Department's proposed purpose-based prohibition. Commenters stated that 
the proposed rule would help to mitigate medical mistrust of 
individuals in marginalized and historically underserved communities 
and communities of color and reduce the racial disparities that result 
from the increased criminalization of reproductive health care.
    Several commenters also addressed the issue of the availability of 
legal counsel among these communities. A few commenters asserted that 
individuals who are members of marginalized and historically 
underserved communities and communities of color are less likely to 
have access to legal counsel, despite being more likely to be subjects 
of investigations into or proceedings against persons in connection 
with obtaining, providing, or facilitating lawful sexual and 
reproductive health care, and cited to related studies.
    Response: We appreciate these comments and thank commenters for 
sharing these important considerations. As we discussed in the 2023 
Privacy Rule NPRM and again here, the experiences of individuals from 
communities that have been historically underserved, marginalized, or 
subject to discrimination or systemic disadvantage by virtue of their 
race, disability, social or economic status, geographic location, or 
environment have significant negative effects on their relationships 
with health care providers and their willingness to seek necessary 
health care. We agree that the current legal landscape has exacerbated 
the health inequities that these individuals encounter when seeking 
reproductive health care services. The Department expects that the 
steps we have taken in this rule will meaningfully strengthen the 
privacy of PHI about lawful reproductive health care, and as a result, 
will help to mitigate the exacerbation of health disparities for 
members of marginalized and historically underserved communities and 
communities of color.
    The Department is actively working to reduce health disparities. In 
recent months, we released a new plan to address language barriers and 
strengthen language access in health care,\174\ and issued three 
proposed rules to address health disparities: one to revise existing 
regulations to strengthen prohibitions against discrimination on the 
basis of a disability in health care and human services programs; \175\ 
another to issue new regulations to advance non-discrimination in 
health and human service programs for the LGBTQI+ community; \176\ and 
a third to revise existing regulations to prohibit discrimination on 
the basis of race, color, national origin, sex, age, and disability in 
a range of health programs.\177\ The Department will continue to work 
to address these concerns, ensure that individuals have access to and 
do not forgo necessary health care, and build individuals' trust that 
health care providers can and will protect the privacy of individuals' 
sensitive health information.
---------------------------------------------------------------------------

    \174\ Press Release, ``Breaking Language Barriers: Biden-Harris 
Administration Announces New Plan to Address Language Barriers and 
Strengthen Language Access,'' U.S. Dep't of Health and Human Servs. 
(Nov. 15, 2023), https://www.hhs.gov/about/news/2023/11/15/breaking-language-barriers-biden-harris-administration-announces-new-plan-address-language-barriers-strengthen-language-access.html.
    \175\ Press Release, ``HHS Issues New Proposed Rule to 
Strengthen Prohibitions Against Discrimination on the Basis of a 
Disability in Health Care and Human Services Programs,'' U.S. Dep't 
of Health and Human Servs. (Sept. 7, 2023), https://www.hhs.gov/about/news/2023/09/07/hhs-issues-new-proposed-rule-to-strengthen-prohibitions-against-discrimination-on-basis-of-disability-in-health-care-and-human-services-programs.html.
    \176\ Press Release, ``HHS Issues Proposed Rule to Advance Non-
discrimination in Health and Human Service Programs for LGBTQI+ 
Community,'' U.S. Dep't of Health and Human Servs. (July 11, 2023), 
https://www.hhs.gov/about/news/2023/07/11/hhs-issues-proposed-rule-advance-non-discrimination-health-human-service-programs-lgbtqi-community.html.
    \177\ Press Release, ``HHS Announces Proposed Rule to Strengthen 
Nondiscrimination in Health Care,'' U.S. Dep't of Health and Human 
Servs. (July 25, 2022), https://www.hhs.gov/about/news/2022/07/25/hhs-announces-proposed-rule-to-strengthen-nondiscrimination-in-health-care.html.
---------------------------------------------------------------------------

    Comment: A few commenters agreed with the Department's position 
that the proposed rule would appropriately protect individuals against 
growing threats to their privacy with respect to PHI about reproductive 
health care while permitting states to conduct law enforcement 
activities.
    Response: The Privacy Rule always has balanced, and continues to 
balance, privacy interests and other societal interests by permitting 
disclosures of PHI to support

[[Page 32993]]

public policy goals, including disclosures to support certain criminal, 
civil, and administrative law enforcement activities; the operation of 
courts and tribunals; health oversight activities; the duties of 
coroners and medical examiners; and the reporting of child abuse, 
domestic violence, and neglect to appropriate authorities. We 
appreciate these comments that recognized the growing threat to the 
privacy of PHI and the need to strike an appropriate balance between 
ensuring health care privacy and conducting law enforcement activities. 
We are finalizing the proposed rule with modification as described in 
greater detail below.

B. General Comments in Opposition to the Proposed Rule

    Comment: Several commenters generally opposed the proposed rule 
because of their opposition to certain types of reproductive health 
care. Many commenters opposed the proposed rule generally because they 
believed that it would harm women and children. Other commenters 
expressed concern that the proposals would increase administrative 
burdens and costs for health care providers; impede parental rights; 
prevent mandatory reporting of child abuse or abuse, domestic violence, 
and neglect; infringe upon states' rights; thwart law enforcement 
investigations; inhibit disclosures for public health activities; and 
protect those who engage in unlawful activities.
    Response: The modifications to the Privacy Rule in this final rule 
directly advance Congress' directive in HIPAA to improve the efficiency 
and effectiveness of the health care system by encouraging the 
development of a health information system through the establishment of 
standards and requirements for the electronic transmission of certain 
health information,\178\ including a standard for the privacy of IIHI 
that, among other things, addresses the ``uses and disclosures of such 
information that should be authorized or required.'' \179\ As discussed 
in greater detail elsewhere in this final rule, a trusting relationship 
between individuals and health care providers is the foundation of 
effective health care. A primary goal of the Privacy Rule is to ensure 
the privacy of an individual's PHI while permitting necessary uses and 
disclosures of PHI that enable high-quality health care and protect the 
health and well-being of all individuals, including women and children, 
and the public.
---------------------------------------------------------------------------

    \178\ See 42 U.S.C. 1320d note.
    \179\ See 42 U.S.C. 1320d-2 note.
---------------------------------------------------------------------------

    From the outset, the Department structured the Privacy Rule to 
ensure that individuals do not forgo lawful health care when needed--or 
withhold important information from their health care providers that 
may affect the quality of health care they receive out of a fear that 
their sensitive information would be revealed outside of their 
relationship with their health care provider. The Department has long 
been committed to protecting the privacy of PHI and providing the 
opportunity for an authentic, trusting relationship between individuals 
and health care providers. As we discussed in the 2023 Privacy Rule 
NPRM and again here, this final rule will help engender trust between 
individuals and health care providers and confidence in the health care 
system. We believe that this confidence will eliminate some of the 
burdens health care providers face in providing high-quality health 
care, encourage health care providers to accurately document PHI in an 
individual's medical record, and encourage individuals to provide 
health care providers with their complete and accurate health history, 
all of which will ultimately support better health outcomes. Nothing in 
this final rule sets forth a particular standard of care or affects the 
ability of health care providers to exercise their professional 
judgment.
    This final rule protects the relationship between individuals and 
health care providers by protecting the privacy of PHI in circumstances 
where recent legal developments have increased concerns about that 
information being used and disclosed to harm persons who seek, obtain, 
provide, or facilitate reproductive health care under circumstances in 
which such health care is lawful, while continuing to permit uses and 
disclosures that confer other social benefits. It is narrowly tailored 
and respects the interests of both states and the Department. The final 
rule continues to permit regulated entities to use or disclose PHI to 
comply with certain mandatory reporting laws, for public health 
activities, and for law enforcement purposes when the uses and 
disclosures are compliant with the applicable provisions of the Privacy 
Rule.
    Further, consistent with the longstanding operation of the Privacy 
Rule, this final rule requires that, in certain circumstances, 
regulated entities obtain information from persons requesting PHI, such 
as law enforcement, before the regulated entities may use or disclose 
the requested PHI. The Department recognizes that this final rule may 
increase the burden on those persons making requests for PHI, such as 
federal and state law enforcement officials, by requiring, in certain 
circumstances, that regulated entities obtain more information from 
such persons than previously required, and may, at times, prevent 
regulated entities from using or disclosing PHI that they previously 
would have been permitted to use or disclose. For example, the 
Department recognizes that situations may arise where a regulated 
entity reasonably determines that reproductive health care was lawfully 
provided, while at the same time, the person requesting the PHI (e.g., 
law enforcement) reasonably believes otherwise. In such circumstances, 
where the regulated entity provided the reproductive health care, and 
upon receiving a request for the PHI for a purpose that implicates the 
prohibition, reasonably determines that the provision of reproductive 
health care was lawful, the final rule would prohibit the regulated 
entity from disclosing PHI for certain types of investigations into the 
provision of such health care. This constitutes a change from the 
current Privacy Rule, under which a regulated entity is permitted, but 
not required, to make a use or disclosure under 45 CFR 164.512(f) of 
information that is ``relevant and material to a legitimate'' law 
enforcement inquiry, provided that certain conditions are met; these 
conditions include, for example, that the request is specific and 
limited in scope to the extent reasonably practicable given the purpose 
for which the information is sought.\180\ Similarly, the Department 
acknowledges that, where the regulated entity did not provide the 
reproductive health care that is the subject of the investigation or 
imposition of liability, the Rule of Applicability and Presumption, 
discussed below, may require regulated entities to obtain additional 
information, that is, factual information that demonstrates to the 
regulated entity a substantial factual basis that the reproductive 
health care was not lawful under the specific circumstances in which it 
was provided, from persons requesting PHI before using or disclosing 
the requested PHI.
---------------------------------------------------------------------------

    \180\ See 45 CFR 164.512(f)(1)(ii)(C).
---------------------------------------------------------------------------

    Consistent with HIPAA and the Department's longstanding approach in 
the Privacy Rule, the Department is finalizing an approach that strikes 
an appropriate balance between the privacy interests of individuals and 
the interests of law enforcement, and private parties afforded legal 
rights of action, in

[[Page 32994]]

obtaining PHI for certain non-health care purposes. While this approach 
may adversely affect particular interests of law enforcement, and 
private parties afforded legal rights of action, in some cases, the 
Department believes that the final rule best balances these competing 
interests by enhancing privacy protections without unduly interfering 
with legitimate law enforcement activities and does so in a manner that 
is consistent with the approach taken elsewhere in the Privacy Rule. As 
explained above, individual privacy interests are especially strong 
where individuals seek lawful reproductive health care. In particular, 
individuals may forgo lawful health care or avoid disclosing previous 
lawful health care to providers because they fear that their PHI will 
be disclosed. The Department believes these concerns are exacerbated by 
the prospect of state investigations into, and resulting intimidation 
and criminalization of, health care providers for providing lawful 
reproductive health care, as well as state laws encouraging state 
residents to sue persons who facilitate individuals' access to legal 
health care. The final rule addresses these interests by protecting 
privacy in situations where the reproductive health care at issue is 
especially likely to be lawful under the circumstances in which such 
health care was provided. Where a regulated entity receives a request 
for PHI about reproductive health care that the regulated entity 
provided, such health care is likely to be lawful where the regulated 
entity reasonably determines, based on all information in its 
possession, that such health care was lawful under the circumstances in 
which it was provided. Similarly, where a regulated entity receives a 
request for PHI about reproductive health care that the regulated 
entity did not provide, such health care is likely to be lawful where 
law enforcement is unable to provide factual information that 
demonstrates to the regulated entity a substantial factual basis that 
the reproductive health care was not lawful under the specific 
circumstances in which such health care was provided.
    The Department recognizes that, in some cases, the approach adopted 
in this final rule may inadvertently prohibit the disclosure of PHI 
about reproductive health care that was unlawfully provided, such as 
where a health care provider reasonably but incorrectly determines that 
the reproductive health care it provided was lawful under the 
circumstances in which such health care was provided. This is similar 
to how the Privacy Rule has always potentially prevented the use or 
disclosure of PHI that could be useful to law enforcement in certain 
circumstances because the request for PHI does not meet the conditions 
of the applicable permission. Nevertheless, given the importance of 
protecting individual privacy in this area, the Department has 
determined that the final rule adopts the appropriate balance between 
individual privacy and the interests of other persons, such as law 
enforcement. Specifically, the Department believes that the benefits to 
individual privacy of a broadly protective rule outweigh the benefits 
to societal interests in the use or disclosure of PHI from a narrower 
rule. While a narrower rule would more broadly permit disclosures 
related to PHI that might concern reproductive health care that is not 
lawful under the circumstances in which it is provided, such a rule 
would inadvertently permit more disclosures of PHI about lawful 
reproductive health care. Accordingly, the Department concludes that 
the final rule must be sufficiently broad to protect against such 
disclosures, given the paramount importance of individual privacy in 
this area.
    Moreover, as explained above, individual privacy interests are 
paramount to promote free and open communication between individuals 
and their health care providers, thereby ensuring that individuals 
receive high-quality care based on their accurate medical history. 
Society has long recognized that information exchanged as part of a 
specific relationship for which trust is paramount should be entitled 
to heightened protection (e.g., marital privilege, attorney-client 
privilege, doctor-patient privilege). Similarly, this final rule seeks 
to address situations where privacy interests are especially important, 
based both on the content of the information that is protected from 
disclosure (concerning lawful reproductive health care) and the context 
in which that information is shared (concerning a trust-based 
relationship between individuals and their health care providers).
    In contrast, the potential adverse effects of this final rule on 
other interests, such as those of law enforcement, are limited by the 
narrow scope of this final rule. This final rule does not seek to 
prohibit disclosures of PHI where the request is for reasons other than 
investigating or imposing liability on persons for the mere act of 
seeking, obtaining, providing, or facilitating reproductive health care 
that is lawful under the circumstances in which such health care is 
provided. For example, as explained in the NPRM and below, the final 
rule does not prohibit the use or disclosure of PHI for investigating 
alleged violations of the Federal False Claims Act or a state 
equivalent; conducting an audit by an Inspector General aimed at 
protecting the integrity of the Medicare or Medicaid program where the 
audit is not inconsistent with this final rule; investigating alleged 
violations of Federal nondiscrimination laws or abusive conduct, such 
as sexual assault, that occur in connection with reproductive health 
care; or determining whether a person or entity violated 18 U.S.C. 248 
regarding freedom of access to clinic entrances. In each of these 
cases, the request is not made for the purpose of investigating or 
imposing liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating reproductive health care.
    Even when the request is for the purpose of investigating or 
imposing liability on the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care, this final rule does not seek to 
prohibit disclosures of PHI about reproductive health care that is not 
lawful under the circumstances in which it was provided. Thus, in most 
situations involving reproductive health care that is not lawful under 
the circumstances in which it is provided, this final rule will not 
prevent the use or disclosure of PHI to investigate or impose liability 
on persons for such legal violations, provided such disclosures are 
otherwise permitted by the Privacy Rule. Moreover, where a regulated 
entity did not provide the reproductive health care at issue, this 
final rule prohibits the use or disclosure of PHI where the person 
making the request does not provide sufficient information to overcome 
the presumption of legality. In such cases, law enforcement agencies 
and other persons have a reduced interest in obtaining such PHI where 
the information does not demonstrate to the regulated entity a 
substantial factual basis that the reproductive health care was not 
lawful under the circumstances in which such health care was provided.
    This final rule does not prohibit the use or disclosure of PHI to 
investigate or impose liability on persons where reproductive health 
care is unlawful under the circumstances in which it is provided. 
Instead, the final rule prohibits the use or disclosure of PHI in 
narrowly tailored circumstances (i.e., where the use or disclosure is 
to conduct an investigation or impose liability on a person for the 
mere act of seeking, obtaining, providing, or facilitating reproductive 
health care that

[[Page 32995]]

is lawful under the circumstances in which such health care is 
provided, or to identify a person for such activities). For example, 
once this final rule is in effect, a covered health care provider may 
still disclose PHI to a medical licensing board investigating a health 
care provider's actions related to their obligation to report suspected 
elder abuse, assuming the disclosure meets the conditions of an 
applicable Privacy Rule permission. This is because the final rule does 
not bar the use or disclosure of PHI for health oversight purposes, 
which is unrelated to the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care.
    Additionally, even where the final rule prohibits the use or 
disclosure of PHI to investigate potentially unlawful reproductive 
health care (i.e., where a regulated entity reasonably determines that 
the reproductive health care they provided was lawful, or where the 
presumption of legality is not overcome), law enforcement retains other 
ways of investigating reproductive health care that they suspect may 
have been unlawfully provided. For example, law enforcement retains the 
use of other traditional and otherwise lawful investigatory means for 
obtaining information, such as conducting witness interviews and 
accessing other sources of information not covered by HIPAA. The final 
rule is therefore tailored to protect the relationship between 
individuals and their health care providers specifically, while leaving 
unaffected law enforcement's ability to conduct investigations using 
information from other sources.
    With respect to commenters' concerns about parental rights, this 
final rule also does not interfere with the ability of states to define 
the nature of the relationship between a minor and a parent or 
guardian.
    Comment: A few commenters that expressed negative views asserted 
that the proposed rule exceeded the Department's statutory authority 
under HIPAA or was beyond the Department's rulemaking authority. Some 
commenters stated that the rulemaking was arbitrary and capricious and 
would make it difficult for law enforcement to investigate reproductive 
health care and engage in health oversight activities and would require 
health care providers to provide certain types of health care against 
which they have objections. Some commenters expressed concern about the 
balance of powers between the states and the federal government. Other 
commenters suggested that the proposals preempt state laws serving 
public health, safety, and welfare.
    Response: As discussed above, Congress explicitly stated that the 
purpose of HIPAA's Administrative Simplification provisions was to 
improve the efficiency and effectiveness of the health care system. For 
the health care system to be effective, individuals must trust that 
information that they share with health care providers about lawful 
health care will remain private. Accordingly, since their inception, 
the HIPAA Rules have required that regulated entities narrowly tailor 
disclosures to law enforcement to protect an individual's privacy.\181\ 
While the Department is adopting an approach in this final rule that is 
more protective of privacy interests than the current Privacy Rule in 
certain circumstances, these changes are necessary to appropriately 
balance privacy interests and the interests of law enforcement, and 
private parties afforded legal rights of action, in light of the 
changing legal environment. This is discussed in detail above. In both 
the 2023 Privacy Rule NPRM and this final rule, the Department cited to 
multiple studies documenting the real-world harm to health and health 
care in the changing legal environment. As explained above, the 
Department acknowledges that this final rule may affect certain state 
interests in obtaining PHI to investigate potentially unlawful 
reproductive health care, but the Department has tailored the final 
rule to strike the appropriate balance between privacy interests and 
state interests. This final rule limits the potential harm to 
individuals, health care providers, and others resulting from the 
disclosure of PHI to investigate or punish individuals for the mere act 
of seeking, obtaining, providing, or facilitating reproductive health 
care that is lawful under the circumstances in which such health care 
is provided. We emphasize that nothing in this rule or any of the HIPAA 
Rules requires a health care provider to provide any type of health 
care, including any type of reproductive health care.
---------------------------------------------------------------------------

    \181\ See, e.g., 45 CFR 164.512(f) and 164.514(d)(3)(iii).
---------------------------------------------------------------------------

    Comment: Several commenters asserted that the proposed rule would 
impede states' enforcement of their own laws, including those 
concerning sexual assault and sex trafficking. Many commenters opposed 
the proposed rule because they believed it would inhibit the ability of 
states to investigate or enforce laws prohibiting minors from obtaining 
certain types of health care and prevent the commenters from reporting 
minors who they believe are coerced into obtaining such health care to 
authorities.
    Response: This rule does not prohibit the disclosure of PHI for 
investigating allegations of or imposing liability for sexual assault, 
sex trafficking, or coercing minors into obtaining reproductive health 
care. Rather, this final rule modifies the existing HIPAA Privacy Rule 
standards by prohibiting uses and disclosures of PHI to investigate or 
impose liability on individuals, regulated entities, or other persons 
for the mere act of seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which such reproductive health care is provided, or to identify any 
person to investigate or impose liability on them for such purposes. 
Accordingly, requests for the disclosure of PHI to investigate such 
allegations of or impose liability for such crimes do not fall within 
the final rule's prohibition, and the presumption of lawfulness 
likewise would not be triggered because the prohibition would not 
apply. A regulated entity therefore would not be prohibited from 
disclosing an individual's PHI when subpoenaed by law enforcement for 
the purpose of investigating such allegations, assuming that law 
enforcement provided a valid attestation and met the other conditions 
of the applicable permission.
    Moreover, as explained above, the final rule is tailored to 
prohibit disclosures related to lawful reproductive health care, 
thereby reducing the interference with law enforcement interests to 
create an appropriate balance with privacy interests.
    Comment: Some states expressed concern that the proposed rule would 
intrude into areas where the HIPAA Rules have previously acknowledged 
state control, such as enforcement of state and local laws, regulation 
of the practice of health care, and reporting of abuse.
    Response: This final rule balances the interests of individuals in 
the privacy of their PHI and of society in an effective health care 
system with those of society in obtaining PHI for certain non-health 
care purposes. The Privacy Rule always has permitted, and continues to 
permit, disclosures of PHI to support public policy goals, including 
disclosures to support criminal, civil, and administrative law 
enforcement activities; the operation of courts and tribunals; health 
oversight activities; the duties of coroners and medical examiners; and 
the reporting of child abuse, domestic violence, and neglect to 
appropriate authorities. As explained above, while the final rule 
adopts an approach that is more

[[Page 32996]]

protective of privacy interests in certain circumstances than the 
previous Privacy Rule, the final rule continues to balance the 
interests that the HIPAA Rules have long sought to protect with those 
of society in PHI.

C. Other General Comments on the Proposed Rule

    Comment: Commenters urged the Department to provide enhanced 
privacy protections for health information that is not covered by 
existing frameworks or specifically addressed in the proposed rule. A 
few professional associations expressed support for revising the 
Privacy Rule to provide stronger protection for the privacy of 
reproductive health care information and urged the Department to modify 
the Privacy Rule to provide even stronger protections than those 
proposed in the 2023 Privacy Rule NPRM.
    Response: The Department's authority under HIPAA is limited to 
protecting the privacy of IIHI that is maintained or transmitted by 
covered entities and, in some cases, their business associates. 
Specific modifications to the Privacy Rule to protect the privacy of 
PHI are described in greater detail below. Consistent with the 
Department's longstanding approach with respect to the Privacy Rule, 
the modifications we are finalizing in this rule strike a balance 
between protecting an individual's right to health information privacy 
with the interests of society in permitting the disclosure of PHI to 
support the investigation or imposition of liability for unlawful 
conduct. In particular, the final rule does not prohibit the disclosure 
of PHI about reproductive health care that was unlawfully provided, 
because an individual's privacy interests in reproductive health care 
that is not lawful (e.g., a particular type of reproductive health care 
that is provided by a nurse practitioner in a state that requires that 
type of reproductive health care to be provided by a physician) are 
comparatively lower than a state's interests in investigating and 
imposing liability on persons for unlawful reproductive health care. We 
will continue to monitor legal developments and their effects on 
individual privacy as we consider the need for future modifications to 
the Privacy Rule.
    Comment: Several commenters questioned how the proposed rule would 
affect their current business associate and data exchange agreements.
    Response: The modifications in this final rule may require 
regulated entities to revise existing business associate agreements 
where such agreements permit regulated entities to engage in activities 
that are no longer permitted under the revised Privacy Rule. Regulated 
entities must be in compliance with the provisions of this rule by 
December 23, 2024.
    Comment: A few commenters requested clarification of whether minors 
and legal adults have the same protections under the Privacy Rule and 
whether this rule would alter existing protections.
    Response: The final rule does not change how the Privacy Rule 
applies to adults and minors. Thus, all of the protections provided to 
PHI by this final rule apply equally to adults and minors. For example, 
under this final rule, a regulated entity is prohibited from using or 
disclosing a minor's PHI for the purposes prohibited under 45 CFR 
164.502(a)(5)(iii). The Privacy Rule generally permits a parent to have 
access to the medical records about their child as their minor child's 
personal representative when such access is consistent with state or 
other law, with limited exceptions.\182\ Additional information about 
how the Privacy Rule applies to minors can be found at 45 CFR 
164.502(g) and on the OCR website.\183\
---------------------------------------------------------------------------

    \182\ See 45 CFR 164.502(g) (describing personal 
representatives) and 164.524(a)(3) (describing reviewable grounds 
for denial of access to PHI by a personal representative).
    \183\ Off. for Civil Rights, ``Health Information Privacy,'' 
U.S. Dep't of Health and Human Servs., https://www.hhs.gov/hipaa/.
---------------------------------------------------------------------------

    Comment: Many commenters urged the Department to take an 
educational approach, rather than a punitive one, with respect to 
enforcement against regulated entities. In addition, many commenters 
addressed the need for resources and education for successful 
implementation of the proposed changes to the Privacy Rule. They called 
for the Department to collaborate with and educate regulated entities, 
individuals, and others affected by the proposed revisions, such as law 
enforcement, as well as for the Department to partner with other 
Federal agencies and state governments to conduct the education. Some 
suggested that educational resources should include multiple media 
formats and a centralized platform.
    Response: The Department frequently issues non-binding guidance and 
conducts outreach to help regulated entities achieve compliance. We 
appreciate these recommendations and will consider these topics for 
future guidance. Regulated entities are expected to comply with the 
Privacy Rule as revised once the compliance date has passed.

V. Summary of Final Rule Provisions and Public Comments and Responses

    The Department is modifying the Privacy Rule to strengthen privacy 
protections for individuals' PHI by adding a new category of prohibited 
uses and disclosures of PHI. This final rule prohibits a regulated 
entity from using or disclosing an individual's PHI for the purpose of 
conducting a criminal, civil, or administrative investigation into or 
imposing criminal, civil, or administrative liability on any person for 
the mere act of seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which it is provided, meaning that it is either: (1) lawful under the 
circumstances in which such health care is provided and in the state in 
which it is provided; or (2) protected, required, or authorized by 
Federal law, including the United States Constitution, regardless of 
the state in which such health care is provided. In both of these 
circumstances, as explained above, the interests of the individual in 
the privacy of their PHI and of society in ensuring an effective health 
care system outweigh those of society in the use of PHI for non-health 
care purposes. To operationalize this modification, the Department is 
revising or clarifying certain definitions and terms that apply to the 
Privacy Rule, as well as other HIPAA Rules. This final rule also 
prohibits a regulated entity from using or disclosing an individual's 
PHI for the purpose of identifying an individual, health care provider, 
or other person for the purpose of initiating such an investigation or 
proceeding against the individual, a health care provider, or other 
person in connection with seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which it is provided.
    To effectuate these proposals, the Department is finalizing 
conforming and clarifying changes to the HIPAA Rules. These changes 
include, but are not limited to, clarifying the definition of 
``person'' to reflect longstanding statutory language defining the 
term; adopting new definitions of ``public health'' surveillance, 
investigation, or intervention, and ``reproductive health care''; 
adding a new category of prohibited uses and disclosures; clarifying 
that a regulated entity may not decline to recognize a person as a 
personal representative for the purposes of the Privacy Rule because 
they provide or facilitate reproductive health care for an individual; 
imposing a new

[[Page 32997]]

requirement that, in certain circumstances, regulated entities must 
first obtain an attestation that a requested use or disclosure is not 
for a prohibited purpose; and requiring modifications to covered 
entities' NPPs to inform individuals that their PHI may not be used or 
disclosed for a purpose prohibited under this final rule.
    The Department's section-by-section description of the final rule 
is below.

A. Section 160.103 Definitions

1. Clarifying the Definition of ``Person''
    HIPAA does not define the term ``person.'' \184\ The HIPAA Rules 
have long defined ``person'' to mean ``a natural person, trust or 
estate, partnership, corporation, professional association or 
corporation, or other entity, public or private.'' \185\ This meaning 
was based on the definition of ``person'' adopted by Congress in the 
original SSA, as an ``individual, a trust or estate, a partnership, or 
a corporation.'' \186\
---------------------------------------------------------------------------

    \184\ See 42 U.S.C. 1320d-1320d-8.
    \185\ 45 CFR 160.103.
    \186\ See section 1101(3) of Public Law 74-271, 49 Stat. 620 
(Aug. 14, 1935) (codified at 42 U.S.C. 1301(3)).
---------------------------------------------------------------------------

    In 2002, Congress enacted 1 U.S.C. 8, which defines ``person,'' 
``human being,'' ``child,'' and ``individual.'' \187\ The statute 
specifies that these definitions shall apply when ``determining the 
meaning of any Act of Congress, or of any ruling, regulation, or 
interpretation of the various administrative bureaus and agencies of 
the United States.'' \188\ The Department understands 1 U.S.C. 8 to 
provide definitions of ``person,'' ``individual,'' and ``child'' that 
do not include a fertilized egg, embryo, or fetus, and are consistent 
with the Department's understanding of those terms, as used in the SSA, 
HIPAA, and the HIPAA Rules.
---------------------------------------------------------------------------

    \187\ 1 U.S.C. 8(a). The Department is not opining on whether 
any state law confers a particular legal status upon a fertilized 
egg, embryo, or fetus. Rather, the Department cites to this statute 
to help define the scope of privacy protections that attach pursuant 
to HIPAA and its implementing regulations.
    \188\ Id.
---------------------------------------------------------------------------

    The Department proposed to clarify the term ``natural person'' in a 
manner consistent with 1 U.S.C. 8.\189\ Thus, the Department proposed 
to clarify that all terms subsumed within the definition of ``natural 
person,'' such as ``individual,'' \190\ are limited to the confines of 
the term ``person.'' \191\ As discussed in the 2023 Privacy Rule NPRM, 
the purpose of this proposal was to better explain to regulated 
entities and other stakeholders the parameters of an ``individual'' 
whose PHI is protected by the HIPAA Rules.
---------------------------------------------------------------------------

    \189\ 88 FR 23506, 23523 (Apr. 17, 2023).
    \190\ 45 CFR 160.103 (definition of ``Individual'').
    \191\ See Sharon T. Phelan, ``The Prenatal Record and the 
Initial Prenatal Visit,'' The Glob. Libr. of Women's Med. (last 
updated Jan. 2008) (PHI about the fetus is included in the mother's 
PHI), https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl.
---------------------------------------------------------------------------

    Many individuals and organizations commented on the proposal to 
clarify the definition of ``person.'' Organizational commenters, including 
professional associations representing health care providers, advocacy 
groups, and academic departments, generally supported the proposal. 
Several commenters applauded the proposed clarification because they 
believed it would limit disclosures of PHI in cases where no individual 
has been harmed.
    Most opponents of the proposed clarification were individuals 
participating in form letter campaigns who expressed concern that the 
proposal might diminish access to prenatal care. Others asserted that 
the proposed clarification would contradict or conflict with existing 
laws, such as mandatory reporting laws and Federal statutes that rely 
upon a different definition of ``person.''
    The final rule adopts the proposed clarification of the definition 
of person, to mean a ``natural person (meaning a human being who is 
born alive), trust or estate, partnership, corporation, professional 
association or corporation, or other entity, public or private.'' 
Therefore, an ``individual,'' ``child,'' or ``victim'' (e.g., a victim 
of crime) under the HIPAA Rules must be a natural person. As we 
explained in the 2023 Privacy Rule NPRM, this clarification is 
consistent with the SSA, HIPAA, and 1 U.S.C. 8. This clarification 
applies only to regulations issued pursuant to the Administrative 
Simplification provisions of HIPAA.\192\
---------------------------------------------------------------------------

    \192\ See 42 U.S.C. 1320d.
---------------------------------------------------------------------------

    This clarification is consistent with the Privacy Rule's 
longstanding definitions of ``person'' \193\ and ``individual,'' \194\ 
as applied to Privacy Rule provisions permitting certain types of 
reports or other disclosures of PHI. For example, a regulated entity is 
permitted to disclose PHI about an individual who the regulated entity 
reasonably believes to be a victim of abuse, neglect, or domestic 
violence only where the individual is a ``natural person.'' \195\ In 
addition, because a ``victim'' necessarily is a natural person, the 
permission to disclose PHI to avert a serious threat to health or 
safety at 45 CFR 164.512(j)(1)(i) does not permit disclosures when the 
perceived threat does not involve the health or safety of a natural 
person or the public, or when an individual has not caused serious 
physical harm to a natural person.
---------------------------------------------------------------------------

    \193\ 45 CFR 160.103 (definition of ``Person''). The Department 
first defined the term ``person'' in the HIPAA Rules as part of the 
2003 Civil Money Penalties: Procedures for Investigations, 
Imposition of Penalties, and Hearings Interim Final Rule (2003 
Interim Final Rule) to distinguish a ``natural person'' who could 
testify in the context of administrative proceedings from an 
``entity'' (defined therein as a ``legal person'') on whose behalf a 
person would testify. See 45 CFR 160.502 of the 2003 Interim Final 
Rule, 68 FR 18895, 18898 (Apr. 17, 2003) (Person is defined to mean 
a natural person or a legal person).
    \194\ 45 CFR 160.103 (definition of ``Individual''). The 
definition of ``individual'' in the HIPAA Rules was first adopted in 
the 2000 Privacy Rule.
    \195\ See 45 CFR 164.512(c)(1). This provision explicitly 
excludes reports of child abuse, which are addressed by 45 CFR 
164.512(b)(1).
---------------------------------------------------------------------------

    Comment: Many organizational commenters expressed support for the 
proposal to clarify the definition of ``person.''
    One commenter stated that this clarification should prevent law 
enforcement from attempting to avoid the proposed prohibition. 
According to another commenter, this proposed clarification is crucial 
as stakeholders adapt to the current reproductive health landscape.
    Several commenters expressed support for the Department's proposal 
but requested additional clarifications. For example, one commenter 
recommended that the Department clarify whether the definition would 
preempt state laws.
    Response: We take the opportunity to emphasize here that the 
clarification only applies to the HIPAA Rules and explains certain 
terms that apply to the permissions for uses and disclosures of PHI by 
regulated entities. We do not believe it is necessary to further 
clarify the final regulatory text because the current definition 
remains unchanged other than to incorporate the plain wording of 1 
U.S.C. 8.
    Comment: A few commenters expressed opposition to the Department's 
proposed clarification of ``person'' as tantamount to eliminating legal 
protections for and recognition of categories of human beings based on 
developmental stage. Some commenters maintained that the proposed 
clarification of ``person'' was inaccurate.
    Several commenters opposed the proposed clarification of ``person'' 
because it would affect the provision of prenatal care.
    A few commenters asserted that the proposed clarification would 
prevent the collection of medical information about reproductive health 
care for

[[Page 32998]]

important purposes, such as public health and research.
    Response: We are clarifying the definition of person consistent 
with applicable Federal law only for the purpose of applying HIPAA's 
Administrative Simplification provisions. This clarification will not 
affect how the term ``person'' is applied for purposes of other laws, 
affect any rights or protections provided by any other law, or affect 
standards of health care, including prenatal care.
    This final rule does not affect the reporting of vital statistics, 
nor does it affect the ability of regulated entities to use and 
disclose PHI for research. The Privacy Rule's standards for uses and 
disclosures for public health surveillance, investigations, and 
interventions, or for health oversight activities, are discussed 
elsewhere.
    Comment: Several commenters requested additional clarifications to 
the Department's proposed clarification of ``person.'' A few commenters 
asserted that the proposed clarification would be overly expansive. 
Most of these same commenters disagreed with the Department's 
interpretation of 1 U.S.C. 8.\196\ Commenters asserted that the 
clarification was inconsistent or conflicted with other laws.
---------------------------------------------------------------------------

    \196\ 1 U.S.C. 8(a).
---------------------------------------------------------------------------

    Response: The clarified definition of person that we are finalizing 
in this rule does not change the Department's interpretation of the 
term or change definitions under other law, such as state law. It also 
is consistent with Federal law, including 1 U.S.C. 8, which 
specifically applies to Federal regulations, and other examples cited 
by commenters. For example, both GINA and the Privacy Rule protect the 
genetic information of a fetus carried by a pregnant individual as the 
PHI of the pregnant individual.\197\
---------------------------------------------------------------------------

    \197\ Public Law 110-233, 122 Stat. 881. See generally Off. for 
Civil Rights, ``Health Information Privacy, Genetic Information,'' 
U.S. Dep't of Health and Human Servs. (Content last reviewed June 
16, 2017), https://www.hhs.gov/hipaa/for-professionals/special-
topics/genetic-information/
index.html#:~:text=The%20Genetic%20Information%20Nondiscrimination%20
Act,into%20two%20sections%2C%20or%20Titles.
---------------------------------------------------------------------------

    The other laws cited by commenters address policy concerns that are 
different from those health information privacy issues addressed under 
HIPAA and do not address personhood. Even if those statutes did adopt 
different understandings of who is a ``person,'' the Department has the 
authority to clarify or define terms that apply to the Administrative 
Simplification regulations issued pursuant to HIPAA. Additionally, the 
final rule's adoption of the definition in 1 U.S.C. 8 is appropriate 
because it is consistent with the Department's longstanding 
interpretation of the term in the context of HIPAA's Administrative 
Simplification provisions and associated regulations. Many Federal and state laws operate with 
differing definitions of common terms, to which existing legal 
standards that govern how such differences are to be interpreted would 
apply.\198\
---------------------------------------------------------------------------

    \198\ See 45 CFR 164.524. See also William Baude & Stephen E. 
Sachs, ``The Law of Interpretation,'' 130 Harv. L. Rev. 1079 (2017).
---------------------------------------------------------------------------

    Comment: A few commenters asserted that the proposal would expand 
minors' access to hormone therapy or surgeries without requiring 
parental consent.
    Response: The final rule's clarification to define the term 
``person'' does not affect the ability of a parent to make decisions 
related to health care for an individual who is an unemancipated 
minor,\199\ and nothing in this rule dictates a standard of care. The 
application of this definition is limited to the HIPAA Rules.
---------------------------------------------------------------------------

    \199\ 45 CFR 164.502(g).
---------------------------------------------------------------------------

    Comment: A few commenters asserted that the proposed clarification 
would help to prevent the misapplication of child abuse laws to 
individuals who engage in certain behaviors while pregnant (e.g., use 
of an illicit substance or alcohol). Several other commenters expressed 
concern that this definition would limit the ability of a regulated 
entity to apply the Privacy Rule permission to use or disclose PHI to 
prevent a serious and imminent threat to a fertilized egg, embryo, or 
fetus.
    Response: Under this final rule, a regulated entity would continue 
to be permitted to disclose PHI about an individual who the covered 
entity reasonably believes is a victim of child abuse or neglect, 
consistent with 45 CFR 164.512(b)(1)(ii), or a victim of abuse, 
neglect, or domestic violence, consistent with 45 CFR 164.512(c), to a 
government authority, including a social service or protective services 
agency, authorized by law to receive reports of such abuse, neglect, or 
domestic violence under the circumstances set forth under 45 CFR 
164.512(c) where the individual meets the clarified definition of 
person. The Privacy Rule permission concerning serious and imminent 
threats \200\ applies to threats to a person, consistent with the 
definition as clarified by this final rule, or the public.
---------------------------------------------------------------------------

    \200\ See 45 CFR 164.512(j)(1)(i).
---------------------------------------------------------------------------

2. Interpreting Terms Used in Section 1178(b) of the Social Security 
Act: Reporting of Disease or Injury, Birth, or Death
    Section 1178(a) of the SSA provides that HIPAA generally preempts 
contrary state laws with certain limited exceptions, such as those 
described in section 1178(b).\201\ Specifically, section 1178(b) 
excepts from HIPAA's general preemption authority laws that provide for 
certain public health reporting, such as the reporting of disease or 
injury, birth, or death.\202\ HIPAA does not define the terms in 
section 1178(b) that govern the scope of this exception to HIPAA's 
general preemption authority, nor has the Department previously defined 
such terms through rulemaking.
---------------------------------------------------------------------------

    \201\ 42 U.S.C. 1320d-7(a).
    \202\ 42 U.S.C. 1320d-7(b).
---------------------------------------------------------------------------

    The Department recognizes that such public health reporting 
activities are an important means of identifying threats to the health 
and safety of the public. Accordingly, when a public health authority 
\203\ has furnished documentation of its authority \204\ to collect or 
receive such information, the Privacy Rule permits a regulated entity, 
without an individual's authorization, to use or disclose PHI to 
specified persons for public health activities.\205\ These activities 
include all of the vital statistics reporting activities described in 
section 1178(b), including reporting of diseases and injuries, birth, 
or death.\206\
---------------------------------------------------------------------------

    \203\ 45 CFR 164.501 (definition of ``Public health 
authority'').
    \204\ 45 CFR 164.514(h).
    \205\ This is unchanged by this final rule.
    \206\ See 45 CFR 164.512(b). The Privacy Rule addresses its 
interactions with laws governing excepted public health activities 
in two sections: 45 CFR 164.512(a), Standard: Uses and disclosures 
required by law, and 45 CFR 164.512(b), Standard: Uses and 
disclosures for public health activities.
---------------------------------------------------------------------------

    The Department proposed to interpret in preamble key terms used in 
section 1178(b) to clarify when HIPAA's general preemption authority 
applies. Specifically, the Department proposed an interpretation of 
section 1178(b) that would clarify that HIPAA's general preemption 
authority applies to laws that require regulated entities to use or 
disclose PHI for a purpose that would be prohibited under the proposed 
rule. Under this interpretation, the Privacy Rule permission to use or 
disclose PHI without an individual's authorization for the reporting of 
disease or injury, birth, or death \207\ would not permit the use or 
disclosure of PHI for a criminal, civil, or administrative 
investigation into or proceeding against a person in connection with 
seeking, obtaining,

[[Page 32999]]

providing, or facilitating reproductive health care. The Department did 
not intend this clarification to prevent disclosures of PHI from 
regulated entities to public health authorities for public health 
purposes that have been and continue to be permitted under the Privacy 
Rule. Nor did the Department intend for this proposed clarification to 
prevent disclosures of PHI by regulated entities under other 
permissions in the Privacy Rule, such as for law enforcement 
purposes,\208\ when made consistent with the conditions of the relevant 
permission and where the purpose of the disclosure is not one for which 
a use or disclosure would have been prohibited under 45 CFR 
164.502(a)(5)(iii) as proposed.
---------------------------------------------------------------------------

    \207\ 45 CFR 164.512(b).
    \208\ 45 CFR 164.512(f).
---------------------------------------------------------------------------

    The Department did not propose to define ``disease or injury,'' 
``birth,'' or ``death,'' because we believed that these terms, when 
read with the definition of ``person'' and in the broader context of 
HIPAA, would exclude information about reproductive health care without 
the need for further clarification.\209\ However, the Department 
invited public comment on whether it would be beneficial to make such 
clarification.
---------------------------------------------------------------------------

    \209\ 88 FR 23506, 23523 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Few commenters addressed interpretation of these terms. Some 
commenters expressed concern that the Department's interpretation would 
prevent beneficial public health reporting about certain types of 
reproductive health care, while others requested that the Department 
prohibit public health reporting about certain types of reproductive 
health care. Some commenters on this issue agreed with the Department's 
interpretation and clarification of the terms used in section 1178(b). Several 
of these commenters requested that the Department define or clarify 
these terms because reporting standards are inconsistent across states.
    The Department declines to add definitions for ``disease or 
injury,'' ``birth,'' or ``death'' to the Privacy Rule in this final 
rule. However, we offer the discussion below to provide additional 
context on our interpretation of these terms.
    At the time of HIPAA's enactment, state laws provided for the 
reporting of disease or injury, birth, or death by covered health care 
providers and other persons.\210\ State public health reporting systems 
were well established and involved close collaboration between the 
state, local, or territorial jurisdiction and the Federal 
Government.\211\ Reports generally were made to public health 
authorities or, in some specific cases, law enforcement (e.g., 
reporting of gunshot wounds).\212\ Similar public health reporting 
systems continue to exist today.
---------------------------------------------------------------------------

    \210\ The 1996-98 Report of the NCVHS to the Secretary describes 
various types of activities considered to be public health during 
the era in which HIPAA was enacted, such as the collection of public 
health surveillance data on health status and health outcomes and 
vital statistics information. See Nat'l Comm. On Vital and Health 
Stats., Report of The National Committee on Vital and Health 
Statistics, 1996-98, (Dec. 1999), https://ncvhs.hhs.gov/wp-content/uploads/2018/03/90727nv-508.pdf.
    \211\ Id.
    \212\ Id.
---------------------------------------------------------------------------

    Reporting of ``disease or injury'' commonly refers to diagnosable 
health conditions reported for limited purposes such as workers' 
compensation, tort claims, or communicable or other disease or injury 
tracking efforts. States, territories, and Tribal governments require 
health care providers (e.g., physicians, laboratories) and some others 
(e.g., medical examiners, coroners, veterinarians,\213\ local boards of 
health) to report cases of certain diseases or conditions that affect 
public health, such as coronavirus disease 2019 (COVID-19), malaria, 
and foodborne illnesses.\214\ Such reporting enables public health 
practitioners to study and explain diseases and their spread, along 
with determining appropriate actions to prevent and respond to 
outbreaks.\215\ States also require health care providers to report 
incidents of certain types of injuries, such as those caused by 
gunshots, knives, or burns.\216\ Various Federal statutes use the 
phrase ``disease or injury'' similarly to refer to events such as 
workplace injuries for purposes of compensation.\217\
---------------------------------------------------------------------------

    \213\ Richard N. Danila et al., ``Legal Authority for Infectious 
Disease Reporting in the United States: Case Study of the 2009 H1N1 
Influenza Pandemic,'' 105 Am. J. Public Health 13 (Jan. 2015).
    \214\ See ``Reportable Diseases,'' MedlinePlus, https://medlineplus.gov/ency/article/001929.htm (accessed Oct. 19, 2022). 
See also Nat'l Notifiable Diseases Surveillance Sys., ``What is Case 
Surveillance?,'' Ctrs. for Disease Control and Prevention (July 20, 
2022), https://www.cdc.gov/nndss/about/.
    \215\ See ``Reportable Diseases,'' supra note 214. Such 
reporting is a type of public health surveillance activity.
    \216\ See Victims Rts. Law Ctr., ``Mandatory Reporting of Non-
Accidental Injuries: A State-by-State Guide'' (May 2014), https://4e5ae7d17e.nxcli.net/wp-content/uploads/2021/01/Mandatory-Reporting-of-Non-Accidental-Injury-Statutes-by-State.pdf.
    \217\ See, e.g., 38 U.S.C. 1110 (referring to an ``injury 
suffered or disease contracted''); 10 U.S.C. 972 (discussing time 
lost as a result of ``disease or injury''); 38 U.S.C. 3500 
(providing education for certain children whose parent suffered ``a 
disease or injury'' incurred or aggravated in the Armed Forces); see 
also 5 U.S.C. 8707 (insurance provision discussing compensation as a 
result of ``disease or injury''); 33 U.S.C. 765 (discussing 
retirement for disability as a result of ``disease or injury''); 15 
U.S.C. 2607(c) (requiring chemical manufacturers to maintain records 
of ``occupational disease or injury'').
---------------------------------------------------------------------------

    The limited meaning given to the terms ``disease'' and ``injury'' 
for purposes of public health reporting is clear from HIPAA's broader 
context. For instance, interpreting ``injury'' reporting to include 
disclosures about all instances of suspected criminal abuse would 
render the specific permission to report ``child abuse'' 
superfluous.\218\ And interpreting ``disease'' reporting to include 
disclosures about any sort of disease for any purpose would both 
eviscerate HIPAA's general provisions protecting PHI and make 
superfluous the statutory requirement to not invalidate laws providing 
for public health surveillance, or public health investigation or 
intervention. For example, ``disease management activities'' constitute 
``health care'' under the Privacy Rule. As such, a broad interpretation 
of ``disease or injury'' reporting could make potentially all the 
health records detailing a particular individual's treatment for any 
disease or injury disclosable to a public health authority or others 
unrelated to the health care.\219\ Consequently, the Department has 
long understood ``disease or injury'' to narrowly refer to diagnosable 
health conditions reported for limited purposes such as workers' 
compensation, tort claims or in compliance with Federal laws that 
require states to conduct surveillance of specific diseases and 
injuries related to public health or Federal funding.\220\
---------------------------------------------------------------------------

    \218\ 45 CFR 164.512(b)(1)(ii).
    \219\ See 65 FR 82462, 82571 (Dec. 28, 2000) (recognizing that 
``disease management activities'' often constitute ``health care'' 
under HIPAA); Id. at 82777 (discussing the importance of privacy for 
information about cancer, a ``disease'' that causes an 
``indisputable'' ``societal burden''); Id. at 82778 (discussing the 
importance of privacy for information about sexually transmitted 
diseases, including Human Immunodeficiency Virus/Acquired 
Immunodeficiency Syndrome (HIV/AIDS)); Id. at 82463-64 (noting that 
numerous states adopted laws protecting health information relating 
to certain health conditions such as communicable diseases, cancer, 
HIV/AIDS, and other stigmatized conditions.); Id. at 82731 (finding 
that there are no persuasive reasons to provide information 
contained within disease registries with special treatment as 
compared with other information that may be used to make decisions 
about an individual).
    \220\ See, e.g., 65 FR 82462, 82517 (Dec. 28, 2000) (discussing 
tort litigation as information that could implicate IIHI); Id. at 
82542 (discussing workers' compensation); Id. at 82527 (separately 
addressing disclosures about ``abuse, neglect or domestic violence'' 
and limiting such disclosures to only two circumstances, even if 
expressly authorized by state statute or regulation).
---------------------------------------------------------------------------

    With respect to reporting of ``births'' and ``deaths,'' such vital 
statistics are reported by health care providers to the vital 
registration systems operated in

[[Page 33000]]

various jurisdictions \221\ legally responsible for the registration of 
vital events.\222\ State laws require birth certificates to be 
completed for all births, and Federal law mandates the national 
collection and publication of births and other vital statistics 
data.\223\ Tracking and reporting death is a complex and decentralized 
process with a variety of systems used by more than 6,000 local vital 
registrars.\224\ When HIPAA was enacted, the Model State Vital 
Statistics Act and Regulations, which is followed by most states,\225\ 
included distinct categories for ``live births,'' ``fetal deaths,'' and 
``induced terminations of pregnancy,'' with instructions that abortions 
``shall not be reported as fetal deaths.'' \226\ In light of that 
common understanding at the time of HIPAA's enactment, it is clear that 
the reporting of abortions is not included in the category of reporting 
of deaths for the purposes of HIPAA and does not fall within the scope 
of state death reporting activities that Congress specifically 
designated as excepted from preemption by HIPAA.
---------------------------------------------------------------------------

    \221\ See ``Public Health Professionals Gateway, Public Health 
Systems & Best Practices, Health Department Governance,'' Ctrs. for 
Disease Control and Prevention (Nov. 25, 2022), https://www.cdc.gov/publichealthgateway/sitesgovernance/.
    \222\ See the list of events included in vital events, Nat'l 
Ctr. for Health Stats., ``About the National Vital Statistics 
System,'' Ctrs. for Disease Control and Prevention (Jan. 4, 2016), 
https://www.cdc.gov/nchs/nvss/about_nvss.htm.
    \223\ See Nat'l Ctr. for Health Stats., ``Birth Data,'' Ctrs. 
for Disease Control and Prevention (Dec. 6, 2022), https://www.cdc.gov/nchs/nvss/births.htm.
    \224\ See Ctrs. For Disease Control and Surveillance, ``How 
Tracking Deaths Protects Health,'' (July 2018), https://www.cdc.gov/surveillance/pdfs/Tracking-Deaths-protects-healthh.pdf.
    \225\ See Nat'l Ctr. for Health Stats., Ctrs. for Disease 
Control and Prevention, ``State Definitions and Reporting 
Requirements: For Live Births, Fetal Deaths, and Induced 
Terminations of Pregnancy,'' at 5 (1997), https://www.cdc.gov/nchs/data/misc/itop97.pdf.
    \226\ Nat'l Ctr. for Health Stats., Ctrs. for Disease Control 
and Prevention, ``Model State Vital Statistics Act and 
Regulations,'' at 8 (1992), https://www.cdc.gov/nchs/data/misc/mvsact92b.pdf.
---------------------------------------------------------------------------

    More generally, while Congress exempted certain ``[p]ublic health'' 
laws from preemption,\227\ Congress chose not to create a general 
exception for criminal laws or other laws that address the disclosure 
of information about similar types of activities outside of the public 
health context.
---------------------------------------------------------------------------

    \227\ 42 U.S.C. 1178(b) (codified in HIPAA at 42 U.S.C. 1320d-
7).
---------------------------------------------------------------------------

    For all these reasons, state laws requiring the use or disclosure 
of PHI for the purpose of investigating or imposing liability on a 
person for the mere act of seeking, obtaining, providing, or 
facilitating health care, or identifying a person for such activities, 
are subject to HIPAA's general preemption provision. Similarly, the 
Privacy Rule's public health provisions that permit the disclosure of 
PHI for the reporting of disease or injury, birth, or death do not 
include permission to use or disclose PHI for the purpose of 
investigating or imposing liability on a person for the mere act of 
seeking, obtaining, providing, or facilitating health care, or 
identifying a person for such activities. This general distinction 
between public health activities and investigation and enforcement 
activities is not limited to reproductive health care. Nevertheless, as 
discussed elsewhere in this final rule, the Department has chosen to 
strike a balance between privacy interests and other public policy 
interests. Consistent with the Department's longstanding approach that 
has allowed disclosures for law enforcement purposes in certain 
circumstances, the new prohibitions set forth in this rule apply only 
to lawful reproductive health care. State authorities cannot rely on 
the Privacy Rule's permissions for disclosures related to disease or 
injury, birth, or death to obtain PHI for the purpose of investigating 
or imposing liability for the provision of reproductive health care. 
However, as discussed above, state authorities may be able to invoke 
other permissions, such as the permission for disclosures for law 
enforcement purposes, to obtain such PHI where such disclosure is to 
investigate or impose liability on a person when the reproductive 
health care at issue is unlawful under the circumstances in which it is 
provided.
    Comment: A few commenters expressed support for the Department's 
interpretation and clarification of the terms used in section 1178(b) 
of the SSA. A few commenters recommended that the Department define, 
rather than clarify, these terms. Some commenters requested that the 
Department further clarify the terms ``disease or injury,'' ``birth,'' 
and ``death,'' to explicitly exclude information about reproductive 
health care. Other commenters expressed opposition to the Department's 
clarifications.
    Response: We decline to define ``disease or injury,'' ``birth,'' or 
``death'' in this final rule. The Department's understanding of these 
terms is consistent with the Model State Vital Statistics Act and 
Regulations and its application in the context of the passage of HIPAA. 
We believe that the 2023 Privacy Rule NPRM preamble discussion is 
sufficient to clarify that such reporting does not include the use or 
disclosure of PHI for investigating or imposing liability on a person 
for the mere act of seeking, obtaining, providing, or facilitating 
health care, including reproductive health care, or to identify a 
person for such activities.
    Defining ``Public health,'' as used in the terms ``public health 
surveillance,'' ``public health investigation,'' and ``public health 
intervention.''
    Section 1178(b) also excepts state laws providing for ``public 
health surveillance, or public health investigation or intervention'' 
from HIPAA's general preemption authority.\228\ Neither HIPAA nor the 
Privacy Rule currently defines ``public health surveillance'' or 
``public health investigation or intervention.'' Consistent with the 
statute, the Privacy Rule expressly permits a regulated entity to use 
or disclose PHI for ``public health'' surveillance, investigation, or 
intervention.\229\ The Department proposed to define public health, as 
used in the terms ``public health surveillance,'' ``public health 
investigations,'' and ``public health interventions,'' to mean 
population-level activities to prevent disease and promote health of 
populations. In the preamble to the 2023 Privacy Rule NPRM, the Department 
described public health surveillance as the ongoing, systematic 
collection, analysis, and interpretation of health-related data 
essential to planning, implementation, and evaluation of public health 
practice.\230\ The Department explained that public health 
investigations or interventions include monitoring real-time health 
status and identifying patterns to develop strategies to address 
chronic diseases and injuries, as well as using real-time data to 
identify and respond to acute outbreaks, emergencies, and other health 
hazards.\231\ Public health surveillance, investigations, or 
interventions safeguard the health of the community by addressing 
ongoing or prospective population-level issues such as the spread of 
communicable diseases, even where these activities involve

[[Page 33001]]

individual-level investigations or interventions.
---------------------------------------------------------------------------

    \228\ Section 1178(a) of HIPAA.
    \229\ See 45 CFR 164.512(b)(1)(i); Off. for Civil Rights, 
``Disclosures for Public Health Activities,'' U.S. Dep't of Health 
and Human Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/ 
(accessed Oct. 19, 2022).
    \230\ See ``Introduction to Public Health Surveillance,'' Ctrs. 
for Disease Control and Prevention (Nov. 15, 2018), https://www.cdc.gov/training/publichealth101/surveillance.html.
    \231\ See ``Public Health Professionals Gateway, Ten Essential 
Public Health Services,'' Ctrs. for Disease Control and Prevention 
(Dec. 1, 2022), https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html.
---------------------------------------------------------------------------

    The Department also proposed to expressly exclude certain 
activities from the definition of public health to distinguish between 
public health activities and certain criminal investigations. 
Specifically, the Department proposed to provide in regulatory text 
that the Privacy Rule's permissions to use and disclose PHI for the 
``public health'' activities of surveillance, investigations, or 
interventions do not include criminal, civil, or administrative 
investigations into, or proceedings against, any person in connection 
with seeking, obtaining, providing, or facilitating reproductive health 
care, nor do they include identifying any person for the purpose of 
initiating such investigations or proceedings. The Department stated 
that any such actions are not public health activities that would be 
subject to the exception to HIPAA's general preemption authority for 
state laws providing for ``public health surveillance, or public health 
investigation or intervention.'' \232\
---------------------------------------------------------------------------

    \232\ Section 1178(a) of SSA.
---------------------------------------------------------------------------

    Commenters expressed mixed views on the proposal to define ``public 
health'' in the context of ``public health surveillance,'' ``public 
health investigations'' or ``public health interventions.'' Commenters 
expressing opposition to the proposal either disagreed with the 
Department's assertion that public health activities do not involve 
uses and disclosures that would be prohibited by the rule or asserted 
that the proposal would prevent public health reporting of reproductive 
health care. Some commenters generally supported the goal of the 
proposal but expressed concern that inclusion of the proposed language 
about ``population-level'' activities could prevent essential public 
health activities that involve specific persons, such as reporting data 
about specific health care services provided to specific persons that 
have a ``population-level'' effect and investigating the spread of 
communicable diseases.
    Some commenters asserted that the proposal would frustrate states' 
ability to enforce their laws not related to public health, such as 
laws banning health care such as abortion. Supporters asserted that the 
proposal would help to prevent PHI from being disclosed for a purpose 
that would be prohibited under the proposed rule. Supportive commenters 
also expressed concern about states obtaining PHI based on an 
interpretation of ``public health investigations'' that includes the 
mandatory reporting of pregnant individuals who engage in certain 
activities, such as substance use. Other commenters asserted that 
disclosures of PHI to public health authorities should be limited 
because of the potential for PHI to be redisclosed for purposes that 
otherwise would be prohibited under the Privacy Rule.
    The final rule adopts the proposed definition with some 
modifications. The final rule maintains the proposed rule's focus on 
activities aimed at preventing disease and improving the health of 
populations. This definition does not prevent disclosures of PHI by 
covered entities to public health authorities for public health 
activities that have long been permitted under the Privacy Rule. As 
discussed in the 2023 Privacy Rule NPRM, since the time of HIPAA's 
enactment, public health activities related to surveillance, 
investigation, or intervention have been widely understood to refer to 
activities aimed at improving the health of a population. For example, 
legal dictionaries define ``public health'' as ``[t]he health of the 
community at large,'' or ``[t]he healthful or sanitary condition of the 
general body of people or the community en masse; esp., the methods of 
maintaining the health of the community, as by preventive medicine or 
organized care for the sick.'' \233\ Stedman's Medical Dictionary 
defines ``public health'' as ``the art and science of community health, 
concerned with statistics, epidemiology, hygiene, and the prevention 
and eradication of epidemic diseases; an effort organized by society to 
promote, protect, and restore the people's health; public health is a 
social institution, a service, and a practice.'' \234\ The Centers for 
Disease Control and Prevention (CDC) and the Agency for Toxic 
Substances and Disease Registry have described ``public health 
surveillance'' as ``the ongoing systematic collection, analysis and 
interpretation of outcome-specific data for use in the planning, 
implementation, and evaluation of public health practice.'' \235\ And 
many states similarly define ``public health'' to mean activities to 
support population health.\236\ The Department likewise has used the 
term public health in this way since it first adopted the Privacy 
Rule.\237\
---------------------------------------------------------------------------

    \233\ ``Health, Public Health,'' Black's Law Dictionary (11th 
ed. 2019).
    \234\ ``Public Health,'' Stedman's Medical Dictionary 394520.
    \235\ Jonathan Weinstein, In Re Miguel M., 55 N.Y.L. Sch. L. 
Rev. 389, 390 (2010) (citing Stephen B. Thacker, ``Historical 
Development,'' in Principles and Practice of Public Health 
Surveillance 1 (Steven M. Teutsch & R. Elliott Churchill eds., 2d 
ed., 2000)), https://digitalcommons.nyls.edu/cgi/viewcontent.cgi?article=1599&context=nyls_law_review.
    \236\ See, e.g., Richard A. Goodman et al., ``Forensic 
Epidemiology: Law at the Intersection of Public Health and Criminal 
Investigations,'' 31 J. of Law, Med. & Ethics 684, 689-90 (2003); 
La. Rev. Stat. Ann. Sec. 40:3.1 (2011) (defining threats to public 
health as nuisances ``including but not limited to communicable, 
contagious, and infectious diseases, as well as illnesses, diseases, 
and genetic disorders or abnormalities''); N.C. Gen. Stat. sec. 
130A-141.1(a) (2010) (defining public health investigations as the 
``surveillance of an illness, condition, or symptoms that may 
indicate the existence of a communicable disease or condition'').
    \237\ See, e.g., 65 FR 82462, 82464 (Dec. 28, 2000) (noting that 
reporting of public health information on communicable diseases is 
not prevented by individuals' right to information privacy); Id. at 
82467 (discussing the importance of accurate medical records in 
recognizing troubling public health trends and in assessing the 
effectiveness of public health efforts); Id. at 82473 (discussing 
disclosure to ``a department of public health''); Id. at 82525 
(recognizing that it may be necessary to disclose PHI about 
communicable diseases when conducting a public health intervention 
or investigation); Id. at 82526 (recognizing that an entity acts as 
a ``public health authority'' when, in its role as a component of 
the public health department, it conducts infectious disease 
surveillance); Stephen B. Thacker, Epidemiology Program Office, 
Ctrs. for Disease Control and Prevention, ``HIPAA Privacy Rule and 
Public Health: Guidance from CDC and the U.S. Department of Health 
and Human Services,'' 52 MMWR 1 (Apr. 11, 2003), https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm (describing what 
traditionally are considered to be ``public health activities'' that 
require PHI).
---------------------------------------------------------------------------

    Public health surveillance, public health investigations, and 
public health interventions are activities that address population 
health concerns and have generalized public benefit \238\ to the health 
of a population, including activities that involve specific persons. 
Examples of activities that prevent disease in and promote the health 
of populations include vaccination campaigns to eradicate communicable 
disease, surveillance of a community's use of emergency services after 
a natural disaster to improve allocation of resources to meet health 
needs, and investigation of the source of an outbreak of food 
poisoning. As explained in the preamble to the 2023 Privacy Rule 
NPRM,\239\ there is a widely recognized distinction between public 
health activities, which primarily focus on improving the health of 
populations, and criminal investigations, which primarily focus on 
identifying and imposing liability on persons who have

[[Page 33002]]

violated the law.\240\ States and other local governing authorities 
maintain criminal codes that are distinct and separate from public 
health reporting laws,\241\ although some jurisdictions enforce 
required public health reporting through criminal statutes. Different 
governmental bodies are responsible for enforcing these separate codes, 
and public health officials do not typically investigate activities 
enforced under criminal statutes or laws.\242\ Federal laws also 
generally treat public health investigations as distinct from criminal 
investigations.\243\ Maintaining a clear distinction between public 
health investigations and criminal investigations serves HIPAA's 
broader purposes.\244\
---------------------------------------------------------------------------

    \238\ See Miguel M. v. Barron, 950 NE2d 107, at 111 (2011) 
(explaining ``[t]he apparent purpose of the public health exception 
is to facilitate government activities that protect large numbers of 
people from epidemics, environmental hazards, and the like, or that 
advance public health by accumulating valuable statistical 
information.'').
    \239\ 88 FR 23510, 23525 (Apr. 17, 2023).
    \240\ See Miguel M. v. Barron at 111, supra note 239 (concluding 
that ``[t]o disclose private information about particular people, 
for the purpose of preventing those people from harming themselves 
or others, effects a very substantial invasion of privacy without 
the sort of generalized public benefit that would come from, for 
example, tracing the course of an infectious disease.'').
    \241\ For example, traditional public health reporting laws grew 
from colonial requirements that physicians report disease. These 
requirements transitioned to state regulatory requirements imposed 
by public health departments on authority granted to them by states. 
See Ctrs. for Disease Control and Prevention, ``Public Health Law 
101, Disease Reporting and Public Health Surveillance,'' at 12 and 
14 (Jan. 16, 2009), https://www.cdc.gov/phlp/docs/phl101/PHL101-Unit-5-16Jan09-Secure.pdf. See also, e.g., Code of Georgia 31-12-2 
(2021) (authority to require disease reporting).
    \242\ See ``Public Health,'' supra note 235 (``Many cities have 
a `public health department' or other agency responsible for 
maintaining the public health; Federal laws dealing with health are 
administered by the Department of Health and Human Services.''); see 
also ``Forensic Epidemiology: Law at the Intersection of Public 
Health and Criminal Investigations,'' supra note 237, at 689.
    \243\ See Camara v. Municipal Ct. of City & Cty. of S.F., 387 
U.S. 523, 535-37 (1967) (discussing administrative inspections under 
the Fourth Amendment, such as those aimed at addressing ``conditions 
which are hazardous to public health and safety,'' and not ``aimed 
at the discovery of evidence of crime''); 42 U.S.C. 241(d)(D) 
(prohibiting disclosure of private information from research 
subjects in ``criminal'' and other proceedings); 42 U.S.C. 290dd-
2(c) (prohibiting substance abuse records from being used in 
criminal proceedings).
    \244\ See ``Forensic Epidemiology: Law at the Intersection of 
Public Health and Criminal Investigations,'' supra note 237, at 687 
(discussing reasons why ``an association of public health with law 
enforcement'' may be ``to the detriment of routine public health 
practice''). See also 45 CFR 164.512(b)(1)(i) (including ``public 
health investigations'' as an activity carried out by a public 
health authority that is authorized by law to carry out public 
health activities).
---------------------------------------------------------------------------

    The Department concludes that neither section 1178(b) nor the 
Privacy Rule's permissions to use and disclose PHI for the ``public 
health'' activities of surveillance, investigation, or intervention 
include conducting criminal, civil, or administrative investigations 
into, or imposing criminal, civil, or administrative liability on any 
person for the mere act of seeking, obtaining, providing, or 
facilitating health care, including reproductive health care, nor do 
they include the identification of any person for such purposes. Such 
actions are not public health activities. As described above, this 
distinction between public health activities and other investigation 
and enforcement activities is not limited to reproductive health care. 
Public health surveillance, investigations, or interventions ensure the 
health of the community as a whole by addressing ongoing or prospective 
population-level issues such as the spread of communicable diseases, 
even where they involve interventions involving specific individuals. 
Such surveillance systems provide the necessary data to examine and 
potentially develop interventions to improve the public's health, such 
as providing education or resources to support individuals' access to 
health care and improve health outcomes, and are not affected by this 
final rule.\245\ U.S. states, territories, and Tribal governments 
participate in bilateral agreements with the Federal Government to 
share data on conditions that affect public health.\246\ The CDC's 
Division of Reproductive Health collects reproductive health data in 
support of national and state-based population surveillance systems to 
assess maternal complications, mortality and pregnancy-related 
disparities, and the numbers and characteristics of individuals who 
obtain legal induced abortions.\247\ This final rule does not affect 
CDC's ability to collect this information now or in the future. 
Importantly, disclosures to public health authorities permitted by the 
Privacy Rule are limited to the ``minimum necessary'' to accomplish the 
public health purpose.\248\ In some cases, regulated entities need 
disclose only de-identified data \249\ to meet the public health 
purpose.
---------------------------------------------------------------------------

    \245\ See ``Improving the Role of Health Departments in 
Activities Related to Abortion,'' Am. Pub. Health Ass'n (Oct. 26, 
2021), https://www.apha.org/Policies-and-Advocacy/Public-Health-Policy-Statements/Policy-Database/2022/01/07/Improving-Health-Department-Role-in-Activities-Related-to-Abortion.
    \246\ See ``Reportable diseases,'' supra note 215. See also 
``What is Case Surveillance?,'' supra note 215.
    \247\ See ``Reproductive Health, About Us,'' Ctrs. for Disease 
Control and Prevention (Apr. 20, 2022), https://www.cdc.gov/reproductivehealth/drh/about-us/index.htm; and ``Reproductive 
Health, CDCs Abortion Surveillance System FAQs,'' Ctrs. for Disease 
Control and Prevention (Nov. 17, 2022), https://www.cdc.gov/reproductivehealth/data_stats/abortion.htm.
    \248\ See 45 CFR 164.502(b).
    \249\ See 45 CFR 164.514(a).
---------------------------------------------------------------------------

    By contrast, efforts to conduct criminal, civil, and administrative 
investigations or impose criminal, civil, and administrative liability 
on any person for the mere act of seeking, obtaining, providing, or 
facilitating health care generally target specific persons for 
particular conduct; they are not designed to address population-level 
health concerns and are not limited to information authorized to be 
collected by a public health or similar government authority for a 
public health activity. Thus, the exceptions in section 1178(b) for 
``public health'' investigations, interventions, or surveillance do not 
limit the Department's ability to prohibit uses or disclosures of PHI 
for other purposes, such as judicial and administrative proceedings or 
law enforcement purposes. While the Department has chosen as a policy 
matter to continue to permit uses or disclosures of PHI for law 
enforcement and other purposes in certain contexts, it is adopting a 
different balance where such uses or disclosures are about reproductive 
health care that is lawful under the circumstances in which it was 
provided.
    While retaining the focus on activities to prevent disease and 
promote the health of populations, this final rule clarifies that 
population-level activities ``include identifying, monitoring, 
preventing, or mitigating ongoing or prospective threats to the health 
or safety of a population, which may involve the collection of 
protected health information.'' This clarification addresses 
commenters' concerns that regulated entities would no longer be able to 
report information that states need to conduct public health functions 
intended to protect against prospective or ongoing threats at the 
population level, even if at times they necessarily will focus on 
individuals while doing so (through contact tracing, quarantine or 
isolation, and the like). The Department does not intend this 
clarification to prevent disclosures of PHI from covered entities to 
public health authorities for public health activities that have long 
been and continue to be permitted under the Privacy Rule. These changes 
clarify that public health, as used in the specified terms, broadly 
includes activities to prevent disease in and promote the health of 
populations. The changes also confirm that the Department does not 
require a public health authority to supply an attestation to a covered 
entity to receive PHI of an individual where that disclosure is 
intended to prevent disease in or promote the health of populations.
    The intended purpose of including ``population-level'' was to 
facilitate

[[Page 33003]]

public health activities that protect large numbers of people from 
epidemics, environmental hazards, and the like. However, we believe 
that the language that clarifies that population-level activities 
``include identifying, monitoring, preventing, or mitigating ongoing or 
prospective threats to the health or safety of a population, which may 
involve the collection of protected health information,'' sufficiently 
serves this purpose of addressing uses and disclosures of PHI that are 
necessary to accomplish the overarching goals of public health.
    The last sentence of the proposed definition, which described what 
are not public health activities, is also revised in the final rule for 
consistency with the general distinction between activities of public 
health surveillance, investigation, and intervention and activities of 
investigating or imposing liability on a person for the mere act of 
seeking, obtaining, providing, or facilitating health care, or 
identifying a person for such activities, as well as the standard the 
Department is adopting at 45 CFR 164.502(a)(5)(iii), which is discussed 
further in that section of this rule. Thus, while a state might assert 
that investigating or imposing liability on persons for the mere act of 
seeking, obtaining, providing, or facilitating health care satisfies 
the definition of ``public health,'' its interpretation would not 
supersede the definition of ``public health'' in the context of public 
health surveillance, investigations, or interventions that the 
Department is adopting under its own Federal statutory authority to 
administer the HIPAA Rules.
    Comment: A few organizations expressed support for the proposed 
definition of ``public health'' without further elaboration. Several 
commenters expressed support for the proposed definition of ``public 
health'' because it would prevent PHI from being disclosed for a 
prohibited purpose. A few commenters expressed support for the proposal 
because they believed that information reported for public health 
purposes could be requested, re-identified (in the case of de-
identified information), or further disclosed to law enforcement for 
purposes for which the Department proposed to prohibit uses and 
disclosures.
    Several commenters expressed support for the proposed definition of 
``public health'' and the existing standard that limits public health 
disclosures of PHI to the minimum necessary information to achieve the 
purpose.
    Response: Consistent with the NPRM, the Department agrees with the 
commenters who stated that it is important to define ``public health'' 
in the context of public health surveillance, investigation, or 
intervention to ensure that PHI is not disclosed for a purpose 
prohibited under 45 CFR 164.502(a)(5)(iii). Disclosures of PHI for 
public health purposes continue to be subject to the minimum necessary 
standard, which limits the use and disclosure of PHI to the minimum 
necessary to achieve the specified purpose; in some circumstances, de-
identified information may suffice. However, many public health 
activities do require identifiable data, such as for interventions 
involving individuals, to protect against prospective or ongoing 
threats to health or safety at the population level, and the Privacy 
Rule does not prohibit such uses and disclosures.
    When making disclosures to public officials that are permitted 
under 45 CFR 164.512, if the public official represents that the 
information requested is the minimum necessary for the stated purpose, 
regulated entities are permitted, but not required, to rely on that 
representation, if such reliance is reasonable under the 
circumstances.\250\ Such reliance may not be reasonable where the 
request appears to be overly broad when compared to the stated purpose 
of the request (e.g., where a public health authority requests the 
disclosure of PHI of all individuals who received treatment for uterine 
bleeding when the stated purpose is to investigate infection control 
practices by an obstetrician/gynecologist in a state where law 
enforcement has publicly announced its intention to investigate 
individuals for traveling out of state to seek or obtain reproductive 
health care that is lawful under the circumstances in which it is 
provided).
---------------------------------------------------------------------------

    \250\ 45 CFR 164.514(d)(3)(iii)(A); see also 45 CFR 
164.514(h)(2)(ii) and (iii).
---------------------------------------------------------------------------

    Comment: A few commenters asserted that law enforcement generally 
interprets public health investigations to include criminal 
investigations and prosecutions and the NPRM proposed definition would 
complicate such investigations by limiting the amount of PHI that could 
be disclosed to law enforcement.
    Response: The Department has adopted a definition of ``public 
health'' in the context of public health surveillance, investigation, 
and intervention that sets clear parameters between such activities and 
law enforcement activities conducted to impose liability for the mere 
act of seeking, obtaining, providing, or facilitating health care. 
Public health surveillance, investigation, and intervention do not 
include efforts to attach liability to persons for specific acts of 
seeking, obtaining, providing, or facilitating health care.
    This definition is consistent with the longstanding distinction 
made by the Department between public health activities and law 
enforcement activities as described above.
    Comment: Several commenters expressed support for the Department's 
proposal generally but recommended further clarifications or revisions 
to it, especially regarding the limitation to ``population-level'' 
activities. A few commenters raised questions about the difference 
between the proposed definition of ``public health'' and the permission 
for public health activities under 45 CFR 164.512(b)(1)(i) and 
recommended that the Department clarify the definition to ensure that 
public health agencies are able to obtain health information for 
administrative or civil proceedings, such as quarantine or isolation in 
cases involving infectious diseases.
    Response: The Department has modified the definition of ``public 
health'' in the context of public health surveillance, investigation, 
or intervention to clarify that such activities include identifying, 
monitoring, preventing, or mitigating ongoing or prospective threats to 
the health or safety of a population, which may involve the collection 
of PHI. This change addresses commenters' concerns that under the 
proposed definition, regulated entities would no longer be able to 
report PHI that is required to address population-level concerns.
    Comment: Several commenters raised concerns that the proposed 
definition of ``public health'' would circumvent states' interests 
related to public health. A few commenters expressed opposition to the 
Department's clarification of public health because they believed that 
states should have the ability to conduct surveillance, investigations, 
or interventions concerning certain types of health care for public 
health purposes. Several commenters asserted that the proposal would 
frustrate the ability of states to enforce their laws prohibiting 
access to certain types of health care. Conversely, a commenter 
requested that the Department explicitly exclude reproductive health 
care from the proposed definition of ``public health,'' so it would not 
be reportable to public health agencies.
    Response: We disagree with commenters' assertions that this final 
rule will prevent the reporting of vital statistics or other public 
health activities. A covered entity may continue to use or disclose PHI for 
all the public health activities and purposes listed in section 
1178(b). We also decline to explicitly exclude reproductive health care 
from the definition of ``public health'' because doing so could hinder 
beneficial public health activities. Instead, this definition supports 
this final rule's prohibition against certain uses and disclosures of 
PHI by clarifying that public health surveillance, investigation, and 
intervention exclude conducting a criminal, civil, or administrative 
investigation into any person, or imposing criminal, civil, or 
administrative liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating health care, or identifying any 
person for such activities. Such excluded activities include those 
conducted for the purposes that are prohibited at 45 CFR 164.502(a)(5)(iii).
    Comment: A few commenters believed that defining ``investigation,'' 
``intervention,'' or ``surveillance'' was unnecessary or recommended 
against doing so and requested that the Department clarify that such 
terms do not encompass any prohibited purposes. One commenter requested 
that the Department define these terms to expressly exclude information 
related to reproductive health care.
    Response: We are not defining the terms ``investigation,'' 
``intervention,'' or ``surveillance'' in this rule. However, we are 
providing extensive interpretation in the preamble to clarify that such 
activities in the public health context do not encompass conducting a 
criminal, civil, or administrative investigation into any person, or 
imposing criminal, civil, or administrative liability on any person for 
the mere act of seeking, obtaining, providing, or facilitating health 
care, or identifying any person for such activities, including those 
for which use or disclosure of PHI is prohibited by 45 CFR 
164.502(a)(5)(iii).
Reporting of Child Abuse
    In accordance with section 1178(b) of HIPAA, the Privacy Rule 
permits a regulated entity to use or disclose PHI to report known or 
suspected child abuse or neglect if the report is made to a public 
health authority or other appropriate government authority that is 
authorized by law to receive such reports.\251\ The Privacy Rule limits 
disclosures of PHI made pursuant to this permission to the minimum 
necessary to make the report.\252\
---------------------------------------------------------------------------

    \251\ See 45 CFR 164.512(b)(1)(ii).
    \252\ See 45 CFR 164.502(b) and 164.514(d).
---------------------------------------------------------------------------

    As the Department explained in the 2023 Privacy Rule NPRM, at the 
time HIPAA was enacted, ``most, if not all, states had laws that 
mandated reporting of child abuse or neglect to the appropriate 
authorities.'' \253\ Additionally, when Congress enacted HIPAA, it had 
already addressed child abuse reporting in other laws, such as the 
Victims of Child Abuse Act of 1990 \254\ and the Child Abuse Prevention 
and Treatment Act.\255\ For example, 34 U.S.C. 20341(a)(1), a provision 
of the original Victims of Child Abuse Act of 1990 that is still in 
place today, requires certain professionals to report suspected abuse 
when working on Federal land or in a federally operated (or contracted) 
facility.\256\ As used in these statutes, the term ``child abuse'' does 
not include activities related to reproductive health care, such as 
abortion.
---------------------------------------------------------------------------

    \253\ 65 FR 82462, 82527 (Dec. 28, 2000).
    \254\ Public Law 101-647, 104 Stat. 4789 (codified at 18 U.S.C. 
3509).
    \255\ Public Law 93-247, 88 Stat. (codified at 42 U.S.C. 5101 
note).
    \256\ See 34 U.S.C. 20341(a)(1), originally enacted as part of 
the Victims of Child Abuse Act of 1990 and codified at 42 U.S.C. 
13031, which was editorially reclassified as 34 U.S.C. 20341, Crime 
Control and Law Enforcement. For the purposes of such mandated 
reporting, see 34 U.S.C. 20341(c)(1) for definition of ``child 
abuse.''
---------------------------------------------------------------------------

    In the 2023 Privacy Rule NPRM, the Department discussed that it has 
long interpreted ``child abuse,'' as used in the Privacy Rule and 
section 1178(b) of HIPAA, to exclude conduct based solely on a person 
seeking, obtaining, providing, or facilitating reproductive health 
care.\257\ This interpretation is consistent with the public health 
aims of improving access to health care for individuals, including 
reproductive health care, and with relevant statutes at the time HIPAA 
was enacted, as described above. The Department also stated that this 
interpretation prohibits a regulated entity from disclosing PHI in 
reliance on the permission for reporting ``child abuse'' where the 
alleged victim does not meet the definition of ``person'' or ``child,'' 
consistent with both 1 U.S.C. 8 and section 1178(b). Additionally, 
consistent with previous rulemaking under HIPAA, the Department 
clarified in the preamble that it did not intend for the interpretation 
to disrupt longstanding state or Federal child abuse reporting 
requirements that apply to regulated entities.\258\
---------------------------------------------------------------------------

    \257\ 88 FR 23506, 23526 (Apr. 17, 2023).
    \258\ 65 FR 82462, 82527 (Dec. 28, 2000).
---------------------------------------------------------------------------

    The Department also made several clarifications in preamble 
concerning our interpretation of section 1178(b) and the Privacy Rule's 
public health permission and how we distinguish between public health 
reporting and disclosures for law enforcement purposes or judicial and 
administrative proceedings.
    Comment: Many commenters supported the Department's clarification 
and agreed that it would preserve trust between individuals and health 
care providers, but also requested additional clarification from the 
Department on its implementation. Few opposed the clarification; those 
who did expressed concerns about the potential for the clarification to 
prevent state-mandated reporting in certain circumstances. Many 
commenters expressed mixed views about the Department's interpretation.
    Response: The Department is moving forward with its interpretation 
as described in the NPRM. As noted above, this final rule does not 
alter the Privacy Rule's reliance on other applicable law with respect 
to determining who has the authority to act on behalf of an individual 
who is an unemancipated minor in making decisions related to health 
care, including lawful reproductive health care.\259\ The Privacy Rule 
does not permit a regulated entity to disclose PHI as part of a report 
of suspected child abuse based solely on the fact that a parent seeks 
reproductive health care (e.g., treatment for a sexually transmitted 
infection) for a child. However, the regulated entity is permitted to 
make such disclosure where there is suspicion of sexual abuse that 
could be the basis of permitted reporting.
---------------------------------------------------------------------------

    \259\ See 45 CFR 164.502(g).
---------------------------------------------------------------------------

    Congress defined the term ``child'' in 1 U.S.C. 8, and the term 
``child'' in the Privacy Rule is consistent with that definition. As 
such, the Department believes that to the extent this clarification 
prohibits a regulated entity from disclosing PHI to report ``child 
abuse'' under this permission in the Privacy Rule where the alleged 
victim does not meet the definition of ``person,'' it is consistent 
with both 1 U.S.C. 8 and section 1178(b).
    The Department also reaffirms its clarification that the Privacy 
Rule permission to report known or suspected child abuse or neglect 
permits a disclosure only for the purpose of making a report, and the 
PHI disclosed must be limited to the minimum necessary information for 
the purpose of making a report.\260\ These provisions do not permit the 
covered entity to disclose PHI in response to a request for the use or 
disclosure of PHI to conduct a criminal, civil, or administrative 
investigation into or impose criminal, civil, or administrative 
liability on a person based on suspected child abuse. Instead, as we explained in the 
2023 Privacy Rule NPRM, any disclosure of PHI in response to this type 
of request from an investigator must meet the applicable Privacy Rule 
conditions for disclosures for judicial and administrative proceedings 
or law enforcement purposes, as applicable.\261\ That is the case 
whether such disclosure is in follow up to the report made by the 
covered entity (other than to clarify the PHI provided on the report) 
or part of an investigation initiated based on an allegation or report 
made by a person other than the covered entity.\262\
---------------------------------------------------------------------------

    \260\ See 45 CFR 164.502(b) and 164.514(d).
    \261\ See 45 CFR 164.512(e) and (f).
    \262\ See 45 CFR 164.512(e) and (f).
---------------------------------------------------------------------------

    Moreover, this clarification does not affect the ability of state 
authorities to invoke other permissions for disclosure under the 
Privacy Rule, such as the permission for disclosures for law 
enforcement purposes, where they are seeking PHI related to unlawful 
reproductive health care.\263\ Thus, the Department's interpretation of 
``child abuse'' continues to support the protection of children while 
also serving HIPAA's objectives of protecting the privacy of PHI to 
promote individuals' trust in the health care system and preserving the 
relationship between individuals and their health care providers.
---------------------------------------------------------------------------

    \263\ 65 FR 82462, 82527 (Dec. 28, 2000).
---------------------------------------------------------------------------

    Comment: A few commenters recommended that the Department expand 
the clarification of child abuse to broadly address providing or 
facilitating all health care, rather than just reproductive health 
care.
    Response: It is beyond the scope of this rulemaking to expand the 
clarification to include the provision or facilitation of all lawful 
health care. We appreciate the recommendations of commenters and will 
take them under advisement for potential future rulemaking.
3. Adding a Definition of ``Reproductive Health Care''
    Section 160.103 of the HIPAA Rules defines ``health care'' as 
``care, services, or supplies related to the health of an individual.'' 
\264\ The definition clarifies that the term ``includes but is not 
limited to'' several identified types of care, services, and procedures 
\265\ and includes examples such as therapeutic, rehabilitative, or 
maintenance care, as well as sale or dispensing of drugs or devices.
---------------------------------------------------------------------------

    \264\ 45 CFR 160.103 (definition of ``Health care'').
    \265\ These groupings are (1) ``[p]reventive, diagnostic, 
therapeutic, rehabilitative, maintenance, or palliative care, and 
counseling, service, assessment, or procedure with respect to the 
physical or mental condition, or functional status, of an individual 
or that affects the structure or function of the body'' and (2) 
``[the s]ale or dispensing of a drug, device, equipment, or other 
item in accordance with a prescription.'' It would also include 
supplies purchased over the counter or furnished to the individual 
by a person that does not meet the definition of a health care 
provider under the HIPAA Rules. 45 CFR 160.103 (definition of 
``Health care provider'').
---------------------------------------------------------------------------

    The Department proposed to add and define a new term, 
``reproductive health care,'' that would be a subset of the term 
``health care.'' \266\ The Department proposed to define ``reproductive 
health care'' as ``care, services, or supplies related to the 
reproductive health of the individual.'' The Department noted in the 
NPRM preamble that the HIPAA Rules define ``health care'' broadly.\267\
---------------------------------------------------------------------------

    \266\ 88 FR 23506, 23527-28 (Apr. 17, 2023).
    \267\ 88 FR 23506, 23527 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Consistent with the definition of ``health care'' in the HIPAA 
Rules, the proposed definition of ``reproductive health care'' would 
have applied broadly and included not only reproductive health care and 
services furnished by a health care provider and supplies furnished in 
accordance with a prescription, but also care, services, or supplies 
furnished by other persons and non-prescription supplies purchased in 
connection with an individual's reproductive health. The Department 
proposed to use the term ``reproductive health care'' rather than 
``reproductive health services'' to ensure that the term was 
interpreted broadly to capture all health care that could be furnished 
to address reproductive health, including the provision of medications 
and devices, whether prescription or over-the-counter.
    The Department discussed in preamble some of the types of care, 
services, and supplies that were included in the proposed term. In 
keeping with the Department's intention for ``reproductive health 
care'' to be inclusive of all types of health care related to an 
individual's reproductive system, the 2023 Privacy Rule NPRM preamble 
indicated that the term would include, but not be limited to: 
contraception, including emergency contraception; pregnancy-related 
health care; fertility or infertility-related health care; and other 
types of care, services, or supplies used for the diagnosis and 
treatment of conditions related to the reproductive system. We also 
provided a non-exhaustive list of examples of health care within each 
of these categories of reproductive health care.
    Consistent with the definition of ``health care'' adopted in 2000 
in the HIPAA Rules, the Department did not propose a specific 
definition of ``reproductive health'' but invited comment on whether 
including a particular definition of ``reproductive health'' would be 
beneficial.
    Many commenters supported the proposal and agreed that it would 
provide the necessary protections for individuals and others. Some 
referenced existing definitions used by other legal authorities and 
recommended the Department consider adopting or incorporating them in 
some manner.
    Some commenters opposed the proposal to provide an inclusive 
definition of reproductive health care. Some commenters asserted that 
the proposal lacked clarity and was too open-ended, making it difficult 
to operationalize. Other commenters expressed concern that the proposed 
definition would permit minors to consent to reproductive health care 
without parental consent.
    The final rule adopts the new term ``reproductive health care'' and 
definition with three modifications. First, we replace ``care, 
services, or supplies related to the reproductive health of the 
individual'' with ``health care'' and add a citation to the HIPAA 
Rules' definition of that term to clarify that reproductive health care 
is a subset of ``health care.''
    Second, we specify that the term means health care ``that affects 
the health of the individual in all matters relating to the 
reproductive system and to its functions and processes.'' In keeping 
with the Department's intention for ``reproductive health care'' to be 
interpreted broadly and inclusive of all types of health care related 
to an individual's reproductive system, this additional language 
clarifies that the definition encompasses the full range of health care 
related to an individual's reproductive health.
    Third, we add a statement reaffirming that the definition should 
not be construed to establish a standard of care for or regulate what 
constitutes clinically appropriate reproductive health care.
    As discussed in the NPRM, this approach is consistent with the 
approach the Department took when it adopted the definition of ``health 
care'' in the HIPAA Rules. At that time, the Department explained that 
listing specific activities would create the risk that important 
activities would be left out and could also create confusion.\268\
---------------------------------------------------------------------------

    \268\ 65 FR 82462, 82571 (Dec. 28, 2000).
---------------------------------------------------------------------------

    By describing more fully the breadth of reproductive health care, 
the definition may decrease the perceived burden to regulated entities 
of complying with the rule by helping them determine whether a request 
for the use or disclosure of PHI includes PHI that is implicated by this 
final rule.
    To further clarify what is included in reproductive health care for 
regulated entities, we provide a non-exclusive list of examples that 
fit within the definition: contraception, including emergency 
contraception; preconception screening and counseling; management of 
pregnancy and pregnancy-related conditions, including pregnancy 
screening, prenatal care, miscarriage management, treatment for 
preeclampsia, hypertension during pregnancy, gestational diabetes, 
molar or ectopic pregnancy, and pregnancy termination; fertility and 
infertility diagnosis and treatment, including assisted reproductive 
technology and its components \269\ (e.g., in vitro fertilization 
(IVF)); diagnosis and treatment of conditions that affect the 
reproductive system (e.g., perimenopause, menopause, endometriosis, 
adenomyosis); and other types of care, services, and supplies used for 
the diagnosis and treatment of conditions related to the reproductive 
system (e.g., mammography, pregnancy-related nutrition services, 
postpartum care products).
---------------------------------------------------------------------------

    \269\ See ``What is Assisted Reproductive Technology?'' Centers 
for Disease Control and Prevention (Oct. 8, 2019), https://www.cdc.gov/art/whatis.html and ``Fact Sheet: In Vitro Fertilization 
(IVF) Use Across the United States,'' U.S. Dep't of Health and Human 
Servs. (Mar. 13, 2024), https://www.hhs.gov/about/news/2024/03/13/fact-sheet-in-vitro-fertilization-ivf-use-across-united-states.html.
---------------------------------------------------------------------------

    Additionally, the language in the definition stating that the 
definition should not be construed to set forth a standard of care or 
regulate what constitutes clinically appropriate reproductive health 
care should not be read as limiting ``reproductive health care'' to 
only health care that is determined to be appropriate by a health care 
professional. Rather, it may be the individual who determines whether 
the health care they receive, such as over-the-counter contraceptives, 
is appropriate. Like the definition of ``health care,'' the definition 
of reproductive health care is intended to be broad. Finally, we 
clarify that meeting the definition is not sufficient for information 
about such health care to be protected under the HIPAA Rules or this 
final rule. Rather, the information about such health care still needs 
to meet the definition of PHI.\270\
---------------------------------------------------------------------------

    \270\ 45 CFR 160.103 (definition of ``Protected health 
information'').
---------------------------------------------------------------------------

    Comment: Some commenters expressed support for the proposed 
definition of ``reproductive health care.'' Several commenters 
specifically expressed their support for a broad definition of the term 
for various reasons, including: ensuring that providers of reproductive 
health care can continue to serve vulnerable communities and reduce 
health care disparities; providing clarity; and mitigating the need for 
clinical expertise and interpretation for each request for reproductive 
health information. Other commenters expressed support for the term 
because it would improve access to care and better reflect the breadth 
of services that support an individual's reproductive health, enable 
health care providers to continue to maintain appropriate data 
safeguards, and enable individuals to feel comfortable disclosing their 
information without fear of incrimination.
    Many other commenters expressed opposition to the proposed 
definition because it was too expansive and would encompass procedures 
that they did not consider to be reproductive health care. Many 
commenters explicitly requested that the definition exclude certain 
types of health care. A few commenters recommended that the Department 
narrow the proposed definition to apply only to records directly 
involving certain specified services and clarify that the final 
definition does not include other procedures or treatments related to 
pregnancy or contraception. Another commenter expressed opposition to 
the proposed definition of ``reproductive health care'' because they 
believe that reproductive health information is no more sensitive than 
other medical information and should not be treated differently.
    One commenter opposed the proposed definition of ``reproductive 
health care'' because they thought it would prevent health care 
providers from disclosing PHI to other health care providers for 
treatment, which would erode individual trust.
    Several commenters requested that the Department expand the 
proposed definition, be more specific in its meaning (e.g., provide 
additional information about the types of care, services, or supplies 
included in the definition), or replace it with a more expansive term 
(e.g., ``sensitive personal health care'' meaning ``care, services, or 
supplies related to the health of the individual which could expose any 
person to civil or criminal liability for the mere act of seeking, 
obtaining, providing, or facilitating such health care''). A commenter 
urged the Department to define the term ``sexual and reproductive 
health care'' to ensure that individuals have reproductive health care 
privacy, regardless of their sexual orientation or gender identity.
    Commenters offered several alternative definitions or terms, such 
as ``including but not limited to services related to contraception, 
sterilization, preconception care, maternity care, abortion care, and 
counseling regarding reproductive health care''; the definition of 
``reproductive health care services'' at 18 U.S.C. 248(e)(5); 
``reproductive and sexual health care services'' as defined in 
California Health and Safety Code section 1367.31; and limiting the 
definition to capture only health care that is at risk of being 
investigated or prosecuted because of Dobbs. Other commenters requested 
additional precision or clarity in the definition. For example, a 
commenter recommended that the definition include the specific codes 
and data points that would constitute reproductive health care that 
would be prohibited from disclosure under the proposed rule (e.g., 
International Classification of Diseases (ICD) codes related to 
reproductive health, ABO blood type and Rh factor).
    Several commenters urged the Department to narrow the proposed 
definition because of operational concerns, including the redirection 
of resources to making or obtaining legal determinations about whether 
a particular type of care was reproductive health care. Some explained 
that health information management staff generally do not have the 
clinical expertise to determine what would constitute ``reproductive 
health care,'' while another stated that physicians would also have 
trouble discerning what health care would meet the proposed definition. 
Another commenter recommended that the Department include only PHI that 
is already reliably segregated in EHRs in the definition.
    Many commenters requested that the Department further explain the 
proposed definition either in preamble or the regulatory text. One 
commenter suggested that in lieu of a definition of ``reproductive 
health care,'' the Department include an extensive discussion of 
examples in the preamble and provide entities flexibility to implement 
policies or procedures that may be affected by the definition of 
``reproductive health care'' in accordance with their operational 
structures. A few commenters also recommended that the Department 
provide examples in preamble discussion, rather than regulatory text. 
One commenter recommended that the Department provide specific examples 
to illustrate its meaning where there could be ambiguity. Several 
commenters recommended that examples be included in the regulatory text 
and provided specific examples of the types of health care they thought 
should be included. Some commenters 
recommended the Department include examples but did not specify whether 
they should be in the preamble or in the regulatory text, while other 
commenters requested that the Department include a non-exhaustive list 
of examples of reproductive health care in both the regulation and 
preamble.
    Response: After consideration, we have finalized a definition 
grounded in the Privacy Rule's long-established term ``health care.'' 
We provide a non-exhaustive list of examples in preamble above. We do 
not explicitly address all of the many types of health care suggested 
in comments to avoid creating the impression of a complete list. This 
is also consistent with our approach regarding the definition of 
``health care.'' We emphasize that this definition does not set or 
affect standards of care, nor does it affect uses and disclosures of 
PHI for treatment purposes. Operational concerns expressed by some 
commenters are addressed in response to comments on the prohibition.
4. Whether the Department Should Define Any Additional Terms
    The Department requested comments about whether it would be helpful 
for the Department to define ``reproductive health'' or any additional 
terms.\271\
---------------------------------------------------------------------------

    \271\ 88 FR 23506, 23528 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Comment: Several commenters recommended that the Department define 
``reproductive health'' because it would ensure that all covered 
entities would be required to implement changes, or that the PHI of 
individuals receiving certain types of health care would not be 
disclosed to states where individuals who receive such health care are 
being penalized.
    Several commenters urged the Department to add the definition of 
reproductive health adopted by the United Nations and World Health 
Organization, while others recommended the adoption of the definition 
articulated by the International Conference on Population and 
Development in 1994. One commenter expressed opposition to adding a 
definition of reproductive health as unnecessary, and another instead 
recommended adoption of a precise definition of ``reproductive health 
care.''
    Another commenter recommended expanding the definition of PHI to 
include certain digital data of entities not regulated under HIPAA 
(e.g., information from period tracking apps). One commenter 
recommended revising the definition of ``health oversight agency'' to 
exclude agencies that investigate or prosecute activities related to 
reproductive health care. Some commenters requested that the Department 
define additional terms or clarify existing terms.
    Rather than define additional terms, one commenter recommended that 
the Department ensure that all the proposed definitions would be 
aligned with the Office of the National Coordinator for Health 
Information Technology (ONC) and CMS-mandated data elements for 
Certified Electronic Health Record Technology products and in the 
electronic clinical quality measures that health care providers are 
required to report to CMS.
    Response: We appreciate the feedback from commenters, but upon 
further consideration, have concluded that defining any of the 
additional terms or clarifying additional existing ones is not 
necessary to support the implementation of this final rule. We also 
clarify that because HIPAA only authorizes the Department to protect 
IIHI used or disclosed by covered entities and their business 
associates, we are not able to regulate information that individuals 
themselves store and share using consumer health apps.

B. Section 164.502--Uses and Disclosures of Protected Health 
Information: General Rules

    Section 164.502 of the Privacy Rule contains the general rules 
governing uses and disclosures of PHI. Paragraph (a)(1) of this section 
sets forth the list of permitted uses and disclosures.
1. Clarifying When PHI May Be Used or Disclosed by Regulated Entities
    Section 164.502(a)(1)(iv) generally permits a regulated entity to 
use or disclose PHI pursuant to and in compliance with a valid 
authorization under 45 CFR 164.508, except for uses and disclosures of 
genetic information by a health plan for underwriting purposes 
prohibited under 45 CFR 164.502(a)(5)(i). Thus, an authorization that 
purports to allow a health plan to use or disclose PHI for that 
prohibited purpose is not valid under the Privacy Rule.
    The Department proposed to modify 45 CFR 164.502(a)(1)(iv) to 
incorporate an additional limitation on the ability of a regulated 
entity to use and disclose PHI pursuant to an individual's 
authorization.\272\ Specifically, the Department's proposal would 
prohibit a regulated entity from using or disclosing PHI pursuant to an 
individual's authorization where the purpose of the disclosure is for a 
criminal, civil, or administrative investigation or proceeding against 
any person in connection with seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which such health care is provided, or to identify any 
person for the purpose of initiating such activities. As explained in 
the 2023 Privacy Rule NPRM, the proposed modification was intended to 
prevent the misuse of the general permission for a regulated entity to 
use or disclose PHI pursuant to an individual's authorization to bypass 
the proposed prohibition against using and disclosing PHI for purposes 
that would be prohibited by proposed 45 CFR 164.502(a)(5)(iii).
---------------------------------------------------------------------------

    \272\ 88 FR 23506, 23528-29 (Apr. 17, 2023).
---------------------------------------------------------------------------

    The Department explained in the proposed rule that this change to 
the authorization permission was necessary to protect individuals' 
privacy by precluding any possibility that a third party, such as a law 
enforcement official, could coerce or attempt to coerce an individual 
into signing an authorization, thereby enabling the third party to 
circumvent the prohibition proposed at 45 CFR 164.502(a)(5)(iii).
    The Department also proposed to modify the general rules in 45 CFR 
164.502(a)(1)(vi) to expressly condition certain uses and disclosures 
made under 45 CFR 164.512 on the receipt of an attestation pursuant to 
proposed 45 CFR 164.509, which is discussed below in greater detail. 
For clarity, the Department proposed to revise 45 CFR 164.502(a)(1)(vi) 
by replacing the sentence containing the conditions for certain 
permitted uses and disclosures with a lettered list.
    Public comments about the use of authorization to use and disclose 
PHI for the purposes the Department proposed to prohibit in the 2023 
Privacy Rule NPRM were generally divided between opposing views and 
supportive views, although only a few comments expressed full support 
for the proposal, as drafted. While many commenters shared the 
Department's concerns about the potential for individuals to be coerced 
into providing an authorization, some of these commenters nonetheless 
opposed the proposal because it could limit beneficial disclosures, 
cause uncertainty about the validity of an authorization, increase the 
burden on regulated entities, or seem to conflict with state laws that 
permit the disclosure of certain health information with the 
individual's explicit written consent.
    The Department received no comments on its proposal to replace the

[[Page 33008]]

sentence at 45 CFR 164.502(a)(1)(vi) with a lettered list. Comments on 
the Department's proposal to condition certain disclosures made under 
45 CFR 164.512 on the receipt of an attestation as required by proposed 
45 CFR 164.509 are discussed below in greater detail.
    The Department is not finalizing its proposal to prohibit a 
regulated entity from using or disclosing an individual's PHI for the 
specified purposes pursuant to and in compliance with an individual's 
authorization. We agree with the majority of public comments discussed 
in detail below that generally expressed the view that the Privacy 
Rule's authorization requirements empower individuals to make decisions 
about who has access to their PHI. We acknowledge that maintaining the 
permission for regulated entities to obtain an individual's 
authorization to use and disclose PHI could leave an individual exposed 
to the potential for duress or coercion by a third party. It could also 
expose a health care provider or other person who provides or 
facilitates reproductive health care to liability in the event the 
authorization is used to effect a disclosure for a prohibited purpose 
in connection with lawful reproductive health care. However, we believe 
that continuing to permit uses and disclosures pursuant to an 
individual's authorization best preserves individual autonomy 
concerning uses and disclosures of their PHI. Consistent with our 
practice described above, the Department will monitor closely the 
interaction of the revised Privacy Rule and the evolving legal 
landscape to ensure an appropriate balance of protecting the privacy 
interests of individuals and permitting access to PHI for non-health 
care purposes.
    As we discussed in the proposed rule, there is a relationship 
between the provision allowing an individual to authorize a regulated 
entity to use or disclose the individual's PHI to a third party and the 
HITECH Act requirement that a regulated entity comply with an 
individual's direction to transmit to another person an electronic copy 
of the individual's PHI in an EHR (``individual access right to 
direct'').\273\ Both enhance an individual's autonomy by providing them 
with the ability to determine who can access the individual's PHI as 
specified in the authorization or access request. Both also create an 
opportunity for coercion or attempted coercion of an individual by 
another person (e.g., a law enforcement official could attempt to 
coerce an individual into providing the law enforcement official with 
access to the individual's PHI by offering the individual a reduced 
sentence for an alleged crime). And while we remain concerned about the 
potential for coercion or attempted coercion, even if the Department 
were to finalize the proposed limitation on uses and disclosures with 
an authorization, the individual would retain the individual access 
right to direct, which is enshrined in statute. We also believe it 
would be inconsistent with the spirit of individual access right to 
direct for the Department to limit the ability of an individual to 
authorize a regulated entity to disclose their PHI to another person.
---------------------------------------------------------------------------

    \273\ 42 U.S.C. 17935(e).
---------------------------------------------------------------------------

    For the foregoing reasons, we are not finalizing this proposal, and 
the language in 45 CFR 164.502(a)(1)(iv) remains unchanged.
    Comment: While some commenters expressed concern about the 
potential for coercion described in the proposed rule, they did not all 
agree that it would be appropriate to address this concern by 
prohibiting such disclosures pursuant to an authorization. Some 
commenters asserted that coercion concerns would not be eliminated by 
curtailing the ability of individuals to authorize disclosures of their 
PHI in certain circumstances.
    Some commenters explained that prohibiting individuals from 
requesting disclosures of their PHI pursuant to an authorization for 
prohibited purposes would create a significant burden for regulated 
entities, primarily because of the frequent failure of persons 
requesting the use or disclosure of PHI to provide sufficient detail 
regarding the purpose of the request to allow them to determine if it 
would be for a prohibited purpose.
    A few commenters asserted that a HIPAA authorization is the safest 
approach to ensuring an individual is aware of and agrees to the use or 
disclosure of their PHI. One of those commenters recommended that the 
Department permit a regulated entity to disclose PHI pursuant to a 
valid authorization unless the covered entity has actual knowledge that 
an authorization was not voluntary. A commenter recommended adding a 
disclaimer or warning to the authorization to provide assurances that 
an individual was not coerced into disclosing their PHI to law 
enforcement or another third party that might seek to use the PHI for 
improper purposes. Still another commenter recommended that the 
Department require the authorization to indicate the types of sensitive 
information the individual intends to share. One commenter recommended 
that certain disclosures be accompanied by a notice of the individual's 
rights under the Privacy Rule.
    Response: We appreciate comments concerning this proposal and the 
restriction of individuals' ability to maintain control over their PHI 
by prohibiting the use of written authorization. The Privacy Rule's 
written authorization requirements are the most objective means by 
which an individual can provide direction to a regulated entity about 
the use and disclosure of their PHI known to a regulated entity. The 
right of individuals to access their PHI and choose to disclose their 
PHI to another person is a cornerstone of HIPAA, and as such, we are 
not proceeding with this proposal. The Department will continue to 
monitor complaints we receive and the outcome of enforcement actions to 
identify potential coercion and the effect of permitting individuals to 
authorize the disclosure of PHI for purposes that are prohibited under 
45 CFR 164.502(a)(5)(iii) on the relationship between health care 
providers and individuals.
    We also appreciate the comments that asserted that restricting the 
ability of regulated entities to use an authorization to obtain PHI for 
the purposes prohibited in this rulemaking could create a burden for 
the regulated entities.
    To the extent that individuals wish to authorize the use and 
disclosure of their PHI, particularly when a request is not clear, or 
when a request seeks only part of a record, a written 
authorization provides the regulated entity with the opportunity to 
clarify, with both the individual and the person requesting the 
disclosure, the PHI that will be disclosed. State laws that require 
regulated entities to obtain an individual's written consent are 
generally considered more privacy protective, and thus are not 
preempted.
    Comment: Several commenters expressed support for eliminating the 
ability of regulated entities to use or disclose PHI pursuant to an 
authorization in certain circumstances because of the potential for 
harm to individuals as proposed. One commenter described the potential 
negative effects of permitting uses and disclosures pursuant to an 
authorization in certain circumstances on individuals from historically 
marginalized communities. Another commenter asserted that individuals 
frequently do not read consent forms provided to them for signature for 
a variety of reasons, including proficiency. Some commenters expressed 
concerns that individuals who are the subject of a

[[Page 33009]]

criminal investigation or prosecution would be placed in situations 
where it would not be possible to obtain a voluntary authorization 
(e.g., a custodial situation), or that law enforcement could seek to 
persuade an individual to provide them with access to the individual's 
PHI through improper means.
    Response: We continue to share the concern expressed by commenters 
about the potential for coercion or harassment of individuals, 
particularly those in marginalized or underserved communities, to 
provide authorization for the use or disclosure of their PHI. According 
to many reports and data cited by the Department and commenters, such 
individuals more often experience negative interactions with law 
enforcement or other prosecutorial authorities. We urge HIPAA regulated 
entities to be mindful of Privacy Rule requirements that could help 
mitigate the potential for harm resulting from coercion or difficulties 
individuals may experience in understanding an authorization. For 
example, 45 CFR 164.508(b)(2)(v) holds invalid authorizations that 
include ``material information [. . .] known by the covered entity to 
be false''; 45 CFR 164.508(c)(1)(iv) requires that every authorization 
include a description of each purpose of the requested use or 
disclosure; and 45 CFR 164.508(c)(3) requires that the authorization be 
written in plain language.\274\ The Department will continue to monitor 
complaints, questions, and enforcement outcomes for potential harm from 
disclosures resulting from authorizations.
---------------------------------------------------------------------------

    \274\ In the preamble to the 2000 Privacy Rule, we explained 
that a covered entity could meet HIPAA plain language requirements 
by organizing material to serve the reader; writing short sentences 
in the active voice; using pronouns; using common, everyday 
language; and dividing material into short sections. 65 FR 82462, 
82548 (Dec. 28, 2000).
---------------------------------------------------------------------------

    Comment: A few commenters requested clarifications of how the 
proposal would affect other disclosures made pursuant to the Privacy 
Rule, including disclosures to the individual's attorney, and whether 
the Department intended it to apply to other consumer-initiated 
requests, such as part of an Application Programming Interface (API).
    A commenter recommended that health care providers be permitted to 
refuse to release PHI to any consumer health app when the information 
could lead to civil or criminal repercussions for the health care 
provider unless the app developer signs a binding agreement that 
protects them.
    Response: We are not finalizing the proposal, but state here that 
the Department did not intend to affect or disrupt the ability of 
covered entities to make other disclosures of PHI pursuant to a written 
authorization under the Privacy Rule. Additionally, as discussed above, 
individuals have the right to obtain a copy of their PHI and the 
individual access right to direct, which could involve releasing PHI to 
a consumer health app or an API. With respect to EHR and technology 
vendors and other third parties who facilitate the exchange of PHI on 
behalf of covered entities, we continue to stress that valid business 
associate agreements are required by the Privacy Rule and necessary to 
protect the privacy of the individuals who are the subject of the PHI. 
ONC also has made clear that it intends to advance technologies that 
support requirements already extant under the HIPAA Privacy Rule.\275\ 
Additionally, the Department continues to urge covered entities that 
have direct contact with individuals to educate such individuals on the 
risks of disclosing their PHI to persons that are not regulated by 
HIPAA.\276\ We will continue to ensure that regulated entities enter 
into business associate agreements as required by the Privacy 
Rule.\277\ We will continue to monitor complaints, questions, and 
enforcement outcomes.
---------------------------------------------------------------------------

    \275\ 89 FR 1192, 1302 (Jan. 9, 2024). See also Off. for Civil 
Rights, ``Information Blocking Regulations Work In Concert with 
HIPAA Rules and Other Privacy Laws to Support Health Information 
Privacy,'' U.S. Dep't of Health and Human Servs. (Apr. 12, 2023), 
https://www.healthit.gov/buzz-blog/information-blocking/information-blocking-regulations-work-in-concert-with-hipaa-rules-and-other-privacy-laws-to-support-health-information-privacy.
    \276\ See, e.g., Off. for Civil Rights, ``Resource for Health 
Care Providers on Educating Patients about Privacy and Security 
Risks to Protected Health Information when Using Remote 
Communication Technologies for Telehealth,'' U.S. Dep't of Health 
and Human Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/resource-health-care-providers-educating-patients/.
    \277\ See 45 CFR 164.502(a)(3) and (e). See also 45 CFR 
164.504(e).
---------------------------------------------------------------------------

    Comment: Many commenters addressed the relationship between the 
Department's proposal to eliminate the option for an individual to 
request disclosure of their information for the prohibited purposes 
pursuant to an authorization and the individual right of access, 
particularly, the right of an individual to direct a regulated entity 
to transmit to a third party an electronic copy of their PHI in an EHR. 
Several commenters recommended that the Department curtail the 
individual access right to direct. Some commenters expressed concern 
about the potential for individuals to be coerced into providing access 
to their PHI to third parties. A few commenters expressed concerns that 
some third parties sell PHI for purposes adverse to individuals' 
interests, including some of the purposes described in the 2023 Privacy 
Rule NPRM.
    A few commenters provided recommendations for ways to educate 
individuals regarding their rights under the Privacy Rule.
    Response: Although we appreciate the comments on this topic, any 
modifications to the individual access right to direct are beyond the 
scope of this rulemaking. We reiterate here that covered entities and 
their technology vendors that meet the definition of business 
associates must ensure that valid business associate agreements are in 
place,\278\ and we urge them to facilitate individuals' awareness of 
the risks of using third-party consumer apps that are not regulated by 
HIPAA.\279\ The Department continues to appreciate the identification 
of better education resources for individuals and health care providers 
and commits to providing educational resources through its website, 
regional offices, and webinars.
---------------------------------------------------------------------------

    \278\ For information about what a business associate is and the 
requirements for business associate agreements, see Off. for Civil 
Rights, ``Business Associate Contracts,'' U.S. Dep't of Health and 
Human Servs. (Jan. 25, 2013), https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/.
    \279\ Off. for Civil Rights, ``Protecting the Privacy and 
Security of Your Health Information When Using Your Personal Cell 
Phone or Tablet,'' U.S. Dep't of Health and Human Servs. (June 29, 
2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/.
---------------------------------------------------------------------------

2. Adding a New Category of Prohibited Uses and Disclosures
    Generally, the Privacy Rule prohibits the use or disclosure of PHI 
except as permitted or required by the Privacy Rule. Paragraph (a)(5) 
of section 164.502 contains specific purposes for which the Privacy 
Rule explicitly prohibits the use and disclosure of PHI. Section 
164.502(a)(5)(i) prohibits most health plans from using or disclosing 
PHI that is genetic information for underwriting purposes, while 45 CFR 
164.502(a)(5)(ii) prohibits a regulated entity from selling PHI, except 
when they have obtained a valid authorization from the individual who 
is the subject of the PHI.
    The Department proposed to add a new paragraph, 45 CFR 
164.502(a)(5)(iii), to prohibit regulated entities from using or 
disclosing an individual's PHI for certain additional purposes, and to 
describe the scope, applicability, and limitations of the prohibition. 
Similar to most other

[[Page 33010]]

prohibitions within the Privacy Rule, this prohibition would be 
purpose-based, rather than a blanket prohibition against uses and 
disclosures of certain types of PHI.\280\ The Department's rationale 
for this approach was four-fold: (1) to be consistent with the existing 
Privacy Rule permissible use and disclosure structure with which 
regulated entities are familiar, including the permission to disclose 
to law enforcement for certain purposes; (2) to avoid imposing a 
requirement on regulated entities that would necessitate the adoption 
and implementation of costly technology upgrades to enable data 
segmentation; \281\ (3) to recognize that PHI about an individual's 
reproductive health care may be used or disclosed for a wide variety of 
purposes, and permitting the use or disclosure of PHI for some of those 
purposes would erode individuals' ability to trust in the health care 
system; and (4) to avoid any misperception that the Department is 
setting a standard of care or substituting its judgment for that of 
individuals and licensed health care professionals.
---------------------------------------------------------------------------

    \280\ 88 FR 23506, 23529-33 (Apr. 17, 2023).
    \281\ The Department does not oppose efforts to implement or 
employ technology that is capable of segmenting data. Rather, the 
Department's proposal was informed by the recognition that the 
technology deployed by most regulated entities today is not capable 
of doing so.
---------------------------------------------------------------------------

    Proposed 45 CFR 164.502(a)(5)(iii)(A) would establish a new 
prohibition against the use or disclosure of PHI. Section 
(a)(5)(iii)(A)(1) would prohibit the use or disclosure of PHI where the 
use or disclosure is for a criminal, civil, or administrative 
investigation into or proceeding against any person in connection with 
seeking, obtaining, providing, or facilitating reproductive health 
care. Section 164.502(a)(5)(iii)(A)(2) would prohibit the use or 
disclosure of PHI to identify any person for the purpose of initiating 
a criminal, civil, or administrative investigation into or proceeding 
against any person in connection with seeking, obtaining, providing, or 
facilitating reproductive health care.
    The Department proposed 45 CFR 164.502(a)(5)(iii)(B) to explain 
that ``seeking, obtaining, providing, or facilitating'' would include, 
but not be limited to, expressing interest in, inducing, using, 
performing, furnishing, paying for, disseminating information about, 
arranging, insuring, assisting, or otherwise taking action to engage in 
reproductive health care; or attempting any of the same. As the 
Department explained in the 2023 Privacy Rule NPRM, the proposed 
prohibition would apply to any request for PHI to facilitate a 
criminal, civil, or administrative investigation or proceeding against 
any person, or to identify any person to initiate an investigation or 
proceeding, where the basis for the investigation, proceeding, or 
identification is that the person sought, obtained, provided, or 
facilitated reproductive health care that is lawful under the 
circumstances in which such health care is provided. The Department 
further explained that, consistent with its HIPAA authority, the 
prohibition would preempt state or other laws requiring a regulated 
entity to use or disclose PHI in response to a court order or other 
type of legal process for a purpose prohibited under the proposed rule. 
Conversely, the prohibition would not preempt laws that require the use 
or disclosure of PHI for other purposes, such as: public health 
activities; \282\ investigations of sexual assault committed against an 
individual where such use or disclosure is conditioned upon the receipt 
of an attestation; or investigations into human and sex trafficking, 
child abuse, or professional misconduct or licensing inquiries.\283\
---------------------------------------------------------------------------

    \282\ See supra discussion of ``Public health'' for more 
information on what constitutes a ``public health activity'' under 
the Privacy Rule.
    \283\ 88 FR 23506, 23532 (Apr. 17, 2023).
---------------------------------------------------------------------------

    The Department also proposed to subject this prohibition to a Rule 
of Applicability in 45 CFR 164.502(a)(5)(iii)(C). As the Department 
explained, the proposed prohibition in 45 CFR 164.502(a)(5)(iii) would 
prohibit a regulated entity from using or disclosing PHI for certain 
purposes against any person in connection with seeking, obtaining, 
providing, or facilitating reproductive health care that is ``lawful 
under the circumstances in which such health care is provided.'' \284\ 
The Department further explained that it proposed a framework for 
regulated entities to determine whether the reproductive health care at 
issue was lawful under the circumstances in which such health care was 
provided. The proposed language of the Rule of Applicability under this 
rule would apply where one or more of three specified conditions exist.
---------------------------------------------------------------------------

    \284\ Id. at 23510, 23522, and 23531.
---------------------------------------------------------------------------

    The first condition, as proposed in 45 CFR 
164.502(a)(5)(iii)(C)(1), addressed reproductive health care provided 
outside of the state that authorized the investigation or proceeding 
where such health care is lawful in the state where it is provided. In 
the proposed rule, we also clarified that the proposal would apply the 
prohibition in a situation in which the health care is ongoing, has 
been completed, or has not yet been obtained, provided, or facilitated. 
The proposed prohibition would recognize that any interest of society 
in conducting an investigation or proceeding against a person would 
require balancing with, and generally be outweighed by, the interests 
of society in protecting the privacy interests of individuals when they 
access lawful health care. As discussed above, privacy interests are 
heightened with respect to reproductive health care that is lawful 
under the circumstances in which it is provided as compared to the 
interests of law enforcement, and private parties afforded legal rights 
of action, in investigating or imposing liability for actions related 
to lawful reproductive health care.
    The second condition, proposed in 45 CFR 164.502(a)(5)(iii)(C)(2), 
addressed reproductive health care protected, required, or authorized 
by Federal law, regardless of the state in which such health care is 
provided. It would apply the prohibition to reproductive health care 
that is lawful under the applicable Federal law and where the 
investigation or proceeding is against any person in connection with 
seeking, obtaining, providing, or facilitating reproductive health 
care. It would apply, for example, where the underlying reproductive 
health care continues to be protected by the Constitution, such as 
contraception, or is expressly required or authorized under Federal 
law.\285\
---------------------------------------------------------------------------

    \285\ See Griswold v. Connecticut, 381 U.S. 479 (1965); 
Eisenstadt v. Baird, 405 U.S. 438 (1972); Dobbs, 597 U.S. 345 
(Kavanaugh, J., concurring) (Dobbs ``does not threaten or cast doubt 
on'' the precedents providing constitutional protection for 
contraception).
---------------------------------------------------------------------------

    The third condition, proposed in 45 CFR 164.502(a)(5)(iii)(C)(3), 
would apply the prohibition when the relevant criminal, civil, or 
administrative investigation or proceeding is in connection with any 
person seeking, obtaining, providing, or facilitating reproductive 
health care that is provided in a state consistent with and permitted 
by the law of that same state.
    The Department also proposed a Rule of Construction in 45 CFR 
164.502(a)(5)(iii)(D) that provided that the proposed prohibition 
should not be construed to prohibit a use or disclosure of PHI 
otherwise permitted by the Privacy Rule unless such use or disclosure 
is primarily for the purpose of investigating or imposing liability on 
any person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care.\286\ The Department proposed the 
Rule of Construction to avoid an erroneous interpretation of the 
prohibition

[[Page 33011]]

standard, which otherwise could have been construed to prevent 
regulated entities from using or disclosing PHI for the purpose of 
defending themselves or others against allegations that they sought, 
obtained, provided, or facilitated reproductive health care that was 
not lawful under the circumstances in which it was provided.
---------------------------------------------------------------------------

    \286\ See proposed 45 CFR 164.502(a)(5)(iii)(D). See also 88 FR 
23506, 23552-53 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Most of the comments addressing the proposed prohibition expressed 
support for the Department's purpose-based approach and the principle 
that the Privacy Rule should prohibit the use and disclosure of PHI for 
a criminal, civil, or administrative investigation into or proceeding 
against any person, or to identify any person to initiate a criminal, 
civil, or administrative investigation into or proceeding against any 
person, in connection with seeking, obtaining, providing, or 
facilitating lawful reproductive health care. At the same time, the 
Department received many comments that expressed concern about the 
proposal's clarity and regulated entities' ability to operationalize 
the Rule of Applicability and Rule of Construction. For example, 
commenters asserted that to the extent the proposed rule would require 
regulated entities to determine whether the requested PHI was about 
reproductive health care that was lawful under the circumstances in 
which it was provided, making such a determination could be unduly 
burdensome when the request was about reproductive health care that was 
not provided by the regulated entity that received the request and 
could expose them to legal risk in the absence of additional guidance 
or a safe harbor. Other commenters expressed concern that applying the 
prohibition would undermine the ability of states to enforce their own 
health care laws.
    Commenters who addressed the proposed Rule of Construction also 
expressed confusion about how the Department intended ``primarily'' or 
``primarily for the purpose of'' to be interpreted. Many requested 
examples of uses and disclosures that were ``primarily'' for the 
underlying prohibited purposes. In lieu of the proposal to avoid 
liability based on ``the mere act of'' seeking, obtaining, providing, 
or facilitating reproductive health care, a few commenters suggested 
expanding the proposed definition or modifying existing permissions to 
explicitly exclude conduct based solely on seeking, obtaining, 
providing, or facilitating certain types of health care.
    The Department is finalizing the proposed prohibition that 
restricts the ability of regulated entities to use or disclose PHI for 
activities with the purpose of investigating or imposing liability on 
any person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which it was provided, or to identify any person for 
such purposes, with modifications to improve clarity and ease 
implementation for regulated entities.
    The Department is retaining its purpose-based approach in the final 
rule in light of concerns about the ability of regulated entities to 
segment certain types of data and in recognition that PHI about an 
individual's reproductive health may be reflected throughout an 
individual's longitudinal health record, in addition to being 
maintained by a wide variety of regulated entities.
    As we discussed in the 2023 Privacy Rule NPRM, the Department 
recognizes that diseases and conditions that are not directly related 
to an individual's reproductive health may be affected by or have 
bearing on the individual's reproductive health and the reproductive 
health care they are eligible to receive, and vice versa. Thus, it may 
be necessary for all types of health care providers to maintain 
complete and accurate medical records to ensure that subsequent health 
care providers are adequately informed in making diagnoses or 
recommending courses of treatment. For example, an individual with a 
chronic cardiac or endocrine condition may become pregnant, placing 
additional strain on the individual's cardiovascular or endocrine 
system. In such cases, it is essential that their cardiologist or 
endocrinologist be informed of the pregnancy and consulted as necessary 
to ensure appropriate health care is provided to the individual because 
such conditions may have bearing on their pregnancy.
    Additionally, the final rule revises the prohibition standard at 45 
CFR 164.502(a)(5)(iii) by incorporating language from the proposed Rule 
of Construction to clarify the purposes for which the Department 
prohibits uses or disclosures of PHI. In 45 CFR 
164.502(a)(5)(iii)(A)(1) and (2), the Department incorporates the 
``mere act of'' language of the proposed Rule of Construction to 
clarify that the prohibited uses and disclosures of PHI are tied to 
imposing criminal, civil, or administrative liability for the ``mere 
act of'' seeking, obtaining, providing, or facilitating reproductive 
care and not just ``in connection to'' such acts.\287\ Section 
164.502(a)(5)(iii)(A)(1) combines the criminal, civil, or 
administrative investigations language from the proposed prohibition 
standard with the proposed Rule of Construction to prohibit regulated 
entities from using or disclosing PHI for activities conducted for the 
purpose of a criminal, civil, or administrative investigation into any 
person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care. Section 164.502(a)(5)(iii)(A)(2) 
separates and replaces the ``or proceeding against'' language from the 
first condition of the proposed prohibition standard with ``to impose 
criminal, civil, or administrative liability on'' and incorporates 
language from the proposed Rule of Construction to prohibit regulated 
entities from using or disclosing PHI for activities conducted for the 
purpose of imposing criminal, civil, or administrative liability on any 
person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care. Similar to proposed 45 CFR 
164.502(a)(5)(iii)(A)(2), 45 CFR 164.502(a)(5)(iii)(A)(3) now addresses 
the use or disclosure of PHI to identify any person for the activities 
described in the other conditions of the prohibition standard. To the 
extent the purpose in 45 CFR 164.502(a)(5)(iii)(A)(1) relates to 
activities conducted for an investigation, the purpose in 45 CFR 
164.502(a)(5)(iii)(A)(2) relates to the activities to impose liability, 
including activities that would flow from that investigation, whether 
it be in the form of proceedings to consider censure, medical license 
revocation, the imposition of fines or other penalties, or detainment 
or imprisonment, or the actual imposition of such liability.
---------------------------------------------------------------------------

    \287\ Section 164.502(a)(5)(iii)(A)(3) incorporates the same 
language by reference to 45 CFR 164.502(a)(5)(iii)(A)(1) and (A)(2).
---------------------------------------------------------------------------

    The prohibition against the uses and disclosures of PHI finalized 
in 45 CFR 164.502(a)(5)(iii)(A) is subject to the Rule of Applicability 
that the Department is finalizing in 45 CFR 164.502(a)(5)(iii)(B). As 
discussed in the proposed rule and finalized herein, the Rule of 
Applicability modifies the prohibition standard to make clear that the 
prohibition encompasses the use or disclosure of PHI for any activities 
conducted for the purpose of investigating or imposing liability on any 
person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care that the regulated entity that 
has received the request for PHI has reasonably determined is lawful 
under the circumstances in which such health care is provided. The 
prohibition's

[[Page 33012]]

reference to the ``mere act'' of seeking, obtaining, providing, or 
facilitating lawful reproductive health care includes the reasons that 
the reproductive health care was sought or provided (e.g., an 
investigation into whether a particular abortion was necessary to save 
a pregnant person's life would constitute an investigation into the 
``mere act'' of seeking, obtaining, providing, or facilitating 
reproductive health care). The reference to ``mere act'' operates the 
same way with respect to activities conducted to identify any 
individual for the purposes described above. This includes but is not 
limited to law enforcement investigations, third party investigations 
in furtherance of civil proceedings, state licensure proceedings, 
criminal prosecutions, and family law proceedings. Examples of 
criminal, civil, or administrative investigations or activities to 
impose liability for which regulated entities would be prohibited from 
using or disclosing PHI would also include a civil suit brought by a 
person exercising a private right of action provided for under state 
law against an individual or health care provider who obtained, 
provided, or facilitated a lawful abortion, or a law enforcement 
investigation into a health care provider for lawfully providing or 
facilitating the disposal of an embryo at the direction of the 
individual.
    The Department acknowledges that this final rule will not prohibit 
the use or disclosure of PHI in all instances in which persons request 
the use or disclosure of PHI for an investigation or to impose 
liability on a person for seeking, obtaining, providing, or 
facilitating reproductive health care. As discussed extensively in 
Section III of this rule, the Privacy Rule has long balanced the 
privacy interests of individuals with that of society in obtaining PHI 
for certain non-health care purposes. Accordingly, we acknowledge that 
in some circumstances, an individual's privacy interest in obtaining 
lawful care will outweigh law enforcement's interests in the PHI for 
certain non-health care purposes, while in others, law enforcement's 
interests in the PHI will outweigh the privacy interests of 
individuals. As we discussed above in Section III and in the proposed 
rule, recent developments in the legal landscape have made information 
about an individual's reproductive health more likely to be sought for 
punitive non-health care purposes, such as targeting individuals for 
seeking lawful reproductive health care outside of their home state, 
and therefore more likely to be subject to disclosure by regulated 
entities if the requested disclosure is permitted under the Privacy 
Rule. The Department's approach in this rulemaking limits the 
application of the prohibition to situations in which reproductive 
health care meets one of the conditions of the Rule of Applicability. 
Accordingly, the prohibition applies only where individuals' privacy 
interests outweigh the interests of law enforcement, and private 
parties afforded legal rights of action, in obtaining individuals' PHI 
for the non-health care purpose of investigating or imposing liability 
for reproductive health care that was not lawful under the 
circumstances in which it was provided.
    We also acknowledge, as we did in the proposed rule, that in some 
circumstances, the Privacy Rule imposes greater restrictions on uses 
and disclosures of PHI than state privacy laws, and the prohibition may 
delay or hamper enforcement of certain other state laws (e.g., laws 
governing access to reproductive health care). Such circumstances were 
contemplated by Congress when it enacted HIPAA.\288\ For example, a 
state law might require a covered entity to disclose PHI to law 
enforcement in furtherance of an investigation, while the final rule 
may prohibit such a disclosure. In such cases, the provisions of the 
Privacy Rule would preempt the application of contrary provisions of 
state law, and the regulated entity could not disclose the PHI.\289\ 
However, as discussed above in section III, we reiterate that not all 
methods to investigate the lawfulness of reproductive health care are 
foreclosed by this rule.
---------------------------------------------------------------------------

    \288\ 42 U.S.C. 1320d-7(a)(1) (providing the general rule that, 
with limited exceptions, a provision or requirement under HIPAA 
supersedes any contrary provision of state law); see also section 
264(c)(2) of Public Law 104-191 (codified at 42 U.S.C. 1320d-2 note) 
and 45 CFR 160.203.
    \289\ See final 45 CFR 164.509, and discussion below.
---------------------------------------------------------------------------

    The Department emphasizes that the prohibition does not apply in 
circumstances that fall outside of its terms. Where a person requesting 
PHI identifies a legal basis for the request beyond the mere act of a 
person having sought, obtained, provided, or facilitated reproductive 
health care that was lawful under the circumstances in which it was 
provided, the prohibition at 45 CFR 164.502(a)(5)(iii) would not apply. 
Similarly, if a person obtains reproductive health care that was 
unlawful, such health care would not be lawful under the circumstances 
in which it was provided, and the prohibition would not apply. Where 
the prohibition does not apply, the Privacy Rule permits the requested 
PHI to be used or disclosed, provided that the use or disclosure is 
otherwise permitted by the Privacy Rule (i.e., the request meets the 
requirements of an applicable permission and is accompanied by a valid 
attestation as described by 45 CFR 164.509, where required). The 
Department reminds the public that persons who request PHI under false 
pretenses may be subject to criminal penalties under HIPAA.\290\
---------------------------------------------------------------------------

    \290\ See 42 U.S.C. 1320d-6.
---------------------------------------------------------------------------

    The Rule of Applicability, as discussed below, vests the 
determination of whether the reproductive health care was lawful under 
the circumstances it was provided with the regulated entity that 
receives the request for PHI and requires that such determination be 
reasonable. The regulatory presumption, also discussed below, replaces 
the proposed requirement that a regulated entity make a determination 
regarding the lawfulness of the reproductive health care where someone 
other than the regulated entity that receives the request provided such 
health care. The new language requires that the reproductive health 
care at issue be presumed lawful under the circumstances in which such 
health care is provided when provided by a person other than the 
regulated entity receiving the request. This helps to ensure that the 
regulated entity is not required to make a determination about the 
lawfulness of such health care. The presumption may be overcome if 
certain conditions are met.
    In the proposed rule, the Department provided examples that remain 
helpful in illustrating the operation of the clarified prohibition and 
how it continues to permit uses and disclosures for legitimate 
interests.\291\ For example, the prohibition does not restrict a 
regulated entity from using or disclosing PHI to a health oversight 
agency conducting health oversight activities, such as investigating 
whether reproductive health care was actually provided or appropriately 
billed in connection with a claim for such services, or investigating 
substandard medical care or patient abuse.\292\ However, as discussed 
above, investigating substandard medical care

[[Page 33013]]

or patient abuse may not be used as a pretext for investigating 
reproductive health care for purposes that are otherwise prohibited by 
this final rule. In another example, the rule does not bar a regulated 
entity from using or disclosing PHI to investigate an alleged violation 
of the Federal False Claims Act or a state equivalent based on unusual 
prescribing or billing patterns for erectile dysfunction medication.
---------------------------------------------------------------------------

    \291\ 88 FR 23506, 23532-33 (Apr. 17, 2023).
    \292\ See 45 CFR 164.512(d)(1)(i) through (iv) for health 
oversight activities for which the Privacy Rule permits uses and 
disclosures of PHI. See also the National Association of Medicaid 
Fraud Control Units, described at https://www.naag.org/about-naag/namfcu/. All 53 federally certified Medicaid Fraud Control Units 
voluntarily subscribe to this organization. This final rule does not 
interfere with any State's ability to meet their statutory 
obligations to combat health care fraud related to Medicaid.
---------------------------------------------------------------------------

    This final rule also does not prohibit the use or disclosure of PHI 
where the PHI is sought to investigate or impose liability on a person 
for submitting a false claim for reproductive health care for payment 
to the government. In such a case, the request is not made for the 
purpose of investigating or imposing liability on a person for the mere 
act of seeking, obtaining, providing, or facilitating reproductive 
health care. Instead, the purpose of the request for PHI is to 
investigate or impose liability on a person for an alleged violation of 
the Federal False Claims Act or a state equivalent.\293\ As another 
example, the revised prohibition standard generally does not prohibit 
the disclosure of PHI to an Inspector General where the PHI is sought 
to conduct an audit aimed at protecting the integrity of the Medicare 
or Medicaid Program where the audit is not inconsistent with this final 
rule. This is because the request is generally not being made for the 
purpose of investigating or imposing liability on a person for the mere 
act of providing the reproductive health care itself. The prohibition 
also makes clear that the use or disclosure of PHI is permitted where 
the purpose of the use or disclosure is to investigate alleged 
violations of Federal nondiscrimination laws or abusive conduct, such 
as sexual assault, that may occur in connection with reproductive 
health care. The prohibition likewise makes clear that the use or 
disclosure of PHI is permitted where the purpose of the use or 
disclosure is to penalize the provision of reproductive health care 
that is not lawful, as defined by the Rule of Applicability at 45 CFR 
164.502(a)(5)(iii)(B), as long as a Privacy Rule permission applies.
---------------------------------------------------------------------------

    \293\ 31 U.S.C. 3729-3733.
---------------------------------------------------------------------------

    Under the prohibition, a regulated entity could respond to a 
request for relevant records in a criminal or civil investigation 
pursuant to 18 U.S.C. 248 regarding freedom of access to clinic 
entrances. Investigations under this provision are conducted for the 
purpose of determining whether a person physically obstructed, 
intimidated, or interfered with persons providing ``reproductive health 
services,'' \294\ or attempted to do so. Thus, they do not involve 
investigating or imposing liability on a person for the mere act of 
seeking, obtaining, providing, or facilitating reproductive health care 
that was reasonably determined to be lawful under the circumstances in 
which such health care was provided by the regulated entity that 
received the request for PHI.
---------------------------------------------------------------------------

    \294\ 18 U.S.C. 248(e)(5) (definition of ``Reproductive health 
services'').
---------------------------------------------------------------------------

    The final rule retains the proposal's prohibition against the use 
or disclosure of PHI for activities conducted for the purpose of 
investigating or imposing liability on ``any person'' for the mere act 
of seeking, obtaining, providing, or facilitating reproductive health 
care that is lawful under the circumstances in which such health care 
is provided, or for identifying ``any person'' for such activities. 
``Any person'' means, based on the HIPAA Rules' definition of 
``person,'' \295\ that the prohibition is not limited to use or 
disclosure of PHI for use against the individual; rather, the 
prohibition applies to the use or disclosure of PHI against a regulated 
entity, or any other person, including an individual or entity, who may 
have obtained, provided, or facilitated lawful reproductive health 
care.\296\
---------------------------------------------------------------------------

    \295\ 45 CFR 160.103 (definition of ``Person'').
    \296\ Note that in Section V.A.1, the Department is clarifying 
the definition of ``person,'' although that clarification does not 
affect the analysis in this paragraph.
---------------------------------------------------------------------------

    The Department has always and continues to recognize that there may 
be a public interest and benefit in disclosing PHI for limited non-
health care purposes, including enforcing duly enacted laws. The 
Department has also always sought to balance competing interests in 
individual privacy and the use and disclosure of PHI for particular 
purposes in the Privacy Rule. We balance these competing interests by 
considering both the harm to individuals that results from the use or 
disclosure of PHI (e.g., loss of trust in the health care system, 
potential for financial liability or detainment) and the countervailing 
interests in disclosure. As discussed above, the Department finds that 
the final rule reflects the appropriate balance between these interests 
by prohibiting the use and disclosure of PHI for activities conducted 
for the purpose of investigating or imposing liability on ``any 
person'' for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which such health care is provided, or for identifying 
``any person'' for such activities.
    Accordingly, the final rule adopts, with modifications discussed 
below, the proposed Rule of Applicability and re-designates it as 45 
CFR 164.502(a)(5)(iii)(B). The final rule text also adds the word 
``only'' in 45 CFR 164.502(a)(5)(iii)(B) to make clear that the 
prohibition's application is limited to the use or disclosure of PHI 
``only'' where one or more of the conditions set forth in the Rule of 
Applicability exists.
    To address concerns from commenters about how to determine whether 
reproductive health care is ``lawful,'' the Department finalizes a 
revised Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B). 
Specifically, the Rule of Applicability, as finalized, requires that a 
regulated entity that receives a request for PHI make a reasonable 
determination about the lawfulness of the reproductive health care in 
the circumstances in which such health care was provided, where 
lawfulness is described by 45 CFR 164.502(a)(5)(iii)(B)(1)-(3). Thus, a 
regulated entity that receives the request for PHI must decide whether 
it would be reasonable for a similarly situated regulated entity to 
determine, as provided in the Rule of Applicability, that the 
reproductive health care is lawful under the circumstances in which 
such health care is provided.
    To make the reasonableness determination, that is, to determine 
whether it would be reasonable for a similarly situated regulated 
entity to determine that one or more of the conditions of the Rule of 
Applicability applies, a regulated entity receiving the request for PHI 
must evaluate the facts and circumstances under which the reproductive 
health care was provided. Such facts and circumstances include but are 
not limited to the individual's diagnosis and prognosis, the time such 
health care was provided, the location where such health care was 
provided, and the particular health care provider who provided the 
health care. This approach is consistent with the current and 
longstanding practice under the Privacy Rule, whereby a covered entity 
is responsible for determining whether a requested use or disclosure is 
permitted under one or more of the permissions set forth in the Privacy 
Rule. For example, a regulated entity is permitted to make a use or 
disclosure of PHI where ``required by law'' pursuant to 45 CFR 
164.512(a). To make a use or disclosure under that permission, the 
regulated entity cannot rely on assertions from the person making the 
request, but rather, must itself evaluate the relevant law to determine 
whether

[[Page 33014]]

the use or disclosure is ``required by law'' and thus permitted under 
that permission. As discussed above, the Department recognizes that 
this approach may prevent uses or disclosures in support of some law 
enforcement investigations (e.g., where a health care provider 
reasonably determines that its provision of reproductive health care 
was lawful, but where law enforcement reasonably disagrees or does not 
provide sufficient factual information for a regulated entity to 
determine that there is a substantial factual basis that the 
reproductive health care was not lawful under the circumstances in 
which such health care was provided). However, we believe that, in 
these narrow circumstances, the interests of law enforcement, and 
private parties afforded legal rights of action, are outweighed by 
privacy interests and that the current approach strikes the appropriate 
balance between these competing interests.
    The Department is retaining the proposed framework for identifying 
the circumstances in which reproductive health care is lawful, and thus 
the prohibition applies. However, we are modifying the regulatory text 
of the Rule of Applicability to clarify its conditions. As revised, the 
regulatory text combines the first and third conditions of the Rule of 
Applicability into a revised 45 CFR 164.502(a)(5)(iii)(B)(1) that 
focuses on whether the reproductive health care at issue is lawful 
under the circumstances in which such health care is provided. Under 
the revised condition, the circumstances in which the prohibition 
applies are determined by the law of the state in which the health care 
is provided.
    As proposed in the 2023 Privacy Rule NPRM, the first and third 
conditions, when considered together, would have given the impression 
that the Department was drawing a distinction between reproductive 
health care provided in-state or out-of-state, although outcomes would 
have been the same. As the Department explained in the proposed rule, 
both the first and third conditions would have prohibited a regulated 
entity from using or disclosing PHI where the reproductive health care 
was permitted by the law of the state in which it was provided (e.g., 
for pregnancy termination that occurs before a state-specific 
gestational limit or under a relevant exception in a state law 
restricting pregnancy termination such as when the pregnancy is the 
result of rape or incest or because the life of the pregnant individual 
is endangered, for reproductive health care that is generally permitted 
but must be provided by a specific type of health care professional or 
in a certain place of service). The outcome of the analysis remains the 
same under this final rule, which combines the first and third 
conditions of the Rule of Applicability into one condition. Thus, the 
revision improves the clarity of the Rule of Applicability by focusing 
solely on whether the reproductive health care was lawful under the 
circumstances in which it was provided.
    Additionally, the final rule modifies the regulatory text in 45 CFR 
164.502(a)(5)(iii)(B)(2) to include an express reference to the U.S. 
Constitution as a source of Federal law for determining whether 
reproductive health care is lawful under the circumstances in which 
such health care is provided. The Department has always intended to 
include the U.S. Constitution as a source of Federal law, and the final 
regulatory text now explicitly reflects this. The regulatory text also 
makes clear that the U.S. Constitution is not the sole source of 
Federal law and that Federal statutes, regulations, and policies may be 
the relevant legal authority for determining whether the reproductive 
health care is protected, required, or authorized under Federal law. 
This final rule in no way supersedes applicable state law pertaining to 
the lawfulness of reproductive health care.
    To address commenters' concerns about obligating regulated entities 
to determine whether reproductive health care that occurred outside of 
the regulated entity is lawful, the Department is adding a new 
presumption provision at 45 CFR 164.502(a)(5)(iii)(C). It presumes the 
reproductive health care at issue was lawful under the circumstances in 
which such health care was provided when it was provided by a person 
other than the regulated entity receiving the request. The presumption 
can be overcome where the regulated entity has either actual knowledge, 
or factual information supplied by the person requesting the use or 
disclosure, that demonstrates a substantial factual basis that the 
reproductive health care was not lawful under the specific 
circumstances in which it was provided. The first ground to overcome 
the presumption--concerning ``actual knowledge''--accounts for 
situations where the regulated entity has actual knowledge that the 
reproductive health care was not lawful. The second ground to overcome 
the presumption--concerning ``factual information''--accounts for 
situations where the person making the request has demonstrated to the 
regulated entity that there is a substantial factual basis that the 
reproductive health care was unlawful under the circumstances in which 
such health care was provided. To satisfy the second ground, the 
regulated entity must obtain from the person making the request 
sufficient threshold factual evidence that demonstrates to the 
regulated entity a substantial factual basis that the reproductive 
health care was not lawful under the circumstances in which such health 
care was provided.
    For example, an investigator requests information from a health 
plan about claims for coverage of certain reproductive health care 
provided by a particular health care provider. The health plan must 
presume that the reproductive health care was lawful unless the health 
plan has actual knowledge that the reproductive health care was not 
lawful or the investigator supplied information that demonstrates a 
substantial factual basis to believe that the reproductive health care 
was not lawful under these circumstances. The latter condition could be 
met where the investigator provides the regulated entity with various 
types of documentation. For example, persons requesting PHI could 
provide the regulated entity with affidavits supplied by complainants 
that contain the circumstances under which the reproductive health care 
was provided. In this example, the presumption would be overcome, and 
the health plan would be permitted to use or disclose the PHI, assuming 
that all applicable conditions of the Privacy Rule were otherwise met. 
In contrast, if the investigator requests the same information but only 
provides an anonymous report of a particular health care provider 
providing reproductive health care that is not lawful under the 
circumstances in which it is provided, the health plan would not have a 
substantial factual basis to believe that the reproductive health care 
was not lawful. Accordingly, this final rule would prohibit the health 
plan from disclosing the requested PHI unless the investigator provides 
sufficient information to overcome the presumption and the use or 
disclosure is otherwise permitted by the Privacy Rule. The conditions 
of making the use or disclosure would include, as described elsewhere 
in this final rule, obtaining a valid attestation if the relevant 
permission requires one.
    The Department emphasizes that, as demonstrated by the numerous 
comments on this issue, this regulatory presumption is necessary for 
workability by the regulated entities subject to this final rule. We 
recognize that when a regulated entity did not provide the reproductive 
health care at

[[Page 33015]]

issue, it may not have access to all of the relevant information, 
including medical records with the necessary information, to determine 
whether prior reproductive health care obtained by an individual was 
lawful. We clarify that regulated entities are not expected to conduct 
research or perform an analysis of an individual's PHI to determine 
whether prior reproductive health care was lawful under the 
circumstances in which it was provided when such health care was 
provided by someone other than the regulated entity that receives the 
request for the use or disclosure of PHI.
    We also reiterate that this final rule is intended to support and 
clarify the privacy interests of individuals availing themselves of 
lawful reproductive health care, and not to thwart the interests of 
states in conducting lawful investigations or imposing liability on the 
provision of unlawful reproductive health care. While this new 
regulatory presumption may make it more difficult for a state to 
investigate whether reproductive health care was unlawful under the 
circumstances in which it was provided (e.g., when other sources of 
information that is not PHI are unavailable), as discussed above, the 
Department has considered those interests and determined that the 
effects are justified by countervailing privacy benefits. Moreover, as 
also explained above, society's interest in obtaining PHI in such 
circumstances is reduced, particularly in light of its continued 
ability to obtain information from other sources. The Department also 
emphasizes that it is not applying a blanket presumption that all 
reproductive health care reflected in a regulated entity's records was 
lawful under the circumstances in which it was provided. Instead, the 
presumption applies only where the reproductive health care at issue is 
provided by someone other than the regulated entity that received the 
request for the use or disclosure of PHI, and it may be overcome in the 
circumstances identified above.
    In contrast, where a request for PHI is made to the regulated 
entity that provided the relevant reproductive health care, the 
regulated entity is responsible for determining whether it provided 
reproductive health care that was lawful under the circumstances in 
which it was provided, including, as discussed above, a review of all 
available relevant evidence bearing on whether the reproductive health 
care was lawful under the circumstances in which it was provided. If 
the regulated entity reasonably determines that the health care was 
lawfully provided, the prohibition applies, and the regulated entity 
may not make the use or disclosure.
    To illustrate how the presumption would apply, consider a hospital 
that has PHI about the provision of reproductive health care by a 
different facility. The hospital is not expected to conduct research or 
perform analysis into whether reproductive health care obtained at a 
different facility from another health care provider was lawful under 
the circumstances in which such health care was provided. Accordingly, 
the regulated entity, if it receives a request for PHI to which the 
prohibition at 45 CFR 164.502(a)(5)(iii) may apply, is not expected to 
review the individual's PHI to determine the lawfulness of the prior 
reproductive health care. In such situations, the regulated entity is 
also not expected to research other states' laws to determine whether 
the reproductive health care was lawful under the circumstances in 
which it was provided, nor are they expected to consult with an 
attorney to do the same. Rather, the presumption standard allows the 
regulated entity to limit their review to information supplied by the 
person making the request for the use or disclosure of PHI where the 
request addresses reproductive health care provided by someone other 
than the regulated entity receiving the request. Thus, a regulated 
entity that did not provide the reproductive health care must presume 
that the reproductive health care was lawful under the circumstances in 
which it was provided unless the conditions of rebutting the 
presumption are met.
    Consider a different example in which a law enforcement official 
from State A issues a subpoena to a hospital in State A to request the 
PHI of an individual from State A who is suspected of obtaining 
reproductive health care in State B that would have been unlawful under 
the law of State A if provided there. The hospital did not provide the 
reproductive health care in question, nor did the individual provide 
information to the hospital about who may have provided such health 
care. At the time the law enforcement official issues the subpoena, the 
individual is no longer in the hospital, nor is the individual 
receiving treatment at the hospital. Additionally, the law enforcement 
official provided no information in the subpoena that would make it 
reasonable for the hospital to determine that the reproductive health 
care at issue was not lawful in the circumstances in which it was 
provided, that is, to determine that the reproductive health care was 
not lawful under the law of State B or was not protected, required, or 
authorized by Federal law. In this case, the hospital did not have 
actual knowledge that, nor did the information supplied to it by the 
law enforcement official making the request demonstrate to the hospital 
a substantial factual basis that, the individual had previously 
received unlawful reproductive health care; therefore, the reproductive 
health care is presumed to have been provided under circumstances in 
which it was lawful to provide such health care. Accordingly, this 
final rule would prohibit the hospital from disclosing the requested 
PHI unless the law enforcement official provides sufficient information 
to overcome the presumption and the use or disclosure is otherwise 
permitted by the Privacy Rule. This includes, as described elsewhere in 
this final rule, receipt of a valid attestation if the relevant 
permission requires one.
    Conversely, if the hospital is provided with factual information 
that demonstrates a substantial factual basis that the reproductive 
health care at issue was not lawful under the specific circumstances in 
which such health care was provided, the presumption would be overcome. 
When a presumption is overcome or rebutted, the Rule of Applicability 
at 45 CFR 164.502(a)(5)(iii)(B) cannot be satisfied (i.e., the 
regulated entity has actual knowledge, or has received factual 
information from the person requesting the PHI to determine that there 
is substantial factual basis to believe, that the reproductive health 
care was not lawful under the circumstances in which it was provided), 
and thus, the use or disclosure would not be prohibited under the final 
rule. As such, the Privacy Rule would permit, but would not require, 
the hospital to disclose the PHI in response to the subpoena where the 
use or disclosure meets the requirements of an applicable permission, 
including the receipt of a valid attestation where required.
    In another example, a law enforcement agency presents a covered 
entity's business associate, such as a cloud service provider, with a 
subpoena for the PHI of an individual who received reproductive health 
care, as part of its investigation of the health care provider for 
providing that health care. The 
PHI is encrypted, and the business associate does not have the key to 
decrypt it or is not permitted under the terms of its business 
associate agreement with the covered entity to decrypt the PHI. Thus, 
the business associate lacks a complete view of the individual's PHI 
and did not provide

[[Page 33016]]

the underlying reproductive health care. Additionally, the business 
associate has no actual knowledge that the reproductive health care was 
unlawful, nor did the person requesting the PHI supply it with 
information that demonstrates to the business associate a substantial 
factual basis that the reproductive health care was not lawful under 
the specific circumstances in which such health care was provided. In 
such a case, the presumption that the reproductive health care at issue 
was lawful applies. If the law enforcement agency does not present more 
information to overcome the presumption, the Privacy Rule prohibits the 
business associate from disclosing the requested PHI in response to the 
subpoena, even if the law enforcement agency has provided an 
attestation; in this circumstance, the attestation would not be valid 
because the disclosure is for a purpose that is prohibited by 45 CFR 
164.502(a)(5)(iii).
    The presumption serves a different purpose than the attestation, 
which is required when there is a request for PHI potentially related 
to reproductive health care for certain permitted purposes under the 
Privacy Rule, as discussed further below. In contrast with the 
attestation, the presumption applies only where a request for PHI 
involves a purpose prohibited under 45 CFR 164.502(a)(5)(iii) and the 
reproductive health care at issue was provided by someone other than 
the regulated entity that received the request for PHI, so the 
regulated entity does not have first-hand knowledge of the 
circumstances in which the reproductive health care was provided. 
Because the situations in which the presumption applies involve 
purposes prohibited under 45 CFR 164.502(a)(5)(iii), it is not 
reasonable for a regulated entity to rely, without additional 
information, on a statement from the person requesting the use or 
disclosure, including the statement required in the attestation by 45 
CFR 164.509(b)(1)(ii), that the request is not made for a prohibited 
purpose or that the underlying reproductive health care was unlawful. 
Thus, such statement alone does not satisfy 45 CFR 
164.502(a)(5)(iii)(C)(2). However, if a person requesting the use or 
disclosure of PHI provides the regulated entity with sufficient 
information, separate and distinct from the attestation itself, that 
demonstrates to the regulated entity a substantial factual basis that 
the reproductive health care was not lawful under the specific 
circumstances in which such health care was provided, the presumption 
would be overcome; in this scenario, the Privacy Rule would permit, but 
would not require, the regulated entity to disclose the PHI in response 
to the subpoena. The presumption may also be overcome by, for example, 
a spontaneous statement from the individual about the circumstances 
under which they obtained reproductive health care.
    As we explained above, this final rule, consistent with the 
Department's longstanding approach to the Privacy Rule, balances 
competing interests between the privacy expectations of individuals and 
society's interests in PHI for certain non-health care purposes. For 
example, since its inception, the Privacy Rule has permitted a covered 
entity to rely, if such reliance is reasonable under the circumstances, 
on a requested disclosure as the minimum necessary for the stated 
purpose when making disclosures to public officials that are permitted 
under 45 CFR 164.512, if the public official represents that the 
information requested is the minimum necessary for the stated 
purpose(s).\297\ Elsewhere in the Privacy Rule, covered entities are 
required to make a determination of whether it is ``reasonable under 
the circumstances'' to rely on documentation, statements, or 
representations from a person requesting PHI to verify the identity of 
the person requesting PHI and the authority of the person to access the 
PHI.\298\ In the case of public officials, we have previously explained 
that covered entities must verify the identity of the requester by 
examination of reasonable evidence, such as a written statement of 
identity on agency letterhead, an identification badge, or similar 
proof of official status. In addition, where explicit written evidence 
of legal process or other authority is required before disclosure may 
be made, a public official's proof of identity and oral statement that 
the request is authorized by law are not sufficient to constitute the 
required reasonable evidence of the legal process or authority.\299\ In 
both instances, the Privacy Rule permits regulated entities to rely on 
representations made by public officials where it is reasonable to do 
so but makes clear that in some instances, documentary or other 
evidentiary proof is needed.\300\
---------------------------------------------------------------------------

    \297\ See 45 CFR 164.514(d)(3)(iii)(A) and 65 FR 82462, 82545, 
and 82547 (Dec. 28, 2000).
    \298\ 45 CFR 164.514(h)(2) and 65 FR 82462, 82546-47 (Dec. 28, 
2000).
    \299\ See 45 CFR 164.514(h) and 65 FR 82462, 82546-47 (Dec. 28, 
2000).
    \300\ See 65 FR 82462, 82545 (Dec. 28, 2000) (``[. . .] covered 
entities making disclosures to public officials that are permitted 
under Sec.  164.512 may rely on the representations of a public 
official that the information requested is the minimum 
necessary.''); see also id. at 82547 (further discussing 
verification of identity and authority of persons requesting PHI in 
45 CFR 164.514(h) and the requirements in 45 CFR 164.512 for the 
circumstances under which covered entities must make reasonable 
determinations about the sufficiency of proof of identity and 
authority based on documentary evidence, contrasted with a 
reasonable reliance on verbal representations when necessary to 
avert a pending emergency or imminent threat to the health or safety 
of a person or the public pursuant to 45 CFR 164.512(j)(1)(i)).
---------------------------------------------------------------------------

    In this final rule, the Department has enshrined the requirement 
that a regulated entity make a reasonable determination of whether PHI 
should be disclosed in response to a request from law enforcement, or 
other official, in regulatory text and determined that it is not 
reasonable to rely solely on representations of law enforcement or 
other officials without a written attestation. This approach is due to 
the high potential for harm to the individual who is the subject of the 
PHI or to persons who are subject to liability for the mere act of 
seeking, obtaining, providing, or facilitating reproductive health care.
    Further, as we discussed above, even in the scenario where a state 
official seeks PHI to investigate whether the underlying reproductive 
health care was unlawful, a regulated entity's reasonable determination 
that the conditions of the prohibition set forth in the Rule of 
Applicability are met means that the prohibition applies and the 
regulated entity is prohibited from using or disclosing the PHI. This 
does not foreclose the ability of state officials to investigate the 
circumstances surrounding the provision of the reproductive health 
care, including through the collection of information from sources that 
are not regulated under HIPAA, to determine whether a health care 
provider or other person may have acted unlawfully. Rather, this final 
rule prohibits the use or disclosure of PHI when it is being used to 
investigate or impose liability on a person for the mere act of 
seeking, obtaining, providing, or facilitating lawful reproductive 
health care, or to identify any person to initiate such activities. 
Indeed, the individual's privacy interests are especially strong where 
individuals seek lawful reproductive health care and risk either 
avoiding such lawful health care or being less than truthful with their 
health care providers because they fear that their PHI will be 
disclosed.
    The Department is re-designating proposed 45 CFR 
164.502(a)(5)(iii)(B) as 45 CFR 164.502(a)(5)(iii)(D) and modifying it 
in response to the

[[Page 33017]]

commenters who provided examples of situations where they could 
reasonably expect to receive a request for PHI that might relate to 
``seeking, obtaining, providing, or facilitating reproductive health 
care.'' To address these concerns, the Department is revising the list 
of activities in 45 CFR 164.502(a)(5)(iii)(D) that explain the scope of 
actions taken by persons that the Department is protecting against 
impermissible requests for PHI. Specifically, the Department is adding 
the terms ``administering,'' ``authorizing,'' ``providing coverage 
for,'' ``approving,'' and ``counseling about'' to the current list of 
descriptive activities in the proposed rule and removing ``inducing'' 
from the list. We are removing ``inducing'' from the list in response 
to concerns from commenters that the prohibition might apply in 
circumstances where individuals are coerced to obtain reproductive 
health care. It was never the Department's intention for the 
prohibition on the use or disclosure of PHI to apply in such 
circumstances. Rather, we intended it to refer to situations in which a 
health care provider ``induces'' labor under circumstances in which 
such health care is lawful; however, we believe our intended meaning of 
``inducing'' is encompassed in other terms in the list. The revised 
list better explains the type of activities in which a person may be 
engaged and about which the Department intends to prevent the use or 
disclosure of PHI.
    The Department is not finalizing a separate Rule of Construction 
because the need is obviated by incorporating the key content into the 
prohibition itself at 45 CFR 164.502(a)(5)(iii). The Department 
proposed the Rule of Construction to clarify that 45 CFR 
164.502(a)(5)(iii) should not be construed to prohibit a use or 
disclosure of PHI otherwise permitted by the Privacy Rule unless such 
use or disclosure is ``primarily for the purpose of'' investigating or 
imposing liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating reproductive health care. By 
incorporating the Rule of Construction into the main standard and 
removing the proposed ``primarily for the purpose of'' language, the 
Department now more clearly conveys its intent to prohibit the use and 
disclosure of PHI for the specified purposes only when it relates to 
the ``mere act of'' seeking, obtaining, providing, or facilitating 
reproductive health care. As discussed in greater detail below in our 
responses to comments, this change is designed to reduce confusion for 
regulated entities about how to reconcile and apply the Rule of 
Construction with the main prohibition standard and does not change the 
scope of the prohibition as proposed. The revisions and restructuring 
of regulatory text formerly included in the Rule of Construction 
improve readability and reduce redundancy. Likewise, the final rule 
incorporates other minor wording changes to improve readability and 
updates regulatory text references to other paragraphs to accurately 
reflect the organization of this section.
    Comment: Many commenters expressed support for the Department's 
proposal to create a new category of prohibited uses and disclosures 
about reproductive health care. A few of these commenters explained the 
rationale for their support as based on the proposed approach's balance 
of preventing harm to individuals from certain uses and disclosures and 
permitting beneficial uses and disclosures, while providing regulated 
entities with clarity with respect to when uses and disclosures of PHI 
would be permitted.
    A few commenters agreed with the Department's view that a purpose-
based prohibition is preferable to other approaches to protecting the 
privacy of individuals that would require labeling or segmenting of 
PHI. Other commenters focused on how the proposal would better 
facilitate HIPAA's goals of providing high-quality health care and 
encouraging the flow of information to covered entities.
    Response: The approach we are taking in this final rule preserves 
the ability of regulated entities to use and disclose PHI for permitted 
purposes while also enhancing protections for PHI, to strike the 
appropriate balance between privacy interests and other societal 
interests, including law enforcement. As discussed above, the 
Department's approach will lead to numerous benefits associated with 
enhanced privacy protections.
    Comment: A few commenters asserted that the Department's proposal 
would provide a consistent standard for all states to follow.
    Response: The Department believes this final rule will provide 
clear standards for regulated entities, especially health care 
providers, by incorporating the prohibition into the Privacy Rule. 
However, we stress that the prohibition attaches only to requests for 
uses and disclosures that are for a prohibited purpose where the 
reproductive health care is lawful under the circumstances in which 
such health care is provided. Different states and localities have 
promulgated different standards for the lawfulness of reproductive 
health care.
    Comment: A few commenters expressed their appreciation that the 
proposal encompassed a broad range of reproductive health care and 
explained the importance of ensuring that a final rule protects any 
health information about reproductive health care.
    Response: As the Department acknowledged in the 2023 Privacy Rule 
NPRM, many routine medical examinations and treatments could involve 
PHI about an individual's reproductive health or reproductive organs 
and systems. This final rule is not limited to PHI about abortion. The 
Department recognized the impracticability of attempting to parse out 
the types of reproductive health care that should be subject to the 
prohibition and those that should not be. For this reason, and in 
keeping with the existing scheme of the Privacy Rule, the Department 
proposed and is finalizing a purpose-based approach to prohibiting the 
use and disclosure of any PHI for use against any person for seeking, 
obtaining, providing, or facilitating reproductive health care that is 
lawful under the circumstances in which such health care is provided. A 
regulated entity that receives a request for PHI is charged with making 
a reasonable determination of whether the conditions of lawfulness set 
forth in the Rule of Applicability apply. To further assist regulated 
entities in understanding the broad scope of ``reproductive health 
care,'' we provide in the preamble a non-exclusive list of examples 
that fit within the definition.
    Comment: Some commenters expressed opposition to this proposal, 
asserting that the proposed new category would interfere with the 
enforcement of state laws that restrict or regulate abortion or that 
the proposal would make it more difficult for regulated entities to 
determine whether a requested use or disclosure of PHI is permitted 
under the Privacy Rule because it lacked sufficient specificity.
    Response: The Department is finalizing a narrowly tailored 
prohibition that will only apply when an individual's privacy interest 
in lawfully obtained reproductive health care outweighs society's 
interest in obtaining PHI for non-health care purposes. As discussed 
above, the Department has adopted an approach that strikes the 
appropriate balance between privacy interests and other interests, 
including law enforcement interests in accessing PHI to investigate or 
impose liability on persons for seeking, obtaining, providing, or 
facilitating reproductive health care that

[[Page 33018]]

is unlawful under the circumstances in which such health care is 
provided. To help regulated entities operationalize the prohibition, 
the Department is finalizing an attestation requirement in 45 CFR 
164.509 in which persons requesting PHI under a permission that is 
most likely to be used to request PHI for a purpose prohibited by 45 
CFR 164.502(a)(5)(iii) must attest that the request is not subject to 
the prohibition. The Department acknowledges that requests for a 
purpose prohibited by 45 CFR 164.502(a)(5)(iii) may be made pursuant to 
another applicable permission and reminds regulated entities that they 
must evaluate all requests made by a third party for the use or 
disclosure of PHI to ensure that they are not for a prohibited purpose. 
Requests not subject to the prohibition would still be subject to the 
conditions of the relevant permissions in the Privacy Rule. When 
requests for PHI meet the conditions for permissions in the Privacy 
Rule, including conditions specified in 45 CFR 164.512, regulated 
entities are permitted to use and disclose PHI in accordance with such 
permissions.
    Moreover, as we describe above, the Department is modifying the 
final rule to clarify that the prohibition restricts the use and 
disclosure of PHI for the enumerated purposes when connected to the 
``mere act of'' seeking, obtaining, providing, or facilitating 
reproductive health care. Thus, the prohibition does not prevent the 
use or disclosure of the PHI about reproductive health care obtained by 
an individual in all circumstances. Rather, it prevents the use or 
disclosure of PHI when the purpose of the disclosure is to investigate 
or impose liability on a person because they sought, obtained, 
provided, or facilitated reproductive health care that was lawful under 
the circumstances in which such health care was provided, as determined 
by the regulated entity that received the request for PHI. For example, 
a regulated entity would not be prohibited from disclosing an 
individual's PHI when subpoenaed by law enforcement for the purpose of 
investigating allegations of sexual assault by or of the individual, 
assuming that law enforcement provided a valid attestation and met the 
other conditions of the permission under which the request was made.
    Comment: A commenter expressed opposition to the proposal and 
asserted that it relied on the assumption that it would be readily 
apparent or ascertainable whether particular reproductive health care 
was lawfully provided. According to this commenter, persons who violate 
the law have an interest in concealing their activity, and the proposal 
would impede law enforcement investigations to determine whether 
lawbreaking has occurred. Additionally, the commenter expressed their 
concern that the proposal would represent a departure from the Privacy 
Rule's existing approach to law enforcement investigations and 
proceedings.
    Response: The Department is finalizing a regulatory presumption to 
address the narrow circumstance of when lawfulness is not readily 
apparent to a regulated entity that is the recipient of a request for 
the use or disclosure of PHI when the regulated entity did not provide the 
underlying reproductive health care. As we explained above, this final 
rule is intended to support and clarify the privacy interests of 
individuals availing themselves of lawful reproductive health care, and 
not to thwart the interests of states and the Federal government in 
conducting lawful investigations or imposing liability on the provision 
of unlawful reproductive health care. While this new regulatory 
presumption may make it more difficult for law enforcement officials to 
investigate whether reproductive health care was unlawful under the 
circumstances in which it was provided (e.g., when other sources of 
information that is not PHI are unavailable), the Department has 
considered those interests and determined that the effects are 
justified by countervailing privacy benefits. We also reiterate here 
that the presumption is not a blanket presumption. It only applies 
where the reproductive health care at issue is provided by someone 
other than the regulated entity that received the request for the use 
or disclosure of PHI, and it may be overcome in the circumstances 
identified above.
    We note that the Privacy Rule has always permitted and continues to permit 
regulated entities to disclose PHI for law enforcement purposes, 
subject to certain conditions or limitations. In this final rule, the 
Department has found that changes in the legal landscape now 
necessitate codifying a prohibition against uses and disclosures for 
the purposes specified in 45 CFR 164.502(a)(5)(iii)(A), subject to the 
Rule of Applicability in 45 CFR 164.502(a)(5)(iii)(B). The Department 
is not otherwise changing the existing permissions in the Privacy Rule 
that permit regulated entities to use or disclose PHI for law 
enforcement purposes and other important non-health care purposes, 
except as discussed elsewhere in this rule. These purposes include when 
PHI is required by law to be disclosed for purposes other than those 
prohibited by this final rule, for public health and health oversight 
activities, for other law enforcement purposes not in conflict with 
this rulemaking, for reports of child abuse, about decedents when not 
prohibited by this final rule, and other purposes specified in the 
Privacy Rule.
    In particular, in the 2023 Privacy Rule NPRM, the Department 
discussed the interaction of this rule with HIPAA's statutory 
preemption provisions \301\ and explained that it was necessary to 
preempt state laws that require the use and disclosure of PHI for the 
purposes prohibited by this rule to give effect to the prohibition 
consistent with HIPAA. As discussed above, to achieve the purpose for 
which HIPAA was enacted, to enable the electronic exchange of 
identifiable health information, we must protect the privacy of that 
information to further individuals' trust in the health care system. As 
finalized, the prohibition is limited only to circumstances in which 
the privacy interests of an individual and the interests of society in 
an effective health care system outweigh society's interest in 
obtaining PHI for non-health care purposes.
---------------------------------------------------------------------------

    \301\ See 88 FR 23506, 23530 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Comment: A commenter stated that, to the extent the ability of a 
state to determine whether to investigate or bring a proceeding is 
based on information in the possession of a regulated entity, the 
proposed rule did not adequately address a state's need to regulate the 
medical profession and health care facilities.
    Response: As finalized, the prohibition prevents the use and 
disclosure of PHI for certain purposes where a person sought, obtained, 
provided, or facilitated reproductive health care that is lawful under 
the circumstances in which such health care is provided. As discussed 
above, the final rule strikes the appropriate balance between privacy 
interests and other interests. Public officials remain free to 
investigate the provision of health care by seeking information from 
non-covered entities. Moreover, the prohibition does not prevent a 
state from enforcing its laws. Instead, it protects the privacy of 
individuals' PHI in certain circumstances.
    Comment: A few commenters expressed concern that the proposed 
prohibition may also affect the enforcement of Federal laws.
    Response: The Department has consulted extensively with other 
Federal agencies and officials in the

[[Page 33019]]

development of this rule, including the Attorney General, and does not 
believe that this rule will impede the enforcement of Federal laws. As 
discussed above, this rule carefully balances privacy and other 
interests, applying only in certain narrowly tailored situations.
    Comment: Numerous commenters recommended that the Department expand 
the scope of the proposed prohibition to include other or all types of 
stigmatized health care. A few commenters recommended expanding the 
proposed prohibition to all health care or to provide individuals the 
ability to prevent the disclosure of their PHI through HIEs.
    Generally, commenters supporting expansion of the proposal's scope 
expressed the belief that it was necessary for HIPAA to promote trust 
between individuals and health care providers and to improve health 
care quality and outcomes.
    Several commenters explained that persons seeking, obtaining, 
providing, or facilitating other types of health care are facing the 
same challenges as described in the proposal with respect to 
reproductive health care, including health care obtained outside of the 
health care system, and provided examples of such challenges. Many 
commenters also made recommendations for how the Department should 
address those challenges.
    Response: The Department is issuing this final rule to protect the 
privacy of PHI when it is sought for activities to investigate or 
impose liability on persons for the mere act of seeking, obtaining, 
providing, or facilitating lawful reproductive health care. Lawfulness 
is based on a reasonable determination made by a regulated entity that 
has received a request for PHI for one of the purposes specified at 45 
CFR 164.502(a)(5)(iii)(A) that at least one of the conditions in the 
Rule of Applicability applies. We are finalizing a prohibition that is 
not specific to certain procedures, laws, or types of providers. 
Rather, the prohibition we finalize here requires regulated entities to 
consider the purpose of the requested use or disclosure. To the extent 
that the specific types of health care referenced by commenters above 
meet the definition of reproductive health care, this final rule will 
prevent the disclosure of PHI where it is sought for activities with 
the purpose of investigating or imposing liability on any person for 
the mere act of seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which it is provided. In adopting a purpose-based prohibition, the 
Department has chosen an administrable standard that reflects the 
appropriate balance between protecting individuals' privacy interests 
and allowing the use or disclosure of PHI in support of other important 
societal interests. Additional privacy protections for information 
about SUD treatment may be afforded to PHI in Part 2 records under Part 
2.\302\
---------------------------------------------------------------------------

    \302\ See 42 CFR part 2 and the 2024 Part 2 Rule for more 
information about Part 2 and the protections afforded to Part 2 
records.
---------------------------------------------------------------------------

    Comment: In response to the Department's specific request about 
whether it should require a regulated entity to obtain an individual's 
authorization for any uses and disclosures of ``highly sensitive PHI'' 
or otherwise address such a defined category of PHI in the Privacy 
Rule, a few commenters urged the Department to expand the proposed 
prohibition to protect all people at risk of criminal or other 
investigation for use of essential health care or care, services, or 
supplies related to the health of the individual that could expose any 
person to civil or criminal liability. Several commenters recommended 
that the Department expand the scope of the proposed prohibition to, 
variously, all ``highly sensitive health information,'' ``sensitive 
personal health care,'' ``highly sensitive PHI,'' or ``highly sensitive 
PHI and restricted health care service'' because of the potential harms 
that could result if such health information were to be disclosed 
without stringent privacy safeguards.
    Several commenters asserted that creating a category of or separate 
standard for ``highly sensitive PHI'' would cause significant confusion 
because it would be difficult to define in a commonly understood 
manner. According to these commenters, this would make compliance more 
challenging and costly and further decrease the individual's privacy. A 
few commenters expressed concern that creating a special category of 
highly sensitive PHI would further stigmatize certain types of health 
care.
    Several commenters expressed concern that prohibiting or limiting 
uses or disclosures of highly sensitive PHI for certain purposes may 
negatively affect efforts to eliminate the need for data segmentation, 
such as efforts to align the Privacy Rule and Part 2; reduce or 
eliminate stigmatization of certain health conditions and diagnoses; 
and improve health care management and health care coordination.
    Response: We appreciate these comments and generally agree with 
commenters who expressed concern that the Privacy Rule should address 
the shifting legal landscape to ensure that it continues to protect 
PHI, regardless of how the PHI is transmitted or maintained. We also 
agree that to the extent possible, the Privacy Rule should promote 
administrative efficiency and disincentivize adverse actions by health 
care providers grounded in fear of prosecution or legal risks borne 
from providing lawful health care to individuals, which may erode 
patients' trust and confidence in the health care system and deter them 
from seeking lawful health care. The Department's approach to 
promulgating a narrowly tailored prohibition focused on clarifying the 
use and disclosure of PHI for the purposes prohibited by this final 
rule accomplishes these goals. As we explained in the 2023 Privacy Rule 
NPRM and re-affirm in this final rule, recent developments in the legal 
environment have made information about lawful reproductive health care 
sought by or provided to an individual more likely to be of interest 
for punitive non-health care purposes, and thus more likely to be used 
or disclosed if sought for a purpose permitted under the Privacy Rule 
today. As explained, the Department has identified concerns that the 
use or disclosure of PHI for the prohibited purposes in this rule would 
erode individuals' trust in the privacy of legal reproductive health 
care. Such erosion would negatively affect relationships between 
individuals and their health care providers, result in individuals 
forgoing needed treatment, and make individuals less likely to share 
pertinent health concerns with their health care providers. Modifying 
the Privacy Rule to focus on and address this shifting landscape is the 
most efficient way to return to a regulatory landscape that is balanced 
and consistent with the goals of HIPAA.
    We do not believe that it is necessary to modify the Privacy Rule 
to prohibit the use and disclosure of PHI for any criminal, civil, or 
administrative investigation or effort to impose criminal, civil, or 
administrative liability related to all health care, services, or 
supplies. Sections 164.512(e) and (f) already set forth the specified 
conditions under which regulated entities may disclose PHI for judicial 
and administrative proceedings and law enforcement purposes.
    We decline to modify the prohibition to apply it to the use and 
disclosure of ``highly sensitive PHI.'' We are persuaded by commenters 
who voiced concern about the feasibility of defining the phrase such 
that regulated entities would be able to understand and

[[Page 33020]]

operationalize it. We also find persuasive comments about the 
compliance burden that would result from implementing such a 
prohibition. While PHI about reproductive health care may be found 
throughout an individual's record and may be collected or maintained by 
multiple types of providers, the term ``reproductive health care'' is 
defined in a manner that is clearly connected to the reproductive 
system, its functions, and processes.\303\
---------------------------------------------------------------------------

    \303\ See the finalized definition of ``Reproductive health 
care'' at 45 CFR 160.103.
---------------------------------------------------------------------------

    In contrast, applying the prohibition to all ``highly sensitive 
PHI'' or any use or disclosure of PHI that results in harm, stigma, or 
adverse result for an individual would be unworkable because of lack of 
consensus about how to define such categories and would likely create 
the issues with segmentation and care coordination discussed above. As 
discussed above, the purpose of this final rule and narrowly crafted 
prohibition is to adopt the appropriate balance in the Privacy Rule 
between protecting individuals' privacy and permitting PHI to be used 
and disclosed for other societal benefits. The commenters' objectives 
reflect a desire to protect individuals, but their discussion does not 
properly account for other societal interests that are supported by 
certain disclosures of PHI, interests that the Privacy Rule has 
balanced since its inception.
    Comment: A commenter requested that the Department clarify that 
state laws may protect the privacy of health information when the 
Privacy Rule does not apply, such as when individuals' health 
information is in the possession of a person that is not a regulated 
entity, such as a friend or family member, or is stored on a personal 
cellular phone or tablet.
    Response: HIPAA provides the Department with the authority to 
protect the privacy and security of IIHI that is maintained or 
transmitted by covered entities, and in some cases, their business 
associates. Other laws may apply where the HIPAA Rules do not. Guidance 
on protecting the privacy and security of health information when using 
a personal cell phone or tablet is available on OCR's website.\304\
---------------------------------------------------------------------------

    \304\ See Off. for Civil Rights, ``Protecting the Privacy and 
Security of Your Health Information When Using Your Personal Cell 
Phone or Tablet,'' U.S. Dep't of Health and Human Servs. (June 29, 
2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/.
---------------------------------------------------------------------------

    Comment: Many commenters cited potential operational challenges 
with the proposed prohibition and confirmed that current health IT 
generally does not provide regulated entities with the ability to 
segment PHI into specific categories afforded special protections. A 
few commenters recommended that the Department work with EHR vendors to 
modernize health care data management platforms to better address data 
segmentation, while others recommended that the Department ensure 
interagency coordination of data segmentation policies and provide 
individuals with a granular level of control over their PHI.
    A few commenters requested that the Department address concerns 
about the interaction between the minimum necessary standard and this 
final rule.
    A commenter asserted that privacy protections that do not account 
for individual privacy preferences would result in individuals 
withholding information from their health care providers, and some 
health care providers electing not to generate or document certain 
information from or about individuals.
    Response: The prohibition, as finalized, should not implicate 
additional data segmentation concerns beyond those that already exist. 
We acknowledge the low adoption rate of data segmentation standards and 
challenges related to the technical and administrative feasibility of 
data segmentation (e.g., costs), and as discussed above, are finalizing 
a purpose-based approach to address such concerns. The Department 
continues its active engagement, particularly through ONC, to identify 
robust data sharing standards that facilitate appropriate privacy 
controls.
    With respect to concerns about the Privacy Rule minimum necessary 
standard, we do not anticipate that this final rule will affect the 
ability of regulated entities subject to the standard to comply. First, 
the prohibition applies only to uses and disclosures for the purposes 
specified in 45 CFR 164.502(a)(5)(iii). Regulated entities 
must make reasonable efforts to limit the use or disclosure of PHI 
pursuant to 45 CFR 164.512, other than 45 CFR 164.512(a), to the 
minimum amount of PHI necessary to accomplish the intended purpose of 
the use, disclosure, or request.\305\ Regulated entities are required 
to have in place policies and procedures that outline how the entity 
complies with the standard.\306\
---------------------------------------------------------------------------

    \305\ See 45 CFR 164.502(b). Uses and disclosures of PHI 
pursuant to 45 CFR 164.512(a) are limited to the relevant 
requirements of such law. 45 CFR 164.512(a)(1).
    \306\ 45 CFR 164.514(b).
---------------------------------------------------------------------------

    Comment: A few commenters requested that the Department clarify the 
roles and responsibilities of covered entities and business associates 
with respect to compliance with the proposed prohibition and 
attestation requirements and whether business associate agreements 
would need to be amended to reflect the requirements of the final rule.
    Response: The prohibition standard finalized in 45 CFR 
164.502(a)(5)(iii)(A) applies directly to all regulated entities; 
meaning, all HIPAA covered entities and business associates. We also 
note that the finalized presumption of lawfulness for the underlying 
health care, when applicable, directly applies to business associates, 
as does the attestation requirement in 45 CFR 164.509. As such, 
business associates of covered entities that hold PHI by virtue of 
their business associate relationship with the covered entity are 
subject to the express prohibition on using or disclosing PHI for the 
specified purposes, regardless of whether the prohibition is specified 
in the business associate agreement. The attestation requirement and 
its application to business associates are discussed in greater detail 
below.
    Comment: A commenter expressed support for the application of the 
proposal to health care providers, but also recognized states' interest 
in ensuring that health care providers render health care in accordance 
with the standard of care in that state. Another commenter questioned 
the Department's authority under HIPAA to implement this provision.
    Response: The Department is modifying the proposed definition of 
``Reproductive health care'' to explicitly clarify that the definition 
does not set a standard of care for or determine what constitutes 
clinically appropriate reproductive health care. Additionally, as 
discussed above, the application of this rule is limited to 
reproductive health care that is lawful under the circumstances in 
which such health care is provided as described at 45 CFR 
164.502(a)(5)(iii)(B). Lawfulness is determined by the regulated entity 
that receives the request for PHI, after a reasonable determination 
that at least one of the conditions in the Rule of Applicability applies. 
As explained above, the prohibition is carefully tailored to protect 
the privacy of individuals' health information in circumstances where 
the reproductive health care at issue was lawful under the 
circumstances such care was provided, reflecting the appropriate 
balance between privacy interests and other societal interests.
    Comment: Many commenters recommended alternative or additional

[[Page 33021]]

approaches to the purpose-based prohibition, such as eliminating or 
narrowing the permissions for use or disclosure of PHI without an 
individual's authorization or limiting disclosures to third parties 
subject to an individual's authorization.
    A few commenters recommended that the Department revise specific 
Privacy Rule permissions to clarify the use and disclosure of PHI for 
certain administrative or law enforcement requests, instead of 
promulgating a new prohibition.
    Response: The Department's approach to prohibit the uses and 
disclosures of PHI for the purposes described in this final rule is 
consistent with the Privacy Rule's longstanding balancing of individual 
privacy interests with society's interests in PHI for non-health care 
purposes. Adopting the correct balance is necessary to preserve and 
promote trust between individuals and health care providers. Instead of 
modifying specific permissions at 45 CFR 164.512, we are finalizing 
modifications that prohibit the use or disclosure of PHI to ensure the 
correct balance. Recognizing that requests that fall under these permissions 
represent important public policy objectives (e.g., health oversight, 
law enforcement, protection of individuals subject to abuse), the 
Department is imposing a new attestation requirement, as described in 
greater detail below, to protect against harm that may arise from the 
use or disclosure of PHI for a purpose prohibited under 45 CFR 
164.502(a)(5)(iii), which is more likely to occur when a person 
requesting the use or disclosure of PHI relies on certain permissions. 
The new attestation condition will also provide a mechanism that will 
enable a regulated entity to better evaluate the request. The 
Department declines to make additional changes at this time and will 
consider these topics for future guidance. The Department also declines 
to finalize its proposal to prevent an individual from requesting that 
a regulated entity use or disclose PHI pursuant to a valid 
authorization.
    Comment: A few commenters questioned the ability of regulated 
entities to use or disclose PHI in compliance with mandatory reporting 
laws, such as laws requiring the reporting of suspected child abuse or 
domestic violence.
    A few of these commenters questioned whether mandatory reporting 
requirements would change a regulated entity's duty to apply the 
minimum necessary standard.
    A few commenters asserted that mandatory reporting laws dissuade 
individuals from seeking health care, prevent the development of trust 
between individuals and health care providers, and generally are 
implemented in an inequitable fashion that disproportionately applies to 
individuals from marginalized or historically underserved communities 
or communities of color.
    Response: The Department acknowledges that there may be some 
mandatory reporting laws that require a regulated entity to determine 
whether a request for PHI is for a purpose prohibited by this rule. 
However, whether in response to a mandatory reporting law or routine 
request, the final rule's operation remains the same, that is, it 
prohibits a regulated entity from using or disclosing PHI for a 
prohibited purpose when the reproductive health care under 
investigation or at the center of the activity to impose liability is 
lawful under the circumstances that it was provided.
    To the extent mandatory reporting requirements apply to the 
reporting of PHI to public health authorities for public health 
purposes, including PHI about reproductive health care, this final rule 
does not prevent a regulated entity from complying with such mandate.
    To aid stakeholders in understanding how the prohibition operates 
with respect to public health reporting, the Department is clarifying 
that the term ``Public health,'' as used in public health surveillance, 
investigation, and intervention, includes identifying, monitoring, 
preventing, or mitigating ongoing or prospective threats to the health 
or safety of a population, which may involve the collection of PHI. In 
so doing, we are clarifying that public health surveillance, 
investigation, and intervention are outside of the scope of activities 
prohibited by 45 CFR 164.502(a)(5)(iii). These changes will offer 
additional protection to individuals who would otherwise be subject to 
having their PHI disclosed for a prohibited purpose because the 
underlying mandatory reporting requirement did not clearly specify its 
relationship to public health. This final rule does not change the 
minimum necessary standard or the circumstances in which the Privacy 
Rule requires a regulated entity to apply the minimum necessary 
standard.
    Comment: Many commenters expressed concern that the purposes for 
which the Department proposed to prohibit uses or disclosures would 
interfere with the ability of law enforcement to conduct 
investigations, including into coercion, child abuse, and sex 
trafficking and assault, would prevent states from verifying state 
licensure requirements, and would hamper the ability of health care 
professionals to report illegal behavior by other health care 
professionals.
    Response: As discussed above, the prohibition applies only to 
activities conducted for the purpose of investigating or imposing 
liability on a person for the mere act of seeking, obtaining, 
providing, or facilitating reproductive health care that is provided 
under circumstances in which such health care is lawful. A regulated 
entity is permitted to disclose PHI to a person who requests PHI for 
other purposes if a permission applies and the underlying conditions of 
the relevant permission are met, including the attestation condition, 
if applicable.
    Comment: A few commenters recommended that the Department establish 
a safe harbor for the use or disclosure of PHI by regulated entities 
for TPO.
    Response: We appreciate the comment but do not believe such a safe 
harbor is necessary. The Privacy Rule permits the disclosure of an 
individual's PHI for TPO when the conditions set forth in the TPO 
provisions of the rule are met.\307\ The prohibited uses and 
disclosures codified in this rulemaking would rarely intersect with 
uses and disclosures that qualify as TPO activities. As explained 
above, to the extent a person requesting the use or disclosure of PHI 
reasonably articulates a basis for a request that is not related to the 
mere act of seeking, obtaining, providing, or facilitating reproductive 
health care, a regulated entity may use or disclose the PHI where 
otherwise permitted by the Privacy Rule.
---------------------------------------------------------------------------

    \307\ See 45 CFR 164.506.
---------------------------------------------------------------------------

    Comment: A commenter recommended that the Department clarify that 
the prohibition applies to the activities of insurers and third-party 
administrators of self-funded plans by adding ``administering, 
authorizing, covering, approving, or gathering or providing information 
about'' to the explanation of ``seeking, obtaining, providing, or 
facilitating.''
    Response: The prohibition applies to all activities that a person 
could reasonably be expected to engage in with a regulated entity that 
could result in a use or disclosure of PHI that might be sought for 
prohibited purposes, including activities conducted or performed by or 
on behalf of a health

[[Page 33022]]

plan, including a group health plan.\308\ Accordingly, the Department 
has modified the scope of activities initially proposed in the 2023 
Privacy Rule NPRM to better explain what it meant by seeking, 
obtaining, providing, or facilitating reproductive health care. The 
modified text is finalized at 45 CFR 164.502(a)(5)(iii)(D),\309\ and 
adds ``administering,'' ``authorizing,'' ``providing coverage for,'' 
``approving,'' and ``counseling about'' to the non-exhaustive list of 
example activities.
---------------------------------------------------------------------------

    \308\ See 45 CFR 160.103 (definitions of ``health plan'' and 
``group health plan'').
    \309\ In the 2023 Privacy Rule NPRM, we proposed the Scope of 
prohibition in 45 CFR 164.502(a)(5)(iii)(B).
---------------------------------------------------------------------------

    Comment: Several commenters expressed support for the proposed Rule 
of Applicability. A few commenters expressed support for the proposed 
Rule of Applicability because it would reassure residents of the state 
in which the lawful health care is provided and individuals who travel 
to such states for lawful health care that their medical records will 
not be disclosed for prohibited purposes.
    Response: We are finalizing a modified Rule of Applicability as 
described above.
    Comment: Some commenters expressed varying levels of support for the 
Department's references to ``substantial interests'' by states or 
superseding state laws. A few commenters disagreed with the 
Department's assertion that states lack a legitimate interest in 
conducting a criminal, civil, or administrative investigation or 
proceeding into lawful reproductive health care where the investigation 
is based on the mere fact that reproductive health care was or is being 
provided. Others asserted that the proposed rule would be unworkable 
and would assign health care providers and the Department the power to 
determine whether reproductive health care was provided lawfully, 
thereby affording them the authority to enforce certain state laws.
    Response: As explained above, the Rule of Applicability reflects 
the Department's careful balancing of privacy interests and other 
societal interests. For the reasons explained above, the Department has 
determined that the privacy interest of an individual and the interest 
of society in an effective health care system outweigh the interests of 
society in seeking the use of PHI for non-health care purposes that 
could result in harm to the individual where a regulated entity that 
receives a request for PHI reasonably determines that at least one of 
the conditions in the Rule of Applicability applies. To help clarify 
this discussion further, the Department provides examples where the 
Rule of Applicability applies in this section of this final rule.
    Comment: Several commenters recommended that the Department 
eliminate the distinction between health care that is lawful and health 
care that is not and that all forms of reproductive health care should 
be protected from criminalization and government investigation.
    Several commenters stated that the term ``lawful'' would 
incorrectly suggest that receiving certain types of reproductive health 
care could be unlawful, even though most prohibitions on reproductive 
health care apply to providing or performing the health care, rather 
than receiving it. They also questioned whether the proposed Rule of 
Applicability would protect individuals who obtained reproductive 
health care in another state.
    Response: We are finalizing a Rule of Applicability at 45 CFR 
164.502(a)(5)(iii)(B) that ensures the privacy of PHI when it is sought 
to conduct an investigation into or impose liability on any person for 
the mere act of seeking, obtaining, providing or facilitating 
reproductive health care that is lawful under the circumstances in 
which such health care is provided, consistent with applicable Federal 
or state law. A regulated entity that receives a request for PHI must 
make a reasonable determination that at least one of the conditions in 
the Rule of Applicability applies. As discussed above, this approach 
reflects a careful balance between privacy interests and other societal 
interests.
    Comment: Some commenters asserted that medical records should not 
be used for purposes outside of the health care setting in ways that 
could harm the subject of the records, particularly for law enforcement 
or other governmental purposes. One commenter expressed concern that 
disclosures of PHI would not be limited for all purposes, and that the 
proposal would not prevent a state from pursuing actions where the 
health care is later found to be unlawful. Another commenter asserted 
that disclosing PHI to law enforcement in connection with an 
investigation into reproductive health care is a secondary use of PHI 
that would be directly at odds with the purpose for which the PHI was 
collected, while others stated that the proposal risks deterring 
individuals from seeking or obtaining necessary health care.
    A few commenters expressed concerns that health care providers 
could be inhibited from providing necessary health care, fully 
educating individuals about their options, or documenting the health 
care provided.
    Response: When the Department promulgated the 2000 Privacy Rule, we 
acknowledged that the rule balanced the privacy interests of 
individuals with the interests of the public in ensuring PHI was 
available for non-health purposes. As we explained in the 2023 Privacy 
Rule NPRM, ``individuals' right to privacy in information about 
themselves is not absolute. It does not, for instance, prevent 
reporting of public health information on communicable diseases or stop 
law enforcement from getting information when due process has been 
observed.'' \310\ At the same time, in the 2023 Privacy Rule NPRM, the 
Department acknowledged that adverse consequences do result when 
individuals question the privacy of their health information and 
explained that the purpose of HIPAA is to protect the privacy of 
information and promote trust in the health care system to ensure that 
individuals do not forgo lawful health care when needed or withhold 
important information that may affect the quality of their health 
care.\311\
---------------------------------------------------------------------------

    \310\ 88 FR 23506, 23509 (Apr. 17, 2023) (citing 65 FR 82464 
(Dec. 28, 2000)).
    \311\ Id.
---------------------------------------------------------------------------

    Accordingly, the Privacy Rule provides a clear framework to 
operationalize these principles, and this final rule is intended to 
balance these interests. The Privacy Rule does not protect information 
received or maintained by entities other than those that are regulated 
under HIPAA, including information that is used for a purpose other 
than the purpose for which it was initially requested. This final rule 
provides heightened protection, as necessary, to the privacy of PHI 
where its use or disclosure may result in harm to a person in 
connection with seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which such health care is provided. With respect to other disclosures 
to law enforcement or to other governmental interests, the Privacy Rule 
includes other carefully crafted permissions that specify the 
conditions under which such disclosures must be made to ensure a 
reasonable balance between privacy and the public policies that 
disclosure would serve.
    Comment: Several commenters asserted that the proposed Rule of 
Applicability would not protect all PHI pertaining to lawful health 
care. For example, commenters suggested that the proposed Rule of 
Applicability would be unlikely to protect individuals who

[[Page 33023]]

obtain care outside of the health care system and urged the Department 
to clarify the final rule to strengthen protections for individuals who 
receive care in this manner. As another example, a commenter expressed 
concern that the proposal would not protect PHI for individuals who 
obtain legal reproductive health care, but as a result of 
complications, subsequently access health care in a state where the 
same reproductive health care is illegal.
    Response: The definition of ``reproductive health care'' is 
discussed in greater detail above. As noted above, this final rule does 
not establish a standard of care, nor does it regulate what constitutes 
clinically appropriate health care.
    Commenters who point out that different results may arise in 
different states are correct, but this has been true since the 
inception of the Privacy Rule because it sets a national floor for 
privacy standards, rather than a universal rule. The prohibition 
applies, and therefore liability attaches, when the prohibition is 
violated, based on the ``circumstances in which such health care is 
provided.'' Thus, a regulated entity is not permitted to disclose PHI 
about reproductive health care that was provided in another state where 
such health care was provided under circumstances in which it was 
lawful to provide such health care, even where the individual 
subsequently accesses related health care in a state where it would 
have been unlawful to provide the underlying health care under the 
circumstances in which such health care was provided. HIPAA liability 
attaches in cases where attempts to circumvent the Privacy Rule result 
in impermissible or wrongful uses or disclosures.\312\
---------------------------------------------------------------------------

    \312\ See 42 U.S.C. 1320d-5 and 6.
---------------------------------------------------------------------------

    We remind regulated entities that the Privacy Rule permits the use 
or disclosure of PHI, without an individual's signed authorization, 
only as expressly permitted or required by the Privacy Rule. For 
example, where state or other applicable law prohibits certain 
reproductive health care but does not expressly require a regulated 
entity to report that an individual obtained the prohibited health 
care, the Privacy Rule would not permit a disclosure to law enforcement 
or other investigative body pursuant to the ``required by law'' 
permission (but could potentially allow it pursuant to other 
provisions).\313\
---------------------------------------------------------------------------

    \313\ See 45 CFR 164.512(a).
---------------------------------------------------------------------------

    Comment: One commenter recommended the Department add language to 
the proposed Rule of Applicability or elsewhere to ensure that there 
would be protections for PHI where a health care provider believes the 
health care is legal, even when the person requesting the use or 
disclosure of PHI disputes the legality. A few commenters asserted that 
the health care provider making the decision could be a party to the 
reproductive health care at issue, making it a conflict of interest for 
the health care provider to make the determination regarding the 
lawfulness of the reproductive health care.
    Response: We do not believe additional language is necessary 
because, under the prohibition, the regulated entity--and not the 
person making the request--is responsible for reasonably determining 
whether health care was lawful before making a disclosure. As explained 
above, this framework is consistent with how the Privacy Rule's 
permissions are administered, whereby regulated entities must determine 
whether a use or disclosure is permitted under the relevant permission. 
For example, when evaluating whether a use or disclosure of PHI is 
permitted because the use or disclosure is required by law, the 
regulated entity must look to the relevant law to determine whether the 
use or disclosure falls within that permission.\314\ Furthermore, as 
with other use and disclosure provisions in the Privacy Rule, regulated 
entities remain subject to HIPAA liability for impermissible or 
wrongful disclosures. Neither the statute nor the Privacy Rule provides 
an exception to such liability for circumstances involving conflicts of 
interest.
---------------------------------------------------------------------------

    \314\ See 45 CFR 164.512(a).
---------------------------------------------------------------------------

    Comment: Many commenters expressed concern regarding the burden 
imposed upon and resources that would be required for regulated 
entities to determine whether the reproductive health care at issue was 
lawful if they did not provide the health care at issue, particularly 
considering the evolving nature of state law in this area. Several 
commenters expressed concern that the proposal incorrectly assumes that 
regulated entities would know where the reproductive health care at 
issue occurred and inquired about specific scenarios, such as where 
requests for PHI are received by clinical laboratories that have no 
face-to-face interaction with individuals and that rely on information 
provided by other covered entities. A few commenters asserted that 
requiring regulated entities to make the required legal determinations 
would not be conducive to building a trusting relationship between 
individuals and health care providers.
    Some commenters offered recommendations to the Department, such as 
providing guidance for health care providers regarding their rights and 
responsibilities under a final rule, revising the proposal to clarify 
that there would be a presumption that reproductive health care 
occurred under lawful circumstances, absent compelling evidence to the 
contrary, particularly when an individual travels for health care, and 
clarifying the Rule of Applicability by including examples in the 
regulatory text.
    Some commenters asserted that regulated entities in different 
states or with different interpretations of certain state requirements 
could reach different determinations about whether the reproductive 
health care was provided lawfully, in part because of the lack of 
clarity or consistency in the interpretation in these laws. Yet another 
commenter recommended that the Department add an express directive 
that, in the event of any ambiguity or unsettled law, the scope of what 
is considered lawful should be interpreted consistently with the intent 
of the rule to protect the privacy of PHI to the maximum extent 
possible. A commenter recommended that where the regulated entity 
decides in good faith, it should not be subject to penalties or 
enforcement action if their determination is incorrect or if the 
Department disagrees with the determination. Another commenter 
recommended that the Department clarify that regulated entities may use 
a reasonableness standard when making the determination about whether 
state laws conflict with the Privacy Rule and are therefore preempted 
by HIPAA.
    A few commenters expressed concern about the potential 
interpretation or application of the proposed Rule of Applicability, 
particularly when the laws at issue are ambiguous. Commenters 
recommended inclusion of language that PHI need not be disclosed to a 
government agency or law enforcement if the health care provider deems, 
in good faith, that the reproductive health care is lawful under the 
circumstances in which it is provided, and that the Department clarify 
the application of preemption or provide in preamble examples of each 
condition of the proposed Rule of Applicability.
    Response: We appreciate the many comments the Department received 
in response to its inquiry asking whether the proposed Rule of 
Applicability would be sufficiently clear to individuals and covered 
entities, and whether the provision should be made more specific or otherwise 
modified. Considering the many comments expressing concern about the 
burden associated with, the difficulty of, or the liability that could 
attach when someone other than the person who provided the health care 
must determine whether the underlying reproductive health care is 
lawful, the Department is adding a regulatory presumption in the final 
rule.
    As discussed above, the regulatory presumption in 45 CFR 
164.502(a)(5)(iii)(C) will permit a regulated entity receiving a PHI 
request that may be subject to the prohibition to presume the 
reproductive health care at issue was lawful under the circumstances in 
which such health care was provided when provided by a person other 
than the regulated entity receiving the request. The presumption 
includes a knowledge requirement such that the regulated entity must 
not have actual knowledge that the reproductive health care was 
unlawful under the circumstances in which such health care was provided 
or factual information supplied by the person requesting the use or 
disclosure of PHI that demonstrates to the regulated entity a 
substantial factual basis that the reproductive health care was not 
lawful under the specific circumstances in which such health care was 
provided.
    Comment: A commenter asserted that the proposed rule would 
unlawfully thwart enforcement of Federal criminal laws on reproductive 
health care because the proposed rule would be limited to circumstances 
where reproductive health care is permitted by state law, thereby 
prohibiting disclosures for the purpose of enforcing Federal laws 
pertaining to reproductive health care when they conflict with state 
law. A few commenters expressed their support for the Department's 
proposal that the prohibition against the use or disclosure of PHI 
apply where certain Federal laws apply. A few commenters requested 
greater specificity with respect to the application of Federal and 
state laws on abortion.
    Response: Federal laws that involve reproductive health care form 
the underlying basis for examining whether reproductive health care was 
protected, required, or authorized by Federal law under the 
circumstances in which it was provided, pursuant to 45 CFR 
164.502(a)(5)(iii)(B)(2). Under this final rule, Federal and state 
authorities retain the ability to investigate or impose liability on 
persons where the investigation or imposition of liability is centered 
upon the provision of reproductive health care that is unlawful under 
the circumstances in which it is provided. As discussed above, this 
rule reflects a careful balance between privacy interests and other 
societal interests, and the prohibition is tailored to cover situations 
where the reproductive health care was lawfully provided, whether state 
or Federal law is at issue.
    Comment: A few commenters provided examples of and expressed 
concerns about the electronic availability of PHI about health care 
lawfully provided in one state to health care providers in another 
state where such health care would not have been lawful.
    A few commenters requested that the Department clarify that 
clinical laboratory testing involving a validated laboratory-developed 
test used within a single laboratory certified pursuant to the Clinical 
Laboratory Improvement Amendments of 1988 \315\ (CLIA) and the 
implementing regulations, an in vitro diagnostic test cleared or 
approved by the Food and Drug Administration (FDA), or a validated 
laboratory-developed test that is an in vitro diagnostic test cleared 
or approved by the FDA and used within a single CLIA-certified 
laboratory would fall within the scope of reproductive health care that 
would be ``authorized by Federal law'' for the purposes of the Rule of 
Applicability. The commenters also recommended that a clinical 
laboratory test furnished under the authority of a state with legal 
requirements that are equal to or more stringent than CLIA's statutory 
and regulatory requirements, and is therefore exempt from CLIA 
requirements, also be considered ``authorized by Federal law'' for the 
purposes of the Rule of Applicability.
---------------------------------------------------------------------------

    \315\ Public Law 100-578, 102 Stat. 2903 (Oct. 31, 1988) 
(codified at 42 U.S.C. 201 note).
---------------------------------------------------------------------------

    Response: We interpret the language ``authorized by Federal law'' 
in the Rule of Applicability to include activities, including clinical 
laboratory activities, that are conducted as allowed under applicable 
Federal law, in circumstances where there is no conflicting state 
restriction on the Federally authorized activity or where applicable 
Federal law preempts a contrary state restriction. In such 
circumstances, these activities are lawfully conducted because there 
either is no relevant state restriction or Federal law preempts a 
contrary state restriction. This provision thus reflects the 
Department's careful balancing of privacy interests and other societal 
interests in disclosure. As explained above, in circumstances where 
reproductive health care is lawfully provided, privacy interests are 
heightened while other societal interests in disclosure are reduced. 
This final rule and the operation of HIPAA's general preemption 
authority do not supersede applicable state law pertaining to the 
lawfulness of reproductive health care.
    Comment: One commenter expressed support for including the phrase 
``based primarily'' to clarify that the proposed Rule of Construction 
would only address situations where the purpose of the disclosure is to 
investigate or impose liability because reproductive health care was 
provided, rather than for an issue related to, but not focused on the 
provision of such health care, such as the quality of the health care 
provided or whether claims for certain health care were submitted 
appropriately.
    All other commenters recommended removing ``primarily'' to ensure 
that there is consistent implementation. In the alternative, the 
commenters recommended that the Department provide additional examples 
of scenarios in which a situation would and would not be considered 
``primarily for the purposes of'' or ``primarily based on'' the 
provision of reproductive health care. One commenter asserted that the 
definition is uncertain and could be interpreted as permitting 
secondary or additional uses or disclosures. Another commenter 
explained that permitting a use or disclosure where conducting the 
investigation or imposing liability is only for a secondary or 
incidental purpose would create too much risk for individuals and 
health care providers and would undermine the intent of the proposed 
prohibition. And another stated it is foreseeable that a requesting 
entity could still use the PHI for one of the purposes for which the 
Department proposed to prohibit uses or disclosures of PHI once they 
have it if it was not the primary purpose of their request. A commenter 
expressed concern that the language could be exploited to manufacture a 
``primary'' purpose that would be permissible to permit PHI to be used 
or disclosed for a prohibited purpose, particularly because the PHI 
would lose the protections of the Privacy Rule once it is disclosed to 
another person, unless that person is also a regulated entity. Another 
commenter asserted that the proposed rule did not define ``primarily'' 
or ``mere act,'' nor did it provide sufficient examples to provide 
regulated entities with sufficient information to understand the 
proposal.
    A commenter explained that a request for PHI is often for multiple 
purposes and recommended that the Department revise the proposed Rule of 
Construction to allow the proposed prohibition to apply where at least 
one of the purposes for which PHI is sought is to use or disclose the 
information for a prohibited purpose. Similarly, this commenter 
recommended the proposed attestation requirement in 45 CFR 
164.509(b)(1) be revised to state that ``one of the uses or 
disclosures'' is not prohibited by 45 CFR 164.502(a)(5)(iii).
    Response: We agree with the commenter that explained that a request 
for PHI may be multi-purposed. We also agree with commenters that 
pointed out that as proposed, the regulatory Rule of Construction 
appeared to create a secondary standard to consider whether a regulated 
entity should be prohibited from using or disclosing PHI. As discussed 
above, the Department is not finalizing a separate Rule of Construction 
and is not incorporating the phrase ``primarily for the purpose of'' 
originally proposed in 45 CFR 164.502(a)(5)(iii)(D) into the final 
prohibition standard. The modified prohibition standard more clearly 
conveys that it only prohibits the use and disclosure of PHI for the 
specified purposes when it relates to the mere act of seeking, 
obtaining, providing, or facilitating lawful reproductive health care 
in certain circumstances.
    Comment: Commenters also recommended that the proposed Rule of 
Construction prohibit health care providers from reporting individuals 
for the sole reason of having received health care in a state where it 
was not lawful. They described concerns about the effect of 
interoperability and data sharing rules that give health care providers 
ready access to individuals' full medical records and urged the 
Department to expand the proposed Rule of Construction to mitigate the 
risks created by the electronic exchange of PHI.
    Response: The prohibition, as finalized, is narrowly tailored to 
operate in a manner that protects the interests of individuals and 
society in protecting the privacy of PHI while still allowing the use 
or disclosure of PHI for certain non-health care purposes. We remind 
regulated entities that they are generally prohibited from disclosing 
PHI unless there is a specific provision of the Privacy Rule that 
permits (or, in limited instances, requires) such disclosure. For 
example, the Privacy Rule permits but does not require regulated 
entities to disclose PHI about an individual, without the individual's 
authorization, when such disclosure is required by another law and the 
disclosure complies with the requirements of the other law.\316\ The 
permission to disclose PHI as ``required by law'' is limited to a 
``mandate contained in law that compels an entity to use or disclose 
PHI and that is enforceable in a court of law.'' \317\ Further, where a 
disclosure is required by law, the disclosure is limited to the 
relevant requirements of such law.\318\ Disclosures that do not meet 
the ``required by law'' definition of the HIPAA Rules,\319\ or that 
exceed what is required by such law,\320\ are not permissible 
disclosures under the required by law permission. Accordingly, 
regulated entities are prohibited from proactively disclosing PHI under 
the required by law permission at 45 CFR 164.512(a) absent a law 
requiring mandatory reporting of such PHI.
---------------------------------------------------------------------------

    \316\ See 45 CFR 164.512(a)(1).
    \317\ See 45 CFR 164.103 (definition of ``Required by law''). 
The definition provides additional explanation about what 
constitutes a mandate contained in law.
    \318\ See 45 CFR 164.512(a)(1).
    \319\ See 45 CFR 164.103 (definition of ``Required by law'').
    \320\ The Privacy Rule permits but does not require covered 
entities to disclose PHI in response to an order of a court or 
administrative tribunal. The Privacy Rule also permits but does not 
require covered entities to disclose PHI in response to a subpoena, 
discovery request, or other lawful process, but only when certain 
conditions are met. See 45 CFR 164.512(e)(1). These provisions 
cannot be used to make disclosures to law enforcement officials that 
are restricted by 45 CFR 164.512(f). See 45 CFR 164.512(e)(2).
---------------------------------------------------------------------------

    Comment: A few commenters asserted that the Department should 
modify the regulatory text of the proposed prohibition to eliminate the 
need for the proposed Rule of Construction because it is confusing and 
appears to set forth two different standards.
    Response: For the reasons discussed above, we agree and have 
incorporated the Rule of Construction into the prohibition standard as 
described above.
    Comment: A commenter expressed concerns that beneficial uses or 
disclosures, such as for conducting investigations into health care 
fraud, would be too limited and would not address criminal, civil and 
administrative proceedings, which are not related to receiving, 
obtaining, facilitating, or providing reproductive health services 
where the receipt or provision of these services could serve as 
evidence of another crime.
    Response: We disagree with concerns that beneficial uses or 
disclosures would be too limited under the changes. If PHI is requested 
for a purpose that is not prohibited and the request complies with the 
conditions of an applicable permission (including, where applicable, 
the requirements of the attestation condition), the regulated entity 
is permitted to comply with the request.
    Comment: Another commenter cited studies to assert that the 
proposed Rule of Construction would continue to permit health care 
providers to proactively report on individuals. The commenter also 
stated that the proposed rule would not clarify how it would interact 
with mandatory reporting laws that could expose individuals and health 
care providers to investigations based on the provision of reproductive 
health care.
    Response: The Privacy Rule does not permit a regulated entity to 
disclose PHI for law enforcement purposes, proactively or otherwise, 
without an individual's authorization when the disclosure is not made 
pursuant to process or as otherwise required by law.\321\ This is true 
currently and remains true under this final rule.
---------------------------------------------------------------------------

    \321\ 45 CFR 164.512(f)(1).
---------------------------------------------------------------------------

    As discussed above, HIPAA generally preempts state laws requiring 
the use or disclosure of PHI, except in limited circumstances. Where 
such mandatory reporting laws are not preempted by HIPAA, regulated 
entities are limited to disclosing the minimum amount of PHI necessary 
to comply with the mandatory reporting requirement or the relevant 
requirements of such law.\322\
---------------------------------------------------------------------------

    \322\ Whether the regulated entity is limited by the minimum 
necessary standard or the relevant requirements of the law that 
requires the reporting depends upon whether the regulated entity is 
making the disclosure pursuant to 45 CFR 164.512(a) or some other 
permission under 45 CFR 164.512. See 45 CFR 164.502(b)(v).
---------------------------------------------------------------------------

    Comment: Several commenters responded to the question about whether 
it would be beneficial for the Department to further clarify or provide 
examples of uses or disclosures of PHI that would be permitted under a 
final rule. All of these commenters agreed that it would be beneficial 
for the Department to do so. Of those, several commenters specified 
that the Department should provide such examples in the final 
regulatory text. A few commenters who requested examples be provided 
within the regulatory text also recommended that the language make 
clear that the examples are illustrative.
    Response: The Department declines to include examples of uses or 
disclosures of PHI that would be permitted in this rule, in regulatory 
text. We have provided illustrative examples above.
3. Clarifying Personal Representative Status in the Context of 
Reproductive Health Care
    Section 164.502(g) of the Privacy Rule contains the standard for 
personal representatives and generally requires a regulated entity to treat an 
individual's personal representative as the individual if that person 
has authority under applicable law (e.g., state law, court order) to 
act on behalf of the individual in making decisions related to health 
care.\323\ For example, the Privacy Rule would treat a legal guardian 
of an individual who has been declared incompetent by a court as the 
personal representative of that individual, if consistent with 
applicable law.\324\ In this and certain other provisions, the 
Department seeks to maintain the longstanding balance HIPAA strikes 
between the interest of a state or other authorities to regulate health 
and safety and protect vulnerable individuals \325\ with the goal of 
maintaining the privacy protections established in the Privacy 
Rule.\326\
---------------------------------------------------------------------------

    \323\ See 45 CFR 164.502(g).
    \324\ See 45 CFR 164.502(g)(3)(i). See also Off. for Civil 
Rights, ``Personal Representatives,'' U.S. Dep't of Health and Human 
Servs., https://www.hhs.gov/hipaa/for-individuals/personal-representatives/.
    \325\ See, e.g., 45 CFR 164.510(b)(3) and 164.512(j)(1)(i)(A).
    \326\ See 65 FR 82462, 82471 (Dec. 28, 2000).
---------------------------------------------------------------------------

    In the 2023 Privacy Rule NPRM, the Department expressed concern 
that some regulated entities may interpret the Privacy Rule as 
providing them with the ability to refuse to recognize as an 
individual's personal representative a person who makes reproductive 
health care decisions, on behalf of the individual, with which the 
regulated entity disagrees.\327\ Under these circumstances, current 
section 45 CFR 164.502(g)(5) of the Privacy Rule could be interpreted 
to permit a regulated entity to assert that, by virtue of the personal 
representative's involvement in the reproductive health care of the 
individual, the regulated entity believes that the personal 
representative is subjecting the individual to abuse. Further, this 
regulated entity might exercise its professional judgment and decide 
that it is in the best interest of the individual to not recognize the 
personal representative's authority to make health care decisions for 
that individual.
---------------------------------------------------------------------------

    \327\ 88 FR 23506, 23533-34 (Apr. 17, 2023).
---------------------------------------------------------------------------

    To protect the balance of interests struck by the Privacy Rule, the 
Department proposed to modify 45 CFR 164.502 by adding a new paragraph 
(g)(5)(iii). Proposed 45 CFR 164.502(g)(5)(iii) would ensure that a 
regulated entity could not deny personal representative status to a 
person where such status would otherwise be consistent with state and 
other applicable law primarily because that person provided or 
facilitated reproductive health care for an individual. The Department 
expressed its belief that this proposal was narrowly tailored and 
respected the interests of states and the Department by not unduly 
interfering with the ability of states to define the nature of the 
relationship between an individual and another person, including 
between a minor and a parent, upon whom the state deems it appropriate 
to bestow personal representative status. The proposal would, however, 
maintain the existing HIPAA standard by ensuring personal 
representative status, when otherwise consistent with state law, would 
not be affected by the type of underlying health care sought.
    Several commenters supported the Department's proposal to clarify 
that the covered entity's reasonable basis for electing not to treat a 
person as a personal representative of an individual, despite state law 
or other requirements of the Privacy Rule, cannot be primarily because 
the person has provided or facilitated reproductive health care. Other 
commenters expressed concern about their ability to determine what 
constitutes reproductive health care, as would be required to ascertain 
whether the covered entity had a reasonable basis to elect not to treat 
a person as an individual's personal representative. These commenters 
requested that the Department provide additional clarity in regulatory 
text or through examples. Other commenters questioned how the 
Department's proposal would align with existing state law on parental 
rights.
    As discussed throughout this final rule, reproductive health care 
is uniquely sensitive and must be treated accordingly. Thus, we are 
finalizing 45 CFR 164.502(g)(5) with additional modifications as 
follows. This final rule precludes the denial of personal 
representative status where the basis of the denial is that the person 
provided or facilitated reproductive health care instead of the 
proposed standard that would have precluded denial ``primarily'' based 
on these actions. This change clarifies that the covered entity does 
not have to determine whether the reproductive health care is the 
``primary'' basis for denying a person personal representative status. 
Additionally, the final rule adds the term ``reasonable'' before 
``belief'' to align with 45 CFR 164.502(g)(5)(i)(A), clarifying that 
the basis of the covered entity's belief must be reasonable in the 
circumstances. We are also renumbering paragraphs. Collectively, these 
changes clarify that it is not reasonable to elect not to treat a 
person as an individual's personal representative because the person 
provides or facilitates reproductive health care for and at the request 
of the individual. The Department is making these changes in response 
to comments received on the 2023 Privacy Rule NPRM, which are further 
discussed below.
    Comment: Several commenters supported the Department's proposal to 
clarify that the covered entity's basis for electing not to treat a 
person as a personal representative of an individual, despite state law 
or other requirements of the Privacy Rule, cannot be primarily because 
the person has provided or facilitated reproductive health care.
    Response: As explained throughout this final rule, reproductive 
health care is uniquely sensitive and must be treated as such. 
Accordingly, we are finalizing this proposal with modifications as 
described above.
    Comment: A commenter expressed concerns that regulated entities 
would have difficulty determining whether the ``primary'' basis for the 
belief that the individual has been or may be subjected to domestic 
violence, abuse, or neglect by such person, or that treating such 
person as the personal representative could endanger the individual 
related to the provision or facilitation of the reproductive health 
care, in some circumstances. The commenter requested that the 
Department provide additional clarity in the regulatory text or through 
examples.
    Response: As discussed above, we have removed the term ``primary'' 
before ``basis'' and reorganized the provision. We believe this change 
clarifies that the covered entity does not have to determine whether 
the provision or facilitation of reproductive health care is the 
``primary'' basis for believing that a person who is an individual's 
personal representative under applicable law has abused, neglected, or 
endangered the individual, or may do so in the future, such that the 
covered entity would be permitted to deny the person personal 
representative status.
    Comment: A few commenters requested that the Department clarify 
that other existing provisions pertaining to personal representatives 
continue to apply, including the provision that a covered entity should 
not treat a parent or guardian as a personal representative where state 
law does not require a minor to obtain parental consent to lawfully 
obtain health care.
    Response: As discussed above, the Privacy Rule generally requires a 
covered entity to treat a person who, under applicable law, has the 
authority to act on behalf of an individual in making decisions related 
to health care as the individual's personal representative with respect to PHI 
relevant to such personal representation, with limited exception.\328\ 
In this final rule, we are clarifying that those limited exceptions apply to 
this general rule.\329\ We did not propose, nor are we making, any 
additional changes to the Privacy Rule's provisions on personal 
representatives. Nothing in this final rule is intended to alter any 
other use or disclosure permissions for personal representatives, nor 
does it interfere with the ability of states to define the nature of 
the relationship between a minor and a parent or guardian.
---------------------------------------------------------------------------

    \328\ See 45 CFR 164.502(g).
    \329\ See 45 CFR 164.502(g)(3)(i).
---------------------------------------------------------------------------

    Comment: A commenter asserted that the proposal could lead to 
situations in which someone pretending to be a personal representative 
of the individual would consent to reproductive health care for the 
individual. According to a few commenters, the proposal would make it 
easier for a person abusing an individual to obtain access to an 
individual's PHI because of the limits imposed on the reasonable belief 
provisions by the proposal. Another commenter asserted that the 
proposal would hinder state investigations into crimes that affect an 
individual's reproductive health where such crimes are committed by a 
person meeting a state's definition of a personal representative.
    Response: The Department has no reason to believe, and commenters 
provided no evidence to suggest, that the final rule will lead to abuse 
or undermine parental consent. Rather, the final rule will protect 
sensitive PHI by clarifying that a regulated entity must treat a person 
as a personal representative of an individual with respect to PHI 
relevant to such personal representation if such person is, under 
applicable law, authorized to act on behalf of the individual in making 
decisions related to health care. This includes a court-appointed 
guardian, a person with a power of attorney, or other persons with 
legal authority to make health care decisions. Further, under 45 CFR 
164.514(h), a covered entity must verify the identity of a person 
requesting PHI and the authority of any such person to have access to 
PHI, if the identity is not already known to the covered entity.
    Additionally, the final rule allows a covered entity to elect not 
to treat a person as a personal representative of an individual if the 
covered entity, in the exercise of professional judgment, has a 
reasonable belief that the individual has been or may be subjected to 
domestic violence, abuse, or neglect by such person, or that treating 
such person as the personal representative could endanger the 
individual. The final rule only clarifies that the reasonable basis 
cannot be the provision or facilitation of reproductive health care by 
the person authorized by applicable law.
    Comment: A few commenters recommended that the Department define 
and interpret personal representative status in the context of 
reproductive health care consistent with its current interpretation.
    Response: We appreciate the comments but decline to specifically 
define ``personal representative'' in the context of reproductive 
health care. We are reducing compliance burdens by eliminating the need 
for covered entities to determine whether the provision or facilitation 
of reproductive health care was the ``primary'' basis for their belief 
that an individual has been or may be subjected to domestic violence, 
abuse, or neglect, or may be endangered by a person authorized by 
applicable law to act as an individual's personal representative if the 
covered entity treats the person as such, with respect to PHI relevant 
to such personal representation.
    Comment: A covered entity recommended that the Department set 
reasonable threshold standards that covered entities would be required 
to meet if they deny personal representative status to a person because 
of any legal, social, or professional liability that could attach based 
on such denials. The commenter further recommended that the Department 
set objective universal thresholds for denials that are clear, concise, 
and easily defined.
    Response: We appreciate the comment but decline to set a reasonable 
threshold standard that covered entities would be required to meet if 
they deny personal representative status to a person. As discussed 
above, the Department gives covered entities discretion to elect not to 
treat a person as a personal representative of an individual if the 
covered entity has a reasonable belief that the individual has been 
subjected to domestic violence, abuse, or neglect by a person seeking 
to act as the personal representative, or would be in danger from such 
a person, except where the basis of the denial is that the person 
provided or facilitated reproductive health care.
    Response: As discussed above, a personal representative, with 
authority under applicable law, stands in the shoes of the individual 
and has the ability to act for the individual and exercise the 
individual's rights. Thus, with very limited exceptions, covered 
entities must provide the personal representative access to the 
individual's PHI in accordance with 45 CFR 164.524 to the extent such 
information is relevant to such representation.
4. Request for Comments
    The Department requested comment on whether to eliminate or narrow 
any existing permissions to use or disclose ``highly sensitive PHI.'' 
\330\ Most of the comments on this question are discussed in the 
context of the prohibition.
---------------------------------------------------------------------------

    \330\ 88 FR 23506, 23534 (Apr. 17, 2023).
---------------------------------------------------------------------------

C. Section 164.509--Uses and Disclosures for Which an Attestation Is 
Required

1. Current Provision
    The Privacy Rule currently separates uses and disclosures into 
three categories: required, permitted, and prohibited. Permitted uses 
and disclosures are further subdivided into those to carry out TPO; 
\331\ those for which an individual's authorization is required; \332\ 
those requiring an opportunity for the individual to agree or object; 
\333\ and those for which an authorization or opportunity to agree or 
object is not required.\334\ For an individual's authorization to be 
valid, the Privacy Rule requires that it contain certain specific 
information to ensure that an individual authorizing a regulated entity 
to use or disclose their PHI to another person knows and understands to 
what it is they are agreeing.\335\
---------------------------------------------------------------------------

    \331\ 45 CFR 164.506.
    \332\ 45 CFR 164.508.
    \333\ 45 CFR 164.510.
    \334\ 45 CFR 164.512.
    \335\ 45 CFR 164.508(b).
---------------------------------------------------------------------------

2. Proposed Rule
    As we described in the 2023 Privacy Rule NPRM, a regulated entity 
presented with a request for PHI would need to discern whether using or 
disclosing PHI in response to the request would be prohibited. To 
facilitate compliance with the proposed prohibition at 45 CFR 
164.502(a)(5)(iii) while also providing a pathway for regulated 
entities to disclose PHI for certain permitted purposes, the Department 
proposed to require that a covered entity obtain an attestation from a 
person requesting the use or disclosure of PHI in certain 
circumstances.\336\
---------------------------------------------------------------------------

    \336\ 88 FR 23506, 23534-37 (Apr. 17, 2023).

---------------------------------------------------------------------------

[[Page 33028]]

    Specifically, the Department proposed to add a new section 45 CFR 
164.509, ``Uses and disclosures for which an attestation is required.'' 
This proposed condition would require a regulated entity to obtain 
certain assurances from the person requesting PHI potentially related 
to reproductive health care before the PHI is used or disclosed, in the 
form of a signed and dated written statement attesting that the use or 
disclosure would not be for a purpose prohibited under 45 CFR 
164.502(a)(5)(iii), where the person is making the request under the 
Privacy Rule permissions at 45 CFR 164.512(d) (disclosures for health 
oversight activities), (e) (disclosures for judicial and administrative 
proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) 
(disclosures about decedents to coroners and medical examiners).
    The proposed new section included a description of the proposed 
attestation contents, including a statement that the use or disclosure 
is not for a purpose the Department proposed to prohibit as described 
at 45 CFR 164.502(a)(5)(iii). The 2023 Privacy Rule NPRM also included 
a discussion about how the Department anticipated the proposed 
attestation requirement would work in concert with Privacy Rule 
permissions. The proposed attestation provision would also set out 
the general requirements for a valid attestation and the defects that 
would render an attestation invalid.\337\ The Department also proposed to 
require that an attestation be written in plain language \338\ and to 
prohibit it from being ``combined with'' any other document. Further, 
the Department's proposal would explicitly permit the attestation to be 
in an electronic format, as well as electronically signed by the person 
requesting the disclosure.\339\ Under the proposal, the attestation 
would be facially valid when the document meets the required elements 
of the attestation proposal and includes an electronic signature that 
is valid under applicable Federal and state law.\340\
---------------------------------------------------------------------------

    \337\ Pursuant to 45 CFR 164.530(j), regulated entities would be 
required to maintain a written or electronic copy of the 
attestation.
    \338\ The Federal plain language guidelines under the Plain 
Writing Act of 2010 apply only to Federal agencies, but they serve 
as a helpful resource. See 5 U.S.C. 105 and ``Federal plain language 
guidelines,'' U.S. Gen. Servs. Admin., https://www.plainlanguage.gov/guidelines/.
    \339\ Proposed 45 CFR 164.509(b)(1)(iv) and (c)(1)(iv).
    \340\ While not explicitly stated in the Privacy Rule, the 
Department previously issued guidance clarifying that authorizations 
are permitted to be submitted and signed electronically. See Off. 
for Civil Rights, ``Is a copy, facsimile, or electronically 
transmitted version of a signed authorization valid under the 
Privacy Rule?,'' U.S. Dep't of Health and Human Servs., HIPAA FAQ 
#475 (Jan. 9, 2023), https://www.hhs.gov/hipaa/for-professionals/faq/475/is-a-copy-of-a-signed-authorization-valid/ and 
Off. for Civil Rights, ``How do HIPAA authorizations apply to an 
electronic health information exchange environment?,'' U.S. Dep't of 
Health and Human Servs., HIPAA FAQ #554 (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/.
---------------------------------------------------------------------------

    Additionally, the proposal specified that each use or disclosure 
request would require a new attestation.
    The Department proposed that a regulated entity would be able to 
rely on the attestation provided that it is objectively reasonable 
under the circumstances for the regulated entity to believe the 
statement required by 45 CFR 164.509(c)(1)(iv) that the requested 
disclosure of PHI is not for a purpose prohibited by 45 CFR 
164.502(a)(5)(iii), rather than requiring a regulated entity to 
investigate the validity of an attestation.\341\ We explained that it 
would not be objectively reasonable for a regulated entity to rely on 
the representation of the person requesting PHI about whether the 
reproductive health care was provided under circumstances in which it 
was lawful to provide such health care. This is because we believed 
that the regulated entity, not the person requesting the disclosure of 
PHI, has the information about the provision of such health care that 
is necessary to make this determination. Therefore, we explained that 
this determination would need to be made by the regulated entity prior 
to using or disclosing PHI in response to a request for a use or 
disclosure of PHI that would require an attestation under the proposal.
---------------------------------------------------------------------------

    \341\ This approach is consistent with 45 CFR 164.514(h), which 
requires a regulated entity to verify the identity and legal 
authority of a public official or a person acting on behalf of a 
public official, and describes the type of documentation upon which 
a regulated entity may rely, if such reliance is reasonable under 
the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A), 
which permits a covered entity to rely, if such reliance is 
reasonable under the circumstances, on a requested disclosure as the 
minimum necessary for the stated purpose when making disclosures to 
public officials that are permitted under 45 CFR 164.512, if the 
public official represents that the information requested is the 
minimum necessary for the stated purpose(s).
---------------------------------------------------------------------------

    The attestation proposal also would require a regulated entity to 
cease use or disclosure of PHI if the regulated entity develops reason 
to believe, during the course of the use or disclosure, that the 
representations contained within the attestation were materially 
incorrect, leading to uses or disclosures for a prohibited 
purpose.\342\ Relatedly, the 2023 Privacy Rule NPRM included a 
discussion of the consequences of material misrepresentations that 
cause the impermissible use or disclosure of IIHI relating to another 
individual under HIPAA.
---------------------------------------------------------------------------

    \342\ Proposed 45 CFR 164.509(d).
---------------------------------------------------------------------------

    To reduce the burden on regulated entities implementing this 
proposed attestation, the Department requested comment on whether it 
should develop a model attestation that a regulated entity may use when 
developing its own attestation templates. The Department did not 
propose to require that regulated entities use the model attestation.
3. Overview of Public Comments
    Most commenters expressed support for the proposal to require an 
attestation for certain uses and disclosures. Some commenters 
questioned why the Department did not extend the attestation 
requirement directly to business associates, consistent with the 
general prohibition, and recommended that the attestation requirements 
be applied to business associates.
    Some of those commenters that supported the proposal to require an 
attestation expressed concern or made additional recommendations about 
its components, content, and scope, and the consequences for covered 
entities that make inadvertent disclosures of PHI without an 
attestation. A small number of opposing commenters also expressed 
concerns about the effectiveness and administrative burden of the 
proposed attestation requirement.
    About half of the commenters concerned about the administrative 
burden of the attestation expressed support for limiting the 
applicability of the proposed attestation to certain types of uses and 
disclosures of information, while the other half recommended expanding 
the scope of the proposed attestation requirement to mitigate burdens 
on covered entities or to increase privacy protections for individuals.
    Many commenters expressed concern about the Department's statement 
in the 2023 Privacy Rule NPRM that it would not be objectively 
reasonable for a regulated entity to rely on the representation of a 
person requesting the use or disclosure of PHI about whether the PHI 
sought was related to lawful health care. Specifically, commenters 
asserted that regulated entities may have difficulties determining 
whether an attestation is ``objectively reasonable'' and were unlikely 
to possess the information necessary to determine the purpose of a 
person's request for the use or disclosure of PHI.

[[Page 33029]]

    Most commenters urged the Department to expand the proposal beyond 
requests for PHI potentially related to reproductive health care to 
requests for any PHI because of the associated administrative burden of 
identifying and segmenting PHI about reproductive health care from 
other types of PHI. These commenters asserted that the burden would be 
significant because such PHI can be found throughout the medical 
record. Commenters also expressed concerns about the ability of EHRs to 
segment data.
    Most commenters recommended that the Department add to or modify 
the content of the proposed attestation, including to add a statement 
that the recipient pledges not to redisclose PHI to another party for 
any of the prohibited purposes or that the request is for the minimum 
amount of information necessary. Many supported the inclusion of a 
signed declaration under penalty of perjury and a statement regarding 
the penalties for perjury to add a layer of accountability.
4. Final Rule
    As we explained in the 2023 Privacy Rule NPRM, it may be difficult 
for regulated entities to distinguish between requests for the use and 
disclosure of PHI based on whether the request is for a permitted or 
prohibited purpose, which could lead regulated entities to deny use or 
disclosure requests for permitted purposes. Additionally, absent an 
enforcement mechanism, it is likely that persons requesting the use or 
disclosure of PHI could seek to use Privacy Rule permissions for 
purposes that are prohibited under the new 45 CFR 164.502(a)(5)(iii). 
Accordingly, the Department is finalizing the proposed attestation 
requirement, with modification, as described below. We intend to 
publish a model attestation prior to the compliance date for this final 
rule.
    First, the Department is renumbering the attestation provision such 
that the requirement is now 45 CFR 164.509(a)(1) and modifying that 
requirement to hold business associates directly liable for compliance 
with the attestation requirement. This change was made to address 
concerns raised by commenters who questioned why the Department did not 
extend the attestation requirement directly to business associates, 
consistent with the general prohibition and with revisions made to the 
HIPAA Rules in the 2013 Omnibus Rule, as required by the HITECH Act. 
The Department has authority to take enforcement action against 
business associates only for requirements for which the business 
associate is directly liable.\343\ Thus, under the proposed attestation 
requirement, a business associate would only have been required to 
comply with the proposed 45 CFR 164.509 if such obligation was 
explicitly included within its business associate agreement.\344\
---------------------------------------------------------------------------

    \343\ Business associates became directly liable for compliance 
with certain requirements of the HIPAA Rules under the HITECH Act. 
Consistent with the HITECH Act, the 2013 Omnibus Rule identified the 
portions of the HIPAA Rules that apply directly to business 
associates and for which business associates are directly liable. 
Prior to the HITECH Act and the Omnibus Rule, these requirements 
applied to business associates and their subcontractors indirectly 
through the requirements under 45 CFR 164.504(e) and 164.314(a), 
which require that covered entities by contract require business 
associates to limit uses and disclosures and implement HIPAA 
Security Rule-like safeguards. See 78 FR 5566 (Jan. 25, 2013). See 
also Off. for Civil Rights, ``Direct Liability of Business 
Associates Fact Sheet,'' U.S. Dep't of Health and Human Servs. (July 
16, 2021), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/.
    \344\ 45 CFR 164.504(e) and 164.314(a).
---------------------------------------------------------------------------

    Both covered entities and business associates process requests for 
PHI. The Privacy Rule permits regulated entities to determine whether a 
business associate can respond to such requests or whether they are 
required to defer to the covered entity.\345\ As noted by commenters, 
while many PHI requests processed by a business associate pursuant to 
45 CFR 164.512(d)-(g)(1) are processed on behalf of the covered entity, 
persons may elect to request PHI directly from the business associate. 
Thus, the Department has determined that it is appropriate to hold both 
covered entities and business associates directly liable for compliance 
with the attestation requirement. Expanding the attestation requirement 
to apply to business associates will ensure that the business associate 
is directly liable for compliance with it, regardless of whether 
compliance with 45 CFR 164.509 is explicitly included in a BAA.
---------------------------------------------------------------------------

    \345\ 45 CFR 164.504(e)(2)(i)(E).
---------------------------------------------------------------------------

    The Department is also adopting the proposed attestation 
requirement that a regulated entity obtain an attestation only for PHI 
``potentially related to reproductive health care.'' As discussed in 
the 2023 Privacy Rule NPRM, this will limit the number of requests that 
require an attestation, and therefore, the burden of the attestation 
requirement on regulated entities and persons requesting PHI. The 
Department reminds regulated entities that they are permitted, but not 
required, to respond to law enforcement requests for PHI where the 
purpose of the request is not one for which regulated entities are 
prohibited from disclosing PHI. By narrowing the scope of the 
attestation to PHI ``potentially related to reproductive health care,'' 
the attestation requirement will not unnecessarily interfere with or 
delay law enforcement investigations that do not involve PHI 
``potentially related to reproductive health care.'' While in practice 
this scope may be wide, we believe the privacy interests of individuals 
who have obtained reproductive health care necessitate the inclusion 
of ``potentially related'' PHI. We are concerned that extending the 
attestation requirement to all PHI could unnecessarily delay law 
enforcement investigations that are not for a purpose prohibited under 
45 CFR 164.502(a)(5)(iii). We acknowledge commenters' concerns about 
the ability of regulated entities to operationalize the attestation 
condition and note that the requirement to obtain an attestation 
applies where the request is for PHI ``potentially related to 
reproductive health care,'' as opposed to PHI ``related to reproductive 
health care.'' Consistent with the Department's instructions to 
regulated entities since the Privacy Rule's inception, we have taken a 
flexible approach to allow scalability based on a regulated entity's 
activities and size. All regulated entities must take appropriate steps 
to address privacy concerns. Regulated entities should weigh the costs 
and benefits of alternative approaches when determining the scope and 
extent of their compliance activities, including when developing 
policies and procedures to comply with the Privacy Rule.\346\ The 
Department will assess the progress of regulated entities' compliance 
with this requirement and promulgate guidance as appropriate. The 
Department also notes that with limited exceptions, the Privacy Rule 
generally permits but does not require the use or disclosure of PHI 
when the conditions set by the Privacy Rule for the specific use or 
disclosure of PHI are met.
---------------------------------------------------------------------------

    \346\ 65 FR 82462, 82471, and 82875 (Dec. 28, 2000).
---------------------------------------------------------------------------

    The Department is adopting the proposed requirement that an 
attestation be obtained where a request is made under the Privacy Rule 
permissions at 45 CFR 164.512(d) (disclosures for health oversight 
activities), (e) (disclosures for judicial and administrative 
proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) 
(disclosures about decedents to coroners and medical examiners). This 
requirement will help ensure that these Privacy Rule permissions cannot 
be used to circumvent the new prohibition at 45

[[Page 33030]]

CFR 164.502(a)(5)(iii) and continue permitting essential disclosures, 
while also limiting the attestation's burden on regulated entities by 
providing a standard mechanism by which the regulated entity can 
ascertain whether a requested use or disclosure is prohibited under 
this final rule. The attestation requirement is intended to reduce the 
burden of determining whether the PHI request is for a purpose 
prohibited under 45 CFR 164.502(a)(5)(iii), but it does not absolve 
regulated entities of the responsibility of making this determination, 
nor does it absolve regulated entities of the responsibility for 
ensuring that such requests meet the other conditions of the relevant 
permission.
    We are modifying the proposal by revising 45 CFR 164.509(a)(1) to 
clarify that a regulated entity may not use or disclose PHI where the 
use or disclosure does not meet all of the Privacy Rule's applicable 
conditions, including the attestation requirement. While this is 
consistent with the existing requirements of the Privacy Rule, we 
determined that it was necessary to reiterate this requirement here 
based on comments we received. Thus, when this final rule is read 
holistically, a regulated entity is not permitted to use or disclose 
PHI where such disclosure does not meet all of the Privacy Rule's 
applicable conditions, including the attestation requirement.
    We are also modifying the proposal by adding 45 CFR 164.509(a)(2) 
to clarify that the use or disclosure of PHI based on a defective 
attestation does not meet the attestation requirement. For example, the 
attestation requirement would not be met if a regulated entity relies 
on an attestation where it is not reasonable to do so because the 
attestation would be defective under 45 CFR 164.509(b)(2)(v). 
Accordingly, it would be a violation of the Privacy Rule if the 
regulated entity makes a use or disclosure in response to a defective 
attestation.
    The Department is modifying the proposal to prohibit inclusion in 
the attestation of any elements that are not specifically required by 
45 CFR 164.509(c). This provision addresses concerns that regulated 
entities might require persons requesting PHI to provide information 
beyond that which is required under 45 CFR 164.509(c). Such additional 
requirements could make it burdensome for persons requesting PHI to 
submit a valid attestation when they make a request pursuant to 45 CFR 
164.512(d), (e), (f), or (g)(1). Additionally, a person requesting PHI 
is not required to use the specific attestation form provided by a 
regulated entity, as long as the attestation provided by such person is 
compliant with the requirements of 45 CFR 164.509.
    Additionally, the Department is modifying the proposed prohibition 
on compound attestations. Specifically, the final rule prohibits the 
attestation from being ``combined with'' any other document. The 
modification clarifies that while an attestation may not be combined 
with other ``forms,'' additional documentation to support the 
information provided in the attestation may be submitted. This 
additional documentation may not replace or substitute for any of the 
attestation's required elements. The attestation itself must be clearly 
labeled, distinct from any surrounding text, and completed in its 
entirety, but documentation to support the statement at 45 CFR 
164.509(c)(1)(iv) or to overcome the presumption at 45 CFR 
164.502(a)(5)(iii)(C) may be appended to the attestation. Thus, a 
regulated entity must ensure that the required elements of the 
attestation are met, and should review any additional documents 
provided by the person making the request when making the required 
determinations.
    A regulated entity may use this information--the information on the 
attestation combined with any additional documentation provided by the 
person making the request for PHI--to make a reasonable determination 
that the attestation is true, consistent with 45 CFR 164.509(b)(2)(v). 
For example, an attestation would not be impermissibly ``combined 
with'' a subpoena if it is attached to it, provided that the 
attestation is clearly labeled as such. As another example, an 
electronic attestation would not be impermissibly ``combined with'' 
another document where the attestation is on the same screen as the 
other document, provided that the attestation is clearly and distinctly 
labeled as such.
    The Department is finalizing the proposed content requirements with 
modifications as follows. Specifically, the Department is finalizing 
the proposal that an attestation must include that the person 
requesting the disclosure confirm the types of PHI that they are 
requesting; clearly identify the name of the individual whose PHI is 
being requested, if practicable, or if not practicable, the class of 
individuals whose PHI is being requested; and confirm, in writing, that 
the use or disclosure is not for a purpose prohibited under 45 CFR 
164.502(a)(5)(iii). For purposes of the ``class of individuals'' 
described in 45 CFR 164.509(c)(1)(i)(B), the Department clarifies that 
the requesting entity may describe such a class in general terms--for 
example, as all individuals who were treated by a certain health care 
provider or for whom a certain health care provider submitted claims, 
all individuals who received a certain procedure, or all individuals 
with given health insurance coverage.
    As we proposed, we are finalizing a requirement that the 
attestation include a clear statement that the use or disclosure is not 
for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). This 
requirement may be satisfied with a series of checkboxes that 
identifies why the use or disclosure is not prohibited under 45 CFR 
164.502(a)(5)(iii) (i.e., the use or disclosure is not for a purpose 
specified in 45 CFR 164.502(a)(5)(iii)(A); or the use or disclosure is 
for a purpose that would be prohibited under 45 CFR 
164.502(a)(5)(iii)(A), but the reproductive health care at issue was 
not lawful under the circumstances in which it was provided so the Rule 
of Applicability is not satisfied, and thus the prohibition does not 
apply).
    The Department is adding another new required element, a statement 
that the attestation is signed with the understanding that a person who 
knowingly and in violation of HIPAA obtains or discloses IIHI relating 
to another individual, or discloses IIHI to another person, may be 
subject to criminal liability.\347\ We believe that adding this 
language satisfies the intent that led us to consider including a 
penalty of perjury requirement and is consistent with applicable law. The statement 
does not impose new liability on persons who sign an attestation; 
instead, including the statement in the attestation ensures that 
persons who request the use or disclosure of PHI for which an 
attestation is required are on notice of and acknowledge the 
consequences of making such requests under false pretenses.
---------------------------------------------------------------------------

    \347\ See 42 U.S.C. 1320d-6(a).
---------------------------------------------------------------------------

    The Department is also finalizing the proposed requirement that the 
attestation must be written in plain language. Additionally, the 
Department is finalizing its proposal to permit the attestation to be 
in electronic format and for it to be electronically signed by the 
person requesting the disclosure where such electronic signature is 
valid under applicable law.\348\ The Department declines to mandate a 
specific electronic format for the attestation.
---------------------------------------------------------------------------

    \348\ 45 CFR 164.509(b)(1)(iii) and (c)(1)(vi).
---------------------------------------------------------------------------

    As we proposed, an attestation will be limited to the specific use 
or disclosure. Accordingly, each use or disclosure

[[Page 33031]]

request for PHI will require a new attestation.
    There is no exception to the minimum necessary standard for uses 
and disclosures made pursuant to an attestation under 45 CFR 
164.509.\349\ Thus, a regulated entity will have to limit a use or 
disclosure to the minimum necessary when provided in response to a 
request that would be subject to the proposed attestation requirement, 
unless one of the specified exceptions to the minimum necessary 
standard in 45 CFR 164.502(b)(2) applies. Where the person requesting 
the PHI is also a regulated entity, that person will also need to make 
reasonable efforts to limit their request to the minimum necessary to 
accomplish the intended purpose of the use, disclosure, or 
request.\350\
---------------------------------------------------------------------------

    \349\ 45 CFR 164.502(b). The minimum necessary standard of the 
Privacy Rule applies to all uses and disclosures where a request 
does not meet one of the specified exceptions in paragraph (b)(2).
    \350\ 45 CFR 164.502(b)(1).
---------------------------------------------------------------------------

    The Department is not requiring a regulated entity to investigate 
the validity of an attestation provided by a person requesting a use or 
disclosure of PHI. Rather, a regulated entity is generally permitted to 
rely on the attestation if, under the circumstances, a regulated entity 
reasonably determines that the request is not for investigating or 
imposing liability for the mere act of seeking, obtaining, providing, 
or facilitating allegedly unlawful reproductive health care. In 
addition, a regulated entity is generally permitted to rely on the 
attestation and any accompanying material if, under the circumstances, 
a regulated entity reasonably could conclude (e.g., upon examination of 
adequate supporting documentation provided by the person making the 
request) that the requested disclosure of PHI is not for a purpose 
prohibited by 45 CFR 164.502(a)(5)(iii), consistent with the approach 
taken in the Privacy Rule \351\ and elsewhere in this final rule. If 
such reliance is not reasonable, then the regulated entity may not rely 
on the attestation. This is a change from the proposed language, which 
permitted reliance based on an ``objectively reasonable'' standard. The 
proposed standard was modified because a reasonable person standard is 
inherently objective.\352\ Thus, including ``objectively'' in the 
description of the standard was redundant.
---------------------------------------------------------------------------

    \351\ This approach is consistent with 45 CFR 164.514(h), which 
requires a covered entity to verify the identity and legal authority 
of a public official or a person acting on behalf of the public 
official and describes the type of documentation upon which 
regulated entities can rely, if such reliance is reasonable under 
the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A), 
which permits a covered entity to rely, if such reliance is 
reasonable under the circumstances, on a requested disclosure as the 
minimum necessary for the stated purpose when making disclosures to 
public officials that are permitted under 45 CFR 164.512, if the 
public official represents that the information requested is the 
minimum necessary for the stated purpose(s).
    \352\ E.g., Restatement (Second) Torts Sec. 283, comment b (Am. 
L. Inst. 1965).
---------------------------------------------------------------------------

    For requests involving allegedly unlawful reproductive health care, 
the extent to which a regulated entity may reasonably rely on an 
attestation depends in part on whether the regulated entity provided 
the reproductive health care at issue. Under the final rule, it would 
not be reasonable for a regulated entity to rely on the representation 
made by a person requesting the use or disclosure of PHI that the 
reproductive health care was unlawful under the circumstances in which 
it was provided unless such representation meets the conditions set 
forth in the presumption at 45 CFR 164.502(a)(5)(iii)(C). As discussed 
above, under the presumption, reproductive health care is presumed to 
be lawful under the circumstances in which such health care is provided 
unless a regulated entity has actual knowledge, or information from the 
person making the request that demonstrates to the regulated entity a 
substantial factual basis that the reproductive health care was not 
lawful under the specific circumstances in which such health care was 
provided. Where the reproductive health care at issue was provided by a 
person other than the regulated entity receiving the request for the 
use or disclosure of PHI and the presumption is overcome, the regulated 
entity is permitted to use or disclose PHI in response to the request 
upon receipt of an attestation where it is reasonable to rely on the 
representations made in the attestation. It is not reasonable for the 
regulated entity to rely solely on a statement of the person requesting 
the use or disclosure of PHI that the reproductive health care was 
unlawful under the circumstances in which such health care was 
provided. Instead, the person requesting the use or disclosure of PHI 
must provide the regulated entity with information such that it would 
constitute actual knowledge or that demonstrates to the regulated 
entity a substantial factual basis that the reproductive health care 
was not lawful under the specific circumstances in which such health 
care was provided. A regulated entity that receives a request for PHI 
involving reproductive health care provided by that regulated entity 
should review the relevant PHI in its possession and other related 
information (e.g., license of health care provider that provided the 
health care, operating license for the facility in which such health 
care was provided) to determine whether the reproductive health care 
was lawful under the circumstances in which it was provided prior to 
using or disclosing PHI in response to a request for PHI that requires 
an attestation. Where the request is about reproductive health care 
that is provided by the regulated entity receiving the request, it 
would not be reasonable for a regulated entity to automatically rely on 
a representation made by a person requesting the use or disclosure of 
PHI about whether the reproductive health care was provided under the 
circumstances in which it was lawful to provide such health care. 
Rather, the regulated entity must review the individual's PHI to 
consider the circumstances under which it provided the reproductive 
health care to determine whether such reliance is reasonable. 
Therefore, where the request involves the use or disclosure of PHI 
potentially related to reproductive health care that was provided by 
the recipient of the request, the regulated entity must make the 
determination about whether it provided the health care lawfully prior 
to using or disclosing PHI in response to a request that requires an 
attestation.
    For example, if a law enforcement official requested PHI 
potentially related to reproductive health care to investigate a person 
for the mere act of seeking, obtaining, providing or facilitating 
allegedly unlawful reproductive health care, it would not be reasonable 
for a regulated entity that receives such a request to rely solely on a 
signed attestation that states that the reproductive health care was 
not lawful under the circumstances in which it was provided, as set 
forth in 45 CFR 164.502(a)(5)(iii)(B), and therefore, that the 
requested disclosure is not for a purpose prohibited under 45 CFR 
164.502(a)(5)(iii)(A). This is regardless of whether the regulated 
entity receiving the request for PHI provided the reproductive health 
care at issue. Assuming that the attestation is not facially deficient, 
a regulated entity must consider the totality of the circumstances 
surrounding the attestation and whether it is reasonable to rely on the 
attestation in those circumstances. To determine whether it is 
reasonable to rely on the attestation, a regulated entity should 
consider, among other things: who is requesting the use or disclosure 
of PHI; the permission upon which the person making the request is 
relying; the 
information provided to satisfy other conditions of the relevant 
permission; the PHI requested and its relationship to the stated 
purpose of the request; and, where the reproductive health care was 
supplied by another person, whether the regulated entity has: (1) 
actual knowledge that the reproductive health care was not lawful under 
the circumstances in which it was provided; or (2) factual information 
supplied by the person requesting the use or disclosure of PHI that 
would demonstrate to a reasonable regulated entity a substantial 
factual basis that the reproductive health care was not lawful under 
the specific circumstances in which such health care was provided.
    For example, a regulated entity receives an attestation from a 
Federal law enforcement official, along with a court-ordered warrant 
demanding PHI potentially related to reproductive health care. The law 
enforcement official represents that the request is about reproductive 
health care that was not lawful under the circumstances in which such 
health care was provided, but the official will not divulge more 
information because they allege that doing so would jeopardize an 
ongoing criminal investigation. In this example, if the regulated 
entity itself provided the reproductive health care and, based on the 
information in its possession, reasonably determines that such health 
care was lawful under the circumstances in which it was provided, the 
regulated entity may not disclose the requested PHI.
    If the regulated entity did not provide the reproductive health 
care, it may not disclose the requested PHI absent additional factual 
information because the official requesting the PHI has not provided 
sufficient information to overcome the presumption at 45 CFR 
164.502(a)(5)(iii)(C). Further, it also would not be reasonable under 
the circumstances for the regulated entity to rely on the attestation 
that the information would not be used for a purpose prohibited by 45 
CFR 164.502(a)(5)(iii) because of the presumption that the reproductive 
health care was lawfully provided.
    However, in cases where the presumption of lawfulness applies, the 
regulated entity would be permitted to make the disclosure, for 
example, where the law enforcement official provides additional factual 
information for the regulated entity to determine that there is a 
substantial factual basis that the reproductive health care was not 
lawful under the circumstances in which such health care was provided. 
As another example, a regulated entity could rebut the presumption of 
lawfulness by relying on a sworn statement by a law enforcement 
official that the PHI is necessary for an investigation into violations 
of specific criminal codes unrelated to the provision of reproductive 
health care (e.g., billing fraud) or an affidavit from an individual 
that the individual obtained unlawful reproductive health care from a 
different health care provider and the requested PHI is relevant to 
that investigation. Similarly, if a regulated entity receives an 
attestation from a Federal law enforcement official, along with a 
court-ordered warrant demanding PHI potentially related to reproductive 
health care, that both specify that the purpose of the request is not 
for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), the regulated 
entity may rely on the attestation and warrant, subject to the 
requirements of 45 CFR 164.512(f)(1)(ii)(A).
    Lastly, this final rule requires a regulated entity to cease use or 
disclosure of PHI if the regulated entity, during the course of the use 
or disclosure, discovers information reasonably showing that the 
representations contained within the attestation are materially 
incorrect, leading to uses or disclosures for a prohibited 
purpose.\353\ As we explained in the 2023 Privacy Rule NPRM, pursuant 
to HIPAA, a person who knowingly and in violation of the Administrative 
Simplification provisions obtains or discloses IIHI relating to another 
individual or discloses IIHI to another person would be subject to 
criminal liability.\354\ Thus, a person who knowingly and in violation 
of HIPAA \355\ falsifies an attestation (e.g., makes material 
misrepresentations about the intended uses of the PHI requested) to 
obtain (or cause to be disclosed) an individual's IIHI could be subject 
to criminal penalties as outlined in the statute.\356\ Additionally, a 
disclosure made based on an attestation that contains material 
misrepresentations after the regulated entity becomes aware of such 
misrepresentations constitutes an impermissible disclosure, which 
requires notifications of a breach to the individual, the Secretary, 
and in some cases, the media.\357\
---------------------------------------------------------------------------

    \353\ 45 CFR 164.509(d).
    \354\ See 42 U.S.C. 1320d-6(a).
    \355\ A person (including an employee or other individual) shall 
be considered to have obtained or disclosed individually 
identifiable health information in violation of this part if the 
information is maintained by a covered entity (as defined in the 
HIPAA privacy regulation described in section 1320d-9(b)(3) of this 
title) and the individual obtained or disclosed such information 
without authorization. Id.
    \356\ See 42 U.S.C. 1320d-6(b).
    \357\ 45 CFR 164.400 et seq. The HIPAA Breach Notification Rule, 
45 CFR 164.400-414, requires HIPAA covered entities and their 
business associates to provide notification following a breach of 
unsecured PHI.
---------------------------------------------------------------------------

    The attestation requirement does not replace the conditions of the 
Privacy Rule's permissions for a regulated entity to disclose PHI, 
including in response to a subpoena, discovery request, or other lawful 
process, or administrative request. Instead, the attestation is 
designed to work with the permissions and their requirements. If PHI is 
disclosed pursuant to 45 CFR 164.512(e)(1)(ii) or (f)(1)(ii)(C), a 
regulated entity will need to verify that the requirements of each 
provision are met, in addition to satisfying the requirements of the 
new attestation provision under 45 CFR 164.509. Furthermore, the 
requirements of 45 CFR 164.528, the right to an accounting of 
disclosures of PHI made by a covered entity, are not affected by the 
attestation requirement. Thus, disclosures made pursuant to a 
permission under 45 CFR 164.512(d), (e), (f), or (g) must be included 
in the accounting, including when they are made pursuant to an 
attestation.
5. Responses to Public Comments
    Comment: Most commenters supported the proposal to require an 
attestation for certain uses and disclosures. A few commenters 
recognized the benefits of the attestation requirement, despite the 
potential increase in administrative burden for regulated entities.
    Many commenters opposed the proposal for what they described as 
administrative burden, questionable effectiveness, and lack of clarity. 
A few commenters stated that the requirements imposed an inappropriate 
compliance burden on covered entities that would need to determine 
whether a PHI request was ``potentially related'' to sensitive personal 
health care, and, along with a health care provider who otherwise 
supported the attestation, they recommended instead that the Department 
impose requirements on the person requesting the use or disclosure of 
PHI. Many commenters expressed concerns about the ability of covered 
entities to operationalize the proposed requirement with the limitation 
to PHI potentially related to reproductive health care because it would 
require the ability to segment PHI, which the Department previously 
acknowledged is generally unavailable. A few commenters questioned the 
effectiveness of the proposed attestation 
requirement, as compared to its potential burden, enforceability, and 
effects on access to maternal and specialty health care.
    Response: We agree with commenters that the attestation requirement 
will bolster the privacy of PHI and acknowledge that implementation of 
this important safeguard requires additional administrative activities 
by regulated entities. The Department considered removing the 
limitation on the application of the attestation condition to PHI 
``potentially related to reproductive health care,'' but we are 
concerned that expanding it to apply to all requests for PHI made for 
specified purposes would impose even more burden on regulated entities. 
The requirement is to determine whether the requested PHI is 
``potentially related to reproductive health care,'' not whether it is 
``related to reproductive health care.'' Thus, regulated entities are 
not required to make an affirmative determination that the requested 
PHI is in fact related to reproductive health care before requiring a 
person requesting PHI to provide an attestation. We note that the focus 
of the attestation requirement has been limited to PHI potentially 
related to reproductive health care because the changes to the legal 
landscape have heightened privacy concerns about reproductive health care 
that is lawful under the circumstances in which such health care is 
provided. We also note that the provision of an attestation itself is 
not determinant of whether the request is for a prohibited purpose. 
Rather, regulated entities must consider whether a request for PHI is 
for a prohibited purpose, regardless of whether the request is made for 
a purpose for which the Privacy Rule requires an attestation.
    The Department is limited to applying the HIPAA Rules to those 
entities covered by HIPAA (i.e., health plans, health care 
clearinghouses, and health care providers that conduct covered 
transactions) and to business associates, as provided under the HITECH 
Act. Accordingly, the Department is limited to imposing obligations on 
persons requesting the use or disclosure of PHI to those who are also 
regulated entities.
    The attestation condition has been drafted to promote the privacy 
of information about lawful reproductive health care, including 
maternal and specialty health care, while still permitting certain uses 
of PHI. Regulated entities, including covered entities that specialize 
in providing reproductive health care, may determine, based on their 
assessment of what PHI is potentially related to reproductive health 
care, that an attestation must accompany all requests they receive for 
the use or disclosure of any PHI made pursuant to and in compliance 
with 45 CFR 164.512(d)-(g)(1). Further, the attestation requirement 
only applies to the specified requests for PHI and should not affect 
any intake of new patients or provision of maternal health care.
    The Department is not requiring a regulated entity to investigate 
the veracity of the information provided in support of an attestation 
because doing so would impose a significant administrative burden on 
regulated entities and persons requesting the use or disclosure of PHI 
without proportional benefit. Additionally, requiring such an 
investigation by the regulated entity may cause unnecessary delays to 
law enforcement activities. Rather, the Department is finalizing a 
regulated entity's ability to rely on the attestation provided that it 
is reasonable under the circumstances for the regulated entity to 
believe the statement required by 45 CFR 164.509(c)(1)(iv) that the 
requested disclosure of PHI is not for a purpose prohibited by 45 CFR 
164.502(a)(5)(iii). If such reliance is not reasonable, then the 
regulated entity may not rely on the attestation.
    A regulated entity that receives a request for PHI potentially 
related to reproductive health care for purposes specified in 45 CFR 
164.512(d), (e), (f), or (g)(1) may accept information, in addition to 
the attestation, from the person requesting the PHI to support its 
ability to make the determinations required by 45 CFR 
164.502(a)(5)(iii) and 45 CFR 164.509(b)(v).
    For example, it likely would not be reasonable for a regulated 
entity to rely on an attestation from a public official who represents 
that their request is for a purpose that is not prohibited, if the 
request for PHI is overly broad for its purported purpose and the 
public official has publicly stated that they will be investigating 
health care providers for providing reproductive health care. In such 
cases, regulated entities should consider the circumstances surrounding 
an attestation to determine whether they can reasonably rely on the 
attestation. Although we have modified the regulatory text by removing 
``objectively,'' the standard remains unchanged in practice because a 
reasonableness standard is an objective standard. As we also discussed 
above, it is not reasonable for a regulated entity that provided the 
reproductive health care at issue to rely on a representation made by a 
person requesting the use or disclosure of PHI that the reproductive 
health care at issue was unlawful under the circumstances in which such 
health care was provided. A regulated entity that makes a disclosure 
where it was not reasonable to rely on the representation made by the 
person requesting the use or disclosure may be subject to enforcement 
action by OCR.
    Additionally, as discussed in greater detail above, a person who 
knowingly and in violation of the Administrative Simplification 
provisions obtains or discloses IIHI relating to another individual or 
discloses IIHI to another person would be subject to criminal 
liability.\358\ We believe that this provision serves as a deterrent 
for those who otherwise might request PHI in violation of this final 
rule. It also will continue to permit essential disclosures while 
ensuring that Privacy Rule permissions cannot be used to circumvent the 
new prohibition, thereby enhancing the privacy of individuals' PHI and 
protecting other important interests.
---------------------------------------------------------------------------

    \358\ See 42 U.S.C. 1320d-6(a).
---------------------------------------------------------------------------

    Comment: Several commenters opposed the attestation proposal 
because they believed that the proposal would make it more difficult 
for law enforcement to request PHI and for entities to respond to such 
requests, potentially putting them in situations where they need to 
choose between complying with a court order and impermissibly 
disclosing PHI. A few individuals stated that the proposal would have a 
chilling effect on the ability of a state to conduct investigations or 
proceedings for which the use or disclosure of PHI could be beneficial, 
particularly in cases involving rape, incest, sex trafficking, domestic 
violence, abuse, and neglect.
    Response: We acknowledge that the attestation provision may require 
regulated entities to obtain additional information from persons 
requesting PHI in certain circumstances. As discussed above, this 
condition is consistent with the operation of the Privacy Rule since 
its inception, which has always required regulated entities to obtain 
additional information from persons requesting PHI in certain 
circumstances, such as where the use or disclosure is one for which an 
authorization or opportunity to agree or object is not required.\359\ 
However, as also discussed above, any burden the attestation may impose 
on persons requesting PHI is outweighed by the privacy interests that 
this final rule is designed to protect.
---------------------------------------------------------------------------

    \359\ See 45 CFR 164.512.
---------------------------------------------------------------------------

    A person requesting PHI pursuant to 45 CFR 164.512(d)-(g)(1) may 
elect to provide an attestation with their request, even if a 
determination has not 
yet been made concerning whether such request is for PHI potentially 
related to reproductive health care. Similarly, the Privacy Rule does 
not require a regulated entity to respond to requests for PHI.
    Comment: Some commenters were concerned about the effect of the 
attestation requirement on the electronic exchange of PHI and 
recommended approaches for incorporating attestations into a HIE 
environment. A commenter expressed concern that the requirement for an 
attestation would delay or prevent automated data exchange using Fast 
Healthcare Interoperability Resources® (FHIR®) APIs and 
might impede innovation. They requested guidance on how to implement 
the attestation condition in an HIE environment without impeding 
regulated exchanges or industry innovations using extensive data 
exchange via FHIR APIs. Commenters also recommended that the Department 
issue guidance on implementing attestation policies in circumstances 
not required by this rule that would not constitute information 
blocking. A commenter encouraged the Department to implement processes 
that limit the liability of health care providers for the actions of 
third parties. For example, the commenter requested that the Department 
clarify that a refusal to disclose PHI absent an attestation is 
protected from a finding of information blocking.
    Response: We do not believe that this final rule prevents the 
disclosure of PHI via a HIE. We disagree that this requirement prevents 
the exchange of data using FHIR APIs under these permissions or for 
automated health data exchange more broadly. PHI can be disclosed as 
requested if the regulated entity obtains a valid attestation and the 
request meets the conditions of an applicable permission. The 
attestation requirement does not affect any requests via FHIR API that 
fall outside of the 45 CFR 164.512(d)-(g)(1) permissions. For example, 
a disclosure of PHI from a covered health care provider to another 
health care provider for care coordination purposes would not require 
an attestation because the disclosure would not be for a purpose 
addressed by 45 CFR 164.512(d)-(g)(1). The importance of protecting an 
individual's interests in the privacy of their PHI, and society's 
interest in improving the effectiveness of the health care system, far 
outweighs any potential administrative burdens or delays in the 
electronic exchange of PHI for non-health care purposes. Further, 
compliance with applicable law does not constitute information 
blocking.\360\ Thus, we do not believe additional regulatory language 
is necessary at this time. OCR regularly collaborates with other 
Federal agencies, including ONC, to develop guidance on compliance with 
Federal standards and to address questions that arise about the ability 
of regulated entities to comply with applicable laws.
---------------------------------------------------------------------------

    \360\ See 42 U.S.C. 300jj-52(a)(1) (excluding from the 
definition of ``information blocking'' practices that are likely to 
interfere with, prevent, or materially discourage access, exchange, 
or use of electronic health information if they are ``required by 
law''; 85 FR 25642, 25794 (May 1, 2020) (explaining that ``required 
by law'' specifically refers to interferences that are explicitly 
required by state or Federal law). See also 89 FR 1192, 1351 (Jan. 
9, 2024) (affirming that where applicable law prohibits access, 
exchange, or use of information, practices in compliance with such 
law are not considered to be information blocking and citing to 
compliance with the Privacy Rule as an example of an applicable 
law).
---------------------------------------------------------------------------

    The permissions for which the Department is requiring that a 
regulated entity obtain an attestation prior to using or disclosing PHI 
are already conditioned upon meeting certain requirements, which 
generally require manual review. The Department acknowledges that 
certain persons may need to adjust their workflows to account for the 
attestation requirement. While there may be some delays until new 
processes are implemented, any disruptions will decrease over time. 
Thus, we do not anticipate that this final rule will contribute to 
additional delays in the disclosure of PHI.
    The Department is finalizing a new regulatory presumption that 
permits a regulated entity to presume reproductive health care provided 
by another person was lawful unless the regulated entity has actual 
knowledge or factual information supplied by the person requesting the 
use or disclosure of PHI that demonstrates to the regulated entity a 
substantial factual basis that the reproductive health care was not 
lawful under the specific circumstances in which such health care was 
provided. This presumption will facilitate the determination by the 
regulated entity about whether a request for the use or disclosure of 
PHI would be subject to the prohibition, and thus will reduce the risk 
of an impermissible use or disclosure of the requested PHI, thereby 
reducing the liability of regulated entities that receive requests for 
PHI to which the prohibition may apply, but where they did not provide 
the reproductive health care at issue.
    Comment: Many commenters questioned the Department's rationale for 
not extending the attestation requirement directly to business 
associates, consistent with the general prohibition. Some commenters 
recommended that the attestation requirement be applied to business 
associates because persons requesting the use or disclosure of PHI may 
directly approach a business associate for this PHI (and the business 
associate agreement may permit such disclosures or be silent regarding 
whether the business associate may respond to them). Commenters also 
requested clarification of the responsibilities of business associates 
with respect to attestations and questioned whether the proposal would 
require amendment of their business associate agreements.
    Response: As discussed above, we agree with the commenters that the 
attestation requirement should apply directly to business associates 
because they receive direct requests for PHI and are subject to the 
general prohibition in the same manner as covered entities. Therefore, 
we are modifying 45 CFR 164.509 to ensure that it expressly applies to 
both covered entities and their business associates.
    Comment: Although a few commenters expressed support for limiting 
the attestation condition to requests regarding ``PHI potentially 
related to reproductive health care,'' many commenters recommended that 
the proposed requirement to obtain an attestation be broadly applied to 
requests for any PHI. Many stated that it would be easier and more 
efficient for regulated entities if all requests related to a 
prohibited purpose required the attestation, regardless of the PHI 
being requested. According to these commenters, this would allow the 
regulated entity to avoid making any determinations regarding the PHI. 
A few explained that expanding the requirement to all PHI would 
appropriately place the burden of demonstrating that the requested 
disclosure was permissible on the person making the request.
    Several commenters asserted that information related to 
reproductive health care is potentially found in every department, 
record, and system, including those that may not have a readily 
apparent relationship to reproductive health care. As a result, 
according to these commenters, it would be onerous and costly to 
separate different types of health information in a medical record. 
According to other commenters, the volume of records requests received 
by health systems would render any requirement on a health care 
provider to redact PHI from an individual's medical record in the 
absence of an attestation overly burdensome and increase the risk of 
unauthorized disclosure. Some 
commenters explained that staff managing health information generally 
do not have the legal or medical training to determine whether a PHI 
request may be for PHI potentially related to reproductive health care, 
particularly given the breadth of most requests (e.g., for all medical 
records of an entity, of a particular health care provider or a 
particular individual). These commenters also raised concerns that the 
lack of legal or medical training could lead to inconsistent 
application of the rule, the inadvertent disclosure of PHI potentially 
related to reproductive health care, or delay the use or disclosure of 
PHI, even when the individual has not sought or obtained reproductive 
health care. Many commenters asserted that determining whether a 
request for the use or disclosure of PHI includes PHI potentially 
related to reproductive health care is difficult and a significant 
burden on health information professionals, particularly where the 
covered entity did not provide or facilitate the health care. According 
to some commenters, some business associates, such as cloud services 
providers, may not have the ability to determine whether the PHI that 
they maintain includes PHI potentially related to reproductive health 
care.
    Some commenters posited that the result of this requirement would 
be that health care providers would refuse to provide any PHI in 
response to a request for the use or disclosure of PHI on any matter that 
could possibly be construed as potentially related to reproductive 
health care. They and others stated that limiting the proposed 
prohibition to one category of PHI would require regulated entities to 
label or segment certain PHI within medical records, which would be 
impractical and costly because EHRs are unable to reliably segregate or 
flag PHI retrospectively.
    Response: We acknowledge the comments from regulated entities that 
expressed concerns about the effects of the limitation of the 
attestation requirement to PHI potentially related to reproductive 
health care. However, the Department is concerned that extending the 
attestation requirement to all PHI could result in unintended 
consequences, such as the potential delay of law enforcement 
investigations that do not require PHI potentially related to 
reproductive health care. By contrast, an attestation requirement is 
necessary for PHI potentially related to reproductive health care 
because of recent changes to the legal landscape that make it more 
likely that PHI will be sought for punitive non-health care purposes, 
and thus more likely to be subject to disclosure by regulated entities 
if the requested disclosure is permissible under the Privacy Rule, 
thereby harming the interests that HIPAA seeks to protect. Accordingly, 
the Department is not modifying the attestation requirement that a 
regulated entity obtain an attestation only for PHI potentially related 
to reproductive health care.
    The Department acknowledges that the attestation requirement may 
increase the burden on regulated entities, but we disagree that 
regulated entities are unable to make the required assessments of 
attestations. Regulated entities currently conduct similar assessments 
when determining whether PHI may be disclosed to a personal 
representative, when making disclosures that are required by law or for 
public health purposes, and for various other permitted purposes. 
Regulated entities also regularly review medical records to comply with 
minimum necessary requirements. The Department is cognizant that an 
expanded attestation requirement could significantly increase burden if 
it were to expand this requirement to all disclosures in the absence of 
the sensitivities described in this final rule.
    Comment: Many commenters supported the proposal to limit the 
requirement to obtain an attestation with a request for uses and 
disclosures for certain permissions, namely those that have the greatest 
potential to be connected with a purpose for which the Department 
proposed to prohibit the use and disclosure of PHI. Some commenters 
expressed their belief that the Department had identified the 
appropriate permissions for which the attestation would provide 
additional safeguards.
    Many commenters suggested modifications, primarily expansions or 
clarifications of the types of permitted uses and disclosures that 
would be subject to the attestation. Generally, commenters explained 
their belief that their recommended modifications would either mitigate 
the burden of the requirement to ascertain the purposes of the 
requested disclosure or increase privacy protections for individuals.
    Commenters recommended multiple ways to expand the attestation 
requirement, such as extending it to all permissions in 45 CFR 164.512; 
disclosures required by law, for public health activities, and to avert 
a serious threat to health or safety; disclosures for treatment 
purposes to a person not regulated by HIPAA or disclosures to any 
person who might use the PHI for a prohibited purpose; and any 
disclosure at the discretion of the covered entity.
    Response: The Department declines to expand the permissions for 
which an attestation is required at this time. The Department 
specifically chose to limit the attestation condition to the 
permissions at 45 CFR 164.512(d)-(g)(1) because these permissions have 
the greatest potential to result in the use or disclosure of an 
individual's PHI for a purpose prohibited at 45 CFR 164.502(a)(5)(iii). 
In the context of other permissions, where the risk of improper use or 
disclosure is less, the benefits of an attestation condition would be 
outweighed by the administrative burden of compliance. Accordingly, any 
disclosures made pursuant to 45 CFR 164.512(b), which includes 
disclosures for public health surveillance, investigations, or 
interventions, do not require an attestation. However, we note that 
requests made pursuant to other permissions of the rule remain subject 
to and must be evaluated for compliance with the prohibition at 45 CFR 
164.502(a)(5)(iii).
    Comment: A commenter stated that no attestation should be needed 
for judicial and administrative proceedings because current 
requirements are adequate. Instead, the commenter requested that the 
Department consider expanding procedural protections.
    Response: We are finalizing the requirement that regulated entities 
obtain an attestation as a condition of a use or disclosure of PHI for 
judicial and administrative proceedings. As previously discussed, the 
attestation requirement ensures that certain Privacy Rule permissions 
are not used to circumvent the prohibition. The attestation requirement 
also reduces the burden on regulated entities because it is 
specifically designed to facilitate compliance with the prohibition 
under 45 CFR 164.502(a)(5)(iii) by helping regulated entities determine 
whether the use or disclosure of the requested PHI is permitted. 
Although a court order, qualified protective order, satisfactory 
assurance, or subpoena may have a restriction that prevents information 
requested from being further disclosed, it protects PHI only after it 
has been used or disclosed. Thus, the regulated entity's use or 
disclosure of PHI could still violate the prohibition at 45 CFR 
164.502(a)(5)(iii), even if that disclosure is made in response to a 
court order, qualified protective order, satisfactory assurance, or 
subpoena. The attestation requirement helps to mitigate the risk of 
violations in these circumstances.
    Comment: A few commenters expressed concerns about their ability to 
implement the attestation requirement

[[Page 33036]]

in circumstances where the use or disclosure is triggered by a 
mandatory reporting law or verbal request and recommended that no 
attestation should be required in any case where disclosure of PHI is 
required by law. According to the commenters, an attestation 
requirement could require a significant change to operational workflows 
for permitted disclosures and significantly impede operations for state 
and local agencies that conduct death investigations and perform public 
health studies and initiatives.
    Response: The Privacy Rule at 45 CFR 164.512(a) permits certain 
uses and disclosures of PHI that are required by law, including 
notification of certain deaths by a covered health care provider to a 
medical examiner, when those uses and disclosures are limited to the 
requirements of such law. The attestation condition does not apply to 
the mandatory disclosures made pursuant to 45 CFR 164.512(a). Other 
mandatory reporting that is subject to 45 CFR 164.512(a)(2) has always 
been subject to the additional requirements of 45 CFR 164.512(c), (e), 
or (f). Further, mandatory reporting for public health activities 
pursuant to 45 CFR 164.512(b) does not require an attestation.
    The attestation condition applies if the regulated entity is making 
a use or disclosure to a coroner or medical examiner pursuant to 45 CFR 
164.512(g)(1). We understand that this may require regulated entities 
to adjust their workflows to comply with this requirement. For example, 
regulated entities could consider having an electronic attestation form 
readily available for persons that request the use or disclosure of PHI 
potentially related to reproductive health care because doing so may 
reduce delays in the regulated entity's response time related to the 
attestation condition. Thus, this condition will not significantly 
impede operations for persons who request information because the 
interruptions will decrease as they adjust their workflows to 
accommodate the new condition.
    We remind regulated entities that the prohibition in 45 CFR 
164.502(a)(5)(iii) applies, regardless of whether the request for PHI 
is made pursuant to a permission for which an attestation is required 
or another permission.
    Comment: Many commenters urged the Department to implement a 
reasonable, good faith standard or a safe harbor for situations in 
which a regulated entity discloses PHI and the person requesting the 
PHI either uses or rediscloses it for a purpose that would be 
prohibited under the proposed rule. Some commenters were concerned that 
a covered entity will be liable for inadvertent disclosures of PHI and 
sought the benefit of the affirmative defense afforded at 45 CFR 
160.410(b)(2).
    Response: The Department declines to add a ``good faith'' standard 
or safe harbor to this final rule. As discussed above, the Department 
is not finalizing a separate Rule of Construction and is not 
incorporating the phrase ``primarily for the purpose of'' into the 
final prohibition standard.
    As we explained in the 2023 Privacy Rule NPRM, 45 CFR 164.509 
requires a new attestation for each use or disclosure request; a single 
attestation would not be sufficient to permit multiple uses or 
disclosures. This requirement is unlike the authorization, where 
generally, when a regulated entity receives a valid authorization, they 
may continue to use or disclose PHI to the person requesting the use or 
disclosure of PHI pursuant to that authorization after the initial 
disclosure, provided that such subsequent uses and disclosures are 
valid and related to that authorization. We understand that this may 
constitute an additional administrative burden for both the regulated 
entity and the person or entity requesting the information; however, 
requiring an attestation for each use or disclosure is necessary to 
ensure that certain Privacy Rule permissions are not used to circumvent 
the new prohibition at 45 CFR 164.502(a)(5)(iii), and to permit 
essential disclosures.
    Comment: Some commenters expressed support for permitting a 
regulated entity to rely on an attestation if ``it appears objectively 
reasonable'' or ``when objectively reasonable'' and not requiring 
covered entities to investigate the accuracy of an attestation, thereby 
mitigating liability to the regulated entity, if not fully protecting 
an individual. Many commenters expressed concern that it would not be 
objectively reasonable for a regulated entity to rely on a 
representation made by the person requesting the use or disclosure of 
PHI that the PHI sought was related to unlawful health care. The 
commenters requested a guarantee that a health care provider's reliance 
on a ``facially valid'' attestation would be objectively reasonable 
without requiring the entity to investigate the intentions of the 
person requesting the use or disclosure of PHI and the validity of 
their attestation. A commenter recommended that the final rule direct 
regulated entities to take attestations at face value and hold harmless 
regulated entities in the event of a false attestation.
    Commenters offered several reasons for these recommendations, 
including the burden on covered entities where they are required to 
determine: (1) the veracity of every attestation; (2) whether an 
attestation is required; and (3) whether the statement that the request 
for the use or disclosure is not for a purpose prohibited under 45 CFR 
164.502(a)(5)(iii) is objectively reasonable.
    Response: To assist in effectuating the prohibition, this Final 
Rule requires an attestation in some circumstances. We recognize the 
potential burden on regulated entities to investigate the validity of 
every attestation and do not require that they conduct a full 
investigation in each instance. However, as discussed above, if an 
attestation, on its face, meets the requirements at 45 CFR 164.509(c), 
a regulated entity must consider the totality of the circumstances 
surrounding the attestation and whether it is reasonable to rely on the 
attestation in those circumstances. To determine whether it is 
reasonable to rely on the attestation, a regulated entity should 
consider, among other things: who is requesting the use or disclosure 
of PHI; the permission upon which the person making the request is 
relying; the information provided to satisfy other conditions of the 
relevant permission; the PHI requested and its relationship to the 
purpose of the request (i.e., does the request meet the minimum 
necessary standard in relation to the purpose of the request); and, 
where the presumption at 45 CFR 164.502(a)(5)(iii)(C) applies, 
information provided by the person requesting the use or disclosure of 
PHI to overcome that presumption.
    For example, as discussed above, it may not be reasonable for a 
regulated entity to rely on an attestation filed by a public official 
that a request for PHI potentially related to reproductive health care 
is not for a prohibited purpose when that public official has publicly 
stated their interest in investigating or imposing liability on those 
who seek, obtain, provide, or facilitate certain types of lawful 
reproductive health care. If a regulated entity concludes that it would 
not be reasonable to rely on the attestation in this instance, the 
regulated entity would be prohibited from disclosing the requested PHI 
unless and until the public official provided additional information 
that enables the regulated entity to assess the veracity of its 
attestation. In contrast, it may be reasonable to rely on the 
representation of a public official that a request for PHI potentially 
related to reproductive

[[Page 33037]]

health care is not for a prohibited purpose if the stated purpose for 
the request is to investigate insurance fraud and the public official 
making the request is expressly authorized by law to conduct insurance 
fraud investigations as part of their legal mandate. Therefore, as 
discussed above, the Department is balancing these considerations by 
finalizing language that generally permits a regulated entity to rely 
on the attestation if it is reasonable for the regulated entity to 
believe the statement that the requested disclosure of PHI is not for a 
purpose prohibited by 45 CFR 164.502(a)(5)(iii).\361\ To further assist 
regulated entities in determining whether it is reasonable to rely on 
the attestation, the requirement that the attestation include a clear 
statement that the use or disclosure is not for a prohibited purpose 
under 45 CFR 164.502(a)(5)(iii) may be satisfied with a statement that 
identifies why the use or disclosure is not prohibited, which could be 
checkboxes that indicate that the use or disclosure is not for a 
purpose described in 45 CFR 164.502(a)(5)(iii)(A), or that the 
reproductive health care does not satisfy the Rule of Applicability at 
45 CFR 164.502(a)(5)(iii)(B).
---------------------------------------------------------------------------

    \361\ This approach is consistent with 45 CFR 164.514(h), which 
requires a regulated entity to verify the identity and legal 
authority of a public official or a person acting on behalf of the 
public official and describes the type of documentation upon which 
the regulated entity can rely, if such reliance is reasonable under 
the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A), 
which permits a covered entity to rely, if such reliance is 
reasonable under the circumstances, on a requested disclosure as the 
minimum necessary for the stated purpose when making disclosures to 
public officials that are permitted under 45 CFR 164.512, if the 
public official represents that the information requested is the 
minimum necessary for the stated purpose(s).
---------------------------------------------------------------------------

    Where the request for the use or disclosure of PHI is made of the 
regulated entity that provided the reproductive health care at issue, 
the regulated entity should ensure that the reproductive health care 
was not lawful under the circumstances in which such health care was 
provided before using or disclosing the requested PHI. If the 
reproductive health care at issue was provided under circumstances in 
which such health care was lawful, the regulated entity must obtain an 
attestation and determine whether it is reasonable to rely on the 
attestation that the use or disclosure is not being requested to 
conduct an investigation into or impose liability on any person for the 
mere act of seeking, obtaining, providing, or facilitating such 
reproductive health care. If the reproductive health care at issue was 
provided under circumstances in which such health care was unlawful, 
the regulated entity is permitted, but not required, to disclose the 
PHI if the disclosure meets the conditions of an applicable Privacy 
Rule permission, which may include an attestation.
    Regulated entities will not generally be held liable for disclosing 
PHI to a person who signed the attestation under false pretenses, 
provided that the requirements of 45 CFR 164.509 are met, and it is 
reasonable under the circumstances for the regulated entity to believe 
the statement that the requested disclosure of PHI is not for a purpose 
prohibited by 45 CFR 164.502(a)(5)(iii).
    Comment: A commenter recommended that the rule clarify the 
relationship between the attestation and 45 CFR 164.514(h) regarding 
verification requirements. They requested that the Department consider 
making explicit in the Final Rule that reliance on legal process would 
not be appropriate in the absence of an attestation.
    Response: The verification requirement under 45 CFR 164.514(h) 
\362\ is separate from the attestation requirement, and a regulated 
entity must still comply with 45 CFR 164.514(h) when processing an 
attestation. The final rule makes clear that the attestation 
requirement will apply if the request for PHI potentially related to 
reproductive health care is made pursuant to permissions under 45 CFR 
164.512(d)-(g)(1), which may include disclosing PHI pursuant to a legal 
process.
---------------------------------------------------------------------------

    \362\ 45 CFR 164.514(h)(1) requires a regulated entity to verify 
both the identity of the person requesting PHI and the authority of 
any such person to have access to PHI, if the identity or authority 
of such person is not known to the regulated entity. 45 CFR 
164.514(h)(2)(ii) describes the information upon which a regulated 
entity may rely, if such reliance is reasonable under the 
circumstances, to verify the identity of a public official 
requesting PHI or a person acting on behalf of a public official, 
while 45 CFR 164.514(h)(2)(iii) describes the information upon which 
a regulated entity may rely, if such reliance is reasonable under 
the circumstances, to verify the authority of the public official 
requesting PHI or a person acting on behalf of a public official.
---------------------------------------------------------------------------

    Comment: Some commenters stated that it is difficult to determine 
the purpose of a request for the use or disclosure of PHI because many 
requests include only a general purpose. A commenter asserted that 
staff would need to screen all incoming requests, a task that may 
require legal or clinical expertise. Further, some commenters stated 
that regulated entities may experience conflict with persons requesting 
the use or disclosure of PHI about signing the form.
    Response: This final rule prohibits the use and disclosure of PHI 
for certain purposes and conditions disclosures for certain purposes 
upon the receipt of an attestation. Thus, it is incumbent upon the 
regulated entity receiving the request to determine whether disclosure 
is in compliance with the Privacy Rule. To help the regulated entity 
make such a determination, the Department is adding to the required 
elements of the attestation a description of the purpose of the request 
that is sufficient for the regulated entity to determine whether the 
prohibition at 45 CFR 164.502(a)(5)(iii) may apply to the request. 
Requests for the use or disclosure of PHI for the specified purposes 
are likely subject to heightened scrutiny by the regulated entity 
currently because of other conditions imposed upon such disclosures by 
the Privacy Rule, so additional expertise will not always be required 
when processing a request for the use or disclosure of PHI and the 
accompanying attestation. For example, under the Privacy Rule, a 
regulated entity must determine whether a request for the use or 
disclosure of PHI for a judicial or administrative proceeding made 
using a subpoena, discovery request, or other lawful process, that is 
not accompanied by an order of a court or administrative tribunal 
contains ``satisfactory assurances'' that reasonable efforts have been 
made by the person making the request either: (1) to ensure that the 
individual who is the subject of the PHI that has been requested has 
been given notice of the request; \363\ or (2) to secure a qualified 
protective order that meets certain requirements specified in the 
Privacy Rule.\364\ The Privacy Rule further details how regulated 
entities are to determine whether they have received ``satisfactory 
assurances'' for both options described above.\365\ Such requirements 
ensure that a regulated entity must already carefully review requests 
for such purposes, such that the attestation condition likely poses 
minimal additional burden for such requests. In any event, the 
Department believes that these administrative burdens are outweighed by 
the privacy interests that this final rule seeks to protect.
---------------------------------------------------------------------------

    \363\ 45 CFR 164.512(e)(1)(ii)(A).
    \364\ 45 CFR 164.512(e)(1)(ii)(B).
    \365\ 45 CFR 164.512(e)(1)(iii) and (iv).
---------------------------------------------------------------------------

    Comment: Many commenters asserted that it would be reasonable to 
require affirmative verification under penalty of perjury that the 
request for the use or disclosure of PHI is not for a purpose 
prohibited under 45 CFR 164.502(a)(5)(iii) because it would signal an 
intent to penalize requests

[[Page 33038]]

made to contravene the prohibition; would incentivize persons 
requesting the use or disclosure of PHI to consider whether their 
request is for a purpose prohibited under 45 CFR 164.502(a)(5)(iii); 
deter unlawful ``fishing expeditions'' or attempts to conceal improper 
intent; and 
add a layer of accountability. Another commenter stated this heightened 
standard would enable the covered entity to reasonably rely in good 
faith on the substance of the attestation without further 
investigation, delay, cost, burden, or dispute. According to the 
commenter, a person making a request for the use or disclosure of PHI 
in good faith should have minimal to no concern when providing a 
statement signed under penalty of perjury. Another commenter supported 
a requirement that a person requesting the use or disclosure of PHI 
provide an affirmative verification made under penalty of perjury that 
the use or disclosure is not for a purpose prohibited under 45 CFR 
164.502(a)(5)(iii) because it would suggest that evidence obtained 
falsely would not be admissible in a legal proceeding. A commenter 
asserted that it is important to ensure that the proposed attestations 
would be as effective as possible, and including a signed declaration 
made under penalty of perjury is critical to ensuring their 
effectiveness in the current legal environment. A commenter endorsed 
adding a statement regarding perjury to the proposed attestation 
because it would place the person requesting the use or disclosure of 
PHI on notice of the criminal penalties if the person were to violate 
the proposed requirement.
    A commenter asserted that the penalty of perjury requirement is a 
common signature standard for legal and administrative proceedings and 
expressed support for expanding it to other proceedings. The commenter 
also expressed support for considering other options because of 
concerns that the application and consequences of making a statement 
under a penalty of perjury may lack clarity outside of certain 
proceedings.
    Response: We appreciate commenters' suggestions; however, the 
Department ultimately decided that the addition of a penalty of perjury 
would be unnecessary in light of the statutory criminal and civil 
penalties under HIPAA. 42 U.S.C. 1320d-6 provides that any person who 
knowingly and in violation of the Administrative Simplification 
provisions obtains IIHI relating to another individual or discloses 
IIHI to another person is subject to criminal liability.\366\ A 
regulated entity is also subject to civil penalties for violations of 
requirements of the HIPAA Rules.\367\ Thus, a person that requests PHI 
who knowingly falsifies an attestation (e.g., makes material 
misrepresentations as to the intended uses of the PHI requested) to 
obtain PHI or cause PHI to be disclosed would be in violation of HIPAA 
and could be subject to criminal penalties.\368\
---------------------------------------------------------------------------

    \366\ See 42 U.S.C. 1320d-6(a).
    \367\ See 42 U.S.C. 1320d-5. See also 45 CFR part 160, subparts 
A, D, and E.
    \368\ See 42 U.S.C. 1320d-6(b).
---------------------------------------------------------------------------

    Comment: Some commenters expressed support for requiring that the 
attestation include a statement that a person signing an attestation is 
doing so under penalty of perjury, but they also questioned its ability 
to prevent a person from requesting the use or disclosure of PHI for a 
purpose prohibited under 45 CFR 164.502(a)(5)(iii) and recommended 
additional requirements or alternatives. One commenter expressed 
concern that there would be no disincentive for the recipient to submit 
an attestation signed under false pretenses in the absence of 
enforceable penalties. A different commenter questioned the efficacy of 
a penalty of perjury requirement because the person requesting the use 
or disclosure may not be the person that uses the PHI for a purpose 
prohibited under 45 CFR 164.502(a)(5)(iii); it might be another person 
who uses the information for a purpose prohibited under that provision. 
According to the commenter, no criminal or other penalty would attach 
because that other person did not sign the attestation. The commenter 
also expressed concern that an attestation signed on behalf of an 
entity may not be enforceable because the person who signed the 
attestation did not have authority to bind the entity.
    Commenters variously recommended that the Department include 
language that the person requesting the use or disclosure of PHI would 
not further use or disclose the PHI for a purpose prohibited under 45 
CFR 164.502(a)(5)(iii) and that the requested information is the 
minimum necessary, or require a search warrant or data use agreement 
instead of an attestation. A commenter recommended that the Department 
provide individuals with an actionable remedy, such as the right to 
receive a portion of any civil money penalty assessed to the regulated 
entity or the right to ``claw back'' the disclosure from the receiving 
entity if the party that signed the attestation later violates its 
terms.
    Response: The Department understands and shares commenters' 
concerns about redisclosures that would be prohibited by this rule if 
the disclosure was made by a regulated entity. However, HIPAA limits 
the Department's authority to regulating PHI maintained or transmitted 
by a regulated entity, that is, a covered entity or its business 
associate. Accordingly, a person that is not a regulated entity 
generally may use or disclose such information without further 
limitation by the HIPAA Rules.
    Requiring search warrants or data use agreements as a condition of 
the use or disclosure of PHI is beyond the scope of this final rule.
    With respect to the commenter's concern about situations in which a 
person who does not have the appropriate authority requests PHI on 
behalf of a public official, the Privacy Rule generally requires that a 
regulated entity verify the identity and legal authority of persons 
requesting PHI prior to making the disclosure.\369\ Where a disclosure 
of PHI is to a public official or person acting on behalf of a public 
official who has the authority to request the information, a regulated 
entity may verify the authority of that public official by relying on, 
if reliance is reasonable under the circumstances, either a written 
statement of legal authority under which the information is requested 
(or an oral statement, if the written statement is impracticable).\370\ 
Alternatively, a regulated entity may presume the public official's 
legal authority if a request is made pursuant to legal process, 
warrant, subpoena, order, or other legal process issued by a grand jury 
or a judicial or administrative tribunal.\371\ We remind regulated entities 
that a determination that a public official has the authority to make a 
request for the use or disclosure does not mean that the Privacy Rule 
permits them to obtain any and all information that the official 
requests. In such circumstances, the regulated entity should carefully 
review the conditions of the applicable permission to ensure that they 
are met. Where the condition involves a warrant, subpoena, or similar 
instrument, the regulated entity must also review the scope of the 
authority granted by the warrant, subpoena, or order to determine the 
extent of the PHI that it is permitted to disclose.\372\ Further, a 
regulated entity may rely, if such reliance is reasonable under the

[[Page 33039]]

circumstances, on a requested disclosure by a public official as the 
minimum necessary if the public official represents that the requested 
PHI is the minimum necessary for the stated purpose.\373\
---------------------------------------------------------------------------

    \369\ See 45 CFR 164.514(h); see also 65 FR 82462, 82541, and 
82547 (Dec. 28, 2000).
    \370\ 45 CFR 164.514(h)(2)(iii)(A).
    \371\ 45 CFR 164.514(h)(2)(iii)(B).
    \372\ 45 CFR 164.512(a)(1).
    \373\ 45 CFR 164.514(d)(3)(iii)(A).
---------------------------------------------------------------------------

    HIPAA specifies the remedies available to the Federal Government 
where persons violate the statute's Administrative Simplification 
provisions: civil monetary penalties \374\ and criminal fines and 
imprisonment.\375\ HIPAA does not include a private right of action.
---------------------------------------------------------------------------

    \374\ 42 U.S.C. 1320d-5.
    \375\ 42 U.S.C. 1320d-6.
---------------------------------------------------------------------------

    Comment: One commenter asked the Department to clarify that anyone 
providing a false attestation would be held accountable for false 
statements with appropriate or significant civil fines or criminal 
penalties for the material misrepresentation. Another commenter 
specifically recommended that the Department consider it a material 
misrepresentation for a person to sign an attestation without an 
objectively reasonable basis to suspect that the reproductive health 
care of interest was unlawful under the circumstances in which such 
health care was provided. The commenter asserted that the attestation 
should include specific language that any person who is requesting the 
use or disclosure of PHI because they believe the reproductive health 
care was not lawful under the circumstances in which such health care 
was provided must have a reasonable basis for that belief (e.g., a 
statement from a witness) and that the absence of an articulable, fact-
based reasonable suspicion would constitute a material 
misrepresentation. According to the commenter, such a requirement would 
prevent fishing expeditions because persons requesting the use or 
disclosure of PHI would be required to have an actual, objective reason 
for believing that a person provided health care in violation of state 
or Federal law.
    Response: The Department agrees that it would be a material 
misrepresentation if a person who signs an attestation does not have an 
objectively reasonable basis to suspect that the reproductive health 
care was provided under circumstances in which it was unlawful, and 
that an objectively reasonable basis of suspicion requires specific and 
articulable facts associated with the individual whose PHI is requested 
and the health care they received. We decline to include a statement of 
this position on the attestation because it is encompassed in the 
language that requires persons making a request for PHI to attest that 
they are not making the request for a prohibited purpose and the 
language ensuring that persons making such requests are aware of the 
potential liability for knowingly and in violation of HIPAA obtaining 
IIHI relating to an individual or disclosing IIHI to another person.
    Comment: Some commenters urged the Department to include additional 
provisions to monitor and enforce the attestation condition, including 
requiring that a court order, written attestation, or valid 
authorization accompany requests for the use or disclosure of PHI for 
legal or administrative proceedings or law enforcement investigations.
    Response: The attestation condition does not replace the conditions 
of the Privacy Rule's permissions for a regulated entity to disclose 
PHI in response to a subpoena, discovery request, or other lawful 
process,\376\ or administrative request.\377\ Instead, it is designed 
to work with these permissions and their associated conditions. For PHI to be 
disclosed pursuant to 45 CFR 164.512(e)(1)(ii) and (f)(1)(ii)(C), a 
regulated entity must verify that the relevant conditions are met and 
also satisfy the attestation condition at 45 CFR 164.509. We do not 
believe it is necessary to include additional requirements to monitor 
and enforce implementation of the attestation condition because a 
person who knowingly and in violation of the Administrative 
Simplification provisions obtains IIHI relating to an individual or 
discloses IIHI to another person would be subject to criminal 
liability.\378\
---------------------------------------------------------------------------

    \376\ 45 CFR 164.512(e)(1)(ii).
    \377\ 45 CFR 164.512(f)(1)(ii)(C).
    \378\ See 42 U.S.C. 1320d-6(a).
---------------------------------------------------------------------------

    Comment: Almost all commenters responding to the Department's 
request for comment expressed support for a Department-developed model 
attestation or sample language that could be used by regulated entities 
to reduce the implementation burden of the attestation condition. A 
large health care provider expressed appreciation for options that 
would simplify the process for reviewing requests for the use or 
disclosure of PHI made pursuant to 45 CFR 164.512(d)-(g)(1). Other 
commenters asserted that a standard form would reduce unnecessary 
variation, support a consistent approach, decrease implementation 
costs, and make it easier for a regulated entity to identify requests 
for the use or disclosure of PHI for purposes prohibited under 45 CFR 
164.502(a)(5)(iii).
    Several commenters suggested that a universal or standardized 
attestation form would reduce the burden of the attestation 
requirement, especially for smaller health care providers, and reduce 
delays in the disclosure of PHI resulting from the need for legal 
review or unfamiliarity with the format of an attestation provided by a 
person requesting the use or disclosure of PHI. One of these commenters 
stated this would also support electronic data exchange by 
standardizing attestation fields and the format. Most commenters 
expressed opposition to a Department-required format and recommended 
that the Department permit covered entities to modify the language of 
the attestation.
    Some commenters requested that the model attestation include a 
plain language explanation and a tip sheet or guidance for completion. 
They also requested that the model be an electronic, fillable form with 
a clear heading and that the editing capabilities be limited to the 
specific required fields. Some commenters recommended that the model 
attestation contain an outline of penalties for misuse of PHI.
    A commenter requested that the Department guarantee that a health 
care provider's good faith reliance on a model attestation form would 
be objectively reasonable.
    Response: We appreciate these recommendations and intend to publish 
model attestation language before the compliance date of this final 
rule. As discussed above, even where an attestation, on its face, meets 
the requirements at 45 CFR 164.509(c), a regulated entity must consider 
the totality of the circumstances surrounding the attestation and 
whether it is reasonable to rely on the attestation in those 
circumstances.
    Comment: In response to the Department's request for comment on how 
the proposed attestation would affect a regulated entity's process for 
responding to regular or routine requests from certain persons, a few 
commenters explained their current workflows and the resource 
requirements for managing these requests.
    Some commenters suggested that an attestation requirement might 
require changes to workflows and discussed the changes that might be 
made.
    Response: The Department appreciates these insights into how 
regulated entities currently respond to certain requests for the use or 
disclosure of PHI. We confirm that a person requesting the use or 
disclosure of PHI

[[Page 33040]]

pursuant to 45 CFR 164.512(d), (e), (f), or (g)(1) must provide the 
regulated entity a signed and truthful attestation where the request is 
for PHI potentially related to reproductive health care before the 
regulated entity is permitted to use or disclose the requested PHI. The 
Department will consider developing guidance and technical assistance 
on these topics in the future as necessary to ensure compliance with 
the Privacy Rule, including both the prohibition at 45 CFR 
164.502(a)(5)(iii) and the attestation condition at 45 CFR 164.509. It 
may benefit a regulated entity 
to require such documentation where the requested use or disclosure is 
for TPO or in response to a valid authorization or individual right of 
access request.
    Comment: A few commenters recommended imposing obligations to limit 
redisclosures of PHI for certain purposes.
    A few commenters stated that a person requesting the use or 
disclosure of PHI could seek a court order or provide a written 
attestation to permit the regulated entity to make the disclosure in 
question in the event they were unable to obtain an authorization.
    Response: While we understand commenters' concerns regarding the 
uses and disclosures of health information by entities not covered by 
the Privacy Rule, the Department is limited to applying the HIPAA Rules 
to those entities covered by HIPAA (i.e., health plans, health care 
clearinghouses, and health care providers that conduct covered 
transactions) and to business associates, as provided under the HITECH 
Act.
    In the 2023 Privacy Rule NPRM, the Department considered permitting 
regulated entities to make uses or disclosures of PHI only after 
obtaining a valid authorization. However, the Department rejected the 
approach because requiring an authorization in all circumstances would 
not reflect the appropriate balance between individual privacy 
interests and other societal interests in disclosure. In particular, 
individuals may decline to authorize disclosure of PHI even in 
circumstances where their privacy interests are reduced and societal 
interests in disclosure are heightened, such as where the reproductive 
health care was unlawful under the circumstances in which it was 
provided.
    Comment: Some commenters requested that the Department provide 
educational resources for regulated entities to implement the 
attestation. A commenter encouraged the Department to strongly enforce 
the attestation provision.
    Response: We appreciate these recommendations and commit to 
providing additional resources to assist regulated entities with 
implementation of this rule.
    Comment: In response to the Department's request for comment on 
alternative documentation that could assist regulated entities in 
complying with the proposed limitations on the use and disclosure of 
PHI, some commenters recommended that an attestation always be 
required, even if additional documentation is mandated, because the 
attestation would place the person requesting the use or disclosure of 
PHI on notice of the prohibition and hold them accountable if they 
use the PHI for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), in 
addition to helping a covered entity to determine whether the PHI is 
being requested for a legitimate or prohibited purpose. Others agreed 
because of the risk of coercion when authorizations are sought from 
individuals for certain purposes.
    Some commenters suggested that the Department require that a court 
order, written attestation, or valid authorization accompany a request 
for the use or disclosure of any PHI for legal or administrative 
proceedings or law enforcement investigations because there are 
circumstances under which it would be unlikely for a person to obtain 
an authorization. Some commenters recommended that the Department not 
require an attestation when the disclosure of PHI is required by law, 
or when so ordered by a court of competent jurisdiction. A commenter 
proposed that the Department permit regulated entities to make the 
specified uses and disclosures with a written attestation, a HIPAA 
authorization, or alternative documentation described by the 
Department, including a court order, to minimize the administrative 
burden.
    Response: The Department appreciates the approaches recommended by 
commenters to ensure that PHI requested is not for a prohibited 
purpose. We also believe that the attestation will place the person 
requesting the use or disclosure of PHI on notice of the prohibition 
and serve to hold them accountable if they use the PHI for a purpose 
prohibited by 45 CFR 164.502(a)(5)(iii). However, we have limited the 
attestation requirement to requests for PHI that is potentially related 
to reproductive health care. In addition, as discussed above, because 
the Privacy Rule's authorization requirements empower individuals to 
make decisions about who has access to their PHI, we are not adopting 
the proposed exception to the permission to use or disclose PHI 
pursuant to a valid authorization, nor are we adopting the other 
recommendations made by commenters. The Department is not finalizing 
its proposal to prohibit the disclosure of PHI for a purpose prohibited 
by 45 CFR 164.502(a)(5)(iii) pursuant to an authorization. Accordingly, 
the final rule permits the disclosure of an individual's PHI to another 
person pursuant to a valid authorization, even if the disclosure would 
otherwise be prohibited under this rule. Therefore, a regulated entity 
may disclose PHI for a purpose that otherwise would be prohibited under 
45 CFR 164.502(a)(5)(iii) by obtaining a valid authorization or 
pursuant to the individual right of access. We reiterate that in all 
cases, the conditions of the underlying permission must be met before a 
regulated entity is permitted to use or disclose the requested PHI.

D. Section 164.512--Uses and Disclosures for Which an Authorization or 
Opportunity To Agree or Object Is Not Required

1. Applying the Prohibition and Attestation Condition to Certain 
Permitted Uses and Disclosures
    Section 164.512 of the Privacy Rule contains the standards for uses 
and disclosures for which an authorization or opportunity to agree or 
object is not required. Many of the uses and disclosures addressed by 
45 CFR 164.512 relate to government or administrative functions and are 
described in the 2000 Privacy Rule preamble as ``national priority 
purposes.'' \379\ These permissions for uses and disclosures were not 
required by HIPAA; instead they represented the Secretary's previous 
balancing of the privacy interests and expectations of individuals and 
the interests of communities in making certain information available 
for community purposes, such as for certain public health, health care 
oversight, and research purposes.\380\ As discussed previously, the 
Department, in its implementation of HIPAA, has sought to ensure that 
individuals do not forgo health care when needed--or withhold important 
information from their health care providers that may affect the 
quality of health care they receive--out of a fear that their sensitive 
information would be revealed outside of their relationships with their 
health care providers.
---------------------------------------------------------------------------

    \379\ 65 FR 82462, 82524 (Dec. 28, 2000).
    \380\ See id. at 82471.
---------------------------------------------------------------------------

    To clarify that the proposal at 45 CFR 164.502(a)(5)(iii) would 
prohibit the use and disclosure of PHI in some

[[Page 33041]]

circumstances where such uses or disclosures are currently permitted, 
the Department proposed to cite the proposed prohibition at the 
beginning of the introductory text of 45 CFR 164.512 and condition 
certain disclosures on the receipt of the attestation proposed at 45 
CFR 164.509.\381\ The proposed modification would add the clause, 
``Except as provided by 45 CFR 164.502(a)(5)(iii), [. . .]'' and add 
``and 45 CFR 164.509'' to ``subject to the applicable requirements of 
this section.'' This would create a new requirement to obtain an 
attestation from the person requesting the use and disclosure of PHI as 
a condition of making certain types of permitted uses and disclosures 
of PHI. Thus, under the proposal and subject to the Department 
finalizing the prohibition at paragraph (a)(5)(iii) of 45 CFR 164.502, 
uses and disclosures of PHI for certain purposes would be prohibited 
unless a regulated entity first obtained an attestation from the person 
requesting the use and disclosure under proposed 45 CFR 164.509.
---------------------------------------------------------------------------

    \381\ 88 FR 23506, 23537-38 (Apr. 17, 2023).
---------------------------------------------------------------------------

    The Department also proposed to replace ``orally'' with 
``verbally'' at the end of the introductory paragraph for clarity.
Overview of Public Comments
    While many commenters addressed the proposals to add a prohibition 
on the use and disclosure of PHI and to require an attestation in 
certain circumstances, few commenters addressed the proposal to modify 
the introductory paragraph to 45 CFR 164.512. Such commenters either 
expressed support for it or requested additional guidance on the 
Department's intention or the proposal's operation.
    The Department is adopting its proposal without modification. As 
discussed above, this change creates a new requirement for a regulated 
entity to obtain an attestation from a person requesting the use or 
disclosure of PHI as a condition of making certain types of permitted 
uses and disclosures of PHI. For example, the Privacy Rule currently 
permits uses and disclosures for health care oversight,\382\ judicial 
and administrative proceedings,\383\ law enforcement purposes,\384\ and 
about decedents to coroners and medical examiners,\385\ provided 
specified conditions are met. When read in conjunction with the new 
prohibition at 45 CFR 164.502(a)(5)(iii), uses and disclosures of PHI 
for these purposes will be subject to an additional condition that the 
regulated entity first obtain an attestation from the person requesting 
the use and disclosure under the new attestation requirement at 45 CFR 
164.509.
---------------------------------------------------------------------------

    \382\ 45 CFR 164.512(d).
    \383\ 45 CFR 164.512(e).
    \384\ 45 CFR 164.512(f).
    \385\ 45 CFR 164.512(g)(1).
---------------------------------------------------------------------------

    The Department assumes that there will be instances in which state 
or other law requires a regulated entity to use or disclose PHI for 
health care oversight, judicial and administrative proceedings, law 
enforcement purposes, or about decedents to coroners and medical 
examiners for a purpose not related to one of the prohibited purposes 
in 45 CFR 164.502(a)(5)(iii). The Department believes that a regulated 
entity will be able to comply with such laws and the attestation 
requirement. For example, a regulated entity may continue to disclose 
PHI without an individual's authorization to a state medical board, a 
prosecutor, or a coroner, in accordance with the Privacy Rule, when the 
request is accompanied by the required attestation. As a result, a 
regulated entity generally may continue to assist the state in carrying 
out its health care oversight, judicial and administrative functions, 
law enforcement, and coroner duties with the use or disclosure of PHI 
once a facially valid attestation has been provided to the regulated 
entity from whom PHI is sought. However, where an attestation is 
required but not obtained, a state seeking information about an 
individual's reproductive health or reproductive health care would need 
to obtain such information from an entity not regulated under the 
Privacy Rule \386\ or demonstrate that the regulated entity has actual 
knowledge that the reproductive health care was not lawful under the 
circumstances in which such health care was provided, thereby reversing 
the presumption described at 45 CFR 164.502(a)(5)(iii)(C).
---------------------------------------------------------------------------

    \386\ The Privacy Rule only applies to PHI, which is IIHI that 
is maintained or transmitted by, for, or on behalf of a covered 
entity. Thus, it does not apply to individuals' health information 
when it is in the possession of a person that is not a regulated 
entity, such as a friend, family member, or is stored on a personal 
cellular telephone or tablet. See Off. for Civil Rights, 
``Protecting the Privacy and Security of Your Health Information 
When Using Your Personal Cell Phone or Tablet,'' U.S. Dep't of 
Health and Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/.
---------------------------------------------------------------------------

    Additionally, we are replacing ``orally'' with ``verbally'' for 
clarity. No substantive change is intended.
    Comment: One commenter expressed support for the Department's 
proposed revision to 45 CFR 164.512, while another commenter requested 
additional examples or detail in preamble about what the Department 
intends by this revision.
    Response: The Department intends that the uses and disclosures of 
PHI made in accordance with 45 CFR 164.512 would be subject to both the 
45 CFR 164.502(a)(5)(iii) prohibition and the 45 CFR 164.509 
attestation, when applicable, specifically uses or disclosures made for 
health oversight activities,\387\ judicial and administrative 
proceedings,\388\ law enforcement purposes,\389\ and about decedents to 
coroners and medical examiners.\390\ For example, a regulated entity 
may disclose PHI for law enforcement purposes, subject to the 
conditions of the permission at 45 CFR 164.512(f), where the purpose of 
the request for the use or disclosure is to investigate a sexual 
assault and the person requesting the PHI provides the regulated entity 
with a valid attestation signifying that the purpose of the request is 
not for a prohibited purpose. Similarly, where a request meets the 
requirements of 45 CFR 164.502(a)(5)(iii), a regulated entity may 
disclose PHI for law enforcement purposes, subject to the conditions of 
the permission at 45 CFR 164.512(f), where the purpose of the request 
for the use or disclosure is to investigate the unlawful provision of 
reproductive health care with a valid attestation signifying that the 
purpose of the request is not one that is prohibited (i.e., that the 
purpose of the use or disclosure is not to investigate or impose 
liability on any person for the lawful provision of reproductive health 
care). As another example, a regulated entity may disclose PHI to a 
state Medicaid agency in accordance with 45 CFR 164.512(d) where the 
purpose of the request is to ensure that the regulated entity is 
providing the reproductive health care for which the regulated entity 
has submitted claims for payment to Medicaid after obtaining an 
attestation that meets the requirements of 45 CFR 164.509 from the 
state Medicaid agency.
---------------------------------------------------------------------------

    \387\ 45 CFR 164.512(d).
    \388\ 45 CFR 164.512(e).
    \389\ 45 CFR 164.512(f).
    \390\ 45 CFR 164.512(g)(1).
---------------------------------------------------------------------------

    Comment: One commenter requested clarification regarding the 
intersection between the Department's proposed Rule of Construction at 
45 CFR 164.502(a)(5)(iii)(D) and its proposal at 45 CFR 164.512.
    Response: The Department is not adopting the proposed Rule of 
Construction. Rather, the language of the proposal has been integrated 
into the prohibition standard at 45 CFR 164.502(a)(5)(iii)(A). The 
finalized prohibition standard requires a

[[Page 33042]]

regulated entity to ensure that they obtain a valid attestation from a 
person requesting the use or disclosure of PHI for health oversight 
activities, judicial and administrative proceedings, law enforcement 
purposes, or about decedents to coroners or medical examiners, assuring 
the regulated entity that the purpose of the request is not for a 
purpose prohibited under 45 CFR 164.502(a)(5)(iii).
2. Making a Technical Correction to the Heading of 45 CFR 164.512(c) 
and Clarifying That Providing or Facilitating Reproductive Health Care 
Is Not Abuse, Neglect, or Domestic Violence
    Paragraph (c) of 45 CFR 164.512 permits a regulated entity to 
disclose PHI, under specified conditions, to an authorized government 
agency where the regulated entity reasonably believes the individual is 
a victim of abuse, neglect, or domestic violence. The regulatory text 
includes a serial comma, which clearly indicates that the provision 
addresses victims of three different types of crimes, but the heading 
of this standard does not include the serial comma.
    For grammatical clarity, the Department proposed to add the serial 
comma after the word ``neglect'' in the heading of the standard 
contained at 45 CFR 164.512(c).\391\
---------------------------------------------------------------------------

    \391\ 88 FR 23506, 23538 (Apr. 17, 2023).
---------------------------------------------------------------------------

    The Department also proposed to add a new paragraph (c)(3) to 45 
CFR 164.512(c), with the heading ``Rule of construction,'' to clarify 
that the permission to use or disclose PHI in reports of abuse, 
neglect, or domestic violence does not permit uses or disclosures based 
primarily on the provision or facilitation of reproductive health care 
to the individual.\392\ The Department intended the proposed provision 
to safeguard the privacy of individuals' PHI against claims that uses 
and disclosures of that PHI are warranted because the provision or 
facilitation of reproductive health care, in and of itself, may 
constitute abuse, neglect, or domestic violence.
---------------------------------------------------------------------------

    \392\ Id.
---------------------------------------------------------------------------

    A few commenters supported the proposal because it would clarify 
that providing or facilitating access to health care is not itself 
abuse, neglect, or violence, while others expressed opposition to the 
proposal because they believed it would prevent health care providers 
from reporting abuse based on the provision of reproductive health 
care, including potentially coerced reproductive health care. 
Commenters both supported and opposed the inclusion of the phrase 
``based primarily.''
    The Department is finalizing the proposal to add the serial comma 
after the word ``neglect'' in the heading of the standard contained at 
45 CFR 164.512(c).
    As we explained in the 2023 Privacy Rule NPRM, the Department is 
concerned that recent state actions may lead regulated entities to 
believe that they are permitted to make disclosures of PHI when they 
believe that persons who provide or facilitate access to reproductive 
health care are perpetrators of a crime simply because they provide or 
facilitate access to reproductive health care. Thus, the Department is 
clarifying that providing or facilitating access to lawful reproductive 
health care itself is not abuse, neglect, or domestic violence for 
purposes of the Privacy Rule. This is consistent with the Department's 
understanding that the provision or facilitation of lawful health care 
is not itself abuse, neglect, or domestic violence. Such clarification 
has not previously been required, but recent developments in the legal 
landscape have made it necessary for us to codify this interpretation 
in the context of reproductive health care.
    Accordingly, the Department is finalizing the proposed Rule of 
Construction at 45 CFR 164.512(c)(3), with modification as follows. The 
modification clarifies the circumstances under which regulated entities 
that are mandatory reporters of abuse, neglect, or domestic violence 
are permitted to make such reports. Specifically, we are replacing 
``based primarily on'' with language specifying that the prohibition at 
45 CFR 164.502(a)(5)(iii) cannot be circumvented by the permission to 
use or disclose PHI to report abuse, neglect, or domestic violence 
where the ``sole basis of'' the report is the provision or facilitation 
of reproductive health care. Thus, the Department makes clear that it 
may be reasonable for a covered entity that is a mandatory reporter to 
believe that an individual is the victim of abuse, neglect, or domestic 
violence and to make such report to the government authority authorized 
by law to receive such reports in circumstances where the provision of 
reproductive health care to the individual is but one factor prompting 
the suspicion. For example, it would not be reasonable for a covered 
entity to believe that an individual is the victim of domestic violence 
solely because the individual's spouse facilitated the covered entity's 
provision of reproductive health care to the individual.
    Comment: A few commenters supported the Department's proposal. One 
commenter asserted that providing or facilitating access to any type of 
health care is not in and of itself abuse, neglect, or domestic 
violence and urged the Department to expand the scope of this language, 
particularly if the prohibition is similarly expanded in the final 
rule.
    Response: The Department appreciates the comments about the 
modifications to 45 CFR 164.512(c). As discussed above, the scope of 
the prohibition is limited to reproductive health care. The proposed 
and final regulations are narrowly tailored and limited in scope to not 
increase regulatory burden beyond appropriate public policy objectives. 
Thus, we decline to expand the scope of this provision, as well.
    Comment: A large coalition expressed concerns about mandatory 
domestic violence and sexual assault reporting laws. According to the 
coalition, mandatory reporting laws reduce the willingness of domestic 
violence survivors to seek help, including health care, and that the 
reports themselves worsen the situation for most survivors. The 
coalition asserted that permitting the disclosure of PHI to law 
enforcement and other agencies for reports of abuse, neglect, or 
domestic violence isolates survivors of such abuse and puts them at 
risk of losing their children. These commenters recommended that the 
Department prevent such disclosures.
    Some commenters expressed opposition to the proposal because they 
believe it would put victims of domestic abuse at risk because it would 
prevent health care providers from reporting abuse, including child 
abuse, based on the provision or facilitation of reproductive health 
care. A commenter asserted that the proposal would circumvent the 
exception prohibiting disclosures to abusive persons at 45 CFR 
164.512(b)(1)(ii). According to another commenter, the change would 
chill the willingness of covered entities to cooperate with 
investigations and judicial proceedings concerning individuals who may 
have used reproductive health care, regardless of the matter being 
adjudicated.
    According to another commenter, the proposal is aimed at 
undermining state laws and shielding persons who provide or facilitate 
reproductive health care. Commenters expressed concern that the 
proposal would prohibit reports of abuse, neglect, or domestic violence 
because such reports are made for the purpose of investigating or 
prosecuting a person for providing or facilitating

[[Page 33043]]

unlawful reproductive health care, and for committing sexual assault.
    Response: The Department appreciates the concerns raised by the 
commenters. Since publication of the final Privacy Rule in 2000, the 
Department has acknowledged that covered entities, including covered 
health care providers, may have legal obligations to report PHI in 
certain circumstances, including about suspected victims of abuse, 
neglect, or domestic violence. The Department did not propose to modify 
the Privacy Rule's permission to disclose PHI at 45 CFR 164.512(c). The 
Department declines to expand its proposal to eliminate the permission 
for covered entities to disclose PHI to public health authorities, law 
enforcement, and other government authority authorized by law to 
receive reports of abuse, neglect, or domestic violence.
    Additionally, the Department does not agree that covered entities 
will be prevented from reporting PHI about victims of abuse, neglect, 
or domestic violence. The new language at 45 CFR 164.512(c)(3) is 
narrowly tailored to reduce the conflation between lawfully provided 
reproductive health care and the view that such lawful health care, on 
its own, is abuse. Readers are referred to the preamble discussion of 
45 CFR 164.502(a)(5)(iii) that describes the scope of disclosure 
changes which are being made applicable to 45 CFR 164.512(c).
    The Department does not agree that the modifications circumvent the 
exception prohibiting disclosures to abusive persons at 45 CFR 
164.512(b)(1)(ii). The new language at 45 CFR 164.512(c)(3) does not 
modify or change the current Privacy Rule provision for disclosures to 
a public health authority or other appropriate government authority 
authorized by law to receive reports of child abuse or neglect. We 
believe the commenter is referring to 45 CFR 164.512(c)(2), which 
requires a covered entity to inform an individual that a report has 
been or will be made, and 45 CFR 164.512(c)(2)(ii), which removes the 
requirement to inform the individual when the covered entity would be 
informing a personal representative and the covered entity reasonably 
believes the personal representative is responsible for the abuse, 
neglect, or other injury, and that informing such person would not be 
in the best interests of the individual as determined by the covered 
entity, in the exercise of professional judgment. Because the new 
language at 45 CFR 164.512(c)(3) operates as a limitation on 
disclosure, it is not possible for the new provision to permit 
disclosures in more circumstances than previously permitted, and 
therefore does not circumvent the existing provision.
    Comment: A commenter recommended that the Department clarify that 
the proposed Rule of Applicability would not prohibit disclosure and 
use of such records when they are sought for a defensive purpose by 
revising the proposed Rule of Construction at 45 CFR 164.512(c)(3) to 
more explicitly state that it permits such use or disclosure.
    Response: The adopted Rule of Construction at 45 CFR 164.512(c)(3) 
applies to disclosures permitted by 45 CFR 164.512(c), which are 
explicitly to a government authority, including a social service or 
protective services agency, authorized by law to receive reports of 
abuse, neglect, or domestic violence. The Department is not aware of a 
disclosure that otherwise meets the requirements specified at 45 CFR 
164.512(c)(1) that would constitute a disclosure for defensive 
purposes. Rather, disclosures of PHI for defensive purposes, such as a 
disclosure to defend against a criminal prosecution based on 
allegations of providing unlawful health care, are permitted by 45 CFR 
164.512(f), as well as for health care operations when obtaining legal 
services. To the extent that a disclosure for a defensive purpose meets 
the applicable requirements and is permitted, the Department confirms 
that the final rule language generally would not prohibit a disclosure.
    Comment: A few commenters requested clarification of the standard 
for determining what would constitute a report of abuse, neglect, or 
domestic violence that is based primarily on the provision of 
reproductive health care. Commenters also requested clarification about 
the interaction between the proposed prohibition and the permission at 
45 CFR 164.512(c).
    Response: The Privacy Rule permits but does not require the 
reporting of abuse, neglect, or domestic violence under certain 
conditions.\393\ Under the final rule, the Department is clarifying 
that this permission does not apply where the sole basis of the report 
is the provision or facilitation of reproductive health care. With this 
modification, the Department makes clear that it may be reasonable for 
a covered entity that is a mandatory reporter to believe that an 
individual is the victim of abuse, neglect, or domestic violence and to 
make such report to the government authority authorized by law to 
receive such reports in circumstances where the provision or 
facilitation of reproductive health care is but one factor prompting 
the suspicion. We also note, as discussed above with respect to 45 CFR 
164.512(b)(1)(i), that this permission allows a covered entity to report 
known or suspected abuse, neglect, or domestic violence only for the 
purpose of making a report. The PHI disclosed must be limited to the 
minimum necessary information for the purpose of making a report.\394\ 
These provisions do not permit the covered entity to disclose PHI in 
response to a request for the use or disclosure of PHI to conduct a 
criminal, civil, or administrative investigation into or impose 
criminal, civil, or administrative liability on a person based on 
suspected abuse, neglect, or domestic violence. Thus, any disclosure of 
PHI in response to a request from an investigator, whether in follow up 
to the report made by the covered entity (other than to clarify the PHI 
provided on the report) or as part of an investigation initiated based 
on an allegation or report made by a person other than the covered 
entity, must meet the conditions of disclosures for law enforcement 
purposes or judicial and administrative proceedings.\395\
---------------------------------------------------------------------------

    \393\ 45 CFR 164.512(c).
    \394\ See 45 CFR 164.502(b) and 164.514(d).
    \395\ See 45 CFR 164.512(e) and (f).
---------------------------------------------------------------------------

3. Clarifying the Permission for Disclosures Based on Administrative 
Processes
    Under 45 CFR 164.512(f)(1), a regulated entity may disclose PHI 
pursuant to an administrative request, provided that: (1) the 
information sought is relevant and material to a legitimate law 
enforcement inquiry; (2) the request is specific and limited in scope 
to the extent reasonably practicable in light of the purpose for which 
the information is sought; and (3) de-identified information could not 
reasonably be used. Examples of administrative requests include 
administrative subpoena or summons, a civil or an authorized 
investigative demand, or similar process authorized under law. The 
examples of administrative requests provided in the regulatory text 
include only requests that are enforceable in a court of law, and the 
catchall ``or similar process authorized by law'' similarly is intended 
to include only requests that, by law, require a response. This 
interpretation is consistent with the Privacy Rule's definition of 
``required by law,'' which enumerates these and other examples of 
administrative requests that constitute ``a mandate contained in law 
that compels an entity to make a use or disclosure of protected health

[[Page 33044]]

information and that is enforceable in a court of law.''
    As we explained in the 2023 Privacy Rule NPRM, the Department has 
become aware that some regulated entities may be interpreting 45 CFR 
164.512(f)(1) in a manner that is inconsistent with the Department's 
intent. Therefore, the Department proposed to clarify the types of 
administrative processes that this provision was intended to 
address.\396\
---------------------------------------------------------------------------

    \396\ 88 FR 23506, 23538-39 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Specifically, the Department proposed to insert language to clarify 
that the administrative processes that give rise to a permitted 
disclosure include only requests that, by law, require a regulated 
entity to respond. Accordingly, the proposal would specify that PHI may 
be disclosed pursuant to an administrative request ``for which a 
response is required by law.'' The Department does not consider this to 
be a substantive change because the proposal was consistent with 
express language of the preamble discussion on this topic in the 2000 
Privacy Rule.\397\ The Department intends that the express inclusion of 
this language will ensure that regulated entities more fully appreciate 
the permitted uses and disclosures pursuant to 45 CFR 
164.512(f)(1)(ii)(C).
---------------------------------------------------------------------------

    \397\ See 65 FR 82462, 82531 (Dec. 28, 2000).
---------------------------------------------------------------------------

    The Department received few comments on the proposal to clarify the 
permission at 45 CFR 164.512(f)(1)(ii)(C). Comments were mixed, with 
some support, some opposition, and some requesting additional 
modifications or additional examples or guidance.
    While the Department received few comments on this clarification, 
the Department is aware of reports that covered entities are 
misinterpreting the intention of the requirements of 45 CFR 
164.512(f)(1)(ii)(C) that disclosures of PHI to law enforcement be 
necessary and limited in scope. For example, a congressional inquiry 
recently highlighted concerns about disclosures of PHI to law 
enforcement from retail pharmacy chains. The inquiry found that some 
pharmacy staff are providing PHI directly to law enforcement without 
advice from their legal departments in part because their staff ``face 
extreme pressure to immediately respond to law enforcement demands.'' 
\398\ Based on this inquiry, these disclosures often are made without a 
warrant or subpoena issued by a court.\399\
---------------------------------------------------------------------------

    \398\ See U.S. Senate Committee on Finance News Release (Dec. 
12, 2023), https://www.finance.senate.gov/chairmans-news/wyden-jayapal-and-jacobs-inquiry-finds-pharmacies-fail-to-protect-the-privacy-of-americans-medical-records-hhs-must-update-health-privacy-rules (describing legislative inquiry into pharmacy chains and 
release of health information in response to law enforcement). See 
also Letter from Sen. Wyden and Reps. Jayapal and Jacobs to HHS 
Sec'y Xavier Becerra (Dec. 12, 2023), https://www.finance.senate.gov/imo/media/doc/hhs_pharmacy_surveillance_letter_signed.pdf (describing findings 
from Congressional oversight, including survey of chain pharmacies 
about their processes for responding to law enforcement requests for 
PHI).
    \399\ See U.S. Senate Committee on Finance News Release, supra 
note 398 and Letter from Sen. Wyden and Reps. Jayapal and Jacobs, 
supra note 398; see also Remy Tumin, ``Pharmacies Shared Patient 
Records Without a Warrant, an Inquiry Finds,'' The New York Times 
(Dec. 13, 2023), https://www.nytimes.com/2023/12/13/us/pharmacy-records-abortion-privacy.html.
---------------------------------------------------------------------------

    The Department is adopting the clarification as proposed because 
regulated entities are misinterpreting the requirements of 45 CFR 
164.512(f)(1)(ii)(C) that ensure that disclosures of PHI to law 
enforcement are necessary and limited in scope. Accordingly, the 
Department is adding to 45 CFR 164.512(f)(1)(ii)(C) language that 
specifies that PHI may be disclosed pursuant to an administrative 
request ``for which a response is required by law.'' Thus, the 
regulatory text now clearly states that the administrative processes 
for which a disclosure is permitted are limited to only requests that, 
by law, require a regulated entity to respond, consistent with preamble 
discussion on this topic in the 2000 Privacy Rule.\400\
---------------------------------------------------------------------------

    \400\ See 65 FR 82462, 82531 (Dec. 28, 2000).
---------------------------------------------------------------------------

    Comment: A few commenters supported the Department's proposed 
clarification of 45 CFR 164.512(f)(1)(ii)(C). A commenter recommended 
that the Department revise the language to refer to an administrative 
subpoena or summons, a civil or other ``expressly'' authorized demand, 
or other similar process. The commenter recommended that, at a minimum, 
the Department prohibit disclosures in response to oral requests, 
require all informal administrative requests be in writing, and require 
qualifying administrative requests to obtain express supervisory 
approval.
    A commenter asserted, without providing examples, that there are 
many disclosures currently made under Federal agencies' interpretations 
of the Privacy Act of 1974 \401\ that would not be permitted under the 
NPRM proposal.
---------------------------------------------------------------------------

    \401\ Public Law 93-579, 88 Stat. 1896 (Dec. 31, 1974) (codified 
at 5 U.S.C. 552a).
---------------------------------------------------------------------------

    Response: The Department appreciates the comments on this 
clarification. The Department understands the commenter's request to 
add language identifying specific processes but declines to make the 
suggested modification at this time. The Department is concerned that 
references to specific items or actions could be understood to not 
apply to similarly situated administrative requests understood by 
different names. In guidance for law enforcement, the Department has 
provided its interpretation that administrative requests must be 
accompanied by a written statement.\402\
---------------------------------------------------------------------------

    \402\ Off. for Civil Rights, ``Health Insurance Portability and 
Accountability Act (HIPAA) Privacy Rule: A Guide for Law 
Enforcement,'' https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf.
---------------------------------------------------------------------------

    In addition, the Department does not control whether a verbal or 
other non-written request is sufficient to meet the standards of 
various jurisdictions for an administrative process that legally 
requires a responding covered entity to respond. The 
Department understands that valid, justiciable reasons for responding 
to a verbal or other non-written request may exist, such as an emergent 
situation that requires an immediate response to avoid an adverse 
outcome. The Department believes the additional text sufficiently 
clarifies the misunderstandings of some regulated entities about what 
constitutes administrative process for the purposes of this permission.
4. Request for Information on Current Processes for Receiving and 
Addressing Requests Pursuant to 164.512(d) Through (g)(1)
    The Department requested information and comments on certain 
considerations to help inform development of the final rule.\403\ In 
particular, the Department asked how regulated entities currently 
receive and address requests for PHI when requested pursuant to the 
Privacy Rule permissions at 45 CFR 164.512(d), (e), (f), or (g)(1), and 
what effect expanding the scope of the proposed prohibition to include 
any health care would have on the proposed attestation requirement and 
the ability of regulated entities to implement it. Comments submitted 
in response to the question about the effects of expanding the scope of 
the proposed prohibition have been included in prior discussions of the 
specific policy issues elsewhere, as applicable.
---------------------------------------------------------------------------

    \403\ 88 FR 23506, 23539 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Comment: Several commenters responded to this request for 
information concerning current processes for receiving certain requests 
pursuant to 45 CFR 164.512 by providing specific information about how 
they receive such requests. Some requests for PHI are received in hard 
copy, either by mail or hand delivery, while others are received via 
email. Still

[[Page 33045]]

others are received through the regulated entity's online portal or by 
facsimile. In emergency circumstances, such requests may be received 
verbally. Commenters generally receive assurances through hard copy, 
email, their patient portal, and fax. A few commenters seek assurances 
for every subsequent related request, while another commenter stated 
that it does not require or obtain assurances for every subsequent 
related request if the subsequent request is related to the initial 
request for which the initial assurance was received.
    A commenter asserted that the privacy interests at stake outweigh 
potential administrative burdens and provided examples of state laws 
that are more privacy protective than the Privacy Rule. The commenter 
explained that the privacy landscape is constantly evolving, as are the 
HIPAA Rules, and as such, regulated entities must adapt in response.
    Response: The Department appreciates the information provided by 
commenters explaining the processes by which regulated entities 
currently receive requests for the use or disclosure of PHI for certain 
purposes and the workflows of regulated entities to ensure that such 
requests comply with the conditions of the applicable Privacy Rule 
permissions. We reviewed and considered this information when 
evaluating the burden of the proposed modifications to the Privacy Rule 
during the development of this final rule.

E. Section 164.520--Notice of Privacy Practices for Protected Health 
Information

1. Current Provision
    The Privacy Rule generally requires that a covered entity provide 
individuals with an NPP to ensure that they understand how a covered 
entity may use and disclose their PHI, as well as their rights and the 
covered entity's legal duties with respect to PHI.\404\ Section 
164.520(b)(1)(ii) of the Privacy Rule describes the required contents 
of the NPP, including descriptions of the types of permitted uses and 
disclosures of their PHI. More specifically, the NPP must describe the 
ways in which the covered entity may use and disclose PHI for TPO, as 
well as each of the other purposes for which the covered entity is 
permitted or required to use or disclose PHI without the individual's 
written authorization. Additionally, the NPP must state the covered 
entity's duties to protect privacy, provide a copy of the NPP, and 
abide by the terms of the current notice. The NPP must also describe 
individuals' rights, including the right to complain to HHS and to the 
covered entity if they believe their privacy rights have been violated, 
as well as other statements if the covered entity uses PHI for certain 
activities, such as fundraising. The Privacy Rule does not, however, 
currently require a covered entity to provide information about 
specific prohibited uses and disclosures of PHI.
---------------------------------------------------------------------------

    \404\ 45 CFR 164.520. Unlike many provisions of the Privacy 
Rule, 45 CFR 164.520 applies only to covered entities, as opposed to 
both covered entities and their business associates.
---------------------------------------------------------------------------

2. CARES Act
    Section 3221(i) of the CARES Act directs the Secretary to modify 
the NPP provisions at 45 CFR 164.520 to include new requirements for 
covered entities that create or maintain PHI that is also a record of 
SUD treatment provided by a Part 2 program (i.e., covered entities that 
are Part 2 programs and covered entities that receive Part 2 records 
from a Part 2 program). The CARES Act amended 42 U.S.C. 290dd-2 to 
require the Department to revise Part 2 to more closely align with the 
Privacy Rule.
3. Proposals in 2022 Part 2 NPRM and 2023 Privacy Rule NPRM
    The Department proposed in December 2022 to modify both the Patient 
Notice requirements at 42 CFR 2.22 and the NPP requirements at 45 CFR 
164.520 to provide consistent notice requirements for all Part 2 
records. Revisions to the Patient Notice requirements were addressed 
and finalized in the 2024 Part 2 Rule, while modifications to the NPP 
provisions proposed in the 2022 Part 2 NPRM were deferred to a future 
rulemaking. The Department also separately proposed to modify the NPP 
provisions to support reproductive health care privacy as part of the 
2023 Privacy Rule NPRM.
    As part of the 2022 Part 2 NPRM, the Department proposed several 
changes to the NPP provisions. We proposed in a new paragraph (2) to 45 
CFR 164.520(a) that individuals with Part 2 records that are created or 
maintained by covered entities would have a right to adequate notice of 
uses and disclosures, their rights, and the responsibilities of covered 
entities with respect to such records. The Department also proposed to 
remove 45 CFR 164.520(a)(3), the exception for providing inmates a copy 
of the NPP, which would require covered entities that serve 
correctional facilities to provide inmates with a copy of the NPP. 
Additionally, the Department proposed revising 45 CFR 164.520(b)(1) to 
specifically clarify that covered entities that maintain or receive 
Part 2 records would need to provide an NPP that is written in plain 
language and contains the notice's required elements. We also proposed 
to modify 45 CFR 164.520(b)(1)(i) to replace ``medical'' with 
``health'' information.
    The Department also proposed in the 2022 Part 2 NPRM to incorporate 
changes proposed to the NPP requirements in the 2021 Privacy Rule 
NPRM,\405\ such as adding a requirement to include the email address 
for a designated person who would be available to answer questions 
about the covered entity's privacy practices; adding a permission for a 
covered entity to provide information in its NPP concerning the 
individual access right to direct copies of PHI to third parties when 
the PHI is not in an EHR and the ability to request the transmission 
using an authorization; and removing the requirement for a covered 
entity to obtain a written acknowledgment of receipt of the NPP. The 
Department is finalizing certain changes proposed in the 2022 Part 2 
NPRM and the 2023 Privacy Rule NPRM that directly support the two final 
rules.
---------------------------------------------------------------------------

    \405\ 86 FR 6446 (Jan. 21, 2021).
---------------------------------------------------------------------------

    In both the 2022 Part 2 NPRM and 2023 Privacy Rule NPRM, the 
Department proposed to modify 45 CFR 164.520(b)(1)(ii), which requires 
covered entities to describe for individuals the purposes for which a 
covered entity is permitted to use and disclose PHI. Consistent with 
the CARES Act, we proposed in the 2022 Part 2 NPRM to modify paragraph 
(C) to clarify that where uses and disclosures are prohibited or 
materially limited by other applicable law, ``other applicable law'' 
would include Part 2, while the Department proposed to clarify at 
paragraph (D) the requirement for a covered entity to include in 
the NPP sufficient detail to place an individual on notice of the uses 
and disclosures that are permitted or required by the Privacy Rule and 
other applicable laws, including Part 2.
    The Department further proposed to require in 45 CFR 
164.520(b)(1)(iii), which requires covered entities to include 
descriptions of certain activities in which the covered entity intends 
to engage, in a new paragraph (D) the inclusion of a statement that 
Part 2 records created or maintained by the covered entity will not be 
used in certain proceedings against the individual without the 
individual's written consent or a court order consistent with 42 CFR 
part 2. Additionally, we proposed to require in a new paragraph (E) 
that covered entities that intend to use Part 2 records for fundraising 
include a statement that

[[Page 33046]]

such records may be used or disclosed for fundraising purposes only if 
the individual grants written consent as provided in 42 CFR 2.31.
    In 45 CFR 164.520(b)(1)(v)(C), which addresses a covered entity's 
right to change the terms of its notice, we also proposed to simplify 
and modify the regulatory text to clarify that this right is limited to 
circumstances where such changes are not material or contrary to law. 
The Department also proposed to add a new paragraph (4) to 45 CFR 
164.520(d) to prohibit construing permissions for covered entities 
participating in organized health care arrangements \406\ (OHCAs) to 
disclose PHI between participants as negating obligations relating to 
Part 2 records.
---------------------------------------------------------------------------

    \406\ 45 CFR 160.103 (definition of ``Organized health care 
arrangement'').
---------------------------------------------------------------------------

    The 2023 Privacy Rule NPRM also proposed modifications to the NPP 
requirements.\407\ Specifically, the Department proposed to modify 45 
CFR 164.520(b)(1)(ii) by adding a new paragraph (F) to require a 
covered entity to describe and provide an example of the types of uses 
or disclosures prohibited by 45 CFR 164.502(a)(5)(iii), and to do so in 
sufficient detail for an individual to understand the prohibition. We 
also proposed adding a new paragraph (G) to 45 CFR 164.502(b)(1)(ii) to 
describe each type of use and disclosure for which an attestation is 
required under 45 CFR 164.509, with an example. Additionally, the 
Department requested comment on whether it would benefit individuals 
for the Department to require that covered entities include a statement 
in the NPP that would explain that the recipient of the PHI would not 
be bound by the proposed prohibition because the Privacy Rule would no 
longer apply after PHI is disclosed for a permitted purpose to an 
entity other than a regulated entity (e.g., disclosed to a non-covered 
health care provider for treatment purposes).
---------------------------------------------------------------------------

    \407\ 88 FR 23506, 23539 (Apr. 17, 2023).
---------------------------------------------------------------------------

4. Overview of Public Comments
    We received many comments on the proposed NPP changes in both the 
2022 Part 2 NPRM and the 2023 Privacy Rule NPRM. Some of the comments 
on the 2022 Part 2 NPRM addressed both the NPP and the Patient Notice. 
Comments concerning the Patient Notice are discussed in the 2024 Part 2 
Rule.\408\ Commenters on the NPP proposals in the 2022 Part 2 NPRM 
urged the Department to coordinate revisions to the NPP provisions 
across its proposed and final rules. Commenters also requested guidance 
about their ability to use a single form to satisfy both the NPP and 
Patient Notice requirements. Commenters generally expressed support for 
the Department's proposals to modify 45 CFR 164.520(a) and 
164.520(b)(1) to apply the NPP requirements to certain entities, in 
coordination with changes required by the CARES Act and consistent with 
Part 2.
---------------------------------------------------------------------------

    \408\ 89 FR 12472 (Feb. 16, 2024).
---------------------------------------------------------------------------

    Commenters to the 2022 Part 2 NPRM generally did not express 
opposition to the Department's proposed changes to paragraph (b)(iii) 
of 45 CFR 164.520, although some did request additional guidance. We 
received no comments on our proposed modifications to add a new 
paragraph concerning OHCAs to 45 CFR 164.520(d).
    Most commenters expressed support for the Department's 2023 Privacy 
Rule NPRM proposals to revise the NPP requirements. Many also 
recommended additional modifications to the NPP requirements or 
clarifications to the requirements. Most also recommended that the 
Department add a requirement that NPPs include a statement that would 
explain that the recipient of PHI would not be bound by the proposed 
prohibition because the Privacy Rule would no longer apply after PHI is 
disclosed for a permitted purpose to an entity other than a regulated 
entity (e.g., disclosed to a non-covered health care provider for 
treatment purposes).
5. Final Rule
    The Department published the 2024 Part 2 Rule on February 16, 2024. 
It included modifications to the Patient Notice in 42 CFR 2.22 and 
reserved modifications to the HIPAA NPP for a forthcoming HIPAA rule. 
We address the modifications proposed in the 2022 Part 2 NPRM here, in 
concert with the modifications proposed in the 2023 Privacy Rule NPRM.
    As required by the CARES Act and in alignment with the Privacy 
Rule, we are modifying the NPP provisions in multiple ways. First, we 
are requiring in 45 CFR 164.520(a)(2) that covered entities that create 
or maintain Part 2 records provide notice to individuals of the ways in 
which those covered entities may use and disclose such records, and of 
the individual's rights and the covered entities' responsibilities with 
respect to such records. Second, we are revising 45 CFR 164.520(b)(1) 
to clarify that a covered entity that receives or maintains records 
subject to Part 2 must provide an NPP that is written in plain language 
and that contains the elements required. For clarity, we have reordered 
wording within this paragraph to refer to ``receiving or maintaining'' 
records, rather than ``maintaining or receiving'' records as initially 
proposed.
    Third, the Department is modifying 45 CFR 164.520(b)(1)(ii) to 
revise paragraphs (C) and (D), and to add paragraphs (F), (G), and (H) 
to clarify certain statements and add new statements that must be 
included in an NPP. Consistent with the CARES Act, we are modifying 
paragraph (C) to clarify that where an NPP's descriptions of uses or 
disclosures that are permitted for TPO or without an authorization must 
reflect ``other applicable law'' that is more stringent than the 
Privacy Rule, other applicable law includes Part 2. Likewise, we are 
modifying paragraph (D) to clarify that Part 2 is specifically included 
in the ``other applicable law'' referenced in the requirement to 
describe uses and disclosures that are permitted for TPO or without an 
authorization sufficiently to place an individual on notice of the uses 
and disclosures that are permitted or required by the Privacy Rule and 
other applicable law.
    New paragraphs (F) and (G) provide individuals with additional 
information about how their PHI may or may not be disclosed for 
purposes addressed in this rule, furthering trust in the relationship 
between regulated entities and individuals by ensuring that individuals 
are aware that certain uses and disclosures of PHI are prohibited. 
Specifically, paragraph (F) requires that the NPP contain a 
description, including at least one example, of the types of uses and 
disclosures prohibited under 45 CFR 164.502(a)(5)(iii) in sufficient 
detail for an individual to understand the prohibition, while paragraph 
(G) requires that the NPP contain a description, including at least one 
example, of the types of uses and disclosures for which an attestation 
is required under new 45 CFR 164.509.
    Additionally, based on feedback from commenters, we are requiring 
in a new paragraph (H) that covered entities include a statement 
explaining to individuals that PHI disclosed pursuant to the Privacy 
Rule may be subject to redisclosure and no longer protected by the 
Privacy Rule. This will help individuals to make informed decisions 
about to whom they provide access to or authorize the disclosure of 
their PHI.
    Under new paragraph (D) of 45 CFR 164.520(b)(1)(iii), the 
Department is requiring that covered entities provide notice to 
individuals that a Part 2 record, or testimony relaying the content of 
such record, may not be used or disclosed in a civil, criminal, 
administrative, or legislative proceeding against the individual absent 
written

[[Page 33047]]

consent from the individual or a court order, consistent with the 
requirements of 42 CFR part 2.
    The Department is also finalizing a requirement at 45 CFR 
164.520(b)(1)(iii)(E) that a covered entity must provide individuals 
with a clear and conspicuous opportunity to elect not to receive any 
fundraising communications before using Part 2 records for fundraising 
purposes for the benefit of the covered entity.
    Lastly, we are finalizing our proposal to add a new paragraph (4) 
in 45 CFR 164.520(d) regarding joint notice by separate covered 
entities. This modification clarifies that Part 2 requirements continue 
to apply to Part 2 records maintained by covered entities that are part 
of OHCAs.
    We are not finalizing in this rule the proposal to remove the 
exception to the NPP requirements for inmates of correctional 
facilities because it would be better addressed within the 
context of care coordination.
6. Responses to Public Comments
    Comment: Commenters on both the 2022 Part 2 NPRM and the 2023 
Privacy Rule NPRM urged the Department to coordinate any changes made 
to the NPP provisions based on proposals made in the separate 
rulemakings. According to the commenters, coordinating the changes to 
the NPP requirements would help to ensure consistency, reduce the 
administrative burden on covered entities, and ensure individual 
understanding of the permitted uses and disclosures of their PHI, 
including PHI that is also a Part 2 record. A few commenters on the 
2022 Part 2 NPRM explained the different concerns that updates to the 
NPP pose to covered entities of differing sizes, based on resource 
constraints directly related to their size. Several commenters on the 
2023 Privacy Rule NPRM requested that the Department provide sample 
language and examples or provide an updated model NPP.
    Response: As part of this rulemaking, the Department is finalizing 
modifications to certain NPP requirements that were proposed in the 
2022 Part 2 NPRM and the 2023 Privacy Rule NPRM. Thus, these changes 
serve to implement certain requirements of the CARES Act and to support 
reproductive health care privacy. The Department appreciates the 
recommendations and will consider them for future guidance.
    Comment: A few commenters on the 2022 Part 2 NPRM requested that 
the Department clarify whether they would be permitted to use a single 
document or form when providing notice statements to individuals to 
ensure compliance by regulated entities and understanding of the 
notices by individuals. A few commenters agreed that a single NPP would 
reduce the administrative burden on regulated entities or be the most 
effective way to convey privacy information to individuals and asked 
for confirmation that this was permitted. A commenter requested that 
the Department update the Patient Notice in a manner such that the NPP 
header may be used in the combined notice if they are permitted to use 
a combined NPP/Patient Notice.
    Response: As we have provided previously in guidance on the Privacy 
Rule and Part 2, notices issued by covered entities for different 
purposes may be separate or combined, as long as all of the required 
elements for both are included.\409\ Thus, it is acceptable under both 
the Privacy Rule and Part 2 to meet the notice requirements of the 
Privacy Rule, Part 2, and state law by either providing separate 
notices or combining the required notices into a single notice, as long 
as all of the required elements are included.
---------------------------------------------------------------------------

    \409\ See also 82 FR 6052, 6082-83 (Jan. 18, 2017); Off. for 
Civil Rights, ``Notice of Privacy Practices for Protected Health 
Information,'' U.S. Dep't of Health and Human Servs. (July 26, 
2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/.
---------------------------------------------------------------------------

    Comment: A few commenters on the 2022 Part 2 NPRM and most of the 
commenters on the 2023 Privacy Rule NPRM suggested the proposed 
approach to modifying both the Patient Notice and NPP would bolster 
transparency and the public's understanding of how their health 
information is used or disclosed and collected. Many commenters on the 
2023 Privacy Rule NPRM provided recommendations for ways in which the 
Department could improve the NPP, including requiring that the NPP be 
in plain language.
    Response: The Department appreciates the comments on its proposal 
to modify the NPP to align with changes made in the Patient Notice and 
in support of reproductive health care privacy. The modifications will 
bolster transparency and public understanding of how information is 
used, disclosed, and protected. Covered entities have long been 
required under 45 CFR 164.520(b)(1) to provide an NPP that is written 
in plain language. Discussion of this requirement can be found in the 
preamble to the 2000 Privacy Rule.\410\ The Department's model NPP 
forms, available in both English and Spanish, provide one example of 
how the plain language requirement may be met.\411\ As discussed above, 
we are modifying 45 CFR 164.520 to clarify that this requirement 
applies to covered entities that use and disclose Part 2 records. 
Additional resources on writing in plain language can be found at 
https://plainlanguage.gov. Additionally, covered entities are required 
to comply with all Federal nondiscrimination laws, including laws that 
address language access requirements. Information about such 
requirements is available at www.hhs.gov/hipaa.
---------------------------------------------------------------------------

    \410\ 65 FR 82462, 82548-49 (Dec. 28, 2000).
    \411\ Off. for Civil Rights, ``Model Notices of Privacy 
Practices,'' U.S. Dep't of Health and Human Servs. (Apr. 8, 2013), 
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/.
---------------------------------------------------------------------------

    Comment: Commenters expressed concerns about the interplay of the 
Part 2 Patient Notice requirements with the NPP, the burden on covered 
entities to modify the NPP, and including the attestation requirement 
in the NPP.
    Response: We have sought to align the requirements for the Patient 
Notice as closely as possible with the NPP requirements and to modify 
the NPP requirements to allow for a combined Patient Notice and NPP. 
The changes the Department is making to the NPP empower the individual 
and improve health outcomes by improving the likelihood that health 
care providers will make accurate diagnoses and informed treatment 
recommendations to individuals. These changes to the NPP provide the 
individual with clear information and reassurance about their privacy 
rights and their ability to discuss their reproductive health and 
related health care because they inform an individual that their PHI 
may not be used or disclosed for certain purposes prohibited by new 45 
CFR 164.502(a)(5)(iii). As such, the qualitative benefits of providing 
individuals with information about how their PHI may be used and 
disclosed under the Privacy Rule outweigh the quantitative burdens for 
covered entities to revise their NPPs. Accordingly, we are finalizing 
the modifications proposed to the NPP as part of the 2023 Privacy Rule 
NPRM.
    Comment: A majority of the commenters on the 2023 Privacy Rule NPRM 
who expressed support for revising the NPP also recommended that the 
Department require that the NPP include an explanation that the 
prohibition or Privacy Rule generally would no longer apply to PHI that 
has been disclosed for a permitted purpose to a person that is not a 
regulated entity. A few commenters opposed the addition as unnecessary 
or expressed concern about the potential length of the NPP. A

[[Page 33048]]

few of the commenters opposed adding such a statement because they 
believed it could deter individuals from seeking reproductive health 
care, increase individuals' mistrust of health care providers, or not 
add to individuals' understanding of their rights and protections under 
the Privacy Rule.
    Response: In response to comments and in support of transparency 
for individuals, the Department is finalizing a new requirement to 
include in the NPP a statement adequate to put the individual on notice 
of the potential for information disclosed pursuant to the Privacy Rule 
to be subject to redisclosure by the recipient and no longer protected 
by the Privacy Rule. This change will provide additional clarity to 
individuals directly and assist covered entities in explaining the 
limitations of the Privacy Rule to individuals. We believe that any 
concerns about the negative effects of these modifications on length 
are outweighed by their benefits to the individual.
    Comment: Several commenters to the 2023 Privacy Rule NPRM requested 
the Department provide additional time for compliance with the new NPP 
requirements and exercise enforcement discretion for a period of time 
after the compliance date.
    Response: As noted above, we are finalizing certain modifications 
to the NPP provisions that were proposed in the 2022 Part 2 NPRM rule 
and other modifications to the same provisions that were proposed in 
the 2023 Privacy Rule NPRM. To ease the burden on covered entities and 
in compliance with 45 CFR 160.104, the Department is finalizing a 
compliance date of February 16, 2026, for the NPP provisions. The 
rationale for this compliance date is discussed in greater detail in 
the discussion of Effective and Compliance Dates.

F. Section 164.535--Severability

    In the NPRM, the Department included a discussion of severability 
that explained how we believed the proposed rule should be interpreted 
if any provision was held to be invalid or facially unenforceable. We 
are finalizing a new 45 CFR 164.535 to codify this interpretation. The 
Department intends that, if a specific regulatory provision in this 
rule is found to be invalid or unenforceable, the remaining provisions 
of the rule will remain in effect because they would still function 
sensibly.
    For example, the changes this final rule makes to the NPP 
requirements in 45 CFR 164.520 (including the changes finalizing 
proposals from the 2022 Part 2 NPRM) shall remain in full force and 
effect to the extent that they are not directly related to a provision 
in this rulemaking that is held to be invalid or unenforceable such 
that notice of that provision is no longer necessary. Conversely, if 
the NPP requirements are held to be invalid or unenforceable, the other 
modifications shall remain in full force and effect to the extent that 
they are not directly related to the NPP requirements.
    As another example, we also intend that the revision in 45 CFR 
160.103 to the definition of ``person'' shall remain in full force and 
effect if any other provision is held to be invalid or unenforceable 
because the new modified definition is not solely related to supporting 
reproductive health care privacy and is consistent with the 
Department's longstanding interpretation of the term and with regulated 
entities' current understanding and practices.
    Similarly, we are finalizing technical corrections to the heading 
at 45 CFR 164.512(c) and a clarifying revision at 45 CFR 164.512(f) 
regarding the permission for disclosures based on administrative 
processes. Those changes are intended to remain in full force and 
effect even if other parts of this final rule are held to be invalid or 
unenforceable.
    As another example, we also intend, if the addition in 45 CFR 
160.103 of the definition of ``public health,'' as used in the terms 
``public health surveillance,'' ``public health investigation,'' and 
``public health intervention'' is held to be invalid and unenforceable, 
the other modifications to the rules shall remain in full force and 
effect to the extent that they are not directly related to the 
definition of public health.
    We further intend that if the rule is held to be invalid and 
unenforceable with respect to its application to some types of health 
care, it should be upheld with respect to other types (e.g., pregnancy 
or abortion-related care).
    We also intend that any provisions of the Privacy Rule that are 
unchanged by this final rule shall remain in full force and effect if 
any provision of this final rule is held to be invalid or 
unenforceable.
    These examples are illustrative and not exhaustive.
    We received no comments on the language addressing severability in 
the 2023 Privacy Rule NPRM.

G. Comments on Other Provisions of the HIPAA Rules

    Comment: A few commenters expressed concerns that the Department 
may grant exceptions to preemption and recommended that the Department 
clarify the standards for which exceptions to preemption would be made 
and consider strengthening these standards wherever possible or remove 
the potential for exceptions entirely.
    One commenter expressed concern that the proposed rule could 
dissuade regulated entities from providing de-identified data for 
research, while another commenter recommended that the Department 
prohibit the sharing of de-identified reproductive health care data 
except in limited circumstances to prevent the re-identification of 
reproductive health data by third parties, such as law enforcement or 
data brokers.
    Response: The process for requesting exceptions to preemption and 
the standards for granting such requests are at 45 CFR 160.201 et seq. 
We did not propose any modifications to these provisions as part of the 
2023 Privacy Rule NPRM, and as such, do not finalize modifications in 
this final rule.
    The Department does not believe that this final rule will dissuade 
regulated entities from providing de-identified data for research or 
other purposes. Under the Privacy Rule, health information that meets 
the standard and implementation specifications for de-identification 
under 45 CFR 164.514 is considered not to be IIHI.\412\ HIPAA confers 
on the Department the authority to set standards for the privacy of 
IIHI, including for de-identification. We did not propose to modify the 
de-identification standard as part of the 2023 Privacy Rule NPRM, and 
as such, do not finalize modifications in this final rule.
---------------------------------------------------------------------------

    \412\ 45 CFR 164.502(d)(2).
---------------------------------------------------------------------------

    Comment: A commenter posited that the proposed rule's preemption of 
contrary state laws was not sufficiently clear and recommended that the 
Department reinforce the preemption provision in the final rule.
    Response: The Department did not propose changes to the preemption 
provisions of the HIPAA Rules, which are based in statute,\413\ and 
believes that the provisions, in combination with our discussion of 
preemption in the preamble, are sufficient.
---------------------------------------------------------------------------

    \413\ See 45 CFR part 160, subpart B--Preemption of State Law.
    \414\ 58 FR 51735 (Oct. 4, 1993).
---------------------------------------------------------------------------

VI. Regulatory Impact Analysis

A. Executive Order 12866 and Related Executive Orders on Regulatory 
Review

    The Department of Health and Human Services (HHS or ``Department'') 
has examined the effects of this final rule under Executive Order 
(E.O.) 12866, Regulatory Planning and Review,\414\ as

[[Page 33049]]

amended by E.O. 14094,\415\ E.O. 13563, Improving Regulation and 
Regulatory Review,\416\ the Regulatory Flexibility Act \417\ (RFA), and 
the Unfunded Mandates Reform Act of 1995 \418\ (UMRA). E.O.s 12866 and 
13563 direct the Department to assess all costs and benefits of 
available regulatory alternatives and, when regulation is necessary, to 
select regulatory approaches that maximize net benefits (including 
potential economic, environmental, public health and safety, and other 
advantages; distributive effects; and equity). This final rule is 
significant under section 3(f)(1) of E.O. 12866, as amended.
---------------------------------------------------------------------------

    \415\ 88 FR 21879 (Apr. 11, 2023).
    \416\ 76 FR 3821 (Jan. 21, 2011).
    \417\ Public Law 96-354, 94 Stat. 1164 (codified at 5 U.S.C. 
601-612).
    \418\ Public Law 104-4, 109 Stat. 48 (codified at 2 U.S.C. 
1501).
---------------------------------------------------------------------------

    The RFA requires us to analyze regulatory options that would 
minimize any significant effect of a rule on small entities. As 
discussed in greater detail below, this analysis concludes, and the 
Secretary certifies, that the rule will not result in a significant 
economic effect on a substantial number of small entities.
    The UMRA (section 202(a)) generally requires us to prepare a 
written statement, which includes an assessment of anticipated costs 
and benefits, before proposing ``any rule that includes any Federal 
mandate that may result in the expenditure by State, local, and tribal 
governments, in the aggregate, or by the private sector, of 
$100,000,000 or more (adjusted annually for inflation) in any 1 year.'' 
\419\ The current threshold after adjustment for inflation is $177 
million, using the most current (2023) Implicit Price Deflator for the 
Gross Domestic Product. UMRA does not address the total cost of a rule. 
Rather, it focuses on certain categories of cost, mainly Federal 
mandate costs resulting from imposing enforceable duties on state, 
local, or Tribal governments or the private sector; or increasing the 
stringency of conditions in, or decreasing the funding of, state, 
local, or Tribal governments under entitlement programs. This final 
rule imposes mandates that would result in the expenditure by state, 
local, and Tribal governments, in the aggregate, or by the private 
sector, of more than $177 million in any one year. The impact analysis 
in this final rule addresses such effects both qualitatively and 
quantitatively. In general, each regulated entity, including government 
entities that meet the definition of covered entity (e.g., state 
Medicaid agencies), is required to adopt new policies and procedures 
for responding to requests for the use or disclosure of protected 
health information (PHI) for which an attestation is required and to 
train its workforce members on the new requirements. Additionally, 
although the Department has not quantified the costs, state, local, and 
Tribal law enforcement agencies must analyze requests that they 
initiate for the use or disclosure of PHI and provide regulated 
entities with an attestation that the request is not for a prohibited 
purpose in instances where the request is made for health oversight 
activities, judicial and administrative proceedings, law enforcement 
purposes, or about decedents to coroners and medical examiners, and is 
for PHI potentially related to reproductive health care. One-time costs 
for all regulated entities to change their policies will increase costs 
above the UMRA threshold in one year. The Department initially 
estimated that ongoing expenses for the new attestation condition would 
not increase significantly, but we sought additional data to inform our 
estimates. Although Medicaid makes Federal matching funds available for 
states for certain administrative costs, these are limited to costs 
specific to operating the Medicaid program. There are no Federal funds 
directed at Health Insurance Portability and Accountability Act of 1996 
(HIPAA) compliance activities.
---------------------------------------------------------------------------

    \419\ Id. at sec. 202 (codified at 2 U.S.C. 1532(a)).
---------------------------------------------------------------------------

    Pursuant to Subtitle E of the Small Business Regulatory Enforcement 
Fairness Act of 1996,\420\ the Office of Management and Budget's 
(OMB's) Office of Information and Regulatory Affairs has determined 
that this final rule meets the criteria set forth in 5 U.S.C. 804(2) 
because it is projected to have an annualized effect on the economy of 
more than $100,000,000. Because of the large number of covered entities 
that are subject to this final rule and the large number of individuals 
with health plan coverage, any rule modifying the HIPAA Privacy Rule 
that requires updating policies and procedures and the Notice of 
Privacy Practices (NPP) and distributing the NPP to a percentage of 
individuals is likely to meet the threshold in 5 U.S.C. 804(2).
---------------------------------------------------------------------------

    \420\ Also referred to as the Congressional Review Act, 5 U.S.C. 
801 et seq.
---------------------------------------------------------------------------

    The Justification for this Rulemaking and Summary of Final Rule 
Provisions sections at the beginning of this preamble contain a summary 
of this rule and describe the reasons it is needed. The Department 
presents a detailed analysis below.
1. Summary of Costs and Benefits
    The Department identified six general categories of quantifiable 
costs arising from this final rule: (1) responding to requests for the 
use or disclosure of PHI for which an attestation is required; (2) 
revising business associate agreements; (3) updating the NPP and 
posting it online; (4) developing new or modified policies and 
procedures; (5) revising training programs for workforce members; and 
(6) requesting an exception from HIPAA's general preemption authority. 
The first five categories apply primarily to covered entities, while 
the sixth category applies to states and other interested persons.
    The Department estimates that the first-year costs attributable to 
this final rule total approximately $595.0 million. These costs are 
associated with covered entities responding to requests for the use or 
disclosure of PHI that are conditioned upon an attestation; revising 
business associate agreements; revising policies and procedures; 
updating, posting, and mailing the NPP; and revising training programs 
for workforce members, and with states or other persons requesting 
exceptions from preemption. These costs also include increased 
estimates for wages, postage, and the number of NPPs distributed by 
health plans as compared to the baseline of existing annual cost and 
burden estimates for these activities in the approved HIPAA information 
collection. For years two through five, estimated annual costs of 
approximately $20.9 million are attributable to ongoing costs related 
to the attestation requirement. Table 1 reports the present value and 
annualized estimates of the costs of this final rule covering a 5-year 
time horizon. Using a 7% discount rate, the Department estimates this 
final rule will result in annualized costs of $151.8 million; and using 
a 3% discount rate, these annualized costs are $142.6 million.

[[Page 33050]]



                                  Table 1--Accounting Table, Costs of the Rule
                                                  [$ Millions]
----------------------------------------------------------------------------------------------------------------
                                                      Primary                      Discount rate
                      Costs                          estimate      Year dollars         (%)       Period covered
----------------------------------------------------------------------------------------------------------------
Present Value...................................          $678.6            2022    Undiscounted       2024-2028
Present Value...................................           622.3            2022               7       2024-2028
Present Value...................................           653.1            2022               3       2024-2028
Annualized......................................           151.8            2022               7       2024-2028
Annualized......................................           142.6            2022               3       2024-2028
----------------------------------------------------------------------------------------------------------------
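The figures in Table 1 can be reproduced from the cost stream stated above (first-year costs of $595.0 million, then $20.9 million in each of years two through five). The following Python script is an added worked example and is not part of the Federal Register text or any HHS tool; it assumes end-of-year discounting (the year-1 cost discounted one period, the year-2 cost two periods, and so on). That convention is an assumption, inferred because it reproduces the published present values and annualized costs to within the rounding of the stated inputs.

```python
"""Reproduce the Table 1 accounting figures from the stated cost stream.

Added example, not part of the Federal Register text. Assumption: costs
are discounted at end of year, i.e. the cost incurred in year t (1-based)
is divided by (1 + r) ** t. This is inferred from the published figures,
not stated in the rule.
"""

FIRST_YEAR_COST_M = 595.0   # $ millions, first-year costs stated in the RIA
ONGOING_COST_M = 20.9       # $ millions per year, years two through five
HORIZON_YEARS = 5           # 2024-2028


def cost_stream(first_year=FIRST_YEAR_COST_M, ongoing=ONGOING_COST_M,
                years=HORIZON_YEARS):
    """Annual cost stream over the horizon, in $ millions (2022 dollars)."""
    return [first_year] + [ongoing] * (years - 1)


def present_value(costs, rate):
    """Sum of each year's cost discounted back to the start of year 1."""
    return sum(c / (1.0 + rate) ** t for t, c in enumerate(costs, start=1))


def annualized(pv, rate, years):
    """Equal annual amount whose present value over `years` at `rate` is `pv`.

    Uses the standard capital-recovery (annuity) factor r / (1 - (1+r)^-n).
    """
    if rate == 0:
        return pv / years
    annuity_factor = rate / (1.0 - (1.0 + rate) ** -years)
    return pv * annuity_factor


def accounting_table(rates=(0.0, 0.07, 0.03)):
    """Present value and annualized cost for each discount rate, rounded
    to one decimal place as in Table 1 (keyed by rate)."""
    costs = cost_stream()
    rows = {}
    for r in rates:
        pv = present_value(costs, r)
        rows[r] = {
            "present_value": round(pv, 1),
            "annualized": round(annualized(pv, r, len(costs)), 1),
        }
    return rows


if __name__ == "__main__":
    for r, row in accounting_table().items():
        label = "Undiscounted" if r == 0 else f"{int(round(r * 100))}%"
        print(f"{label:>12}: PV ${row['present_value']:.1f}M, "
              f"annualized ${row['annualized']:.1f}M")
```

Running the script gives an undiscounted present value of $678.6 million and annualized costs of $151.8 million (7%) and $142.6 million (3%), matching Table 1. The 7% present value comes out at $622.2 million rather than the table's $622.3 million; the one-tenth difference is consistent with HHS computing from unrounded inputs rather than the $595.0 million and $20.9 million figures quoted in the text. Table 1 does not report an undiscounted annualized figure, so the script's $135.7 million for that row is simply $678.6 million spread evenly over five years.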

    The changes to the Privacy Rule will likely result in important 
benefits and some costs that the Department is unable to fully quantify 
at this time. As explained further below, unquantified benefits include 
improved trust and confidence between individuals and health care 
providers; enhanced privacy and improved access to reproductive health 
care and information, which may prevent increases in maternal mortality 
and morbidity; increased accuracy and completeness in patient medical 
records, which may prevent poor health outcomes; enhanced support for 
survivors of rape, incest, and sex trafficking; and maintenance of 
family economic stability by allowing families to determine whether or 
when to be pregnant and the timing and spacing of pregnancies. Additionally, allowing 
regulated entities to accept an attestation for requests for the use or 
disclosure of PHI potentially related to reproductive health care, and 
to presume that reproductive health care provided by another person was 
lawful under the circumstances it was provided, will reduce potential 
liability for regulated entities by providing some assurance with 
respect to whether the requested disclosure is prohibited.

   Table 2--Potential Non-Quantified Benefits for Covered Entities and
                               Individuals
------------------------------------------------------------------------
                                Benefits
-------------------------------------------------------------------------
Improve access to complete information about lawful reproductive health
 care options, including for individuals who are pregnant or considering
 a pregnancy (i.e., improve health literacy), by reducing concerns about
 disclosure of PHI.
Maintain or reduce levels of maternal mortality and morbidity by
 ensuring that individuals and their clinicians can freely communicate
 and have access to complete information needed for quality lawful
 health care, including coordination of care.
Decrease barriers to accessing prenatal health care by maintaining
 privacy for individuals who seek a complete range of lawful
 reproductive health care options.
Enhance mental health and emotional well-being of pregnant individuals
 by reducing fear of potential disclosures of their PHI to investigate
 or impose liability on a person for the mere act of seeking, obtaining,
 providing, or facilitating lawful health care.
Improve or maintain trust between individuals and health care providers
 by reducing the potential for health care providers to report PHI in a
 manner that could harm the individuals' interests.
Prevent or reduce re-victimization of pregnant individuals who have
 survived rape or incest by protecting their PHI from undue scrutiny.
Improve or maintain families' economic well-being by not exposing
 individuals or their family members to costly investigations or
 activities to impose liability for seeking, obtaining or facilitating
 lawful reproductive health care.
Maintain the economic well-being of regulated entities by not exposing
 regulated entities or workforce members to costly investigations or
 activities to impose liability on them for engaging in lawful
 activities.
Ensure individuals' ability to obtain full and complete information and
 make lawful decisions concerning fertility- or infertility-related
 health care that may include selection or disposal of embryos without
 risk of PHI disclosure for criminal, civil, or administrative
 investigations or activities to impose liability for engaging in lawful
 activities.
------------------------------------------------------------------------

    The Department also recognizes that there may be some costs that 
are not readily quantifiable, notably, the potential burden on persons 
requesting PHI to investigate or impose liability on persons for 
seeking, obtaining, providing, or facilitating reproductive health care 
that is not lawful under the circumstances in which such health care is 
provided. As discussed elsewhere in this final rule, we acknowledge 
that, in certain limited circumstances, the final rule may prevent 
persons from obtaining an individual's PHI, such as where the request 
is directed to the health care provider that provided the reproductive 
health care and that health care provider reasonably determines that 
such health care was provided lawfully. However, the existing 
permission for disclosures for law enforcement does not create a 
mandate for disclosure to law enforcement agencies. Rather, it 
establishes the conditions under which a regulated entity may disclose 
PHI if it so chooses. Accordingly, consistent with how the Privacy Rule 
has operated since its inception, persons whose requests for PHI are 
declined by regulated entities may incur additional costs if they 
choose to pursue their investigations through other methods and obtain 
evidence from non-covered entities. We have not previously quantified 
the costs to such persons for obtaining an individual's PHI, such as 
where a law enforcement official is required to prepare a formal 
administrative request or obtain a qualified protective order and we do 
not do so here. We do not view the attestation requirement as changing 
this calculus and have designed the attestation to impose a minimal 
burden on requests for PHI related to lawful conduct by health care 
providers by offering a model attestation form. Despite the minimal 
formality of providing a signed attestation, some state law enforcement 
agencies may experience the requirement as a burden, and we acknowledge 
that potential as a non-quantifiable cost.
2. Baseline Conditions
    The Privacy Rule, in conjunction with the Security and Breach 
Notification Rules, protects the privacy and security of individuals' 
PHI, that is, individually identifiable health information (IIHI) 
transmitted by or maintained in electronic media or any other form or

[[Page 33051]]

medium, with certain exceptions. It limits the circumstances under 
which regulated entities are permitted or required to use or disclose 
PHI and requires covered entities to have safeguards in place to 
protect the privacy of PHI. The Privacy Rule also establishes certain 
rights for individuals with respect to their PHI and sets limits and 
conditions on the uses and disclosures that may be made of such 
information without an individual's authorization.
    As explained in the preamble, the Department has the authority 
under HIPAA to modify the Privacy Rule to prohibit the use or 
disclosure of PHI for activities to conduct a criminal, civil, or 
administrative investigation into or impose criminal, civil, or 
administrative liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating reproductive health care that is 
lawful under the circumstances in which it was provided, as well as to 
identify any person for the purpose of initiating such activities. The 
Privacy Rule has been modified several times since it was first issued 
in 2000 to address statutory requirements, changed circumstances, and 
concerns and issues raised by stakeholders regarding the effects of the 
Privacy Rule on regulated entities, individuals, and others. Recently, 
as the preamble discusses, changed circumstances resulting from new 
inconsistencies in the regulation of reproductive health care 
nationwide and the negative effects on individuals' expectations for 
privacy and their relationships with their health care providers, as 
well as the additional burdens imposed on regulated entities, require 
the modifications made by this final rule.
    For purposes of this Regulatory Impact Analysis (RIA), this final 
rule adopts the list of covered entities and cost assumptions 
identified in the Department's 2023 Information Collection Request 
(ICR).\421\ The Department also relies on certain estimates and 
assumptions from the 1999 Privacy Rule NPRM \422\ that remain relevant, 
and the 2013 Omnibus Rule,\423\ as referenced in the analysis that 
follows.
---------------------------------------------------------------------------

    \421\ 88 FR 3997 (Jan. 23, 2023).
    \422\ 64 FR 59918 (Nov. 3, 1999).
    \423\ 78 FR 5566 (Jan. 25, 2013).
---------------------------------------------------------------------------

    The Department quantitatively analyzes and monetizes the effect 
that this final rule may have on regulated entities' actions to: revise 
business associate agreements between covered entities and their 
business associates, including release-of-information contractors; 
create new forms; respond to certain types of requests for PHI; update 
their NPPs; adopt policies and procedures to implement the requirements 
of this final rule; and train their employees on the updated policies 
and procedures. The Department analyzes the remaining benefits and 
burdens qualitatively because of the uncertainty inherent in predicting 
other concrete actions that such a diverse scope of regulated entities 
might take in response to this rule.
Analytic Assumptions
    The Department bases its assumptions for calculating estimated 
costs and benefits on several publicly available datasets, including 
data from the U.S. Census, the U.S. Department of Labor, Bureau of 
Labor Statistics, Centers for Medicare & Medicaid Services, and the 
Agency for Healthcare Research and Quality. For the purposes of this 
analysis, the Department assumes that benefits plus indirect costs 
equal approximately 100 percent of pre-tax wages and adjusts the hourly 
wage rates by multiplying by two, for a fully loaded hourly wage rate. 
The Department adopts this as the estimate of the hourly value of time 
for changes in time use for on-the-job activities.
    Implementing the regulatory changes likely will require covered 
entities to engage workforce members or consultants for certain 
activities. The Department assumes that a lawyer will draft or review 
the new attestation form, revisions to business associate agreements, 
revisions to the NPP, and required changes to HIPAA policies and 
procedures. The Department expects that a training specialist will 
revise the necessary HIPAA training and that a web designer will post 
the updated NPP. The Department further anticipates that a workforce 
member at the pay level of medical records specialist will confirm 
receipt of required attestations. To the extent that these assumptions 
affect the Department's estimate of costs, the Department solicited 
comment on its assumptions, particularly assumptions in which the 
Department identifies the level of workforce member (e.g., clerical 
staff, professional) that will be engaged in activities and the amount 
of time that particular types of workforce members spend conducting 
activities related to this RIA as further described below. Table 3 also 
lists pay rates for occupations referenced in the explanation of 
estimated information collection burdens in Section F of this RIA and 
related tables.
    The Department received several comments about the occupations 
engaged in certain activities and the time burden associated with them. 
We reviewed these submissions and used the provided information to 
revise the estimate for the cost of processing requests for the use or 
disclosure of PHI that require an attestation. For more details, please 
see the sections discussing the costs of the rule below.
    The Department received no comment on the hourly value of time; 
therefore, we retain all relevant assumptions laid out in the 2023 
Privacy Rule NPRM, as described above (see Table 3 for a list of 
occupations and corresponding wages).\424\
---------------------------------------------------------------------------

    \424\ For each occupation performing activities as a result of 
the final rule, the Department identifies a pre-tax hourly wage 
using a database maintained by the Bureau of Labor Statistics. See 
U.S. Dep't of Labor, ``Occupational Employment and Wages'' (May 
2022), https://www.bls.gov/oes/current/oes_nat.htm.

[[Page 33052]]



                     Table 3--Occupational Pay Rates
------------------------------------------------------------------------
                                            Mean hourly    Fully loaded
        Occupation code and title              wage         hourly wage
------------------------------------------------------------------------
00-0000 All Occupations.................          $29.76          $59.52
43-3021 Billing and Posting Clerks......           21.54           43.08
29-0000 Healthcare Practitioners and               46.52           93.04
 Technical Occupations..................
29-9021 Health Information Technologists           31.38           62.76
 and Medical Registrars.................
29-9099 Healthcare Practitioners and               32.78           65.56
 Technical Workers, All Other...........
15-1212 Information Security Analysts...           57.63          115.26
23-1011 Lawyers.........................           78.74          157.48
13-1111 Management Analysts.............           50.32          100.64
11-9111 Medical and Health Services                61.53          123.06
 Manager................................
29-2072 Medical Records Specialist......           24.56           49.12
43-0000 Office and Administrative                  21.90           43.80
 Support Occupations....................
11-2030 Public Relations and Fundraising           68.56          137.12
 Managers...............................
13-1151 Training and Development                   33.59           67.18
 Specialist.............................
43-4171 Receptionists and Information              16.64           33.28
 Clerks.................................
15-1255 Web and Digital Interface                  48.91           97.82
 Designers..............................
------------------------------------------------------------------------

    The Department assumes that most covered entities will be able to 
incorporate changes to their workforce training into existing HIPAA 
training programs rather than conduct a separate training because the 
total time frame for compliance from date of finalization would be 240 
days.\425\
---------------------------------------------------------------------------

    \425\ This includes 60 days from publication of a final rule to 
the effective date and an additional 180 days until the compliance 
date.
---------------------------------------------------------------------------

Covered Entities Affected
    The Department received no substantive comments on the number or 
type of HIPAA covered entities affected by this rule; therefore, we 
retain the methodology and entity estimates as described in the 2023 
Privacy Rule NPRM and the baseline conditions section above.
    To the extent that covered entities engage business associates to 
perform activities under the rule, the Department assumes that any 
additional costs will be borne by the covered entities through their 
contractual agreements with business associates. The Department's 
estimate that each revised business associate agreement will require no 
more than 1 hour of a lawyer's labor assumes that the hourly burden 
could be split between the covered entity and the business associate. 
Thus, the Department calculated estimated costs based on the potential 
number of business associate agreements that will be revised rather 
than the number of covered entities or business associates with revised 
business associate agreements.
    The Department requested data on the number of business associates 
(which may include health care clearinghouses acting in their role as 
business associates of other covered entities) that would be affected 
by the rule and the extent to which they may experience costs or other 
burdens not already accounted for in the estimates of burdens for 
revising business associate agreements. The Department also requested 
comment on the number of business associate agreements that would need 
to be revised, if any. We did not receive any actionable comments on 
the number of affected business associates, the number of business 
associate agreements, or any specific costs that business associates 
might bear. For more details, see the section on business associate 
agreements below.
    The Department requested public comment on these estimates, 
including estimates for third party administrators and pharmacies where 
the Department has provided additional explanation. The Department 
additionally requested detailed comment on any situations, other than 
those identified here, in which covered entities would be affected by 
this rulemaking. We did not receive any substantive comments related to 
these issues.

                             Table 4--Estimated Number and Type of Covered Entities
----------------------------------------------------------------------------------------------------------------
                                                Covered entities
-----------------------------------------------------------------------------------------------------------------
              NAICS code                           Type of entity                  Firms        Establishments
----------------------------------------------------------------------------------------------------------------
524114...............................  Health and Medical Insurance Carriers             880               5,379
524292...............................  Third Party Administrators...........             456                 783
622..................................  Hospitals............................           3,293               7,012
44611................................  Pharmacies...........................          19,540          \a\ 67,753
6211-6213............................  Office of Drs. & Other Professionals.         433,267             505,863
6215.................................  Medical Diagnostic & Imaging.........           7,863              17,265
6214.................................  Outpatient Care......................          16,896              39,387
6219.................................  Other Ambulatory Care................           6,623              10,059
623..................................  Skilled Nursing & Residential                  38,455              86,653
                                        Facilities.
6216.................................  Home Health Agencies.................          21,829              30,980
532283...............................  Home Health Equipment Rental.........             611               3,197
                                                                             -----------------------------------
    Total............................                                                549,713             774,331
----------------------------------------------------------------------------------------------------------------
\a\ Number of pharmacy establishments is taken from industry statistics.


[[Page 33053]]

Individuals Affected
    The Department believes that the population of individuals 
potentially affected by the rule is approximately 76 million 
overall,\426\ representing nearly one-fourth of the U.S. population, 
including approximately 6 million pregnant individuals annually and an 
unknown number of individuals facing a potential pregnancy or pregnancy 
risk due to sexual activity, contraceptive avoidance or failure, rape 
(including statutory rape), and incest. According to Federal data, 78 
percent of sexually active females received reproductive health care in 
2015-2017.\427\
---------------------------------------------------------------------------

    \426\ See U.S. Census Bureau, American Community Survey S0101, 
AGE AND SEX 2022: ACS 5-Year Estimates Subject Tables (females aged 
10-44), https://data.census.gov/table/ACSST1Y2022.S0101. The U.S. 
Census Bureau uses the term ``sex'' to equate to an individual's 
biological sex. ``Sex--Definition,'' U.S. Census Bureau (accessed 
Mar. 20, 2024), https://www.census.gov/glossary/?term=Sex.
    \427\ See ``Reproductive and Sexual Health,'' Sexually active 
females who received reproductive health services (FP-7.1), 
Healthypeople.gov, https://wayback.archive-it.org/5774/20220415172039/https:/www.healthypeople.gov/2020/leading-health-indicators/2020-lhi-topics/Reproductive-and-Sexual-Health/data.
---------------------------------------------------------------------------

    The Department received comments related to the number of 
individuals affected by the rule, some of which are summarized below. 
One commenter asserted that the Department had overestimated the number 
of affected individuals and urged reducing the estimate to 78 percent 
of sexually active females (52.72 million). The same commenter also 
argued that even this revised number might be an overestimate, and that 
the number of individuals directly affected by the rule would be closer 
to 50,400 a year. Another commenter suggested that the number of 
individuals potentially affected by the proposed rule is much larger 
than the estimate and that the estimate should include any individual 
who was ever capable of bearing children and their family members.
    Another commenter asserted that the Department was underestimating 
the number of individuals that would be affected by the proposed rule 
but did not include an estimate of their own.
    After reviewing the comments, the Department is finalizing the 
estimates of the number of individuals that will be affected by this 
final rule as described above, which includes updates for 2022 data. 
The Department considers a key category of individuals affected by this 
final rule those who have the potential to become pregnant because 
pregnancies may occur and result in a need for reproductive health care 
nationwide. Pregnancy, concern about potential pregnancy, and the need 
for reproductive health care do not recognize state boundaries or 
regulatory timelines.
    Commenters recommended data points above and below the Department's 
proposed estimate of 74 million affected individuals. We believe that 
the number of affected individuals is far greater than the total who 
are survivors of sexual assault or sex trafficking (as recommended by a 
commenter), yet less than the number of all individuals who have ever 
been of childbearing age and their family members (as recommended by 
another commenter). We recognize that the age range for the proposed 
estimate of females, 10-44, imperfectly reflects the number of females 
of childbearing age; however, the number of females over age 44 who 
could become pregnant may be offset by the number of females aged 10-13 
who are not yet capable of childbearing. We use the number of females 
of potentially childbearing age as a proxy for the number of 
individuals affected by the final rule as shown in Table 5 below.
---------------------------------------------------------------------------

    \428\ See American Community Survey S0101, AGE AND SEX 2022: ACS 
5-Year Estimates Subject Tables (females aged 10-44), supra note 
427.
---------------------------------------------------------------------------

            Table 5--Estimated Number of Individuals Affected
------------------------------------------------------------------------
                                                          Population
    Females of potentially childbearing age \428\          estimate
------------------------------------------------------------------------
10 to 14 years......................................          10,327,799
15 to 19 years......................................          10,618,136
20 to 24 years......................................          10,957,463
25 to 29 years......................................          10,762,368
30 to 34 years......................................          11,440,546
35 to 39 years......................................          11,013,337
40 to 44 years......................................          10,771,942
                                                     -------------------
    Total...........................................          75,891,591
------------------------------------------------------------------------

3. Costs of the Rule
    Below, the Department provides the basis for its estimated 
quantifiable costs resulting from the changes to specific provisions of 
the Privacy Rule. Many of the estimates are based on assumptions formed 
through the Office for Civil Rights' (OCR's) experience with its 
compliance and enforcement program and accounts from stakeholders 
received at outreach events. The Department has quantified recurring 
burdens for this final rule for obtaining an attestation from a person 
requesting the use or disclosure of PHI potentially related to 
reproductive health care for health oversight activities, judicial and 
administrative proceedings, law enforcement purposes, and about 
decedents to coroners or medical examiners.
    The Department requested information or data points from commenters 
to further refine its estimates and assumptions. We examine the most 
substantive comments received in the cost section below. Additionally, 
we received comments that are also discussed below on topics that are 
not directly addressed in the cost section.
    A commenter asserted that the Department did not account for the 
additional costs associated with major depressive disorders that would 
arise from the increase in abortions due to the rule. The Department 
does not believe that is a valid benchmark for the effects of this 
final rule, in part because we reject the premise, which is not backed 
by medical evidence or data, that this final rule will result in an 
increase in pregnancy terminations or depression.\429\ Further, 
researchers have raised numerous concerns about the methodology of the 
2011 study cited in

[[Page 33054]]

the comment.\430\ Accordingly, we are not including the costs 
associated with treatment of depression in the cost section.
---------------------------------------------------------------------------

    \429\ See M. Antonia Biggs et al., ``Women's Mental Health and 
Well-being 5 Years After Receiving or Being Denied an Abortion: A 
Prospective, Longitudinal Cohort Study,'' 74(2) JAMA Psychiatry 169, 
177 (2017), https://jamanetwork.com/journals/jamapsychiatry/fullarticle/2592320. See also Julia R. Steinberg et al., ``The 
association between first abortion and first-time non-fatal suicide 
attempt: a longitudinal cohort study of Danish population 
registries,'' 6(12) The Lancet Psychiatry 1031-1038 (Dec. 2019).
    \430\ See Julia R. Steinberg et al., ``Fatal flaws in a recent 
meta-analysis on abortion and mental health,'' 86(5) Contraception 
430-7 (Nov. 2012), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3646711/ (discussing errors and significant shortcomings of the 
studies included in the 2011 meta-analysis that render its 
conclusions invalid).
---------------------------------------------------------------------------

a. Costs Associated With Requests for Exception From Preemption
    The Department anticipates that states with laws that restrict 
access to reproductive health care are likely to seek an exception to 
the requirements of this final rule that preempt state law. Given the 
pace at which state laws governing access to reproductive health care 
are changing, the Department is finalizing its proposed estimate that a 
potential increase of 26 states \431\ will incur costs to develop a 
request to except a provision of state law from HIPAA's general 
preemption authority to submit to the Secretary.\432\ Based on existing 
burden estimates for this activity,\433\ the Department is finalizing 
its estimate that each exception request will require approximately 16 
hours of labor at the rate of a general health care practitioner and 
that approximately 26 states will make such requests. Thus, the 
Department estimates that states will spend a total of 416 hours 
requesting exception from preemption and monetize this as a one-time 
cost of $38,705 [= 16 x 26 x $93.04].
---------------------------------------------------------------------------

    \431\ See Lawrence O. Gostin et al., ``One Year After Dobbs--
Vast Changes to the Abortion Legal Landscape,'' 4(8) JAMA Health 
Forum (2023), https://jamanetwork.com/journals/jama-health-forum/fullarticle/2808205 (counting 21 states with post-Dobbs limits that 
are more restrictive than Roe v. Wade allowed) and Laura Deal, 
``State Laws Restricting or Prohibiting Abortion,'' Congressional 
Research Service (Jan. 22, 2024), https://crsreports.congress.gov/product/pdf/R/R47595. Because of the pace of change in this area, 
the Department relies on a higher number than JAMA's 2023 figure as 
a basis for its cost estimates.
    \432\ See 45 CFR 160.201 et seq. for information about 
exceptions to HIPAA's general preemption authority and the process 
for requesting such an exception and the criteria for granting it.
    \433\ ``Information Collection: Process for Requesting Exception 
Determinations (states or persons),'' U.S. Gen. Servs. Admin. & Off. 
of Mgmt. and Budget, https://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=201909-0945-001&icID=10428.
---------------------------------------------------------------------------

b. Estimated Costs From Adding a Requirement for an Attestation for 
Disclosures for Certain Purposes
    Multiple commenters asserted that the projected attestation cost in 
the proposed rule was incorrect and underestimated the true cost of 
implementing the proposed requirement. One commenter asserted that the 
proposed rule underestimated the time to review medical records for PHI 
about reproductive health care and recommended that it be increased 
significantly. The same commenter also suggested that the Department 
adopt a requirement to obtain an individual's authorization, instead of 
an attestation, because it would reduce costs. Other commenters 
asserted that the proposed cost estimates for the attestation 
requirement did not account for associated administrative burdens, 
urged the Department to require an attestation for every request for 
PHI to decrease overall costs by establishing a procedural norm, or 
requested that the Department provide grants and trainings to regulated 
entities to offset the costs of the attestation provision. Finally, 
another commenter requested that the Department release a model 
attestation form to decrease the cost burden for covered entities.
    A few commenters asserted that the Department misidentified the 
types of staff that would perform specific components of the 
attestation requirement. One posited that both a lawyer and a medical 
professional would need to review medical records for the use or 
disclosure of PHI in response to the proposed revisions to the Privacy 
Rule. Another asserted that the person reviewing PHI in response to a 
request for the use or disclosure of PHI would be a medical records 
clerk.
    The Department has modified the attestation requirement in response 
to public comments. As discussed above, this final rule requires 
regulated entities to obtain an attestation that the request for the 
use or disclosure of PHI is not for a purpose prohibited by 45 CFR 
164.502(a)(5)(iii) when the request is for certain purposes (health 
oversight activities, judicial and administrative proceedings, law 
enforcement purposes, and about decedents to coroners and medical 
examiners) and is for PHI potentially related to reproductive health 
care. Where the request is for a purpose that implicates 45 CFR 
164.502(a)(5)(iii) and the reproductive health care was provided by 
someone other than the regulated entity that received the request, such 
health care is presumed lawful under the circumstances in which it was 
provided unless the conditions of 45 CFR 164.502(a)(5)(iii)(C) are met. 
We expect the presumption of lawfulness to lower the burden for 
regulated entities to process requests for the use or disclosure of PHI 
for which an attestation is required; however, we also acknowledge that 
the proposed estimate did not fully represent the number of likely 
requests for the use or disclosure of PHI. The Department declines to 
require a valid authorization for these requests, as opposed to an 
attestation, and no grants to offset costs will be needed because of 
the lower estimated burden per request. The revised cost estimates 
include review of each request for the use or disclosure of PHI for 
health oversight activities, judicial and administrative proceedings, 
law enforcement purposes, and about decedents to coroners and medical 
examiners, to determine if an attestation has been provided and 
administrative burdens associated with obtaining the attestation.
    This final rule necessitates that regulated entities establish a 
process for responding to requests for the use or disclosure of PHI for 
which an attestation is required, such as reviewing and screening 
requests that are not accompanied by a valid authorization and are not 
a right of access request. We anticipate that across all regulated 
entities, this final rule will result in approximately 2,794,201 
requests that regulated entities need to review in connection with the 
permissions under 45 CFR 164.512(d)-(g)(1). The Department estimates 5 
minutes of average processing time per attestation based on the average 
wage of a mix of several occupations: medical and health services 
managers, medical records specialists, and health practitioners.\434\ 
For example, a medical records specialist may forward certain requests 
for the use or disclosure of PHI (for health oversight activities, 
judicial and administrative proceedings, law enforcement purposes, and 
about decedents to coroners and medical examiners) to a manager to 
review whether the request pertains to the lawfulness of reproductive 
health care. A health practitioner may review a number of records 
subject to a request for whether they contain PHI potentially related 
to reproductive health care. We calculate the annual cost for initial 
processing of the estimated 2,794,201 requests requiring attestations 
to total $20,585,500 [2,794,201 x (5/60) x $88.41]. For almost all of 
these requests, we believe that a brief review will be sufficient for a 
regulated entity to make a final disclosure determination.
---------------------------------------------------------------------------

    \434\ See supra, Table 3 of this RIA.
---------------------------------------------------------------------------

    For a small number of these requests, approximately 1,300, we 
assume that the brief review will not be sufficient; we assume that 
these requests will require legal review. This figure is an estimate of 
the number of requests that are generated to investigate or impose 
liability on a person for the mere act of seeking or obtaining lawful 
reproductive health care, including from a health care

[[Page 33055]]

provider in a state other than the state where the regulated entity is 
located. The Department's estimate assumes that approximately 26 states 
may seek to restrict access to out-of-state reproductive health care, 
including reproductive health care that is lawful under the 
circumstances in which it was provided, and will initiate an average of 50 
such requests annually. The Department estimates on average 1 hour of 
review for such requests based on the wage of a lawyer.\435\ We 
calculate the annual legal review cost for the estimated 1,300 requests 
totals $204,724 [1,300 x 1 x $157.48]. This additional review increases 
the cost of processing attestations to $20,790,224.
---------------------------------------------------------------------------

    \435\ Id.
---------------------------------------------------------------------------

    We anticipate that approximately one-quarter of requests that 
result in legal reviews, approximately 325, will require additional 
managerial review by the regulated entity before making a disclosure 
decision. The Department estimates on average 3 hours of additional 
review for each of these requests based on the wage of medical and 
health insurance managers.\436\ We calculate a total cost for 
additional actions for these requests of $119,984 [325 x 3 x $123.06]. 
The total annual estimated cost of processing attestations, including 
all additional legal and managerial reviews, is $20,910,207.
---------------------------------------------------------------------------

    \436\ Id.
---------------------------------------------------------------------------

    Upon consideration of the estimated cost for regulated entities to 
create a new attestation form, the Department is planning to develop a 
model form to be available prior to the compliance date of this final 
rule. This will save an estimated total of $60,970,823 [= 774,331 x 
(30/60) x $157.48], based on 30 minutes of labor by a lawyer.
c. Costs Arising From Revised Business Associate Agreements
    The Department anticipates that a certain percentage of business 
associate agreements will likely need to be updated to reflect a 
determination made by parties about their respective responsibilities 
when either party receives requests for disclosures of PHI under 45 CFR 
164.512(d), (e), (f), or (g)(1). For example, each of the parties to 
the business associate agreement may need to notify the other party 
when they have knowledge that a request is for an unlawful purpose and 
allocate their respective responsibilities for handling these less 
frequent requests. The Department is finalizing its proposed estimate 
that each new or significantly modified contract between a business 
associate and its subcontractors will require, on average, one hour of 
labor by a lawyer at the wage reported in Table 3. We believe that 
approximately 35 percent of 1 million business associates, or 350,000 
entities, will decide to create or significantly modify subcontracts, 
resulting in total costs of $55,118,000 [= 350,000 x $157.48].
    A few commenters asserted that the Department's estimates for 
business associates' costs were incorrect and that it should consider 
additional costs. A commenter recommended that the Department adopt a 
non-enforcement period to allow business associates to achieve 
compliance and limit legal costs. Another commenter stated that the 
Department did not adequately identify the costs that would be 
associated with increased legal scrutiny of business associates as a 
result of the proposed rule. And another commenter urged the Department 
to consider the additional costs for renegotiated contracts as a result 
of the proposed rule. Lastly, a commenter requested that the Department 
apply the attestation requirement to business associates because it 
would reduce the costs of the rule.
    The Department has reviewed the comments and is adopting the 2023 
Privacy Rule NPRM cost analysis in this final rule. Business associate 
costs are adequately captured by the estimate for revising agreements. 
Applying costs directly to business associates (as opposed to covered 
entities) is distributional and will not alter the total impact of the 
rule. The Department declines to create an additional non-enforcement 
period for this provision of the final rule beyond the 180 days from 
the date of publication for the final rule to the compliance date.\437\ 
The estimated cost for responding to requests for PHI for which an 
attestation is required accounts for increased scrutiny of a small 
number of requests for PHI, and the estimated costs for updating 
business associate agreements accounts for renegotiation of an average 
of one release of information vendor contract for nearly half of all 
covered entities.
---------------------------------------------------------------------------

    \437\ This includes 60 days from the date of publication to the 
effective date, plus 120 days from the effective date to the 
compliance date.
---------------------------------------------------------------------------

d. Costs Arising From Changes to the Notice of Privacy Practices
    The final rule modifies the NPP to notify individuals that covered 
entities cannot use or disclose PHI for certain purposes and that in 
certain circumstances, covered entities must obtain an attestation from 
a person requesting the PHI that affirms that the use or disclosure is 
not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). The final 
rule also modifies the NPP to align with changes proposed in the 2022 
Part 2 NPRM. This includes requiring covered entities that create or 
maintain Part 2 records to provide a notice that: addresses such 
records; references Part 2 as ``other applicable law'' that is more 
stringent than the Privacy Rule; explains that covered entities may not 
use or disclose a Part 2 record in a civil, criminal, administrative, 
or legislative proceeding against the individual absent written consent 
from the individual or a court order; and clarifies the applicability 
of Part 2 for organized health care arrangements that hold Part 2 
records. Additionally, the final rule further modifies language for 
fundraising by covered entities that use or disclose Part 2 records to 
require a clear and conspicuous opt-out opportunity for patients. 
Finally, the modifications require the NPP to explain that PHI 
disclosed to a person other than a regulated entity is no longer 
subject to the requirements of the Privacy Rule.
    The Department believes the burden associated with revising the NPP 
consists of costs related to developing and drafting the revised NPP 
for covered entities. The Department estimates that updating and 
revising the language in the NPP will require 50 minutes of 
professional legal services at the wage reported in Table 3. Across all 
covered entities, the Department estimates a cost of $101,618,038 [= 
774,331 x (50/60) x $157.48]. The Department does not anticipate any 
new costs for health care providers associated with distribution of the 
revised notice other than posting it on the entity's website (if it has 
one) because health care providers have an ongoing obligation to 
provide the notice to first-time patients that is already accounted for 
in cost estimates for the HIPAA Rules. Health plans that post their NPP 
online will incur minimal costs by posting the updated notice and then 
including the updated NPP in the next annual mailing to 
subscribers.\438\ Health plans that do not provide an annual mailing 
will potentially incur an additional $12,743,700 in capital expenses 
for mailing the revised NPP to an estimated 10 percent of the 
150,000,000 health plan subscribers who receive a mailed, paper copy of 
the notice, as well as the labor expense for an administrative support 
staff member at the rate shown in Table 3 to complete the mailing, for 
approximately $2,737,500 [= 62,500 hours x $43.80]. The Department 
further estimates the cost of posting the revised NPP on the

[[Page 33056]]

covered entity's website will be 15 minutes of a web designer's time at 
the wage reported in Table 3. Across all covered entities, the 
Department estimates a cost of online posting as $18,936,265 [= 774,331 
x (15/60) x $97.82].
---------------------------------------------------------------------------

    \438\ 45 CFR 164.520(c)(1)(v)(A).
---------------------------------------------------------------------------

    A commenter expressed concern that the Department was 
underestimating the cost of mailing updates associated with changes to 
NPP policies.
    The Department is already accounting for the cost of mailing 
updated NPPs within the estimated capital costs, which include printing 
copies of NPPs that are provided in person and those that are mailed, 
and postage for health plans that will need to conduct a mailing that 
is off-cycle from their regular schedule. We estimate that half of NPPs 
will need to be mailed and that health plans may include the updated 
NPP with their next regular mailing to individuals.
e. Estimated Costs for Developing New or Modified Policies and 
Procedures
    The Department anticipates that covered entities will need to 
develop new or modified policies and procedures for the new 
requirements for attestations, the new category of prohibited uses and 
disclosures, modifications to certain uses and disclosures permitted 
under 45 CFR 164.512, and clarification of personal representative 
qualifications. The Department is finalizing its proposed estimate that 
the costs associated with developing such policies and procedures will 
be the labor of a lawyer for 2.5 hours and that this expense represents 
the largest area of cost for compliance with this final rule, for a 
total of $304,854,115 [= 774,331 x 2.5 x $157.48].
    A few commenters stated that the estimate for covered entities to 
draft new policies was incorrect and provided additional information or 
alternatives to reduce costs. A commenter stated that the time burden 
for drafting new policies was insufficient and did not accurately 
represent the amount of time it would take a covered entity to draft a 
policy that complied with the proposed rule. Another commenter urged 
the Department to include the costs for organizations to update their 
privacy policies because of the proposed rule. A few commenters 
requested that the Department provide organizations with additional 
time to develop new policies that comply with the final rule.
    The Department considered the concerns raised by commenters about 
the burdens of the requirements to revise the Privacy Rule and made 
several additional modifications in this final rule to reduce burdens 
on regulated entities. For example, regulated entities are not required 
to develop policies to routinely evaluate whether reproductive health 
care that was provided by someone else was lawful. Instead, regulated 
entities will need to develop policies to ensure that regulated 
entities identify requests for health oversight activities, judicial 
and administrative proceedings, law enforcement purposes, and about 
decedents to coroners or medical examiners and procedures for obtaining 
the required attestation if it is not provided with the request for the 
use or disclosure of PHI. Additional policies will be required to 
address requests for the above purposes that could result in a 
prohibited use or disclosure, such as requests from law enforcement for 
the use or disclosure of PHI that assert, without any other 
information, that reproductive health care was provided unlawfully. The 
updating of privacy policies is included in the overall cost of 
updating policies and the estimate for updating the NPP. Because of 
changes in the final rule that simplify compliance with the new 
requirements, the Department is not adjusting the time burden for 
revising or creating new policies and procedures.
f. Costs Associated With Training Workforce Members
    The Department anticipates that covered entities will be able to 
incorporate new content into existing HIPAA training requirements and 
that the costs associated with doing so will be attributed to the labor 
of a training specialist for an estimated 90 minutes for a total of 
$78,029,335 [= 774,331 x (90/60) x $67.18].
    A few commenters addressed training costs within the proposed rule, 
including one who asserted that such costs could be reduced by ensuring 
that the effective date for all of the provisions of the rule is the 
same. Another commenter stated that covered entities would incur both a 
one-time and a yearly training cost, with the yearly training cost 
accounting for most of the total training cost in year 1.
    The Department is finalizing the cost estimate for training 
workforce members as proposed, which includes the cost of a training 
specialist updating the covered entity's HIPAA training program with 
new content to include in training for workforce members within the 
first year. Any further recurring component is likely to be incorporated 
into regularly scheduled employee training and will thus not be 
directly attributable to this rule.
g. Total Quantifiable Costs
    The Department summarizes in Table 6 the estimated nonrecurring 
costs that covered entities and states will experience in the first 
year of implementing the regulatory changes. The Department anticipates 
that these costs will be for requesting exceptions from preemption of 
contrary state law, implementing the attestation requirement, revising 
business associate agreements, revising the NPP, mailing and posting it 
online, revising policies and procedures, and updating HIPAA training 
programs.

                        Table 6--New Nonrecurring Costs of Compliance With the Final Rule
----------------------------------------------------------------------------------------------------------------
                                            Burden hours/ action x                                  Total costs
           Nonrecurring costs                    hourly  wage                 Respondents           (millions)
----------------------------------------------------------------------------------------------------------------
Exception Requests......................  16 x $93.04...............  26 States.................           $0.04
BA Agreements, Revising.................  1 x $157.48...............  350,000 BAAs..............              55
NPP, Updating...........................  50/60 x $157.48...........  774,331 Covered entities..             102
NPP, Mailing............................  0.25/60 x $43.80..........  15,000,000 Subscribers....               3
NPP, Posting Online.....................  15/60 x $97.82............  774,331 Covered entities..              19
Policies & Procedures...................  150/60 x $157.48..........  774,331 Covered entities..             305
Training................................  90/60 x $67.18............  774,331 Covered entities..              78
Capital Expenses, Mailing NPPs--Health    $.85/NPP..................  15,000,000 Subscribers....              13
 Plans.
                                         -----------------------------------------------------------------------
    Total Nonrecurring Burden...........  ..........................  ..........................         \a\ 574
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.


[[Page 33057]]

    Table 7 summarizes the recurring costs that the Department 
anticipates covered entities will incur annually as a result of the 
regulatory changes. These new costs are based on responding to requests 
for uses and disclosures of PHI that are conditioned upon an 
attestation.

                      Table 7--Recurring Annual Costs of Compliance With the Final Rule \a\
----------------------------------------------------------------------------------------------------------------
                                                                                                   Total annual
             Recurring costs                  Burden hours x wage             Respondents              cost
                                                                                                    (millions)
----------------------------------------------------------------------------------------------------------------
Disclosures for which an attestation is   232,850 x $88.41..........  2,794,201.................     $20,585,500
 required.
Attestation investigation review........  1,300 x $157.48...........  1,300.....................         204,724
Attestation additional actions..........  975 x $123.06.............  325.......................         119,984
                                         -----------------------------------------------------------------------
    Total Recurring Annual Burden.......  ..........................  ..........................      20,910,207
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.

Costs Borne by the Department
    The covered entities that are operated by the Department will be 
affected by the changes in a similar manner to other covered entities, 
and such costs have been factored into the estimates above.
    The Department expects that it will incur costs related to drafting 
and disseminating a model attestation form and information about the 
regulatory changes to covered entities, including health care providers 
and health plans. In addition, the Department anticipates that it may 
incur a 26-fold increase in the number of requests for exceptions from 
preemption of contrary state law in the first year after a final rule 
becomes effective, at an estimated total cost of approximately $146,319 
to analyze and develop responses for an average cost of $7,410 per 
request. This increase is based on the number of states that have 
enacted or are likely to enact laws restricting access to reproductive 
health care \439\ and may seek to obtain individuals' PHI to enforce 
those laws. This estimate assumes that the Department receives and 
reviews exception requests from the 26 states, that half require a more 
complex analysis, and that all requests result in a written response 
within one year of the final rule's publication.
---------------------------------------------------------------------------

    \439\ See ``One Year After Dobbs--Vast Changes to the Abortion 
Legal Landscape,'' supra note 432 (counting 21 states with post-
Dobbs limits that are more restrictive than Roe v. Wade allowed) and 
``State Laws Restricting or Prohibiting Abortion,'' supra note 432. 
Because of the pace of change in this area, the Department relies on 
a higher number than JAMA's 2023 figure as a basis for its cost 
estimates.
---------------------------------------------------------------------------

Benefits of the Final Rule
    The benefits of this final rule to individuals and families are 
likely substantial, and yet are not fully quantifiable because the area 
of health care this final rule addresses is among the most sensitive 
and life-altering if privacy is violated. Additionally, the value of 
privacy, which cannot be recovered once lost, and trust that privacy 
will be protected by others, is difficult to quantify fully. Health 
privacy has many significant benefits, such as promoting effective 
communication between individuals and health care providers, preventing 
discrimination, enhancing autonomy, supporting medical research, and 
protecting the individual from unwanted exposure of sensitive health 
information.\440\
---------------------------------------------------------------------------

    \440\ See ``Trust and Privacy: How Patient Trust in Providers is 
Related to Privacy Behaviors and Attitudes,'' supra note 120; Paige 
Nong et al., ``Discrimination, trust, and withholding information 
from providers: Implications for missing data and inequity,'' SSM--
Population Health (Apr. 7, 2022), https://www.sciencedirect.com/science/article/pii/S2352827322000714; See also S.J. Nass et al., 
``Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health 
Through Research,'' Institute of Medicine (US) Committee on Health 
Research and the Privacy of Health Information: The HIPAA Privacy 
Rule (2009), https://www.ncbi.nlm.nih.gov/books/NBK9579/.
---------------------------------------------------------------------------

    Notably, reproductive health care may include circumstances 
resulting in a pregnancy, considerations concerning maternal and fetal 
health, family genetic conditions, information concerning sexually 
transmitted infections, and the relationship between prospective 
parents (including victimization due to rape, incest, or sex 
trafficking). Involuntary or poorly-timed disclosures can irreparably 
harm relationships and reputations, and even result in job loss or 
other negative consequences in the workplace,\441\ as well as 
investigation, civil litigation or proceedings, and prosecution for 
lawful activities.\442\ Additionally, fear of potential penalties or 
liability that may result from disclosing information to a health care 
provider about accessing reproductive health care may cast a long 
shadow, decreasing trust between individuals and health care providers, 
discouraging and deterring access to other valuable and necessary 
health care, or compromising ongoing or subsequent care if an 
individual's medical records are not accurate or complete.\443\ This 
final rule will prevent or reduce the harms discussed here, resulting 
in non-quantifiable benefits to individuals and their families, 
friends, and health care providers. In particular, the role of trust in 
the health care system and its importance to the provision of high-
quality health care is discussed extensively in Section III of this 
preamble.
---------------------------------------------------------------------------

    \441\ See Danielle Keats Citron & Daniel J. Solove, ``Privacy 
Harms,'' GWU Legal Studies Research Paper No. 2021-11, GWU Law 
School Public Law Research Paper No. 2021-11, 102 B.U. L. Rev. 793, 
830-861 (Feb. 9, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3782222.
    \442\ See ``Reclaiming Tort Law to Protect Reproductive 
Rights,'' supra note 152.
    \443\ See Div. of Reproductive Health, Nat'l Ctr. for Chronic 
Disease Prevention and Health Promotion, ``Women With Chronic 
Conditions Struggle to Find Medications After Abortion Laws Limit 
Access,'' Ctrs. for Disease Control and Prevention (Jan. 4, 2023), 
https://www.cdc.gov/teenpregnancy/health-care-providers/index.htm; 
see also Brittni Frederiksen et al., ``Abortion Bans May Limit 
Essential Medications for Women with Chronic Conditions,'' Kaiser 
Family Foundation (Nov. 17, 2022), https://www.kff.org/womens-health-policy/issue-brief/abortion-bans-may-limit-essential-medications-for-women-with-chronic-conditions/.
---------------------------------------------------------------------------

    The Department anticipates that this final rule will increase 
health literacy by improving access to complete information about 
health care options for individuals.\444\ For example, the prohibition 
on the use and disclosure of PHI for purposes of investigating or 
imposing liability on an individual, a person assisting them, or their 
health care provider for lawful health care will increase individuals' 
access to complete information about their health care options because 
they will have increased confidence to share information about their 
life, including their health, with health care providers. In turn, the 
receipt of more complete information from patients will enable

[[Page 33058]]

health care providers to provide more accurate and relevant medical 
information about lawful reproductive health care, and the new 
prohibition will enable them to do so without fear of serious and 
costly professional repercussions.
---------------------------------------------------------------------------

    \444\ See Lynn M. Yee et al., ``Association of Health Literacy 
Among Nulliparous Individuals and Maternal and Neonatal Outcomes,'' 
JAMA Network Open (Sept. 1, 2021), https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2783674.
---------------------------------------------------------------------------

    This final rule will also contribute to increased access to 
prenatal health care at the critical early stages of pregnancy by 
affording individuals the assurance that they may obtain lawful 
reproductive health care without fearing that records related to that 
care would be subject to disclosure. For example, if a sexually active 
individual fears they or their health care providers could be subject 
to prosecution as a result of disclosure of their PHI, the individual 
may avoid informing health care providers about symptoms or asking 
questions of medical experts and may consequently fail to receive 
necessary support and health care for a pregnancy diagnosis.\445\ 
Similarly, this final rule will likely contribute to a decreased rate 
of maternal mortality and morbidity by improving access to information 
about health services.\446\
---------------------------------------------------------------------------

    \445\ See ``Texas Maternal Mortality and Morbidity Review 
Committee and Department of State Health Services Joint Biennial 
Report 2022,'' supra note 123.
    \446\ See Helen Levy & Alex Janke, ``Health Literacy and Access 
to Care,'' J. of Health Commc'n (2016), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4924568/; see also Brief for 
Zurawski, Zurawski v. State of Texas (No. D-1-GN-23-000968) (W.D. 
Tex. 2023), https://reproductiverights.org/wp-content/uploads/2023/03/Zurawski-v-State-of-Texas-Complaint.pdf.
---------------------------------------------------------------------------

    Additionally, this final rule will enhance the mental health and 
emotional well-being of individuals seeking or obtaining lawful 
reproductive health care by reducing fear that their PHI will be 
disclosed to investigate or impose liability on the individual, their 
health care provider, or any persons facilitating the individual's 
access to lawful reproductive health care. This is especially important 
for individuals who need access to reproductive health care because 
they are survivors of rape, incest, or sex trafficking. For at least 
some such individuals, certain types of reproductive health care, 
including abortion, often remain legal even if pregnancy termination is 
not available to the broader population under state law. The Department 
expects that this final rule will help to prevent or reduce re-
victimization of pregnant individuals who have been subject to rape, 
incest, or sex trafficking by protecting their PHI from disclosure.
    Activities conducted to investigate and impose liability that rely 
on that information may be costly to defend against and thus are 
financially draining for the target of those activities and for persons 
who are not the target of the activity but whose information may be 
used as evidence against others. Witnesses or targets of such 
activities may lose time from work and incur steep legal bills that 
create unmanageable debt or otherwise harm the economic stability of 
the individual, their family, and their health care provider. In the 
absence of this final rule, much of the costs may be for defending 
against the unwanted use or disclosure of PHI. Thus, the Department 
expects that this final rule will contribute to families' economic 
well-being by reducing the risk of exposure to costly activities to 
investigate or impose liability on persons for lawful activities as a 
result of disclosures of PHI.
    This final rule will also contribute to improved continuity of care 
and ongoing and subsequent health care for individuals, thereby 
improving health outcomes. If a health care provider believes that PHI 
is likely to be disclosed without the individual's or the health care 
provider's knowledge or consent, possibly to initiate or be used in 
criminal or civil proceedings against the individual, their health care 
provider, or others, the health care provider is more likely to omit 
information about an individual's medical history or condition, leave 
gaps, or include inaccuracies when preparing the individual's medical 
records. And if an individual's medical records lack complete 
information about the individual's health history, a subsequent health 
care provider may not be able to conduct an appropriate health 
assessment to reach a sound diagnosis and recommend the best course of 
action for the individual. Alternatively, health care providers may 
withhold from the individual full and complete information about their 
treatment options because of liability concerns stemming from fears 
about the privacy of an individual's PHI.\447\ Heightened 
confidentiality and privacy protections enable a health care provider 
to feel confident maintaining full and complete patient records. 
Without complete patient records, an individual is less likely to 
receive appropriate ongoing or future health care, including correct 
diagnoses, and will be impeded in making informed treatment decisions.
---------------------------------------------------------------------------

    \447\ See Brief for Zurawski, at 10, supra note 447.
---------------------------------------------------------------------------

Comparison of Benefits and Costs
    A few commenters stated that the 2023 Privacy Rule NPRM reflected 
the staffing costs of covered entities in full. One posited that 
covered entities will receive more requests for PHI because of changes 
in the legal environment after Dobbs, which will require some regulated 
entities that may not typically get such requests to adjust according 
to the changes in the law and how it is enforced. Another commenter 
stated that the proposed rule did not account for higher staffing costs 
from more highly qualified employees. The commenters did not provide 
any relevant data or discussion of methodology for how these costs 
should be quantified. Therefore, the Department did not include any 
additional labor costs in the economic analysis based on this comment.
    A few additional commenters expressed general concerns related to 
electronic health record (EHR) systems and data storage. One urged the 
Department to include costs associated with updating EHR systems to 
ensure compliance and to allow for data segmentation. Another asserted 
that the current classifications for different types of PHI are not 
clear enough for effective data segmentation, contributing to increased 
costs. As a result, they recommended that the Department provide 
clearer guidelines on the different types of PHI. The Department did 
not attempt to estimate additional data maintenance or EHR-related 
costs because any adjustments will be part of the regular cost of 
business for regulated entities.
    A commenter stated that the Department did not quantify the costs 
associated with violations of the rule by regulated entities, such as 
incurring a monetary penalty after impermissibly responding to a court 
order. The Department does not quantify the costs of noncompliance as 
part of its analysis. Whether a violation will result in a monetary 
penalty is dependent on numerous factors and the aim of the 
Department's enforcement is to bring regulated entities into 
compliance.
    A few commenters asserted that the proposed rule would make it more 
difficult for law enforcement to investigate criminals for crimes 
related to sex and recommended that the Department quantify this cost. 
The Department acknowledges that the final rule may result in some 
changes to procedures for handling law enforcement requests for PHI; 
however, the burden on regulated entities is calculated in its cost 
estimates. The Department is unable to quantify the burdens to law 
enforcement resulting from this final rule. However, to address 
concerns about victims' ability to disclose their PHI related to 
reproductive health care, the final rule

[[Page 33059]]

permits individuals to authorize disclosures for any purpose, including 
law enforcement investigations. Therefore, the Department is not 
including costs to law enforcement in the quantified costs and benefits 
analysis. The Department expects the totality of the benefits of this 
final rule to outweigh the costs, particularly in light of the privacy 
benefits for individuals who could become pregnant (nearly one-fourth 
of the U.S. population in any given year) and seek access to lawful 
health care without the risk of their PHI being used or disclosed in 
furtherance of activities to conduct criminal, civil, or administrative 
investigations or impose liability without their authorization. The 
Department expects covered entities and individuals to benefit from 
covered entities' increased confidence to be able to provide lawful 
health care according to professional standards.
    The Department's qualitative benefit-cost analysis asserts that the 
regulatory changes in this final rule will support an individual's 
privacy with respect to lawful health care, enhance the relationship 
between health care providers and individuals, strengthen maternal 
well-being and family stability, and support victims of rape, incest, 
and sex trafficking. The regulatory changes will also aid health care 
providers in developing and maintaining a high level of trust with 
individuals and maintaining complete and accurate medical records to 
aid ongoing and subsequent health care. Greater levels of trust will 
further enable individuals to develop and maintain relationships with 
health care providers, which would enhance continuity of health care 
for all individuals receiving care from the health care provider, not 
only individuals in need of reproductive health care.
    The financial costs of this final rule will accrue primarily to 
covered entities, particularly health care providers and health plans 
in the first year after implementation of a final rule, with recurring 
costs accruing annually at a lower rate.

B. Regulatory Alternatives to the Final Rule

    In addition to regulatory proposals in the 2023 Privacy Rule NPRM 
that are not adopted here, the Department considered several 
alternatives to the policies finalized in this rule.
Define Public Health in the Context of Public Health Surveillance, 
Intervention, or Investigation
    The Department considered alternatives to the proposed definition 
of ``public health'' in the context of public health surveillance, 
investigation, and intervention, particularly the reference to 
population-level activities. Specifically, the Department considered 
whether to add ``individual-level'' to further distinguish public 
health surveillance, investigation, and intervention from other 
activities but did not adopt this approach because it would add a new 
undefined term that would generate more complexity without adding 
clarity. The Department also considered removing ``population-level'' 
from the definition in this final rule, but we are not adopting that 
approach because it might lead people to believe that the focus of 
public health is not on activities benefiting the population as a 
whole. Additionally, the Department considered defining ``public 
health'' surveillance, investigation, or intervention only in the 
negative--that is, by listing activities that are excluded--but decided 
not to adopt this approach to ensure that stakeholders understand what 
public health surveillance, investigation, or intervention means.
Modify Prohibition To Presume That Reproductive Health Care Is Lawful 
Absent Actual Knowledge
    The Department considered adding a provision that would allow 
regulated entities to presume that certain requests for PHI are about 
reproductive health care that was lawful under the circumstances in 
which such health care was provided where it was provided by someone 
other than the regulated entity receiving the PHI request, unless the 
regulated entity had actual knowledge that such health care was not 
lawful under the circumstances in which it was provided. However, in 
consultation with Federal partners, the Department decided to finalize 
a second exception to the presumption to permit uses or disclosures of 
PHI where privacy interests are reduced, as compared to the societal 
interest in the PHI for certain non-health care purposes. This 
exception is available where factual information supplied by the person 
requesting the use or disclosure of PHI demonstrates to the regulated 
entity a substantial factual basis that the reproductive health care 
was not lawful under the specific circumstances in which such health 
care was provided.
Administrative Requests by Law Enforcement
    The Department received reports that not all regulated entities are 
interpreting the administrative request provision correctly and 
proposed a clarification to 45 CFR 164.512(f)(1)(ii)(C). To address 
concerns that disclosures currently made under Federal agencies' 
interpretations of the Privacy Act of 1974 \448\ would not be permitted 
under the NPRM proposal, the Department considered adding qualifying 
language to paragraph 45 CFR 164.512(f)(1)(ii)(C) to state that PHI may 
be disclosed by a Federal agency in response to an administrative 
request from law enforcement where the Federal agency is authorized, 
but not required, to disclose under applicable law (see, e.g., the 
Privacy Act and OMB 1975 Guidelines \449\). However, the Department 
determined that the contemplated change was not necessary because the 
intent of the Privacy Rule was adequately captured in the clarification 
proposed in the NPRM and finalized in this rule at 45 CFR 
164.512(f)(1)(ii)(C). As finalized, this provision permits disclosures 
to law enforcement in response to ``an administrative request for which 
response is required by law, including an administrative subpoena or 
summons, a civil or an authorized investigative demand, or similar 
process authorized under law.''
---------------------------------------------------------------------------

    \448\ Public Law 93-579, 88 Stat. 1896 (Dec. 31, 1974) (codified 
at 5 U.S.C. 552a).
    \449\ 40 FR 28948, 28955 (July 9, 1975).
---------------------------------------------------------------------------

Scope of Prohibited Conduct
    In response to public comments on the 2023 Privacy Rule NPRM, the 
Department considered several approaches to outlining prohibited 
conduct. One approach was creating a category of ``highly sensitive 
PHI'' and prohibiting its use and disclosure in certain proceedings 
based on the mere act of, for example, obtaining, providing, or aiding 
that category of health care. The Department did not adopt this 
category based on many concerns expressed in public comments. For 
example, distinguishing between the sensitivity of different types of 
PHI would require complicated subjective determinations, and 
prohibiting or limiting uses or disclosures of highly sensitive PHI for 
certain purposes could negatively affect efforts to eliminate data 
segmentation and further stigmatize the types of health care included 
in the ``highly sensitive'' category.
    Another approach the Department considered was to require an 
attestation for all requested uses and disclosures of PHI under 45 CFR 
164.512(d)-(g)(1), rather than limiting the requirement to only 
requested uses and disclosures of PHI potentially related to 
reproductive health care under such provisions. This would have reduced 
the burden on

[[Page 33060]]

regulated entities to screen requested PHI for whether it contained 
information potentially related to reproductive health care and 
increased the burden on persons requesting PHI to evaluate and attest 
to all requests for use and disclosure of PHI under 45 CFR 164.512(d)-
(g)(1). However, in recognition of the importance of oversight and law 
enforcement entities' ability to obtain PHI for legitimate inquiries, 
the Department decided not to require an attestation for all requests 
under these provisions.
Requiring an Attestation Under Penalty of Perjury
    The Department requested comments about the possibility of adding a 
required penalty of perjury statement to strengthen the attestation 
requirement but did not propose this statement in the 2023 Privacy Rule 
NPRM. After reviewing public comments on this topic, the Department 
considered adding a requirement that the attestation be signed by the 
person requesting the use or disclosure of PHI under penalty of perjury 
but did not adopt such a requirement in the final rule. As discussed in 
greater detail above, a person who knowingly and in violation of the 
Administrative Simplification provisions of HIPAA obtains or discloses 
IIHI relating to another individual or discloses IIHI to another person 
is subject to criminal liability.\450\ Thus, a person who knowingly and 
in violation of HIPAA \451\ falsifies an attestation (e.g., makes 
material misrepresentations about the intended uses of the PHI 
requested) to obtain (or cause to be disclosed) an individual's IIHI 
could be subject to criminal penalties as outlined in the statute. The 
Department believes such penalties are sufficient to hold persons who 
knowingly submit false attestations accountable for their actions and 
deter such submissions entirely.
---------------------------------------------------------------------------

    \450\ 42 U.S.C. 1320d-6(a).
    \451\ A person (including an employee or other individual) shall 
be considered to have obtained or disclosed individually 
identifiable health information in violation of this part if the 
information is maintained by a covered entity (as defined in the 
HIPAA privacy regulation described in section 1320d-9(b)(3) of this 
title) and the individual obtained or disclosed such information 
without authorization. Id.
---------------------------------------------------------------------------

Right To Request Restrictions
    In the 2023 Privacy Rule NPRM, the Department requested comments 
regarding the right of individuals to request restrictions of uses and 
disclosures of their PHI. We did not propose any changes to this 
provision in the 2023 Privacy Rule NPRM, nor are we proposing or 
finalizing any modifications to it at this time. We appreciate the 
comments we received regarding expanding the rights to request 
disclosures and will take them under advisement when we consider future 
modifications to the Privacy Rule.

C. Regulatory Flexibility Act--Small Entity Analysis

    The Department has examined the economic implications of this final 
rule as required by the RFA. If a rule has a significant economic 
impact on a substantial number of small entities, the RFA requires 
agencies to analyze regulatory options that would reduce the economic 
effect of the rule on small entities.
    For purposes of the RFA, small entities include small businesses, 
nonprofit organizations, and small governmental jurisdictions. The Act 
defines ``small entities'' as (1) a proprietary firm meeting the size 
standards of the Small Business Administration (SBA), (2) a nonprofit 
organization that is not dominant in its field, and (3) a small 
government jurisdiction of less than 50,000 population. A few 
commenters raised concerns about the effects of the proposed rule on 
small or rural providers and requested additional analysis, guidance, 
or technical assistance from the Department to aid these entities. The 
Department did not receive any public comments on the small business 
analysis assumptions used in the NPRM. Accordingly, we are not changing 
the baseline assumptions for this final rule. We have updated our 
analysis of small entities for consistency with revisions to the RIA 
for the costs and savings for covered entities. The Department has 
determined that roughly 90 percent or more of all health care providers 
meet the SBA size standard for a small business or are a nonprofit 
organization. Therefore, the Department estimates that there are 
696,898 small entities affected by the final rule.\452\ The SBA size 
standard for health care providers ranges between a maximum of $16 
million and $47 million in annual receipts, depending upon the type of 
entity.\453\
---------------------------------------------------------------------------

    \452\ 696,898 = 774,331 x .90.
    \453\ See U.S. Small Business Administration, Table of Small 
Business Size Standards (Mar. 17, 2023), https://www.sba.gov/sites/sbagov/files/2023-06/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%282%29.pdf.
---------------------------------------------------------------------------

    With respect to health insurers, the SBA size standard is a maximum 
of $47 million in annual receipts, and for third party administrators 
it is $45.5 million.\454\ While some insurers are classified as 
nonprofit, it is possible they are dominant in their market. For 
example, a number of Blue Cross/Blue Shield insurers are organized as 
nonprofit entities; yet they dominate the health insurance market in 
the states where they are licensed.\455\
---------------------------------------------------------------------------

    \454\ Id.
    \455\ Kaiser Family Foundation, ``Market Share and Enrollment of 
Largest Three Insurers--Large Group Market'' (2019), https://www.kff.org/other/state-indicator/market-share-and-enrollment-of-largest-three-insurers-large-group-market/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D.
---------------------------------------------------------------------------

    For the reasons stated below, we do not expect that the cost of 
compliance will be significant for small entities. Nor do we expect 
that the cost of compliance will fall disproportionately on small 
entities. Although many of the covered entities affected by this final 
rule are small entities, they will not bear a disproportionate cost 
burden compared to the other entities subject to the rule. The 
projected total costs are discussed in detail in the RIA. The 
Department does not view this as a substantial burden because the 
result of the changes will be annualized costs per covered entity of 
approximately $184 [= $142.6 million \456\/774,331 covered entities]. 
In the context of the RFA, HHS generally considers an economic impact 
exceeding 3 percent of annual revenue to be significant, and 5 percent 
or more of the affected small entities within an identified industry to 
represent a substantial number. The quantified impact of $184 per 
covered entity would only apply to covered entities whose annual 
revenue is $6,133 or less. We believe almost all, if not all covered 
entities have annual revenues that exceed this amount. Accordingly, the 
Department has determined that this final rule is unlikely to affect a 
substantial number of small entities that meet the RFA threshold. Thus, 
this analysis concludes, and the Secretary certifies, that the rule 
will not result in a significant economic effect on a substantial 
number of small entities.
---------------------------------------------------------------------------

    \456\ This figure represents annualized costs discounted at a 3% 
rate.
---------------------------------------------------------------------------

D. Executive Order 13132--Federalism

    As required by E.O. 13132 on Federalism, the Department has 
examined the provisions in both the proposed and final regulation for 
their effects on the relationship between the Federal Government and 
the states. In the Department's view, the final regulation may have 
federalism implications because it may have direct effects on the 
states, the relationship between the Federal Government and states, and 
on the distribution of power and responsibilities among various

[[Page 33061]]

levels of government relating to the disclosure of PHI.
    The changes from this final rule flow from and are consistent with 
the underlying statute, which authorizes the Secretary to issue 
regulations that govern the privacy of PHI. The statute provides that, 
with limited exceptions, such regulations supersede contrary provisions 
of state law unless the provision of state law imposes more stringent 
privacy protections than the Federal law.\457\
---------------------------------------------------------------------------

    \457\ 42 U.S.C. 1320d-7(a)(1).
---------------------------------------------------------------------------

    Section 3(b) of E.O. 13132 recognizes that national action limiting 
the policymaking discretion of states will be imposed only where there 
is constitutional and statutory authority for the action and the 
national activity is appropriate when considering a problem of national 
significance. The privacy of PHI is of national concern by virtue of 
the scope of interstate health commerce. As described in the preamble 
to the proposed rule and this final rule, recent state actions 
affecting reproductive health care have undermined the longstanding 
expectation among individuals in all states that their highly sensitive 
reproductive health information will remain private and not be used 
against them for seeking or obtaining legal health care. These state 
actions thus directly threaten the trust that is essential to ensuring 
access to, and quality of, lawful health care. HIPAA's provisions 
reflect this position by authorizing the Secretary to promulgate 
regulations to implement the Privacy Rule.
    Section 4(a) of E.O. 13132 expressly contemplates preemption when 
there is a conflict between exercising state and Federal authority 
under a Federal statute. Section 4(b) of the E.O. authorizes preemption 
of state law in the Federal rulemaking context when ``the exercise of 
State authority directly conflicts with the exercise of Federal 
authority under the Federal statute.'' The approach in this regulation 
is consistent with the standards in the E.O. because it supersedes 
state authority only when such authority is inconsistent with standards 
established pursuant to the grant of Federal authority under the 
statute.
    State and local laws that impinge on the privacy protections for 
PHI of individuals who obtain lawful reproductive health care undermine 
Congress' directive to develop a health information system for the 
purpose of improving the effectiveness of the health care system, which 
requires that all individuals who receive health care legally are 
assured a minimum level of privacy for their PHI. Congress established 
specific, narrow exceptions to preemption that did not include the use 
or disclosure of an individual's medical records for law enforcement 
purposes generally. Nor did Congress include a specific exception to 
preemption that would permit states to use PHI against that individual, 
health care providers, or third parties merely for seeking, obtaining, 
providing, or facilitating lawful health care.\458\ Both the personal 
and the public interest are served by protecting PHI so as not to undermine 
an individual's access to and quality of lawful health care services 
and their trust in the health care system.
---------------------------------------------------------------------------

    \458\ 42 U.S.C. 1320d-7(a)(2)(A).
---------------------------------------------------------------------------

    The Department anticipates that the most significant direct costs 
on state and local governments would be the cost for state and local 
government-operated covered entities to revise business associate 
agreements, revise policies and procedures, update the NPP, update 
training programs, and process requests for disclosures for which an 
attestation is required. These costs would be similar in kind to those 
borne by non-government-operated covered entities. In addition, the 
Department anticipates that approximately half of the states may choose 
to file a request for an exception to preemption. The longstanding 
regulatory provisions that govern preemption exception requests under 
the HIPAA Rules would remain undisturbed by this rule.\459\ However, 
based on the legal developments in some states that are described 
elsewhere in this preamble, the Department anticipates that in the 
first year of implementation of a final rule, more states will submit 
requests for exceptions from preemption than have done so in the past. 
The RIA above addresses these costs in detail.
---------------------------------------------------------------------------

    \459\ 45 CFR 160.201 through 160.205.
---------------------------------------------------------------------------

    Pursuant to the requirements set forth in section 8(a) of E.O. 
13132, and by the signature affixed to the final rule, the Department 
certifies that it has complied with the requirements of E.O. 13132, 
including review and consideration of comments from state and local 
government officials and the public about the interaction of this rule 
with state activity, for the final rule in a meaningful and timely 
manner.

E. Assessment of Federal Regulation and Policies on Families

    Section 654 of the Treasury and General Government Appropriations 
Act of 1999 \460\ requires Federal departments and agencies to 
determine whether a proposed policy or regulation could affect family 
well-being. If the determination is affirmative, then the Department or 
agency must prepare an impact assessment to address criteria specified 
in the law. This final rule is expected to strengthen the stability of 
the family and marital commitment because it protects individual 
privacy in the context of sensitive decisions about family planning. 
The rule may be carried out only by the Federal Government because it 
would modify Federal health privacy law, ensuring that American 
families have confidence in the privacy of their information about 
lawful reproductive health care, regardless of the state where they are 
located when health care is provided. Such health care privacy is vital 
for individuals who may become pregnant or who are capable of becoming 
pregnant.
---------------------------------------------------------------------------

    \460\ Public Law 105-277, 112 Stat. 2681 (Oct. 21, 1998).
---------------------------------------------------------------------------

F. Paperwork Reduction Act of 1995

    Under the Paperwork Reduction Act of 1995 \461\ (PRA), agencies are 
required to submit to OMB for review and approval any reporting or 
record-keeping requirements inherent in a proposed or final rule and 
are required to publish such proposed requirements for public comment. 
To fairly evaluate whether an information collection should be approved 
by the OMB, section 3506(c)(2)(A) of the PRA requires that the 
Department solicit comment on the following issues:
---------------------------------------------------------------------------

    \461\ Public Law 104-13, 109 Stat. 163 (May 22, 1995).
---------------------------------------------------------------------------

    1. Whether the information collection is necessary and useful to 
carry out the proper functions of the agency;
    2. The accuracy of the agency's estimate of the information 
collection burden;
    3. The quality, utility, and clarity of the information to be 
collected; and
    4. Recommendations to minimize the information collection burden on 
the affected public, including automated collection techniques.
    The PRA requires consideration of the time, effort, and financial 
resources necessary to meet the information collection requirements 
referenced in this section. The Department considered public comments 
on its assumptions and burden estimates in the 2023 Privacy Rule NPRM 
and addresses those comments above in the discussion of benefits and 
costs of this final rule.
    In this RIA, the Department is revising certain information 
collection requirements associated with this final rule and, as such, 
is revising the information collection last prepared in

[[Page 33062]]

2023 and approved under OMB control #0945-0003. The revised information 
collection describes all new and adjusted information collection 
requirements for covered entities pursuant to the implementing 
regulation for HIPAA at 45 CFR parts 160 and 164, the HIPAA Privacy, 
Security, Breach Notification, and Enforcement Rules (``HIPAA Rules'').
    The estimated annual labor burden presented by the regulatory 
modifications in the first year of implementation, including 
nonrecurring and recurring burdens, is 4,584,224 burden hours at a cost 
of $582,242,165 \462\ and $20,910,207 of estimated annual labor costs 
in years two through five. The overall total burden for respondents to 
comply with the information collection requirements of all of the HIPAA 
Privacy, Security, and Breach Notification Rules, including 
nonrecurring and recurring burdens presented by program changes, is 
953,982,236 burden hours at a cost of $107,336,705,941, plus 
$197,364,010 in capital costs for a total estimated annual burden of 
$107,534,069,951 in the first year following the effective date of the 
final rule. Details describing the burden analysis for the proposals 
associated with this RIA are presented below and explained further in 
the ICR associated with this final rule.
---------------------------------------------------------------------------

    \462\ This includes an increase of 416 burden hours and $36,442 
in costs added to the existing information collection for requesting 
exemption determinations under 45 CFR 160.204.
---------------------------------------------------------------------------

Explanation of Estimated Annualized Burden Hours
    Below is a summary of the significant program changes and 
adjustments made since the approved 2023 ICR; because the ICR addresses 
regulatory burdens associated with the full suite of HIPAA Rules, the 
changes and adjustments include updated data and estimates for some 
provisions of the HIPAA Rules that are not affected by this final rule. 
These program changes and adjustments form the bases for the burden 
estimates presented in the ICR associated with this RIA.
Adjusted Estimated Annual Burdens of Compliance
    (1) Increasing the number of covered entities from 700,000 to 
774,331 based on program change.
    (2) Increasing the number of respondents requesting exceptions to 
state law preemption from 1 to 27 based on an expected reaction by 
states that have enacted restrictions on reproductive health care 
access.
    (3) Increasing the burden hours by a factor of two for responding 
to individuals' requests for restrictions on disclosures of their PHI 
under 45 CFR 164.522 to represent a doubling of the expected requests.
    (4) Updating the number of breaches for which notification is 
required to reflect data in OCR's 2022 Report to Congress \463\ and 
related burdens.
---------------------------------------------------------------------------

    \463\ See Off. for Civil Rights, ``Annual Report to Congress on 
Breaches of Unsecured Protected Health Information,'' U.S. Dep't of 
Health and Human Servs. (2022), https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/.
---------------------------------------------------------------------------

    (5) Increasing the number of estimated uses and disclosures for 
research purposes.
    (6) Increasing the total number of NPPs distributed by health plans 
by 50% to total 300,000,000 due to the increase in number of Americans 
with health coverage.
New Burdens Resulting from Program Changes
    In addition to these changes, the Department added new annual 
burdens as a result of program changes in the final rule:
    (1) A nonrecurring burden of 1 hour for each of 350,000 business 
associate agreements that are likely to be revised as a result of the 
changes to handling requests for PHI under 45 CFR 164.512(d), (e), (f), 
and (g)(1), to allocate responsibilities between covered entities and 
their release-of-information contractors.
    (2) A recurring burden of 5 minutes per request for staff to 
determine whether an attestation is required for disclosure under 45 
CFR 164.509.
    (3) A recurring burden of 1 hour per request for legal review of 
whether certain requests identified by staff as potentially requiring 
an attestation pertain to the lawfulness of reproductive health care.
    (4) A recurring burden of 3 hours per request for a percentage of 
requests requiring legal review that might require additional manager 
review to determine whether the requirements at 45 CFR 164.509 are met.
    (5) A nonrecurring burden of 50 minutes per covered entity to 
update the required content of its NPP.
    (6) A nonrecurring burden of 15 minutes per covered entity for 
posting an updated NPP online.
    (7) A nonrecurring burden of 2.5 hours for each covered entity to 
update its policies and procedures.
    (8) A nonrecurring burden of 90 minutes for each covered entity to 
update the content of its HIPAA training program.

List of Subjects

45 CFR Part 160

    Health care, Health records, Preemption, Privacy, Public health, 
Reproductive health care.

45 CFR Part 164

    Health care, Health records, Privacy, Public health, Reporting and 
recordkeeping requirements, Reproductive health care.

    For the reasons stated in the preamble, the Department of Health 
and Human Services amends 45 CFR subtitle A, subchapter C, parts 160 
and 164 as set forth below:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

■ 1. The authority citation for part 160 continues to read as follows:

    Authority:  42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 
(note)); 5 U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat. 
258-279; and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.


■ 2. Amend Sec.  160.103 by:
■ a. Revising the definition of ``Person''; and
■ b. Adding in alphabetical order the definitions of ``Public health'' 
and ``Reproductive health care''.
    The revision and additions read as follows:


Sec.  160.103  Definitions.

* * * * *
    Person means a natural person (meaning a human being who is born 
alive), trust or estate, partnership, corporation, professional 
association or corporation, or other entity, public or private.
* * * * *
    Public health, as used in the terms ``public health surveillance,'' 
``public health investigation,'' and ``public health intervention,'' 
means population-level activities to prevent disease in and promote the 
health of populations. Such activities include identifying, monitoring, 
preventing, or mitigating ongoing or prospective threats to the health 
or safety of a population, which may involve the collection of 
protected health information. But such activities do not include those 
with any of the following purposes:
    (1) To conduct a criminal, civil, or administrative investigation 
into any person for the mere act of seeking, obtaining, providing, or 
facilitating health care.
    (2) To impose criminal, civil, or administrative liability on any 
person for the mere act of seeking, obtaining, providing, or 
facilitating health care.

[[Page 33063]]

    (3) To identify any person for any of the activities described at 
paragraphs (1) or (2) of this definition.
    Reproductive health care means health care, as defined in this 
section, that affects the health of an individual in all matters 
relating to the reproductive system and to its functions and processes. 
This definition shall not be construed to set forth a standard of care 
for or regulate what constitutes clinically appropriate reproductive 
health care.
* * * * *

PART 164--SECURITY AND PRIVACY

■ 3. The authority citation for part 164 continues to read as follows:

    Authority:  42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)); 
and secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.


■ 4. Amend Sec.  164.502 by
■ a. Revising paragraph (a)(1)(vi);
■ b. Adding paragraph (a)(5)(iii); and
■ c. Revising paragraph (g)(5).
    The addition and revisions read as follows:


Sec.  164.502  Uses and disclosures of protected health information: General rules.

    (a) * * *
    (1) * * *
    (vi) As permitted by and in compliance with any of the following:
    (A) This section.
    (B) Section 164.512 and, where applicable, Sec.  164.509.
    (C) Section 164.514(e), (f), or (g).
* * * * *
    (5) * * *
    (iii) Reproductive health care--(A) Prohibition. Subject to 
paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or 
business associate may not use or disclose protected health information 
for any of the following activities:
    (1) To conduct a criminal, civil, or administrative investigation 
into any person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care.
    (2) To impose criminal, civil, or administrative liability on any 
person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care.
    (3) To identify any person for any purpose described in paragraphs 
(a)(5)(iii)(A)(1) or (2) of this section.
    (B) Rule of applicability. The prohibition at paragraph 
(a)(5)(iii)(A) of this section applies only where the relevant activity 
is in connection with any person seeking, obtaining, providing, or 
facilitating reproductive health care, and the covered entity or 
business associate that received the request for protected health 
information has reasonably determined that one or more of the following 
conditions exists:
    (1) The reproductive health care is lawful under the law of the 
state in which such health care is provided under the circumstances in 
which it is provided.
    (2) The reproductive health care is protected, required, or 
authorized by Federal law, including the United States Constitution, 
under the circumstances in which such health care is provided, 
regardless of the state in which it is provided.
    (3) The presumption at paragraph (a)(5)(iii)(C) of this section 
applies.
    (C) Presumption. The reproductive health care provided by another 
person is presumed lawful under paragraph (a)(5)(iii)(B)(1) or (2) of 
this section unless the covered entity or business associate has any of 
the following:
    (1) Actual knowledge that the reproductive health care was not 
lawful under the circumstances in which it was provided.
    (2) Factual information supplied by the person requesting the use 
or disclosure of protected health information that demonstrates a 
substantial factual basis that the reproductive health care was not 
lawful under the specific circumstances in which it was provided.
    (D) Scope. For the purposes of this subpart, seeking, obtaining, 
providing, or facilitating reproductive health care includes, but is 
not limited to, any of the following: expressing interest in, using, 
performing, furnishing, paying for, disseminating information about, 
arranging, insuring, administering, authorizing, providing coverage 
for, approving, counseling about, assisting, or otherwise taking action 
to engage in reproductive health care; or attempting any of the same.
* * * * *
    (g) * * *
    (5) Implementation specification: Abuse, neglect, endangerment 
situations. Notwithstanding a State law or any requirement of this 
paragraph to the contrary, a covered entity may elect not to treat a 
person as the personal representative, provided that the conditions at 
paragraphs (g)(5)(i) and (ii) of this section are met:
    (i) Paragraphs (g)(5)(i)(A) and (B) of this section both apply.
    (A) The covered entity has a reasonable belief that any of the 
following is true:
    (1) The individual has been or may be subjected to domestic 
violence, abuse, or neglect by such person.
    (2) Treating such person as the personal representative could 
endanger the individual.
    (B) The covered entity, in the exercise of professional judgment, 
decides that it is not in the best interest of the individual to treat 
the person as the individual's personal representative.
    (ii) The covered entity does not have a reasonable belief under 
paragraph (g)(5)(i)(A) of this section if the basis for their belief is 
the provision or facilitation of reproductive health care by such 
person for and at the request of the individual.
* * * * *

■ 5. Add Sec.  164.509 to read as follows:


Sec.  164.509  Uses and disclosures for which an attestation is required.

    (a) Standard: Attestations for certain uses and disclosures of 
protected health information to persons other than covered entities or 
business associates. (1) A covered entity or business associate may not 
use or disclose protected health information potentially related to 
reproductive health care for purposes specified in Sec.  164.512(d), 
(e), (f), or (g)(1), without obtaining an attestation that is valid 
under paragraph (b)(1) of this section from the person requesting the 
use or disclosure and complying with all applicable conditions of this 
part.
    (2) A covered entity or business associate that uses or discloses 
protected health information potentially related to reproductive health 
care for purposes specified in Sec.  164.512(d), (e), (f), or (g)(1), 
in reliance on an attestation that is defective under paragraph (b)(2) 
of this section, is not in compliance with this section.
    (b) Implementation specifications: General requirements--(1) Valid 
attestations. (i) A valid attestation is a document that meets the 
requirements of paragraph (c)(1) of this section.
    (ii) A valid attestation verifies that the use or disclosure is not 
otherwise prohibited by Sec.  164.502(a)(5)(iii).
    (iii) A valid attestation may be electronic, provided that it meets 
the requirements in paragraph (c)(1) of this section, as applicable.
    (2) Defective attestations. An attestation is not valid if the 
document submitted has any of the following defects:
    (i) The attestation lacks an element or statement required by 
paragraph (c) of this section.
    (ii) The attestation contains an element or statement not required 
by paragraph (c) of this section.
    (iii) The attestation violates paragraph (b)(3) of this section.

[[Page 33064]]

    (iv) The covered entity or business associate has actual knowledge 
that material information in the attestation is false.
    (v) A reasonable covered entity or business associate in the same 
position would not believe that the attestation is true with respect to 
the requirement at paragraph (c)(1)(iv) of this section.
    (3) Compound attestation. An attestation may not be combined with 
any other document except where such other document is needed to 
satisfy the requirements at paragraph (c)(iv) of this section or at 
Sec.  164.502(a)(5)(iii)(C), as applicable.
    (c) Implementation specifications: Content requirements and other 
obligations--(1) Required elements. A valid attestation under this 
section must contain the following elements:
    (i) A description of the information requested that identifies the 
information in a specific fashion, including one of the following:
    (A) The name of any individual(s) whose protected health 
information is sought, if practicable.
    (B) If including the name(s) of any individual(s) whose protected 
health information is sought is not practicable, a description of the 
class of individuals whose protected health information is sought.
    (ii) The name or other specific identification of the person(s), or 
class of persons, who are requested to make the use or disclosure.
    (iii) The name or other specific identification of the person(s), 
or class of persons, to whom the covered entity is to make the 
requested use or disclosure.
    (iv) A clear statement that the use or disclosure is not for a 
purpose prohibited under Sec.  164.502(a)(5)(iii).
    (v) A statement that a person may be subject to criminal penalties 
pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation 
of HIPAA obtains individually identifiable health information relating 
to an individual or discloses individually identifiable health 
information to another person.
    (vi) Signature of the person requesting the protected health 
information, which may be an electronic signature, and date. If the 
attestation is signed by a representative of the person requesting the 
information, a description of such representative's authority to act 
for the person must also be provided.
    (2) Plain language requirement. The attestation must be written in 
plain language.
    (d) Material misrepresentations. If, during the course of using or 
disclosing protected health information in reasonable reliance on a 
facially valid attestation, a covered entity or business associate 
discovers information reasonably showing that any representation made 
in the attestation was materially false, leading to a use or disclosure 
for a purpose prohibited under Sec.  164.502(a)(5)(iii), the covered 
entity or business associate must cease such use or disclosure.
* * * * *

■ 6. Amend Sec.  164.512 by:
■ a. Revising the introductory text and the paragraph (c) paragraph 
heading;
■ b. Adding paragraph (c)(3); and
■ c. Revising paragraph (f)(1)(ii)(C) introductory text.
    The revisions and addition read as follows:


Sec.  164.512  Uses and disclosures for which an authorization or 
opportunity to agree or object is not required.

    Except as provided by Sec.  164.502(a)(5)(iii), a covered entity 
may use or disclose protected health information without the written 
authorization of the individual, as described in Sec.  164.508, or the 
opportunity for the individual to agree or object as described in Sec.  
164.510, in the situations covered by this section, subject to the 
applicable requirements of this section and Sec.  164.509. When the 
covered entity is required by this section to inform the individual of, 
or when the individual may agree to, a use or disclosure permitted by 
this section, the covered entity's information and the individual's 
agreement may be given verbally.
* * * * *
    (c) Standard: Disclosures about victims of abuse, neglect, or 
domestic violence--* * *
    (3) Rule of construction. Nothing in this section shall be 
construed to permit disclosures prohibited by Sec.  164.502(a)(5)(iii) 
when the sole basis of the report of abuse, neglect, or domestic 
violence is the provision or facilitation of reproductive health care.
* * * * *
    (f) * * *
    (1) * * *
    (ii) * * *
    (C) An administrative request for which response is required by 
law, including an administrative subpoena or summons, a civil or an 
authorized investigative demand, or similar process authorized under 
law, provided that:
* * * * *

■ 7. Amend Sec.  164.520 by:
■ a. Revising and republishing paragraphs (a) and (b); and
■ b. Adding paragraph (d)(4).
    The revisions and additions read as follows:


Sec.  164.520  Notice of privacy practices for protected health 
information.

* * * * *
    (a) Standard: Notice of privacy practices--(1) Right to notice. 
Except as provided by paragraph (a)(3) or (4) of this section, an 
individual has a right to adequate notice of the uses and disclosures 
of protected health information that may be made by the covered entity, 
and of the individual's rights and the covered entity's legal duties 
with respect to protected health information.
    (2) Notice requirements for covered entities creating or 
maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 
2.22, an individual who is the subject of records protected under 42 
CFR part 2 has a right to adequate notice of the uses and disclosures 
of such records, and of the individual's rights and the covered 
entity's legal duties with respect to such records.
    (3) Exception for group health plans. (i) An individual enrolled in 
a group health plan has a right to notice:
    (A) From the group health plan, if, and to the extent that, such an 
individual does not receive health benefits under the group health plan 
through an insurance contract with a health insurance issuer or HMO; or
    (B) From the health insurance issuer or HMO with respect to the 
group health plan through which such individuals receive their health 
benefits under the group health plan.
    (ii) A group health plan that provides health benefits solely 
through an insurance contract with a health insurance issuer or HMO, 
and that creates or receives protected health information in addition 
to summary health information as defined in Sec.  164.504(a) or 
information on whether the individual is participating in the group 
health plan, or is enrolled in or has disenrolled from a health 
insurance issuer or HMO offered by the plan, must:
    (A) Maintain a notice under this section; and
    (B) Provide such notice upon request to any person. The provisions 
of paragraph (c)(1) of this section do not apply to such group health 
plan.
    (iii) A group health plan that provides health benefits solely 
through an insurance contract with a health insurance issuer or HMO, 
and does not create or receive protected health information other than 
summary health information as defined in Sec.  164.504(a) or 
information on whether an individual is participating in the group 
health plan, or is enrolled in or has disenrolled from a health 
insurance issuer or HMO offered by the plan, is not required to 
maintain or provide a notice under this section.

[[Page 33065]]
    (4) Exception for inmates. An inmate does not have a right to 
notice under this section, and the requirements of this section do not 
apply to a correctional institution that is a covered entity.
    (b) Implementation specifications: Content of notice--(1) Required 
elements. The covered entity, including any covered entity receiving or 
maintaining records subject to 42 U.S.C. 290dd-2, must provide a notice 
that is written in plain language and that contains the elements 
required by this paragraph.
    (i) Header. The notice must contain the following statement as a 
header or otherwise prominently displayed:

    ``THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE 
USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. 
PLEASE REVIEW IT CAREFULLY.''

    (ii) Uses and disclosures. The notice must contain:
    (A) A description, including at least one example, of the types of 
uses and disclosures that the covered entity is permitted by this 
subpart to make for each of the following purposes: treatment, payment, 
and health care operations.
    (B) A description of each of the other purposes for which the 
covered entity is permitted or required by this subpart to use or 
disclose protected health information without the individual's written 
authorization.
    (C) If a use or disclosure for any purpose described in paragraphs 
(b)(1)(ii)(A) or (B) of this section is prohibited or materially 
limited by other applicable law, such as 42 CFR part 2, the description 
of such use or disclosure must reflect the more stringent law as 
defined in Sec.  160.202 of this subchapter.
    (D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of 
this section, the description must include sufficient detail to place 
the individual on notice of the uses and disclosures that are permitted 
or required by this subpart and other applicable law, such as 42 CFR 
part 2.
    (E) A description of the types of uses and disclosures that require 
an authorization under Sec.  164.508(a)(2)-(a)(4), a statement that 
other uses and disclosures not described in the notice will be made 
only with the individual's written authorization, and a statement that 
the individual may revoke an authorization as provided by Sec.  
164.508(b)(5).
    (F) A description, including at least one example, of the types of 
uses and disclosures prohibited under Sec.  164.502(a)(5)(iii) in 
sufficient detail for an individual to understand the prohibition.
    (G) A description, including at least one example, of the types of 
uses and disclosures for which an attestation is required under Sec.  
164.509.
    (H) A statement adequate to put the individual on notice of the 
potential for information disclosed pursuant to this subpart to be 
subject to redisclosure by the recipient and no longer protected by 
this subpart.
    (iii) Separate statements for certain uses or disclosures. If the 
covered entity intends to engage in any of the following activities, 
the description required by paragraph (b)(1)(ii)(A) or (B) of this 
section must include a separate statement informing the individual of 
such activities, as applicable:
    (A) In accordance with Sec.  164.514(f)(1), the covered entity may 
contact the individual to raise funds for the covered entity and the 
individual has a right to opt out of receiving such communications;
    (B) In accordance with Sec.  164.504(f), the group health plan, or 
a health insurance issuer or HMO with respect to a group health plan, 
may disclose protected health information to the sponsor of the plan;
    (C) If a covered entity that is a health plan, excluding an issuer 
of a long-term care policy falling within paragraph (1)(viii) of the 
definition of health plan, intends to use or disclose protected health 
information for underwriting purposes, a statement that the covered 
entity is prohibited from using or disclosing protected health 
information that is genetic information of an individual for such 
purposes;
    (D) Substance use disorder treatment records received from programs 
subject to 42 CFR part 2, or testimony relaying the content of such 
records, shall not be used or disclosed in civil, criminal, 
administrative, or legislative proceedings against the individual 
unless based on written consent, or a court order after notice and an 
opportunity to be heard is provided to the individual or the holder of 
the record, as provided in 42 CFR part 2. A court order authorizing use 
or disclosure must be accompanied by a subpoena or other legal 
requirement compelling disclosure before the requested record is used 
or disclosed; or
    (E) If a covered entity that creates or maintains records subject 
to 42 CFR part 2 intends to use or disclose such records for 
fundraising for the benefit of the covered entity, the individual must 
first be provided with a clear and conspicuous opportunity to elect not 
to receive any fundraising communications.
    (iv) Individual rights. The notice must contain a statement of the 
individual's rights with respect to protected health information and a 
brief description of how the individual may exercise these rights, as 
follows:
    (A) The right to request restrictions on certain uses and 
disclosures of protected health information as provided by Sec.  
164.522(a), including a statement that the covered entity is not 
required to agree to a requested restriction, except in case of a 
disclosure restricted under Sec.  164.522(a)(1)(vi);
    (B) The right to receive confidential communications of protected 
health information as provided by Sec.  164.522(b), as applicable;
    (C) The right to inspect and copy protected health information as 
provided by Sec.  164.524;
    (D) The right to amend protected health information as provided by 
Sec.  164.526;
    (E) The right to receive an accounting of disclosures of protected 
health information as provided by Sec.  164.528; and
    (F) The right of an individual, including an individual who has 
agreed to receive the notice electronically in accordance with 
paragraph (c)(3) of this section, to obtain a paper copy of the notice 
from the covered entity upon request.
    (v) Covered entity's duties. The notice must contain:
    (A) A statement that the covered entity is required by law to 
maintain the privacy of protected health information, to provide 
individuals with notice of its legal duties and privacy practices, and 
to notify affected individuals following a breach of unsecured 
protected health information;
    (B) A statement that the covered entity is required to abide by the 
terms of the notice currently in effect; and
    (C) For the covered entity to apply a change in a privacy practice 
that is described in the notice to protected health information that 
the covered entity created or received prior to issuing a revised 
notice, in accordance with Sec.  164.530(i)(2)(ii), a statement that it 
reserves the right to change the terms of its notice and to make the 
new notice provisions effective for all protected health information 
that it maintains. The statement must also describe how it will provide 
individuals with a revised notice.
    (vi) Complaints. The notice must contain a statement that 
individuals may complain to the covered entity and to the Secretary if 
they believe their privacy rights have been violated, a brief 
description of how the individual may file a complaint with the covered 
entity, and a statement that the individual will not be retaliated 
against for filing a complaint.

[[Page 33066]]
    (vii) Contact. The notice must contain the name, or title, and 
telephone number of a person or office to contact for further 
information as required by Sec.  164.530(a)(1)(ii).
    (viii) Effective date. The notice must contain the date on which 
the notice is first in effect, which may not be earlier than the date 
on which the notice is printed or otherwise published.
    (2) Optional elements. (i) In addition to the information required 
by paragraph (b)(1) of this section, if a covered entity elects to 
limit the uses or disclosures that it is permitted to make under this 
subpart, the covered entity may describe its more limited uses or 
disclosures in its notice, provided that the covered entity may not 
include in its notice a limitation affecting its right to make a use or 
disclosure that is required by law or permitted by Sec.  
164.512(j)(1)(i).
    (ii) For the covered entity to apply a change in its more limited 
uses and disclosures to protected health information created or 
received prior to issuing a revised notice, in accordance with Sec.  
164.530(i)(2)(ii), the notice must include the statements required by 
paragraph (b)(1)(v)(C) of this section.
    (3) Revisions to the notice. The covered entity must promptly 
revise and distribute its notice whenever there is a material change to 
the uses or disclosures, the individual's rights, the covered entity's 
legal duties, or other privacy practices stated in the notice. Except 
when required by law, a material change to any term of the notice may 
not be implemented prior to the effective date of the notice in which 
such material change is reflected.
* * * * *
    (d) * * *
* * * * *
    (4) The permission in paragraph (d) of this section for covered 
entities that participate in an organized health care arrangement to 
issue a joint notice may not be construed to remove any obligations or 
duties of entities creating or maintaining records subject to 42 U.S.C. 
290dd-2, or to remove any rights of patients who are the subjects of 
such records.
* * * * *

■ 8. Add Sec.  164.535 to read as follows:


Sec.  164.535  Severability.

    If any provision of the HIPAA Privacy Rule to Support Reproductive 
Health Care Privacy is held to be invalid or unenforceable facially, or 
as applied to any person, plaintiff, or circumstance, it shall be 
construed to give maximum effect to the provision permitted by law, 
unless such holding shall be one of utter invalidity or 
unenforceability, in which case the provision shall be severable from 
this part and shall not affect the remainder thereof or the application 
of the provision to other persons not similarly situated or to other 
dissimilar circumstances.
* * * * *

Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2024-08503 Filed 4-22-24; 4:15 pm]
BILLING CODE 4153-01-P