[Federal Register Volume 89, Number 82 (Friday, April 26, 2024)]
[Rules and Regulations]
[Pages 32976-33066]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-08503]
Vol. 89, No. 82, Friday, April 26, 2024
Part V: Department of Health and Human Services
-----------------------------------------------------------------------
45 CFR Parts 160 and 164
HIPAA Privacy Rule To Support Reproductive Health Care Privacy; Final
Rule
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0945-AA20
HIPAA Privacy Rule To Support Reproductive Health Care Privacy
AGENCY: Office for Civil Rights (OCR), Office of the Secretary,
Department of Health and Human Services.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Health and Human Services (HHS or
``Department'') is issuing this final rule to modify the Standards for
Privacy of Individually Identifiable Health Information (``Privacy
Rule'') under the Health Insurance Portability and Accountability Act
of 1996 (HIPAA) and the Health Information Technology for Economic and
Clinical Health Act of 2009 (HITECH Act). The Department is issuing
this final rule after careful consideration of all public comments
received in response to the notice of proposed rulemaking (NPRM) for
the HIPAA Privacy Rule to Support Reproductive Health Care Privacy
(``2023 Privacy Rule NPRM'') and public comments received on proposals
to revise provisions of the HIPAA Privacy Rule in the NPRM for the
Confidentiality of Substance Use Disorder (SUD) Patient Records (``2022
Part 2 NPRM'').
DATES:
Effective date: This final rule is effective on June 25, 2024.
Compliance date: Persons subject to this regulation must comply
with the applicable requirements of this final rule by December 23,
2024, except for the applicable requirements of 45 CFR 164.520 in this
final rule. Persons subject to this regulation must comply with the
applicable requirements of 45 CFR 164.520 in this final rule by
February 16, 2026.
FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 240-3110
or (800) 537-7697 (TDD), or by email at [email protected].
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Executive Summary
A. Overview
B. Effective and Compliance Dates
1. 2023 Privacy Rule NPRM
2. Overview of Comments
3. Final Rule
4. Response to Public Comments
II. Statutory and Regulatory Background
A. Statutory Authority and History
1. Health Insurance Portability and Accountability Act of 1996
(HIPAA)
2. Health Information Technology for Economic and Clinical
Health (HITECH) Act
B. Regulatory History
1. 2000 Privacy Rule
2. 2002 Privacy Rule
3. 2013 Omnibus Rule
4. 2024 Privacy Rule
III. Justification for This Rulemaking
A. HIPAA Encourages Trust and Confidence by Carefully Balancing
Individuals' Privacy Interests With Others' Interests in Using or
Disclosing PHI
1. Privacy Protections Ensure That Individuals Have Access to,
and Are Comfortable Accessing, High-Quality Health Care
2. The Department's Approach to the Privacy Rule Has Long Sought
To Balance the Interests of Individuals and Society
B. Developments in the Legal Environment Are Eroding
Individuals' Trust in the Health Care System
C. To Protect the Trust Between Individuals and Health Care
Providers, the Department Is Restricting Certain Uses and
Disclosures of PHI for Particular Non-Health Care Purposes
IV. General Discussion of Public Comments
A. General Comments in Support of the Proposed Rule
B. General Comments in Opposition to the Proposed Rule
C. Other General Comments on the Proposed Rule
V. Summary of Final Rule Provisions and Public Comments and
Responses
A. Section 160.103 Definitions
1. Clarifying the Definition of ``Person''
2. Interpreting Terms Used in Section 1178(b) of the Social
Security Act
3. Adding a Definition of ``Reproductive Health Care''
4. Whether the Department Should Define Any Additional Terms
B. Section 164.502--Uses and Disclosures of Protected Health
Information: General Rules
1. Clarifying When PHI May Be Used or Disclosed by Regulated
Entities
2. Adding a New Category of Prohibited Uses and Disclosures
3. Clarifying Personal Representative Status in the Context of
Reproductive Health Care
4. Request for Comments
C. Section 164.509--Uses and Disclosures for Which an
Attestation is Required
1. Current Provision
2. Proposed Rule
3. Overview of Public Comments
4. Final Rule
5. Responses to Public Comments
D. Section 164.512--Uses and Disclosures for Which an
Authorization or Opportunity To Agree or Object Is Not Required
1. Applying the Prohibition and Attestation Condition to Certain
Permitted Uses and Disclosures
2. Making a Technical Correction to the Heading of 45 CFR
164.512(c) and Clarifying That Providing or Facilitating
Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence
3. Clarifying the Permission for Disclosures Based on
Administrative Processes
4. Request for Information on Current Processes for Receiving
and Addressing Requests Pursuant to 164.512(d) Through (g)(1)
E. Section 164.520--Notice of Privacy Practices for Protected
Health Information
1. Current Provision
2. CARES Act
3. Proposals in 2022 Part 2 NPRM and 2023 Privacy Rule NPRM
4. Overview of Public Comments
5. Final Rule
6. Responses to Public Comments
F. Section 164.535--Severability
G. Comments on Other Provisions of the HIPAA Rules
VI. Regulatory Impact Analysis
A. Executive Order 12866 and Related Executive Orders on
Regulatory Review
1. Summary of Costs and Benefits
2. Baseline Conditions
3. Costs of the Rule
B. Regulatory Alternatives to the Final Rule
C. Regulatory Flexibility Act--Small Entity Analysis
D. Executive Order 13132--Federalism
E. Assessment of Federal Regulation and Policies on Families
F. Paperwork Reduction Act of 1995
Explanation of Estimated Annualized Burden Hours
Table of Acronyms
------------------------------------------------------------------------
Term                         Meaning
------------------------------------------------------------------------
AMA......................... American Medical Association.
API......................... Application Programming Interface.
CARES Act................... Coronavirus Aid, Relief, and Economic Security Act.
CDC......................... Centers for Disease Control and Prevention.
CLIA........................ Clinical Laboratory Improvement Amendments of 1988.
CMS......................... Centers for Medicare & Medicaid Services.
DOD......................... Department of Defense.
Department or HHS........... Department of Health and Human Services.
EHR......................... Electronic Health Record.
E.O......................... Executive Order.
FDA......................... Food and Drug Administration.
FHIR®....................... Fast Healthcare Interoperability Resources®.
FTC......................... Federal Trade Commission.
GINA........................ Genetic Information Nondiscrimination Act of 2008.
Health IT................... Health Information Technology.
HIE......................... Health Information Exchange.
HIPAA....................... Health Insurance Portability and Accountability Act of 1996.
HITECH Act.................. Health Information Technology for Economic and Clinical Health Act of 2009.
ICR......................... Information Collection Request.
IIHI........................ Individually Identifiable Health Information.
NCVHS....................... National Committee on Vital and Health Statistics.
NICS........................ National Instant Criminal Background Check System.
NPP......................... Notice of Privacy Practices.
NPRM........................ Notice of Proposed Rulemaking.
OCR......................... Office for Civil Rights.
OHCA........................ Organized Health Care Arrangement.
OMB......................... Office of Management and Budget.
ONC......................... Office of the National Coordinator for Health Information Technology.
PHI......................... Protected Health Information.
PRA......................... Paperwork Reduction Act of 1995.
RFA......................... Regulatory Flexibility Act.
RIA......................... Regulatory Impact Analysis.
SBA......................... Small Business Administration.
SSA......................... Social Security Act of 1935.
TPO......................... Treatment, Payment, or Health Care Operations.
UMRA........................ Unfunded Mandates Reform Act of 1995.
------------------------------------------------------------------------
I. Executive Summary
A. Overview
In this final rule, the Department of Health and Human Services
(HHS or ``Department'') modifies certain provisions of the Standards
for Privacy of Individually Identifiable Health Information (``Privacy
Rule''), issued pursuant to section 264 of the Administrative
Simplification provisions of title II, subtitle F, of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA).\1\ The
Privacy Rule \2\ is one of several rules, collectively known as the
HIPAA Rules,\3\ that protect the privacy and security of individuals'
protected health information \4\ (PHI), which is individually
identifiable health information \5\ (IIHI) transmitted by or maintained
in electronic media or any other form or medium, with certain
exceptions.\6\
---------------------------------------------------------------------------
\1\ Subtitle F of title II of HIPAA (Pub. L. 104-191, 110 Stat.
1936 (Aug. 21, 1996)) added a new part C to title XI of the Social
Security Act of 1935 (SSA), Public Law 74-271, 49 Stat. 620 (Aug.
14, 1935), (see sections 1171-1179 of the SSA (codified at 42 U.S.C.
1320d-1320d-8)), as well as promulgating section 264 of HIPAA
(codified at 42 U.S.C. 1320d-2 note), which authorizes the Secretary
to promulgate regulations with respect to the privacy of
individually identifiable health information. The Privacy Rule has
subsequently been amended pursuant to the Genetic Information
Nondiscrimination Act of 2008 (GINA), title I, section 105, Public
Law 110-233, 122 Stat. 881 (May 21, 2008) (codified at 42 U.S.C.
2000ff), and the Health Information Technology for Economic and
Clinical Health (HITECH) Act of 2009, Public Law 111-5, 123 Stat.
226 (Feb. 17, 2009) (codified at 42 U.S.C. 1390w-4(O)(2)).
\2\ 45 CFR parts 160 and 164, subparts A and E. For a history of
the Privacy Rule, see infra Section II.B., ``Regulatory History.''
\3\ See also the HIPAA Security Rule, 45 CFR parts 160 and 164,
subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part
164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160,
subparts C, D, and E.
\4\ 45 CFR 160.103 (definition of ``Protected health
information'').
\5\ 42 U.S.C. 1320d. See also 45 CFR 160.103 (definition of
``Individually identifiable health information'').
\6\ At times throughout this final rule, the Department uses the
terms ``health information'' or ``individuals' health information''
to refer generically to health information pertaining to an
individual or individuals. In contrast, the Department's use of the
term ``IIHI'' refers to a category of health information defined in
HIPAA, and ``PHI'' is used to refer specifically to a category of
IIHI that is defined by and subject to the privacy and security
standards promulgated in the HIPAA Rules.
---------------------------------------------------------------------------
The Privacy Rule requires the disclosure of PHI only in the
following circumstances: when required by the Secretary to investigate
a regulated entity's compliance with the Privacy Rule and to the
individual pursuant to the individual's right of access and the
individual's right to an accounting of disclosures.\7\ Any other uses
or disclosures described in the Privacy Rule are either permitted or
prohibited, as specified in the Privacy Rule. For example, the Privacy
Rule permits, but does not require, a regulated entity to disclose PHI
to conduct quality improvement activities when applicable conditions
are met, and it prohibits a regulated entity from selling PHI except
pursuant to and in compliance with 45 CFR 164.508(a)(4).\8\
---------------------------------------------------------------------------
\7\ See 45 CFR 164.502(2) and (4).
\8\ See 45 CFR 164.512(i) and 164.502(a)(5)(ii).
---------------------------------------------------------------------------
In accordance with its statutory mandate, the Department
promulgated the Privacy Rule and continues to administer and enforce it
to ensure that individuals are not afraid to seek health care from, or
share important information with, their health care providers because
of a concern that their sensitive information will be disclosed outside
of their relationship with their health care provider. Protecting
privacy promotes trust between health care providers and individuals,
advancing access to and improving the quality of health care. To
achieve this goal, the Department generally has applied the same
privacy standards to nearly all PHI, regardless of the type of health
care at issue. Notably, special protections were given to psychotherapy
notes, owing in part to the particularly
sensitive information those notes contain.\9\
---------------------------------------------------------------------------
\9\ See 45 CFR 164.501 and 164.508(a)(2).
---------------------------------------------------------------------------
Under its statutory authority to administer and enforce the HIPAA
Rules, the Department may modify the HIPAA Rules as needed.\10\ The
Supreme Court decision in Dobbs v. Jackson Women's Health Organization
\11\ (Dobbs) overturned precedent that protected a constitutional right
to abortion and altered the legal and health care landscape. This
decision has far-reaching implications for reproductive health care
beyond its effects on access to abortion.\12\ This changing legal
landscape increases the likelihood that an individual's PHI may be
disclosed in ways that cause harm to the interests that HIPAA seeks to
protect, including the trust of individuals in health care providers
and the health care system.\13\ The threat that PHI will be disclosed
and used to conduct an investigation against, or to impose liability
upon, an individual or another person is likely to chill an
individual's willingness to seek lawful health care treatment or to
provide full information to their health care providers when obtaining
that treatment, and to chill the willingness of health care providers
to provide such care.\14\ These developments in the legal environment
increase the potential that use and disclosure of PHI about an
individual's reproductive health will undermine access to and the
quality of health care generally.
---------------------------------------------------------------------------
\10\ Section 1174(b)(1) of Public Law 104-191 (codified at 42
U.S.C. 1320d-3).
\11\ 597 U.S. 215 (2022).
\12\ See Melissa Suran, ``Treating Cancer in Pregnant Patients
After Roe v Wade Overturned,'' JAMA (Sept. 29, 2022), https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2797062?resultClick=1 and Rita Rubin, ``How Abortion Bans Could
Affect Care for Miscarriage and Infertility,'' JAMA (June 28, 2022),
https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2793921?resultClick=1.
\13\ See infra National Committee on Vital and Health Statistics
(NCVHS) discussion, Section II.A.1., expressing concern for harm
caused by disclosing identifiable health information for non-health
care purposes.
\14\ See Whitney S. Rice et al. `` `Post-Roe' Abortion Policy
Context Heightens Imperative for Multilevel, Comprehensive,
Integrated Health Education,'' (Sept. 29, 2022), https://journals.sagepub.com/doi/full/10.1177/10901981221125399 (``New
ethical and legal complexities around patient counseling are
emerging, particularly in states limiting or eliminating abortion
access, due to more extreme abortion restrictions. Clinicians in
such contexts may be forced to adhere to legal requirements of
states which run counter to well-being and desires of patients,
violating the medical principles of beneficence and respect for
patient autonomy'').
---------------------------------------------------------------------------
In order to continue to protect privacy in a manner that promotes
trust between individuals and health care providers and advances access
to, and improves the quality of, health care, we have determined that
the Privacy Rule must be modified to limit the circumstances in which
provisions of the Privacy Rule permit the use or disclosure of an
individual's PHI about reproductive health care for certain non-health
care purposes, where such use or disclosure could be detrimental to
privacy of the individual or another person or the individual's trust
in their health care providers. This determination was informed by our
expertise in administering the Privacy Rule, questions we have received
from members of the public and Congress, comments we received on the
2023 HIPAA Privacy Rule to Support Reproductive Health Care Privacy
notice of proposed rulemaking (NPRM) (``2023 Privacy Rule NPRM''),\15\
and our analysis of the state of privacy for IIHI.
---------------------------------------------------------------------------
\15\ 88 FR 23506 (Apr. 17, 2023).
---------------------------------------------------------------------------
This final rule (``2024 Privacy Rule'') amends provisions of the
Privacy Rule to strengthen privacy protections for highly sensitive PHI
about the reproductive health care of an individual, and directly
advances the purposes of HIPAA by setting minimum protections for PHI
and providing peace of mind that is essential to individuals' ability
to obtain lawful reproductive health care. This final rule balances the
interests of society in obtaining PHI for non-health care purposes with
the interests of the individual, the Federal Government, and society in
protecting individual privacy, thereby improving the effectiveness of
the health care system by ensuring that persons are not deterred from
seeking, obtaining, providing, or facilitating reproductive health care
that is lawful under the circumstances in which such health care is
provided.
The Department carefully analyzed state prohibitions and
restrictions on an individual's ability to obtain high-quality health
care and their effects on health information privacy and the
relationships between individuals and their health care providers after
Dobbs; assessed trends in state legislative activity with respect to
the privacy of PHI; and conducted a thorough review of the text,
history, and purposes of HIPAA and the Privacy Rule. The Department
also engaged in extensive discussions with HHS agencies and other
Federal departments, including the Department of Justice; consulted
with the National Committee on Vital and Health Statistics (NCVHS) and
the Attorney General as required by section 264(d) of HIPAA, and with
Indian Tribes as required by Executive Order 13175; \16\ held listening
sessions with and reviewed correspondence from stakeholders, including
covered entities, states, individuals, and patient advocates; and
reviewed correspondence to HHS from Members of Congress.\17\ The
modifications made to the Privacy Rule by this final rule are the
result of this work.
---------------------------------------------------------------------------
\16\ See 65 FR 67249 (Nov. 11, 2000). See also Presidential
Memorandum on Tribal Consultation and Strengthening Nation-to-Nation
Relationships (Jan. 26, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/01/26/memorandum-on-tribal-consultation-and-strengthening-nation-to-nation-relationships/ and
Dep't of Health and Human Servs., Tribal Consultation Policy,
https://www.hhs.gov/sites/default/files/iea/tribal/tribalconsultation/hhs-consultation-policy.pdf. See also 88 FR 23506
(Apr. 17, 2023) (notice of Tribal consultation). The Department
consulted with representatives of Tribal Nations on May 17, 2023.
During the consultation, the representatives raised issues of health
inequities and privacy of health information, specifically among
American Indians and Alaskan Natives after Dobbs.
\17\ Letter from U.S. Senator Tammy Baldwin et al. to HHS Sec'y
Xavier Becerra (Mar. 7, 2023) (addressing HIPAA privacy regulations
and Dobbs v. Jackson Women's Health Organization). Letter from U.S.
Senator Patty Murray et al. to HHS Sec'y Xavier Becerra (Sept. 13,
2022) (addressing HIPAA privacy regulations and Dobbs v. Jackson
Women's Health Organization). Letter from U.S. Representative Earl
Blumenauer et al. to HHS Sec'y Xavier Becerra (Aug. 30, 2022)
(addressing HIPAA privacy regulations and Dobbs v. Jackson Women's
Health Organization). Letter from U.S. Senator Michael F. Bennet et
al. to HHS Sec'y Xavier Becerra (July 1, 2022) (addressing HIPAA
privacy regulations and Dobbs v. Jackson Women's Health
Organization).
---------------------------------------------------------------------------
B. Effective and Compliance Dates
1. 2023 Privacy Rule NPRM
In the 2023 Privacy Rule NPRM, the Department proposed an effective
date for a final rule that would occur 60 days after publication, and a
compliance date that would occur 180 days after the effective date.\18\
Taken together, the two dates would give entities 240 days after
publication to implement compliance measures. In the preamble to the
proposed rule, the Department stated that it did not believe that the
proposed rule would pose unique implementation challenges that would
justify an extended compliance period (i.e., a period longer than the
standard 180 days provided in 45 CFR 160.105).\19\ The Department also
asserted that adherence to the standard compliance period is necessary
to timely address the circumstances described in the 2023 Privacy Rule
NPRM.
---------------------------------------------------------------------------
\18\ See 88 FR 23506, 23510 (Apr. 17, 2023).
\19\ See id.
---------------------------------------------------------------------------
2. Overview of Comments
A commenter urged the Department to move quickly to issue the final
rule and to provide a 180-day compliance period
as proposed. Some commenters requested that the Department provide
additional time for regulated entities to comply with the proposed
modifications to the Privacy Rule. Several commenters requested that
the Department coordinate compliance deadlines across its rulemakings,
while a few commenters specifically encouraged the Department to
provide additional time for compliance with the modifications to the
Notice of Privacy Practices (NPP) requirements proposed in the 2023
Privacy Rule NPRM.
3. Final Rule
This final rule is effective on June 25, 2024. Covered entities and
business associates of all sizes will have 180 days beyond the
effective date of the final rule to comply with the final rule's
provisions, with the exception of the NPP provisions, which we address
separately below. We understand that some covered entities and business
associates remain concerned that a 180-day period may not provide
sufficient time to come into compliance with the modified requirements.
However, we believe that providing a 180-day compliance period best
comports with section 1175(b)(2) of the Social Security Act of 1935
(SSA), 42 U.S.C. 1320d-4, and our implementing provision at 45 CFR
160.104(c)(1), which require the Secretary to provide at least a 180-day
period for covered entities to comply with modifications to
standards and implementation specifications in the HIPAA Rules, and
also that providing a 180-day compliance period best protects the
privacy and security of individuals' PHI in a timely manner that
reflects the urgency of addressing the changes in the legal landscape
and their effects on individuals, regulated entities, and other
persons, while balancing the burden imposed upon regulated entities of
implementing this final rule.
Section 160.104(a) permits the Department to adopt a modification
to a standard or implementation specification adopted under the Privacy
Rule no more frequently than once every 12 months.\20\ As discussed
above, we are required to provide a minimum of a 180-day compliance
period when adopting a modification, but we are permitted to provide a
longer compliance period based on the extent of the modification and
the time needed to comply with the modification in determining the
compliance date for the modification.\21\ The Department makes every
effort to consider the burden and cost of implementation for regulated
entities when determining an appropriate compliance date.
---------------------------------------------------------------------------
\20\ 45 CFR 160.104(a).
\21\ 45 CFR 160.104(c)(2).
---------------------------------------------------------------------------
While we recognize that regulated entities will need to revise and
implement changes to their policies and procedures in response to the
modifications in this final rule, we do not believe that these changes
are so significant as to require more than a 180-day compliance period.
This final rule narrowly tailors the application of its changes to
certain limited circumstances involving lawful reproductive health care
and clarifies that regulated entities are not expected to know or be
aware of laws other than those with which they are required to comply.
While it adds a condition to certain requests for uses and disclosures,
the affected requests already require careful review by regulated
entities for compliance with previously imposed conditions. Thus, we do
not believe it will be difficult for regulated entities to adjust their
policies and procedures to accommodate this new requirement. The other
modifications finalized in this rule are in service of implementing the
two changes above and impose minimal burden on regulated entities.
Additionally, the Department believes, based on its evaluation of the
evolving privacy landscape, that the changes made by this final rule
are of particular urgency. Accordingly, we believe that a 180-day
compliance period, combined with a 60-day effective date, is sufficient
for regulated entities to make the changes required by most of the
modifications in this final rule, with the exception of the NPP
provisions.
We separately consider the question of the compliance date for the
modifications to the NPP provisions. In the 2022 Confidentiality of
Substance Use Disorder (SUD) Patient Records NPRM (``2022 Part 2
NPRM''),\22\ the Department proposed, among other things, to revise 45
CFR 164.520 as required by section 3221 of the Coronavirus Aid, Relief,
and Economic Security (CARES) Act.\23\ The Department proposed to
provide the same compliance date for both the proposed modifications to
45 CFR 164.520 and the more extensive modifications to 42 CFR part 2
(``Part 2'').\24\ The 2024 Confidentiality of Substance Use Disorder
(SUD) Patient Records Final Rule (``2024 Part 2 Rule'') explicitly
noted that the Department was not finalizing the proposed modifications
to the NPP provisions at that time, but that we planned to do so in a
future HIPAA final rule.\25\ The Department also acknowledged that some
covered entities might have NPPs that would not reflect updated changes
to policies and procedures addressing how Part 2 records are used and
disclosed. Rather than requiring covered entities to revise their NPPs
twice in a short period of time, the Department announced in the 2024
Part 2 Rule that it would exercise enforcement discretion related to
the requirement that covered entities update their NPPs whenever
material changes are made to privacy practices until the compliance
date established by a future HIPAA final rule.\26\ The Department is
finalizing the modifications to the NPP required by section 3221 of the
CARES Act in this rule and aligning the effective and compliance dates
for all of the modified NPP requirements with those of the 2024 Part 2
Rule.
---------------------------------------------------------------------------
\22\ 87 FR 74216 (Dec. 2, 2022).
\23\ Public Law 116-136, 134 Stat. 281 (Mar. 27, 2020).
\24\ 89 FR 12472 (Feb. 16, 2024).
\25\ Id. at 12482, 12528, and 12530.
\26\ Id. at 12482, 12528, and 12530.
---------------------------------------------------------------------------
The compliance date of the 2024 Part 2 Rule is February 16, 2026,
substantially later than the compliance date for most of this final
rule, because of the significant changes required for compliance with
the 2024 Part 2 Rule. Accordingly, in compliance with 45 CFR 160.104
and consistent with the NPP proposals included in the 2022 Part 2 NPRM
and public comment, we are aligning the compliance date for the NPP
changes required by this final rule with the compliance date for the
2024 Part 2 Rule so that covered entities regulated under both rules
can implement all changes to their NPPs at the same time. Covered
entities are expected to be in compliance with the modifications to 45
CFR 164.520 on February 16, 2026.
4. Response to Public Comments
Comment: One commenter expressed support for the proposal in the
2023 Privacy Rule NPRM to establish a 180-day compliance date and urged
the Department to issue a final rule quickly. Some commenters sought an
extension of the compliance date for twelve to eighteen months,
explaining that extensive policy and legal work, process and software
changes, documentation and training would be required to implement the
2023 Privacy Rule NPRM.
One commenter suggested phasing in the attestation requirement so
that ``downstream'' regulated entities, such as business associates and
managed care organizations, would have a later compliance date than
health care providers.
Response: We appreciate the commenters' suggestions, but as
discussed above, based on our assessment, we do not believe the
modifications required by this final rule will require a longer period
to implement.
Comment: Some commenters requested that the Department coordinate
compliance deadlines of final rules that revise the Privacy Rule or
publish one final rule addressing the proposals in the NPRMs to enable
regulated entities to leverage the resources required to implement the
changes to achieve compliance with all of the new requirements at one
time.
One commenter explained that each NPRM would involve operational
changes requiring significant resources and effort and expressed their
belief that a single comprehensive final rule would allow regulated
entities to make all of the required changes, including revisions to
policies and procedures, development of new or revised workflows,
electronic health record (EHR) updates, and technology enhancements.
Response: We appreciate the commenters' suggestion, but we do not
believe that it is necessary to fully align the compliance dates for
the 2024 Part 2 Rule and the 2024 Privacy Rule. By imposing separate
compliance deadlines, we are able to act more quickly to protect the
privacy of PHI.
However, consistent with 45 CFR 160.104 and as requested by public
comment, we are applying the same compliance date for covered entities
to revise their NPPs to address modifications made to 45 CFR 164.520 in
response to and consistent with the CARES Act and to support
reproductive health care privacy. The compliance date for the NPP
provisions is February 16, 2026.\27\ Part 2 programs, including those
that are covered entities, can choose to implement the changes to their
NPPs that are required by the 2024 Part 2 Rule prior to the compliance
date, but there is no requirement that they do so.
---------------------------------------------------------------------------
\27\ 89 FR 12472 (Feb. 16, 2024).
---------------------------------------------------------------------------
II. Statutory and Regulatory Background
A. Statutory Authority and History
1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
In 1996, Congress enacted HIPAA \28\ to reform the health care
delivery system to ``improve portability and continuity of health
insurance coverage in the group and individual markets.'' \29\ To
enable health care delivery system reform, Congress included in HIPAA
requirements for standards to support the electronic exchange of health
information. According to section 261, ``[i]t is the purpose of this
subtitle to improve [. . .] the efficiency and effectiveness of the
health care system, by encouraging the development of a health
information system through the establishment of standards and
requirements for the electronic transmission of certain health
information [. . .].'' \30\ Congress applied the Administrative
Simplification provisions directly to three types of entities known as
``covered entities''--health plans, health care clearinghouses, and
health care providers who transmit information electronically in
connection with a transaction for which HHS has adopted a standard.\31\
---------------------------------------------------------------------------
\28\ Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996).
\29\ See H.R. Rep. No. 104-496, at 66-67 (1996).
\30\ 42 U.S.C. 1320d note (Statutory Notes and Related
Subsidiaries: Purpose). Subtitle F also amended related provisions
of the SSA.
\31\ See section 262 of Public Law 104-191, adding section 1172
to the SSA (codified at 42 U.S.C. 1320d-1). See also section 13404
of the American Recovery and Reinvestment Act of 2009, Public Law
111-5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 17934)
(applying privacy provisions and penalties to business associates of
covered entities).
---------------------------------------------------------------------------
Section 262(a) of HIPAA required the Secretary to adopt uniform
standards ``to enable health information to be exchanged
electronically.'' \32\ Congress directed the Secretary to adopt
standards for unique identifiers to identify individuals, employers,
health plans, and health care providers across the nation \33\ and
standards for, among other things, transactions and data elements
relating to health information,\34\ the security of that
information,\35\ and verification of electronic signatures.\36\
---------------------------------------------------------------------------
\32\ 42 U.S.C. 1320d-2(a)(1).
\33\ 42 U.S.C. 1320d-2(b)(1).
\34\ 42 U.S.C. 1320d-2(a), (c), and (f).
\35\ 42 U.S.C. 1320d-2(d).
\36\ 42 U.S.C. 1320d-2(e).
---------------------------------------------------------------------------
Congress recognized that the standardization of certain electronic
health care transactions required by HIPAA posed risks to the privacy
of confidential health information and viewed individual privacy,
confidentiality, and data security as critical for orderly
administrative simplification.\37\ Thus, as explained in the preamble
to the 2023 Privacy Rule NPRM,\38\ Congress provided the Department
with the authority to regulate the privacy of IIHI. According to one
Member of Congress, privacy standards would create an additional layer
of protection beyond the oath pledged by health care providers to keep
information secure and, as described by another Member, would further
protect information from being used in a ``malicious or discriminatory
manner.'' \39\ Congress intended for the law to enhance individuals'
trust in health care providers, which required that the law provide
additional protection for the confidentiality of IIHI. As described by
a Member of Congress: ``The bill would also establish strict security
standards for health information because Americans clearly want to make
sure that their health care records can only be used by the medical
professionals that treat them. Often, we assume that because doctors
take an oath of confidentiality that in fact all who touch their
records operate by the same standards. Clearly, they do not.'' \40\
Moreover, Congress considered that health care reform required an
approach that would not compromise privacy as health information became
more accessible.\41\
---------------------------------------------------------------------------
\37\ On a resolution waiving points of order against the
Conference Report to H.R. 3103, members debated an ``erosion of
privacy'' balanced against the administrative simplification
provisions. Thus, from HIPAA's inception, privacy has been a central
concern to be addressed as legislative changes eased disclosures of
PHI. See 142 Cong. Rec. H9777 and H9780; see also H.R. Rep. No. 104-
736, at 177 and 264 (1996); 142 Cong. Rec. H9780 (daily ed. Aug. 1,
1996) (statement of Rep. Sawyer); 142 Cong. Rec. H9792 (daily ed.
Aug. 1, 1996) (statement of Rep. McDermott); and 142 Cong. Rec.
S9515-16 (daily ed. Aug. 2, 1996) (statement of Sen. Simon).
\38\ 88 FR 23506, 23511 (Apr. 17, 2023).
\39\ See statement of Rep. Sawyer, supra note 37. See also
statement of Sen. Simon, supra note 37.
\40\ Statement of Rep. Sawyer, supra note 37.
\41\ See H.R. Rep. No. 104-496 Part 1, at 99-100 (Mar. 25,
1996).
---------------------------------------------------------------------------
Accordingly, section 264(a) directed the Secretary to submit to
Congress detailed recommendations for Federal ``standards with respect
to the privacy of [IIHI]'' nationwide within one year of HIPAA's
enactment.\42\ The statute made clear that the Secretary had the
authority to promulgate regulations if Congress did not enact
legislation covering these matters within three years.\43\ Congress
directed the Secretary to ensure that the regulations promulgated
``address at least'' the following three subjects: (1) the rights that
an individual who is a subject of IIHI should have; (2) the procedures
that should be established for the exercise of such rights; and (3) the
uses and disclosures of such information that should be authorized or
required.\44\
---------------------------------------------------------------------------
\42\ 42 U.S.C. 1320d-2 note.
\43\ Id.
\44\ Id.
---------------------------------------------------------------------------
Additionally, Congress provided a clear statement that HIPAA's
provisions would ``supersede any contrary
[[Page 32981]]
provision of State law,'' with certain limited exceptions.\45\ One
exception to this general preemption authority is for ``state privacy
laws that are contrary to and more stringent than the corresponding
federal standard, requirement, or implementation specification.'' \46\
Thus, Congress intended for the Department to create privacy standards
to safeguard health information while respecting the ability of states
to provide individuals with additional health information privacy.
---------------------------------------------------------------------------
\45\ 42 U.S.C. 1320d-7.
\46\ 65 FR 82580 (the exception applies under section
1178(a)(2)(B) of the SSA and section 264(c)(2) of HIPAA).
---------------------------------------------------------------------------
Congress required the Secretary to consult with the NCVHS,\47\
thereby ensuring that the Secretary's decisions reflected public and
expert involvement and advice in carrying out the requirements of
section 264.\48\ NCVHS sent its initial recommendations to the
Secretary in a letter to the Secretary on June 27, 1997. Importantly,
NCVHS advised that ``strong substantive and procedural protections''
should be imposed if health information were to be disclosed to law
enforcement, and, where identifiable health information would be made
available for non-health purposes, individuals should be afforded
assurances that their data would not be used against them.\49\
Additionally, NCVHS ``unanimously'' recommended that ``[. . .] the
Secretary and the Administration assign the highest priority to the
development of a strong position on health privacy that provides the
highest possible level of protection for the privacy rights of
patients.'' \50\ NCVHS further noted that failure to do so would
``undermine public confidence in the health care system, expose
patients to continuing invasions of privacy, subject record keepers to
potentially significant legal liability, and interfere with the ability
of health care providers and others to operate the health care delivery
and payment system in an effective and efficient manner,'' which would
undermine what Congress intended.\51\
---------------------------------------------------------------------------
\47\ NCVHS serves as the Secretary's statutory public advisory
body for health data, statistics, privacy, and national health
information policy and HIPAA. NCVHS also advises the Secretary,
``reports regularly to Congress on HIPAA implementation, and serves
as a forum for interaction between HHS and interested private sector
groups on a range of health data issues.'' Nat'l Comm. on Vital and
Health Statistics, ``About NCVHS,'' https://ncvhs.hhs.gov/; see also
``NCVHS 60th Anniversary Symposium and History,'' U.S. Dep't of
Health and Human Servs., at 28-29 (Feb. 2011), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/60_years_of_difference.pdf.
\48\ See section 264(a) and (d) of Public Law 104-191 (codified
at 42 U.S.C. 1320d-2 note).
\49\ Letter from NCVHS Chair Don E. Detmer to HHS Sec'y Donna E.
Shalala (June 27, 1997) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/.
\50\ Id. at Principal Findings and Recommendations.
\51\ Id.
---------------------------------------------------------------------------
NCVHS further recommended that ``any rules regulating disclosures
of identifiable health information be as clear and as narrow as
possible. Each group of users must be required to justify their need
for health information and must accept reasonable substantive and
procedural limitations on access.'' \52\ According to NCVHS, this would
allow for the disclosures that society deemed necessary and appropriate
while providing individuals with clear expectations regarding their
health information privacy.
---------------------------------------------------------------------------
\52\ Id. at Third-Party Disclosures.
---------------------------------------------------------------------------
As we noted in the 2023 Privacy Rule NPRM,\53\ Congress
contemplated that the Department's rulemaking authorities under HIPAA
would not be static. Congress specifically built in a mechanism to
adapt such regulations as technology and health care evolve, directing
that the Secretary review and modify the Administrative Simplification
standards as determined appropriate, but not more frequently than once
every 12 months.\54\ That statutory directive complements the
Secretary's general rulemaking authority to ``make and publish such
rules and regulations, not inconsistent with this chapter, as may be
necessary to the efficient administration of the functions with which
each is charged under this chapter.'' \55\
---------------------------------------------------------------------------
\53\ 88 FR 23506, 23513 (Apr. 17, 2023).
\54\ See section 1174(b)(1) of Public Law 104-191 (codified at
42 U.S.C. 1320d-3).
\55\ Section 1102 of the SSA (codified at 42 U.S.C. 1302).
---------------------------------------------------------------------------
2. Health Information Technology for Economic and Clinical Health
(HITECH) Act
On February 17, 2009, Congress enacted the Health Information
Technology for Economic and Clinical Health Act of 2009 (HITECH Act)
\56\ to promote the widespread adoption and standardization of health
information technology (health IT). The HITECH Act included additional
HIPAA privacy and security requirements for covered entities and
business associates and expanded certain rights of individuals with
respect to their PHI.
---------------------------------------------------------------------------
\56\ Title XIII of Division A and Title IV of Division B of the
American Recovery and Reinvestment Act of 2009, Public Law 111-5,
123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 201 note).
---------------------------------------------------------------------------
Congress understood the importance of a relationship between a
connected health IT landscape, ``a necessary and vital component of
health care reform,'' \57\ and privacy and security standards when it
enacted the HITECH Act. The Purpose statement of an accompanying House
of Representatives report \58\ on the Energy and Commerce Recovery and
Reinvestment Act \59\ recognizes that ``[i]n addition to costs,
concerns about the security and privacy of health information have also
been regarded as an obstacle to the adoption of [health IT].'' The
Senate Report for S. 336 \60\ similarly acknowledges that
``[i]nformation technology systems linked securely and with strong
privacy protections can improve the quality and efficiency of health
care while producing significant cost savings.'' \61\ As the Department
explained in the 2013 regulation referred to as the ``Omnibus Rule''
\62\ and discussed in greater detail below, the HITECH Act's additional
HIPAA privacy and security requirements \63\ supported Congress' goal
of promoting widespread adoption and interoperability of health IT by
``strengthen[ing] the privacy and security protections for health
information established by HIPAA.'' \64\
---------------------------------------------------------------------------
\57\ C. Stephen Redhead, Cong. Rsch. Serv., R40161, ``The Health
Information Technology for Economic and Clinical Health (HITECH)
Act,'' (2009), https://crsreports.congress.gov/product/pdf/R/R40161/9 (``[Health IT], which generally refers to the use of computer
applications in medical practice, is widely viewed as a necessary
and vital component of health care reform.'').
\58\ H.R. Rep. No. 111-7, at 74 (2009), accompanying H.R. 629,
111th Cong.
\59\ H.R. 629, Energy and Commerce Recovery and Reinvestment Act
of 2009, introduced in the House on January 22, 2009, contained
nearly identical provisions to subtitle D of the HITECH Act.
\60\ Congress enacted the American Recovery and Reinvestment Act
of 2009, which included the HITECH Act, on February 17, 2009. While
it was the House version of the bill, H.R. 1, that was enacted, the
Senate version, S. 336, contained nearly identical provisions to
subtitle D of the HITECH Act.
\61\ S. Rep. No. 111-3 accompanying S. 336, 111th Cong., at 59
(2009).
\62\ 78 FR 5566 (Jan. 25, 2013).
\63\ Subtitle D of title XIII of the HITECH Act (codified at 42
U.S.C. 17921, 42 U.S.C. 17931-17941, and 42 U.S.C. 17951-17953).
\64\ 78 FR 5566, 5568 (Jan. 25, 2013).
---------------------------------------------------------------------------
In passing the HITECH Act, Congress instructed the Department that
any new health IT standards adopted under section 3004 of the Public
Health Service Act (PHSA) must take into account the privacy and
security requirements of the HIPAA Rules.\65\ Congress also affirmed
that the existing HIPAA Rules were to remain in effect to the extent
that they are consistent with the HITECH Act and directed the Secretary
to revise the HIPAA Rules as necessary for consistency with the
[[Page 32982]]
HITECH Act.\66\ Congress confirmed that the new law was not intended to
have any effect on authorities already granted under HIPAA to the
Department, including section 264 of that statute and the regulations
issued under that provision.\67\ Congress thus affirmed the Secretary's
ongoing rulemaking authority to modify the Privacy Rule's standards and
implementation specifications as often as every 12 months when
appropriate, including to strengthen privacy and security protections
for IIHI.
---------------------------------------------------------------------------
\65\ Section 3009(a)(1)(B) of the PHSA, as added by section
13101 of the HITECH Act (codified at 42 U.S.C. 300jj-19(a)(1)).
\66\ Section 13421(b) of the HITECH Act (codified at 42 U.S.C.
17951).
\67\ Section 3009(a)(1)(A) of the PHSA, as added by section
13101 of the HITECH Act (codified at 42 U.S.C. 300jj-19(a)(1)).
---------------------------------------------------------------------------
B. Regulatory History
The Secretary has delegated the authority to administer the HIPAA
Rules and to make decisions regarding their implementation,
interpretation, and enforcement to the HHS Office for Civil Rights
(OCR).\68\ Since the enactment of the HITECH Act, the Department has
exercised its authority to modify the Privacy Rule several times--in
2013, 2014, and 2016.\69\
---------------------------------------------------------------------------
\68\ See U.S. Dep't of Health and Hum. Servs., Off. of the
Sec'y, Off. for Civil Rights; Statement of Delegation of Authority,
65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and Hum. Servs.,
Off. of the Sec'y, Off. for Civil Rights; Delegation of Authority,
74 FR 38630 (Aug. 4, 2009); U.S. Dep't of Health and Hum. Servs.,
Off. of the Sec'y, Statement of Organization, Functions and
Delegations of Authority, 81 FR 95622 (Dec. 28, 2016).
\69\ See 78 FR 5566 (Jan. 25, 2013); 79 FR 7290 (Feb. 6, 2014);
81 FR 382 (Jan. 6, 2016).
---------------------------------------------------------------------------
1. 2000 Privacy Rule
As directed by HIPAA, the Department provided a series of
recommendations to Congress for a potential new law that would address
the confidentiality of IIHI.\70\ Congress did not act within its three-
year self-imposed deadline. Accordingly, the Department published a
proposed rule on November 3, 1999,\71\ and issued the first final rule
establishing ``Standards for Privacy of Individually Identifiable
Health Information'' (``2000 Privacy Rule'') on December 28, 2000.\72\
---------------------------------------------------------------------------
\70\ See U.S. Dep't of Health and Hum. Servs., Off. of the
Assistant Sec'y for Plan. and Evaluation, ``Recommendations of the
Secretary of Health and Human Services, pursuant to section 264 of
the Health Insurance Portability and Accountability Act of 1996,''
Section I.A. (Sept. 1997), https://aspe.hhs.gov/reports/confidentiality-individually-identifiable-health-information.
\71\ 64 FR 59918 (Nov. 3, 1999).
\72\ 65 FR 82462 (Dec. 28, 2000).
---------------------------------------------------------------------------
The primary goal of the Privacy Rule was to provide greater
protection to individuals' privacy to engender a trusting relationship
between individuals and health care providers. As announced, the final
rule set standards to protect the privacy of IIHI to ``begin to address
growing public concerns that advances in electronic technology and
evolution in the health care industry are resulting, or may result, in
a substantial erosion of the privacy surrounding'' health
information.\73\ On the eve of that rule's issuance, the President
issued an Executive Order recognizing the importance of protecting
individual privacy, explaining that ``[p]rotecting the privacy of
patients' protected health information promotes trust in the health
care system. It improves the quality of health care by fostering an
environment in which patients can feel more comfortable in providing
health care professionals with accurate and detailed information about
their personal health.'' \74\
---------------------------------------------------------------------------
\73\ Id.
\74\ See Executive Order 13181 (Dec. 20, 2000), 65 FR 81321.
---------------------------------------------------------------------------
Since its promulgation, the Privacy Rule has protected PHI by
limiting the circumstances under which covered entities and their
business associates (collectively, ``regulated entities'') are
permitted or required to use or disclose PHI and by requiring covered
entities to have safeguards in place to protect the privacy of PHI. In
adopting these regulations, the Department acknowledged the need to
balance several competing factors, including existing legal
expectations, individuals' privacy expectations, and societal
expectations.\75\ The Department noted in the preamble that the large
number of comments from individuals and groups representing individuals
demonstrated the deep public concern about the need to protect the
privacy of IIHI and constituted evidence of the importance of
protecting privacy and the potential adverse consequences to
individuals and their health if such protections are not extended.\76\
Through its policy choices in the 2000 Privacy Rule, the Department
struck a balance between competing interests--the necessity of
protecting privacy and the public interest in using identifiable health
information for vital public and private purposes--in a way that was
also workable for the varied stakeholders.\77\
---------------------------------------------------------------------------
\75\ See 65 FR 82462, 82471 (Dec. 28, 2000).
\76\ See id. at 82472.
\77\ See id.
---------------------------------------------------------------------------
In the 2000 Privacy Rule, the Department established ``general
rules'' for uses and disclosures of PHI, codified at 45 CFR
164.502.\78\ The 2000 Privacy Rule also specified the circumstances in
which a covered entity was required to obtain an individual's
consent,\79\ authorization,\80\ or the opportunity for the individual
to agree or object.\81\ Additionally, it established rules for when a
covered entity is permitted to use or disclose PHI without an
individual's consent, authorization, or opportunity to agree or
object.\82\ In particular, the Privacy Rule permits certain uses and
disclosures of PHI, without the individual's authorization, for
identified activities that benefit the community, such as public health
activities, judicial and administrative proceedings, law enforcement
purposes, and research.\83\
---------------------------------------------------------------------------
\78\ 65 FR 82462 (Dec. 28, 2000).
\79\ 45 CFR 164.506 was originally titled ``Consent for uses or
disclosures to carry out treatment, payment, or health care
operations.''
\80\ 45 CFR 164.508.
\81\ 45 CFR 164.510.
\82\ 45 CFR 164.512.
\83\ See 64 FR 59918, 59955 (Nov. 3, 1999).
---------------------------------------------------------------------------
The Privacy Rule also established the rights of individuals with
respect to their PHI, including the right to receive adequate notice of
a covered entity's privacy practices, the right to request restrictions
of uses and disclosures, the right to access (i.e., to inspect and
obtain a copy of) their PHI, the right to request an amendment of their
PHI, and the right to receive an accounting of disclosures.\84\
---------------------------------------------------------------------------
\84\ See 45 CFR 164.520, 164.522, 164.524, 164.526, and 164.528.
---------------------------------------------------------------------------
In the 2000 Privacy Rule, the Secretary exercised her statutory
authority to adopt 45 CFR 160.104(a), which reserves the Secretary's
ability to modify any standard or implementation specification adopted
under the Administrative Simplification provisions.\85\ The Secretary
first invoked this modification authority to amend the Privacy Rule in
2002 \86\ and made additional modifications in 2013 \87\ and 2016,\88\
as described below.
---------------------------------------------------------------------------
\85\ See 65 FR 82462, 82800 (Dec. 28, 2000).
\86\ See 67 FR 53182 (Aug. 14, 2002).
\87\ 78 FR 5566 (Jan. 25, 2013).
\88\ 81 FR 382 (Jan. 6, 2016).
---------------------------------------------------------------------------
2. 2002 Privacy Rule
After publication of the 2000 Privacy Rule, the Department received
many inquiries and unsolicited comments about the Privacy Rule's
effects and operation. As a result, the Department opened the 2000
Privacy Rule for further comment in February 2001, less than one month
before the effective date and 25 months before the compliance date for
most covered entities, and issued clarifying guidance on its
implementation.\89\ NCVHS' Subcommittee on Privacy, Confidentiality and
Security held public
[[Page 32983]]
hearings about the 2000 Privacy Rule. From those hearings, the
Department obtained additional information about concerns related to
key provisions and their potential unintended consequences for health
care quality and access.\90\ On March 27, 2002, the Department proposed
modifications to the 2000 Privacy Rule to clarify the requirements and
correct potential problems that could threaten access to, or quality
of, health care.\91\
---------------------------------------------------------------------------
\89\ 66 FR 12738 (Feb. 28, 2001).
\90\ 67 FR 53182, 53183 (Aug. 14, 2002).
\91\ 67 FR 14775 (Mar. 27, 2002).
---------------------------------------------------------------------------
In response to comments on the proposed rule, the Department
finalized modifications to the Privacy Rule on August 14, 2002 (``2002
Privacy Rule'').\92\ This final rule clarified HIPAA's requirements
while maintaining strong protections for the privacy of IIHI.\93\ These
modifications addressed certain workability issues, including but not
limited to clarifying distinctions between health care operations and
marketing; modifying the minimum necessary standard to exclude
disclosures authorized by individuals and clarify its operation;
eliminating the consent requirement for uses and disclosures of PHI for
treatment, payment, or health care operations (TPO), and to otherwise
clarify the role of consent in the Privacy Rule; and making other
modifications and conforming amendments consistent with the proposed
rule. The Department also included modifications to the provisions
permitting the use or disclosure of PHI for public health activities
and for research activities without consent, authorization, or an
opportunity to agree or object.
---------------------------------------------------------------------------
\92\ 67 FR 53182 (Aug. 14, 2002). See the final rule for changes
in the entirety. The 2002 Privacy Rule was issued before the
compliance date for the 2000 Privacy Rule. Thus, covered entities
never implemented the 2000 Privacy Rule. Instead, they implemented
the 2000 Privacy Rule as modified by the 2002 Privacy Rule.
\93\ See 67 FR 53182 (Aug. 14, 2002).
---------------------------------------------------------------------------
3. 2013 Omnibus Rule
Following the enactment of the HITECH Act, the Department issued an
NPRM, entitled ``Modifications to the HIPAA Privacy, Security, and
Enforcement Rules Under the Health Information Technology for Economic
and Clinical Health [HITECH] Act'' (``2010 NPRM''),\94\ which proposed
to implement certain HITECH Act requirements. In 2013, the Department
issued the final rule, Modifications to the HIPAA Privacy, Security,
Enforcement, and Breach Notification Rules Under the Health Information
Technology for Economic and Clinical Health [HITECH] Act and the
Genetic Information Nondiscrimination Act, and Other Modifications to
the HIPAA Rules (``2013 Omnibus Rule''),\95\ which implemented many of
the new HITECH Act requirements, including strengthening individuals'
privacy rights related to their PHI.
---------------------------------------------------------------------------
\94\ 75 FR 40868 (July 14, 2010).
\95\ 78 FR 5566 (Jan. 25, 2013). In addition to finalizing
requirements of the HITECH Act that were proposed in the 2010 NPRM,
the Department adopted modifications to the Enforcement Rule not
previously adopted in an earlier interim final rule, 74 FR 56123
(Oct. 30, 2009), and to the Breach Notification Rule not previously
adopted in an interim final rule, 74 FR 42739 (Aug. 24, 2009). The
Department also finalized previously proposed Privacy Rule
modifications as required by GINA, 74 FR 51698 (Oct. 7, 2009).
---------------------------------------------------------------------------
The Department also finalized regulatory provisions that were not
required by the HITECH Act, but were necessary to address the
workability and effectiveness of the Privacy Rule and to increase
flexibility for and decrease burden on regulated entities.\96\ In the
2010 NPRM, the Department noted that it had not amended the Privacy
Rule since 2002.\97\ It further explained that information gleaned from
contact with the public since that time, enforcement experience, and
technical corrections needed to eliminate ambiguity provided the
impetus for the Department's actions to make certain regulatory
changes.\98\
---------------------------------------------------------------------------
\96\ See 78 FR 5566 (Jan. 25, 2013) (explaining that the
Department was using its general authority under HIPAA to make a
number of changes to the Privacy Rule that were intended to increase
workability and flexibility, decrease burden, and better harmonize
the requirements with those under other Departmental regulations).
The Department's general authority to modify the Privacy Rule is
codified in HIPAA section 264(c), and OCR conducts rulemaking under
HIPAA based on authority granted by the Secretary.
\97\ See 75 FR 40868, 40871 (July 14, 2010).
\98\ 75 FR 40868, 40871 (July 14, 2010).
---------------------------------------------------------------------------
For example, the Department modified its prior interpretation of
the Privacy Rule requirement at 45 CFR 164.508(c)(1)(iv) that a
description of a research purpose must be study specific.\99\ The
Department explained that, under its new interpretation, the research
purposes need only be described adequately such that it would be
reasonable for an individual to expect that their PHI could be used or
disclosed for such future research.\100\ In the 2013 Omnibus Rule, the
Department explained that this change was based on the concerns
expressed by covered entities, researchers, and other commenters on the
2010 NPRM that the former requirement did not represent current
research practices. The Department provided a similar explanation for
its modifications to the Privacy Rule that permit certain disclosures
of student immunization records to schools without an
authorization.\101\ Additionally, based on a recommendation made at an
NCVHS meeting, the Department requested comment on and finalized
proposed revisions to the definition of PHI to exclude information
regarding an individual who has been deceased for more than 50
years.\102\ For the latter, the Department noted that it was balancing
the privacy interests of decedents' living relatives and other affected
individuals against the legitimate needs of public archivists to obtain
records.\103\
---------------------------------------------------------------------------
\99\ See 78 FR 5566, 5611 (Jan. 25, 2013).
\100\ See id. at 5612.
\101\ Id. at 5616-17. See also 45 CFR 164.512(b)(1).
\102\ 78 FR 5566, 5614 (Jan. 25, 2013). See also 45 CFR
164.502(f) and the definition of ``Protected health information'' at
45 CFR 160.103, excluding IIHI regarding a person who has been
deceased for more than 50 years.
\103\ In addition to the rulemakings discussed here, the
Department has modified the Privacy Rule for workability purposes
and in response to changes in circumstances on two other occasions,
and it issued another notice of proposed rulemaking in 2021 for the
same reasons. See 79 FR 7289 (Feb. 6, 2014), 81 FR 382 (Jan. 6,
2016), and 86 FR 6446 (Jan. 21, 2021).
---------------------------------------------------------------------------
None of the changes described in the paragraph above were required
by the HITECH Act. Rather, the Department determined that it was
necessary to promulgate these changes pursuant to its existing general
rulemaking authority under HIPAA. NCVHS and the public also recommended
other changes between the publication of the 2002 Privacy Rule and the
2013 Omnibus Rule, including the creation of specific categories of
PHI, such as ``Sexuality and Reproductive Health Information'' that
would allow for special protections of such PHI.\104\ The Department
declined to propose specific protections for certain categories of PHI
at that time because of concerns about the ability of regulated
entities to segment PHI and the effects on care coordination. Many of
those concerns are still present, and so the Department did not propose
and determined not to establish a specific category of particularly
sensitive PHI in this rulemaking. Instead, as discussed more fully
below, the Department is finalizing a purpose-based prohibition against
certain uses and disclosures.
---------------------------------------------------------------------------
\104\ See Letter from NCVHS Chair Simon P. Cohn to HHS Sec'y
Michael O. Leavitt (June 22, 2006), https://ncvhs.hhs.gov/rrp/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/;
Letter from NCVHS Chair Simon P. Cohn to HHS Sec'y Michael O.
Leavitt (Feb. 20, 2008) (listing categories of health information
that are commonly considered to contain sensitive information),
https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf;
Letter from NCVHS Chair Justine M. Carr to HHS Sec'y Kathleen
Sebelius (Nov. 10, 2010) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/101110lt.pdf.
---------------------------------------------------------------------------
[[Page 32984]]
4. 2024 Privacy Rule
On April 17, 2023, the Department issued an NPRM \105\ to modify
the Privacy Rule for the purpose of prohibiting uses and disclosures of
PHI for criminal, civil, or administrative investigations or
proceedings against persons for seeking, obtaining, providing, or
facilitating reproductive health care that is lawful under the
circumstances in which it is provided. To properly execute the HIPAA
statutory mandate, and in accordance with the regulatory authority
granted to it by Congress, the Department continually monitors and
evaluates the evolving environment for health information privacy
nationally, including the interaction of the Privacy Rule and state
statutes and regulations governing the privacy of health information.
In keeping with the Department's practice, this final rule accommodates
state autonomy to the extent consistent with the need to maintain rules
for health information privacy that serve HIPAA's objectives. The
regulation thus preempts state law only to the extent necessary to
achieve Congress' directive to establish a standard for the privacy of
IIHI for the purpose of improving the effectiveness of the health care
system. As discussed below, achieving that objective requires
individuals to trust that their health care providers will maintain
privacy of PHI about lawful reproductive health care. In addition,
NCVHS held a virtual public meeting that included a discussion about
the proposed rule on June 14, 2023,\106\ and provided recommendations
to the Department based on this discussion, briefings at their July
2022 \107\ and December 2022 \108\ meetings, and the expertise of its
members.\109\ The resultant public record and subsequent
recommendations submitted to the Department by NCVHS, along with other
public comments on the 2023 Privacy Rule NPRM, informed the development
of these modifications.
---------------------------------------------------------------------------
\105\ 88 FR 23506.
\106\ See Meeting of NCVHS (June 14, 2023), https://ncvhs.hhs.gov/meetings/full-committee-meeting-13/.
\107\ See Meeting of NCVHS, Briefing on Legislative Developments
in Data Privacy (July 21, 2022), https://ncvhs.hhs.gov/meetings/full-committee-meeting-11/.
\108\ See Meeting of NCVHS, Briefing by Cason Schmit (Dec. 7,
2022), https://ncvhs.hhs.gov/meetings/full-committee-meeting-12/.
\109\ Letter from NCVHS Chair Jacki Monson to HHS Sec'y Xavier
Becerra (June 14, 2023) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/wp-content/uploads/2023/06/NCVHS-Comments-on-HIPAA-Reproduction-Health-NPRM-Final-508.pdf.
---------------------------------------------------------------------------
III. Justification for This Rulemaking
A. HIPAA Encourages Trust and Confidence by Carefully Balancing
Individuals' Privacy Interests With Others' Interests in Using or
Disclosing PHI
1. Privacy Protections Ensure That Individuals Have Access to, and Are
Comfortable Accessing, High-Quality Health Care
The goal of a functioning health care system is to provide high-
quality health care that results in the best possible outcomes for
individuals. To achieve that goal, a functioning health care system
depends in part on individuals trusting health care providers. Thus,
trust between individuals and health care providers is essential to an
individual's health and well-being.\110\ Protecting the privacy of an
individual's health information is ``a crucial element for honest
health discussions.'' \111\ The original Hippocratic Oath required
physicians to pledge to maintain the confidentiality of health
information they learn about individuals.\112\ Without confidence that
private information will remain private, individuals--to their own
detriment--are reluctant to share information with health care
providers.
---------------------------------------------------------------------------
\110\ See Jennifer Richmond et al., ``Development and Validation
of the Trust in My Doctor, Trust in Doctors in General, and Trust in
the Health Care Team Scales,'' 298 Social Science & Medicine 114827
(2022), https://www.sciencedirect.com/science/article/abs/pii/S0277953622001332?via%3Dihub; see also Fallon E. Chipidza et al.,
``Impact of the Doctor-Patient Relationship,'' The Primary Care
Companion for CNS Disorders (Oct. 2015), https://www.psychiatrist.com/pcc/delivery/patient-physician-communication/impact-doctor-patient-relationship/. See Testimony (transcribed) of
William G. Plested, III, M.D., Member, Board of Trustees, American
Medical Association, Hearing on Confidentiality of Patient Medical
Records before House of Representatives Committee on Ways and Means,
Subcommittee on Health (Feb. 17, 2000), https://www.govinfo.gov/content/pkg/CHRG-106hhrg66897/html/CHRG-106hhrg66897.htm. (``Trust
is the foundation of the patient/physician relationship.'')
\111\ See Am. Med. Ass'n, ``Patient Perspectives Around Data
Privacy,'' (2022), https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf.
\112\ See John C. Moskop et al., ``From Hippocrates to HIPAA:
Privacy and Confidentiality in Emergency Medicine--Part I:
Conceptual, Moral, and Legal Foundations,'' 45 Ann Emerg. Med. 1
(Jan. 2005) (quoting the Oath of Hippocrates, ``What I may see or
hear in the course of the treatment or even outside of the treatment
in regard to the life of men, which on no account one must spread
abroad, I will keep to myself [. . .].''), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7132445/#bib1.
---------------------------------------------------------------------------
When proposing the 2000 Privacy Rule, the Department recognized
that individuals may be deterred from seeking needed health care if
they do not trust that their sensitive information will be kept
private.\113\ The Department described its policy choices as stemming
from a motivation to develop and maintain a relationship of trust
between individuals and health care providers. The Department explained
that a fundamental assumption of the 2000 Privacy Rule was that the
greatest benefits of improved privacy protection would be realized in
the future as individuals gain increasing trust in their health care
provider's ability to maintain the confidentiality of their health
information.\114\ As a result, the Privacy Rule strengthened
protections for health information privacy, including the right of
individuals to determine who has access to their health information.
---------------------------------------------------------------------------
\113\ See 64 FR 59918, 60006 (Nov. 3, 1999) (In the 1999 Privacy
Rule NPRM, the Department discussed confidentiality as an important
component of trust between individuals and health care providers and
cited a 1994 consumer privacy survey that indicated that a lack of
privacy may deter patients from obtaining preventive care and
treatment.). See id. at 60019.
\114\ See 64 FR 59918, 60006 (Nov. 3, 1999).
---------------------------------------------------------------------------
Despite the Privacy Rule's rights and protections, individuals do
not have confidence that their IIHI is being protected adequately. In a
2022 survey on patient privacy, the American Medical Association (AMA)
found that, of 1,000 patients surveyed: (1) nearly 75% were concerned
about protecting the privacy of their own health information; and (2)
59% of patients worried about health data being used by companies to
discriminate against them or their loved ones.\115\ According to the
AMA, a lack of health information privacy raises many questions about
circumstances that could put individuals and health care providers in
legal peril, and the ``primary purpose of increasing [health
information] privacy is to build public trust, not inhibit data
exchange.'' \116\
---------------------------------------------------------------------------
\115\ See ``Patient Perspectives Around Data Privacy,'' supra
note 111.
\116\ Id. at 2.
---------------------------------------------------------------------------
The Federal Government also has a strong interest in ensuring that
individuals have access to high-quality health care.\117\ This is true
at both an individual and population level. In the 2000 Privacy Rule, the
Department noted that high-quality health care depends on an individual
being able to share sensitive information with their health care
provider based on the trust that the information shared will be
protected and kept confidential.\118\ An effective health care system
requires an individual to share sensitive health information with their
health care providers. They do so with the reasonable expectation that
this information is going to be used to treat them. The prospect of the
disclosure of highly sensitive PHI by regulated entities can result in
medical mistrust and the deterioration of the confidential, safe
environment that is necessary to provide high-quality health care,
operate a functional health care system, and improve the public's
health generally.\119\ High-quality health care cannot be attained
without patient candor. Health care providers rely on an individual's
health information to diagnose them and provide them with appropriate
treatment options and may not be able to reach an accurate diagnosis or
recommend the best course of action for the individual if the
individual's medical records lack complete information about their
health history. However, an individual may be unwilling to seek
treatment or share highly sensitive PHI when they are concerned about
the confidentiality and security of PHI provided to treating health
care providers.\120\ The Department has long recognized that health
care professionals who lose the trust of their patients cannot deliver
high-quality care.\121\ Similarly, if a health care provider does not
trust that the PHI they include in an individual's medical records will
be kept private, the health care provider may leave gaps or include
inaccuracies when preparing medical records, creating a risk that
ongoing or future health care would be compromised. In contrast,
heightened confidentiality and privacy protections enable a health care
provider to feel confident maintaining full and complete medical
records.
---------------------------------------------------------------------------
\117\ See Testimony (transcribed) of Peter R. Orszag, Director,
Congressional Budget Office, Hearing on Comparative Clinical
Effectiveness before House of Representatives Committee on Ways and
Means, Subcommittee on Health, 2007 WL 1686358 (June 12, 2007)
(``because federal health insurance programs play a large role in
financing medical care and represent a significant expenditure, the
federal government itself has an interest in evaluations of the
effectiveness of different health care approaches''); Statement of
Sen. Durenberger introducing S.1836, American Health Quality Act of
1991 and reading bill text, 137 Cong. Rec. S26720 (Oct. 17, 1991)
(``[T]he Federal Government has a demonstrated interest in assessing
the quality of care, access to care, and the costs of care through
the evaluative activities of several Federal agencies.'').
\118\ See 65 FR 82462, 82463 (Dec. 28, 2000).
\119\ See, e.g., Brooke Rockwern et al., Medical Informatics
Committee and Ethics, Professionalism and Human Rights Committee of
the American College of Physicians, ``Health Information Privacy,
Protection, and Use in the Expanding Digital Health Ecosystem: A
Position Paper of the American College of Physicians,'' 174 Ann
Intern Med. 994 (Jul. 2021) (discussing the need for trust in the
health care system as necessary to mitigate a global pandemic);
Johanna Birkhäuer et al., ``Trust in the Health Care
Professional and Health Outcome: A Meta-Analysis,'' 12 PLoS One
e0170988 (Feb. 7, 2017). See also Eric Boodman, ``In a doctor's
suspicion after a miscarriage, a glimpse of expanding medical
mistrust,'' STAT News (June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/ (Sarah Prager, professor of obstetrics and
gynecology at the University of Washington, stating that it is a bad
precedent if clinical spaces become unsafe for patients because,
``[a health care provider's] ability to take care of patients relies
on trust, and that will be impossible moving forward.'').
\120\ See ``Development and Validation of the Trust in My
Doctor, Trust in Doctors in General, and Trust in the Health Care
Team Scales,'' supra note 110; Bradley E. Iott et al., ``Trust and
Privacy: How Patient Trust in Providers is Related to Privacy
Behaviors and Attitudes,'' 2019 AMIA Annu Symp Proc 487 (Mar. 2020),
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/; Pamela Sankar
et al., ``Patient Perspectives of Medical Confidentiality: a Review
of the Literature,'' 18 J. of Gen. Internal Med. 659 (Aug. 2003),
https://pubmed.ncbi.nlm.nih.gov/12911650/.
\121\ See 65 FR 82462, 82468 (Dec. 28, 2000).
---------------------------------------------------------------------------
Incomplete medical records and health care avoidance not only
inhibit the quality of health care an individual receives; they are
also detrimental to efforts to improve public health. The objective of
public health is to prevent disease in and improve the health of
populations. Barriers that undermine the willingness of individuals to
seek health care in a timely manner or to provide complete and accurate
health information to their health care providers undermine the overall
objective of public health. For example, individuals who are not candid
with their health care providers because of concerns about potential
negative consequences of a loss of privacy may withhold information
about a variety of health matters that have public health implications,
such as communicable diseases or vaccinations.\122\ Experience also
shows that medical mistrust--especially in communities of color and
other communities that have been marginalized or negatively affected by
historical and current health care disparities--can create damaging and
chilling effects on individuals' willingness to seek appropriate and
lawful health care for medical conditions that can worsen without
treatment.\123\
---------------------------------------------------------------------------
\122\ See Letter from NCVHS Chair Simon P. Cohn, supra note 104,
at 2 (2006) (with forwarded NCVHS recommendations, ``Individual
trust in the privacy and confidentiality of their personal health
information also promotes public health, because individuals with
potentially contagious or communicable diseases are not inhibited
from seeking treatment.'').
\123\ See Texas Dep't of State Health Servs., ``Texas Maternal
Mortality and Morbidity Review Committee and Department of State
Health Services Joint Biennial Report 2022,'' at 41 (Dec. 2022)
https://www.dshs.texas.gov/sites/default/files/legislative/2022-Reports/2022-MMMRC-DSHS-Joint-Biennial-Report.pdf; Lynn M. Paltrow
et al., ``Arrests of and forced interventions on pregnant women in
the United States, 1973-2005: implications for women's legal status
and public health,'' 38 J. Health Pol. Pol'y Law 299 (2013) (finding
that hospital staff are most likely to report low-income pregnant
patients and pregnant patients of color, especially Black women, to the
authorities);
Terri-ann Monique Thompson et al., ``Racism Runs Through It:
Examining the Sexual and Reproductive Health Experience of Black
Women in the South,'' 41 Health Affairs 195 (Feb. 2022) (discussing
how individual racism affects reproductive health care use by
undermining the patient-doctor relationship), https://www.healthaffairs.org/doi/10.1377/hlthaff.2021.01422; Joli Hunt,
``Maternal Mortality among Black Women in the United States,''
Ballard Brief (July 2021), https://ballardbrief.byu.edu/issue-briefs/maternal-mortality-among-black-women-in-the-united-states/
(discussing the disproportionately high rate of Black maternal
mortality and morbidity); Austin Frakt, ``Bad Medicine: The Harm
that Comes from Racism,'' The New York Times (July 8, 2020), https://www.nytimes.com/2020/01/13/upshot/bad-medicine-the-harm-that-comes-from-racism.html.
---------------------------------------------------------------------------
2. The Department's Approach to the Privacy Rule Has Long Sought To
Balance the Interests of Individuals and Society
While recognizing the importance of preserving individuals' trust,
the Department has consistently taken the approach of balancing the
interests of the individual in the privacy of their PHI with society's
interests, including in the free flow of information that enables the
provision of effective and efficient health care services. Such an
approach derives from Congress's direction, in 1996, to improve the
efficiency and effectiveness of the health care system by encouraging
the development of a health information system while taking into
account the privacy of IIHI and the uses and disclosures of such
information that should be authorized or required.\124\ In past
rulemakings, the Department has made revisions to the Privacy Rule to
balance an individual's privacy expectations with a covered entity's
need for information for reimbursement and quality purposes.\125\ As
the Department previously explained, ``Patient privacy must be balanced
against other public goods, such as research and the risk of
compromising such research projects if researchers could not continue
to use such data.'' \126\ The 2000 Privacy Rule included permissions
for regulated entities to disclose PHI under certain conditions,
including for judicial and administrative proceedings and law
enforcement purposes, because an individual's right to privacy in
information about themselves is not absolute. For example, it does not
prevent reporting of public health information on communicable
diseases, nor does it prevent law enforcement from obtaining information
when due process has been observed.\127\
---------------------------------------------------------------------------
\124\ 42 U.S.C. 1320d note and 1320d-2 note.
\125\ See 67 FR 53182, 53216 (Aug. 14, 2002).
\126\ Id. at 53226.
\127\ 65 FR 82462, 82464 (Dec. 28, 2000).
---------------------------------------------------------------------------
In more recent rulemakings revising the Privacy Rule, the
Department has continued its efforts to build and maintain individuals'
trust in the health care system while balancing the interests of
individuals with those of others. For example, in explaining revisions
made as part of the 2013 Omnibus Rule, the Department recognized that
covered entities must balance protecting the privacy of health
information with sharing health information with those responsible for
ensuring public health and safety.\128\ The Privacy Rule was also
revised in 2016 (``2016 Privacy Rule'') in accordance with an
administration-wide effort to curb gun violence across the nation.\129\
The 2016 Privacy Rule was tailored to authorize the disclosure of a
limited set of PHI \130\ for a narrow, specific purpose, that is, to
permit only regulated entities that are state agencies or other
entities designated by a state to collect and report information to the
National Instant Criminal Background Check System (NICS) or a lawful
authority making an adjudication or commitment as described by 18
U.S.C. 922(g)(4) to disclose to NICS the identities of individuals who
are subject to a Federal ``mental health prohibitor'' that
disqualifies them from shipping, transporting, possessing, or receiving
a firearm. As explained in the 2016 Privacy Rule, the Federal mental
health prohibitor applies only to the extent that the individual is
involuntarily committed or determined by a court or other lawful
authority to be a danger to self or others, or is unable to manage
their own affairs because of a mental illness or condition.\131\
Similar to this final rule, the 2016 Privacy Rule balanced public
safety goals with individuals' privacy interests by clearly limiting
permissible disclosures to those that are necessary to ensure that
individuals are not discouraged from seeking lawful health care, in
this case, voluntary treatment for mental health needs.\132\ In the
2013 Omnibus Rule and 2016 Privacy Rule, the Department ensured that
the disclosures were necessary for the public good and were not for the
purpose of harming the individual. This approach is consistent with the
NCVHS recommendations to the Secretary relating to health information
privacy: ``The Committee strongly supports limiting use and disclosure
of identifiable information to the minimum amount necessary to
accomplish the purpose. The Committee also strongly believes that when
identifiable health information is made available for non-health uses,
patients deserve a strong assurance that the data will not be used to
harm them.'' \133\
---------------------------------------------------------------------------
\128\ See 78 FR 5566, 5616 (Jan. 25, 2013).
\129\ 81 FR 382 (Jan. 6, 2016); see, e.g., 78 FR 4297 (Jan. 22,
2013) and 78 FR 4295 (Jan. 22, 2013); see also Colleen Curtis,
``President Obama Announces New Measures to Prevent Gun Violence,''
The White House President Barack Obama (Jan. 16, 2013), https://obamawhitehouse.archives.gov/blog/2013/01/16/president-obama-announces-new-measures-prevent-gun-violence.
\130\ This PHI includes limited demographic and certain other
information needed for the purposes of reporting to NICS. 45 CFR
164.512(k)(7)(iii)(A). In preamble, the Department explained that
generally the information described at 45 CFR 164.512(k)(7)(iii)(A)
would be limited to the data elements required to create a NICS
record and certain other elements to the extent that they are
necessary to exclude false matches: Social Security number, State of
residence, height, weight, place of birth, eye color, hair color,
and race. 81 FR 382, 390 (Jan. 6, 2016).
\131\ 81 FR 382, 386-388 (Jan. 6, 2016).
\132\ Id. The Department addressed concerns about the possible
chilling effect on individuals seeking health care by explaining
that (1) the permission is limited to only those covered entities
that order the involuntary commitments or make the other
adjudications that cause individuals to be subject to the Federal
mental health prohibitor, or that serve as repositories of such
information for NICS reporting purposes; (2) the specified regulated
entities are permitted to disclose NICS data only to designated
repositories or the NICS; (3) the information that may be disclosed
is limited to certain demographic or other information that is
necessary for NICS reporting; and (4) the rulemaking did not expand
the permission to encompass State law prohibitor information.
\133\ Letter from NCVHS Chair Don E. Detmer to HHS Sec'y Donna
E. Shalala (June 27, 1997) (forwarding NCVHS recommendations),
https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/.
---------------------------------------------------------------------------
Consistent with Congress's directive to promulgate ``standards with
respect to the privacy of [IIHI]'' that, among other things, address
the ``uses and disclosures of such information that should be
authorized or required,'' \134\ the Department recognizes a variety of
interests with respect to health information. These include
individuals' interests in the privacy of their health information,
society's interests in ensuring the effectiveness of the health care
system, and other interests of society in using IIHI for certain non-
health care purposes. As part of balancing these interests, the
Department has also recognized that it may be necessary to afford
additional protection to certain types of health information because
those types of information are particularly sensitive and often involve
highly personal health care decisions. For example, the Department
affords special privacy protections to psychotherapy notes. These
protections are afforded in part because of the particularly sensitive
information those notes contain and in part because of the unique
function of these records, which are by definition maintained
separately from an individual's medical record.\135\ As we previously
explained, the primary value of psychotherapy notes is to the specific
provider, and the promise of strict confidentiality helps to ensure
that the patient will feel comfortable freely and completely disclosing
very personal information essential to successful treatment.\136\ The
Department elaborated that even the possibility of disclosure may
impede development of the confidential relationship necessary for
successful treatment because of the sensitive nature of the problems
for which individuals consult psychotherapists and the potential
embarrassment that may be engendered by the disclosure of confidential
communications made during counseling sessions.\137\ Therefore, to
support the development and maintenance of an individual's trust and
protect the relationship between an individual and their therapist, the
Privacy Rule permits the disclosure of psychotherapy notes without an
individual's authorization only in limited circumstances, such as to
avert a serious and imminent threat to health or safety. Those limited
circumstances do not include judicial and administrative proceedings or
law enforcement purposes unless the disclosure is ``necessary to
prevent or lessen a serious and imminent threat to the health or safety
of a person or the public.'' \138\
---------------------------------------------------------------------------
\134\ 42 U.S.C. 1320d-2 note.
\135\ See 45 CFR 164.501 (definition of ``Psychotherapy
notes'').
\136\ See 64 FR 59918, 59941 (Nov. 3, 1999).
\137\ See id.
\138\ 45 CFR 164.508(a)(2).
---------------------------------------------------------------------------
Information about an individual's reproductive health and
associated health care is also especially sensitive and has long been
recognized as such. As stated in the AMA's Principles of Medical
Ethics, the ``decision to terminate a pregnancy should be made
privately within the relationship of trust between patient and
physician in keeping with the patient's unique values and needs and the
physician's best professional judgment.'' \139\ NCVHS first noted
reproductive health information as an example of a category of health
information commonly considered to contain sensitive information in
2006.\140\ Between 2005 and 2010, NCVHS held nine hearings that
addressed questions about sensitive information in medical records and
identified additional categories of sensitive information beyond those
addressed in Federal and state law, including ``sexuality and
reproductive health information.'' In several letters to the Secretary
during that period, NCVHS recommended that the Department identify and
define categories of sensitive information, including ``reproductive
health.'' \141\ In a 2010 letter to the Secretary, NCVHS elaborated
that, after extensive testimony on sensitive categories of health
information, ``reproductive health'' should be expanded to ``sexuality
and reproductive health information,'' because:
Information about sexuality and reproductive history is often
very sensitive. Some reproductive issues may expose people to
political controversy (such as protests from abortion proponents),
and public knowledge of an individual's reproductive history may
place [them] at risk of stigmatization.'' Additionally, individuals
may wish to have their reproductive history segmented so that it is
not viewed by family members who otherwise have access to their
records. Parents may wish to delay telling their offspring about
adoption, gamete donation, or the use of other forms of assisted
reproduction technology in their conception, and, thus, it may be
important to have the capacity to segment these records.\142\
---------------------------------------------------------------------------
\139\ Council on Ethical and Judicial Affairs, ``Ethics,
Amendment to Opinion 4.2.7, Abortion H-140.823,'' Am. Med. Ass'n
(2022), https://policysearch.ama-assn.org/policyfinder/detail/%224.2.7%20Abortion%22?uri=%2FAMADoc%2FHOD.xml-H-140.823.xml.
\140\ See Letter from NCVHS Chair Simon P. Cohn (2006), supra
note 104.
\141\ See Letter from NCVHS Chair Simon P. Cohn (2006), supra
note 104; Letter from NCVHS Chair Simon P. Cohn (2008), supra note
104; Letter from NCVHS Chair Justine M. Carr (2010), supra note 104.
\142\ See Letter from NCVHS Chair Justine M. Carr (2010), supra
note 104.
---------------------------------------------------------------------------
The Department did not provide specific protections for certain
categories of PHI upon receipt of the recommendation or as part of the
2013 Omnibus Rule because of concerns about the ability of regulated
entities to segment PHI and the effects on care coordination. While we
recognized the sensitive nature of reproductive health information
before this rulemaking, the Department believed that the Supreme
Court's recognition of a constitutional right to abortion coupled with
the privacy protections afforded by the HIPAA Rules provided the
necessary trust to promote access to and quality of health care. As a
result of the changed legal landscape for reproductive health care
broadly, including abortion, the range of circumstances in which PHI
about legal reproductive health care could be sought and used in
investigations or to impose liability expanded significantly. Now that
states have much broader power to criminalize and regulate reproductive
choices--and that some states have already exercised that power in a
variety of ways \143\--individuals legitimately have a far greater fear
that especially sensitive information about lawful health care will not
be kept private. This changed environment requires additional privacy
protections to help restore the Privacy Rule's carefully struck balance
between individual and societal interests. Because the concerns
regarding segmentation and the negative impact on care coordination
remain, the Department did not propose and is not establishing a new
category of particularly sensitive PHI in this final rule. Instead, as
discussed more fully below, the Department is finalizing its proposed
purpose-based prohibition against certain uses and disclosures.
---------------------------------------------------------------------------
\143\ See LePage v. Center for Reproductive Medicine, SC-2022-
0515 (Feb. 16, 2024).
---------------------------------------------------------------------------
B. Developments in the Legal Environment Are Eroding Individuals' Trust
in the Health Care System
The Supreme Court's decision in Dobbs overturned Roe v. Wade \144\
and Planned Parenthood of Southeastern Pennsylvania v. Casey,\145\
thereby enabling states to significantly restrict access to
abortion.\146\ Following the Supreme Court's decision, the legal
landscape has shifted as laws significantly restricting access to
abortion have in fact become effective in some jurisdictions. This
change has also led to questions about both the current and future
lawfulness of other types of reproductive health care, and therefore,
the ability of individuals to access such health care.\147\ Thus, this
shift may interfere with the longstanding expectations of individuals,
established by HIPAA and the Privacy Rule, with respect to the privacy
of their PHI.\148\ For example, while the Privacy Rule currently
permits, but does not require, uses and disclosures of PHI for certain
purposes,\149\ including when another law requires a regulated entity
to make the use or disclosure,\150\ regulated entities after Dobbs may
feel compelled by other applicable law to use or disclose PHI to law
enforcement or other persons who may use that health information
against an individual, a regulated entity, or another person who has
sought, obtained, provided, or facilitated reproductive health care,
even when such health care is lawful in the circumstances in which the
health care is obtained.\151\
---------------------------------------------------------------------------
\144\ 410 U.S. 113 (1973).
\145\ 505 U.S. 833 (1992).
\146\ Dobbs, 597 U.S. 299-302.
\147\ See, e.g., Carmel Shachar et al., ``Informational Privacy
After Dobbs,'' 75 Ala. L. Rev. 1 (2023), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4570500 and Andrzej Kulczycki, ``Dobbs:
Navigating the New Quagmire and Its Impacts on Abortion and
Reproductive Health Care,'' Health Education & Behavior (2022),
https://doi.org/10.1177/10901981221125430.
\148\ See, e.g., Kayte Spector-Bagdady & Michelle M. Mello,
``Protecting the Privacy of Reproductive Health Information After
the Fall of Roe v. Wade,'' 3 JAMA Network e222656 (June 30, 2022),
https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032; Lisa G. Gill, ``What does the overturn of Roe v. Wade mean
for you?,'' Consumer Reports (June 24, 2022), https://www.consumerreports.org/health-privacy/what-does-the-overturn-of-roe-v-wade-mean-for-you-a1957506408/.
\149\ 45 CFR 164.502(a)(1).
\150\ 45 CFR 164.512(a).
\151\ See Laura J. Faherty et al., ``Consensus Guidelines and
State Policies: The Gap Between Principle and Practice at the
Intersection of Substance Use and Pregnancy,'' American Journal of
Obstetrics & Gynecology Maternal-Fetal Medicine (Aug. 2020)
(discussing a concern raised by multiple organizations that pregnant
women will hesitate to seek prenatal care and addiction treatment
during pregnancy because of their concerns that disclosing substance
use to health care providers will increase the likelihood that they
will face legal penalties); see also ``Informational Privacy After
Dobbs,'' supra note 147.
---------------------------------------------------------------------------
As a consequence of these developments in Federal and state law, an
individual's expectation of privacy of their health information
(irrespective of whether an individual is or was pregnant) is
threatened by the potential use or disclosure of PHI to identify
persons who seek, obtain, provide, or facilitate lawful reproductive
health care. Thus, these developments have created an environment in
which individuals are more likely to fear that their PHI will be
requested from regulated entities for use against individuals, health
care providers, and others, merely because such persons sought,
obtained, provided, or facilitated lawful reproductive health
care.\152\ The potential increased demand for PHI for these purposes is
not limited to states in which providing or obtaining certain
reproductive health care is no longer legal. Rather, the changes in the
legal landscape have nationwide implications, not only because of their
effects on the relationship between health care providers and
individuals, but also because of the potential effects on the flow of
health information across state lines. For example, an individual who
travels out-of-state to obtain reproductive health care that is lawful
under the circumstances in which it is provided may now be reluctant to
have that information disclosed to a health care provider in their home
state if they
[[Page 32988]]
fear that it may then be used against them or a loved one in their home
state. A health care provider may be unable to provide appropriate
health care if they are unaware of the individual's recent health
history, which could have significant negative health consequences.
Individuals and health care providers may also be reluctant to disclose
PHI to health plans with a multi-state presence because of concerns
that one of those states will seek to obtain that PHI to investigate or
impose liability on the individual or the health care provider, even if
there is no nexus with that state other than the presence of the health
plan in that state. Such reluctance may have significant ramifications
for access to reproductive health care, given the cost associated with
obtaining such health care, and health care generally.
---------------------------------------------------------------------------
\152\ See, e.g., Yvonne Lindgren et al., ``Reclaiming Tort Law
to Protect Reproductive Rights,'' 75 Alabama L. Rev. 355 (2023),
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4435834.
---------------------------------------------------------------------------
Additionally, PHI is more likely to be transmitted across state
lines as the electronic exchange of PHI increases because it is easier
and more efficient to send information electronically. For instance,
the Trusted Exchange Framework and Common Agreement (TEFCA) initiative
established under the 21st Century Cures Act and the Centers for
Medicare & Medicaid Services (CMS) Interoperability and Prior
Authorization Final Rule will spur greater use and disclosure of PHI by
regulated entities and to health apps and others.\153\ Different
components of a health information exchange/health information network
(HIE/HIN) may be located in different states, meaning that the PHI may
be transmitted across state lines, and thus affected by laws severely
restricting access to reproductive health care, even where both the
health care and the recipient of the PHI are located in states where
access to such health care is not substantially restricted.
---------------------------------------------------------------------------
\153\ See section 3001(c) of the PHSA, as amended by section
4003(b) of the 21st Century Cures Act, Public Law 114-255, 130 Stat.
1165 (codified at 42 U.S.C. 300jj-11(c)). For more information, see
Office of the Nat'l Coordinator for Health Info. Tech., ``Trusted
Exchange Framework and Common Agreement (TEFCA),'' https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca; See also 89 FR 8758 (Feb. 8,
2024); ``CMS Interoperability and Prior Authorization Final Rule
CMS-0057-F,'' Centers for Medicare & Medicaid (Jan. 17, 2024),
https://www.cms.gov/newsroom/fact-sheets/cms-interoperability-and-prior-authorization-final-rule-cms-0057-f.
---------------------------------------------------------------------------
According to commenters, individuals are increasingly concerned
about the confidentiality of discussions with their health care
providers. As a result, some individuals are not confiding fully in
their health care providers, increasing the risk that their medical
records will not be complete and accurate, leading to decreases in
health care quality and safety. This lack of openness is also likely to
affect the information and treatment recommendations health care
providers provide to individuals because health care providers will not
be sufficiently informed to provide thorough and accurate information
and guidance.\154\
---------------------------------------------------------------------------
\154\ See Eric Boodman, ``In a doctor's suspicion after a
miscarriage, a glimpse of expanding medical mistrust,'' STAT News
(June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/#:~:text=In%20a%20doctor's%20suspicion%20after,glimpse%20of%20expanding%20medical%20mistrust&text=The%20idea%20that%20she,used%20contraceptives%20and%20trusted%20them.
---------------------------------------------------------------------------
Individuals are not alone in their fears. Indeed, according to
commenters, some health care providers are afraid to provide lawful
health care because they are concerned that in doing so, they risk
being subjected to investigation and possible liability.\155\ The
Department is aware that some health care providers, such as clinicians
and pharmacies, are hesitant to provide lawful health care or lawfully
prescribe or fill prescriptions for medications that can result in
pregnancy loss, even when the health care or those prescriptions are
intended to treat individuals for other health matters, because of fear
of law enforcement action.\156\ Some health care providers are also not
providing individuals with information to address concerns about their
reproductive health, even where their communications would be lawful,
out of fear of criminal prosecution, civil suit, or loss of their
clinical license.\157\ This may result in individuals making decisions
about their health care with incomplete information, which could have
serious implications for health outcomes. These fears also increase the
risk that individual medical records will not be maintained with
completeness and accuracy, which will in turn affect the quality of
health care provided to individuals and their safety. Fears about
potential prosecution, even when Federal law protects the actions of
health care providers, are likely to negatively affect the accuracy of
medical records maintained by health care providers and thereby harm
individuals.
---------------------------------------------------------------------------
\155\ See also Melissa Suran, ``As Laws Restricting Health Care
Surge, Some US Physicians Choose Between Fight or Flight,'' JAMA,
329(22):1899-1903 (May 17, 2023) (discussing a maternal-fetal
medicine specialist who stated that she moved to another state
because of legislation that restricts evidence-based health care and
prevents her from fulfilling her ethical obligation to protect her
patients' health.), https://pubmed.ncbi.nlm.nih.gov/37195699/.
\156\ See Off. for Civil Rights, ``HHS Office for Civil Rights
Resolves Complaints with CVS and Walgreens to Ensure Timely Access
to Medications for Women and Support Persons with Disabilities,''
U.S. Dep't of Health and Human Servs. (June 16, 2023), https://www.hhs.gov/civil-rights/for-providers/compliance-enforcement/agreements/cvs-walgreens/index.html. See also Kathryn Starzyk et
al., ``More than half of patients with a rheumatic disease or
immunologic condition undergoing methotrexate treatment reside in
states in which the overturning of Roe v. Wade can jeopardize access
to medications with abortifacient potential,'' 75 Arthritis
Rheumatol 328 (Feb. 2023); see also Celine Castronuovo, ``Many
Female Arthritis Drug Users Face Restrictions After Dobbs,''
Bloomberg Law (Nov. 14, 2022) (noting that 16 out of 524 patients
responding to a survey indicated that they've had trouble getting
methotrexate, their arthritis medication, since the Dobbs decision.),
https://news.bloomberglaw.com/health-law-and-business/many-female-arthritis-drug-users-face-restrictions-after-dobbs; Interview with
Donald Miller, PharmD, ``Methotrexate access becomes challenging for
some patients following Supreme Court decision on abortion,''
Pharmacy Times (July 20, 2022), https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion; Jamie Ducharme, ``Abortion
restrictions may be making it harder for patients to get a cancer
and arthritis drug,'' Time (July 6, 2022), https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/; Katie Shepherd
& Frances Stead Sellers, ``Abortion bans complicate access to drugs
for cancer, arthritis, even ulcers,'' The Washington Post (Aug. 8,
2022), https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/.
\157\ See Michelle Oberman & Lisa Soleymani Lehmann, ``Doctors'
duty to provide abortion information,'' J. of Law and Biosciences
(Sept. 1, 2023) https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10474560/; Whitney Arey et al., ``Abortion Access and Medically
Complex Pregnancies Before and After Texas Senate Bill 8,'' 141
Obstet Gynecol. 995 (May 1, 2023) (concluding that ``Abortion
restrictions limit shared decision making, compromise patient care,
and put pregnant people's health at risk.''); ``1 Year Without
Roe,'' Center for American Progress (Jun. 23, 2023) (where a
physician detailed her fear about speaking freely with her patients
after Dobbs ``worried a vigilante posing as a new patient would
attempt to bait her into talking about abortion and attempt to sue
her, and she sometimes skirts the topic of abortion when speaking
with patients about their health care options.'').
---------------------------------------------------------------------------
As explained by commenters and supported by research, these
impingements on the privacy of health information about reproductive
health care are likely to have a disproportionately greater effect on
women, individuals of reproductive age, and individuals from
communities that have been historically underserved, marginalized, or
subject to discrimination or systemic disadvantage by virtue of their
race, disability, social or economic status, geographic location, or
environment.\158\ Historically
[[Page 32989]]
underserved and marginalized individuals are also more likely to be the
subjects of investigations and other activities to impose liability for
seeking or obtaining reproductive health care, even where such health
care is lawful under the circumstances in which it is provided.\159\
They are also less likely to have adequate access to legal counsel to
defend themselves from such actions.\160\ These inequities may be
exacerbated where individuals face multiple, intersecting disparities,
such as having limited English proficiency \161\ and disability.\162\
Such individuals are thus especially likely to be concerned that
information they share with their health care providers about their
reproductive health care will not remain private. This is particularly
true considering the historic lack of trust, negative experiences, and
fear of discrimination that many members of historically
underrepresented and marginalized communities and communities of color
have in the health care system; \163\ such individuals are more likely
to be deterred from seeking or obtaining health care--or from giving
their health care providers full information.
---------------------------------------------------------------------------
\158\ See Christine Dehlendorf et al., ``Disparities in Abortion
Rates: A Public Health Approach,'' Am. J. of Pub. Health (Oct.
2013), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/. See
also Kiara Alfonseca, ``Why Abortion Restrictions Disproportionately
Impact People of Color,'' ABC News (June 24, 2022), https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809; Dulce Gonzalez et al., Robert
Wood Johnson Foundation, ``Perceptions of Discrimination and Unfair
Judgment While Seeking Health Care'' (Mar. 31, 2021), https://www.rwjf.org/en/insights/our-research/2021/03/perceptions-of-discrimination-and-unfair-judgment-while-seeking-health-care.html;
Susan A. Cohen, ``Abortion and Women of Color: The Bigger Picture,''
11 Guttmacher Pol'y Rev. (Aug. 6, 2008), https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture; ``The
Disproportionate Harm of Abortion Bans: Spotlight on Dobbs v.
Jackson Women's Health,'' Center for Reproductive Rights (Nov. 29,
2021), https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/ (``Abuses such as
forced sterilization of Black, Indigenous, and other people of color
and individuals with disabilities specifically exacerbate medical
mistrust within reproductive healthcare.'').
\159\ See Brief of Amici Curiae for Organizations Dedicated to
the Fight for Reproductive Justice--Mississippi in Action, et al. at
*35-36, Dobbs, 597 U.S. 215 (discussing the likelihood that
individuals, particularly those from marginalized communities who
terminate their pregnancies and anyone who assists them may be
disproportionally likely to face criminal investigation or arrest,
given the rates of incarceration of persons from such communities.);
see also Elizabeth Yuko, ``Women of Color Will Face More
Criminalized Pregnancies in Post-`Roe' America,'' Rolling Stone
(Jul. 7, 2020) (``Historically, we've seen the criminalization of
people of color, young people, and people with lower incomes who've
had miscarriages and other types of pregnancy losses that the state
deemed were their fault [. . .] These groups are the most likely to
be reported to law enforcement and investigated''); see also
Sentencing Project, State-by-State Data, https://www.sentencingproject.org/research/us-criminal-justice-data/ (last
visited Feb. 16, 2024) (U.S. Total: Imprisonment rate per 100,000
residents--355; Black/White disparity--4.8:1; Latinx/White
disparity--1.3:1); Racial Disparities in Incarceration, Vera
Institute of Justice (Aug. 21, 2023), https://trends.vera.org/
(Prison population rate per 100,000 residents ages 15 to 64. U.S.
total incarceration rate 2021 Q2--298, Asian American/Pacific
Islander incarceration rate 2021 Q2--100, Black/African American
incarceration rate 2021 Q2--1,310, Latinx incarceration rate 2021
Q2--671, Native American incarceration rate 2021 Q2--1,021, White
incarceration rate 2021 Q2--281).
\160\ See Columbia Law Sch. Hum. Rts. Inst. & Ne. Univ. Sch.
of Law Program on Hum. Rts. and the Glob. Econ., ``Equal Access to
Justice: Ensuring Meaningful Access to Counsel in Civil Cases,
Including Immigration Proceedings'' (July 2014), https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf. See also Lauren
Hoffman et al., Ctr. For Am. Progress, ``Report: State Abortion Bans
Will Harm Women and Families' Economic Security Across the US''
(Aug. 25, 2022), https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/.
\161\ See Myasar Ihmud, ``Lost in Translation: Language Barriers
to Accessing Justice in the American Court System,'' UIC Law Review
(2023) (discussing ``access to justice for [limited English
proficient (LEP)] individuals is hindered because they are unable to
communicate with the court or understand the proceedings. Case law
shows that, when unable to communicate with the court, LEP litigants
are unable to defend themselves appropriately in criminal or
immigration hearings, protect their homes, or keep custody of their
children.''), https://repository.law.uic.edu/cgi/viewcontent.cgi?article=2908&context=lawreview; see also ``Language
Access & Cultural Sensitivity,'' Legal Services Corporation (last
visited Feb. 21, 2024) (describing how legal aid organizations
should plan for providing meaningful access to language services. As
of 2013, ``close to 25 million people, about 8 percent of the
population, has limited English proficiency.''), https://www.lsc.gov/i-am-grantee/model-practices-innovations/language-access-cultural-sensitivity.
\162\ See, e.g., Gautam Gulati et al., ``The experience of law
enforcement officers interfacing with suspects who have an
intellectual disability--A systematic review,'' International
Journal of Law and Psychiatry (Sept.-Oct. 2020) (``It is not
uncommon for people with [intellectual disability] to be suspects or
accused persons when interfacing with Law Enforcement Officers
(LEOs) and therefore face arrest, interview and/or custody.''),
https://www.sciencedirect.com/science/article/pii/S016025272030073X.
\163\ See Leslie Read et al., The Deloitte Ctr. for Health
Solutions, ``Rebuilding Trust in Health Care: What Do Consumers
Want--and Need--Organizations to Do?,'' at 3 (Aug. 5, 2021) (With
focus groups of 525 individuals in the United States who identify as
Black, Hispanic, Asian, or Native American, ``[f]ifty-five percent
reported a negative experience where they lost trust in a health
care provider.''), https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html; Liz Hamel et
al., Kaiser Family Foundation, ``The Undefeated Survey on Race and
Health,'' at 23 (Oct. 2020) (Percent who say they can trust the
health care system to do what is right for them or their community
almost all of the time or most of the time: Black adults: 44%;
Hispanic adults: 50%; White adults: 55%), https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf; U.S. Dep't of Health and Hum.
Servs., Assistant Sec'y for Pol. & Eval., Off. of Health Pol.,
``Issue Brief: Health Insurance Coverage and Access to Care for
LGBTQ+ Individuals: Current Trends and Key Challenges,'' at 9 (June
2021) (A 2021 survey found that 18 percent of LGBTQ+ individuals
reported avoiding going to a doctor or seeking health care out of
concern that they would face discrimination or poor treatment
because of their sexual orientation or gender identity.), https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf; Abigail
A. Sewell, ``Disaggregating Ethnoracial Disparities in Physician
Trust,'' Soc. Science Rsch. (Nov. 2015), https://pubmed.ncbi.nlm.nih.gov/26463531/; Irena Stepanikova et al.,
``Patients' Race, Ethnicity, Language, and Trust in a Physician,''
J. of Health and Soc. Behavior (Dec. 2006), https://pubmed.ncbi.nlm.nih.gov/17240927/.
---------------------------------------------------------------------------
Congress contemplated that the Department would need to modify
standards adopted under HIPAA's Administrative Simplification
provisions and directed the Secretary to review standards adopted under
42 U.S.C. 1320d-2 periodically.\164\ In accordance with this directive
and based on the Department's expertise and analysis and the recent
developments in the legal landscape, there is a compelling need to
provide additional protections to PHI about lawful reproductive health
care. Accordingly, consistent with Congress's directions to the
Department, in HIPAA, as amended by the Genetic Information
Nondiscrimination Act (GINA) and the HITECH Act, to establish standards
and requirements for the electronic transmission of certain health
information, including the privacy thereof, for the development of a
health information system, the Department is restricting certain uses
and disclosures of PHI for particular non-health care purposes to
provide such protections.
---------------------------------------------------------------------------
\164\ Congress' directions regarding the issuance of standards
for the privacy of IIHI are codified at 42 U.S.C. 1320d-2 note. See
also 45 CFR 160.104(a).
---------------------------------------------------------------------------
C. To Protect the Trust Between Individuals and Health Care Providers,
the Department Is Restricting Certain Uses and Disclosures of PHI for
Particular Non-Health Care Purposes
As discussed above, Congress enacted HIPAA to improve the
efficiency and effectiveness of the health care system, which includes
ensuring that individuals have trust in the health care system.
Congress also directed the Department to develop standards with respect
to the privacy of IIHI as part of its decision to encourage the
development of a health information system. To preserve such trust, and
to encourage the development and use of a nationwide health information
system, it is appropriate and necessary for Federal law and policy to
protect the confidentiality of medical records, especially those that
are highly sensitive. Accordingly, to protect the trust between
individuals and health care providers, this rule restricts certain uses
and disclosures of PHI for particular non-health care purposes, i.e.,
for using or disclosing PHI to conduct a criminal, civil, or
administrative investigation into or to impose criminal, civil, or
administrative liability on any person for the mere act of seeking,
obtaining, providing, or facilitating
[[Page 32990]]
lawful reproductive health care, or to identify any person to initiate
such activities.
Information about reproductive health care is particularly
sensitive and requires heightened privacy protection. The Department's
approach is consistent with efforts across the Federal Government. For
example, the Department of Defense (DOD) has recognized such privacy
concerns. In a memorandum to DOD leaders, the Secretary of Defense
directed the DOD to ``[e]stablish additional privacy protections for
reproductive health care information'' for service members and
``[d]isseminate guidance that directs Department of Defense health care
providers that they may not notify or disclose reproductive health
information to commanders unless this presumption is overcome by
specific exceptions set forth in policy.'' \165\ The Federal Trade
Commission (FTC) has also recognized that information about personal
reproductive matters is ``particularly sensitive'' and has committed to
using the full scope of its authorities to protect consumers' privacy,
including the privacy of their health information and other sensitive
data.\166\ In business guidance, the FTC explained that ``[t]he
exposure of health information and medical conditions, especially data
related to sexual activity or reproductive health, may subject people
to discrimination, stigma, mental anguish, or other serious harms.''
\167\
---------------------------------------------------------------------------
\165\ Dep't of Defense, Memorandum Re: Ensuring Access to
Reproductive Health Care, at 1 (Oct. 20, 2022) (removed emphasis on
``not'' in original), https://media.defense.gov/2022/Oct/20/2003099747/-1/-1/1/MEMORANDUM-ENSURING-ACCESS-TO-REPRODUCTIVE-HEALTH-CARE.PDF.
\166\ Kristin Cohen, ``Location, health, and other sensitive
information: FTC committed to fully enforcing the law against
illegal use and sharing of highly sensitive data,'' Federal Trade
Commission Business Blog (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal (last
accessed Nov. 15, 2022).
\167\ Id.
---------------------------------------------------------------------------
As discussed above, the Department has long provided special
protections for psychotherapy notes because of the sensitivity around
this information. However, unlike psychotherapy notes, which by their
very nature are easily segregated, reproductive health information is
not easily segregated. Additionally, regulated entities generally do
not have the ability to segment certain PHI such that regulated
entities could afford special protections for specific categories of
PHI.\168\ Where such technology is available, it is generally cost
prohibitive and burdensome to implement.\169\ Therefore, the Department
did not propose, and is not finalizing, a newly defined subset of PHI.
Creating such a subset would create barriers to disclosing PHI for care
coordination because the PHI would need to be segregated from the
remaining medical record. Instead, consistent with the Privacy Rule's
longstanding overall approach,\170\ the Department is finalizing a
purpose-based prohibition against certain uses and disclosures. This
rule seeks to protect individuals' privacy interests in their PHI about
reproductive health care and the interests of society in an effective
health care system by enabling individuals and licensed health care
professionals to make decisions about reproductive health care based on
a complete medical record, while balancing those interests with other
interests of society in obtaining PHI for certain non-health care
purposes.
---------------------------------------------------------------------------
\168\ See Daniel M. Walker et al., ``Interoperability in a Post-
Roe Era Sustaining Progress While Protecting Reproductive Health
Information,'' JAMA (Nov. 1, 2022) (discussing that segregation of
records for reproductive health care is more difficult than for SUD
treatment records because ``reproductive health services are often
provided in the same settings as other primary and acute care and
thus could be inferred or directly reflected in many parts of the
record.''), https://jamanetwork-com.ezproxyhhs.nihlibrary.nih.gov/journals/jama/fullarticle/2797865; See, e.g., 87 FR 74216, 74221
(Dec. 2, 2022) (noting that 42 CFR part 2 previously resulted in the
separation of SUD treatment records from other health
records, which led to the creation of data ``silos'' that hampered
the integration of SUD treatment records into covered entities'
electronic record systems and billing processes. When considering
amendments to the relevant statute, some lawmakers argued that the
silos perpetuated negative stereotypes about persons with SUD and
inhibited coordination of care during the opioid epidemic.). See
also Health Info. Tech. Advisory Comm., ``Health Information
Technology Advisory Committee (HITAC) Annual Report for Fiscal Year
2019,'' 2019 ONC Ann. Rep., at 37 (Feb. 19, 2020), https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf (``The new
certification criteria that support the sharing of data via third-
party apps will help advance the use of data segmentation, but
adoption of this capability by the industry is not yet
widespread.'').
\169\ See 88 FR 23746, 23898 (Apr. 18, 2023) (explaining that
while there are standards for security labels for document-based
exchange that the Office of the National Coordinator for Health
Information Technology (ONC) adopted in full in 2020 for the
criteria in 45 CFR 170.315(b)(7) and (b)(8) to support the
application of security labels at a granular level for sending
and receiving, standards to define the technical requirements for
the actions described by the security label vocabularies do not yet
exist. In the 21st Century Cures Act: Interoperability, Information
Blocking, and the ONC Health IT Certification Program Final Rule,
published in 2020, ONC estimated a cost of the certification
criteria and standards adopted for security labels in 45 CFR
170.315(b)(7) and (b)(8). The Department estimated the total cost to
developers could range from $2,910,400 to $6,933,600 and that it
would be a one-time cost (85 FR 25926). The criteria do not include
the ability for health IT to take the actions described by the
security labels. Additionally, ONC did not require that health IT be
certified to the criteria described above, making it essentially
voluntary. Accordingly, the estimates for health IT developer and
health care provider costs were likely significantly lower than they
would have been if health IT were required to be certified to the
criteria for participation. Thus, the total cost of implementing
full segmentation capabilities is likely substantially higher than
the per-product cost estimates provided by the Department in that
rule). See also 88 FR 23746, 23875 (Apr. 18, 2023) (discussing
examples of challenges or technical limitations to electronic health
information segmentation that have been described to ONC).
\170\ See 64 FR 59918, at 59924, 59939, and 59955 (Nov. 3,
1999).
---------------------------------------------------------------------------
To assist in effectuating this prohibition, the Department is also
requiring regulated entities to obtain an attestation in certain
circumstances from the person requesting the use or disclosure stating
that the use or disclosure is not for a prohibited purpose. A person
(including a regulated entity or someone who requests PHI) who
knowingly and in violation of the Administrative Simplification
provisions obtains or discloses IIHI relating to another individual
would be subject to potential criminal liability.\171\ Thus, a person
who knowingly and in violation of HIPAA falsifies an attestation (e.g.,
makes a material misrepresentation about the intended uses of the PHI
requested) to obtain (or cause to be disclosed) an individual's IIHI
could be subject to the criminal penalties provided by the
statute.\172\ Additionally, a regulated entity is subject to potential
civil penalties for violations of the HIPAA Rules, including a failure
to obtain a valid attestation before disclosing PHI, where an
attestation is required.\173\ The purpose-based prohibition, in concert
with the attestation, will restrict the use and disclosure of PHI about
lawful reproductive health care where the use or disclosure could harm
HIPAA's overall goals of increasing trust in the health care system,
improving health care quality, and protecting individual privacy. At
the same time, it will allow uses and disclosures that either support
those goals or do not substantially interfere with their achievement.
---------------------------------------------------------------------------
\171\ See 42 U.S.C. 1320d-6(a).
\172\ See 42 U.S.C. 1320d-6(b).
\173\ See 42 U.S.C. 1320d-5. See also 45 CFR part 160, subparts
A, D, and E.
---------------------------------------------------------------------------
Consistent with the Privacy Rule's approach, the Department is
clarifying that the purpose-based prohibition applies only in certain
circumstances, recognizing the interests of both the Federal Government
and states while also protecting the information privacy interests of
persons who seek, obtain, provide, or facilitate lawful reproductive
health care. Thus, the Department is finalizing a Rule of
[[Page 32991]]
Applicability that balances the privacy interests of individuals and
the interests of society in an effective health care system with those
of society in the use of PHI for other non-health care purposes by
limiting the new prohibition to certain circumstances.
The Department's experience administering the Privacy Rule,
research cited below, our assessment of the needs of individuals and
health care providers in light of recent developments in the legal
landscape, public comments, and the Regulatory Impact Analysis, in
Section VI below, all provide support for the changes finalized in this
rulemaking. These changes will improve individuals' confidence in the
confidentiality of their PHI and their trust in the health care system,
creating myriad benefits for the health care system. Balancing the
privacy interests of individuals and the use of PHI for other societal
priorities will continue to support an effective health care system, as
Congress intended. This final rule will deter the creation of
inaccurate and incomplete medical records, which will help to support
the provision of appropriate lawful health care. Health care providers
base their treatment recommendations on PHI contained within existing
medical records, as well as information shared with them directly by
the individual. Thus, where individuals withhold information from their
health care providers about lawful health care, health care providers
may not be in possession of all of the necessary information to make an
informed recommendation for an appropriate treatment plan, which may
result in negative health outcomes at both the individual and
population level. It will also improve the confidence of individuals,
including among the Nation's most vulnerable communities, that they can
seek or obtain lawful reproductive health care, or share that they have
done so, without that information being used or disclosed for the
purpose of investigating or imposing liability on them for seeking or
obtaining that lawful health care. By improving
individuals' confidence and trust in their relationships with their
health care providers, it will make individuals more likely to, for
example, comply with preventative health screening recommendations,
which will protect against a decline in individual and population
health outcomes related to missed preventative health screenings.
Additional intangible benefits from increased privacy protections in
this area include enhanced support for survivors of rape, incest, and
sex trafficking. The new attestation requirement discussed in greater
detail below will help to assure regulated entities of their ability to
operationalize these changes and avoid exposure to HIPAA liability for
impermissible disclosures.
IV. General Discussion of Public Comments
The Department received more than 25,900 comments in response to
its proposed rule. Overall, these comments represent the views of
approximately 51,500 individuals and 350 organizations. Slightly more
than half of the individuals and organizations who shared their views
expressed general support for the 2023 Privacy Rule NPRM and its
objectives. Less than one percent expressed mixed views. Organizational
commenters included professional and trade associations, including
those representing medical professionals, health plans, health care
providers, health information management professionals, health
information management system vendors, release-of-information vendors,
employers, epidemiologists, and attorneys. The Department also received
comments from advocacy organizations, including those representing
patients, privacy advocates, faith-based organizations, and civil
rights organizations. The NCVHS also provided comments, as did members
of Congress, state, local, and Tribal government officials and public
health authorities. Other commenters included health care systems,
hospitals, and health care professionals.
A. General Comments in Support of the Proposed Rule
Comment: Many commenters expressed general support for the proposed
rule and urged the Department to protect the privacy of individuals by
limiting uses and disclosures of PHI for certain purposes where the use
or disclosure of information is about reproductive health care that is
lawful under the circumstances in which such health care is provided.
Many health care providers and individuals emphasized the
importance of trusting relationships between individuals and their
health care providers. According to individual commenters, a trusting
relationship permits individuals to participate in sensitive and
difficult conversations with their health care providers and enables
health care providers to furnish high-quality and appropriate health
care and to maintain accurate and complete medical records, including
records that contain information about reproductive health care.
Many organizations also submitted comments that expressed agreement
with the Department's position on the importance of the relationship
between HIPAA and the HIPAA Rules and trust between individuals and
health care providers. For example, an organization commented that
privacy has long been a ``hallmark'' of medical care and agreed with
the Department that Congress recognized this principle when it enacted
HIPAA. Some organizations commented that the HIPAA framework of law and
rules provides individuals with the necessary trust and confidence to
seek reproductive health care without fear of being prosecuted or
targeted by law enforcement, including in medical emergencies.
Other commenters stated that a trusting confidential relationship
between an individual and a health care provider is an essential
prerequisite to the delivery of high-quality health care. They also
asserted that protective privacy laws, including HIPAA, help to ensure
that individuals do not forgo health care.
Many individuals asserted that the proposed safeguards are urgently
needed to provide individuals with the confidence to seek health care.
According to the commenters, the proposal would increase the likelihood
that pregnant individuals would receive essential health care, thus
improving their overall well-being. One commenter expressed support for
the proposal because they believe people should not be held liable or
face punishment for seeking, obtaining, providing, or facilitating
lawful health care. Another commenter expressed concerns that the
increase in state legislation targeting reproductive health care has
placed significant burdens on physicians and increased the risk of
maternal morbidity and mortality for individuals.
A few commenters also expressed agreement with the Department's
assertion that the proposed restrictions would clarify legal
obligations of regulated entities with respect to the disclosure of PHI
for certain non-health related purposes and would enable persons
requesting PHI, including health plans, to better understand when such
disclosures are permitted.
Response: The Department appreciates these comments and is
finalizing the proposed rule with modification, as described in greater
detail below. Consistent with HIPAA's goals, this final rule will
support the development and maintenance of trust between individuals
and their health care providers, encouraging individuals
[[Page 32992]]
to be forthright with health care providers regarding their health
history and providing valuable clarity to the regulated community and
individuals concerning their privacy rights with respect to lawfully
provided health care. In so doing, the Department helps to support
access to health care by increasing individuals' confidence in the
privacy of their PHI about lawfully provided reproductive health care.
We are taking these actions as a result of our ongoing evaluation of
the environment, including the legal landscape, and consistent with the
Privacy Rule's longstanding balance of individual privacy and societal
interests in PHI for non-health care purposes.
Comment: A wide cross-section of commenters, including individuals,
health care providers, patient advocacy organizations, reproductive
rights organizations, state law enforcement agencies, and others all
agreed that individuals who frequently experience discrimination
generally also experience it when seeking health care.
Many of these commenters urged the Department to recognize that
there is a trust deficit in relationships between individuals and
health care providers in communities that frequently experience
discrimination. Many commenters cited scholarly journals and research
articles showing that women of color especially suffer poorer medical
outcomes, including higher maternal mortality and denial of medical
interventions or treatments.
Commenters who answered the Department's request for comment about
whether members of ``historically underserved and minority
communities'' are more likely to be the subject of investigations into
or proceedings against persons in connection with seeking, obtaining,
providing, or facilitating lawful reproductive health care unanimously
responded in the affirmative. Some commenters expressed concern about
the current legal environment's disproportionately negative effect on
the privacy of women and members of marginalized and historically
underserved communities and communities of color, such as immigrants
who might avoid obtaining health care because of fears that their PHI
could be shared with government officials. In general, commenters
encouraged the Department to consider the likely negative implications
of reduced health information privacy when combined with these
disparities on health outcomes for members of marginalized and
historically underserved communities and communities of color when
crafting the final rule.
Some commenters expressed concern about the current legal
environment's disproportionately negative effect on the privacy of
members of marginalized and historically underserved communities and
communities of color, such as women of color, immigrants and American
Indians and Alaska Natives, who might withhold information from health
care providers or avoid obtaining health care because of fears that
their PHI could be shared with government officials or used to
investigate or impose liability on them.
Among commenters that addressed this topic, many supported the
Department's proposed purpose-based prohibition. Commenters stated that
the proposed rule would help to mitigate medical mistrust of
individuals in marginalized and historically underserved communities
and communities of color and reduce the racial disparities that result
from the increased criminalization of reproductive health care.
Several commenters also addressed the issue of the availability of
legal counsel among these communities. A few commenters asserted that
individuals who are members of marginalized and historically
underserved communities and communities of color are less likely to
have access to legal counsel, despite being more likely to be subjects
of investigations into or proceedings against persons in connection
with obtaining, providing, or facilitating lawful sexual and
reproductive health care, and cited related studies.
Response: We appreciate these comments and thank commenters for
sharing these important considerations. As we discussed in the 2023
Privacy Rule NPRM and again here, the experiences of individuals from
communities that have been historically underserved, marginalized, or
subject to discrimination or systemic disadvantage by virtue of their
race, disability, social or economic status, geographic location, or
environment have significant negative effects on their relationships
with health care providers and their willingness to seek necessary
health care. We agree that the current legal landscape has exacerbated
the health inequities that these individuals encounter when seeking
reproductive health care services. The Department expects that the
steps we have taken in this rule will meaningfully strengthen the
privacy of PHI about lawful reproductive health care, and as a result,
will help to mitigate the exacerbation of health disparities for
members of marginalized and historically underserved communities and
communities of color.
The Department is actively working to reduce health disparities. In
recent months, we released a new plan to address language barriers and
strengthen language access in health care,\174\ and issued three
proposed rules to address health disparities: one to revise existing
regulations to strengthen prohibitions against discrimination on the
basis of a disability in health care and human services programs; \175\
another to issue new regulations to advance non-discrimination in
health and human service programs for the LGBTQI+ community; \176\ and
a third to revise existing regulations to prohibit discrimination on
the basis of race, color, national origin, sex, age, and disability in
a range of health programs.\177\ The Department will continue to work
to address these concerns, ensure that individuals have access to and
do not forgo necessary health care, and build individuals' trust that
health care providers can and will protect the privacy of individuals'
sensitive health information.
---------------------------------------------------------------------------
\174\ Press Release, ``Breaking Language Barriers: Biden-Harris
Administration Announces New Plan to Address Language Barriers and
Strengthen Language Access,'' U.S. Dep't of Health and Human Servs.
(Nov. 15, 2023), https://www.hhs.gov/about/news/2023/11/15/breaking-language-barriers-biden-harris-administration-announces-new-plan-address-language-barriers-strengthen-language-access.html.
\175\ Press Release, ``HHS Issues New Proposed Rule to
Strengthen Prohibitions Against Discrimination on the Basis of a
Disability in Health Care and Human Services Programs,'' U.S. Dep't
of Health and Human Servs. (Sept. 7, 2023), https://www.hhs.gov/about/news/2023/09/07/hhs-issues-new-proposed-rule-to-strengthen-prohibitions-against-discrimination-on-basis-of-disability-in-health-care-and-human-services-programs.html.
\176\ Press Release, ``HHS Issues Proposed Rule to Advance Non-
discrimination in Health and Human Service Programs for LGBTQI+
Community,'' U.S. Dep't of Health and Human Servs. (July 11, 2023),
https://www.hhs.gov/about/news/2023/07/11/hhs-issues-proposed-rule-advance-non-discrimination-health-human-service-programs-lgbtqi-community.html.
\177\ Press Release, ``HHS Announces Proposed Rule to Strengthen
Nondiscrimination in Health Care,'' U.S. Dep't of Health and Human
Servs. (July 25, 2022), https://www.hhs.gov/about/news/2022/07/25/hhs-announces-proposed-rule-to-strengthen-nondiscrimination-in-health-care.html.
---------------------------------------------------------------------------
Comment: A few commenters agreed with the Department's position
that the proposed rule would appropriately protect individuals against
growing threats to their privacy with respect to PHI about reproductive
health care while permitting states to conduct law enforcement
activities.
Response: The Privacy Rule always has and continues to balance
privacy interests and other societal interests by permitting
disclosures of PHI to support
[[Page 32993]]
public policy goals, including disclosures to support certain criminal,
civil, and administrative law enforcement activities; the operation of
courts and tribunals; health oversight activities; the duties of
coroners and medical examiners; and the reporting of child abuse,
domestic violence, and neglect to appropriate authorities. We
appreciate these comments that recognized the growing threat to the
privacy of PHI and the need to strike an appropriate balance between
ensuring health care privacy and conducting law enforcement activities.
We are finalizing the proposed rule with modification as described in
greater detail below.
B. General Comments in Opposition to the Proposed Rule
Comment: Several commenters generally opposed the proposed rule
because of their opposition to certain types of reproductive health
care. Many commenters opposed the proposed rule generally because they
believed that it would harm women and children. Other commenters
expressed concern that the proposals would increase administrative
burdens and costs for health care providers; impede parental rights;
prevent mandatory reporting of child abuse, or of abuse, domestic
violence, and neglect; infringe upon states' rights; thwart law
enforcement investigations; inhibit disclosures for public health
activities; and protect those who engage in unlawful activities.
Response: The modifications to the Privacy Rule in this final rule
directly advance Congress' directive in HIPAA to improve the efficiency
and effectiveness of the health care system by encouraging the
development of a health information system through the establishment of
standards and requirements for the electronic transmission of certain
health information,\178\ including a standard for the privacy of IIHI
that, among other things, addresses the ``uses and disclosures of such
information that should be authorized or required.'' \179\ As discussed
in greater detail elsewhere in this final rule, a trusting relationship
between individuals and health care providers is the foundation of
effective health care. A primary goal of the Privacy Rule is to ensure
the privacy of an individual's PHI while permitting necessary uses and
disclosures of PHI that enable high-quality health care and protect the
health and well-being of all individuals, including women and children,
and the public.
---------------------------------------------------------------------------
\178\ See 42 U.S.C. 1320d note.
\179\ See 42 U.S.C. 1320d-2 note.
---------------------------------------------------------------------------
From the outset, the Department structured the Privacy Rule to
ensure that individuals do not forgo lawful health care when needed--or
withhold important information from their health care providers that
may affect the quality of health care they receive out of a fear that
their sensitive information would be revealed outside of their
relationship with their health care provider. The Department has long
been committed to protecting the privacy of PHI and providing the
opportunity for an authentic, trusting relationship between individuals
and health care providers. As we discussed in the 2023 Privacy Rule
NPRM and again here, this final rule will help engender trust between
individuals and health care providers and confidence in the health care
system. We believe that this confidence will eliminate some of the
burdens health care providers face in providing high-quality health
care, encourage health care providers to accurately document PHI in an
individual's medical record, and encourage individuals to provide
health care providers with their complete and accurate health history,
all of which will ultimately support better health outcomes. Nothing in
this final rule sets forth a particular standard of care or affects the
ability of health care providers to exercise their professional
judgment.
This final rule protects the relationship between individuals and
health care providers by protecting the privacy of PHI in circumstances
where recent legal developments have increased concerns about that
information being used and disclosed to harm persons who seek, obtain,
provide, or facilitate reproductive health care under circumstances in
which such health care is lawful, while continuing to permit uses and
disclosures that confer other social benefits. It is narrowly tailored
and respects the interests of both states and the Department. The final
rule continues to permit regulated entities to use or disclose PHI to
comply with certain mandatory reporting laws, for public health
activities, and for law enforcement purposes when the uses and
disclosures are compliant with the applicable provisions of the Privacy
Rule.
Further, consistent with the longstanding operation of the Privacy
Rule, this final rule requires that, in certain circumstances,
regulated entities obtain information from persons requesting PHI, such
as law enforcement, before the regulated entities may use or disclose
the requested PHI. The Department recognizes that this final rule may
increase the burden on those persons making requests for PHI, such as
federal and state law enforcement officials, by requiring, in certain
circumstances, that regulated entities obtain more information from
such persons than previously required, and may, at times, prevent
regulated entities from using or disclosing PHI that they previously
would have been permitted to use or disclose. For example, the
Department recognizes that situations may arise where a regulated
entity reasonably determines that reproductive health care was lawfully
provided, while at the same time, the person requesting the PHI (e.g.,
law enforcement) reasonably believes otherwise. In such circumstances,
where the regulated entity provided the reproductive health care, and
upon receiving a request for the PHI for a purpose that implicates the
prohibition, reasonably determines that the provision of reproductive
health care was lawful, the final rule would prohibit the regulated
entity from disclosing PHI for certain types of investigations into the
provision of such health care. This constitutes a change from the
current Privacy Rule, under which a regulated entity is permitted, but
not required, to make a use or disclosure under 45 CFR 164.512(f) of
information that is ``relevant and material to a legitimate'' law
enforcement inquiry, provided that certain conditions are met; these
conditions include, for example, that the request is specific and
limited in scope to the extent reasonably practicable given the purpose
for which the information is sought.\180\ Similarly, the Department
acknowledges that, where the regulated entity did not provide the
reproductive health care that is the subject of the investigation or
imposition of liability, the Rule of Applicability and Presumption,
discussed below, may require regulated entities to obtain additional
information from persons requesting PHI before using or disclosing
the requested PHI, that is, factual information that demonstrates to
the regulated entity a substantial factual basis that the
reproductive health care was not lawful under the specific
circumstances in which it was provided.
---------------------------------------------------------------------------
\180\ See 45 CFR 164.512(f)(1)(ii)(C).
---------------------------------------------------------------------------
Consistent with HIPAA and the Department's longstanding approach in
the Privacy Rule, the Department is finalizing an approach that strikes
an appropriate balance between the privacy interests of individuals and
the interests of law enforcement, and private parties afforded legal
rights of action, in
[[Page 32994]]
obtaining PHI for certain non-health care purposes. While this approach
may adversely affect particular interests of law enforcement, and
private parties afforded legal rights of action, in some cases, the
Department believes that the final rule best balances these competing
interests by enhancing privacy protections without unduly interfering
with legitimate law enforcement activities and does so in a manner that
is consistent with the approach taken elsewhere in the Privacy Rule. As
explained above, individual privacy interests are especially strong
where individuals seek lawful reproductive health care. In particular,
individuals may forgo lawful health care or avoid disclosing previous
lawful health care to providers because they fear that their PHI will
be disclosed. The Department believes these concerns are exacerbated by
the prospect of state investigations into, and resulting intimidation
and criminalization of, health care providers for providing lawful
reproductive health care, as well as state laws encouraging state
residents to sue persons who facilitate individuals' access to legal
health care. The final rule addresses these interests by protecting
privacy in situations where the reproductive health care at issue is
especially likely to be lawful under the circumstances in which such
health care was provided. Where a regulated entity receives a request
for PHI about reproductive health care that the regulated entity
provided, such health care is likely to be lawful where the regulated
entity reasonably determines, based on all information in its
possession, that such health care was lawful under the circumstances in
which it was provided. Similarly, where a regulated entity receives a
request for PHI about reproductive health care that the regulated
entity did not provide, such health care is likely to be lawful where
law enforcement is unable to provide factual information that
demonstrates to the regulated entity a substantial factual basis that
the reproductive health care was not lawful under the specific
circumstances in which such health care was provided.
The Department recognizes that, in some cases, the approach adopted
in this final rule may inadvertently prohibit the disclosure of PHI
about reproductive health care that was unlawfully provided, such as
where a health care provider reasonably but incorrectly determines that
the reproductive health care it provided was lawful under the
circumstances in which such health care was provided. This is similar
to how the Privacy Rule has always potentially prevented the use or
disclosure of PHI that could be useful to law enforcement in certain
circumstances because the request for PHI does not meet the conditions
of the applicable permission. Nevertheless, given the importance of
protecting individual privacy in this area, the Department has
determined that the final rule adopts the appropriate balance between
individual privacy and the interests of other persons, such as law
enforcement. Specifically, the Department believes that the benefits to
individual privacy of a broadly protective rule outweigh the benefits
to societal interests in the use or disclosure of PHI from a narrower
rule. While a narrower rule would more broadly permit disclosures
related to PHI that might concern reproductive health care that is not
lawful under the circumstances in which it is provided, such a rule
would inadvertently permit more disclosures of PHI about lawful
reproductive health care. Accordingly, the Department concludes that
the final rule must be sufficiently broad to protect against such
disclosures, given the paramount importance of individual privacy in
this area.
Moreover, as explained above, individual privacy interests are
paramount to promote free and open communication between individuals
and their health care providers, thereby ensuring that individuals
receive high-quality care based on their accurate medical history.
Society has long recognized that information exchanged as part of a
specific relationship for which trust is paramount should be entitled
to heightened protection (e.g., marital privilege, attorney-client
privilege, doctor-patient privilege). Similarly, this final rule seeks
to address situations where privacy interests are especially important,
based both on the content of the information that is protected from
disclosure (concerning lawful reproductive health care) and the context
in which that information is shared (concerning a trust-based
relationship between individuals and their health care providers).
In contrast, the potential adverse effects of this final rule on
other interests, such as those of law enforcement, are limited by the
narrow scope of this final rule. This final rule does not seek to
prohibit disclosures of PHI where the request is for reasons other than
investigating or imposing liability on persons for the mere act of
seeking, obtaining, providing, or facilitating reproductive health care
that is lawful under the circumstances in which such health care is
provided. For example, as explained in the NPRM and below, the final
rule does not prohibit the use or disclosure of PHI for investigating
alleged violations of the Federal False Claims Act or a state
equivalent; conducting an audit by an Inspector General aimed at
protecting the integrity of the Medicare or Medicaid program where the
audit is not inconsistent with this final rule; investigating alleged
violations of Federal nondiscrimination laws or abusive conduct, such
as sexual assault, that occur in connection with reproductive health
care; or determining whether a person or entity violated 18 U.S.C. 248
regarding freedom of access to clinic entrances. In each of these
cases, the request is not made for the purpose of investigating or
imposing liability on any person for the mere act of seeking,
obtaining, providing, or facilitating reproductive health care.
Even when the request is for the purpose of investigating or
imposing liability on the mere act of seeking, obtaining, providing, or
facilitating reproductive health care, this final rule does not seek to
prohibit disclosures of PHI about reproductive health care that is not
lawful under the circumstances in which it was provided. Thus, in most
situations involving reproductive health care that is not lawful under
the circumstances in which it is provided, this final rule will not
prevent the use or disclosure of PHI to investigate or impose liability
on persons for such legal violations, provided such disclosures are
otherwise permitted by the Privacy Rule. Moreover, where a regulated
entity did not provide the reproductive health care at issue, this
final rule prohibits the use or disclosure of PHI where the person
making the request does not provide sufficient information to overcome
the presumption of legality. In such cases, law enforcement agencies
and other persons have a reduced interest in obtaining such PHI where
the information does not demonstrate to the regulated entity a
substantial factual basis that the reproductive health care was not
lawful under the circumstances in which such health care was provided.
This final rule does not prohibit the use or disclosure of PHI to
investigate or impose liability on persons where reproductive health
care is unlawful under the circumstances in which it is provided.
Instead, the final rule prohibits the use or disclosure of PHI in
narrowly tailored circumstances (i.e., where the use or disclosure is
to conduct an investigation or impose liability on a person for the
mere act of seeking, obtaining, providing, or facilitating reproductive
health care that
[[Page 32995]]
is lawful under the circumstances in which such health care is
provided, or to identify a person for such activities). For example,
once this final rule is in effect, a covered health care provider may
still disclose PHI to a medical licensing board investigating a health
care provider's actions related to their obligation to report suspected
elder abuse, assuming the disclosure meets the conditions of an
applicable Privacy Rule permission. This is because the final rule does
not bar the use or disclosure of PHI for health oversight purposes,
which is unrelated to the mere act of seeking, obtaining, providing, or
facilitating reproductive health care.
Additionally, even where the final rule prohibits the use or
disclosure of PHI to investigate potentially unlawful reproductive
health care (i.e., where a regulated entity reasonably determines that
the reproductive health care they provided was lawful, or where the
presumption of legality is not overcome), law enforcement retains other
ways of investigating reproductive health care that they suspect may
have been unlawfully provided. For example, law enforcement retains the
use of other traditional and otherwise lawful investigatory means for
obtaining information, such as conducting witness interviews and
accessing other sources of information not covered by HIPAA. The final
rule is therefore tailored to protect the relationship between
individuals and their health care providers specifically, while leaving
unaffected law enforcement's ability to conduct investigations using
information from other sources.
With respect to commenters' concerns about parental rights, this
final rule also does not interfere with the ability of states to define
the nature of the relationship between a minor and a parent or
guardian.
Comment: A few commenters that expressed negative views asserted
that the proposed rule exceeded the Department's statutory authority
under HIPAA or was beyond the Department's rulemaking authority. Some
commenters stated that the rulemaking was arbitrary and capricious and
would make it difficult for law enforcement to investigate reproductive
health care and engage in health oversight activities and would require
health care providers to provide certain types of health care against
which they have objections. Some commenters expressed concern about the
balance of powers between the states and the federal government. Other
commenters suggested that the proposals preempt state laws serving
public health, safety, and welfare.
Response: As discussed above, Congress explicitly stated that the
purpose of HIPAA's Administrative Simplification provisions was to
improve the efficiency and effectiveness of the health care system. For
the health care system to be effective, individuals must trust that
information that they share with health care providers about lawful
health care will remain private. Accordingly, since their inception,
the HIPAA Rules have required that regulated entities narrowly tailor
disclosures to law enforcement to protect an individual's privacy.\181\
While the Department is adopting an approach in this final rule that is
more protective of privacy interests than the current Privacy Rule in
certain circumstances, these changes are necessary to appropriately
balance privacy interests and the interests of law enforcement, and
private parties afforded legal rights of action, in light of the
changing legal environment. This is discussed in detail above. In both
the 2023 Privacy Rule NPRM and this final rule, the Department cited to
multiple studies documenting the real-world harm to health and health
care in the changing legal environment. As explained above, the
Department acknowledges that this final rule may affect certain state
interests in obtaining PHI to investigate potentially unlawful
reproductive health care, but the Department has tailored the final
rule to strike the appropriate balance between privacy interests and
state interests. This final rule limits the potential harm to
individuals, health care providers, and others resulting from the
disclosure of PHI to investigate or punish individuals for the mere act
of seeking, obtaining, providing, or facilitating reproductive health
care that is lawful under the circumstances in which such health care
is provided. We emphasize that nothing in this rule or any of the HIPAA
Rules requires a health care provider to provide any type of health
care, including any type of reproductive health care.
---------------------------------------------------------------------------
\181\ See, e.g., 45 CFR 164.512(f) and 164.514(d)(3)(iii).
---------------------------------------------------------------------------
Comment: Several commenters asserted that the proposed rule would
impede states' enforcement of their own laws, including those
concerning sexual assault and sex trafficking. Many commenters opposed
the proposed rule because they believed it would inhibit the ability of
states to investigate or enforce laws prohibiting minors from obtaining
certain types of health care and prevent the commenters from reporting
minors who they believe are coerced into obtaining such health care to
authorities.
Response: This rule does not prohibit the disclosure of PHI for
investigating allegations of or imposing liability for sexual assault,
sex trafficking, or coercing minors into obtaining reproductive health
care. Rather, this final rule modifies the existing HIPAA Privacy Rule
standards by prohibiting uses and disclosures of PHI to investigate or
impose liability on individuals, regulated entities, or other persons
for the mere act of seeking, obtaining, providing, or facilitating
reproductive health care that is lawful under the circumstances in
which such reproductive health care is provided, or to identify any
person to investigate or impose liability on them for such purposes.
Accordingly, requests for the disclosure of PHI to investigate such
allegations of or impose liability for such crimes do not fall within
the final rule's prohibition, and the presumption of lawfulness
likewise would not be triggered because the prohibition would not
apply. A regulated entity therefore would not be prohibited from
disclosing an individual's PHI when subpoenaed by law enforcement for
the purpose of investigating such allegations, assuming that law
enforcement provided a valid attestation and met the other conditions
of the applicable permission.
Moreover, as explained above, the final rule is tailored to
prohibit disclosures related to lawful reproductive health care,
thereby reducing the interference with law enforcement interests to
create an appropriate balance with privacy interests.
Comment: Some states expressed concern that the proposed rule would
intrude into areas where the HIPAA Rules have previously acknowledged
state control, such as enforcement of state and local laws, regulation
of the practice of health care, and reporting of abuse.
Response: This final rule balances the interests of individuals in
the privacy of their PHI and of society in an effective health care
system with those of society in obtaining PHI for certain non-health
care purposes. The Privacy Rule always has and continues to permit
disclosures of PHI to support public policy goals, including
disclosures to support criminal, civil, and administrative law
enforcement activities; the operation of courts and tribunals; health
oversight activities; the duties of coroners and medical examiners; and
the reporting of child abuse, domestic violence, and neglect to
appropriate authorities. As explained above, while the final rule
adopts an approach that is more
[[Page 32996]]
protective of privacy interests in certain circumstances than the
previous Privacy Rule, the final rule continues to balance the
interests that HIPAA Rules have long sought to protect with those of
society in PHI.
C. Other General Comments on the Proposed Rule
Comment: Commenters urged the Department to provide enhanced
privacy protections for health information that is not covered by
existing frameworks or specifically addressed in the proposed rule. A
few professional associations expressed support for revising the
Privacy Rule to provide stronger protection for the privacy of
reproductive health care information and urged the Department to modify
the Privacy Rule to provide even stronger protections than those
proposed in the 2023 Privacy Rule NPRM.
Response: The Department's authority under HIPAA is limited to
protecting the privacy of IIHI that is maintained or transmitted by
covered entities and, in some cases, their business associates.
Specific modifications to the Privacy Rule to protect the privacy of
PHI are described in greater detail below. Consistent with the
Department's longstanding approach with respect to the Privacy Rule,
the modifications we are finalizing in this rule strike a balance
between protecting an individual's right to health information privacy
with the interests of society in permitting the disclosure of PHI to
support the investigation or imposition of liability for unlawful
conduct. In particular, the final rule does not prohibit the disclosure
of PHI about reproductive health care that was unlawfully provided,
because an individual's privacy interests in reproductive health care
that is not lawful (e.g., a particular type of reproductive health care
that is provided by a nurse practitioner in a state that requires that
type of reproductive health care to be provided by a physician) are
comparatively lower than a state's interests in investigating and
imposing liability on persons for unlawful reproductive health care. We
will continue to monitor legal developments and their effects on
individual privacy as we consider the need for future modifications to
the Privacy Rule.
Comment: Several commenters questioned how the proposed rule would
affect their current business associate and data exchange agreements.
Response: The modifications in this final rule may require
regulated entities to revise existing business associate agreements
where such agreements permit regulated entities to engage in activities
that are no longer permitted under the revised Privacy Rule. Regulated
entities must be in compliance with the provisions of this rule by
December 23, 2024.
Comment: A few commenters requested clarification of whether minors
and legal adults have the same protections under the Privacy Rule and
whether this rule would alter existing protections.
Response: The final rule does not change how the Privacy Rule
applies to adults and minors. Thus, all of the protections provided to
PHI by this final rule apply equally to adults and minors. For example,
under this final rule, a regulated entity is prohibited from using or
disclosing a minor's PHI for the purposes prohibited under 45 CFR
164.502(a)(5)(iii). The Privacy Rule generally permits a parent to have
access to the medical records about their child as their minor child's
personal representative when such access is consistent with state or
other law, with limited exceptions.\182\ Additional information about
how the Privacy Rule applies to minors can be found at 45 CFR
164.502(g) and on the OCR website.\183\
---------------------------------------------------------------------------
\182\ See 45 CFR 164.502(g) (describing personal
representatives) and 164.524(a)(3) (describing reviewable grounds
for denial of access to PHI by a personal representative).
\183\ Off. for Civil Rights, ``Health Information Privacy,''
U.S. Dep't of Health and Human Servs., https://www.hhs.gov/hipaa/index.html.
---------------------------------------------------------------------------
Comment: Many commenters urged the Department to take an
educational approach, rather than a punitive one, with respect to
enforcement against regulated entities. In addition, many commenters
addressed the need for resources and education for successful
implementation of the proposed changes to the Privacy Rule. They called
for the Department to collaborate with and educate regulated entities,
individuals, and others affected by the proposed revisions, such as law
enforcement, as well as for the Department to partner with other
Federal agencies and state governments to conduct the education. Some
suggested that educational resources should include multiple media
formats and a centralized platform.
Response: The Department frequently issues non-binding guidance and
conducts outreach to help regulated entities achieve compliance. We
appreciate these recommendations and will consider these topics for
future guidance. Regulated entities are expected to comply with the
Privacy Rule as revised once the compliance date has passed.
V. Summary of Final Rule Provisions and Public Comments and Responses
The Department is modifying the Privacy Rule to strengthen privacy
protections for individuals' PHI by adding a new category of prohibited
uses and disclosures of PHI. This final rule prohibits a regulated
entity from using or disclosing an individual's PHI for the purpose of
conducting a criminal, civil, or administrative investigation into or
imposing criminal, civil, or administrative liability on any person for
the mere act of seeking, obtaining, providing, or facilitating
reproductive health care that is lawful under the circumstances in
which it is provided, meaning that it is either: (1) lawful under the
circumstances in which such health care is provided and in the state in
which it is provided; or (2) protected, required, or authorized by
Federal law, including the United States Constitution, regardless of
the state in which such health care is provided. In both of these
circumstances, as explained above, the interests of the individual in
the privacy of their PHI and of society in ensuring an effective health
care system outweigh those of society in the use of PHI for non-health
care purposes. To operationalize this modification, the Department is
revising or clarifying certain definitions and terms that apply to the
Privacy Rule, as well as other HIPAA Rules. This final rule also
prohibits a regulated entity from using or disclosing an individual's
PHI for the purpose of identifying an individual, health care provider,
or other person for the purpose of initiating such an investigation or
proceeding against the individual, a health care provider, or other
person in connection with seeking, obtaining, providing, or
facilitating reproductive health care that is lawful under the
circumstances in which it is provided.
To effectuate these proposals, the Department is finalizing
conforming and clarifying changes to the HIPAA Rules. These changes
include, but are not limited to, clarifying the definition of
``person'' to reflect longstanding statutory language defining the
term; adopting new definitions of ``public health'' surveillance,
investigation, or intervention, and ``reproductive health care'';
adding a new category of prohibited uses and disclosures; clarifying
that a regulated entity may not decline to recognize a person as a
personal representative for the purposes of the Privacy Rule because
they provide or facilitate reproductive health care for an individual;
imposing a new
[[Page 32997]]
requirement that, in certain circumstances, regulated entities must
first obtain an attestation that a requested use or disclosure is not
for a prohibited purpose; and requiring modifications to covered
entities' NPPs to inform individuals that their PHI may not be used or
disclosed for a purpose prohibited under this final rule.
The Department's section-by-section description of the final rule
is below.
A. Section 160.103 Definitions
1. Clarifying the Definition of ``Person''
HIPAA does not define the term ``person.'' \184\ The HIPAA Rules
have long defined ``person'' to mean ``a natural person, trust or
estate, partnership, corporation, professional association or
corporation, or other entity, public or private.'' \185\ This meaning
was based on the definition of ``person'' adopted by Congress in the
original SSA, as an ``individual, a trust or estate, a partnership, or
a corporation.'' \186\
---------------------------------------------------------------------------
\184\ See 42 U.S.C. 1320d-1320d-8.
\185\ 45 CFR 160.103.
\186\ See section 1101(3) of Public Law 74-271, 49 Stat. 620
(Aug. 14, 1935) (codified at 42 U.S.C. 1301(3)).
---------------------------------------------------------------------------
In 2002, Congress enacted 1 U.S.C. 8, which defines ``person,''
``human being,'' ``child,'' and ``individual.'' \187\ The statute
specifies that these definitions shall apply when ``determining the
meaning of any Act of Congress, or of any ruling, regulation, or
interpretation of the various administrative bureaus and agencies of
the United States.'' \188\ The Department understands 1 U.S.C. 8 to
provide definitions of ``person,'' ``individual,'' and ``child'' that
do not include a fertilized egg, embryo, or fetus, and are consistent
with the Department's understanding of those terms, as used in the SSA,
HIPAA, and the HIPAA Rules.
---------------------------------------------------------------------------
\187\ 1 U.S.C. 8(a). The Department is not opining on whether
any state law confers a particular legal status upon a fertilized
egg, embryo, or fetus. Rather, the Department cites to this statute
to help define the scope of privacy protections that attach pursuant
to HIPAA and its implementing regulations.
\188\ Id.
---------------------------------------------------------------------------
The Department proposed to clarify the term ``natural person'' in a
manner consistent with 1 U.S.C. 8.\189\ Thus, the Department proposed
to clarify that all terms subsumed within the definition of ``natural
person,'' such as ``individual,'' \190\ are limited to the confines of
the term ``person.'' \191\ As discussed in the 2023 Privacy Rule NPRM,
the purpose of this proposal was to better explain to regulated
entities and other stakeholders the parameters of an ``individual''
whose PHI is protected by the HIPAA Rules.
---------------------------------------------------------------------------
\189\ 88 FR 23506, 23523 (Apr. 17, 2023).
\190\ 45 CFR 160.103 (definition of ``Individual'').
\191\ See Sharon T. Phelan, ``The Prenatal Record and the
Initial Prenatal Visit,'' The Glob. Libr. of Women's Med. (last
updated Jan. 2008) (PHI about the fetus is included in the mother's
PHI), https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl.
---------------------------------------------------------------------------
Many individuals and organizations commented on the proposal to
clarify the definition ``person.'' Organizational commenters, including
professional associations representing health care providers, advocacy
groups, and academic departments, generally supported the proposal.
Several commenters applauded the proposed clarification because they
believed it would limit disclosures of PHI in cases where no individual
has been harmed.
Most opponents of the proposed clarification were individuals
participating in form letter campaigns who expressed concern that the
proposal might diminish access to prenatal care. Others asserted that
the proposed clarification would contradict or conflict with existing
laws, such as mandatory reporting laws and Federal statutes that rely
upon a different definition of ``person.''
The final rule adopts the proposed clarification of the definition
of person, to mean a ``natural person (meaning a human being who is
born alive), trust or estate, partnership, corporation, professional
association or corporation, or other entity, public or private.''
Therefore, an ``individual,'' ``child,'' or ``victim'' (e.g., a victim
of crime) under the HIPAA Rules must be a natural person. As we
explained in the 2023 Privacy Rule NPRM, this clarification is
consistent with the SSA, HIPAA, and 1 U.S.C. 8. This clarification
applies only to regulations issued pursuant to the Administrative
Simplification provisions of HIPAA.\192\
---------------------------------------------------------------------------
\192\ See 42 U.S.C. 1320d.
---------------------------------------------------------------------------
This clarification is consistent with the Privacy Rule's
longstanding definitions of ``person'' \193\ and ``individual,'' \194\
as applied to Privacy Rule provisions permitting certain types of
reports or other disclosures of PHI. For example, a regulated entity is
permitted to disclose PHI about an individual who the regulated entity
reasonably believes to be a victim of abuse, neglect, or domestic
violence only where the individual is a ``natural person.'' \195\ In
addition, because a ``victim'' necessarily is a natural person, the
permission to disclose PHI to avert a serious threat to health or
safety at 45 CFR 164.512(j)(1)(i) does not permit disclosures when the
perceived threat does not involve the health or safety of a natural
person or the public, or when an individual has not caused serious
physical harm to a natural person.
---------------------------------------------------------------------------
\193\ 45 CFR 160.103 (definition of ``Person''). The Department
first defined the term ``person'' in the HIPAA Rules as part of the
2003 Civil Money Penalties: Procedures for Investigations,
Imposition of Penalties, and Hearings Interim Final Rule (2003
Interim Final Rule) to distinguish a ``natural person'' who could
testify in the context of administrative proceedings from an
``entity'' (defined therein as a ``legal person'') on whose behalf a
person would testify. See 45 CFR 160.502 of the 2003 Interim Final
Rule, 68 FR 18895, 18898 (Apr. 17, 2003) (Person is defined to mean
a natural person or a legal person).
\194\ 45 CFR 160.103 (definition of ``Individual''). The
definition of ``individual'' in the HIPAA Rules was first adopted in
the 2000 Privacy Rule.
\195\ See 45 CFR 164.512(c)(1). This provision explicitly
excludes reports of child abuse, which are addressed by 45 CFR
164.512(b)(1).
---------------------------------------------------------------------------
Comment: Many organizational commenters expressed support for the
proposal to clarify the definition of ``person.''
One commenter stated that this clarification should prevent law
enforcement from attempting to avoid the proposed prohibition.
According to another commenter, this proposed clarification is crucial
as stakeholders adapt to the current reproductive health landscape.
Several commenters expressed support for the Department's proposal
but requested additional clarifications. For example, one commenter
recommended that the Department clarify whether the definition would
preempt state laws.
Response: We take the opportunity to emphasize here that the
clarification only applies to the HIPAA Rules and explains certain
terms that apply to the permissions for uses and disclosures of PHI by
regulated entities. We do not believe it is necessary to further
clarify the final regulatory text because the current definition
remains unchanged other than to incorporate the plain wording of 1
U.S.C. 8.
Comment: A few commenters expressed opposition to the Department's
proposed clarification of ``person'' as tantamount to eliminating legal
protections for and recognition of categories of human beings based on
developmental stage. Some commenters maintained that the proposed
clarification of ``person'' was inaccurate.
Several commenters opposed the proposed clarification of ``person''
because it would affect the provision of prenatal care.
A few commenters asserted that the proposed clarification would
prevent the collection of medical information about reproductive health
care for
[[Page 32998]]
important purposes, such as public health and research.
Response: We are clarifying the definition of person consistent
with applicable Federal law only for the purpose of applying HIPAA's
Administrative Simplification provisions. This clarification will not
affect how the term ``person'' is applied for purposes of other laws,
affect any rights or protections provided by any other law, or affect
standards of health care, including prenatal care.
This final rule does not affect the reporting of vital statistics,
nor does it affect the ability of regulated entities to use and
disclose PHI for research. The Privacy Rule's standards for uses and
disclosures for public health surveillance, investigations, and
interventions, or for health oversight activities, are discussed
elsewhere.
Comment: Several commenters requested additional clarifications to
the Department's proposed clarification of ``person.'' A few commenters
asserted that the proposed clarification would be overly expansive.
Most of these same commenters disagreed with the Department's
interpretation of 1 U.S.C. 8.\196\ Commenters asserted that the
clarification was inconsistent or conflicted with other laws.
---------------------------------------------------------------------------
\196\ 1 U.S.C. 8(a).
---------------------------------------------------------------------------
Response: The clarified definition of person that we are finalizing
in this rule does not change the Department's interpretation of the
term or change definitions under other law, such as state law. It also
is consistent with Federal law, including 1 U.S.C. 8, which
specifically applies to Federal regulations, and other examples cited
by commenters. For example, both GINA and the Privacy Rule protect the
genetic information of a fetus carried by a pregnant individual as the
PHI of the pregnant individual.\197\
---------------------------------------------------------------------------
\197\ Public Law 110-233, 122 Stat. 881. See generally Off. for
Civil Rights, ``Health Information Privacy, Genetic Information,''
U.S. Dep't of Health and Human Servs. (Content last reviewed June
16, 2017), https://www.hhs.gov/hipaa/for-professionals/special-topics/genetic-information/index.html#:~:text=The%20Genetic%20Information%20Nondiscrimination%20Act,into%20two%20sections%2C%20or%20Titles.
---------------------------------------------------------------------------
The other laws cited by commenters address policy concerns that are
different from those health information privacy issues addressed under
HIPAA and do not address personhood. Even if those statutes did adopt
different understandings of who is a ``person,'' the Department has the
authority to clarify or define terms that apply to the Administrative
Simplification regulations issued pursuant to HIPAA. Additionally, the
final rule's adoption of the definition in 1 U.S.C. 8 is appropriate because it is
consistent with the Department's longstanding interpretation of the
term in the context of HIPAA's Administrative Simplification provisions
and associated regulations. Many Federal and state laws operate with
differing definitions of common terms, to which existing legal
standards that govern how such differences are to be interpreted would
apply.\198\
---------------------------------------------------------------------------
\198\ See 45 CFR 164.524. See also William Baude & Stephen E.
Sachs, ``The Law of Interpretation,'' 130 Harv. L. Rev. 1079 (2017).
---------------------------------------------------------------------------
Comment: A few commenters asserted that the proposal would expand
minors' access to hormone therapy or surgeries without requiring
parental consent.
Response: The final rule's clarification to define the term
``person'' does not affect the ability of a parent to make decisions
related to health care for an individual who is an unemancipated
minor,\199\ and nothing in this rule dictates a standard of care. The
application of this definition is limited to the HIPAA Rules.
---------------------------------------------------------------------------
\199\ 45 CFR 164.502(g).
---------------------------------------------------------------------------
Comment: A few commenters asserted that the proposed clarification
would help to prevent the misapplication of child abuse laws to
individuals who engage in certain behaviors while pregnant (e.g., use
of an illicit substance or alcohol). Several other commenters expressed
concern that this definition would limit the ability of a regulated
entity to apply the Privacy Rule permission to use or disclose PHI to
prevent a serious and imminent threat to a fertilized egg, embryo, or
fetus.
Response: Under this final rule, a regulated entity would continue
to be permitted to disclose PHI about an individual who the covered
entity reasonably believes is a victim of child abuse or neglect,
consistent with 45 CFR 164.512(b)(1)(ii), or a victim of abuse,
neglect, or domestic violence, consistent with 45 CFR 164.512(c), to a
government authority, including a social service or protective services
agency, authorized by law to receive reports of such abuse, neglect, or
domestic violence under the circumstances set forth under 45 CFR
164.512(c) where the individual meets the clarified definition of
person. The Privacy Rule permission concerning serious and imminent
threats \200\ applies to threats to a person, consistent with the
definition as clarified by this final rule, or the public.
---------------------------------------------------------------------------
\200\ See 45 CFR 164.512(j)(1)(i).
---------------------------------------------------------------------------
2. Interpreting Terms Used in Section 1178(b) of the Social Security
Act: Reporting of Disease or Injury, Birth, or Death
Section 1178(a) of the SSA provides that HIPAA generally preempts
contrary state laws with certain limited exceptions, such as those
described in section 1178(b).\201\ Specifically, section 1178(b)
excepts from HIPAA's general preemption authority laws that provide for
certain public health reporting, such as the reporting of disease or
injury, birth, or death.\202\ HIPAA does not define the terms in
section 1178(b) that govern the scope of this exception to HIPAA's
general preemption authority, nor has the Department previously defined
such terms through rulemaking.
---------------------------------------------------------------------------
\201\ 42 U.S.C. 1320d-7(a).
\202\ 42 U.S.C. 1320d-7(b).
---------------------------------------------------------------------------
The Department recognizes that such public health reporting
activities are an important means of identifying threats to the health
and safety of the public. Accordingly, when a public health authority
\203\ has furnished documentation of its authority \204\ to collect or
receive such information, the Privacy Rule permits a regulated entity,
without an individual's authorization, to use or disclose PHI to
specified persons for public health activities.\205\ These activities
include all of the vital statistics reporting activities described in
section 1178(b), including reporting of diseases and injuries, birth,
or death.\206\
---------------------------------------------------------------------------
\203\ 45 CFR 164.501 (definition of ``Public health
authority'').
\204\ 45 CFR 164.514(h).
\205\ This is unchanged by this final rule.
\206\ See 45 CFR 164.512(b). The Privacy Rule addresses its
interactions with laws governing excepted public health activities
in two sections: 45 CFR 164.512(a), Standard: Uses and disclosures
required by law, and 45 CFR 164.512(b), Standard: Uses and
disclosures for public health activities.
---------------------------------------------------------------------------
The Department proposed to interpret in preamble key terms used in
section 1178(b) to clarify when HIPAA's general preemption authority
applies. Specifically, the Department proposed an interpretation of
section 1178(b) that would clarify that HIPAA's general preemption
authority applies to laws that require regulated entities to use or
disclose PHI for a purpose that would be prohibited under the proposed
rule. Under this interpretation, the Privacy Rule permission to use or
disclose PHI without an individual's authorization for the reporting of
disease or injury, birth, or death \207\ would not permit the use or
disclosure of PHI for a criminal, civil, or administrative
investigation into or proceeding against a person in connection with
seeking, obtaining,
providing, or facilitating reproductive health care. The Department did
not intend this clarification to prevent disclosures of PHI from
regulated entities to public health authorities for public health
purposes that have been and continue to be permitted under the Privacy
Rule. Nor did the Department intend for this proposed clarification to
prevent disclosures of PHI by regulated entities under other
permissions in the Privacy Rule, such as for law enforcement
purposes,\208\ when made consistent with the conditions of the relevant
permission and where the purpose of the disclosure is not one for which
a use or disclosure would have been prohibited under 45 CFR
164.502(a)(5)(iii) as proposed.
---------------------------------------------------------------------------
\207\ 45 CFR 164.512(b).
\208\ 45 CFR 164.512(f).
---------------------------------------------------------------------------
The Department did not propose to define ``disease or injury,''
``birth,'' or ``death,'' because we believed that these terms, when
read with the definition of ``person'' and in the broader context of
HIPAA, would exclude information about reproductive health care without
the need for further clarification.\209\ However, the Department
invited public comment on whether it would be beneficial to make such
clarification.
---------------------------------------------------------------------------
\209\ 88 FR 23506, 23523 (Apr. 17, 2023).
---------------------------------------------------------------------------
Few commenters addressed interpretation of these terms. Some
commenters expressed concern that the Department's interpretation would
prevent beneficial public health reporting about certain types of
reproductive health care, while others requested that the Department
prohibit public health reporting about certain types of reproductive
health care. Some commenters on this issue agreed with the Department's
interpretation and clarification of the terms used in 1178(b). Several
of these commenters requested that the Department define or clarify
these terms because reporting standards are inconsistent across states.
The Department declines to add definitions for ``disease or
injury,'' ``birth,'' or ``death'' to the Privacy Rule in this final
rule. However, we offer the discussion below to provide additional
context on our interpretation of these terms.
At the time of HIPAA's enactment, state laws provided for the
reporting of disease or injury, birth, or death by covered health care
providers and other persons.\210\ State public health reporting systems
were well established and involved close collaboration between the
state, local, or territorial jurisdiction and the Federal
Government.\211\ Reports generally were made to public health
authorities or, in some specific cases, law enforcement (e.g.,
reporting of gunshot wounds).\212\ Similar public health reporting
systems continue to exist today.
---------------------------------------------------------------------------
\210\ The 1996-98 Report of the NCVHS to the Secretary describes
various types of activities considered to be public health during
the era in which HIPAA was enacted, such as the collection of public
health surveillance data on health status and health outcomes and
vital statistics information. See Nat'l Comm. On Vital and Health
Stats., Report of The National Committee on Vital and Health
Statistics, 1996-98, (Dec. 1999), https://ncvhs.hhs.gov/wp-content/uploads/2018/03/90727nv-508.pdf.
\211\ Id.
\212\ Id.
---------------------------------------------------------------------------
Reporting of ``disease or injury'' commonly refers to diagnosable
health conditions reported for limited purposes such as workers'
compensation, tort claims, or communicable or other disease or injury
tracking efforts. States, territories, and Tribal governments require
health care providers (e.g., physicians, laboratories) and some others
(e.g., medical examiners, coroners, veterinarians,\213\ local boards of
health) to report cases of certain diseases or conditions that affect
public health, such as coronavirus disease 2019 (COVID-19), malaria,
and foodborne illnesses.\214\ Such reporting enables public health
practitioners to study and explain diseases and their spread, along
with determining appropriate actions to prevent and respond to
outbreaks.\215\ States also require health care providers to report
incidents of certain types of injuries, such as those caused by
gunshots, knives, or burns.\216\ Various Federal statutes use the
phrase ``disease or injury'' similarly to refer to events such as
workplace injuries for purposes of compensation.\217\
---------------------------------------------------------------------------
\213\ Richard N. Danila et al., ``Legal Authority for Infectious
Disease Reporting in the United States: Case Study of the 2009 H1N1
Influenza Pandemic,'' 105 Am. J. Public Health 13 (Jan. 2015).
\214\ See ``Reportable Diseases,'' MedlinePlus, https://medlineplus.gov/ency/article/001929.htm (accessed Oct. 19, 2022).
See also Nat'l Notifiable Diseases Surveillance Sys., ``What is Case
Surveillance?,'' Ctrs. for Disease Control and Prevention (July 20,
2022), https://www.cdc.gov/nndss/about/index.html.
\215\ See ``Reportable Diseases,'' supra note 215. Such
reporting is a type of public health surveillance activity.
\216\ See Victims Rts. Law Ctr., ``Mandatory Reporting of Non-
Accidental Injuries: A State-by-State Guide'' (May 2014), http://4e5ae7d17e.nxcli.net/wp-content/uploads/2021/01/Mandatory-Reporting-of-Non-Accidental-Injury-Statutes-by-State.pdf.
\217\ See, e.g., 38 U.S.C. 1110 (referring to an ``injury
suffered or disease contracted''); 10 U.S.C. 972 (discussing time
lost as a result of ``disease or injury''); 38 U.S.C. 3500
(providing education for certain children whose parent suffered ``a
disease or injury'' incurred or aggravated in the Armed Forces); see
also 5 U.S.C. 8707 (insurance provision discussing compensation as a
result of ``disease or injury''); 33 U.S.C. 765 (discussing
retirement for disability as a result of ``disease or injury''); 15
U.S.C. 2607(c) (requiring chemical manufacturers to maintain records
of ``occupational disease or injury'').
---------------------------------------------------------------------------
The limited meaning given to the terms ``disease'' and ``injury''
for purposes of public health reporting is clear from HIPAA's broader
context. For instance, interpreting ``injury'' reporting to include
disclosures about all instances of suspected criminal abuse would
render the specific permission to report ``child abuse''
superfluous.\218\ And interpreting ``disease'' reporting to include
disclosures about any sort of disease for any purpose would both
eviscerate HIPAA's general provisions protecting PHI and make
superfluous the statutory requirement to not invalidate laws providing
for public health surveillance, or public health investigation or
intervention. For example, ``disease management activities'' constitute
``health care'' under the Privacy Rule. As such, a broad interpretation
of ``disease or injury'' reporting could make potentially all the
health records detailing a particular individual's treatment for any
disease or injury disclosable to a public health authority or others
unrelated to the health care.\219\ Consequently, the Department has
long understood ``disease or injury'' to narrowly refer to diagnosable
health conditions reported for limited purposes such as workers'
compensation, tort claims or in compliance with Federal laws that
require states to conduct surveillance of specific diseases and
injuries related to public health or Federal funding.\220\
---------------------------------------------------------------------------
\218\ 45 CFR 164.512(b)(ii).
\219\ See 65 FR 82462, 82571 (Dec. 28, 2000) (recognizing that
``disease management activities'' often constitute ``health care''
under HIPAA); Id. at 82777 (discussing the importance of privacy for
information about cancer, a ``disease'' that causes an
``indisputable'' ``societal burden''); Id. at 82778 (discussing the
importance of privacy for information about sexually transmitted
diseases, including Human Immunodeficiency Virus/Acquired
Immunodeficiency Syndrome (HIV/AIDS)); Id. at 82463-64 (noting that
numerous states adopted laws protecting health information relating
to certain health conditions such as communicable diseases, cancer,
HIV/AIDS, and other stigmatized conditions.); Id. at 82731 (finding
that there are no persuasive reasons to provide information
contained within disease registries with special treatment as
compared with other information that may be used to make decisions
about an individual).
\220\ See, e.g., 65 FR 82462, 82517 (Dec. 28, 2000) (discussing
tort litigation as information that could implicate IIHI); Id. at
82542 (discussing workers' compensation); Id. at 82527 (separately
addressing disclosures about ``abuse, neglect or domestic violence''
and limiting such disclosures to only two circumstances, even if
expressly authorized by state statute or regulation).
---------------------------------------------------------------------------
With respect to reporting of ``births'' and ``deaths,'' such vital
statistics are reported by health care providers to the vital
registration systems operated in
various jurisdictions \221\ legally responsible for the registration of
vital events.\222\ State laws require birth certificates to be
completed for all births, and Federal law mandates the national
collection and publication of births and other vital statistics
data.\223\ Tracking and reporting death is a complex and decentralized
process with a variety of systems used by more than 6,000 local vital
registrars.\224\ When HIPAA was enacted, the Model State Vital
Statistics Act and Regulations, which is followed by most states,\225\
included distinct categories for ``live births,'' ``fetal deaths,'' and
``induced terminations of pregnancy,'' with instructions that abortions
``shall not be reported as fetal deaths.'' \226\ In light of that
common understanding at the time of HIPAA's enactment, it is clear that
the reporting of abortions is not included in the category of reporting
of deaths for the purposes of HIPAA and does not fall within the scope
of state death reporting activities that Congress specifically
designated as excepted from preemption by HIPAA.
---------------------------------------------------------------------------
\221\ See ``Public Health Professionals Gateway, Public Health
Systems & Best Practices, Health Department Governance,'' Ctrs. for
Disease Control and Prevention (Nov. 25, 2022), https://www.cdc.gov/publichealthgateway/sitesgovernance/index.html.
\222\ See the list of events included in vital events, Nat'l
Ctr. for Health Stats., ``About the National Vital Statistics
System,'' Ctrs. for Disease Control and Prevention (Jan. 4, 2016),
https://www.cdc.gov/nchs/nvss/about_nvss.htm.
\223\ See Nat'l Ctr. for Health Stats., ``Birth Data,'' Ctrs.
for Disease Control and Prevention (Dec. 6, 2022), https://www.cdc.gov/nchs/nvss/births.htm.
\224\ See Ctrs. For Disease Control and Surveillance, ``How
Tracking Deaths Protects Health,'' (July 2018), https://www.cdc.gov/surveillance/pdfs/Tracking-Deaths-protects-healthh.pdf.
\225\ See Nat'l Ctr. for Health Stats., Ctrs. for Disease
Control and Prevention, ``State Definitions and Reporting
Requirements: For Live Births, Fetal Deaths, and Induced
Terminations of Pregnancy,'' at 5 (1997), https://www.cdc.gov/nchs/data/misc/itop97.pdf.
\226\ Nat'l Ctr. for Health Stats., Ctrs. for Disease Control
and Prevention, ``Model State Vital Statistics Act and
Regulations,'' at 8 (1992), https://www.cdc.gov/nchs/data/misc/mvsact92b.pdf.
---------------------------------------------------------------------------
More generally, while Congress exempted certain ``[p]ublic health''
laws from preemption,\227\ Congress chose not to create a general
exception for criminal laws or other laws that address the disclosure
of information about similar types of activities outside of the public
health context.
---------------------------------------------------------------------------
\227\ 42 U.S.C. 1178(b) (codified in HIPAA at 42 U.S.C. 1320d-
7).
---------------------------------------------------------------------------
For all these reasons, state laws requiring the use or disclosure
of PHI for the purpose of investigating or imposing liability on a
person for the mere act of seeking, obtaining, providing, or
facilitating health care, or identifying a person for such activities,
are subject to HIPAA's general preemption provision. Similarly, the
Privacy Rule's public health provisions that permit the disclosure of
PHI for the reporting of disease or injury, birth, or death do not
include permission to use or disclose PHI for the purpose of
investigating or imposing liability on a person for the mere act of
seeking, obtaining, providing, or facilitating health care, or
identifying a person for such activities. This general distinction
between public health activities and investigation and enforcement
activities is not limited to reproductive health care. Nevertheless, as
discussed elsewhere in this final rule, the Department has chosen to
strike a balance between privacy interests and other public policy
interests. Consistent with the Department's longstanding approach that
has allowed disclosures for law enforcement purposes in certain
circumstances, the new prohibitions set forth in this rule apply only
to lawful reproductive health care. State authorities cannot rely on
the Privacy Rule's permissions for disclosures related to disease or
injury, birth, or death to obtain PHI for the purpose of investigating
or imposing liability for the provision of reproductive health care.
However, as discussed above, state authorities may be able to invoke
other permissions, such as the permission for disclosures for law
enforcement purposes, to obtain such PHI where such disclosure is to
investigate or impose liability on a person when the reproductive
health care at issue is unlawful under the circumstances in which it is
provided.
Comment: A few commenters expressed support for the Department's
interpretation and clarification of the terms used in section 1178(b)
of the SSA. A few commenters recommended that the Department define,
rather than clarify, these terms. Some commenters requested that the
Department further clarify the terms ``disease or injury,'' ``birth,''
and ``death,'' to explicitly exclude information about reproductive
health care. Other commenters expressed opposition to the Department's
clarifications.
Response: We decline to define ``disease or injury,'' ``birth,'' or
``death'' in this final rule. The Department's understanding of these
terms is consistent with the Model State Vital Statistics Act and
Regulations and its application in the context of the passage of HIPAA.
We believe that the 2023 Privacy Rule NPRM preamble discussion is
sufficient to clarify that such reporting does not include the use or
disclosure of PHI for investigating or imposing liability on a person
for the mere act of seeking, obtaining, providing, or facilitating
health care, including reproductive health care, or to identify a
person for such activities.
Defining ``Public health,'' as used in the terms ``public health
surveillance,'' ``public health investigation,'' and ``public health
intervention.''
Section 1178(b) also excepts state laws providing for ``public
health surveillance, or public health investigation or intervention''
from HIPAA's general preemption authority.\228\ Neither HIPAA nor the
Privacy Rule currently defines ``public health surveillance'' or
``public health investigation or intervention.'' Consistent with the
statute, the Privacy Rule expressly permits a regulated entity to use
or disclose PHI for ``public health'' surveillance, investigation, or
intervention.\229\ The Department proposed to define public health, as
used in the terms ``public health surveillance,'' ``public health
investigations,'' and ``public health interventions,'' to mean
population-level activities to prevent disease and promote health of
populations. In preamble to the 2023 Privacy Rule NPRM, the Department
described public health surveillance as the ongoing, systematic
collection, analysis, and interpretation of health-related data
essential to planning, implementation, and evaluation of public health
practice.\230\ The Department explained that public health
investigations or interventions include monitoring real-time health
status and identifying patterns to develop strategies to address
chronic diseases and injuries, as well as using real-time data to
identify and respond to acute outbreaks, emergencies, and other health
hazards.\231\ Public health surveillance, investigations, or
interventions safeguard the health of the community by addressing
ongoing or prospective population-level issues such as the spread of
communicable diseases, even where these activities involve
individual-level investigations or interventions.
---------------------------------------------------------------------------
\228\ Section 1178(a) of HIPAA.
\229\ See 45 CFR 164.512(b)(1)(i); Off. for Civil Rights,
``Disclosures for Public Health Activities,'' U.S. Dep't of Health
and Human Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/index.html
(accessed Oct. 19, 2022).
\230\ See ``Introduction to Public Health Surveillance,'' Ctrs.
for Disease Control and Prevention (Nov. 15, 2018), https://www.cdc.gov/training/publichealth101/surveillance.html.
\231\ See ``Public Health Professionals Gateway, Ten Essential
Public Health Services,'' Ctrs. for Disease Control and Prevention
(Dec. 1, 2022), https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html.
---------------------------------------------------------------------------
The Department also proposed to expressly exclude certain
activities from the definition of public health to distinguish between
public health activities and certain criminal investigations.
Specifically, the Department proposed to provide in regulatory text
that the Privacy Rule's permissions to use and disclose PHI for the
``public health'' activities of surveillance, investigations, or
interventions do not include criminal, civil, or administrative
investigations into, or proceedings against, any person in connection
with seeking, obtaining, providing, or facilitating reproductive health
care, nor do they include identifying any person for the purpose of
initiating such investigations or proceedings. The Department stated
that any such actions are not public health activities that would be
subject to the exception to HIPAA's general preemption authority for
state laws providing for ``public health surveillance, or public health
investigation or intervention.'' \232\
---------------------------------------------------------------------------
\232\ Section 1178(a) of SSA.
---------------------------------------------------------------------------
Commenters expressed mixed views on the proposal to define ``public
health'' in the context of ``public health surveillance,'' ``public
health investigations'' or ``public health interventions.'' Commenters
expressing opposition to the proposal either disagreed with the
Department's assertion that public health activities do not involve
uses and disclosures that would be prohibited by the rule or asserted
that the proposal would prevent public health reporting of reproductive
health care. Some commenters generally supported the goal of the
proposal but expressed concern that inclusion of the proposed language
about ``population-level'' activities could prevent essential public
health activities that involve specific persons, such as reporting data
about specific health care services provided to specific persons that
have a ``population-level'' effect and investigating the spread of
communicable diseases.
Some commenters asserted that the proposal would frustrate states'
ability to enforce their laws not related to public health, such as
laws banning health care such as abortion. Supporters asserted that the
proposal would help to prevent PHI from being disclosed for a purpose
that would be prohibited under the proposed rule. Supportive commenters
also expressed concern about states obtaining PHI based on an
interpretation of ``public health investigations'' that includes the
mandatory reporting of pregnant individuals who engage in certain
activities, such as substance use. Other commenters asserted that
disclosures of PHI to public health authorities should be limited
because of the potential for PHI to be redisclosed for purposes that
otherwise would be prohibited under the Privacy Rule.
The final rule adopts the proposed definition with some
modifications. The final rule maintains the proposed rule's focus on
activities aimed at preventing disease and improving the health of
populations. This definition does not prevent disclosures of PHI by
covered entities to public health authorities for public health
activities that have long been permitted under the Privacy Rule. As
discussed in the 2023 Privacy Rule NPRM, since the time of HIPAA's
enactment, public health activities related to surveillance,
investigation, or intervention have been widely understood to refer to
activities aimed at improving the health of a population. For example,
legal dictionaries define ``public health'' as ``[t]he health of the
community at large,'' or ``[t]he healthful or sanitary condition of the
general body of people or the community en masse; esp., the methods of
maintaining the health of the community, as by preventive medicine or
organized care for the sick.'' \233\ Stedman's Medical Dictionary
defines ``public health'' as ``the art and science of community health,
concerned with statistics, epidemiology, hygiene, and the prevention
and eradication of epidemic diseases; an effort organized by society to
promote, protect, and restore the people's health; public health is a
social institution, a service, and a practice.'' \234\ The Centers for
Disease Control and Prevention (CDC) and the Agency for Toxic
Substances and Disease Registry have described ``public health
surveillance'' as ``the ongoing systematic collection, analysis and
interpretation of outcome-specific data for use in the planning,
implementation, and evaluation of public health practice.'' \235\ And
many states similarly define ``public health'' to mean activities to
support population health.\236\ The Department likewise has used the
term public health in this way since it first adopted the Privacy
Rule.\237\
---------------------------------------------------------------------------
\233\ ``Health, Public Health,'' Black's Law Dictionary (11th
ed. 2019).
\234\ ``Public Health,'' Stedman's Medical Dictionary 394520.
\235\ Jonathan Weinstein, In Re Miguel M., 55 N.Y.L. Sch. L.
Rev. 389, 390 (2010) (citing Stephen B. Thacker, ``Historical
Development,'' in Principles and Practice of Public Health
Surveillance 1 (Steven M. Teutsch & R. Elliott Churchill eds., 2d
ed., 2000)), https://digitalcommons.nyls.edu/cgi/viewcontent.cgi?article=1599&context=nyls_law_review.
\236\ See, e.g., Richard A. Goodman et al., ``Forensic
Epidemiology: Law at the Intersection of Public Health and Criminal
Investigations,'' 31 J. of Law, Med. & Ethics 684, 689-90 (2003);
La. Rev. Stat. Ann. Sec. 40:3.1 (2011) (defining threats to public
health as nuisances ``including but not limited to communicable,
contagious, and infectious diseases, as well as illnesses, diseases,
and genetic disorders or abnormalities''); N.C. Gen. Stat. sec.
130A-141.1(a) (2010) (defining public health investigations as the
``surveillance of an illness, condition, or symptoms that may
indicate the existence of a communicable disease or condition'').
\237\ See, e.g., 65 FR 82462, 82464 (Dec. 28, 2000) (noting that
reporting of public health information on communicable diseases is
not prevented by individuals' right to information privacy); Id. at
82467 (discussing the importance of accurate medical records in
recognizing troubling public health trends and in assessing the
effectiveness of public health efforts); Id. at 82473 (discussing
disclosure to ``a department of public health''); Id. at 82525
(recognizing that it may be necessary to disclose PHI about
communicable diseases when conducting a public health intervention
or investigation); Id. at 82526 (recognizing that an entity acts as
a ``public health authority'' when, in its role as a component of
the public health department, it conducts infectious disease
surveillance); Stephen B. Thacker, Epidemiology Program Office,
Ctrs. for Disease Control and Prevention, ``HIPAA Privacy Rule and
Public Health: Guidance from CDC and the U.S. Department of Health
and Human Services,'' 52 MMWR 1 (Apr. 11, 2003), https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm (describing what
traditionally are considered to be ``public health activities'' that
require PHI).
---------------------------------------------------------------------------
Public health surveillance, public health investigations, and
public health interventions are activities that address population
health concerns and have generalized public benefit \238\ to the health
of a population, including activities that involve specific persons.
Examples of activities that prevent disease in and promote the health
of populations include vaccination campaigns to eradicate communicable
disease, surveillance of a community's use of emergency services after
a natural disaster to improve allocation of resources to meet health
needs, and investigation of the source of an outbreak of food
poisoning. As explained in the preamble to the 2023 Privacy Rule
NPRM,\239\ there is a widely recognized distinction between public
health activities, which primarily focus on improving the health of
populations, and criminal investigations, which primarily focus on
identifying and imposing liability on persons who have
violated the law.\240\ States and other local governing authorities
maintain criminal codes that are distinct and separate from public
health reporting laws,\241\ although some jurisdictions enforce
required public health reporting through criminal statutes. Different
governmental bodies are responsible for enforcing these separate codes,
and public health officials do not typically investigate activities
enforced under criminal statutes or laws.\242\ Federal laws also
generally treat public health investigations as distinct from criminal
investigations.\243\ Maintaining a clear distinction between public
health investigations and criminal investigations serves HIPAA's
broader purposes.\244\
---------------------------------------------------------------------------
\238\ See Miguel M. v. Barron, 950 NE2d 107, at 111 (2011)
(explaining ``[t]he apparent purpose of the public health exception
is to facilitate government activities that protect large numbers of
people from epidemics, environmental hazards, and the like, or that
advance public health by accumulating valuable statistical
information.'').
\239\ 88 FR 23510, 23525 (Apr. 17, 2023).
\240\ See Miguel M. v. Barron at 111, supra note 239 (concluding
that ``[t]o disclose private information about particular people,
for the purpose of preventing those people from harming themselves
or others, effects a very substantial invasion of privacy without
the sort of generalized public benefit that would come from, for
example, tracing the course of an infectious disease.'').
\241\ For example, traditional public health reporting laws grew
from colonial requirements that physicians report disease. These
requirements transitioned to state regulatory requirements imposed
by public health departments on authority granted to them by states.
See Ctrs. for Disease Control and Prevention, ``Public Health Law
101, Disease Reporting and Public Health Surveillance,'' at 12 and
14 (Jan. 16, 2009), https://www.cdc.gov/phlp/docs/phl101/PHL101-Unit-5-16Jan09-Secure.pdf. See also, e.g., Code of Georgia 31-12-2
(2021) (authority to require disease reporting).
\242\ See ``Public Health,'' supra note 235 (``Many cities have
a `public health department' or other agency responsible for
maintaining the public health; Federal laws dealing with health are
administered by the Department of Health and Human Services.''); see
also ``Forensic Epidemiology: Law at the Intersection of Public
Health and Criminal Investigations,'' supra note 237, at 689.
\243\ See Camara v. Municipal Ct. of City & Cty. of S.F., 387
U.S. 523, 535-37 (1967) (discussing administrative inspections under
the Fourth Amendment, such as those aimed at addressing ``conditions
which are hazardous to public health and safety,'' and not ``aimed
at the discovery of evidence of crime''); 42 U.S.C. 241(d)(D)
(prohibiting disclosure of private information from research
subjects in ``criminal'' and other proceedings); 42 U.S.C. 290dd-
2(c) (prohibiting substance abuse records from being used in
criminal proceedings).
\244\ See ``Forensic Epidemiology: Law at the Intersection of
Public Health and Criminal Investigations,'' supra note 237, at 687
(discussing reasons why ``an association of public health with law
enforcement'' may be ``to the detriment of routine public health
practice''). See also 45 CFR 164.512(b)(1)(i) (including ``public
health investigations'' as an activity carried out by a public
health authority that is authorized by law to carry out public
health activities).
---------------------------------------------------------------------------
The Department concludes that neither section 1178(b) nor the
Privacy Rule's permissions to use and disclose PHI for the ``public
health'' activities of surveillance, investigation, or intervention
include conducting criminal, civil, or administrative investigations
into, or imposing criminal, civil, or administrative liability on any
person for the mere act of seeking, obtaining, providing, or
facilitating health care, including reproductive health care, nor do
they include the identification of any person for such purposes. Such
actions are not public health activities. As described above, this
distinction between public health activities and other investigation
and enforcement activities is not limited to reproductive health care.
Public health surveillance, investigations, or interventions ensure the
health of the community as a whole by addressing ongoing or prospective
population-level issues such as the spread of communicable diseases,
even where they require interventions directed at specific individuals.
Such surveillance systems provide the data needed to examine and
potentially develop interventions that improve the public's health, such
as providing education or resources to support individuals' access to
health care and improve health outcomes; they are not affected by this
final rule.\245\ U.S. states, territories, and Tribal governments
participate in bilateral agreements with the Federal Government to
share data on conditions that affect public health.\246\ The CDC's
Division of Reproductive Health collects reproductive health data in
support of national and state-based population surveillance systems to
assess maternal complications, mortality and pregnancy-related
disparities, and the numbers and characteristics of individuals who
obtain legal induced abortions.\247\ This final rule does not affect
CDC's ability to collect this information now or in the future.
Importantly, disclosures to public health authorities permitted by the
Privacy Rule are limited to the ``minimum necessary'' to accomplish the
public health purpose.\248\ In some cases, regulated entities need only
disclose de-identified data \249\ to meet the public health purpose.
---------------------------------------------------------------------------
\245\ See ``Improving the Role of Health Departments in
Activities Related to Abortion,'' Am. Pub. Health Ass'n (Oct. 26,
2021), https://www.apha.org/Policies-and-Advocacy/Public-Health-Policy-Statements/Policy-Database/2022/01/07/Improving-Health-Department-Role-in-Activities-Related-to-Abortion.
\246\ See ``Reportable diseases,'' supra note 215. See also
``What is Case Surveillance?,'' supra note 215.
\247\ See ``Reproductive Health, About Us,'' Ctrs. for Disease
Control and Prevention (Apr. 20, 2022), https://www.cdc.gov/reproductivehealth/drh/about-us/index.htm; and ``Reproductive
Health, CDCs Abortion Surveillance System FAQs,'' Ctrs. for Disease
Control and Prevention (Nov. 17, 2022), https://www.cdc.gov/reproductivehealth/data_stats/abortion.htm.
\248\ See 45 CFR 164.502(b).
\249\ See 45 CFR 164.514(a).
---------------------------------------------------------------------------
By contrast, efforts to conduct criminal, civil, and administrative
investigations or impose criminal, civil, and administrative liability
on any person for the mere act of seeking, obtaining, providing, or
facilitating health care generally target specific persons for
particular conduct; they are not designed to address population-level
health concerns and are not limited to information authorized to be
collected by a public health or similar government authority for a
public health activity. Thus, the exceptions in section 1178(b) for
``public health'' investigations, interventions, or surveillance do not
limit the Department's ability to prohibit uses or disclosures of PHI
for other purposes, such as judicial and administrative proceedings or
law enforcement purposes. While the Department has chosen as a policy
matter to continue to permit uses or disclosures of PHI for law
enforcement and other purposes in certain contexts, it is adopting a
different balance where such uses or disclosures are about reproductive
health care that is lawful under the circumstances in which it was
provided.
While retaining the focus on activities to prevent disease and
promote the health of populations, this final rule clarifies that
population-level activities ``include identifying, monitoring,
preventing, or mitigating ongoing or prospective threats to the health
or safety of a population, which may involve the collection of
protected health information.'' This clarification addresses
commenters' concerns that regulated entities would no longer be able to
report information that states need to conduct public health functions
intended to protect against prospective or ongoing threats at the
population level, even if at times they necessarily will focus on
individuals while doing so (through contact tracing, quarantine or
isolation, and the like). The Department does not intend this
clarification to prevent disclosures of PHI from covered entities to
public health authorities for public health activities that have long
been and continue to be permitted under the Privacy Rule. These changes
clarify that public health, as used in the specified terms, broadly
includes activities to prevent disease in and promote the health of
populations. The changes also confirm that the Department does not
require a public health authority to supply an attestation to a covered
entity to receive PHI of an individual where that disclosure is
intended to prevent disease in or promote the health of populations.
The intended purpose of including ``population-level'' was to
facilitate
[[Page 33003]]
public health activities that protect large numbers of people from
epidemics, environmental hazards, and the like. However, we believe
that the language that clarifies that population-level activities
``include identifying, monitoring, preventing, or mitigating ongoing or
prospective threats to the health or safety of a population, which may
involve the collection of protected health information,'' sufficiently
serves this purpose of addressing uses and disclosures of PHI that are
necessary to accomplish the overarching goals of public health.
The last sentence of the proposed definition, which described what
are not public health activities, is also revised in the final rule for
consistency with the general distinction between activities of public
health surveillance, investigation, and intervention and activities of
investigating or imposing liability on a person for the mere act of
seeking, obtaining, providing, or facilitating health care, or
identifying a person for such activities, as well as the standard the
Department is adopting at 45 CFR 164.502(a)(5)(iii), which is discussed
further in that section of this rule. Thus, while a state might assert
that investigating or imposing liability on persons for the mere act of
seeking, obtaining, providing, or facilitating health care satisfies
the definition of ``public health,'' their interpretation would not
supersede the definition of ``public health'' in the context of public
health surveillance, investigations, or interventions that the
Department is adopting under its own Federal statutory authority to
administer the HIPAA Rules.
Comment: A few organizations expressed support for the proposed
definition of ``public health'' without further elaboration. Several
commenters expressed support for the proposed definition of ``public
health'' because it would prevent PHI from being disclosed for a
prohibited purpose. A few commenters expressed support for the proposal
because they believed that information reported for public health
purposes could be requested, re-identified (in the case of de-
identified information), or further disclosed to law enforcement for
purposes for which the Department proposed to prohibit uses and
disclosures.
Several commenters expressed support for the proposed definition of
``public health'' and the existing standard that limits public health
disclosures of PHI to the minimum necessary information to achieve the
purpose.
Response: Consistent with the NPRM, the Department agrees with the
commenters who stated that it is important to define ``public health''
in the context of public health surveillance, investigation, or
intervention to ensure that PHI is not disclosed for a purpose
prohibited under 45 CFR 164.502(a)(5)(iii). Disclosures of PHI for
public health purposes continue to be subject to the minimum necessary
standard, which limits the use and disclosure of PHI to the minimum
necessary to achieve the specified purpose; in some circumstances, de-
identified information may suffice. However, many public health
activities do require identifiable data, such as for interventions
involving individuals, to protect against prospective or ongoing
threats to health or safety at the population level, and the Privacy
Rule does not prohibit such uses and disclosures.
When making disclosures to public officials that are permitted
under 45 CFR 164.512, if the public official represents that the
information requested is the minimum necessary for the stated purpose,
regulated entities are permitted, but not required, to rely on that
representation, if such reliance is reasonable under the
circumstances.\250\ Such reliance may not be reasonable where the
request appears to be overly broad when compared to the stated purpose
of the request (e.g., where a public health authority requests the
disclosure of PHI of all individuals who received treatment for uterine
bleeding when the stated purpose is to investigate infection control
practices by an obstetrician/gynecologist in a state where law
enforcement has publicly announced its intention to investigate
individuals for traveling out of state to seek or obtain reproductive
health care that is lawful under the circumstances in which it is
provided).
---------------------------------------------------------------------------
\250\ 45 CFR 164.514(d)(3)(iii)(A); see also 45 CFR
164.514(h)(2)(ii) and (iii).
---------------------------------------------------------------------------
Comment: A few commenters asserted that law enforcement generally
interprets public health investigations to include criminal
investigations and prosecutions and the NPRM proposed definition would
complicate such investigations by limiting the amount of PHI that could
be disclosed to law enforcement.
Response: The Department has adopted a definition of ``public
health'' in the context of public health surveillance, investigation,
and intervention that sets clear parameters between such activities and
law enforcement activities conducted to impose liability for the mere
act of seeking, obtaining, providing, or facilitating health care.
Public health surveillance, investigation, and intervention do not
include efforts to attach liability to persons for specific acts of
seeking, obtaining, providing, or facilitating health care.
This definition is consistent with the longstanding distinction
made by the Department between public health activities and law
enforcement activities as described above.
Comment: Several commenters expressed support for the Department's
proposal generally but recommended further clarifications or revisions
to it, especially regarding the limitation to ``population-level''
activities. A few commenters raised questions about the difference
between the proposed definition of ``public health'' and the permission
for public health activities under 45 CFR 164.512(b)(1)(i) and
recommended that the Department clarify the definition to ensure that
public health agencies are able to obtain health information for
administrative or civil proceedings, such as quarantine or isolation in
cases involving infectious diseases.
Response: The Department has modified the definition of ``public
health'' in the context of public health surveillance, investigation,
or intervention to clarify that such activities include identifying,
monitoring, preventing, or mitigating ongoing or prospective threats to
the health or safety of a population, which may involve the collection
of PHI. This change addresses commenters' concerns that under the
proposed definition, regulated entities would no longer be able to
report PHI that is required to address population-level concerns.
Comment: Several commenters raised concerns that the proposed
definition of ``public health'' would circumvent states' interests
related to public health. A few commenters expressed opposition to the
Department's clarification of public health because they believed that
states should have the ability to conduct surveillance, investigations,
or interventions concerning certain types of health care for public
health purposes. Several commenters asserted that the proposal would
frustrate the ability of states to enforce their laws prohibiting
access to certain types of health care. Conversely, a commenter
requested that the Department explicitly exclude reproductive health
care from the proposed definition of ``public health,'' so it would not
be reportable to public health agencies.
Response: We disagree with commenters' assertions that this final
rule will prevent the reporting of vital statistics or other public
health
[[Page 33004]]
activities. A covered entity may continue to use or disclose PHI for
all the public health activities and purposes listed in section
1178(b). We also decline to explicitly exclude reproductive health care
from the definition of ``public health'' because doing so could hinder
beneficial public health activities. Instead, this definition supports
this final rule's prohibition against certain uses and disclosures of
PHI by clarifying that public health surveillance, investigation, and
intervention exclude conducting a criminal, civil, or administrative
investigation into any person, or imposing criminal, civil, or
administrative liability on any person for the mere act of seeking,
obtaining, providing, or facilitating health care, or identifying any
person for such activities. Such excluded activities include those with
the purposes that are prohibited at 45 CFR 164.502(a)(5)(iii).
Comment: A few commenters believed that defining ``investigation,''
``intervention,'' or ``surveillance'' was unnecessary or recommended
against doing so and requested that the Department clarify that such
terms do not encompass any prohibited purposes. One commenter requested
that the Department define these terms to expressly exclude information
related to reproductive health care.
Response: We are not defining the terms ``investigation,''
``intervention,'' or ``surveillance'' in this rule. However, we are
providing extensive interpretation in the preamble to clarify that such
activities in the public health context do not encompass conducting a
criminal, civil, or administrative investigation into any person, or
imposing criminal, civil, or administrative liability on any person for
the mere act of seeking, obtaining, providing, or facilitating health
care, or identifying any person for such activities, including those
for which use or disclosure of PHI is prohibited by 45 CFR
164.502(a)(5)(iii).
Reporting of Child Abuse
In accordance with section 1178(b) of HIPAA, the Privacy Rule
permits a regulated entity to use or disclose PHI to report known or
suspected child abuse or neglect if the report is made to a public
health authority or other appropriate government authority that is
authorized by law to receive such reports.\251\ The Privacy Rule limits
disclosures of PHI made pursuant to this permission to the minimum
necessary to make the report.\252\
---------------------------------------------------------------------------
\251\ See 45 CFR 164.512(b)(1)(ii).
\252\ See 45 CFR 164.502(b) and 164.514(d).
---------------------------------------------------------------------------
As the Department explained in the 2023 Privacy Rule NPRM, at the
time HIPAA was enacted, ``most, if not all, states had laws that
mandated reporting of child abuse or neglect to the appropriate
authorities.'' \253\ Additionally, when Congress enacted HIPAA, it had
already addressed child abuse reporting in other laws, such as the
Victims of Child Abuse Act of 1990 \254\ and the Child Abuse Prevention
and Treatment Act.\255\ For example, 34 U.S.C. 20341(a)(1), a provision
of the original Victims of Child Abuse Act of 1990 that is still in
place today, requires certain professionals to report suspected abuse
when working on Federal land or in a federally operated (or contracted)
facility.\256\ As used in these statutes, the term ``child abuse'' does
not include activities related to reproductive health care, such as
abortion.
---------------------------------------------------------------------------
\253\ 65 FR 82462, 82527 (Dec. 28, 2000).
\254\ Public Law 101-647, 104 Stat. 4789 (codified at 18 U.S.C.
3509).
\255\ Public Law 93-247, 88 Stat. (codified at 42 U.S.C. 5101
note).
\256\ See 34 U.S.C. 20341(a)(1), originally enacted as part of
the Victims of Child Abuse Act of 1990 and codified at 42 U.S.C.
13031, which was editorially reclassified as 34 U.S.C. 20341, Crime
Control and Law Enforcement. For the purposes of such mandated
reporting, see 34 U.S.C. 20341(c)(1) for definition of ``child
abuse.''
---------------------------------------------------------------------------
In the 2023 Privacy Rule NPRM, the Department discussed that it has
long interpreted ``child abuse,'' as used in the Privacy Rule and
section 1178(b) of HIPAA, to exclude conduct based solely on a person
seeking, obtaining, providing, or facilitating reproductive health
care.\257\ This interpretation is consistent with the public health
aims of improving access to health care for individuals, including
reproductive health care, and with relevant statutes at the time HIPAA
was enacted, as described above. The Department also stated that this
interpretation prohibits a regulated entity from disclosing PHI in
reliance on the permission for reporting ``child abuse'' where the
alleged victim does not meet the definition of ``person'' or ``child,''
consistent with both 1 U.S.C. 8 and section 1178(b). Additionally,
consistent with previous rulemaking under HIPAA, the Department
clarified in the preamble that it did not intend for the interpretation
to disrupt longstanding state or Federal child abuse reporting
requirements that apply to regulated entities.\258\
---------------------------------------------------------------------------
\257\ 88 FR 23506, 23526 (Apr. 17, 2023).
\258\ 65 FR 82462, 82527 (Dec. 28, 2000).
---------------------------------------------------------------------------
The Department also made several clarifications in preamble
concerning our interpretation of section 1178(b) and the Privacy Rule's
public health permission and how we distinguish between public health
reporting and disclosures for law enforcement purposes or judicial and
administrative proceedings.
Comment: Many commenters supported the Department's clarification
and agreed that it would preserve trust between individuals and health
care providers, but also requested additional clarification from the
Department on its implementation. Few opposed the clarification; those
who did expressed concerns about the potential for the clarification to
prevent state-mandated reporting in certain circumstances. Many
commenters expressed mixed views about the Department's interpretation.
Response: The Department is moving forward with its interpretation
as described in the NPRM. As noted above, this final rule does not
alter the Privacy Rule's reliance on other applicable law with respect
to determining who has the authority to act on behalf of an individual
who is an unemancipated minor in making decisions related to health
care, including lawful reproductive health care.\259\ The Privacy Rule
does not permit a regulated entity to disclose PHI as part of a report
of suspected child abuse based solely on the fact that a parent seeks
reproductive health care (e.g., treatment for a sexually transmitted
infection) for a child. However, the regulated entity is permitted to
make such disclosure where there is suspicion of sexual abuse that
could be the basis of permitted reporting.
---------------------------------------------------------------------------
\259\ See 45 CFR 164.502(g).
---------------------------------------------------------------------------
Congress defined the term ``child'' in 1 U.S.C. 8, and the term
``child'' in the Privacy Rule is consistent with that definition. As
such, the Department believes that to the extent this clarification
prohibits a regulated entity from disclosing PHI to report ``child
abuse'' under this permission in the Privacy Rule where the alleged
victim does not meet the definition of ``person,'' it is consistent
with both 1 U.S.C. 8 and section 1178(b).
The Department also reaffirms its clarification that the Privacy
Rule permission to report known or suspected child abuse or neglect
permits a disclosure only for the purpose of making a report, and the
PHI disclosed must be limited to the minimum necessary information for
the purpose of making a report.\260\ These provisions do not permit the
covered entity to disclose PHI in response to a request for the use or
disclosure of PHI to conduct a criminal, civil, or administrative
investigation into or impose criminal, civil, or administrative
liability on a
[[Page 33005]]
person based on suspected child abuse. Instead, as we explained in the
2023 Privacy Rule NPRM, any disclosure of PHI in response to this type
of request from an investigator, must meet the applicable Privacy Rule
conditions for disclosures for judicial and administrative proceedings
or law enforcement purposes, as applicable.\261\ That is the case
whether such disclosure is in follow up to the report made by the
covered entity (other than to clarify the PHI provided on the report)
or part of an investigation initiated based on an allegation or report
made by a person other than the covered entity.\262\
---------------------------------------------------------------------------
\260\ See 45 CFR 164.502(b) and 164.514(d).
\261\ See 45 CFR 164.512(e) and (f).
\262\ See 45 CFR 164.512(e) and (f).
---------------------------------------------------------------------------
Moreover, this clarification does not affect the ability of state
authorities to invoke other permissions for disclosure under the
Privacy Rule, such as the permission for disclosures for law
enforcement purposes, where they are seeking PHI related to unlawful
reproductive health care.\263\ Thus, the Department's interpretation of
``child abuse'' continues to support the protection of children while
also serving HIPAA's objectives of protecting the privacy of PHI to
promote individuals' trust in the health care system and preserving the
relationship between individuals and their health care providers.
---------------------------------------------------------------------------
\263\ 65 FR 82462, 82527 (Dec. 28, 2000).
---------------------------------------------------------------------------
Comment: A few commenters recommended that the Department expand
the clarification of child abuse to broadly address providing or
facilitating all health care, rather than just reproductive health
care.
Response: It is beyond the scope of this rulemaking to expand the
clarification to include the provision or facilitation of all lawful
health care. We appreciate the recommendations of commenters and will
take them under advisement for potential future rulemaking.
3. Adding a Definition of ``Reproductive Health Care''
Section 160.103 of the HIPAA Rules defines ``health care'' as
``care, services, or supplies related to the health of an individual.''
\264\ The definition clarifies that the term ``includes but is not
limited to'' several identified types of care, services, and procedures
\265\ and includes examples such as therapeutic, rehabilitative, or
maintenance care, as well as sale or dispensing of drugs or devices.
---------------------------------------------------------------------------
\264\ 45 CFR 160.103 (definition of ``Health care'').
\265\ These groupings are (1) ``[p]reventive, diagnostic,
therapeutic, rehabilitative, maintenance, or palliative care, and
counseling, service, assessment, or procedure with respect to the
physical or mental condition, or functional status, of an individual
or that affects the structure or function of the body'' and (2)
``[the s]ale or dispensing of a drug, device, equipment, or other
item in accordance with a prescription.'' It would also include
supplies purchased over the counter or furnished to the individual
by a person that does not meet the definition of a health care
provider under the HIPAA Rules. 45 CFR 160.103 (definition of
``Health care provider'').
---------------------------------------------------------------------------
The Department proposed to add and define a new term,
``reproductive health care,'' that would be a subset of the term
``health care.'' \266\ The Department proposed to define ``reproductive
health care'' as ``care, services, or supplies related to the
reproductive health of the individual.'' The Department noted in the
NPRM preamble that the HIPAA Rules define ``health care'' broadly.\267\
---------------------------------------------------------------------------
\266\ 88 FR 23506, 23527-28 (Apr. 17, 2023).
\267\ 88 FR 23506, 23527 (Apr. 17, 2023).
---------------------------------------------------------------------------
Consistent with the definition of ``health care'' in the HIPAA
Rules, the proposed definition of ``reproductive health care'' would
have applied broadly and included not only reproductive health care and
services furnished by a health care provider and supplies furnished in
accordance with a prescription, but also care, services, or supplies
furnished by other persons and non-prescription supplies purchased in
connection with an individual's reproductive health. The Department
proposed to use the term ``reproductive health care'' rather than
``reproductive health services'' to ensure that the term was
interpreted broadly to capture all health care that could be furnished
to address reproductive health, including the provision of medications
and devices, whether prescription or over-the-counter.
The Department discussed in preamble some of the types of care,
services, and supplies that were included in the proposed term. In
keeping with the Department's intention for ``reproductive health
care'' to be inclusive of all types of health care related to an
individual's reproductive system, the 2023 Privacy Rule NPRM preamble
indicated that the term would include, but not be limited to:
contraception, including emergency contraception; pregnancy-related
health care; fertility or infertility-related health care; and other
types of care, services, or supplies used for the diagnosis and
treatment of conditions related to the reproductive system. We also
provided a non-exhaustive list of examples of health care within each
of these categories of reproductive health care.
Consistent with the definition of ``health care'' adopted in 2000
in the HIPAA Rules, the Department did not propose a specific
definition of ``reproductive health'' but invited comment on whether
including a particular definition of ``reproductive health'' would be
beneficial.
Many commenters supported the proposal and agreed that it would
provide the necessary protections for individuals and others. Some
referenced existing definitions used by other legal authorities and
recommended the Department consider adopting or incorporating them in
some manner.
Some commenters opposed the proposal to provide an inclusive
definition of reproductive health care. Some commenters asserted that
the proposal lacked clarity and was too open-ended, making it difficult
to operationalize. Other commenters expressed concern that the proposed
definition would permit minors to consent to reproductive health care
without parental consent.
The final rule adopts the new term ``reproductive health care'' and
definition with three modifications. First, we replace ``care,
services, or supplies related to the reproductive health of the
individual'' with ``health care'' and add a citation to the HIPAA
Rules' definition of that term to clarify that reproductive health care
is a subset of ``health care.''
Second, we specify that the term means health care ``that affects
the health of the individual in all matters relating to the
reproductive system and to its functions and processes.'' In keeping
with the Department's intention for ``reproductive health care'' to be
interpreted broadly and inclusive of all types of health care related
to an individual's reproductive system, this additional language
clarifies that the definition encompasses the full range of health care
related to an individual's reproductive health.
Third, we add a statement reaffirming that the definition should
not be construed to establish a standard of care for or regulate what
constitutes clinically appropriate reproductive health care.
As discussed in the NPRM, this approach is consistent with the
approach the Department took when it adopted the definition of ``health
care'' in the HIPAA Rules. At that time, the Department explained that
listing specific activities would create the risk that important
activities would be left out and could also create confusion.\268\
---------------------------------------------------------------------------
\268\ 65 FR 82571 (Dec. 28, 2000).
---------------------------------------------------------------------------
By describing more fully the breadth of reproductive health care,
the definition may decrease the perceived burden to regulated entities
of complying with the rule by helping them determine whether a request
for
[[Page 33006]]
the use or disclosure of PHI includes PHI that is implicated by this
final rule.
To further clarify what is included in reproductive health care for
regulated entities, we provide a non-exclusive list of examples that
fit within the definition: contraception, including emergency
contraception; preconception screening and counseling; management of
pregnancy and pregnancy-related conditions, including pregnancy
screening, prenatal care, miscarriage management, treatment for
preeclampsia, hypertension during pregnancy, gestational diabetes,
molar or ectopic pregnancy, and pregnancy termination; fertility and
infertility diagnosis and treatment, including assisted reproductive
technology and its components \269\ (e.g., in vitro fertilization
(IVF)); diagnosis and treatment of conditions that affect the
reproductive system (e.g., perimenopause, menopause, endometriosis,
adenomyosis); and other types of care, services, and supplies used for
the diagnosis and treatment of conditions related to the reproductive
system (e.g., mammography, pregnancy-related nutrition services,
postpartum care products).
---------------------------------------------------------------------------
\269\ See ``What is Assisted Reproductive Technology?'' Centers
for Disease Control and Prevention (Oct. 8, 2019), https://www.cdc.gov/art/whatis.html and ``Fact Sheet: In Vitro Fertilization
(IVF) Use Across the United States,'' U.S. Dep't of Health and Human
Servs. (Mar. 13, 2024), https://www.hhs.gov/about/news/2024/03/13/fact-sheet-in-vitro-fertilization-ivf-use-across-united-states.html.
---------------------------------------------------------------------------
Additionally, the language in the definition stating that the
definition should not be construed to set forth a standard of care or
regulate what constitutes clinically appropriate reproductive health
care should not be read as limiting ``reproductive health care'' to
only health care that is determined to be appropriate by a health care
professional. Rather, it may be the individual who determines whether
the health care they receive, such as over-the-counter contraceptives,
is appropriate. Like the definition of ``health care,'' the definition
of reproductive health care is intended to be broad. Finally, we
clarify that meeting the definition is not sufficient for information
about such health care to be protected under the HIPAA Rules or this
final rule. Rather, the information about such health care still needs
to meet the definition of PHI.\270\
---------------------------------------------------------------------------
\270\ 45 CFR 160.103 (definition of ``Protected health
information'').
---------------------------------------------------------------------------
Comment: Some commenters expressed support for the proposed
definition of ``reproductive health care.'' Several commenters
specifically expressed their support for a broad definition of the term
for various reasons, including: ensuring that providers of reproductive
health care can continue to serve vulnerable communities and reduce
health care disparities; providing clarity; and mitigating the need for
clinical expertise and interpretation for each request for reproductive
health information. Other commenters expressed support for the term
because it would improve access to care and better reflect the breadth
of services that support an individual's reproductive health, enable
health care providers to continue to maintain appropriate data
safeguards, and enable individuals to feel comfortable disclosing their
information without fear of incrimination.
Many other commenters expressed opposition to the proposed
definition because it was too expansive and would encompass procedures
that they did not consider to be reproductive health care. Many
commenters explicitly requested that the definition exclude certain
types of health care. A few commenters recommended that the Department
narrow the proposed definition to apply only to records directly
involving certain specified services and clarify that the final
definition does not include other procedures or treatments related to
pregnancy or contraception. Another commenter expressed opposition to
the proposed definition of ``reproductive health care'' because they
believe that reproductive health information is no more sensitive than
other medical information and should not be treated differently.
One commenter opposed the proposed definition of ``reproductive
health care'' because they thought it would prevent health care
providers from disclosing PHI to other health care providers for
treatment, which would erode individual trust.
Several commenters requested that the Department expand the
proposed definition, be more specific in its meaning (e.g., provide
additional information about the types of care, services, or supplies
included in the definition), or replace it with a more expansive term
(e.g., ``sensitive personal health care'' meaning ``care, services, or
supplies related to the health of the individual which could expose any
person to civil or criminal liability for the mere act of seeking,
obtaining, providing, or facilitating such health care''). A commenter
urged the Department to define the term ``sexual and reproductive
health care'' to ensure that individuals have reproductive health care
privacy, regardless of their sexual orientation or gender identity.
Commenters offered several alternative definitions or terms, such
as ``including but not limited to services related to contraception,
sterilization, preconception care, maternity care, abortion care, and
counseling regarding reproductive health care''; the definition of
``reproductive health care services'' at 18 U.S.C. 248(e)(5);
``reproductive and sexual health care services'' as defined in
California Health and Safety Code section 1367.31; and limiting the
definition to capture only health care that is at risk of being
investigated or prosecuted because of Dobbs. Other commenters requested
additional precision or clarity in the definition. For example, a
commenter recommended that the definition include the specific codes
and data points that would constitute reproductive health care that
would be prohibited from disclosure under the proposed rule (e.g.,
International Classification of Diseases (ICD) codes related to
reproductive health, ABO blood type and Rh factor).
Several commenters urged the Department to narrow the proposed
definition because of operational concerns, including the redirection
of resources to making or obtaining legal determinations about whether
a particular type of care was reproductive health care. Some explained
that health information management staff generally do not have the
clinical expertise to determine what would constitute ``reproductive
health care,'' while another stated that physicians would also have
trouble discerning what health care would meet the proposed definition.
Another commenter recommended that the Department include only PHI that
is already reliably segregated in EHRs in the definition.
Many commenters requested that the Department further explain the
proposed definition either in preamble or the regulatory text. One
commenter suggested that in lieu of a definition of ``reproductive
health care,'' the Department include an extensive discussion of
examples in the preamble and provide entities flexibility to implement
policies or procedures that may be affected by the definition of
``reproductive health care'' in accordance with their operational
structures. A few commenters also recommended that the Department
provide examples in preamble discussion, rather than regulatory text.
One commenter recommended that the Department provide specific examples
to illustrate its meaning where there could be ambiguity. Several
commenters recommended that examples be included in the regulatory text
and provided specific examples of the types
of health care they thought should be included. Some commenters
recommended the Department include examples but did not specify whether
they should be in the preamble or in the regulatory text, while other
commenters requested that the Department include a non-exhaustive list
of examples of reproductive health care in both the regulation and
preamble.
Response: After consideration, we have finalized a definition
grounded in the Privacy Rule's long-established term ``health care.''
We provide a non-exhaustive list of examples in preamble above. We do
not explicitly address all of the many types of health care suggested
in comments to avoid creating the impression of a complete list. This
is also consistent with our approach regarding the definition of
``health care.'' We emphasize that this definition does not set or
affect standards of care, nor does it affect uses and disclosures of
PHI for treatment purposes. Operational concerns expressed by some
commenters are addressed in response to comments on the prohibition.
4. Whether the Department Should Define Any Additional Terms
The Department requested comments about whether it would be helpful
for the Department to define ``reproductive health'' or any additional
terms.\271\
---------------------------------------------------------------------------
\271\ 88 FR 23506, 23528 (Apr. 17, 2023).
---------------------------------------------------------------------------
Comment: Several commenters recommended that the Department define
``reproductive health'' because it would ensure that all covered
entities would be required to implement changes, or that the PHI of
individuals receiving certain types of health care would not be
disclosed to states where individuals who receive such health care are
being penalized.
Several commenters urged the Department to add the definition of
reproductive health adopted by the United Nations and World Health
Organization, while others recommended the adoption of the definition
articulated by the International Conference on Population and
Development in 1994. One commenter expressed opposition to adding a
definition of reproductive health as unnecessary, and another instead
recommended adoption of a precise definition of ``reproductive health
care.''
Another commenter recommended expanding the definition of PHI to
include certain digital data of entities not regulated under HIPAA
(e.g., information from period tracking apps). One commenter
recommended revising the definition of ``health oversight agency'' to
exclude agencies that investigate or prosecute activities related to
reproductive health care. Some commenters requested that the Department
define additional terms or clarify existing terms.
Rather than define additional terms, one commenter recommended that
the Department ensure that all the proposed definitions would be
aligned with the Office of the National Coordinator for Health
Information Technology (ONC) and CMS-mandated data elements for
Certified Electronic Health Record Technology products and in the
electronic clinical quality measures that health care providers are
required to report to CMS.
Response: We appreciate the feedback from commenters, but upon
further consideration, have concluded that defining any of the
additional terms or clarifying additional existing ones is not
necessary to support the implementation of this final rule. We also
clarify that because HIPAA only authorizes the Department to protect
IIHI used or disclosed by covered entities and their business
associates, we are not able to regulate information that individuals
themselves store and share using consumer health apps.
B. Section 164.502--Uses and Disclosures of Protected Health
Information: General Rules
Section 164.502 of the Privacy Rule contains the general rules
governing uses and disclosures of PHI. Paragraph (a)(1) of this section
sets forth the list of permitted uses and disclosures.
1. Clarifying When PHI May Be Used or Disclosed by Regulated Entities
Section 164.502(a)(1)(iv) generally permits a regulated entity to
use or disclose PHI pursuant to and in compliance with a valid
authorization under 45 CFR 164.508, except for uses and disclosures of
genetic information by a health plan for underwriting purposes
prohibited under 45 CFR 164.502(a)(5)(i). Thus, an authorization that
purports to allow a health plan to use or disclose PHI for that
prohibited purpose is not valid under the Privacy Rule.
The Department proposed to modify 45 CFR 164.502(a)(1)(iv) to
incorporate an additional limitation on the ability of a regulated
entity to use and disclose PHI pursuant to an individual's
authorization.\272\ Specifically, the Department's proposal would
prohibit a regulated entity from using or disclosing PHI pursuant to an
individual's authorization where the purpose of the disclosure is for a
criminal, civil, or administrative investigation or proceeding against
any person in connection with seeking, obtaining, providing, or
facilitating reproductive health care that is lawful under the
circumstances in which such health care is provided, or to identify any
person for the purpose of initiating such activities. As explained in
the 2023 Privacy Rule NPRM, the proposed modification was intended to
prevent the misuse of the general permission for a regulated entity to
use or disclose PHI pursuant to an individual's authorization to bypass
the proposed prohibition against using and disclosing PHI for purposes
that would be prohibited by proposed 45 CFR 164.502(a)(5)(iii).
---------------------------------------------------------------------------
\272\ 88 FR 23506, 23528-29 (Apr. 17, 2023).
---------------------------------------------------------------------------
The Department explained in the proposed rule that this change to
the authorization permission was necessary to protect individuals'
privacy by precluding any possibility that a third party, such as a law
enforcement official, could coerce or attempt to coerce an individual
into signing an authorization, thereby enabling the third party to
circumvent the prohibition proposed at 45 CFR 164.502(a)(5)(iii).
The Department also proposed to modify the general rules in 45 CFR
164.502(a)(1)(vi) to expressly condition certain uses and disclosures
made under 45 CFR 164.512 on the receipt of an attestation pursuant to
proposed 45 CFR 164.509, which is discussed below in greater detail.
For clarity, the Department proposed to revise 45 CFR 164.502(a)(1)(vi)
by replacing the sentence containing the conditions for certain
permitted uses and disclosures with a lettered list.
Public comments about the use of authorization to use and disclose
PHI for the purposes the Department proposed to prohibit in the 2023
Privacy Rule NPRM were generally divided between opposing views and
supportive views, although only a few comments expressed full support
for the proposal, as drafted. While many commenters shared the
Department's concerns about the potential for individuals to be coerced
into providing an authorization, some of these commenters nonetheless
opposed the proposal because it could limit beneficial disclosures,
cause uncertainty about the validity of an authorization, increase the
burden on regulated entities, or seem to conflict with state laws that
permit the disclosure of certain health information with the
individual's explicit written consent.
The Department received no comments on its proposal to replace the
sentence at 45 CFR 164.502(a)(1)(vi) with a lettered list. Comments on
the Department's proposal to condition certain disclosures made under
45 CFR 164.512 on the receipt of an attestation as required by proposed
45 CFR 164.509 are discussed below in greater detail.
The Department is not finalizing its proposal to prohibit a
regulated entity from using or disclosing an individual's PHI for the
specified purposes pursuant to and in compliance with an individual's
authorization. We agree with the majority of public comments discussed
in detail below that generally expressed the view that the Privacy
Rule's authorization requirements empower individuals to make decisions
about who has access to their PHI. We acknowledge that maintaining the
permission for regulated entities to obtain an individual's
authorization to use and disclose PHI could leave an individual exposed
to the potential for duress or coercion by a third party. It could also
expose a health care provider or other person who provides or
facilitates reproductive health care to liability in the event the
authorization is used to effect a disclosure for a prohibited purpose
in connection with lawful reproductive health care. However, we believe
that continuing to permit uses and disclosures pursuant to an
individual's authorization best preserves individual autonomy
concerning uses and disclosures of their PHI. Consistent with our
practice described above, the Department will monitor closely the
interaction of the revised Privacy Rule and the evolving legal
landscape to ensure an appropriate balance of protecting the privacy
interests of individuals and permitting access to PHI for non-health
care purposes.
As we discussed in the proposed rule, there is a relationship
between the provision allowing an individual to authorize a regulated
entity to use or disclose the individual's PHI to a third party and the
HITECH Act requirement that a regulated entity comply with an
individual's direction to transmit to another person an electronic copy
of the individual's PHI in an EHR (``individual access right to
direct'').\273\ Both enhance an individual's autonomy by providing them
with the ability to determine who can access the individual's PHI as
specified in the authorization or access request. Both also create an
opportunity for coercion or attempted coercion of an individual by
another person (e.g., a law enforcement official could attempt to
coerce an individual into providing the law enforcement official with
access to the individual's PHI by offering the individual a reduced
sentence for an alleged crime). And while we remain concerned about the
potential for coercion or attempted coercion, even if the Department
were to finalize the proposed limitation on uses and disclosures with
an authorization, the individual would retain the individual access
right to direct, which is enshrined in statute. We also believe it
would be inconsistent with the spirit of individual access right to
direct for the Department to limit the ability of an individual to
authorize a regulated entity to disclose their PHI to another person.
---------------------------------------------------------------------------
\273\ 42 U.S.C. 17935(e).
---------------------------------------------------------------------------
For the foregoing reasons, we are not finalizing this proposal, and
the language in 45 CFR 164.502(a)(1)(iv) remains unchanged.
Comment: While some commenters expressed concern about the
potential for coercion described in the proposed rule, they did not all
agree that it would be appropriate to address this concern by
prohibiting such disclosures pursuant to an authorization. Some
commenters asserted that coercion concerns would not be eliminated by
curtailing the ability of individuals to authorize disclosures of their
PHI in certain circumstances.
Some commenters explained that prohibiting individuals from
requesting disclosures of their PHI pursuant to an authorization for
prohibited purposes would create a significant burden for regulated
entities, primarily because of the frequent failure of persons
requesting the use or disclosure of PHI to provide sufficient detail
regarding the purpose of the request to allow them to determine if it
would be for a prohibited purpose.
A few commenters asserted that a HIPAA authorization is the safest
approach to ensuring an individual is aware of and agrees to the use or
disclosure of their PHI. One of those commenters recommended that the
Department permit a regulated entity to disclose PHI pursuant to a
valid authorization unless the covered entity has actual knowledge that
an authorization was not voluntary. A commenter recommended adding a
disclaimer or warning to the authorization to provide assurances that
an individual was not coerced into disclosing their PHI to law
enforcement or other third party that might seek to use the PHI for
improper purposes. Still another commenter recommended that the
Department require the authorization to indicate the types of sensitive
information the individual intends to share. One commenter recommended
that certain disclosures be accompanied by a notice of the individual's
rights under the Privacy Rule.
Response: We appreciate comments concerning this proposal and the
restriction of individuals' ability to maintain control over their PHI
by prohibiting the use of written authorization. The Privacy Rule's
written authorization requirements are the most objective means known
to a regulated entity by which an individual can provide direction
about the use and disclosure of their PHI. The
right of individuals to access their PHI and choose to disclose their
PHI to another person is a cornerstone of HIPAA, and as such, we are
not proceeding with this proposal. The Department will continue to
monitor complaints we receive and the outcome of enforcement actions to
identify potential coercion and the effect of permitting individuals to
authorize the disclosure of PHI for purposes that are prohibited under
45 CFR 164.502(a)(5)(iii) on the relationship between health care
providers and individuals.
We also appreciate the comments that asserted that restricting the
ability of regulated entities to use an authorization to obtain PHI for
the purposes prohibited in this rulemaking could create a burden for
the regulated entities.
To the extent that individuals wish to authorize the use and
disclosure of their PHI, particularly when a request is not clear, or
when a request seeks only partial parts of a record, a written
authorization provides the regulated entity with the opportunity to
clarify, with both the individual and the person requesting the
disclosure, the PHI that will be disclosed. State laws that require
regulated entities to obtain an individual's written consent are
generally considered more privacy protective, and thus are not
preempted.
Comment: Several commenters expressed support for eliminating the
ability of regulated entities to use or disclose PHI pursuant to an
authorization in certain circumstances because of the potential for
harm to individuals as proposed. One commenter described the potential
negative effects of permitting uses and disclosures pursuant to an
authorization in certain circumstances on individuals from historically
marginalized communities. Another commenter asserted that individuals
frequently do not read consent forms provided to them for signature for
a variety of reasons, including proficiency. Some commenters expressed
concerns that individuals who are the subject of a
criminal investigation or prosecution would be placed in situations
where it would not be possible to obtain a voluntary authorization
(e.g., a custodial situation), or that law enforcement could seek to
persuade an individual to provide them with access to the individual's
PHI through improper means.
Response: We continue to share the concern expressed by commenters
about the potential for coercion or harassment of individuals,
particularly those in marginalized or underserved communities, to
provide authorization for the use or disclosure of their PHI. According
to many reports and data cited by the Department and commenters, such
individuals more often experience negative interactions with law
enforcement or other prosecutorial authorities. We urge HIPAA regulated
entities to be mindful of Privacy Rule requirements that could help
mitigate the potential for harm resulting from coercion or difficulties
individuals may experience in understanding an authorization. For
example, 45 CFR 164.508(b)(2)(v) holds invalid authorizations that
include ``material information [. . .] known by the covered entity to
be false''; 45 CFR 164.508(c)(1)(iv) requires that every authorization
include a description of each purpose of the requested use or
disclosure; and 45 CFR 164.508(c)(3) requires that the authorization be
written in plain language.\274\ The Department will continue to monitor
complaints, questions, and enforcement outcomes for potential harm from
disclosures resulting from authorizations.
---------------------------------------------------------------------------
\274\ In the preamble to the 2000 Privacy Rule, we explained
that a covered entity could meet HIPAA plain language requirements
by organizing material to serve the reader; writing short sentences
in the active voice; using pronouns; using common, everyday
language; and dividing material into short sections. 65 FR 82462,
82548 (Dec. 28, 2000).
---------------------------------------------------------------------------
Comment: A few commenters requested clarifications of how the
proposal would affect other disclosures made pursuant to the Privacy
Rule, including disclosures to the individual's attorney, and whether
the Department intended it to apply to other consumer-initiated
requests, such as part of an Application Programming Interface (API).
A commenter recommended that health care providers be permitted to
refuse to release PHI to any consumer health app when the information
could lead to civil or criminal repercussions for the health care
provider unless the app developer signs a binding agreement that
protects them.
Response: We are not finalizing the proposal, but state here that
the Department did not intend to affect or disrupt the ability of
covered entities to make other disclosures of PHI pursuant to a written
authorization under the Privacy Rule. Additionally, as discussed above,
individuals have the right to obtain a copy of their PHI and the
individual access right to direct, which could involve releasing PHI to
a consumer health app or an API. With respect to EHR and technology
vendors and other third parties who facilitate the exchange of PHI on
behalf of covered entities, we continue to stress that valid business
associate agreements are required by the Privacy Rule and necessary to
protect the privacy of the individuals who are the subject of the PHI.
ONC also has made clear that it intends to advance technologies that
support requirements already extant under the HIPAA Privacy Rule.\275\
Additionally, the Department continues to urge covered entities that
have direct contact with individuals to educate such individuals on the
risks of disclosing their PHI to persons that are not regulated by
HIPAA.\276\ We will continue to ensure that regulated entities enter
into business associate agreements as required by the Privacy
Rule.\277\ We will continue to monitor complaints, questions, and
enforcement outcomes.
---------------------------------------------------------------------------
\275\ 89 FR 1192, 1302 (Jan. 9, 2024). See also Off. for Civil
Rights, ``Information Blocking Regulations Work In Concert with
HIPAA Rules and Other Privacy Laws to Support Health Information
Privacy,'' U.S. Dep't of Health and Human Servs. (Apr. 12, 2023),
https://www.healthit.gov/buzz-blog/information-blocking/information-blocking-regulations-work-in-concert-with-hipaa-rules-and-other-privacy-laws-to-support-health-information-privacy.
\276\ See, e.g., Off. for Civil Rights, ``Resource for Health
Care Providers on Educating Patients about Privacy and Security
Risks to Protected Health Information when Using Remote
Communication Technologies for Telehealth,'' U.S. Dep't of Health
and Human Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/resource-health-care-providers-educating-patients/index.html.
\277\ See 45 CFR 164.502(a)(3) and (e). See also 45 CFR
164.504(e).
---------------------------------------------------------------------------
Comment: Many commenters addressed the relationship between the
Department's proposal to eliminate the option for an individual to
request disclosure of their information for the prohibited purposes
pursuant to an authorization and the individual right of access,
particularly, the right of an individual to direct a regulated entity
to transmit to a third party an electronic copy of their PHI in an EHR.
Several commenters recommended that the Department curtail the
individual access right to direct. Some commenters expressed concern
about the potential for individuals to be coerced into providing access
to their PHI to third parties. A few commenters expressed concerns that
some third parties sell PHI for purposes adverse to individuals'
interests, including some of the purposes described in the 2023 Privacy
Rule NPRM.
A few commenters provided recommendations for ways to educate
individuals regarding their rights under the Privacy Rule.
Response: Although we appreciate the comments on this topic, any
modifications to the individual access right to direct are beyond the
scope of this rulemaking. We reiterate here that covered entities and
their technology vendors that meet the definition of business
associates must ensure that valid business associate agreements are in
place,\278\ and we urge them to facilitate individuals' awareness of
the risks of using third-party consumer apps that are not regulated by
HIPAA.\279\ The Department continues to appreciate the identification
of better education resources for individuals and health care providers
and commits to providing educational resources through its website,
regional offices, and webinars.
---------------------------------------------------------------------------
\278\ For information about what a business associate is and the
requirements for business associate agreements, see Off. for Civil
Rights, ``Business Associate Contracts,'' U.S. Dep't of Health and
Human Servs. (Jan. 25, 2013), https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
\279\ Off. for Civil Rights, ``Protecting the Privacy and
Security of Your Health Information When Using Your Personal Cell
Phone or Tablet,'' U.S. Dep't of Health and Human Servs. (June 29,
2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
---------------------------------------------------------------------------
2. Adding a New Category of Prohibited Uses and Disclosures
Generally, the Privacy Rule prohibits the use or disclosure of PHI
except as permitted or required by the Privacy Rule. Paragraph (a)(5)
of section 164.502 contains specific purposes for which the Privacy
Rule explicitly prohibits the use and disclosure of PHI. Section
164.502(a)(5)(i) prohibits most health plans from using or disclosing
PHI that is genetic information for underwriting purposes, while 45 CFR
164.502(a)(5)(ii) prohibits a regulated entity from selling PHI, except
when they have obtained a valid authorization from the individual who
is the subject of the PHI.
The Department proposed to add a new paragraph, 45 CFR
164.502(a)(5)(iii), to prohibit regulated entities from using or
disclosing an individual's PHI for certain additional purposes, and to
describe the scope, applicability, and limitations of the prohibition.
Similar to most other
prohibitions within the Privacy Rule, this prohibition would be
purpose-based, rather than a blanket prohibition against uses and
disclosures of certain types of PHI.\280\ The Department's rationale
for this approach was four-fold: (1) to be consistent with the existing
Privacy Rule permissible use and disclosure structure with which
regulated entities are familiar, including the permission to disclose
to law enforcement for certain purposes; (2) to avoid imposing a
requirement on regulated entities that would necessitate the adoption
and implementation of costly technology upgrades to enable data
segmentation;\281\ (3) to recognize that PHI about an individual's
reproductive health care may be used or disclosed for a wide variety of
purposes, and permitting the use or disclosure of PHI for some of those
purposes would erode individuals' ability to trust in the health care
system; and (4) to avoid any misperception that the Department is
setting a standard of care or substituting its judgment for that of
individuals and licensed health care professionals.
---------------------------------------------------------------------------
\280\ 88 FR 23506, 23529-33 (Apr. 17, 2023).
\281\ The Department does not oppose efforts to implement or
employ technology that is capable of segmenting data. Rather, the
Department's proposal was informed by the recognition that the
technology deployed by most regulated entities today is not capable
of doing so.
---------------------------------------------------------------------------
Proposed 45 CFR 164.502(a)(5)(iii)(A) would establish a new
prohibition against the use or disclosure of PHI. Section
(a)(5)(iii)(A)(1) would prohibit the use or disclosure of PHI where the
use or disclosure is for a criminal, civil, or administrative
investigation into or proceeding against any person in connection with
seeking, obtaining, providing, or facilitating reproductive health
care. Section 164.502(a)(5)(iii)(A)(2) would prohibit the use or
disclosure of PHI to identify any person for the purpose of initiating
a criminal, civil, or administrative investigation into or proceeding
against any person in connection with seeking, obtaining, providing, or
facilitating reproductive health care.
The Department proposed 45 CFR 164.502(a)(5)(iii)(B) to explain
that ``seeking, obtaining, providing, or facilitating'' would include,
but not be limited to, expressing interest in, inducing, using,
performing, furnishing, paying for, disseminating information about,
arranging, insuring, assisting, or otherwise taking action to engage in
reproductive health care; or attempting any of the same. As the
Department explained in the 2023 Privacy Rule NPRM, the proposed
prohibition would apply to any request for PHI to facilitate a
criminal, civil, or administrative investigation or proceeding against
any person, or to identify any person to initiate an investigation or
proceeding, where the basis for the investigation, proceeding, or
identification is that the person sought, obtained, provided, or
facilitated reproductive health care that is lawful under the
circumstances in which such health care is provided. The Department
further explained that, consistent with its HIPAA authority, the
prohibition would preempt state or other laws requiring a regulated
entity to use or disclose PHI in response to a court order or other
type of legal process for a purpose prohibited under the proposed rule.
Conversely, the prohibition would not preempt laws that require the use
or disclosure of PHI for other purposes, such as: public health
activities; \282\ investigations of sexual assault committed against an
individual where such use or disclosure is conditioned upon the receipt
of an attestation; or investigations into human and sex trafficking,
child abuse, or professional misconduct or licensing inquiries.\283\
---------------------------------------------------------------------------
\282\ See supra discussion of ``Public health'' for more
information on what constitutes a ``public health activity'' under
the Privacy Rule.
\283\ 88 FR 23506, 23532 (Apr. 17, 2023).
---------------------------------------------------------------------------
The Department also proposed to subject this prohibition to a Rule
of Applicability in 45 CFR 164.502(a)(5)(iii)(C). As the Department
explained, the proposed prohibition in 45 CFR 164.502(a)(5)(iii) would
prohibit a regulated entity from using or disclosing PHI for certain
purposes against any person in connection with seeking, obtaining,
providing, or facilitating reproductive health care that is ``lawful
under the circumstances in which such health care is provided.'' \284\
The Department further explained that it proposed a framework for
regulated entities to determine whether the reproductive health care at
issue was lawful under the circumstances in which such health care was
provided. The proposed language of the Rule of Applicability under this
rule would apply where one or more of three specified conditions exist.
---------------------------------------------------------------------------
\284\ Id. at 23510, 23522, and 23531.
---------------------------------------------------------------------------
The first condition, as proposed in 45 CFR
164.502(a)(5)(iii)(C)(1), addressed reproductive health care provided
outside of the state that authorized the investigation or proceeding
where such health care is lawful in the state where it is provided. In
the proposed rule, we also clarified that the proposal would apply the
prohibition in a situation in which the health care is ongoing, has
been completed, or has not yet been obtained, provided, or facilitated.
The proposed prohibition would recognize that any interest of society
in conducting an investigation or proceeding against a person would
require balancing with, and generally be outweighed by, the interests
of society in protecting the privacy interests of individuals when they
access lawful health care. As discussed above, privacy interests are
heightened with respect to reproductive health care that is lawful
under the circumstances in which it is provided as compared to the
interests of law enforcement, and private parties afforded legal rights
of action, in investigating or imposing liability for actions related
to lawful reproductive health care.
The second condition, proposed in 45 CFR 164.502(a)(5)(iii)(C)(2),
addressed reproductive health care protected, required, or authorized
by Federal law, regardless of the state in which such health care is
provided. It would apply the prohibition to reproductive health care
that is lawful under the applicable Federal law and where the
investigation or proceeding is against any person in connection with
seeking, obtaining, providing, or facilitating reproductive health
care. It would apply, for example, where the underlying reproductive
health care continues to be protected by the Constitution, such as
contraception, or is expressly required or authorized under Federal
law.\285\
---------------------------------------------------------------------------
\285\ See Griswold v. Connecticut, 381 U.S. 479 (1965);
Eisenstadt v. Baird, 405 U.S. 438 (1972); Dobbs, 597 U.S. 345
(Kavanaugh, J., concurring) (Dobbs ``does not threaten or cast doubt
on'' the precedents providing constitutional protection for
contraception).
---------------------------------------------------------------------------
The third condition, proposed in 45 CFR 164.502(a)(5)(iii)(C)(3),
would apply the prohibition when the relevant criminal, civil, or
administrative investigation or proceeding is in connection with any
person seeking, obtaining, providing, or facilitating reproductive
health care that is provided in a state consistent with and permitted
by the law of that same state.
The Department also proposed a Rule of Construction in 45 CFR
164.502(a)(5)(iii)(D) that provided that the proposed prohibition
should not be construed to prohibit a use or disclosure of PHI
otherwise permitted by the Privacy Rule unless such use or disclosure
is primarily for the purpose of investigating or imposing liability on
any person for the mere act of seeking, obtaining, providing, or
facilitating reproductive health care.\286\ The Department proposed the
Rule of Construction to avoid an erroneous interpretation of the
prohibition
[[Page 33011]]
standard, which otherwise could have been construed to prevent
regulated entities from using or disclosing PHI for the purpose of
defending themselves or others against allegations that they sought,
obtained, provided, or facilitated reproductive health care that was
not lawful under the circumstances in which it was provided.
---------------------------------------------------------------------------
\286\ See proposed 45 CFR 164.502(a)(5)(iii)(D). See also 88 FR
23506, 23552-53 (Apr. 17, 2023).
---------------------------------------------------------------------------
Most of the comments addressing the proposed prohibition expressed
support for the Department's purpose-based approach and the principle
that the Privacy Rule should prohibit the use and disclosure of PHI for
a criminal, civil, or administrative investigation into or proceeding
against any person, or to identify any person to initiate a criminal,
civil, or administrative investigation into or proceeding against any
person, in connection with seeking, obtaining, providing, or
facilitating lawful reproductive health care. At the same time, the
Department received many comments that expressed concern about the
proposal's clarity and regulated entities' ability to operationalize
the Rule of Applicability and Rule of Construction. For example,
commenters asserted that to the extent the proposed rule would require
regulated entities to determine whether the requested PHI was about
reproductive health care that was lawful under the circumstances in
which it was provided, making such a determination could be unduly
burdensome when the request was about reproductive health care that was
not provided by the regulated entity that received the request and
could expose them to legal risk in the absence of additional guidance
or a safe harbor. Other commenters expressed concern that applying the
prohibition would undermine the ability of states to enforce their own
health care laws.
Commenters who addressed the proposed Rule of Construction also
expressed confusion about how the Department intended ``primarily'' or
``primarily for the purpose of'' to be interpreted. Many requested
examples of uses and disclosures that were ``primarily'' for the
underlying prohibited purposes. In lieu of the proposal to avoid
liability based on ``the mere act of'' seeking, obtaining, providing,
or facilitating reproductive health care, a few commenters suggested
expanding the proposed definition or modifying existing permissions to
explicitly exclude conduct based solely on seeking, obtaining,
providing, or facilitating certain types of health care.
The Department is finalizing the proposed prohibition that
restricts the ability of regulated entities to use or disclose PHI for
activities with the purpose of investigating or imposing liability on
any person for the mere act of seeking, obtaining, providing, or
facilitating reproductive health care that is lawful under the
circumstances in which it was provided, or to identify any person for
such purposes, with modifications to improve clarity and ease
implementation for regulated entities.
The Department is retaining its purpose-based approach in the final
rule in light of concerns about the ability of regulated entities to
segment certain types of data and in recognition that PHI about an
individual's reproductive health may be reflected throughout an
individual's longitudinal health record, in addition to being
maintained by a wide variety of regulated entities.
As we discussed in the 2023 Privacy Rule NPRM, the Department
recognizes that diseases and conditions that are not directly related
to an individual's reproductive health may be affected by or have
bearing on the individual's reproductive health and the reproductive
health care they are eligible to receive, and vice versa. Thus, it may
be necessary for all types of health care providers to maintain
complete and accurate medical records to ensure that subsequent health
care providers are adequately informed in making diagnoses or
recommending courses of treatment. For example, an individual with a
chronic cardiac or endocrine condition may become pregnant, placing
additional strain on the individual's cardiovascular or endocrine
system. In such cases, it is essential that their cardiologist or
endocrinologist be informed of the pregnancy and consulted as necessary
to ensure appropriate health care is provided to the individual because
such conditions may have bearing on their pregnancy.
Additionally, the final rule revises the prohibition standard at 45
CFR 164.502(a)(5)(iii) by incorporating language from the proposed Rule
of Construction to clarify the purposes for which the Department
prohibits uses or disclosures of PHI. In 45 CFR
164.502(a)(5)(iii)(A)(1) and (2), the Department incorporates the
``mere act of'' language of the proposed Rule of Construction to
clarify that the prohibited uses and disclosures of PHI are tied to
imposing criminal, civil, or administrative liability for the ``mere
act of'' seeking, obtaining, providing, or facilitating reproductive
care and not just ``in connection to'' such acts.\287\ Section
164.502(a)(5)(iii)(A)(1) combines the criminal, civil, or
administrative investigations language from the proposed prohibition
standard with the proposed Rule of Construction to prohibit regulated
entities from using or disclosing PHI for activities conducted for the
purpose of a criminal, civil, or administrative investigation into any
person for the mere act of seeking, obtaining, providing, or
facilitating reproductive health care. Section 164.502(a)(5)(iii)(A)(2)
separates and replaces the ``or proceeding against'' language from the
first condition of the proposed prohibition standard with ``to impose
criminal, civil, or administrative liability on'' and incorporates
language from the proposed Rule of Construction to prohibit regulated
entities from using or disclosing PHI for activities conducted for the
purpose of imposing criminal, civil, or administrative liability on any
person for the mere act of seeking, obtaining, providing, or
facilitating reproductive health care. Similar to proposed 45 CFR
164.502(a)(5)(iii)(A)(2), 45 CFR 164.502(a)(5)(iii)(A)(3) now addresses
the use or disclosure of PHI to identify any person for the activities
described in the other conditions of the prohibition standard. To the
extent the purpose in 45 CFR 164.502(a)(5)(iii)(A)(1) relates to
activities conducted for an investigation, the purpose in 45 CFR
164.502(a)(5)(iii)(A)(2) relates to the activities to impose liability,
including activities that would flow from that investigation, whether
it be in the form of proceedings to consider censure, medical license
revocation, the imposition of fines or other penalties, or detainment
or imprisonment, or the actual imposition of such liability.
---------------------------------------------------------------------------
\287\ Section 164.502(a)(5)(iii)(A)(3) incorporates the same
language by reference to 45 CFR 164.502(a)(5)(iii)(A)(1) and (A)(2).
---------------------------------------------------------------------------
The prohibition against the uses and disclosures of PHI finalized
in 45 CFR 164.502(a)(5)(iii)(A) is subject to the Rule of Applicability
that the Department is finalizing in 45 CFR 164.502(a)(5)(iii)(B). As
discussed in the proposed rule and finalized herein, the Rule of
Applicability modifies the prohibition standard to make clear that the
prohibition encompasses the use or disclosure of PHI for any activities
conducted for the purpose of investigating or imposing liability on any
person for the mere act of seeking, obtaining, providing, or
facilitating reproductive health care that the regulated entity that
has received the request for PHI has reasonably determined is lawful
under the circumstances in which such health care is provided. The
prohibition's
[[Page 33012]]
reference to the ``mere act'' of seeking, obtaining, providing, or
facilitating lawful reproductive health care includes the reasons that
the reproductive health care was sought or provided (e.g., an
investigation into whether a particular abortion was necessary to save
a pregnant person's life would constitute an investigation into the
``mere act'' of seeking, obtaining, providing, or facilitating
reproductive health care). The reference to ``mere act'' operates the
same way with respect to activities conducted to identify any
individual for the purposes described above. This includes but is not
limited to law enforcement investigations, third party investigations
in furtherance of civil proceedings, state licensure proceedings,
criminal prosecutions, and family law proceedings. Examples of
criminal, civil, or administrative investigations or activities to
impose liability for which regulated entities would be prohibited from
using or disclosing PHI would also include a civil suit brought by a
person exercising a private right of action provided for under state
law against an individual or health care provider who obtained,
provided, or facilitated a lawful abortion, or a law enforcement
investigation into a health care provider for lawfully providing or
facilitating the disposal of an embryo at the direction of the
individual.
The Department acknowledges that this final rule will not prohibit
the use or disclosure of PHI in all instances in which persons request
the use or disclosure of PHI for an investigation or to impose
liability on a person for seeking, obtaining, providing, or
facilitating reproductive health care. As discussed extensively in
Section III of this rule, the Privacy Rule has long balanced the
privacy interests of individuals with that of society in obtaining PHI
for certain non-health care purposes. Accordingly, we acknowledge that
in some circumstances, an individual's privacy interest in obtaining
lawful care will outweigh law enforcement's interests in the PHI for
certain non-health care purposes, while in others, law enforcement's
interests in the PHI will outweigh the privacy interests of
individuals. As we discussed above in Section III and in the proposed
rule, recent developments in the legal landscape have made information
about an individual's reproductive health more likely to be sought for
punitive non-health care purposes, such as targeting individuals for
seeking lawful reproductive health care outside of their home state,
and therefore more likely to be subject to disclosure by regulated
entities if the requested disclosure is permitted under the Privacy
Rule. The Department's approach in this rulemaking limits the
application of the prohibition to situations in which reproductive
health care meets one of the conditions of the Rule of Applicability.
Accordingly, the prohibition applies only where individuals' privacy
interests outweigh the interests of law enforcement, and private
parties afforded legal rights of action, in obtaining individuals' PHI
for the non-health care purpose of investigating or imposing liability
for reproductive health care that was not lawful under the
circumstances in which it was provided.
We also acknowledge, as we did in the proposed rule, that in some
circumstances, the Privacy Rule imposes greater restrictions on uses
and disclosures of PHI than state privacy laws, and the prohibition may
delay or hamper enforcement of certain other state laws (e.g., laws
governing access to reproductive health care). Such circumstances were
contemplated by Congress when it enacted HIPAA.\288\ For example, a
state law might require a covered entity to disclose PHI to law
enforcement in furtherance of an investigation, while the final rule
may prohibit such a disclosure. In such cases, the provisions of the
Privacy Rule would preempt the application of contrary provisions of
state law, and the regulated entity could not disclose the PHI.\289\
However, as discussed above in Section III, we reiterate that not all
methods to investigate the lawfulness of reproductive health care are
foreclosed by this rule.
---------------------------------------------------------------------------
\288\ 42 U.S.C. 1320d-7(a)(1) (providing the general rule that,
with limited exceptions, a provision or requirement under HIPAA
supersedes any contrary provision of state law); see also section
264(c)(2) of Public Law 104-191 (codified at 42 U.S.C. 1320d-2 note)
and 45 CFR 160.203.
\289\ See final 45 CFR 164.509, and discussion below.
---------------------------------------------------------------------------
The Department emphasizes that the prohibition does not apply in
circumstances that fall outside of its terms. Where a person requesting
PHI identifies a legal basis for the request beyond the mere act of a
person having sought, obtained, provided, or facilitated reproductive
health care that was lawful under the circumstances in which it was
provided, the prohibition at 45 CFR 164.502(a)(5)(iii) would not apply.
Similarly, if a person obtains reproductive health care that was
unlawful, such health care would not be lawful under the circumstances
in which it was provided, and the prohibition would not apply. Where
the prohibition does not apply, the Privacy Rule permits the requested
PHI to be used or disclosed, provided that the use or disclosure is
otherwise permitted by the Privacy Rule (i.e., the request meets the
requirements of an applicable permission and is accompanied by a valid
attestation as described by 45 CFR 164.509, where required). The
Department reminds the public that persons who request PHI under false
pretenses may be subject to criminal penalties under HIPAA.\290\
---------------------------------------------------------------------------
\290\ See 42 U.S.C. 1320d-6.
---------------------------------------------------------------------------
The Rule of Applicability, as discussed below, vests with the
regulated entity that receives the request for PHI the determination of
whether the reproductive health care was lawful under the circumstances
in which it was provided, and requires that such determination be
reasonable. The regulatory presumption, also discussed below, replaces
the proposed requirement that a regulated entity make a determination
regarding the lawfulness of the reproductive health care where someone
other than the regulated entity that receives the request provided such
health care. The new language requires that the reproductive health
care at issue be presumed lawful under the circumstances in which such
health care is provided when provided by a person other than the
regulated entity receiving the request. This helps to ensure that the
regulated entity is not required to make a determination about the
lawfulness of such health care. The presumption may be overcome if
certain conditions are met.
In the proposed rule, the Department provided examples that remain
helpful in illustrating the operation of the clarified prohibition and
how it continues to permit uses and disclosures for legitimate
interests.\291\ For example, the prohibition does not restrict a
regulated entity from using or disclosing PHI to a health oversight
agency conducting health oversight activities, such as investigating
whether reproductive health care was actually provided or appropriately
billed in connection with a claim for such services, or investigating
substandard medical care or patient abuse.\292\ However, as discussed
above, investigating substandard medical care
[[Page 33013]]
or patient abuse may not be used as a pretext for investigating
reproductive health care for purposes that are otherwise prohibited by
this final rule. In another example, the rule does not bar a regulated
entity from using or disclosing PHI to investigate an alleged violation
of the Federal False Claims Act or a state equivalent based on unusual
prescribing or billing patterns for erectile dysfunction medication.
---------------------------------------------------------------------------
\291\ 88 FR 23506, 23532-33 (Apr. 17, 2023).
\292\ See 45 CFR 164.512(d)(1)(i) through (iv) for health
oversight activities for which the Privacy Rule permits uses and
disclosures of PHI. See also the National Association of Medicaid
Fraud Control Units, described at https://www.naag.org/about-naag/namfcu/.
All 53 federally certified Medicaid Fraud Control Units
voluntarily subscribe to this organization. This final rule does not
interfere with any State's ability to meet their statutory
obligations to combat health care fraud related to Medicaid.
---------------------------------------------------------------------------
This final rule also does not prohibit the use or disclosure of PHI
where the PHI is sought to investigate or impose liability on a person
for submitting a false claim for reproductive health care for payment
to the government. In such a case, the request is not made for the
purpose of investigating or imposing liability on a person for the mere
act of seeking, obtaining, providing, or facilitating reproductive
health care. Instead, the purpose of the request for PHI is to
investigate or impose liability on a person for an alleged violation of
the Federal False Claims Act or a state equivalent.\293\ As another
example, the revised prohibition standard generally does not prohibit
the disclosure of PHI to an Inspector General where the PHI is sought
to conduct an audit aimed at protecting the integrity of the Medicare
or Medicaid Program where the audit is not inconsistent with this final
rule. This is because the request is generally not being made for the
purpose of investigating or imposing liability on a person for the mere
act of providing the reproductive health care itself. The prohibition
also makes clear that the use or disclosure of PHI is permitted where
the purpose of the use or disclosure is to investigate alleged
violations of Federal nondiscrimination laws or abusive conduct, such
as sexual assault, that may occur in connection with reproductive
health care. The prohibition likewise makes clear that the use or
disclosure of PHI is permitted where the purpose of the use or
disclosure is to penalize the provision of reproductive health care
that is not lawful, as defined by the Rule of Applicability at 45 CFR
164.502(a)(5)(iii)(B), as long as a Privacy Rule permission applies.
---------------------------------------------------------------------------
\293\ 31 U.S.C. 3729-3733.
---------------------------------------------------------------------------
Under the prohibition, a regulated entity could respond to a
request for relevant records in a criminal or civil investigation
pursuant to 18 U.S.C. 248 regarding freedom of access to clinic
entrances. Investigations under this provision are conducted for the
purpose of determining whether a person physically obstructed,
intimidated, or interfered with persons providing ``reproductive health
services,'' \294\ or attempted to do so. Thus, they do not involve
investigating or imposing liability on a person for the mere act of
seeking, obtaining, providing, or facilitating reproductive health care
that was reasonably determined to be lawful under the circumstances in
which such health care was provided by the regulated entity that
received the request for PHI.
---------------------------------------------------------------------------
\294\ 18 U.S.C. 248(e)(5) (definition of ``Reproductive health
services'').
---------------------------------------------------------------------------
The final rule retains the proposal's prohibition against the use
or disclosure of PHI for activities conducted for the purpose of
investigating or imposing liability on ``any person'' for the mere act
of seeking, obtaining, providing, or facilitating reproductive health
care that is lawful under the circumstances in which such health care
is provided, or for identifying ``any person'' for such activities.
``Any person'' means, based on the HIPAA Rules' definition of
``person,'' \295\ that the prohibition is not limited to use or
disclosure of PHI for use against the individual; rather, the
prohibition applies to the use or disclosure of PHI against a regulated
entity, or any other person, including an individual or entity, who may
have obtained, provided, or facilitated lawful reproductive health
care.\296\
---------------------------------------------------------------------------
\295\ 45 CFR 160.103 (definition of ``Person'').
\296\ Note that in Section V.A.1, the Department is clarifying
the definition of ``person,'' although that clarification does not
affect the analysis in this paragraph.
---------------------------------------------------------------------------
The Department has always recognized, and continues to recognize, that
there may be a public interest and benefit in disclosing PHI for
limited non-health care purposes, including enforcing duly enacted
laws. The
Department has also always sought to balance competing interests in
individual privacy and the use and disclosure of PHI for particular
purposes in the Privacy Rule. We balance these competing interests by
considering both the harm to individuals that results from the use or
disclosure of PHI (e.g., loss of trust in the health care system,
potential for financial liability or detainment) and the countervailing
interests in disclosure. As discussed above, the Department finds that
the final rule reflects the appropriate balance between these interests
by prohibiting the use and disclosure of PHI for activities conducted
for the purpose of investigating or imposing liability on ``any
person'' for the mere act of seeking, obtaining, providing, or
facilitating reproductive health care that is lawful under the
circumstances in which such health care is provided, or for identifying
``any person'' for such activities.
Accordingly, the final rule adopts, with modifications discussed
below, the proposed Rule of Applicability and re-designates it as 45
CFR 164.502(a)(5)(iii)(B). The final rule text also adds the word
``only'' in 45 CFR 164.502(a)(5)(iii)(B) to make clear that the
prohibition's application is limited to the use or disclosure of PHI
``only'' where one or more of the conditions set forth in the Rule of
Applicability exists.
To address concerns from commenters about how to determine whether
reproductive health care is ``lawful,'' the Department finalizes a
revised Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B).
Specifically, the Rule of Applicability, as finalized, requires that a
regulated entity that receives a request for PHI make a reasonable
determination about the lawfulness of the reproductive health care in
the circumstances in which such health care was provided, where
lawfulness is described by 45 CFR 164.502(a)(5)(iii)(B)(1)-(3). Thus, a
regulated entity that receives the request for PHI must decide whether
it would be reasonable for a similarly situated regulated entity to
determine, as provided in the Rule of Applicability, that the
reproductive health care is lawful under the circumstances in which
such health care is provided.
To make the reasonableness determination, that is, to determine
whether it would be reasonable for a similarly situated regulated
entity to determine that one or more of the conditions of the Rule of
Applicability applies, a regulated entity receiving the request for PHI
must evaluate the facts and circumstances under which the reproductive
health care was provided. Such facts and circumstances include but are
not limited to the individual's diagnosis and prognosis, the time such
health care was provided, the location where such health care was
provided, and the particular health care provider who provided the
health care. This approach is consistent with the current and
longstanding practice under the Privacy Rule, whereby a covered entity
is responsible for determining whether a requested use or disclosure is
permitted under one or more of the permissions set forth in the Privacy
Rule. For example, a regulated entity is permitted to make a use or
disclosure of PHI where ``required by law'' pursuant to 45 CFR
164.512(a). To make a use or disclosure under that permission, the
regulated entity cannot rely on assertions from the person making the
request, but rather, must itself evaluate the relevant law to determine
whether
[[Page 33014]]
the use or disclosure is ``required by law'' and thus permitted under
that permission. As discussed above, the Department recognizes that
this approach may prevent uses or disclosures in support of some law
enforcement investigations (e.g., where a health care provider
reasonably determines that its provision of reproductive health care
was lawful, but where law enforcement reasonably disagrees or does not
provide sufficient factual information for a regulated entity to
determine that there is a substantial factual basis that the
reproductive health care was not lawful under the circumstances in
which such health care was provided). However, we believe that, in
these narrow circumstances, the interests of law enforcement, and
private parties afforded legal rights of action, are outweighed by
privacy interests and that the current approach strikes the appropriate
balance between these competing interests.
The Department is retaining the proposed framework for identifying
the circumstances in which reproductive health care is lawful, and thus
the prohibition applies. However, we are modifying the regulatory text
of the Rule of Applicability to clarify its conditions. As revised, the
regulatory text combines the first and third conditions of the Rule of
Applicability into a revised 45 CFR 164.502(a)(5)(iii)(B)(1) that
focuses on whether the reproductive health care at issue is lawful
under the circumstances in which such health care is provided. Under
the revised condition, the circumstances in which the prohibition
applies are determined by the law of the state in which the health care
is provided.
As proposed in the 2023 Privacy Rule NPRM, the first and third
conditions, when considered together, would have given the impression
that the Department was drawing a distinction between reproductive
health care provided in-state or out-of-state, although outcomes would
have been the same. As the Department explained in the proposed rule,
both the first and third conditions would have prohibited a regulated
entity from using or disclosing PHI where the reproductive health care
was permitted by the law of the state in which it was provided (e.g.,
for pregnancy termination that occurs before a state-specific
gestational limit or under a relevant exception in a state law
restricting pregnancy termination such as when the pregnancy is the
result of rape or incest or because the life of the pregnant individual
is endangered, for reproductive health care that is generally permitted
but must be provided by a specific type of health care professional or
in a certain place of service). The outcome of the analysis remains the
same under this final rule, which combines the first and third
conditions of the Rule of Applicability into one condition. Thus, the
revision improves the clarity of the Rule of Applicability by focusing
solely on whether the reproductive health care was lawful under the
circumstances in which it was provided.
Additionally, the final rule modifies the regulatory text in 45 CFR
164.502(a)(5)(iii)(B)(2) to include an express reference to the U.S.
Constitution as a source of Federal law for determining whether
reproductive health care is lawful under the circumstances in which
such health care is provided. The Department has always intended to
include the U.S. Constitution as a source of Federal law, and the final
regulatory text now explicitly reflects this. The regulatory text also
makes clear that the U.S. Constitution is not the sole source of
Federal law and that Federal statutes, regulations, and policies may be
the relevant legal authority for determining whether the reproductive
health care is protected, required, or authorized under Federal law.
This final rule in no way supersedes applicable state law pertaining to
the lawfulness of reproductive health care.
To address commenters' concerns about obligating regulated entities
to determine whether reproductive health care that occurred outside of
the regulated entity is lawful, the Department is adding a new
presumption provision at 45 CFR 164.502(a)(5)(iii)(C). It presumes the
reproductive health care at issue was lawful under the circumstances in
which such health care was provided when it was provided by a person
other than the regulated entity receiving the request. The presumption
can be overcome where the regulated entity has either actual knowledge,
or factual information supplied by the person requesting the use or
disclosure, that demonstrates a substantial factual basis that the
reproductive health care was not lawful under the specific
circumstances in which it was provided. The first ground to overcome
the presumption--concerning ``actual knowledge''--accounts for
situations where the regulated entity has actual knowledge that the
reproductive health care was not lawful. The second ground to overcome
the presumption--concerning ``factual information''--accounts for
situations where the person making the request has demonstrated to the
regulated entity that there is a substantial factual basis that the
reproductive health care was unlawful under the circumstances in which
such health care was provided. To satisfy the second ground, the
regulated entity must obtain from the person making the request
sufficient threshold factual evidence that demonstrates to the
regulated entity a substantial factual basis that the reproductive
health care was not lawful under the circumstances in which such health
care was provided.
For example, an investigator requests information from a health
plan about claims for coverage of certain reproductive health care
provided by a particular health care provider. The health plan must
presume that the reproductive health care was lawful unless the health
plan has actual knowledge that the reproductive health care was not
lawful or the investigator supplied information that demonstrates a
substantial factual basis to believe that the reproductive health care
was not lawful under these circumstances. The latter condition could be
met where the investigator provides the regulated entity with various
types of documentation. For example, persons requesting PHI could
provide the regulated entity with affidavits supplied by complainants
that contain the circumstances under which the reproductive health care
was provided. In this example, the presumption would be overcome, and
the health plan would be permitted to use or disclose the PHI, assuming
that all applicable conditions of the Privacy Rule were otherwise met.
In contrast, if the investigator requests the same information but only
provides an anonymous report of a particular health care provider
providing reproductive health care that is not lawful under the
circumstances in which it is provided, the health plan would not have a
substantial factual basis to believe that the reproductive health care
was not lawful. Accordingly, this final rule would prohibit the health
plan from disclosing the requested PHI unless the investigator provides
sufficient information to overcome the presumption and the use or
disclosure is otherwise permitted by the Privacy Rule. The conditions
of making the use or disclosure would include, as described elsewhere
in this final rule, obtaining a valid attestation if the relevant
permission requires one.
The Department emphasizes that, as demonstrated by the numerous
comments on this issue, this regulatory presumption is necessary for
workability by the regulated entities subject to this final rule. We
recognize that when a regulated entity did not provide the reproductive
health care at
[[Page 33015]]
issue, it may not have access to all of the relevant information,
including medical records with the necessary information, to determine
whether prior reproductive health care obtained by an individual was
lawful. We clarify that regulated entities are not expected to conduct
research or perform an analysis of an individual's PHI to determine
whether prior reproductive health care was lawful under the
circumstances in which it was provided when such health care was
provided by someone other than the regulated entity that receives the
request for the use or disclosure of PHI.
We also reiterate that this final rule is intended to support and
clarify the privacy interests of individuals availing themselves of
lawful reproductive health care, and not to thwart the interests of
states in conducting lawful investigations or imposing liability on the
provision of unlawful reproductive health care. While this new
regulatory presumption may make it more difficult for a state to
investigate whether reproductive health care was unlawful under the
circumstances in which it was provided (e.g., when other sources of
information that is not PHI are unavailable), as discussed above, the
Department has considered those interests and determined that the
effects are justified by countervailing privacy benefits. Moreover, as
also explained above, society's interest in obtaining PHI in such
circumstances is reduced, particularly in light of its continued
ability to obtain information from other sources. The Department also
emphasizes that it is not applying a blanket presumption that all
reproductive health care reflected in a regulated entity's records was
lawful under the circumstances in which it was provided. Instead, the
presumption applies only where the reproductive health care at issue is
provided by someone other than the regulated entity that received the
request for the use or disclosure of PHI, and it may be overcome in the
circumstances identified above.
In contrast, where a request for PHI is made to the regulated
entity that provided the relevant reproductive health care, the
regulated entity is responsible for determining whether it provided
reproductive health care that was lawful under the circumstances in
which it was provided, including, as discussed above, a review of all
available relevant evidence bearing on whether the reproductive health
care was lawful under the circumstances in which it was provided. If
the regulated entity reasonably determines that the health care was
lawfully provided, the prohibition applies, and the regulated entity
may not make the use or disclosure.
To illustrate how the presumption would apply, consider a hospital
that has PHI about the provision of reproductive health care by a
different facility. The hospital is not expected to conduct research or
perform analysis into whether reproductive health care obtained at a
different facility from another health care provider was lawful under
the circumstances in which such health care was provided. Accordingly,
the regulated entity, if it receives a request for PHI to which the
prohibition at 45 CFR 164.502(a)(5)(iii) may apply, is not expected to
review the individual's PHI to determine the lawfulness of the prior
reproductive health care. In such situations, the regulated entity is
also not expected to research other states' laws to determine whether
the reproductive health care was lawful under the circumstances in
which it was provided, nor is it expected to consult with an
attorney to do the same. Rather, the presumption standard allows the
regulated entity to limit its review to information supplied by the
person making the request for the use or disclosure of PHI where the
request addresses reproductive health care provided by someone other
than the regulated entity receiving the request. Thus, a regulated
entity that did not provide the reproductive health care must presume
that the reproductive health care was lawful under the circumstances in
which it was provided unless the conditions of rebutting the
presumption are met.
Consider a different example in which a law enforcement official
from State A issues a subpoena to a hospital in State A to request the
PHI of an individual from State A who is suspected of obtaining
reproductive health care in State B that would have been unlawful under
the law of State A if provided there. The hospital did not provide the
reproductive health care in question, nor did the individual provide
information to the hospital about who may have provided such health
care. At the time the law enforcement official issues the subpoena, the
individual is no longer in the hospital, nor is the individual
receiving treatment at the hospital. Additionally, the law enforcement
official provided no information in the subpoena that would make it
reasonable for the hospital to determine that the reproductive health
care at issue was not lawful in the circumstances in which it was
provided, that is, to determine that the reproductive health care was
not lawful under the law of State B or was not protected, required, or
authorized by Federal law. In this case, the hospital did not have
actual knowledge that, nor did the information supplied to it by the
law enforcement official making the request demonstrate to the hospital
a substantial factual basis that, the individual had previously
received unlawful reproductive health care; therefore, the reproductive
health care is presumed to have been provided under circumstances in
which it was lawful to provide such health care. Accordingly, this
final rule would prohibit the hospital from disclosing the requested
PHI unless the law enforcement official provides sufficient information
to overcome the presumption and the use or disclosure is otherwise
permitted by the Privacy Rule. This includes, as described elsewhere in
this final rule, receipt of a valid attestation if the relevant
permission requires one.
Conversely, if the hospital is provided with factual information
that demonstrates a substantial factual basis that the reproductive
health care at issue was not lawful under the specific circumstances in
which such health care was provided, the presumption would be overcome.
When a presumption is overcome or rebutted, the Rule of Applicability
at 45 CFR 164.502(a)(5)(iii)(B) cannot be satisfied (i.e., the
regulated entity has actual knowledge, or has received factual
information from the person requesting the PHI to determine that there
is substantial factual basis to believe, that the reproductive health
care was not lawful under the circumstances in which it was provided),
and thus, the use or disclosure would not be prohibited under the final
rule. As such, the Privacy Rule would permit, but would not require,
the hospital to disclose the PHI in response to the subpoena where the
use or disclosure meets the requirements of an applicable permission,
including the receipt of a valid attestation where required.
In another example, a law enforcement agency, as part of its
investigation of a health care provider for providing reproductive
health care, presents a covered entity's business associate, such as a
cloud service provider, with a subpoena for the PHI of an individual
who received such health care from that provider. The
PHI is encrypted, and the business associate does not have the key to
decrypt it or is not permitted under the terms of its business
associate agreement with the covered entity to decrypt the PHI. Thus,
the business associate lacks a complete view of the individual's PHI
and did not provide
[[Page 33016]]
the underlying reproductive health care. Additionally, the business
associate has no actual knowledge that the reproductive health care was
unlawful, nor did the person requesting the PHI supply it with
information that demonstrates to the business associate a substantial
factual basis that the reproductive health care was not lawful under
the specific circumstances in which such health care was provided. In
such a case, the presumption that the reproductive health care at issue
was lawful applies. If the law enforcement agency does not present more
information to overcome the presumption, the Privacy Rule prohibits the
business associate from disclosing the requested PHI in response to the
subpoena, even if the law enforcement agency has provided an
attestation; in this circumstance, the attestation would not be valid
because the disclosure is for a purpose that is prohibited by 45 CFR
164.502(a)(5)(iii).
The presumption serves a different purpose than the attestation,
which is required when there is a request for PHI potentially related
to reproductive health care for certain permitted purposes under the
Privacy Rule, as discussed further below. In contrast with the
attestation, the presumption applies only where a request for PHI
involves a purpose prohibited under 45 CFR 164.502(a)(5)(iii) and the
reproductive health care at issue was provided by someone other than
the regulated entity that received the request for PHI, so the
regulated entity does not have first-hand knowledge of the
circumstances in which the reproductive health care was provided.
Because the situations in which the presumption applies involve
purposes prohibited under 45 CFR 164.502(a)(5)(iii), it is not
reasonable for a regulated entity to rely, without additional
information, on a statement from the person requesting the use or
disclosure, including the statement required in the attestation by 45
CFR 164.509(b)(1)(ii), that the request is not made for a prohibited
purpose or that the underlying reproductive health care was unlawful.
Thus, such statement alone does not satisfy 45 CFR
164.502(a)(5)(iii)(C)(2). However, if a person requesting the use or
disclosure of PHI provides the regulated entity with sufficient
information, separate and distinct from the attestation itself, that
demonstrates to the regulated entity a substantial factual basis that
the reproductive health care was not lawful under the specific
circumstances in which such health care was provided, the presumption
would be overcome; in this scenario, the Privacy Rule would permit, but
would not require, the regulated entity to disclose the PHI in response
to the subpoena. The presumption may also be overcome by, for example,
a spontaneous statement from the individual about the circumstances
under which they obtained reproductive health care.
As we explained above, this final rule, consistent with the
Department's longstanding approach to the Privacy Rule, balances
competing interests between the privacy expectations of individuals and
society's interests in PHI for certain non-health care purposes. For
example, since its inception, the Privacy Rule has permitted a covered
entity to rely, if such reliance is reasonable under the circumstances,
on a requested disclosure as the minimum necessary for the stated
purpose when making disclosures to public officials that are permitted
under 45 CFR 164.512, if the public official represents that the
information requested is the minimum necessary for the stated
purpose(s).\297\ Elsewhere in the Privacy Rule, covered entities are
required to make a determination of whether it is ``reasonable under
the circumstances'' to rely on documentation, statements, or
representations from a person requesting PHI to verify the identity of
the person requesting PHI and the authority of the person to access the
PHI.\298\ In the case of public officials, we have previously explained
that covered entities must verify the identity of the request by
examination of reasonable evidence, such as a written statement of
identity on agency letterhead, an identification badge, or similar
proof of official status. In addition, where explicit written evidence
of legal process or other authority is required before disclosure may
be made, a public official's proof of identity and oral statement that
the request is authorized by law are not sufficient to constitute the
required reasonable evidence of the legal process or authority.\299\ In
both instances, the Privacy Rule permits regulated entities to rely on
representations made by public officials where it is reasonable to do
so but makes clear that in some instances, documentary or other
evidentiary proof is needed.\300\
---------------------------------------------------------------------------
\297\ See 45 CFR 164.514(d)(3)(iii)(A) and 65 FR 82462, 82545,
and 82547 (Dec. 28, 2000).
\298\ 45 CFR 164.514(h)(2) and 65 FR 82462, 82546-47 (Dec. 28,
2000).
\299\ See 45 CFR 164.514(h) and 65 FR 82462, 82546-47 (Dec. 28,
2000).
\300\ See 65 FR 82462, 82545 (Dec. 28, 2000) (``[. . .] covered
entities making disclosures to public officials that are permitted
under Sec. 164.512 may rely on the representations of a public
official that the information requested is the minimum
necessary.''); see also id. at 82547 (further discussing
verification of identity and authority of persons requesting PHI in
45 CFR 164.514(h) and the requirements in 45 CFR 164.512 for the
circumstances under which covered entities must make reasonable
determinations about the sufficiency of proof of identity and
authority based on documentary evidence, contrasted with a
reasonable reliance on verbal representations when necessary to
avert a pending emergency or imminent threat to the health or safety
of a person or the public pursuant to 45 CFR 164.512(j)(1)(i)).
---------------------------------------------------------------------------
In this final rule, the Department has enshrined the requirement
that a regulated entity make a reasonable determination of whether PHI
should be disclosed in response to a request from law enforcement, or
other official, in regulatory text and determined that it is not
reasonable to rely solely on representations of law enforcement or
other officials without a written attestation. This approach is due to
the high potential for harm to the individual who is the subject of the
PHI or to persons who are subject to liability for the mere act of
seeking, obtaining, providing or facilitating reproductive health care.
Further, as we discussed above, even in the scenario where a state
official seeks PHI to investigate whether the underlying reproductive
health care was unlawful, a regulated entity's reasonable determination
that the conditions of the prohibition set forth in the Rule of
Applicability are met means that the prohibition applies and the
regulated entity is prohibited from using or disclosing the PHI. This
does not foreclose the ability of state officials to investigate the
circumstances surrounding the provision of the reproductive health
care, including through the collection of information from sources that
are not regulated under HIPAA, to determine whether a health care
provider or other person may have acted unlawfully. Rather, this final
rule prohibits the use or disclosure of PHI when it is being used to
investigate or impose liability on a person for the mere act of
seeking, obtaining, providing, or facilitating lawful reproductive
health care, or to identify any person to initiate such activities.
Indeed, the individual's privacy interests are especially strong where
individuals seek lawful reproductive health care and risk either
avoiding such lawful health care or being less than truthful with their
health care providers because they fear that their PHI will be
disclosed.
The Department is re-designating proposed 45 CFR
164.502(a)(5)(iii)(B) as 45 CFR 164.502(a)(5)(iii)(D) and modifying it
in response to the
[[Page 33017]]
commenters who provided examples of situations where they could
reasonably expect to receive a request for PHI that might relate to
``seeking, obtaining, providing, or facilitating reproductive health
care.'' To address these concerns, the Department is revising the list
of activities in 45 CFR 164.502(a)(5)(iii)(D) that explain the scope of
actions taken by persons that the Department is protecting against
impermissible requests for PHI. Specifically, the Department is adding
the terms ``administering,'' ``authorizing,'' ``providing coverage
for,'' ``approving,'' and ``counseling about'' to the current list of
descriptive activities in the proposed rule and removing ``inducing''
from the list. We are removing ``inducing'' from the list in response
to concerns from commenters that the prohibition might apply in
circumstances where individuals are coerced to obtain reproductive
health care. It was never the Department's intention for the
prohibition on the use or disclosure of PHI to apply in such
circumstances. Rather, we intended it to refer to situations in which a
health care provider ``induces'' labor under circumstances in which
such health care is lawful; however, we believe our intended meaning of
``inducing'' is encompassed in other terms in the list. The revised
list better explains the type of activities in which a person may be
engaged and about which the Department intends to prevent the use or
disclosure of PHI.
The Department is not finalizing a separate Rule of Construction
because the need is obviated by incorporating the key content into the
prohibition itself at 45 CFR 164.502(a)(5)(iii). The Department
proposed the Rule of Construction to clarify that 45 CFR
164.502(a)(5)(iii) should not be construed to prohibit a use or
disclosure of PHI otherwise permitted by the Privacy Rule unless such
use or disclosure is ``primarily for the purpose of'' investigating or
imposing liability on any person for the mere act of seeking,
obtaining, providing, or facilitating reproductive health care. By
incorporating the Rule of Construction into the main standard and
removing the proposed ``primarily for the purpose of'' language, the
Department now more clearly conveys its intent to prohibit the use and
disclosure of PHI for the specified purposes only when it relates to
the ``mere act of'' seeking, obtaining, providing, or facilitating
reproductive health care. As discussed in greater detail below in our
responses to comments, this change is designed to reduce confusion for
regulated entities about how to reconcile and apply the Rule of
Construction with the main prohibition standard and does not change the
scope of the prohibition as proposed. The revisions and restructuring
of regulatory text formerly included in the Rule of Construction
improve readability and reduce redundancy. Likewise, the final rule
incorporates other minor wording changes to improve readability and
updates regulatory text references to other paragraphs to accurately
reflect the organization of this section.
Comment: Many commenters expressed support for the Department's
proposal to create a new category of prohibited uses and disclosures
about reproductive health care. A few of these commenters explained the
rationale for their support as based on the proposed approach's balance
of preventing harm to individuals from certain uses and disclosures and
permitting beneficial uses and disclosures, while providing regulated
entities with clarity with respect to when uses and disclosures of PHI
would be permitted.
A few commenters agreed with the Department's view that a purpose-
based prohibition is preferable to other approaches to protecting the
privacy of individuals that would require labeling or segmenting of
PHI. Other commenters focused on how the proposal would better
facilitate HIPAA's goals of providing high-quality health care and
encouraging the flow of information to covered entities.
Response: The approach we are taking in this final rule preserves
the ability of regulated entities to use and disclose PHI for permitted
purposes while also enhancing protections for PHI, to strike the
appropriate balance between privacy interests and other societal
interests, including law enforcement. As discussed above, the
Department's approach will lead to numerous benefits associated with
enhanced privacy protections.
Comment: A few commenters asserted that the Department's proposal
would provide a consistent standard for all states to follow.
Response: The Department believes this final rule will provide
clear standards for regulated entities, especially health care
providers, by incorporating the prohibition into the Privacy Rule.
However, we stress that the prohibition attaches only to requests for
uses and disclosures that are for a prohibited purpose where the
reproductive health care is lawful under the circumstances in which
such health care is provided. Different states and localities have
promulgated different standards for the lawfulness of reproductive
health care.
Comment: A few commenters expressed their appreciation that the
proposal encompassed a broad range of reproductive health care and
explained the importance of ensuring that a final rule protects any
health information about reproductive health care.
Response: As the Department acknowledged in the 2023 Privacy Rule
NPRM, many routine medical examinations and treatments could involve
PHI about an individual's reproductive health or reproductive organs
and systems. This final rule is not limited to PHI about abortion. The
Department recognized the impracticability of attempting to parse out
the types of reproductive health care that should be subject to the
prohibition and those that should not be. For this reason, and in
keeping with the existing scheme of the Privacy Rule, the Department
proposed and is finalizing a purpose-based approach to prohibiting the
use and disclosure of any PHI for use against any person for seeking,
obtaining, providing, or facilitating reproductive health care that is
lawful under the circumstances in which such health care is provided. A
regulated entity that receives a request for PHI is charged with making
a reasonable determination of whether the conditions of lawfulness set
forth in the Rule of Applicability apply. To further assist regulated
entities in understanding the broad scope of ``reproductive health
care,'' we provide in the preamble a non-exclusive list of examples
that fit within the definition.
Comment: Some commenters expressed opposition to this proposal,
asserting that the proposed new category would interfere with the
enforcement of state laws that restrict or regulate abortion or that
the proposal would make it more difficult for regulated entities to
determine whether a requested use or disclosure of PHI is permitted
under the Privacy Rule because it lacked sufficient specificity.
Response: The Department is finalizing a narrowly tailored
prohibition that will only apply when an individual's privacy interest
in lawfully obtained reproductive health care outweighs society's
interest in obtaining PHI for non-health care purposes. As discussed
above, the Department has adopted an approach that strikes the
appropriate balance between privacy interests and other interests,
including law enforcement interests in accessing PHI to investigate or
impose liability on persons for seeking, obtaining, providing, or
facilitating reproductive health care that
[[Page 33018]]
is unlawful under the circumstances in which such health care is
provided. To help regulated entities operationalize the prohibition,
the Department is finalizing an attestation requirement in 45 CFR
164.509 in which persons requesting PHI under a permission that is
most likely to be used to request PHI for a purpose prohibited by 45
CFR 164.502(a)(5)(iii) must attest that the request is not subject to
the prohibition. The Department acknowledges that requests for a
purpose prohibited by 45 CFR 164.502(a)(5)(iii) may be made pursuant to
another applicable permission and reminds regulated entities that they
must evaluate all requests made by a third party for the use or
disclosure of PHI to ensure that they are not for a prohibited purpose.
Requests not subject to the prohibition would still be subject to the
conditions of the relevant permissions in the Privacy Rule. When
requests for PHI meet the conditions for permissions in the Privacy
Rule, including conditions specified in 45 CFR 164.512, regulated
entities are permitted to use and disclose PHI in accordance with such
permissions.
Moreover, as we describe above, the Department is modifying the
final rule to clarify that the prohibition restricts the use and
disclosure of PHI for the enumerated purposes when connected to the
``mere act of'' seeking, obtaining, providing, or facilitating
reproductive health care. Thus, the prohibition does not prevent the
use or disclosure of the PHI about reproductive health care obtained by
an individual in all circumstances. Rather, it prevents the use or
disclosure of PHI when the purpose of the disclosure is to investigate
or impose liability on a person because they sought, obtained,
provided, or facilitated reproductive health care that was lawful under
the circumstances in which such health care was provided, as determined
by the regulated entity that received the request for PHI. For example,
a regulated entity would not be prohibited from disclosing an
individual's PHI when subpoenaed by law enforcement for the purpose of
investigating allegations of sexual assault by or of the individual,
assuming that law enforcement provided a valid attestation and met the
other conditions of the permission under which the request was made.
Comment: A commenter expressed opposition to the proposal and
asserted that it relied on the assumption that it would be readily
apparent or ascertainable whether particular reproductive health care
was lawfully provided. According to this commenter, persons who violate
the law have an interest in concealing their activity, and the proposal
would impede law enforcement investigations to determine whether
lawbreaking has occurred. Additionally, the commenter expressed their
concern that the proposal would represent a departure from the Privacy
Rule's existing approach to law enforcement investigations and
proceedings.
Response: The Department is finalizing a regulatory presumption to
address the narrow circumstance of when lawfulness is not readily
apparent to a regulated entity that is the recipient of a request for
the use or disclosure of PHI when the regulated entity did not provide the
underlying reproductive health care. As we explained above, this final
rule is intended to support and clarify the privacy interests of
individuals availing themselves of lawful reproductive health care, and
not to thwart the interests of states and the Federal government in
conducting lawful investigations or imposing liability on the provision
of unlawful reproductive health care. While this new regulatory
presumption may make it more difficult for law enforcement officials to
investigate whether reproductive health care was unlawful under the
circumstances in which it was provided (e.g., when other sources of
information that is not PHI are unavailable), the Department has
considered those interests and determined that the effects are
justified by countervailing privacy benefits. We also reiterate here
that the presumption is not a blanket presumption. It only applies
where the reproductive health care at issue is provided by someone
other than the regulated entity that received the request for the use
or disclosure of PHI, and it may be overcome in the circumstances
identified above.
We note that the Privacy Rule has always permitted and continues to permit
regulated entities to disclose PHI for law enforcement purposes,
subject to certain conditions or limitations. In this final rule, the
Department has found that changes in the legal landscape now
necessitate codifying a prohibition against uses and disclosures for
the purposes specified in 45 CFR 164.502(a)(5)(iii)(A), subject to the
Rule of Applicability in 45 CFR 164.502(a)(5)(iii)(B). The Department
is not otherwise changing the existing permissions in the Privacy Rule
that permit regulated entities to use or disclose PHI for law
enforcement purposes and other important non-health care purposes,
except as discussed elsewhere in this rule. These purposes include when
PHI is required by law to be disclosed for purposes other than those
prohibited by this final rule, for public health and health oversight
activities, for other law enforcement purposes not in conflict with
this rulemaking, for reports of child abuse, about decedents when not
prohibited by this final rule, and other purposes specified in the
Privacy Rule.
In particular, in the 2023 Privacy Rule NPRM, the Department
discussed the interaction of this rule with HIPAA's statutory
preemption provisions \301\ and explained that it was necessary to
preempt state laws that require the use and disclosure of PHI for the
purposes prohibited by this rule to give effect to the prohibition
consistent with HIPAA. As discussed above, to achieve the purpose for
which HIPAA was enacted, to enable the electronic exchange of
identifiable health information, we must protect the privacy of that
information to further individuals' trust in the health care system. As
finalized, the prohibition is limited only to circumstances in which
the privacy interests of an individual and the interests of society in
an effective health care system outweigh society's interest in
obtaining PHI for non-health care purposes.
---------------------------------------------------------------------------
\301\ See 88 FR 23506, 23530 (Apr. 17, 2023).
---------------------------------------------------------------------------
Comment: A commenter stated that, to the extent the ability of a
state to determine whether to investigate or bring a proceeding is
based on information in the possession of a regulated entity, the
proposed rule did not adequately address a state's need to regulate the
medical profession and health care facilities.
Response: As finalized, the prohibition prevents the use and
disclosure of PHI for certain purposes where a person sought, obtained,
provided, or facilitated reproductive health care that is lawful under
the circumstances in which such health care is provided. As discussed
above, the final rule strikes the appropriate balance between privacy
interests and other interests. Public officials remain free to
investigate the provision of health care by seeking information from
non-covered entities. Moreover, the prohibition does not prevent a
state from enforcing its laws. Instead, it protects the privacy of
individuals' PHI in certain circumstances.
Comment: A few commenters expressed concern that the proposed
prohibition may also affect the enforcement of Federal laws.
Response: The Department has consulted extensively with other
Federal agencies and officials in the
[[Page 33019]]
development of this rule, including the Attorney General, and does not
believe that this rule will impede the enforcement of Federal laws. As
discussed above, this rule carefully balances privacy and other
interests, applying only in certain narrowly tailored situations.
Comment: Numerous commenters recommended that the Department expand
the scope of the proposed prohibition to include other or all types of
stigmatized health care. A few commenters recommended expanding the
proposed prohibition to all health care or to provide individuals the
ability to prevent the disclosure of their PHI through HIEs.
Generally, commenters supporting expansion of the proposal's scope
expressed the belief that it was necessary for HIPAA to promote trust
between individuals and health care providers and to improve health
care quality and outcomes.
Several commenters explained that persons seeking, obtaining,
providing, or facilitating other types of health care are facing the
same challenges as described in the proposal with respect to
reproductive health care, including health care obtained outside of the
health care system, and provided examples of such challenges. Many
commenters also made recommendations for how the Department should
address those challenges.
Response: The Department is issuing this final rule to protect the
privacy of PHI when it is sought for activities to investigate or
impose liability on persons for the mere act of seeking, obtaining,
providing, or facilitating lawful reproductive health care. Lawfulness
is based on a reasonable determination made by a regulated entity that
has received a request for PHI for one of the purposes specified at 45
CFR 164.502(a)(5)(iii)(A) that at least one of the conditions in the
Rule of Applicability applies. We are finalizing a prohibition that is
not specific to certain procedures, laws, or types of providers.
Rather, the prohibition we finalize here requires regulated entities to
consider the purpose of the requested use or disclosure. To the extent
that the specific types of health care referenced by commenters above
meet the definition of reproductive health care, this final rule will
prevent the disclosure of PHI where it is sought for activities with
the purpose of investigating or imposing liability on any person for
the mere act of seeking, obtaining, providing, or facilitating
reproductive health care that is lawful under the circumstances in
which it is provided. In adopting a purpose-based prohibition, the
Department has chosen an administrable standard that reflects the
appropriate balance between protecting individuals' privacy interests
and allowing the use or disclosure of PHI in support of other important
societal interests. Additional privacy protections for information
about SUD treatment may be afforded to PHI in Part 2 records under Part
2.\302\
---------------------------------------------------------------------------
\302\ See 42 CFR part 2 and the 2024 Part 2 Rule for more
information about Part 2 and the protections afforded to Part 2
records.
---------------------------------------------------------------------------
Comment: In response to the Department's specific request about
whether it should require a regulated entity to obtain an individual's
authorization for any uses and disclosures of ``highly sensitive PHI''
or otherwise address such a defined category of PHI in the Privacy
Rule, a few commenters urged the Department to expand the proposed
prohibition to protect all people at risk of criminal or other
investigation for use of essential health care or care, services, or
supplies related to the health of the individual that could expose any
person to civil or criminal liability. Several commenters recommended
that the Department expand the scope of the proposed prohibition to,
variously, all ``highly sensitive health information,'' ``sensitive
personal health care,'' ``highly sensitive PHI,'' or ``highly sensitive
PHI and restricted health care service'' because of the potential harms
that could result if such health information were to be disclosed
without stringent privacy safeguards.
Several commenters asserted that creating a category of or separate
standard for ``highly sensitive PHI'' would cause significant confusion
because it would be difficult to define in a commonly understood
manner. According to these commenters, this would make compliance more
challenging and costly and further decrease the individual's privacy. A
few commenters expressed concern that creating a special category of
highly sensitive PHI would further stigmatize certain types of health
care.
Several commenters expressed concern that prohibiting or limiting
uses or disclosures of highly sensitive PHI for certain purposes may
negatively affect efforts to eliminate the need for data segmentation,
such as efforts to align the Privacy Rule and Part 2; reduce or
eliminate stigmatization of certain health conditions and diagnoses;
and improve health care management and health care coordination.
Response: We appreciate these comments and generally agree with
commenters who expressed concern that the Privacy Rule should address
the shifting legal landscape to ensure that it continues to protect
PHI, regardless of how the PHI is transmitted or maintained. We also
agree that to the extent possible, the Privacy Rule should promote
administrative efficiency and disincentivize adverse actions by health
care providers grounded in fear of prosecution or legal risks arising
from providing lawful health care to individuals, which may erode
patients' trust and confidence in the health care system and deter them
from seeking lawful health care. The Department's approach to
promulgating a narrowly tailored prohibition focused on clarifying the
use and disclosure of PHI for the purposes prohibited by this final
rule accomplishes these goals. As we explained in the 2023 Privacy Rule
NPRM and re-affirm in this final rule, recent developments in the legal
environment have made information about lawful reproductive health care
sought by or provided to an individual more likely to be of interest
for punitive non-health care purposes, and thus more likely to be used
or disclosed if sought for a purpose permitted under the Privacy Rule
today. As explained, the Department has identified concerns that the
use or disclosure of PHI for the prohibited purposes in this rule would
erode individuals' trust in the privacy of legal reproductive health
care. Such erosion would negatively affect relationships between
individuals and their health care providers, result in individuals
forgoing needed treatment, and make individuals less likely to share
pertinent health concerns with their health care providers. Modifying
the Privacy Rule to focus on and address this shifting landscape is the
most efficient way to return to a regulatory landscape that is balanced
and consistent with the goals of HIPAA.
We do not believe that it is necessary to modify the Privacy Rule
to prohibit the use and disclosure of PHI for any criminal, civil, or
administrative investigation or effort to impose criminal, civil, or
administrative liability related to all health care, services, or
supplies. Sections 164.512(e) and (f) already set forth the specified
conditions under which regulated entities may disclose PHI for judicial
and administrative proceedings and law enforcement purposes.
We decline to modify the prohibition to apply it to the use and
disclosure of ``highly sensitive PHI.'' We are persuaded by commenters
who voiced concern about the feasibility of defining the phrase such
that regulated entities would be able to understand and
[[Page 33020]]
operationalize it. We also find persuasive comments about the
compliance burden that would result from implementing such a
prohibition. While PHI about reproductive health care may be found
throughout an individual's record and may be collected or maintained by
multiple types of providers, the term ``reproductive health care'' is
defined in a manner that is clearly connected to the reproductive
system, its functions, and processes.\303\
---------------------------------------------------------------------------
\303\ See the finalized definition of ``Reproductive health
care'' at 45 CFR 160.103.
---------------------------------------------------------------------------
In contrast, applying the prohibition to all ``highly sensitive
PHI'' or any use or disclosure of PHI that results in harm, stigma, or
adverse result for an individual would be unworkable because of lack of
consensus about how to define such categories and would likely create
the issues with segmentation and care coordination discussed above. As
discussed above, the purpose of this final rule and narrowly crafted
prohibition is to adopt the appropriate balance in the Privacy Rule
between protecting individuals' privacy and permitting PHI to be used
and disclosed for other societal benefits. The commenters' objectives
reflect a desire to protect individuals, but their discussion does not
properly account for other societal interests that are supported by
certain disclosures of PHI, interests that the Privacy Rule has
balanced since its inception.
Comment: A commenter requested that the Department clarify that
state laws may protect the privacy of health information when the
Privacy Rule does not apply, such as when individuals' health
information is in the possession of a person that is not a regulated
entity, such as a friend or family member, or is stored on a personal
cellular phone or tablet.
Response: HIPAA provides the Department with the authority to
protect the privacy and security of IIHI that is maintained or
transmitted by covered entities, and in some cases, their business
associates. Other laws may apply where the HIPAA Rules do not. Guidance
on protecting the privacy and security of health information when using
a personal cell phone or tablet is available on OCR's website.\304\
---------------------------------------------------------------------------
\304\ See Off. for Civil Rights, ``Protecting the Privacy and
Security of Your Health Information When Using Your Personal Cell
Phone or Tablet,'' U.S. Dep't of Health and Human Servs. (June 29,
2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
---------------------------------------------------------------------------
Comment: Many commenters cited potential operational challenges
with the proposed prohibition and confirmed that current health IT
generally does not provide regulated entities with the ability to
segment PHI into specific categories afforded special protections. A
few commenters recommended that the Department work with EHR vendors to
modernize health care data management platforms to better address data
segmentation, while others recommended that the Department ensure
interagency coordination of data segmentation policies and provide
individuals with a granular level of control over their PHI.
A few commenters requested that the Department address concerns
about the interaction between the minimum necessary standard and this
final rule.
A commenter asserted that privacy protections that do not account
for individual privacy preferences would result in individuals
withholding information from their health care providers, and some
health care providers electing not to generate or document certain
information from or about individuals.
Response: The prohibition, as finalized, should not implicate
additional data segmentation concerns beyond those that already exist.
We acknowledge the low adoption rate of data segmentation standards and
challenges related to the technical and administrative feasibility of
data segmentation (e.g., costs), and as discussed above, are finalizing
a purpose-based approach to address such concerns. The Department
continues its active engagement, particularly through ONC, to identify
robust data sharing standards that facilitate appropriate privacy
controls.
With respect to concerns about the Privacy Rule minimum necessary
standard, we do not anticipate that this final rule will affect the
ability of regulated entities subject to the standard to comply. First,
the prohibition is applicable only to the uses and disclosures for the
purposes specified in 45 CFR 164.502(a)(5)(iii). Regulated entities
must make reasonable efforts to limit the use or disclosure of PHI
pursuant to 45 CFR 164.512, other than 45 CFR 164.512(a), to the
minimum amount of PHI necessary to accomplish the intended purpose of
the use, disclosure, or request.\305\ Regulated entities are required
to have in place policies and procedures that outline how the entity
complies with the standard.\306\
---------------------------------------------------------------------------
\305\ See 45 CFR 164.502(b). Uses and disclosures of PHI
pursuant to 45 CFR 164.512(a) are limited to the relevant
requirements of such law. 45 CFR 164.512(a)(1).
\306\ 45 CFR 164.514(b).
---------------------------------------------------------------------------
Comment: A few commenters requested that the Department clarify the
roles and responsibilities of covered entities and business associates
with respect to compliance with the proposed prohibition and
attestation requirements and whether business associate agreements
would need to be amended to reflect the requirements of the final rule.
Response: The prohibition standard finalized in 45 CFR
164.502(a)(5)(iii)(A) applies directly to all regulated entities;
meaning, all HIPAA covered entities and business associates. We also
note that the finalized presumption of lawfulness for the underlying
health care, when applicable, directly applies to business associates,
as does the attestation requirement in 45 CFR 164.509. As such,
business associates of covered entities that hold PHI by virtue of
their business associate relationship with the covered entity are
subject to the express prohibition on using or disclosing PHI for the
specified purposes, regardless of whether the prohibition is specified
in the business associate agreement. The attestation requirement and
its application to business associates are discussed in greater detail
below.
Comment: A commenter expressed support for the application of the
proposal to health care providers, but also recognized states' interest
in ensuring that health care providers render health care in accordance
with the standard of care in that state. Another commenter questioned
the Department's authority under HIPAA to implement this provision.
Response: The Department is modifying the proposed definition of
``Reproductive health care'' to explicitly clarify that the definition
does not set a standard of care for or determine what constitutes
clinically appropriate reproductive health care. Additionally, as
discussed above, the application of this rule is limited to
reproductive health care that is lawful under the circumstances in
which such health care is provided as described at 45 CFR
164.502(a)(5)(iii)(B). Lawfulness is determined by the regulated entity
that receives the request for PHI, after a reasonable determination
that at least one of the conditions in the Rule of Applicability applies.
As explained above, the prohibition is carefully tailored to protect
the privacy of individuals' health information in circumstances where
the reproductive health care at issue was lawful under the
circumstances in which such care was provided, reflecting the appropriate
balance between privacy interests and other societal interests.
Comment: Many commenters recommended alternative or additional
[[Page 33021]]
approaches to the purpose-based prohibition, such as eliminating or
narrowing the permissions for use or disclosure of PHI without an
individual's authorization or limiting disclosures to third parties
subject to an individual's authorization.
A few commenters recommended that the Department revise specific
Privacy Rule permissions to clarify the use and disclosure of PHI for
certain administrative or law enforcement requests, instead of
promulgating a new prohibition.
Response: The Department's approach to prohibit the uses and
disclosures of PHI for the purposes described in this final rule is
consistent with the Privacy Rule's longstanding balancing of individual
privacy interests with society's interests in PHI for non-health care
purposes. Adopting the correct balance is necessary to preserve and
promote trust between individuals and health care providers. Instead of
modifying specific permissions at 45 CFR 164.512, we are finalizing
modifications that prohibit the use or disclosure of PHI to ensure the
correct balance. Recognizing that requests that fall under these permissions
represent important public policy objectives (e.g., health oversight,
law enforcement, protection of individuals subject to abuse), the
Department is imposing a new attestation requirement, as described in
greater detail below, to protect against harm that may arise from the
use or disclosure of PHI for a purpose prohibited under 45 CFR
164.502(a)(5)(iii), which is more likely to occur when a person
requesting the use or disclosure of PHI relies on certain permissions.
The new attestation condition will also provide a mechanism that will
enable a regulated entity to better evaluate the request. The
Department declines to make additional changes at this time and will
consider these topics for future guidance. The Department also declines
to finalize its proposal to prevent an individual from requesting that
a regulated entity use or disclose PHI pursuant to a valid
authorization.
Comment: A few commenters questioned the ability of regulated
entities to use or disclose PHI in compliance with mandatory reporting
laws, such as laws requiring the reporting of suspected child abuse or
domestic violence.
A few of these commenters questioned whether mandatory reporting
requirements would change a regulated entity's duty to apply the
minimum necessary standard.
A few commenters asserted that mandatory reporting laws dissuade
individuals from seeking health care, prevent the development of trust
between individuals and health care providers, and generally are
implemented in an inequitable fashion that disproportionately applies to
individuals from marginalized or historically underserved communities
or communities of color.
Response: The Department acknowledges that there may be some
mandatory reporting laws that require a regulated entity to determine
whether a request for PHI is for a purpose prohibited by this rule.
However, whether in response to a mandatory reporting law or routine
request, the final rule's operation remains the same, that is, it
prohibits a regulated entity from using or disclosing PHI for a
prohibited purpose when the reproductive health care under
investigation or at the center of the activity to impose liability is
lawful under the circumstances that it was provided.
To the extent mandatory reporting requirements apply to the
reporting of PHI to public health authorities for public health
purposes, including PHI about reproductive health care, this final rule
does not prevent a regulated entity from complying with such a mandate.
To aid stakeholders in understanding how the prohibition operates
with respect to public health reporting, the Department is clarifying
that the term ``Public health,'' as used in public health surveillance,
investigation, and intervention, includes identifying, monitoring,
preventing, or mitigating ongoing or prospective threats to the health
or safety of a population, which may involve the collection of PHI. In
so doing, we are clarifying that public health surveillance,
investigation, and intervention are outside of the scope of activities
prohibited by 45 CFR 164.502(a)(5)(iii). These changes will offer
additional protection to individuals who would otherwise be subject to
having their PHI disclosed for a prohibited purpose because the
underlying mandatory reporting requirement did not clearly specify its
relationship to public health. This final rule does not change the
minimum necessary standard or the circumstances in which the Privacy
Rule requires a regulated entity to apply the minimum necessary
standard.
Comment: Many commenters expressed concern that the purposes for
which the Department proposed to prohibit uses or disclosures would
interfere with the ability of law enforcement to conduct
investigations, including into coercion, child abuse, and sex
trafficking and assault, would prevent states from verifying state
licensure requirements, and would hamper the ability of health care
professionals to report illegal behavior by other health care
professionals.
Response: As discussed above, the prohibition applies only to
activities conducted for the purpose of investigating or imposing
liability on a person for the mere act of seeking, obtaining,
providing, or facilitating reproductive health care that is provided
under circumstances in which such health care is lawful. A regulated
entity is permitted to disclose PHI to a person who requests PHI for
other purposes if a permission applies and the underlying conditions of
the relevant permission are met, including the attestation condition,
if applicable.
Comment: A few commenters recommended that the Department establish
a safe harbor for the use or disclosure of PHI by regulated entities
for TPO.
Response: We appreciate the comment but do not believe such a safe
harbor is necessary. The Privacy Rule permits the disclosure of an
individual's PHI for TPO when the conditions set forth in the TPO
provisions of the rule are met.\307\ The prohibited uses and
disclosures codified in this rulemaking would rarely intersect with
uses and disclosures that qualify as TPO activities. As explained
above, to the extent a person requesting the use or disclosure of PHI
reasonably articulates a basis for a request that is not related to the
mere act of seeking, obtaining, providing, or facilitating reproductive
health care, a regulated entity may use or disclose the PHI where
otherwise permitted by the Privacy Rule.
---------------------------------------------------------------------------
\307\ See 45 CFR 164.506.
---------------------------------------------------------------------------
Comment: A commenter recommended that the Department clarify that
the prohibition applies to the activities of insurers and third-party
administrators of self-funded plans by adding ``administering,
authorizing, covering, approving, or gathering or providing information
about'' to the explanation of ``seeking, obtaining, providing, or
facilitating.''
Response: The prohibition applies to all activities that a person
could reasonably be expected to engage in with a regulated entity that
could result in a use or disclosure of PHI that might be sought for
prohibited purposes, including activities conducted or performed by or
on behalf of a health
[[Page 33022]]
plan, including a group health plan.\308\ Accordingly, the Department
has modified the scope of activities initially proposed in the 2023
Privacy Rule NPRM to better explain what it meant by seeking,
obtaining, providing, or facilitating reproductive health care. The
modified text is finalized at 45 CFR 164.502(a)(5)(iii)(D),\309\ and
adds administering, authorizing, providing coverage for, approving, and
counseling about to the non-exhaustive list of example activities.
---------------------------------------------------------------------------
\308\ See 45 CFR 160.103 (definitions of ``health plan'' and
``group health plan'').
\309\ In the 2023 Privacy Rule NPRM, we proposed the Scope of
prohibition in 45 CFR 164.502(a)(5)(iii)(B).
---------------------------------------------------------------------------
Comment: Several commenters expressed support for the proposed Rule
of Applicability. A few commenters expressed support for the proposed
Rule of Applicability because it would reassure residents of the state
in which the lawful health care is provided and individuals who travel
to such states for lawful health care that their medical records will
not be disclosed for prohibited purposes.
Response: We are finalizing a modified Rule of Applicability as
described above.
Comment: Some comments expressed varying levels of support for the
Department's references to ``substantial interests'' by states or
superseding state laws. A few commenters disagreed with the
Department's assertion that states lack a legitimate interest in
conducting a criminal, civil, or administrative investigation or
proceeding into lawful reproductive health care where the investigation
is based on the mere fact that reproductive health care was or is being
provided. Others asserted that the proposed rule would be unworkable
and would assign health care providers and the Department the power to
determine whether reproductive health care was provided lawfully,
thereby affording them the authority to enforce certain state laws.
Response: As explained above, the Rule of Applicability reflects
the Department's careful balancing of privacy interests and other
societal interests. For the reasons explained above, the Department has
determined that the privacy interest of an individual and the interest
of society in an effective health care system outweigh the interests of
society in seeking the use of PHI for non-health care purposes that
could result in harm to the individual where a regulated entity that
receives a request for PHI reasonably determines that at least one of
the conditions in the Rule of Applicability applies. To help clarify
this discussion further, the Department provides examples where the
Rule of Applicability applies in this section of this final rule.
Comment: Several commenters recommended that the Department
eliminate the distinction between health care that is lawful and health
care that is not and that all forms of reproductive health care should
be protected from criminalization and government investigation.
Several commenters stated that the term ``lawful'' would
incorrectly suggest that receiving certain types of reproductive health
care could be unlawful, even though most prohibitions on reproductive
health care apply to providing or performing the health care, rather
than receiving it. They also questioned whether the proposed Rule of
Applicability would protect individuals who obtained reproductive
health care in another state.
Response: We are finalizing a Rule of Applicability at 45 CFR
164.502(a)(5)(iii)(B) that ensures the privacy of PHI when it is sought
to conduct an investigation into or impose liability on any person for
the mere act of seeking, obtaining, providing, or facilitating
reproductive health care that is lawful under the circumstances in
which such health care is provided, consistent with applicable Federal
or state law. A regulated entity that receives a request for PHI must
make a reasonable determination that at least one of the conditions in
the Rule of Applicability applies. As discussed above, this approach
reflects a careful balance between privacy interests and other societal
interests.
Comment: Some commenters asserted that medical records should not
be used for purposes outside of the health care setting in ways that
could harm the subject of the records, particularly for law enforcement
or other governmental purposes. One commenter expressed concern that
disclosures of PHI would not be limited for all purposes, and that the
proposal would not prevent a state from pursuing actions where the
health care is later found to be unlawful. Another commenter asserted
that disclosing PHI to law enforcement in connection with an
investigation into reproductive health care is a secondary use of PHI
that would be directly at odds with the purpose for which the PHI was
collected, while others stated that the proposal risks deterring
individuals from seeking or obtaining necessary health care.
A few commenters expressed concerns that health care providers
could be inhibited from providing necessary health care, fully
educating individuals about their options, or documenting the health
care provided.
Response: When the Department promulgated the 2000 Privacy Rule, we
acknowledged that the rule balanced the privacy interests of
individuals with the interests of the public in ensuring PHI was
available for non-health purposes. As we explained in the 2023 Privacy
Rule NPRM, ``individuals' right to privacy in information about
themselves is not absolute. It does not, for instance, prevent
reporting of public health information on communicable diseases or stop
law enforcement from getting information when due process has been
observed.'' \310\ At the same time, in the 2023 Privacy Rule NPRM, the
Department acknowledged that adverse consequences do result when
individuals question the privacy of their health information and
explained that the purpose of HIPAA is to protect the privacy of
information and promote trust in the health care system to ensure that
individuals do not forgo lawful health care when needed or withhold
important information that may affect the quality of their health
care.\311\
---------------------------------------------------------------------------
\310\ 88 FR 23506, 23509 (Apr. 17, 2023) (citing 65 FR 82464
(Dec. 28, 2000)).
\311\ Id.
---------------------------------------------------------------------------
Accordingly, the Privacy Rule provides a clear framework to
operationalize these principles, and this final rule is intended to
balance these interests. The Privacy Rule does not protect information
received or maintained by entities other than those that are regulated
under HIPAA, including information that is used for a purpose other
than the purpose for which it was initially requested. This final rule
provides heightened protection, as necessary, to the privacy of PHI
where its use or disclosure may result in harm to a person in
connection with seeking, obtaining, providing, or facilitating
reproductive health care that is lawful under the circumstances in
which such health care is provided. With respect to other disclosures
to law enforcement or to other governmental interests, the Privacy Rule
includes other carefully crafted permissions that specify the
conditions under which such disclosures must be made to ensure a
reasonable balance between privacy and the public policies that
disclosure would serve.
Comment: Several commenters asserted that the proposed Rule of
Applicability would not protect all PHI pertaining to lawful health
care. For example, commenters suggested that the proposed Rule of
Applicability would be unlikely to protect individuals who
obtain care outside of the health care system and urged the Department
to clarify the final rule to strengthen protections for individuals who
receive care in this manner. As another example, a commenter expressed
concern that the proposal would not protect PHI for individuals who
obtain legal reproductive health care, but as a result of
complications, subsequently access health care in a state where the
same reproductive health care is illegal.
Response: The definition of ``reproductive health care'' is
discussed in greater detail above. As noted above, this final rule does
not establish a standard of care, nor does it regulate what constitutes
clinically appropriate health care.
Commenters who point out that different results may arise in
different states are correct, but this has been true since the
inception of the Privacy Rule because it sets a national floor for
privacy standards, rather than a universal rule. The prohibition
applies, and therefore liability attaches, when the prohibition is
violated, based on the ``circumstances in which such health care is
provided.'' Thus, a regulated entity is not permitted to disclose PHI
about reproductive health care that was provided in another state where
such health care was provided under circumstances in which it was
lawful to provide such health care, even where the individual
subsequently accesses related health care in a state where it would
have been unlawful to provide the underlying health care under the
circumstances in which such health care was provided. HIPAA liability
attaches in cases where attempts to circumvent the Privacy Rule result
in impermissible or wrongful uses or disclosures.\312\
---------------------------------------------------------------------------
\312\ See 42 U.S.C. 1320d-5 and 6.
---------------------------------------------------------------------------
We remind regulated entities that the Privacy Rule permits the use
or disclosure of PHI, without an individual's signed authorization,
only as expressly permitted or required by the Privacy Rule. For
example, where state or other applicable law prohibits certain
reproductive health care but does not expressly require a regulated
entity to report that an individual obtained the prohibited health
care, the Privacy Rule would not permit a disclosure to law enforcement
or other investigative body pursuant to the ``required by law''
permission (but could potentially allow it pursuant to other
provisions).\313\
---------------------------------------------------------------------------
\313\ See 45 CFR 164.512(a).
---------------------------------------------------------------------------
Comment: One commenter recommended the Department add language to
the proposed Rule of Applicability or elsewhere to ensure that there
would be protections for PHI where a health care provider believes the
health care is legal, even when the person requesting the use or
disclosure of PHI disputes the legality. A few commenters asserted that
the health care provider making the decision could be a party to the
reproductive health care at issue, making it a conflict of interest for
the health care provider to make the determination regarding the
lawfulness of the reproductive health care.
Response: We do not believe additional language is necessary
because, under the prohibition, the regulated entity--and not the
person making the request--is responsible for reasonably determining
whether health care was lawful before making a disclosure. As explained
above, this framework is consistent with how the Privacy Rule's
permissions are administered, whereby regulated entities must determine
whether a use or disclosure is permitted under the relevant permission.
For example, when evaluating whether a use or disclosure of PHI is
permitted because the use or disclosure is required by law, the
regulated entity must look to the relevant law to determine whether the
use or disclosure falls within that permission.\314\ Furthermore, as
with other use and disclosure provisions in the Privacy Rule, regulated
entities remain subject to HIPAA liability for impermissible or
wrongful disclosures. Neither the statute nor the Privacy Rule provides
an exception to such liability for circumstances involving conflicts of
interest.
---------------------------------------------------------------------------
\314\ See 45 CFR 164.512(a).
---------------------------------------------------------------------------
Comment: Many commenters expressed concern regarding the burden
imposed upon and resources that would be required for regulated
entities to determine whether the reproductive health care at issue was
lawful if they did not provide the health care at issue, particularly
considering the evolving nature of state law in this area. Several
commenters expressed concern that the proposal incorrectly assumes that
regulated entities would know where the reproductive health care at
issue occurred and inquired about specific scenarios, such as where
requests for PHI are received by clinical laboratories that have no
face-to-face interaction with individuals and that rely on information
provided by other covered entities. A few commenters asserted that
requiring regulated entities to make the required legal determinations
would not be conducive to building a trusting relationship between
individuals and health care providers.
Some commenters offered recommendations to the Department, such as
providing guidance for health care providers regarding their rights and
responsibilities under a final rule, revising the proposal to clarify
that there would be a presumption that reproductive health care
occurred under lawful circumstances, absent compelling evidence to the
contrary, particularly when an individual travels for health care, and
clarifying the Rule of Applicability by including examples in the
regulatory text.
Some commenters asserted that regulated entities in different
states or with different interpretations of certain state requirements
could reach different determinations about whether the reproductive
health care was provided lawfully, in part because of the lack of
clarity or consistency in the interpretation in these laws. Yet another
commenter recommended that the Department add an express directive
that, in the event of any ambiguity or unsettled law, the scope of what
is considered lawful should be interpreted consistently with the intent
of the rule to protect the privacy of PHI to the maximum extent
possible. A commenter recommended that where the regulated entity
decides in good faith, it should not be subject to penalties or
enforcement action if its determination is incorrect or if the
Department disagrees with the determination. Another commenter
recommended that the Department clarify that regulated entities may use
a reasonableness standard when making the determination about whether
state laws conflict with the Privacy Rule and are therefore preempted
by HIPAA.
A few commenters expressed concern about the potential
interpretation or application of the proposed Rule of Applicability,
particularly when the laws at issue are ambiguous. Commenters
recommended inclusion of language that PHI need not be disclosed to a
government agency or law enforcement if the health care provider deems,
in good faith, that the reproductive health care is lawful under the
circumstances in which it is provided, and that the Department clarify
the application of preemption or provide in preamble examples of each
condition of the proposed Rule of Applicability.
Response: We appreciate the many comments the Department received
in response to its inquiry asking whether the proposed Rule of
Applicability would be sufficiently clear to individuals and covered
entities, and
whether the provision should be made more specific or otherwise
modified. Considering the many comments expressing concern about the
burden associated with, the difficulty of, or the liability that could
attach when someone other than the person who provided the health care
must determine whether the underlying reproductive health care is
lawful, the Department is adding a regulatory presumption in the final
rule.
As discussed above, the regulatory presumption in 45 CFR
164.502(a)(5)(iii)(C) will permit a regulated entity receiving a PHI
request that may be subject to the prohibition to presume the
reproductive health care at issue was lawful under the circumstances in
which such health care was provided when provided by a person other
than the regulated entity receiving the request. The presumption
includes a knowledge requirement such that the regulated entity must
not have actual knowledge that the reproductive health care was
unlawful under the circumstances in which such health care was provided
or factual information supplied by the person requesting the use or
disclosure of PHI that demonstrates to the regulated entity a
substantial factual basis that the reproductive health care was not
lawful under the specific circumstances in which such health care was
provided.
Comment: A commenter asserted that the proposed rule would
unlawfully thwart enforcement of Federal criminal laws on reproductive
health care because the proposed rule would be limited to circumstances
where reproductive health care is permitted by state law, thereby
prohibiting disclosures for the purpose of enforcing Federal laws
pertaining to reproductive health care when they conflict with state
law. A few commenters expressed their support for the Department's
proposal that the prohibition against the use or disclosure of PHI
apply where certain Federal laws apply. A few commenters requested
greater specificity with respect to the application of Federal and
state laws on abortion.
Response: Federal laws that involve reproductive health care form
the underlying basis for examining whether reproductive health care was
protected, required, or authorized by Federal law under the
circumstances in which it was provided, pursuant to 45 CFR
164.502(a)(5)(iii)(B)(2). Under this final rule, Federal and state
authorities retain the ability to investigate or impose liability on
persons where the investigation or imposition of liability is centered
upon the provision of reproductive health care that is unlawful under
the circumstances in which it is provided. As discussed above, this
rule reflects a careful balance between privacy interests and other
societal interests, and the prohibition is tailored to cover situations
where the reproductive health care was lawfully provided, whether state
or Federal law is at issue.
Comment: A few commenters provided examples of and expressed
concerns about the electronic availability of PHI about health care
lawfully provided in one state to health care providers in another
state where such health care would not have been lawful.
A few commenters requested that the Department clarify that
clinical laboratory testing involving a validated laboratory-developed
test used within a single laboratory certified pursuant to the Clinical
Laboratory Improvement Amendments of 1988 \315\ (CLIA) and the
implementing regulations, an in vitro diagnostic test cleared or
approved by the Food and Drug Administration (FDA), or a validated
laboratory-developed test that is an in vitro diagnostic test cleared
or approved by the FDA and used within a single CLIA-certified
laboratory would fall within the scope of reproductive health care that
would be ``authorized by Federal law'' for the purposes of the Rule of
Applicability. The commenters also recommended that a clinical
laboratory test furnished under the authority of a state with legal
requirements that are equal to or more stringent than CLIA's statutory
and regulatory requirements, and is therefore exempt from CLIA
requirements, also be considered ``authorized by Federal law'' for the
purposes of the Rule of Applicability.
---------------------------------------------------------------------------
\315\ Public Law 100-578, 102 Stat. 2903 (Oct. 31, 1988)
(codified at 42 U.S.C. 201 note).
---------------------------------------------------------------------------
Response: We interpret the language ``authorized by Federal law''
in the Rule of Applicability to include activities, including clinical
laboratory activities, that are conducted as allowed under applicable
Federal law, in circumstances where there is no conflicting state
restriction on the Federally authorized activity or where applicable
Federal law preempts a contrary state restriction. In such
circumstances, these activities are lawfully conducted because there
either is no relevant state restriction or Federal law preempts a
contrary state restriction. This provision thus reflects the
Department's careful balancing of privacy interests and other societal
interests in disclosure. As explained above, in circumstances where
reproductive health care is lawfully provided, privacy interests are
heightened while other societal interests in disclosure are reduced.
This final rule and the operation of HIPAA's general preemption
authority do not supersede applicable state law pertaining to the
lawfulness of reproductive health care.
Comment: One commenter expressed support for including the phrase
``based primarily'' to clarify that the proposed Rule of Construction
would only address situations where the purpose of the disclosure is to
investigate or impose liability because reproductive health care was
provided, rather than for an issue related to, but not focused on the
provision of such health care, such as the quality of the health care
provided or whether claims for certain health care were submitted
appropriately.
All other commenters recommended removing ``primarily'' to ensure
that there is consistent implementation. In the alternative, the
commenters recommended that the Department provide additional examples
of scenarios in which a situation would and would not be considered
``primarily for the purposes of'' or ``primarily based on'' the
provision of reproductive health care. One commenter asserted that the
definition is uncertain and could be interpreted as permitting
secondary or additional uses or disclosures. Another commenter
explained that permitting a use or disclosure where conducting the
investigation or imposing liability is only for a secondary or
incidental purpose would create too much risk for individuals and
health care providers and would undermine the intent of the proposed
prohibition. And another stated it is foreseeable that a requesting
entity could still use the PHI for one of the purposes for which the
Department proposed to prohibit uses or disclosures of PHI once they
have it if it was not the primary purpose of their request. A commenter
expressed concern that the language could be exploited to manufacture a
``primary'' purpose that would be permissible to permit PHI to be used
or disclosed for a prohibited purpose, particularly because the PHI
would lose the protections of the Privacy Rule once it is disclosed to
another person, unless that person is also a regulated entity. Another
commenter asserted that the proposed rule did not define ``primarily''
or ``mere act,'' nor did it provide sufficient examples to provide
regulated entities with sufficient information to understand the
proposal.
A commenter explained that a request for PHI is often for multiple
purposes
and recommended that the Department revise the proposed Rule of
Construction to allow the proposed prohibition to apply where at least
one of the purposes for which PHI is sought is to use or disclose the
information for a prohibited purpose. Similarly, this commenter
recommended the proposed attestation requirement in 45 CFR
164.509(b)(1) be revised to state that ``one of the uses or
disclosures'' is not prohibited by 45 CFR 164.502(a)(5)(iii).
Response: We agree with the commenter that explained that a request
for PHI may be multi-purposed. We also agree with commenters that
pointed out that as proposed, the regulatory Rule of Construction
appeared to create a secondary standard to consider whether a regulated
entity should be prohibited from using or disclosing PHI. As discussed
above, the Department is not finalizing a separate Rule of Construction
and is not incorporating the phrase ``primarily for the purpose of''
originally proposed in 45 CFR 164.502(a)(5)(iii)(D) into the final
prohibition standard. The modified prohibition standard more clearly
conveys that it only prohibits the use and disclosure of PHI for the
specified purposes when it relates to the mere act of seeking,
obtaining, providing, or facilitating lawful reproductive health care
in certain circumstances.
Comment: Commenters also recommended that the proposed Rule of
Construction prohibit health care providers from reporting individuals
for the sole reason of having received health care in a state where it
was not lawful. They described concerns about the effect of
interoperability and data sharing rules that give health care providers
ready access to individuals' full medical records and urged the
Department to expand the proposed Rule of Construction to mitigate the
risks created by the electronic exchange of PHI.
Response: The prohibition, as finalized, is narrowly tailored to
operate in a manner that protects the interests of individuals and
society in protecting the privacy of PHI while still allowing the use
or disclosure of PHI for certain non-health care purposes. We remind
regulated entities that they are generally prohibited from disclosing
PHI unless there is a specific provision of the Privacy Rule that
permits (or, in limited instances, requires) such disclosure. For
example, the Privacy Rule permits but does not require regulated
entities to disclose PHI about an individual, without the individual's
authorization, when such disclosure is required by another law and the
disclosure complies with the requirements of the other law.\316\ The
permission to disclose PHI as ``required by law'' is limited to a
``mandate contained in law that compels an entity to use or disclose
PHI and that is enforceable in a court of law.'' \317\ Further, where a
disclosure is required by law, the disclosure is limited to the
relevant requirements of such law.\318\ Disclosures that do not meet
the ``required by law'' definition of the HIPAA Rules,\319\ or that
exceed what is required by such law,\320\ are not permissible
disclosures under the required by law permission. Accordingly,
regulated entities are prohibited from proactively disclosing PHI under
the required by law permission at 45 CFR 164.512(a) absent a law
requiring mandatory reporting of such PHI.
---------------------------------------------------------------------------
\316\ See 45 CFR 164.512(a)(1).
\317\ See 45 CFR 164.103 (definition of ``Required by law'').
The definition provides additional explanation about what
constitutes a mandate contained in law.
\318\ See 45 CFR 164.512(a)(1).
\319\ See 45 CFR 164.103 (definition of ``Required by law'').
\320\ The Privacy Rule permits but does not require covered
entities to disclose PHI in response to an order of a court or
administrative tribunal. The Privacy Rule also permits but does not
require covered entities to disclose PHI in response to a subpoena,
discovery request, or other lawful process, but only when certain
conditions are met. See 45 CFR 164.512(e)(1). These provisions
cannot be used to make disclosures to law enforcement officials that
are restricted by 45 CFR 164.512(f). See 45 CFR 164.512(e)(2).
---------------------------------------------------------------------------
Comment: A few commenters asserted that the Department should
modify the regulatory text of the proposed prohibition to eliminate the
need for the proposed Rule of Construction because it is confusing and
appears to set forth two different standards.
Response: For the reasons discussed above, we agree and have
incorporated the Rule of Construction into the prohibition standard as
described above.
Comment: A commenter expressed concerns that beneficial uses or
disclosures, such as for conducting investigations into health care
fraud, would be too limited and would not address criminal, civil and
administrative proceedings, which are not related to receiving,
obtaining, facilitating, or providing reproductive health services
where the receipt or provision of these services could serve as
evidence of another crime.
Response: We disagree with concerns that beneficial uses or
disclosures would be too limited under the changes. If PHI is requested
for a purpose that is not prohibited and the request complies with the
conditions of an applicable permission, including, where applicable,
that the requirements of the attestation condition are met, the
regulated entity is permitted to comply with the request.
Comment: Another commenter cited studies to assert that the
proposed Rule of Construction would continue to permit health care
providers to proactively report on individuals. The commenter also
stated that the proposed rule would not clarify how it would interact
with mandatory reporting laws that could expose individuals and health
care providers to investigations based on the provision of reproductive
health care.
Response: The Privacy Rule does not permit a regulated entity to
disclose PHI for law enforcement purposes, proactively or otherwise,
without an individual's authorization when the disclosure is not made
pursuant to process or as otherwise required by law.\321\ This is true
currently and remains true under this final rule.
---------------------------------------------------------------------------
\321\ 45 CFR 164.512(f)(1).
---------------------------------------------------------------------------
As discussed above, HIPAA generally preempts state laws requiring
the use or disclosure of PHI, except in limited circumstances. Where
such mandatory reporting laws are not preempted by HIPAA, regulated
entities are limited to disclosing the minimum amount of PHI necessary
to comply with the mandatory reporting requirement or the relevant
requirements of such law.\322\
---------------------------------------------------------------------------
\322\ Whether the regulated entity is limited by the minimum
necessary standard or the relevant requirements of the law that
requires the reporting depends upon whether the regulated entity is
making the disclosure pursuant to 45 CFR 164.512(a) or some other
permission under 45 CFR 164.512. See 45 CFR 164.502(b)(v).
---------------------------------------------------------------------------
Comment: Several commenters responded to the question about whether
it would be beneficial for the Department to further clarify or provide
examples of uses or disclosures of PHI that would be permitted under a
final rule. All of these commenters agreed that it would be beneficial
for the Department to do so. Of those, several commenters specified
that the Department should provide such examples in the final
regulatory text. A few commenters who requested examples be provided
within the regulatory text also recommended that the language make
clear that the examples are illustrative.
Response: The Department declines to include examples of uses or
disclosures of PHI that would be permitted in this rule, in regulatory
text. We have provided illustrative examples above.
3. Clarifying Personal Representative Status in the Context of
Reproductive Health Care
Section 164.502(g) of the Privacy Rule contains the standard for
personal
representatives and generally requires a regulated entity to treat an
individual's personal representative as the individual if that person
has authority under applicable law (e.g., state law, court order) to
act on behalf of the individual in making decisions related to health
care.\323\ For example, the Privacy Rule would treat a legal guardian
of an individual who has been declared incompetent by a court as the
personal representative of that individual, if consistent with
applicable law.\324\ In this and certain other provisions, the
Department seeks to maintain the longstanding balance HIPAA strikes
between the interest of a state or other authorities to regulate health
and safety and protect vulnerable individuals \325\ with the goal of
maintaining the privacy protections established in the Privacy
Rule.\326\
---------------------------------------------------------------------------
\323\ See 45 CFR 164.502(g).
\324\ See 45 CFR 164.502(g)(3)(i). See also Off. for Civil
Rights, ``Personal Representatives,'' U.S. Dep't of Health and Human
Servs., https://www.hhs.gov/hipaa/for-individuals/personal-representatives/index.html.
\325\ See, e.g., 45 CFR 164.510(b)(3) and 164.512(j)(1)(i)(A).
\326\ See 65 FR 82462, 82471 (Dec. 28, 2000).
---------------------------------------------------------------------------
In the 2023 Privacy Rule NPRM, the Department expressed concern
that some regulated entities may interpret the Privacy Rule as
providing them with the ability to refuse to recognize as an
individual's personal representative a person who makes reproductive
health care decisions, on behalf of the individual, with which the
regulated entity disagrees.\327\ Under these circumstances, current
section 45 CFR 164.502(g)(5) of the Privacy Rule could be interpreted
to permit a regulated entity to assert that, by virtue of the personal
representative's involvement in the reproductive health care of the
individual, the regulated entity believes that the personal
representative is subjecting the individual to abuse. Further, this
regulated entity might exercise its professional judgment and decide
that it is in the best interest of the individual to not recognize the
personal representative's authority to make health care decisions for
that individual.
---------------------------------------------------------------------------
\327\ 88 FR 23506, 23533-34 (Apr. 17, 2023).
---------------------------------------------------------------------------
To protect the balance of interests struck by the Privacy Rule, the
Department proposed to modify 45 CFR 164.502 by adding a new paragraph
(g)(5)(iii). Proposed 45 CFR 164.502(g)(5)(iii) would ensure that a
regulated entity could not deny personal representative status to a
person where such status would otherwise be consistent with state and
other applicable law primarily because that person provided or
facilitated reproductive health care for an individual. The Department
expressed its belief that this proposal was narrowly tailored and
respected the interests of states and the Department by not unduly
interfering with the ability of states to define the nature of the
relationship between an individual and another person, including
between a minor and a parent, upon whom the state deems it appropriate
to bestow personal representative status. The proposal would, however,
maintain the existing HIPAA standard by ensuring personal
representative status, when otherwise consistent with state law, would
not be affected by the type of underlying health care sought.
Several commenters supported the Department's proposal to clarify
that the covered entity's reasonable basis for electing not to treat a
person as a personal representative of an individual, despite state law
or other requirements of the Privacy Rule, cannot be primarily because
the person has provided or facilitated reproductive health care. Other
commenters expressed concern about their ability to determine what
constitutes reproductive health care, as would be required to ascertain
whether the covered entity had a reasonable basis to elect not to treat
a person as an individual's personal representative. These commenters
requested that the Department provide additional clarity in regulatory
text or through examples. Other commenters questioned how the
Department's proposal would align with existing state law on parental
rights.
As discussed throughout this final rule, reproductive health care
is uniquely sensitive and must be treated accordingly. Thus, we are
finalizing 45 CFR 164.502(g)(5) with additional modifications as
follows. This final rule precludes the denial of personal
representative status where the basis of the denial is that the person
provided or facilitated reproductive health care instead of the
proposed standard that would have precluded denial ``primarily'' based
on these actions. This change clarifies that the covered entity does
not have to determine whether the reproductive health care is the
``primary'' basis for denying a person personal representative status.
Additionally, the final rule adds the term ``reasonable'' before
``belief'' to align with 45 CFR 164.502(g)(5)(i)(A), clarifying that
the basis of the covered entity's belief must be reasonable in the
circumstances. We are also renumbering paragraphs. Collectively, these
changes clarify that it is not reasonable to elect not to treat a
person as an individual's personal representative because the person
provides or facilitates reproductive health care for and at the request
of the individual. The Department is making these changes in response
to comments received on the 2023 Privacy Rule NPRM, which are further
discussed below.
Comment: Several commenters supported the Department's proposal to
clarify that the covered entity's basis for electing not to treat a
person as a personal representative of an individual, despite state law
or other requirements of the Privacy Rule, cannot be primarily because
the person has provided or facilitated reproductive health care.
Response: As explained throughout this final rule, reproductive
health care is uniquely sensitive and must be treated as such.
Accordingly, we are finalizing this proposal with modifications as
described above.
Comment: A commenter expressed concerns that regulated entities
would, in some circumstances, have difficulty determining whether the
``primary'' basis for the belief that the individual has been or may be
subjected to domestic violence, abuse, or neglect by such person, or
that treating such person as the personal representative could endanger
the individual, was related to the provision or facilitation of
reproductive health care. The commenter requested that the Department
provide additional clarity in the regulatory text or through examples.
Response: As discussed above, we have removed the term ``primary''
before ``basis'' and reorganized the provision. We believe this change
clarifies that the covered entity does not have to determine whether
the provision or facilitation of reproductive health care is the
``primary'' basis for believing that a person who is an individual's
personal representative under applicable law has abused, neglected, or
endangered the individual, or may do so in the future, such that the
covered entity would be permitted to deny the person personal
representative status.
Comment: A few commenters requested that the Department clarify
that other existing provisions pertaining to personal representatives
continue to apply, including the provision that a covered entity should
not treat a parent or guardian as a personal representative where state
law does not require a minor to obtain parental consent to lawfully
obtain health care.
Response: As discussed above, the Privacy Rule generally requires a
covered entity to treat a person who, under applicable law, has the
authority to act on behalf of an individual in making decisions related
to health care
[[Page 33027]]
as the individual's personal representative with respect to PHI
relevant to such personal representation, with limited exception.\328\
In this final rule, we are clarifying that those limited exceptions
apply to this general rule.\329\ We did not propose, nor are we making,
any additional changes to the Privacy Rule's provisions on personal
representatives. Nothing in this final rule is intended to alter any
other use or disclosure permissions for personal representatives, nor
does it interfere with the ability of states to define the nature of
the relationship between a minor and a parent or guardian.
---------------------------------------------------------------------------
\328\ See 45 CFR 164.502(g).
\329\ See 45 CFR 164.502(g)(3)(i).
---------------------------------------------------------------------------
Comment: A commenter asserted that the proposal could lead to
situations in which someone pretending to be a personal representative
of the individual would consent to reproductive health care for the
individual. According to a few commenters, the proposal would make it
easier for a person abusing an individual to obtain access to an
individual's PHI because of the limits imposed on the reasonable belief
provisions by the proposal. Another commenter asserted that the
proposal would hinder state investigations into crimes that affect an
individual's reproductive health where such crimes are committed by a
person meeting a state's definition of a personal representative.
Response: The Department has no reason to believe, and commenters
provided no evidence to suggest, that the final rule will lead to abuse
or undermine parental consent. Rather, the final rule will protect
sensitive PHI by clarifying that a regulated entity must treat a person
as a personal representative of an individual with respect to PHI
relevant to such personal representation if such person is, under
applicable law, authorized to act on behalf of the individual in making
decisions related to health care. This includes a court-appointed
guardian, a person with a power of attorney, or other persons with
legal authority to make health care decisions. Further, under 45 CFR
164.514(h), a covered entity must verify the identity of a person
requesting PHI and the authority of any such person to have access to
PHI, if the identity is not already known to the covered entity.
Additionally, the final rule allows a covered entity to elect not
to treat a person as a personal representative of an individual if the
covered entity, in the exercise of professional judgment, has a
reasonable belief that the individual has been or may be subjected to
domestic violence, abuse, or neglect by such person, or that treating
such person as the personal representative could endanger the
individual. The final rule only clarifies that the reasonable basis
cannot be the provision or facilitation of reproductive health care by
the person authorized by applicable law.
Comment: A few commenters recommended that the Department define
and interpret personal representative status in the context of
reproductive health care consistent with its current interpretation.
Response: We appreciate the comments but decline to specifically
define ``personal representative'' in the context of reproductive
health care. We are reducing compliance burdens by eliminating the need
for covered entities to determine whether the provision or facilitation
of reproductive health care was the ``primary'' basis for their belief
that an individual has been or may be subjected to domestic violence,
abuse, or neglect, or may be endangered by a person authorized by
applicable law to act as an individual's personal representative if the
covered entity treats the person as such, with respect to PHI relevant
to such personal representation.
Comment: A covered entity recommended that the Department set
reasonable threshold standards that covered entities would be required
to meet if they deny personal representative status to a person because
of any legal, social, or professional liability that could attach based
on such denials. The commenter further recommended that the Department
set objective universal thresholds for denials that are clear, concise,
and easily defined.
Response: We appreciate the comment but decline to set a reasonable
threshold standard that covered entities would be required to meet if
they deny personal representative status to a person. As discussed
above, the Department gives covered entities discretion to elect not to
treat a person as a personal representative of an individual if the
covered entity has a reasonable belief that the individual has been
subjected to domestic violence, abuse, or neglect by or would be in
danger from a person seeking to act as the personal representative,
except where the basis of the denial is that the person provided or
facilitated reproductive health care.
Response: As discussed above, a personal representative, with
authority under applicable law, stands in the shoes of the individual
and has the ability to act for the individual and exercise the
individual's rights. Thus, with very limited exceptions, covered
entities must provide the personal representative access to the
individual's PHI in accordance with 45 CFR 164.524 to the extent such
information is relevant to such representation.
4. Request for Comments
The Department requested comment on whether to eliminate or narrow
any existing permissions to use or disclose ``highly sensitive PHI.''
\330\ Most of the comments on this question are discussed in the
context of the prohibition.
---------------------------------------------------------------------------
\330\ 88 FR 23506, 23534 (Apr. 17, 2023).
---------------------------------------------------------------------------
C. Section 164.509--Uses and Disclosures for Which an Attestation Is
Required
1. Current Provision
The Privacy Rule currently separates uses and disclosures into
three categories: required, permitted, and prohibited. Permitted uses
and disclosures are further subdivided into those to carry out TPO;
\331\ those for which an individual's authorization is required; \332\
those requiring an opportunity for the individual to agree or object;
\333\ and those for which an authorization or opportunity to agree or
object is not required.\334\ For an individual's authorization to be
valid, the Privacy Rule requires that it contain certain specific
information to ensure that an individual authorizing a regulated entity
to use or disclose their PHI to another person knows and understands to
what it is they are agreeing.\335\
---------------------------------------------------------------------------
\331\ 45 CFR 164.506.
\332\ 45 CFR 164.508.
\333\ 45 CFR 164.510.
\334\ 45 CFR 164.512.
\335\ 45 CFR 164.508(b).
---------------------------------------------------------------------------
2. Proposed Rule
As we described in the 2023 Privacy Rule NPRM, a regulated entity
presented with a request for PHI would need to discern whether using or
disclosing PHI in response to the request would be prohibited. To
facilitate compliance with the proposed prohibition at 45 CFR
164.502(a)(5)(iii) while also providing a pathway for regulated
entities to disclose PHI for certain permitted purposes, the Department
proposed to require that a covered entity obtain an attestation from a
person requesting the use or disclosure of PHI in certain
circumstances.\336\
---------------------------------------------------------------------------
\336\ 88 FR 23506, 23534-37 (Apr. 17, 2023).
---------------------------------------------------------------------------
[[Page 33028]]
Specifically, the Department proposed to add a new section 45 CFR
164.509, ``Uses and disclosures for which an attestation is required.''
This proposed condition would require a regulated entity to obtain
certain assurances from the person requesting PHI potentially related
to reproductive health care before the PHI is used or disclosed, in the
form of a signed and dated written statement attesting that the use or
disclosure would not be for a purpose prohibited under 45 CFR
164.502(a)(5)(iii), where the person is making the request under the
Privacy Rule permissions at 45 CFR 164.512(d) (disclosures for health
oversight activities), (e) (disclosures for judicial and administrative
proceedings), (f) (disclosures for law enforcement purposes), or (g)(1)
(disclosures about decedents to coroners and medical examiners).
The proposed new section included a description of the proposed
attestation contents, including a statement that the use or disclosure
is not for a purpose the Department proposed to prohibit as described
at 45 CFR 164.502(a)(5)(iii). The 2023 Privacy Rule NPRM also included
a discussion about how the Department anticipated the proposed
attestation requirement would work in concert with Privacy Rule
permissions. The proposed attestation provision would also include
the general requirements for a valid attestation and the defects that
would render an attestation invalid.\337\ The Department also proposed to
require that an attestation be written in plain language \338\ and to
prohibit it from being ``combined with'' any other document. Further,
the Department's proposal would explicitly permit the attestation to be
in an electronic format, as well as electronically signed by the person
requesting the disclosure.\339\ Under the proposal, the attestation
would be facially valid when the document meets the required elements
of the attestation proposal and includes an electronic signature that
is valid under applicable Federal and state law.\340\
---------------------------------------------------------------------------
\337\ Pursuant to 45 CFR 164.530(j), regulated entities would be
required to maintain a written or electronic copy of the
attestation.
\338\ The Federal plain language guidelines under the Plain
Writing Act of 2010 apply only to Federal agencies, but they serve
as a helpful resource. See 5 U.S.C. 105 and ``Federal plain language
guidelines,'' U.S. Gen. Servs. Admin., https://www.plainlanguage.gov/guidelines/.
\339\ Proposed 45 CFR 164.509(b)(1)(iv) and (c)(1)(iv).
\340\ While not explicitly stated in the Privacy Rule, the
Department previously issued guidance clarifying that authorizations
are permitted to be submitted and signed electronically. See Off.
for Civil Rights, ``Is a copy, facsimile, or electronically
transmitted version of a signed authorization valid under the
Privacy Rule?,'' U.S. Dep't of Health and Human Servs., HIPAA FAQ
#475 (Jan. 9, 2023), https://www.hhs.gov/hipaa/for-professionals/faq/475/is-a-copy-of-a-signed-authorization-valid/index.html and
Off. for Civil Rights, ``How do HIPAA authorizations apply to an
electronic health information exchange environment?,'' U.S. Dep't of
Health and Human Servs., HIPAA FAQ #554 (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/index.html.
---------------------------------------------------------------------------
Additionally, the proposal specified that each use or disclosure
request would require a new attestation.
The Department proposed that a regulated entity would be able to
rely on the attestation provided that it is objectively reasonable
under the circumstances for the regulated entity to believe the
statement required by 45 CFR 164.509(c)(1)(iv) that the requested
disclosure of PHI is not for a purpose prohibited by 45 CFR
164.502(a)(5)(iii), rather than requiring a regulated entity to
investigate the validity of an attestation.\341\ We explained that it
would not be objectively reasonable for a regulated entity to rely on
the representation of the person requesting PHI about whether the
reproductive health care was provided under circumstances in which it
was lawful to provide such health care. This is because we believed
that the regulated entity, not the person requesting the disclosure of
PHI, has the information about the provision of such health care that
is necessary to make this determination. Therefore, we explained that
this determination would need to be made by the regulated entity prior
to using or disclosing PHI in response to a request for a use or
disclosure of PHI that would require an attestation under the proposal.
---------------------------------------------------------------------------
\341\ This approach is consistent with 45 CFR 164.514(h), which
requires a regulated entity to verify the identity and legal
authority of a public official or a person acting on behalf of a
public official, and describes the type of documentation upon which
a regulated entity may rely, if such reliance is reasonable under
the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A),
which permits a covered entity to rely, if such reliance is
reasonable under the circumstances, on a requested disclosure as the
minimum necessary for the stated purpose when making disclosures to
public officials that are permitted under 45 CFR 164.512, if the
public official represents that the information requested is the
minimum necessary for the stated purpose(s).
---------------------------------------------------------------------------
The attestation proposal also would require a regulated entity to
cease use or disclosure of PHI if the regulated entity develops reason
to believe, during the course of the use or disclosure, that the
representations contained within the attestation were materially
incorrect, leading to uses or disclosures for a prohibited
purpose.\342\ Relatedly, the 2023 Privacy Rule NPRM included a
discussion of the consequences of material misrepresentations that
cause the impermissible use or disclosure of IIHI relating to another
individual under HIPAA.
---------------------------------------------------------------------------
\342\ Proposed 45 CFR 164.509(d).
---------------------------------------------------------------------------
To reduce the burden on regulated entities implementing this
proposed attestation, the Department requested comment on whether it
should develop a model attestation that a regulated entity may use when
developing its own attestation templates. The Department did not
propose to require that regulated entities use the model attestation.
3. Overview of Public Comments
Most commenters expressed support for the proposal to require an
attestation for certain uses and disclosures. Some commenters
questioned why the Department did not extend the attestation
requirement directly to business associates, consistent with the
general prohibition, and recommended that the attestation requirements
be applied to business associates.
Some of those commenters that supported the proposal to require an
attestation expressed concern or made additional recommendations about
its components, content, and scope, and the consequences for covered
entities that make inadvertent disclosures of PHI without an
attestation. A small number of opposing commenters also expressed
concerns about the effectiveness and administrative burden of the
proposed attestation requirement.
About half of the commenters concerned about the administrative
burden of the attestation expressed support for limiting the
applicability of the proposed attestation to certain types of uses and
disclosures of information, while the other half recommended expanding
the scope of the proposed attestation requirement to mitigate burdens
on covered entities or to increase privacy protections for individuals.
Many commenters expressed concern about the Department's statement
in the 2023 Privacy Rule NPRM that it would not be objectively
reasonable for a regulated entity to rely on the representation of a
person requesting the use or disclosure of PHI about whether the PHI
sought was related to lawful health care. Specifically, commenters
asserted that regulated entities may have difficulties determining
whether an attestation is ``objectively reasonable'' and were unlikely
to possess the information necessary to determine the purpose of a
person's request for the use or disclosure of PHI.
[[Page 33029]]
Most commenters urged the Department to expand the proposal beyond
requests for PHI potentially related to reproductive health care to
requests for any PHI because of the associated administrative burden of
identifying and segmenting PHI about reproductive health care from
other types of PHI. These commenters asserted that the burden would be
significant because such PHI can be found throughout the medical
record. Commenters also expressed concerns about the ability of EHRs to
segment data.
Most commenters recommended that the Department add to or modify
the content of the proposed attestation, including to add a statement
that the recipient pledges not to redisclose PHI to another party for
any of the prohibited purposes or that the request is for the minimum
amount of information necessary. Many supported the inclusion of a
signed declaration under penalty of perjury and a statement regarding
the penalties for perjury to add a layer of accountability.
4. Final Rule
As we explained in the 2023 Privacy Rule NPRM, it may be difficult
for regulated entities to distinguish between requests for the use and
disclosure of PHI based on whether the request is for a permitted or
prohibited purpose, which could lead regulated entities to deny use or
disclosure requests for permitted purposes. Additionally, absent an
enforcement mechanism, it is likely that persons requesting the use or
disclosure of PHI could seek to use Privacy Rule permissions for
purposes that are prohibited under the new 45 CFR 164.502(a)(5)(iii).
Accordingly, the Department is finalizing the proposed attestation
requirement, with modification, as described below. We intend to
publish a model attestation prior to the compliance date for this final
rule.
First, the Department is renumbering the attestation provision such
that the requirement is now 45 CFR 164.509(a)(1) and modifying that
requirement to hold business associates directly liable for compliance
with the attestation requirement. This change was made to address
concerns raised by commenters who questioned why the Department did not
extend the attestation requirement directly to business associates,
consistent with the general prohibition and with revisions made to the
HIPAA Rules in the 2013 Omnibus Rule, as required by the HITECH Act.
The Department has authority to take enforcement action against
business associates only for requirements for which the business
associate is directly liable.\343\ Thus, under the proposed attestation
requirement, a business associate would only have been required to
comply with the proposed 45 CFR 164.509 if such obligation was
explicitly included within its business associate agreement.\344\
---------------------------------------------------------------------------
\343\ Business associates became directly liable for compliance
with certain requirements of the HIPAA Rules under the HITECH Act.
Consistent with the HITECH Act, the 2013 Omnibus Rule identified the
portions of the HIPAA Rules that apply directly to business
associates and for which business associates are directly liable.
Prior to the HITECH Act and the Omnibus Rule, these requirements
applied to business associates and their subcontractors indirectly
through the requirements under 45 CFR 164.504(e) and 164.314(a),
which require that covered entities by contract require business
associates to limit uses and disclosures and implement HIPAA
Security Rule-like safeguards. See 78 FR 5566 (Jan. 25, 2013). See
also Off. for Civil Rights, ``Direct Liability of Business
Associates Fact Sheet,'' U.S. Dep't of Health and Human Servs. (July
16, 2021), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.
\344\ 45 CFR 164.504(e) and 164.314(a).
---------------------------------------------------------------------------
Both covered entities and business associates process requests for
PHI. The Privacy Rule permits regulated entities to determine whether a
business associate can respond to such requests or whether they are
required to defer to the covered entity.\345\ As noted by commenters,
while many PHI requests processed by a business associate pursuant to
45 CFR 164.512(d)-(g)(1) are processed on behalf of the covered entity,
persons may elect to request PHI directly from the business associate.
Thus, the Department has determined that it is appropriate to hold both
covered entities and business associates directly liable for compliance
with the attestation requirement. Expanding the attestation requirement
to apply to business associates will ensure that the business associate
is directly liable for compliance with it, regardless of whether
compliance with 45 CFR 164.509 is explicitly included in a BAA.
---------------------------------------------------------------------------
\345\ 45 CFR 164.504(e)(2)(i)(E).
---------------------------------------------------------------------------
The Department is also adopting the proposed attestation
requirement that a regulated entity obtain an attestation only for PHI
``potentially related to reproductive health care.'' As discussed in
the 2023 Privacy Rule NPRM, this will limit the number of requests that
require an attestation, and therefore, the burden of the attestation
requirement on regulated entities and persons requesting PHI. The
Department reminds regulated entities that they are permitted, but not
required, to respond to law enforcement requests for PHI where the
purpose of the request is not one for which regulated entities are
prohibited from disclosing PHI. By narrowing the scope of the
attestation to PHI ``potentially related to reproductive health care,''
the attestation requirement will not unnecessarily interfere with or
delay law enforcement investigations that do not involve PHI
``potentially related to reproductive health care.'' While in practice
this scope may be wide, we believe the privacy interests of individuals
who have obtained reproductive health care necessitate the inclusion
of ``potentially related'' PHI. We are concerned that extending the
attestation requirement to all PHI could unnecessarily delay law
enforcement investigations that are not for a purpose prohibited under
45 CFR 164.502(a)(5)(iii). We acknowledge commenters' concerns about
the ability of regulated entities to operationalize the attestation
condition and note that the requirement to obtain an attestation
applies where the request is for PHI ``potentially related to
reproductive health care,'' as opposed to PHI ``related to reproductive
health care.'' Consistent with the Department's instructions to
regulated entities since the Privacy Rule's inception, we have taken a
flexible approach to allow scalability based on a regulated entity's
activities and size. All regulated entities must take appropriate steps
to address privacy concerns. Regulated entities should weigh the costs
and benefits of alternative approaches when determining the scope and
extent of their compliance activities, including when developing
policies and procedures to comply with the Privacy Rule.\346\ The
Department will assess the progress of regulated entities' compliance
with this requirement and promulgate guidance as appropriate. The
Department also notes that with limited exceptions, the Privacy Rule
generally permits but does not require the use or disclosure of PHI
when the conditions set by the Privacy Rule for the specific use or
disclosure of PHI are met.
---------------------------------------------------------------------------
\346\ 65 FR 82462, 82471, and 82875 (Dec. 28, 2000).
---------------------------------------------------------------------------
The Department is adopting the proposed requirement that an
attestation be obtained where a request is made under the Privacy Rule
permissions at 45 CFR 164.512(d) (disclosures for health oversight
activities), (e) (disclosures for judicial and administrative
proceedings), (f) (disclosures for law enforcement purposes), or (g)(1)
(disclosures about decedents to coroners and medical examiners). This
requirement will help ensure that these Privacy Rule permissions cannot
be used to circumvent the new prohibition at 45
[[Page 33030]]
CFR 164.502(a)(5)(iii) and continue permitting essential disclosures,
while also limiting the attestation's burden on regulated entities by
providing a standard mechanism by which the regulated entity can
ascertain whether a requested use or disclosure is prohibited under
this final rule. The attestation requirement is intended to reduce the
burden of determining whether the PHI request is for a purpose
prohibited under 45 CFR 164.502(a)(5)(iii), but it does not absolve
regulated entities of the responsibility of making this determination,
nor does it absolve regulated entities of the responsibility for
ensuring that such requests meet the other conditions of the relevant
permission.
We are modifying the proposal by revising 45 CFR 164.509(a)(1) to
clarify that a regulated entity may not use or disclose PHI where the
use or disclosure does not meet all of the Privacy Rule's applicable
conditions, including the attestation requirement. While this is
consistent with the existing requirements of the Privacy Rule, we
determined that it was necessary to reiterate this requirement here
based on comments we received. Thus, when this final rule is read
holistically, a regulated entity is not permitted to use or disclose
PHI where such disclosure does not meet all of the Privacy Rule's
applicable conditions, including the attestation requirement.
We are also modifying the proposal by adding 45 CFR 164.509(a)(2)
to clarify that the use or disclosure of PHI based on a defective
attestation does not meet the attestation requirement. For example, the
attestation requirement would not be met if a regulated entity relies
on an attestation where it is not reasonable to do so because the
attestation would be defective under 45 CFR 164.509(b)(2)(v).
Accordingly, it would be a violation of the Privacy Rule if the
regulated entity makes a use or disclosure in response to a defective
attestation.
The Department is modifying the proposal to prohibit inclusion in
the attestation of any elements that are not specifically required by
45 CFR 164.509(c). This provision addresses concerns that regulated
entities might require persons requesting PHI to provide information
beyond that which is required under 45 CFR 164.509(c). Such additional
requirements could make it burdensome for persons requesting PHI to
submit a valid attestation when they make a request pursuant to 45 CFR
164.512(d), (e), (f), or (g)(1). Additionally, a person requesting PHI
is not required to use the specific attestation form provided by a
regulated entity, as long as the attestation provided by such person is
compliant with the requirements of 45 CFR 164.509.
Additionally, the Department is modifying the proposed prohibition
on compound attestations. Specifically, the final rule prohibits the
attestation from being ``combined with'' any other document. The
modification clarifies that while an attestation may not be combined
with other ``forms,'' additional documentation to support the
information provided in the attestation may be submitted. This
additional documentation may not replace or substitute for any of the
attestation's required elements. The attestation itself must be clearly
labeled, distinct from any surrounding text, and completed in its
entirety, but documentation to support the statement at 45 CFR
164.509(c)(1)(iv) or to overcome the presumption at 45 CFR
164.502(a)(5)(iii)(C) may be appended to the attestation. Thus, a
regulated entity must ensure that the required elements of the
attestation are met, and should review any additional documents
provided by the person making the request when making the required
determinations.
A regulated entity may use this information--the information on the
attestation combined with any additional documentation provided by the
person making the request for PHI--to make a reasonable determination
that the attestation is true, consistent with 45 CFR 164.509(b)(2)(v).
For example, an attestation would not be impermissibly ``combined
with'' a subpoena if it is attached to it, provided that the
attestation is clearly labeled as such. As another example, an
electronic attestation would not be impermissibly ``combined with''
another document where the attestation is on the same screen as the
other document, provided that the attestation is clearly and distinctly
labeled as such.
The Department is finalizing the proposed content requirements with
modifications as follows. Specifically, the Department is finalizing
the proposal that an attestation must include that the person
requesting the disclosure confirm the types of PHI that they are
requesting; clearly identify the name of the individual whose PHI is
being requested, if practicable, or if not practicable, the class of
individuals whose PHI is being requested; and confirm, in writing, that
the use or disclosure is not for a purpose prohibited under 45 CFR
164.502(a)(5)(iii). For purposes of the ``class of individuals''
described in 45 CFR 164.509(c)(1)(i)(B), the Department clarifies that
the requesting entity may describe such a class in general terms--for
example, as all individuals who were treated by a certain health care
provider or for whom a certain health care provider submitted claims,
all individuals who received a certain procedure, or all individuals
with given health insurance coverage.
As we proposed, we are finalizing a requirement that the
attestation include a clear statement that the use or disclosure is not
for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). This
requirement may be satisfied with a series of checkboxes that
identifies why the use or disclosure is not prohibited under 45 CFR
164.502(a)(5)(iii) (i.e., the use or disclosure is not for a purpose
specified in 45 CFR 164.502(a)(5)(iii)(A); or the use or disclosure is
for a purpose that would be prohibited under 45 CFR
164.502(a)(5)(iii)(A), but the reproductive health care at issue was
not lawful under the circumstances in which it was provided so the Rule
of Applicability is not satisfied, and thus the prohibition does not
apply).
The Department is adding another new required element, a statement
that the attestation is signed with the understanding that a person who
knowingly and in violation of HIPAA obtains or discloses IIHI relating
to another individual, or discloses IIHI to another person, may be
subject to criminal liability.\347\ We believe that adding this
language satisfies the intent that led us to consider including a
penalty of perjury requirement and is consistent with applicable law. The statement
does not impose new liability on persons who sign an attestation;
instead, including the statement in the attestation ensures that
persons who request the use or disclosure of PHI for which an
attestation is required are on notice of and acknowledge the
consequences of making such requests under false pretenses.
---------------------------------------------------------------------------
\347\ See 42 U.S.C. 1320d-6(a).
---------------------------------------------------------------------------
The Department is also finalizing the proposed requirement that the
attestation must be written in plain language. Additionally, the
Department is finalizing its proposal to permit the attestation to be
in electronic format and for it to be electronically signed by the
person requesting the disclosure where such electronic signature is
valid under applicable law.\348\ The Department declines to mandate a
specific electronic format for the attestation.
---------------------------------------------------------------------------
\348\ 45 CFR 164.509(b)(1)(iii) and (c)(1)(vi).
---------------------------------------------------------------------------
As we proposed, an attestation will be limited to the specific use
or disclosure. Accordingly, each use or disclosure
request for PHI will require a new attestation.
There is no exception to the minimum necessary standard for uses
and disclosures made pursuant to an attestation under 45 CFR
164.509.\349\ Thus, a regulated entity will have to limit a use or
disclosure to the minimum necessary when provided in response to a
request that would be subject to the proposed attestation requirement,
unless one of the specified exceptions to the minimum necessary
standard in 45 CFR 164.502(b)(2) applies. Where the person requesting
the PHI is also a regulated entity, that person will also need to make
reasonable efforts to limit their request to the minimum necessary to
accomplish the intended purpose of the use, disclosure, or
request.\350\
---------------------------------------------------------------------------
\349\ 45 CFR 164.502(b). The minimum necessary standard of the
Privacy Rule applies to all uses and disclosures where a request
does not meet one of the specified exceptions in paragraph (b)(2).
\350\ 45 CFR 164.502(b)(1).
---------------------------------------------------------------------------
The Department is not requiring a regulated entity to investigate
the validity of an attestation provided by a person requesting a use or
disclosure of PHI. Rather, a regulated entity is generally permitted to
rely on the attestation if, under the circumstances, a regulated entity
reasonably determines that the request is not for investigating or
imposing liability for the mere act of seeking, obtaining, providing,
or facilitating allegedly unlawful reproductive health care. In
addition, a regulated entity is generally permitted to rely on the
attestation and any accompanying material if, under the circumstances,
a regulated entity reasonably could conclude (e.g., upon examination of
adequate supporting documentation provided by the person making the
request) that the requested disclosure of PHI is not for a purpose
prohibited by 45 CFR 164.502(a)(5)(iii), consistent with the approach
taken in the Privacy Rule \351\ and elsewhere in this final rule. If
such reliance is not reasonable, then the regulated entity may not rely
on the attestation. This is a change from the proposed language, which
permitted reliance based on an ``objectively reasonable'' standard. The
proposed standard was modified because a reasonable person standard is
inherently objective.\352\ Thus, including ``objectively'' in the
description of the standard was redundant.
---------------------------------------------------------------------------
\351\ This approach is consistent with 45 CFR 164.514(h), which
requires a covered entity to verify the identity and legal authority
of a public official or a person acting on behalf of the public
official and describes the type of documentation upon which
regulated entities can rely, if such reliance is reasonable under
the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A),
which permits a covered entity to rely, if such reliance is
reasonable under the circumstances, on a requested disclosure as the
minimum necessary for the stated purpose when making disclosures to
public officials that are permitted under 45 CFR 164.512, if the
public official represents that the information requested is the
minimum necessary for the stated purpose(s).
\352\ E.g., Restatement (Second) Torts Sec. 283, comment b (Am.
L. Inst. 1965).
---------------------------------------------------------------------------
For requests involving allegedly unlawful reproductive health care,
the extent to which a regulated entity may reasonably rely on an
attestation depends in part on whether the regulated entity provided
the reproductive health care at issue. Under the final rule, it would
not be reasonable for a regulated entity to rely on the representation
made by a person requesting the use or disclosure of PHI that the
reproductive health care was unlawful under the circumstances in which
it was provided unless such representation meets the conditions set
forth in the presumption at 45 CFR 164.502(a)(5)(iii)(C). As discussed
above, under the presumption, reproductive health care is presumed to
be lawful under the circumstances in which such health care is provided
unless a regulated entity has actual knowledge, or information from the
person making the request that demonstrates to the regulated entity a
substantial factual basis that the reproductive health care was not
lawful under the specific circumstances in which such health care was
provided. Where the reproductive health care at issue was provided by a
person other than the regulated entity receiving the request for the
use or disclosure of PHI and the presumption is overcome, the regulated
entity is permitted to use or disclose PHI in response to the request
upon receipt of an attestation where it is reasonable to rely on the
representations made in the attestation. It is not reasonable for the
regulated entity to rely solely on a statement of the person requesting
the use or disclosure of PHI that the reproductive health care was
unlawful under the circumstances in which such health care was
provided. Instead, the person requesting the use or disclosure of PHI
must provide the regulated entity with information such that it would
constitute actual knowledge or that demonstrates to the regulated
entity a substantial factual basis that the reproductive health care
was not lawful under the specific circumstances in which such health
care was provided. A regulated entity that receives a request for PHI
involving reproductive health care provided by that regulated entity
should review the relevant PHI in its possession and other related
information (e.g., license of health care provider that provided the
health care, operating license for the facility in which such health
care was provided) to determine whether the reproductive health care
was lawful under the circumstances in which it was provided prior to
using or disclosing PHI in response to a request for PHI that requires
an attestation. Where the request is about reproductive health care
that is provided by the regulated entity receiving the request, it
would not be reasonable for a regulated entity to automatically rely on
a representation made by a person requesting the use or disclosure of
PHI about whether the reproductive health care was provided under the
circumstances in which it was lawful to provide such health care.
Rather, the regulated entity must review the individual's PHI to
consider the circumstances under which it provided the reproductive
health care to determine whether such reliance is reasonable.
Therefore, where the request involves the use or disclosure of PHI
potentially related to reproductive health care that was provided by
the recipient of the request, the regulated entity must make the
determination about whether it provided the health care lawfully prior
to using or disclosing PHI in response to a request that requires an
attestation.
For example, if a law enforcement official requested PHI
potentially related to reproductive health care to investigate a person
for the mere act of seeking, obtaining, providing or facilitating
allegedly unlawful reproductive health care, it would not be reasonable
for a regulated entity that receives such a request to rely solely on a
signed attestation that states that the reproductive health care was
not lawful under the circumstances in which it was provided, as set
forth in 45 CFR 164.502(a)(5)(iii)(B), and therefore, that the
requested disclosure is not for a purpose prohibited under 45 CFR
164.502(a)(5)(iii)(A). This is regardless of whether the regulated
entity receiving the request for PHI provided the reproductive health
care at issue. Assuming that the attestation is not facially deficient,
a regulated entity must consider the totality of the circumstances
surrounding the attestation and whether it is reasonable to rely on the
attestation in those circumstances. To determine whether it is
reasonable to rely on the attestation, a regulated entity should
consider, among other things: who is requesting the use or disclosure
of PHI; the permission upon which the person making the request is
relying; the
information provided to satisfy other conditions of the relevant
permission; the PHI requested and its relationship to the stated
purpose of the request; and, where the reproductive health care was
supplied by another person, whether the regulated entity has: (1)
actual knowledge that the reproductive health care was not lawful under
the circumstances in which it was provided; or (2) factual information
supplied by the person requesting the use or disclosure of PHI that
would demonstrate to a reasonable regulated entity a substantial
factual basis that the reproductive health care was not lawful under
the specific circumstances in which such health care was provided.
For example, a regulated entity receives an attestation from a
Federal law enforcement official, along with a court ordered warrant
demanding PHI potentially related to reproductive health care. The law
enforcement official represents that the request is about reproductive
health care that was not lawful under the circumstances in which such
health care was provided, but the official will not divulge more
information because they allege that doing so would jeopardize an
ongoing criminal investigation. In this example, if the regulated
entity itself provided the reproductive health care and, based on the
information in its possession, reasonably determines that such health
care was lawful under the circumstances in which it was provided, the
regulated entity may not disclose the requested PHI.
If the regulated entity did not provide the reproductive health
care, it may not disclose the requested PHI absent additional factual
information because the official requesting the PHI has not provided
sufficient information to overcome the presumption at 45 CFR
164.502(a)(5)(iii)(C). Further, it also would not be reasonable under
the circumstances for the regulated entity to rely on the attestation
that the information would not be used for a purpose prohibited by 45
CFR 164.502(a)(5)(iii) because of the presumption that the reproductive
health care was lawfully provided.
However, in cases where the presumption of lawfulness applies, the
regulated entity would be permitted to make the disclosure, for
example, where the law enforcement official provides additional factual
information for the regulated entity to determine that there is a
substantial factual basis that the reproductive health care was not
lawful under the circumstances in which such health care was provided.
As another example, a regulated entity could rebut the presumption of
lawfulness by relying on a sworn statement by a law enforcement
official that the PHI is necessary for an investigation into violations
of specific criminal codes unrelated to the provision of reproductive
health care (e.g., billing fraud) or an affidavit from an individual
that the individual obtained unlawful reproductive health care from a
different health care provider and the requested PHI is relevant to
that investigation. Similarly, if a regulated entity receives an
attestation from a Federal law enforcement official, along with a
court-ordered warrant demanding PHI potentially related to reproductive
health care, that both specify that the purpose of the request is not
for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), the regulated
entity may rely on the attestation and warrant, subject to the
requirements of 45 CFR 164.512(f)(1)(ii)(A).
Lastly, this final rule requires a regulated entity to cease use or
disclosure of PHI if the regulated entity, during the course of the use
or disclosure, discovers information reasonably showing that the
representations contained within the attestation are materially
incorrect, leading to uses or disclosures for a prohibited
purpose.\353\ As we explained in the 2023 Privacy Rule NPRM, pursuant
to HIPAA, a person who knowingly and in violation of the Administrative
Simplification provisions obtains or discloses IIHI relating to another
individual or discloses IIHI to another person would be subject to
criminal liability.\354\ Thus, a person who knowingly and in violation
of HIPAA \355\ falsifies an attestation (e.g., makes material
misrepresentations about the intended uses of the PHI requested) to
obtain (or cause to be disclosed) an individual's IIHI could be subject
to criminal penalties as outlined in the statute.\356\ Additionally, a
disclosure made based on an attestation that contains material
misrepresentations after the regulated entity becomes aware of such
misrepresentations constitutes an impermissible disclosure, which
requires notifications of a breach to the individual, the Secretary,
and in some cases, the media.\357\
---------------------------------------------------------------------------
\353\ 45 CFR 164.509(d).
\354\ See 42 U.S.C. 1320d-6(a).
\355\ A person (including an employee or other individual) shall
be considered to have obtained or disclosed individually
identifiable health information in violation of this part if the
information is maintained by a covered entity (as defined in the
HIPAA privacy regulation described in section 1320d-9(b)(3) of this
title) and the individual obtained or disclosed such information
without authorization. Id.
\356\ See 42 U.S.C. 1320d-6(b).
\357\ 45 CFR 164.400 et seq. The HIPAA Breach Notification Rule,
45 CFR 164.400-414, requires HIPAA covered entities and their
business associates to provide notification following a breach of
unsecured PHI.
---------------------------------------------------------------------------
The attestation requirement does not replace the conditions of the
Privacy Rule's permissions for a regulated entity to disclose PHI,
including in response to a subpoena, discovery request, or other lawful
process, or administrative request. Instead, the attestation is
designed to work with the permissions and their requirements. If PHI is
disclosed pursuant to 45 CFR 164.512(e)(1)(ii) or (f)(1)(ii)(C), a
regulated entity will need to verify that the requirements of each
provision are met, in addition to satisfying the requirements of the
new attestation provision under 45 CFR 164.509. Furthermore, the
requirements of 45 CFR 164.528, the right to an accounting of
disclosures of PHI made by a covered entity, are not affected by the
attestation requirement. Thus, disclosures made pursuant to a
permission under 45 CFR 164.512(d), (e), (f), or (g) must be included
in the accounting, including when they are made pursuant to an
attestation.
5. Responses to Public Comments
Comment: Most commenters supported the proposal to require an
attestation for certain uses and disclosures. A few commenters
recognized the benefits of the attestation requirement, despite the
potential increase in administrative burden for regulated entities.
Many commenters opposed the proposal for what they described as
administrative burden, questionable effectiveness, and lack of clarity.
A few commenters stated that the requirements imposed an inappropriate
compliance burden on covered entities that would need to determine
whether a PHI request was ``potentially related'' to sensitive personal
health care, and, along with a health care provider who otherwise
supported the attestation, they recommended instead that the Department
impose requirements on the person requesting the use or disclosure of
PHI. Many commenters expressed concerns about the ability of covered
entities to operationalize the proposed requirement with the limitation
to PHI potentially related to reproductive health care because it would
require the ability to segment PHI, which the Department previously
acknowledged is generally unavailable. A few commenters questioned the
effectiveness of the proposed attestation
requirement, as compared to its potential burden, enforceability, and
effects on access to maternal and specialty health care.
Response: We agree with commenters that the attestation requirement
will bolster the privacy of PHI and acknowledge that implementation of
this important safeguard requires additional administrative activities
by regulated entities. The Department considered removing the
limitation on the application of the attestation condition to PHI
``potentially related to reproductive health care,'' but we are
concerned that expanding it to apply to all requests for PHI made for
specified purposes would impose even more burden on regulated entities.
The requirement is to determine whether the requested PHI is
``potentially related to reproductive health care,'' not whether it is
``related to reproductive health care.'' Thus, regulated entities are
not required to make an affirmative determination that the requested
PHI is in fact related to reproductive health care before requiring a
person requesting PHI to provide an attestation. We note that the focus
of the attestation requirement has been limited to PHI potentially
related to reproductive health care because the changes to the legal
landscape have heightened privacy concerns about reproductive health care
that is lawful under the circumstances in which such health care is
provided. We also note that the provision of an attestation itself is
not determinant of whether the request is for a prohibited purpose.
Rather, regulated entities must consider whether a request for PHI is
for a prohibited purpose, regardless of whether the request is made for
a purpose for which the Privacy Rule requires an attestation.
The Department is limited to applying the HIPAA Rules to those
entities covered by HIPAA (i.e., health plans, health care
clearinghouses, and health care providers that conduct covered
transactions) and to business associates, as provided under the HITECH
Act. Accordingly, the Department is limited to imposing obligations on
persons requesting the use or disclosure of PHI to those who are also
regulated entities.
The attestation condition has been drafted to promote the privacy
of information about lawful reproductive health care, including
maternal and specialty health care, while still permitting certain uses
of PHI. Regulated entities, including covered entities that specialize
in providing reproductive health care, may determine, based on their
assessment of what PHI is potentially related to reproductive health
care, that an attestation must accompany all requests they receive for
the use or disclosure of any PHI made pursuant to and in compliance
with 45 CFR 164.512(d)-(g)(1). Further, the attestation requirement
only applies to the specified requests for PHI and should not affect
any intake of new patients or provision of maternal health care.
The Department is not requiring a regulated entity to investigate
the veracity of the information provided in support of an attestation
because doing so would impose a significant administrative burden on
regulated entities and persons requesting the use or disclosure of PHI
without proportional benefit. Additionally, requiring such an
investigation by the regulated entity may cause unnecessary delays to
law enforcement activities. Rather, the Department is finalizing a
regulated entity's ability to rely on the attestation provided that it
is reasonable under the circumstances for the regulated entity to
believe the statement required by 45 CFR 164.509(c)(1)(iv) that the
requested disclosure of PHI is not for a purpose prohibited by 45 CFR
164.502(a)(5)(iii). If such reliance is not reasonable, then the
regulated entity may not rely on the attestation.
A regulated entity that receives a request for PHI potentially
related to reproductive health care for purposes specified in 45 CFR
164.512(d), (e), (f), or (g)(1) may accept information, in addition to
the attestation, from the person requesting the PHI to support its
ability to make the determinations required by 45 CFR
164.502(a)(5)(iii) and 45 CFR 164.509(b)(v).
For example, it likely would not be reasonable for a regulated
entity to rely on an attestation from a public official who represents
that their request is for a purpose that is not prohibited, if the
request for PHI is overly broad for its purported purpose and the
public official has publicly stated that they will be investigating
health care providers for providing reproductive health care. In such
cases, regulated entities should consider the circumstances surrounding
an attestation to determine whether they can reasonably rely on the
attestation. Although we have modified the regulatory text by removing
``objectively,'' the standard remains unchanged in practice because a
reasonableness standard is an objective standard. As we also discussed
above, it is not reasonable for a regulated entity that provided the
reproductive health care at issue to rely on a representation made by a
person requesting the use or disclosure of PHI that the reproductive
health care at issue was unlawful under the circumstances in which such
health care was provided. A regulated entity that makes a disclosure
where it was not reasonable to rely on the representation made by the
person requesting the use or disclosure may be subject to enforcement
action by OCR.
Additionally, as discussed in greater detail above, a person who
knowingly and in violation of the Administrative Simplification
provisions obtains or discloses IIHI relating to another individual or
discloses IIHI to another person would be subject to criminal
liability.\358\ We believe that this provision serves as a deterrent
for those who otherwise might request PHI in violation of this final
rule. It also will continue to permit essential disclosures while
ensuring that Privacy Rule permissions cannot be used to circumvent the
new prohibition, thereby enhancing the privacy of individuals' PHI and
protecting other important interests.
---------------------------------------------------------------------------
\358\ See 42 U.S.C. 1320d-6(a).
---------------------------------------------------------------------------
Comment: Several commenters opposed the attestation proposal
because they believed that the proposal would make it more difficult
for law enforcement to request PHI and for entities to respond to such
requests, potentially putting them in situations where they need to
choose between complying with a court order and impermissibly
disclosing PHI. A few individuals stated that the proposal would have a
chilling effect on the ability of a state to conduct investigations or
proceedings for which the use or disclosure of PHI could be beneficial,
particularly in cases involving rape, incest, sex trafficking, domestic
violence, abuse, and neglect.
Response: We acknowledge that the attestation provision may require
regulated entities to obtain additional information from persons
requesting PHI in certain circumstances. As discussed above, this
condition is consistent with the operation of the Privacy Rule since
its inception, which has always required regulated entities to obtain
additional information from persons requesting PHI in certain
circumstances, such as where the use or disclosure is one for which an
authorization or opportunity to agree or object is not required.\359\
However, as also discussed above, any burden the attestation may impose
on persons requesting PHI is outweighed by the privacy interests that
this final rule is designed to protect.
---------------------------------------------------------------------------
\359\ See 45 CFR 164.512.
---------------------------------------------------------------------------
A person requesting PHI pursuant to 45 CFR 164.512(d)-(g)(1) may
elect to provide an attestation with their request, even if a
determination has not
yet been made concerning whether such request is for PHI potentially
related to reproductive health care. Similarly, the Privacy Rule does
not require a regulated entity to respond to requests for PHI.
Comment: Some commenters were concerned about the effect of the
attestation requirement on the electronic exchange of PHI and
recommended approaches for incorporating attestations into a HIE
environment. A commenter expressed concern that the requirement for an
attestation would delay or prevent automated data exchange using Fast
Healthcare Interoperability Resources® (FHIR®) APIs and
might impede innovation. They requested guidance on how to implement
the attestation condition in an HIE environment without impeding
regulated exchanges or industry innovations using extensive data
exchange via FHIR APIs. Commenters also recommended that the Department
issue guidance on implementing attestation policies in circumstances
not required by this rule that would not constitute information
blocking. A commenter encouraged the Department to implement processes
that limit the liability of health care providers for the actions of
third parties. For example, the commenter requested that the Department
clarify that a refusal to disclose PHI absent an attestation is
protected from a finding of information blocking.
Response: We do not believe that this final rule prevents the
disclosure of PHI via a HIE. We disagree that this requirement prevents
the exchange of data using FHIR APIs under these permissions or for
automated health data exchange more broadly. PHI can be disclosed as
requested if the regulated entity obtains a valid attestation and the
request meets the conditions of an applicable permission. The
attestation requirement does not affect any requests via FHIR API that
fall outside of the 45 CFR 164.512(d)-(g)(1) permissions. For example,
a disclosure of PHI from a covered health care provider to another
health care provider for care coordination purposes would not require
an attestation because the disclosure would not be for a purpose
addressed by 45 CFR 164.512(d)-(g)(1). The importance of protecting an
individual's interest in the privacy of their PHI and society's
interest in improving the effectiveness of the health care system far
outweighs any potential administrative burdens or delays in the
electronic exchange of PHI for non-health care purposes. Further,
compliance with applicable law does not constitute information
blocking.\360\ Thus, we do not believe additional regulatory language
is necessary at this time. OCR regularly collaborates with other
Federal agencies, including ONC, to develop guidance on compliance with
Federal standards and to address questions that arise about the ability
of regulated entities to comply with applicable laws.
---------------------------------------------------------------------------
\360\ See 42 U.S.C. 300jj-52(a)(1) (excluding from the
definition of ``information blocking'' practices that are likely to
interfere with, prevent, or materially discourage access, exchange,
or use of electronic health information if they are ``required by
law''; 85 FR 25642, 25794 (May 1, 2020) (explaining that ``required
by law'' specifically refers to interferences that are explicitly
required by state or Federal law). See also 89 FR 1192, 1351 (Jan.
9, 2024) (affirming that where applicable law prohibits access,
exchange, or use of information, practices in compliance with such
law are not considered to be information blocking and citing to
compliance with the Privacy Rule as an example of an applicable
law).
---------------------------------------------------------------------------
The permissions for which the Department is requiring that a
regulated entity obtain an attestation prior to using or disclosing PHI
are already conditioned upon meeting certain requirements, which
generally require manual review. The Department acknowledges that
certain persons may need to adjust their workflows to account for the
attestation requirement. While there may be some delays until new
processes are implemented, any disruptions will decrease over time.
Thus, we do not anticipate that this final rule will contribute to
additional delays in the disclosure of PHI.
The Department is finalizing a new regulatory presumption that
permits a regulated entity to presume reproductive health care provided
by another person was lawful unless the regulated entity has actual
knowledge or factual information supplied by the person requesting the
use or disclosure of PHI that demonstrates to the regulated entity a
substantial factual basis that the reproductive health care was not
lawful under the specific circumstances in which such health care was
provided. This presumption will facilitate the determination by the
regulated entity about whether a request for the use or disclosure of
PHI would be subject to the prohibition, and thus will reduce the risk
of an impermissible use or disclosure of the requested PHI, thereby
reducing the liability of regulated entities that receive requests for
PHI to which the prohibition may apply, but where they did not provide
the reproductive health care at issue.
Comment: Many commenters questioned the Department's rationale for
not extending the attestation requirement directly to business
associates, consistent with the general prohibition. Some commenters
recommended that the attestation requirement be applied to business
associates because persons requesting the use or disclosure of PHI may
directly approach a business associate for this PHI (and the business
associate agreement may permit such disclosures or be silent regarding
whether the business associate may respond to them). Commenters also
requested clarification of the responsibilities of business associates
with respect to attestations and questioned whether the proposal would
require amendment of their business associate agreements.
Response: As discussed above, we agree with the commenters that the
attestation requirement should apply directly to business associates
because they receive direct requests for PHI and are subject to the
general prohibition in the same manner as covered entities. Therefore,
we are modifying 45 CFR 164.509 to ensure that it expressly applies to
both covered entities and their business associates.
Comment: Although a few commenters expressed support for limiting
the attestation condition to requests regarding ``PHI potentially
related to reproductive health care,'' many commenters recommended that
the proposed requirement to obtain an attestation be broadly applied to
requests for any PHI. Many stated that it would be easier and more
efficient for regulated entities if all requests related to a
prohibited purpose required the attestation, regardless of the PHI
being requested. According to these commenters, this would allow the
regulated entity to avoid making any determinations regarding the PHI.
A few explained that expanding the requirement to all PHI would
appropriately place the burden of demonstrating that the requested
disclosure was permissible on the person making the request.
Several commenters asserted that information related to
reproductive health care is potentially found in every department,
record, and system, including those that may not have a readily
apparent relationship to reproductive health care. As a result,
according to these commenters, it would be onerous and costly to
separate different types of health information in a medical record.
According to other commenters, the volume of records requests received
by health systems would render any requirement on a health care
provider to redact PHI from an individual's medical record in the
absence of an attestation overly burdensome and increase the risk of
unauthorized disclosure. Some
[[Page 33035]]
commenters explained that staff managing health information generally
do not have the legal or medical training to determine whether a PHI
request may be for PHI potentially related to reproductive health care,
particularly given the breadth of most requests (e.g., for all medical
records of an entity, of a particular health care provider or a
particular individual). These commenters also raised concerns that the
lack of legal or medical training could lead to inconsistent
application of the rule, the inadvertent disclosure of PHI potentially
related to reproductive health care, or delay the use or disclosure of
PHI, even when the individual has not sought or obtained reproductive
health care. Many commenters asserted that determining whether a
request for the use or disclosure of PHI includes PHI potentially
related to reproductive health care is difficult and a significant
burden on health information professionals, particularly where the
covered entity did not provide or facilitate the health care. According
to some commenters, some business associates, such as cloud services
providers, may not have the ability to determine whether the PHI that
they maintain includes PHI potentially related to reproductive health
care.
Some commenters posited that the result of this requirement would
be that health care providers would refuse to provide any PHI in
response to a request for the use or disclosure of PHI on any matter that
could possibly be construed as potentially related to reproductive
health care. They and others stated that limiting the proposed
prohibition to one category of PHI would require regulated entities to
label or segment certain PHI within medical records, which would be
impractical and costly because EHRs are unable to reliably segregate or
flag PHI retrospectively.
Response: We acknowledge the comments from regulated entities that
expressed concerns about the effects of the limitation of the
attestation requirement to PHI potentially related to reproductive
health care. However, the Department is concerned that extending the
attestation requirement to all PHI could result in unintended
consequences, such as the potential delay of law enforcement
investigations that do not require PHI potentially related to
reproductive health care. By contrast, an attestation requirement is
necessary for PHI potentially related to reproductive health care
because of recent changes to the legal landscape that make it more
likely that PHI will be sought for punitive non-health care purposes,
and thus more likely to be subject to disclosure by regulated entities
if the requested disclosure is permissible under the Privacy Rule,
thereby harming the interests that HIPAA seeks to protect. Accordingly,
the Department is not modifying the attestation requirement that a
regulated entity obtain an attestation only for PHI potentially related
to reproductive health care.
The Department acknowledges that the attestation requirement may
increase the burden on regulated entities, but we disagree that
regulated entities are unable to make the required assessments of
attestations. Regulated entities currently conduct similar assessments
when determining whether PHI may be disclosed to a personal
representative, when making disclosures that are required by law or for
public health purposes, and for various other permitted purposes.
Regulated entities also regularly review medical records to comply with
minimum necessary requirements. The Department is cognizant that an
expanded attestation requirement could significantly increase burden if
it were to expand this requirement to all disclosures in the absence of
the sensitivities described in this final rule.
Comment: Many commenters supported the proposal to limit the
requirement to obtain an attestation with a request for uses and
disclosures to certain permissions, namely those that have the greatest
potential to be connected with a purpose for which the Department
proposed to prohibit the use and disclosure of PHI. Some commenters
expressed their belief that the Department had identified the
appropriate permissions for which the attestation would provide
additional safeguards.
Many commenters suggested modifications, primarily expansions or
clarifications of the types of permitted uses and disclosures that
would be subject to the attestation. Generally, commenters explained
their belief that their recommended modifications would either mitigate
the burden of the requirement to ascertain the purposes of the
requested disclosure or increase privacy protections for individuals.
Commenters recommended multiple ways to expand the attestation
requirement, such as extending it to all permissions in 45 CFR 164.512;
disclosures required by law, for public health activities, and to avert
a serious threat to health or safety; disclosures for treatment
purposes to a person not regulated by HIPAA or disclosures to any
person who might use the PHI for a prohibited purpose; and any
disclosure at the discretion of the covered entity.
Response: The Department declines to expand the permissions for
which an attestation is required at this time. The Department
specifically chose to limit the attestation condition to the
permissions at 45 CFR 164.512(d)-(g)(1) because these permissions have
the greatest potential to result in the use or disclosure of an
individual's PHI for a purpose prohibited at 45 CFR 164.502(a)(5)(iii).
In the context of other permissions, where the risk of improper use or
disclosure is less, the benefits of an attestation condition would be
outweighed by the administrative burden of compliance. Accordingly, any
disclosures made pursuant to 45 CFR 164.512(b), which includes
disclosures for public health surveillance, investigations, or
interventions, do not require an attestation. However, we note that
requests made pursuant to other permissions of the rule remain subject
to and must be evaluated for compliance with the prohibition at 45 CFR
164.502(a)(5)(iii).
Comment: A commenter stated that no attestation should be needed
for judicial and administrative proceedings because current
requirements are adequate. Instead, the commenter requested that the
Department consider expanding procedural protections.
Response: We are finalizing the requirement that regulated entities
obtain an attestation as a condition of a use or disclosure of PHI for
judicial and administrative proceedings. As previously discussed, the
attestation requirement ensures that certain Privacy Rule permissions
are not used to circumvent the prohibition. The attestation requirement
also reduces the burden on regulated entities because it is
specifically designed to facilitate compliance with the prohibition
under 45 CFR 164.502(a)(5)(iii) by helping regulated entities determine
whether the use or disclosure of the requested PHI is permitted.
Although a court order, qualified protective order, satisfactory
assurance, or subpoena may have a restriction that prevents information
requested from being further disclosed, it protects PHI only after it
has been used or disclosed. Thus, the regulated entity's use or
disclosure of PHI could still violate the prohibition at 45 CFR
164.502(a)(5)(iii), even if that disclosure is made in response to a
court order, qualified protective order, satisfactory assurance, or
subpoena. The attestation requirement helps to mitigate the risk of
violations in these circumstances.
Comment: A few commenters expressed concerns about their ability to
implement the attestation requirement
[[Page 33036]]
in circumstances where the use or disclosure is triggered by a
mandatory reporting law or verbal request and recommended that no
attestation should be required in any case where disclosure of PHI is
required by law. According to the commenters, an attestation
requirement could require a significant change to operational workflows
for permitted disclosures and significantly impede operations for state
and local agencies that conduct death investigations and perform public
health studies and initiatives.
Response: The Privacy Rule at 45 CFR 164.512(a) permits certain
uses and disclosures of PHI that are required by law, including
notification of certain deaths by a covered health care provider to a
medical examiner, when those uses and disclosures are limited to the
requirements of such law. The attestation condition does not apply to
the mandatory disclosures made pursuant to 45 CFR 164.512(a). Other
mandatory reporting that is subject to 45 CFR 164.512(a)(2) has always
been subject to the additional requirements of 45 CFR 164.512(c), (e),
or (f). Further, mandatory reporting for public health activities
pursuant to 45 CFR 164.512(b) does not require an attestation.
The attestation condition applies if the regulated entity is making
a use or disclosure to a coroner or medical examiner pursuant to 45 CFR
164.512(g)(1). We understand that this may require regulated entities
to adjust their workflows to comply with this requirement. For example,
regulated entities could consider having an electronic attestation form
readily available for persons that request the use or disclosure of PHI
potentially related to reproductive health care because doing so may
reduce delays in the regulated entity's response time related to the
attestation condition. Thus, this condition will not significantly
impede operations for persons who request information because the
interruptions will decrease as they adjust their workflows to
accommodate the new condition.
We remind regulated entities that the prohibition in 45 CFR
164.502(a)(5)(iii) applies, regardless of whether the request for PHI
is made pursuant to a permission for which an attestation is required
or another permission.
Comment: Many commenters urged the Department to implement a
reasonable, good faith standard or a safe harbor for situations in
which a regulated entity discloses PHI and the person requesting the
PHI either uses or rediscloses it for a purpose that would be
prohibited under the proposed rule. Some commenters were concerned that
a covered entity will be liable for inadvertent disclosures of PHI and
sought the benefit of the affirmative defense afforded at 45 CFR
160.410(b)(2).
Response: The Department declines to add a ``good faith'' standard
or safe harbor to this final rule. As discussed above, the Department
is not finalizing a separate Rule of Construction and is not
incorporating the phrase ``primarily for the purpose of'' into the
final prohibition standard.
As we explained in the 2023 Privacy Rule NPRM, 45 CFR 164.509
requires a new attestation for each use or disclosure request; a single
attestation would not be sufficient to permit multiple uses or
disclosures. This requirement is unlike the authorization, where
generally, when a regulated entity receives a valid authorization, they
may continue to use or disclose PHI to the person requesting the use or
disclosure of PHI pursuant to that authorization after the initial
disclosure, provided that such subsequent uses and disclosures are
valid and related to that authorization. We understand that this may
constitute an additional administrative burden for both the regulated
entity and the person or entity requesting the information; however,
requiring an attestation for each use or disclosure is necessary to
ensure that certain Privacy Rule permissions are not used to circumvent
the new prohibition at 45 CFR 164.502(a)(5)(iii), and to permit
essential disclosures.
Comment: Some commenters expressed support for permitting a
regulated entity to rely on an attestation if ``it appears objectively
reasonable'' or ``when objectively reasonable'' and not requiring
covered entities to investigate the accuracy of an attestation, thereby
mitigating liability to the regulated entity, if not fully protecting
an individual. Many commenters expressed concern that it would not be
objectively reasonable for a regulated entity to rely on a
representation made by the person requesting the use or disclosure of
PHI that the PHI sought was related to unlawful health care. The
commenters requested a guarantee that a health care provider's reliance
on a ``facially valid'' attestation would be objectively reasonable
without requiring the entity to investigate the intentions of the
person requesting the use or disclosure of PHI and the validity of
their attestation. A commenter recommended that the final rule direct
regulated entities to take attestations at face value and hold harmless
regulated entities in the event of a false attestation.
Commenters offered several reasons for these recommendations,
including the burden on covered entities where they are required to
determine: (1) the veracity of every attestation; (2) whether an
attestation is required; and (3) whether the statement that the request
for the use or disclosure is not for a purpose prohibited under 45 CFR
164.502(a)(5)(iii) is objectively reasonable.
Response: To assist in effectuating the prohibition, this Final
Rule requires an attestation in some circumstances. We recognize the
potential burden on regulated entities to investigate the validity of
every attestation and do not require that they conduct a full
investigation in each instance. However, as discussed above, if an
attestation, on its face, meets the requirements at 45 CFR 164.509(c),
a regulated entity must consider the totality of the circumstances
surrounding the attestation and whether it is reasonable to rely on the
attestation in those circumstances. To determine whether it is
reasonable to rely on the attestation, a regulated entity should
consider, among other things: who is requesting the use or disclosure
of PHI; the permission upon which the person making the request is
relying; the information provided to satisfy other conditions of the
relevant permission; the PHI requested and its relationship to the
purpose of the request (i.e., does the request meet the minimum
necessary standard in relation to the purpose of the request); and,
where the presumption at 45 CFR 164.502(a)(5)(iii)(C) applies,
information provided by the person requesting the use or disclosure of
PHI to overcome that presumption.
For example, as discussed above, it may not be reasonable for a
regulated entity to rely on an attestation filed by a public official
that a request for PHI potentially related to reproductive health care
is not for a prohibited purpose when that public official has publicly
stated their interest in investigating or imposing liability on those
who seek, obtain, provide, or facilitate certain types of lawful
reproductive health care. If a regulated entity concludes that it would
not be reasonable to rely on the attestation in this instance, the
regulated entity would be prohibited from disclosing the requested PHI
unless and until the public official provided additional information
that enables the regulated entity to assess the veracity of its
attestation. In contrast, it may be reasonable to rely on the
representation of a public official that a request for PHI potentially
related to reproductive
[[Page 33037]]
health care is not for a prohibited purpose if the stated purpose for
the request is to investigate insurance fraud and the public official
making the request is expressly authorized by law to conduct insurance
fraud investigations as part of their legal mandate. Therefore, as
discussed above, the Department is balancing these considerations by
finalizing language that generally permits a regulated entity to rely
on the attestation if it is reasonable for the regulated entity to
believe the statement that the requested disclosure of PHI is not for a
purpose prohibited by 45 CFR 164.502(a)(5)(iii).\361\ To further assist
regulated entities in determining whether it is reasonable to rely on
the attestation, the requirement that the attestation include a clear
statement that the use or disclosure is not for a prohibited purpose
under 45 CFR 164.502(a)(5)(iii) may be satisfied with a statement that
identifies why the use or disclosure is not prohibited, which could be
checkboxes that indicate that the use or disclosure is not for a
purpose described in 45 CFR 164.502(a)(5)(iii)(A), or that the
reproductive health care does not satisfy the Rule of Applicability at
45 CFR 164.502(a)(5)(iii)(B).
---------------------------------------------------------------------------
\361\ This approach is consistent with 45 CFR 164.514(h), which
requires a regulated entity to verify the identity and legal
authority of a public official or a person acting on behalf of the
public official and describes the type of documentation upon which
the regulated entity can rely, if such reliance is reasonable under
the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A),
which permits a covered entity to rely, if such reliance is
reasonable under the circumstances, on a requested disclosure as the
minimum necessary for the stated purpose when making disclosures to
public officials that are permitted under 45 CFR 164.512, if the
public official represents that the information requested is the
minimum necessary for the stated purpose(s).
---------------------------------------------------------------------------
Where the request for the use or disclosure of PHI is made of the
regulated entity that provided the reproductive health care at issue,
the regulated entity should ensure that the reproductive health care
was not lawful under the circumstances in which such health care was
provided before using or disclosing the requested PHI. If the
reproductive health care at issue was provided under circumstances in
which such health care was lawful, the regulated entity must obtain an
attestation and determine whether it is reasonable to rely on the
attestation that the use or disclosure is not being requested to
conduct an investigation into or impose liability on any person for the
mere act of seeking, obtaining, providing, or facilitating such
reproductive health care. If the reproductive health care at issue was
provided under circumstances in which such health care was unlawful,
the regulated entity is permitted, but not required, to disclose the
PHI if the disclosure meets the conditions of an applicable Privacy
Rule permission, which may include an attestation.
Regulated entities will not generally be held liable for disclosing
PHI to a person who signed the attestation under false pretenses,
provided that the requirements of 45 CFR 164.509 are met, and it is
reasonable under the circumstances for the regulated entity to believe
the statement that the requested disclosure of PHI is not for a purpose
prohibited by 45 CFR 164.502(a)(5)(iii).
Comment: A commenter recommended that the rule clarify the
relationship between the attestation and 45 CFR 164.514(h) regarding
verification requirements. They requested that the Department consider
making explicit in the Final Rule that reliance on legal process would
not be appropriate in the absence of an attestation.
Response: The verification requirement under 45 CFR 164.514(h)
\362\ is separate from the attestation requirement, and a regulated
entity must still comply with 45 CFR 164.514(h) when processing an
attestation. The final rule makes clear that the attestation
requirement will apply if the request for PHI potentially related to
reproductive health care is made pursuant to permissions under 45 CFR
164.512(d)-(g)(1), which may include disclosing PHI pursuant to a legal
process.
---------------------------------------------------------------------------
\362\ 45 CFR 164.514(h)(1) requires a regulated entity to verify
both the identity of the person requesting PHI and the authority of
any such person to have access to PHI, if the identity or authority
of such person is not known to the regulated entity. 45 CFR
164.514(h)(2)(ii) describes the information upon which a regulated
entity may rely, if such reliance is reasonable under the
circumstances, to verify the identity of a public official
requesting PHI or a person acting on behalf of a public official,
while 45 CFR 164.514(h)(2)(iii) describes the information upon which
a regulated entity may rely, if such reliance is reasonable under
the circumstances, to verify the authority of the public official
requesting PHI or a person acting on behalf of a public official.
---------------------------------------------------------------------------
Comment: Some commenters stated that it is difficult to determine
the purpose of a request for the use or disclosure of PHI because many
requests include only a general purpose. A commenter asserted that
staff would need to screen all incoming requests, a task that may
require legal or clinical expertise. Further, some commenters stated
that regulated entities may experience conflict with persons requesting
the use or disclosure of PHI about signing the form.
Response: This final rule prohibits the use and disclosure of PHI
for certain purposes and conditions disclosures for certain purposes
upon the receipt of an attestation. Thus, it is incumbent upon the
regulated entity receiving the request to determine whether disclosure
is in compliance with the Privacy Rule. To help the regulated entity
make such a determination, the Department is adding to the required
elements of the attestation a description of the purpose of the request
that is sufficient for the regulated entity to determine whether the
prohibition at 45 CFR 164.502(a)(5)(iii) may apply to the request.
Requests for the use or disclosure of PHI for the specified purposes
are likely subject to heightened scrutiny by the regulated entity
currently because of other conditions imposed upon such disclosures by
the Privacy Rule, so additional expertise will not always be required
when processing a request for the use or disclosure of PHI and the
accompanying attestation. For example, under the Privacy Rule, a
regulated entity must determine whether a request for the use or
disclosure of PHI for a judicial or administrative proceeding made
using a subpoena, discovery request, or other lawful process, that is
not accompanied by an order of a court or administrative tribunal
contains ``satisfactory assurances'' that reasonable efforts have been
made by the person making the request either: (1) to ensure that the
individual who is the subject of the PHI that has been requested has
been given notice of the request; \363\ or (2) to secure a qualified
protective order that meets certain requirements specified in the
Privacy Rule.\364\ The Privacy Rule further details how regulated
entities are to determine whether they have received ``satisfactory
assurances'' for both options described above.\365\ Such requirements
ensure that a regulated entity must already carefully review requests
for such purposes, such that the attestation condition likely poses
minimal additional burden for such requests. In any event, the
Department believes that these administrative burdens are outweighed by
the privacy interests that this final rule seeks to protect.
---------------------------------------------------------------------------
\363\ 45 CFR 164.512(e)(1)(ii)(A).
\364\ 45 CFR 164.512(e)(1)(ii)(B).
\365\ 45 CFR 164.512(e)(1)(iii) and (iv).
---------------------------------------------------------------------------
Comment: Many commenters asserted that it would be reasonable to
require affirmative verification under penalty of perjury that the
request for the use or disclosure of PHI is not for a purpose
prohibited under 45 CFR 164.502(a)(5)(iii) because it would signal an
intent to penalize requests
[[Page 33038]]
made to contravene the prohibition; would incentivize persons
requesting the use or disclosure of PHI to consider whether their
request is for a purpose prohibited under 45 CFR 164.502(a)(5)(iii);
deter unlawful ``fishing expeditions'' or conceal improper intent; and
add a layer of accountability. Another commenter stated this heightened
standard would enable the covered entity to reasonably rely in good
faith on the substance of the attestation without further
investigation, delay, cost, burden, or dispute. According to the
commenter, a person making a request for the use or disclosure of PHI
in good faith should have minimal to no concern when providing a
statement signed under penalty of perjury. Another commenter supported
a requirement that a person requesting the use or disclosure of PHI
provide an affirmative verification made under penalty of perjury that
the use or disclosure is not for a purpose prohibited under 45 CFR
164.502(a)(5)(iii) because it would suggest that evidence obtained
falsely would not be admissible in a legal proceeding. A commenter
asserted that it is important to ensure that the proposed attestations
would be as effective as possible, and including a signed declaration
made under penalty of perjury is critical to ensuring their
effectiveness in the current legal environment. A commenter endorsed
adding a statement regarding perjury to the proposed attestation
because it would place the person requesting the use or disclosure of
PHI on notice of the criminal penalties if the person were to violate
the proposed requirement.
A commenter asserted that the penalty of perjury requirement is a
common signature standard for legal and administrative proceedings and
expressed support for expanding it to other proceedings. The commenter
also expressed support for considering other options because of
concerns that the application and consequences of making a statement
under a penalty of perjury may lack clarity outside of certain
proceedings.
Response: We appreciate commenters' suggestions; however, the
Department ultimately decided that the addition of a penalty of perjury
would be unnecessary in light of the statutory criminal and civil
penalties under HIPAA. 42 U.S.C. 1320d-6 provides that any person who
knowingly and in violation of the Administrative Simplification
provisions obtains IIHI relating to another individual or discloses
IIHI to another person is subject to criminal liability.\366\ A
regulated entity is also subject to civil penalties for violations of
requirements of the HIPAA Rules.\367\ Thus, a person that requests PHI
who knowingly falsifies an attestation (e.g., makes material
misrepresentations as to the intended uses of the PHI requested) to
obtain PHI or cause PHI to be disclosed would be in violation of HIPAA
and could be subject to criminal penalties.\368\
---------------------------------------------------------------------------
\366\ See 42 U.S.C. 1320d-6(a).
\367\ See 42 U.S.C. 1320d-5. See also 45 CFR part 160, subparts
A, D, and E.
\368\ See 42 U.S.C. 1320d-6(b).
---------------------------------------------------------------------------
Comment: Some commenters expressed support for requiring that the
attestation include a statement that a person signing an attestation is
doing so under penalty of perjury, but they also questioned its ability
to prevent a person from requesting the use or disclosure of PHI for a
purpose prohibited under 45 CFR 164.502(a)(5)(iii) and recommended
additional requirements or alternatives. One commenter expressed
concern that there would be no disincentive for the recipient to submit
an attestation signed under false pretenses in the absence of
enforceable penalties. A different commenter questioned the efficacy of
a penalty of perjury requirement because the person requesting the use
or disclosure may not be the person that uses the PHI for a purpose
prohibited under 45 CFR 164.502(a)(5)(iii); it might be another person
who uses the information for a purpose prohibited under that provision.
According to the commenter, no criminal or other penalty would attach
because that other person did not sign the attestation. The commenter
also expressed concern that an attestation signed on behalf of an
entity may not be enforceable because the person who signed the
attestation did not have authority to bind the entity.
Commenters variously recommended that the Department include
language that the person requesting the use or disclosure of PHI would
not further use or disclose the PHI for a purpose prohibited under 45
CFR 164.502(a)(5)(iii) and that the requested information is the
minimum necessary, or require a search warrant or data use agreement
instead of an attestation. A commenter recommended that the Department
provide individuals with an actionable remedy, such as the right to
receive a portion of any civil money penalty assessed to the regulated
entity or the right to ``claw back'' the disclosure from the receiving
entity if the party that signed the attestation later violates its
terms.
Response: The Department understands and shares commenters'
concerns about redisclosures that would be prohibited by this rule if
the disclosure was made by a regulated entity. However, HIPAA limits
the Department's authority to regulating PHI maintained or transmitted
by a regulated entity, that is, a covered entity or its business
associate. Accordingly, a person that is not a regulated entity
generally may use or disclose such information without further
limitation by the HIPAA Rules.
Requiring search warrants or data use agreements as a condition of
the use or disclosure of PHI is beyond the scope of this final rule.
With respect to the commenter's concern about situations in which a
person who does not have the appropriate authority requests PHI on
behalf of a public official, the Privacy Rule generally requires that a
regulated entity verify the identity and legal authority of persons
requesting PHI prior to making the disclosure.\369\ Where a disclosure
of PHI is to a public official or person acting on behalf of a public
official who has the authority to request the information, a regulated
entity may verify the authority of that public official by relying on,
if reliance is reasonable under the circumstances, either a written
statement of legal authority under which the information is requested
(or an oral statement, if the written statement is impracticable).\370\
Alternatively, a regulated entity may presume the public official's
legal authority if a request is made pursuant to legal process,
warrant, subpoena, order, or other legal process issued by a grand jury
or a judicial or administrative tribunal.\371\ We remind regulated entities
that a determination that a public official has the authority to make a
request for the use or disclosure does not mean that the Privacy Rule
permits them to obtain any and all information that the official
requests. In such circumstances, the regulated entity should carefully
review the conditions of the applicable permission to ensure that they
are met. Where the condition involves a warrant, subpoena, or similar
instrument, the regulated entity must also review the scope of the
authority granted by the warrant, subpoena, or order to determine the
extent of the PHI that it is permitted to disclose.\372\ Further, a
regulated entity may rely, if such reliance is reasonable under the
circumstances, on a requested disclosure by a public official as the
minimum necessary if the public official represents that the requested
PHI is the minimum necessary for the stated purpose.\373\
---------------------------------------------------------------------------
\369\ See 45 CFR 164.514(h); see also 65 FR 82462, 82541, and
82547 (Dec. 28, 2000).
\370\ 45 CFR 164.514(h)(2)(iii)(A).
\371\ 45 CFR 164.514(h)(2)(iii)(B).
\372\ 45 CFR 164.512(a)(1).
\373\ 45 CFR 164.514(d)(3)(iii)(A).
---------------------------------------------------------------------------
HIPAA specifies the remedies available to the Federal Government
where persons violate the statute's Administrative Simplification
provisions: civil monetary penalties \374\ and criminal fines and
imprisonment.\375\ HIPAA does not include a private right of action.
---------------------------------------------------------------------------
\374\ 42 U.S.C. 1320d-5.
\375\ 42 U.S.C. 1320d-6.
---------------------------------------------------------------------------
Comment: One commenter asked the Department to clarify that anyone
providing a false attestation would be held accountable for false
statements with appropriate or significant civil fines or criminal
penalties for the material misrepresentation. Another commenter
specifically recommended that the Department consider it a material
misrepresentation for a person to sign an attestation without an
objectively reasonable basis to suspect that the reproductive health
care of interest was unlawful under the circumstances in which such
health care was provided. The commenter asserted that the attestation
should include specific language that any person who is requesting the
use or disclosure of PHI because they believe the reproductive health
care was not lawful under the circumstances in which such health care
was provided must have a reasonable basis for that belief (e.g., a
statement from a witness) and that the absence of an articulable, fact-
based reasonable suspicion would constitute a material
misrepresentation. According to the commenter, such a requirement would
prevent fishing expeditions because persons requesting the use or
disclosure of PHI would be required to have an actual, objective reason
for believing that a person provided health care in violation of state
or Federal law.
Response: The Department agrees that it would be a material
misrepresentation if a person who signs an attestation does not have an
objectively reasonable basis to suspect that the reproductive health
care was provided under circumstances in which it was unlawful, and
that an objectively reasonable basis of suspicion requires specific and
articulable facts associated with the individual whose PHI is requested
and the health care they received. We decline to include a statement of
this position on the attestation because it is encompassed in the
language that requires persons making a request for PHI to attest that
they are not making the request for a prohibited purpose and the
language ensuring that persons making such requests are aware of the
potential liability for knowingly and in violation of HIPAA obtaining
IIHI relating to an individual or disclosing IIHI to another person.
Comment: Some commenters urged the Department to include additional
provisions to monitor and enforce the attestation condition, including
requiring that a court order, written attestation, or valid
authorization accompany requests for the use or disclosure of PHI for
legal or administrative proceedings or law enforcement investigations.
Response: The attestation condition does not replace the conditions
of the Privacy Rule's permissions for a regulated entity to disclose
PHI in response to a subpoena, discovery request, or other lawful
process,\376\ or administrative request.\377\ Instead, it is designed
to work with these permissions and their associated conditions. For PHI to be
disclosed pursuant to 45 CFR 164.512(e)(1)(ii) and (f)(1)(ii)(C), a
regulated entity must verify that the relevant conditions are met and
also satisfy the attestation condition at 45 CFR 164.509. We do not
believe it is necessary to include additional requirements to monitor
and enforce implementation of the attestation condition because a
person who knowingly and in violation of the Administrative
Simplification provisions obtains or discloses IIHI relating to another
individual or discloses IIHI to another person would be subject to
criminal liability.\378\
---------------------------------------------------------------------------
\376\ 45 CFR 164.512(e)(1)(ii).
\377\ 45 CFR 164.512(f)(1)(ii)(C).
\378\ See 42 U.S.C. 1320d-6(a).
---------------------------------------------------------------------------
Comment: Almost all commenters responding to the Department's
request for comment expressed support for a Department-developed model
attestation or sample language that could be used by regulated entities
to reduce the implementation burden of the attestation condition. A
large health care provider expressed appreciation for options that
would simplify the process for reviewing requests for the use or
disclosure of PHI made pursuant to 45 CFR 164.512(d)-(g)(1). Other
commenters asserted that a standard form would reduce unnecessary
variation, support a consistent approach, decrease implementation
costs, and make it easier for a regulated entity to identify requests
for the use or disclosure of PHI for purposes prohibited under 45 CFR
164.502(a)(5)(iii).
Several commenters suggested that a universal or standardized
attestation form would reduce the burden of the attestation
requirement, especially for smaller health care providers, and reduce
delays in the disclosure of PHI resulting from the need for legal
review or unfamiliarity with the format of an attestation provided by a
person requesting the use or disclosure of PHI. One of these commenters
stated this would also support electronic data exchange by
standardizing attestation fields and the format. Most commenters
expressed opposition to a Department-required format and recommended
that the Department permit covered entities to modify the language of
the attestation.
Some commenters requested that the model attestation include a
plain language explanation and a tip sheet or guidance for completion.
They also requested that the model be an electronic, fillable form with
a clear heading and that the editing capabilities be limited to the
specific required fields. Some commenters recommended that the model
attestation contain an outline of penalties for misuse of PHI.
A commenter requested that the Department guarantee that a health
care provider's good faith reliance on a model attestation form would
be objectively reasonable.
Response: We appreciate these recommendations and intend to publish
model attestation language before the compliance date of this final
rule. As discussed above, if an attestation, on its face, meets the
requirements at 45 CFR 164.509(c), a regulated entity must consider the
totality of the circumstances surrounding the attestation and whether
it is reasonable to rely on the attestation in those circumstances.
Comment: In response to the Department's request for comment on how
the proposed attestation would affect a regulated entity's process for
responding to regular or routine requests from certain persons, a few
commenters explained their current workflows and the resource
requirements for managing these requests.
Some commenters suggested that an attestation requirement might
require changes to workflows and discussed the changes that might be
made.
Response: The Department appreciates these insights into how
regulated entities currently respond to certain requests for the use or
disclosure of PHI. We confirm that a person requesting the use or
disclosure of PHI
pursuant to 45 CFR 164.512(d), (e), (f), or (g)(1) must provide the
regulated entity with a signed and truthful attestation where the request is
for PHI potentially related to reproductive health care before the
regulated entity is permitted to use or disclose the requested PHI. The
Department will consider developing guidance and technical assistance
on these topics in the future as necessary to ensure
compliance with the Privacy Rule, including both the prohibition at 45
CFR 164.502(a)(5)(iii) and the attestation condition at 45 CFR 164.509. It may benefit a regulated entity
to require such documentation where the requested use or disclosure is
for TPO or in response to a valid authorization or individual right of
access request.
Comment: A few commenters recommended imposing obligations to limit
redisclosures of PHI for certain purposes.
A few commenters stated that a person requesting the use or
disclosure of PHI could seek a court order or provide a written
attestation to permit the regulated entity to make the disclosure in
question in the event they were unable to obtain an authorization.
Response: While we understand commenters' concerns regarding the
uses and disclosures of health information by entities not covered by
the Privacy Rule, the Department is limited to applying the HIPAA Rules
to those entities covered by HIPAA (i.e., health plans, health care
clearinghouses, and health care providers that conduct covered
transactions) and to business associates, as provided under the HITECH
Act.
In the 2023 Privacy Rule NPRM, the Department considered permitting
regulated entities to make uses or disclosures of PHI only after
obtaining a valid authorization. However, the Department rejected the
approach because requiring an authorization in all circumstances would
not reflect the appropriate balance between individual privacy
interests and other societal interests in disclosure. In particular,
individuals may decline to authorize disclosure of PHI even in
circumstances where their privacy interests are reduced and societal
interests in disclosure are heightened, such as where the reproductive
health care was unlawful under the circumstances in which it was
provided.
Comment: Some commenters requested that the Department provide
educational resources for regulated entities to implement the
attestation. A commenter encouraged the Department to strongly enforce
the attestation provision.
Response: We appreciate these recommendations and commit to
providing additional resources to assist regulated entities with
implementation of this rule.
Comment: In response to the Department's request for comment on
alternative documentation that could assist regulated entities in
complying with the proposed limitations on the use and disclosure of
PHI, some commenters recommended that an attestation always be
required, even if additional documentation is mandated, because the
attestation would place the person requesting the use or disclosure of
PHI on notice of the prohibition and hold them accountable if they
use the PHI for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), in
addition to helping a covered entity determine whether the PHI is
being requested for a legitimate or prohibited purpose. Others agreed
because of the risk of coercion when authorizations are sought from
individuals for certain purposes.
Some commenters suggested that the Department require that a court
order, written attestation, or valid authorization accompany a request
for the use or disclosure of any PHI for legal or administrative
proceedings or law enforcement investigations because there are
circumstances under which it would be unlikely for a person to obtain
an authorization. Some commenters recommended that the Department not
require an attestation when the disclosure of PHI is required by law,
or when so ordered by a court of competent jurisdiction. A commenter
proposed that the Department permit regulated entities to make the
specified uses and disclosures with a written attestation, a HIPAA
authorization, or alternative documentation described by the
Department, including a court order, to minimize the administrative
burden.
Response: The Department appreciates the approaches recommended by
commenters to ensure that PHI requested is not for a prohibited
purpose. We also believe that the attestation will place the person
requesting the use or disclosure of PHI on notice of the prohibition
and serve to hold them accountable if they use the PHI for a purpose
prohibited by 45 CFR 164.502(a)(5)(iii). However, we have limited the
attestation requirement to requests for PHI that is potentially related
to reproductive health care. In addition, as discussed above, because
the Privacy Rule's authorization requirements empower individuals to
make decisions about who has access to their PHI, we are not adopting
the proposed exception to the permission to use or disclose PHI
pursuant to a valid authorization, nor are we adopting the other
recommendations made by commenters. The Department is not finalizing
its proposal to prohibit the disclosure of PHI for a purpose prohibited
by 45 CFR 164.502(a)(5)(iii) pursuant to an authorization. Accordingly,
the final rule permits the disclosure of an individual's PHI to another
person pursuant to a valid authorization, even if the disclosure would
otherwise be prohibited under this rule. Therefore, a regulated entity
may disclose PHI for a purpose that otherwise would be prohibited under
45 CFR 164.502(a)(5)(iii) by obtaining a valid authorization or
pursuant to the individual right of access. We reiterate that in all
cases, the conditions of the underlying permission must be met before a
regulated entity is permitted to use or disclose the requested PHI.
D. Section 164.512--Uses and Disclosures for Which an Authorization or
Opportunity To Agree or Object Is Not Required
1. Applying the Prohibition and Attestation Condition to Certain
Permitted Uses and Disclosures
Section 164.512 of the Privacy Rule contains the standards for uses
and disclosures for which an authorization or opportunity to agree or
object is not required. Many of the uses and disclosures addressed by
45 CFR 164.512 relate to government or administrative functions and are
described in the 2000 Privacy Rule preamble as ``national priority
purposes.'' \379\ These permissions for uses and disclosures were not
required by HIPAA; instead they represented the Secretary's previous
balancing of the privacy interests and expectations of individuals and
the interests of communities in making certain information available
for community purposes, such as for certain public health, health care
oversight, and research purposes.\380\ As discussed previously, the
Department, in its implementation of HIPAA, has sought to ensure that
individuals do not forgo health care when needed--or withhold important
information from their health care providers that may affect the
quality of health care they receive--out of a fear that their sensitive
information would be revealed outside of their relationships with their
health care providers.
---------------------------------------------------------------------------
\379\ 65 FR 82462, 82524 (Dec. 28, 2000).
\380\ See id. at 82471.
---------------------------------------------------------------------------
To clarify that the proposal at 45 CFR 164.502(a)(5)(iii) would
prohibit the use and disclosure of PHI in some
circumstances where such uses or disclosures are currently permitted,
the Department proposed to cite the proposed prohibition at the
beginning of the introductory text of 45 CFR 164.512 and condition
certain disclosures on the receipt of the attestation proposed at 45
CFR 164.509.\381\ The proposed modification would add the clause,
``Except as provided by 45 CFR 164.502(a)(5)(iii), [. . .]'' and add
``and 45 CFR 164.509'' to ``subject to the applicable requirements of
this section.'' This would create a new requirement to obtain an
attestation from the person requesting the use and disclosure of PHI as
a condition of making certain types of permitted uses and disclosures
of PHI. Thus, under the proposal and subject to the Department
finalizing the prohibition at paragraph (a)(5)(iii) of 45 CFR 164.502,
uses and disclosures of PHI for certain purposes would be prohibited
unless a regulated entity first obtained an attestation from the person
requesting the use and disclosure under proposed 45 CFR 164.509.
---------------------------------------------------------------------------
\381\ 88 FR 23506, 23537-38 (Apr. 17, 2023).
---------------------------------------------------------------------------
The Department also proposed to replace ``orally'' with
``verbally'' at the end of the introductory paragraph for clarity.
Overview of Public Comments
While many commenters addressed the proposals to add a prohibition
on the use and disclosure of PHI and to require an attestation in
certain circumstances, few commenters addressed the proposal to modify
the introductory paragraph to 45 CFR 164.512. Such commenters either
expressed support for it or requested additional guidance on the
Department's intention or the proposal's operation.
The Department is adopting its proposal without modification. As
discussed above, this change creates a new requirement for a regulated
entity to obtain an attestation from a person requesting the use or
disclosure of PHI as a condition of making certain types of permitted
uses and disclosures of PHI. For example, the Privacy Rule currently
permits uses and disclosures for health care oversight,\382\ judicial
and administrative proceedings,\383\ law enforcement purposes,\384\ and
about decedents to coroners and medical examiners,\385\ provided
specified conditions are met. When read in conjunction with the new
prohibition at 45 CFR 164.502(a)(5)(iii), uses and disclosures of PHI
for these purposes will be subject to an additional condition that the
regulated entity first obtain an attestation from the person requesting
the use and disclosure under the new attestation requirement at 45 CFR
164.509.
---------------------------------------------------------------------------
\382\ 45 CFR 164.512(d).
\383\ 45 CFR 164.512(e).
\384\ 45 CFR 164.512(f).
\385\ 45 CFR 164.512(g)(1).
---------------------------------------------------------------------------
The Department assumes that there will be instances in which state
or other law requires a regulated entity to use or disclose PHI for
health care oversight, judicial and administrative proceedings, law
enforcement purposes, or about decedents to coroners and medical
examiners for a purpose not related to one of the prohibited purposes
in 45 CFR 164.502(a)(5)(iii). The Department believes that a regulated
entity will be able to comply with such laws and the attestation
requirement. For example, a regulated entity may continue to disclose
PHI without an individual's authorization to a state medical board, a
prosecutor, or a coroner, in accordance with the Privacy Rule, when the
request is accompanied by the required attestation. As a result, a
regulated entity generally may continue to assist the state in carrying
out its health care oversight, judicial and administrative functions,
law enforcement, and coroner duties with the use or disclosure of PHI
once a facially valid attestation has been provided to the regulated
entity from whom PHI is sought. However, where an attestation is
required but not obtained, a state seeking information about an
individual's reproductive health or reproductive health care would need
to obtain such information from an entity not regulated under the
Privacy Rule \386\ or demonstrate that the regulated entity has actual
knowledge that the reproductive health care was not lawful under the
circumstances in which such health care was provided, thereby reversing
the presumption described at 45 CFR 164.502(a)(5)(iii)(C).
---------------------------------------------------------------------------
\386\ The Privacy Rule only applies to PHI, which is IIHI that
is maintained or transmitted by, for, or on behalf of a covered
entity. Thus, it does not apply to individuals' health information
when it is in the possession of a person that is not a regulated
entity, such as a friend, family member, or is stored on a personal
cellular telephone or tablet. See Off. for Civil Rights,
``Protecting the Privacy and Security of Your Health Information
When Using Your Personal Cell Phone or Tablet,'' U.S. Dep't of
Health and Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
---------------------------------------------------------------------------
Additionally, we are replacing ``orally'' with ``verbally'' for
clarity. No substantive change is intended.
Comment: One commenter expressed support for the Department's
proposed revision to 45 CFR 164.512, while another commenter requested
additional examples or detail in the preamble about what the Department
intends by this revision.
Response: The Department intends that the uses and disclosures of
PHI made in accordance with 45 CFR 164.512 would be subject to both the
45 CFR 164.502(a)(5)(iii) prohibition and the 45 CFR 164.509
attestation, when applicable, specifically uses or disclosures made for
health oversight activities,\387\ judicial and administrative
proceedings,\388\ law enforcement purposes,\389\ and about decedents to
coroners and medical examiners.\390\ For example, a regulated entity
may disclose PHI for law enforcement purposes, subject to the
conditions of the permission at 45 CFR 164.512(f), where the purpose of
the request for the use or disclosure is to investigate a sexual
assault and the person requesting the PHI provides the regulated entity
with a valid attestation signifying that the purpose of the request is
not for a prohibited purpose. Similarly, where a request meets the
requirements of 45 CFR 164.502(a)(5)(iii), a regulated entity may
disclose PHI for law enforcement purposes, subject to the conditions of
the permission at 45 CFR 164.512(f), where the purpose of the request
for the use or disclosure is to investigate the unlawful provision of
reproductive health care with a valid attestation signifying that the
purpose of the request is not one that is prohibited (i.e., that the
purpose of the use or disclosure is not to investigate or impose
liability on any person for the lawful provision of reproductive health
care). As another example, a regulated entity may disclose PHI to a
state Medicaid agency in accordance with 45 CFR 164.512(d) where the
purpose of the request is to ensure that the regulated entity is
providing the reproductive health care for which the regulated entity
has submitted claims for payment to Medicaid after obtaining an
attestation that meets the requirements of 45 CFR 164.509 from the
state Medicaid agency.
---------------------------------------------------------------------------
\387\ 45 CFR 164.512(d).
\388\ 45 CFR 164.512(e).
\389\ 45 CFR 164.512(f).
\390\ 45 CFR 164.512(g)(1).
---------------------------------------------------------------------------
Comment: One commenter requested clarification regarding the
intersection between the Department's proposed Rule of Construction at
45 CFR 164.502(a)(5)(iii)(D) and its proposal at 45 CFR 164.512.
Response: The Department is not adopting the proposed Rule of
Construction. Rather, the language of the proposal has been integrated
into the prohibition standard at 45 CFR 164.502(a)(5)(iii)(A). The
finalized prohibition standard requires a
regulated entity to ensure that it obtains a valid attestation from a
person requesting the use or disclosure of PHI for health oversight
activities, judicial and administrative proceedings, law enforcement
purposes, or about decedents to coroners or medical examiners, assuring
the regulated entity that the purpose of the request is not for a
purpose prohibited under 45 CFR 164.502(a)(5)(iii).
2. Making a Technical Correction to the Heading of 45 CFR 164.512(c)
and Clarifying That Providing or Facilitating Reproductive Health Care
Is Not Abuse, Neglect, or Domestic Violence
Paragraph (c) of 45 CFR 164.512 permits a regulated entity to
disclose PHI, under specified conditions, to an authorized government
agency where the regulated entity reasonably believes the individual is
a victim of abuse, neglect, or domestic violence. The regulatory text
includes a serial comma, which clearly indicates that the provision
addresses victims of three different types of crimes, but the heading
of this standard does not include the serial comma.
For grammatical clarity, the Department proposed to add the serial
comma after the word ``neglect'' in the heading of the standard
contained at 45 CFR 164.512(c).\391\
---------------------------------------------------------------------------
\391\ 88 FR 23506, 23538 (Apr. 17, 2023).
---------------------------------------------------------------------------
The Department also proposed to add a new paragraph (c)(3) to 45
CFR 164.512(c), with the heading ``Rule of construction,'' to clarify
that the permission to use or disclose PHI in reports of abuse,
neglect, or domestic violence does not permit uses or disclosures based
primarily on the provision or facilitation of reproductive health care
to the individual.\392\ The Department intended the proposed provision
to safeguard the privacy of individuals' PHI against claims that uses
and disclosures of that PHI are warranted because the provision or
facilitation of reproductive health care, in and of itself, may
constitute abuse, neglect, or domestic violence.
---------------------------------------------------------------------------
\392\ Id.
---------------------------------------------------------------------------
A few commenters supported the proposal because it would clarify
that providing or facilitating access to health care is not itself
abuse, neglect, or violence, while others expressed opposition to the
proposal because they believed it would prevent health care providers
from reporting abuse based on the provision of reproductive health
care, including potentially coerced reproductive health care.
Commenters both supported and opposed the inclusion of the phrase
``based primarily.''
The Department is finalizing the proposal to add the serial comma
after the word ``neglect'' in the heading of the standard contained at
45 CFR 164.512(c).
As we explained in the 2023 Privacy Rule NPRM, the Department is
concerned that recent state actions may lead regulated entities to
believe that they are permitted to make disclosures of PHI when they
believe that persons who provide or facilitate access to reproductive
health care are perpetrators of a crime simply because they provide or
facilitate access to reproductive health care. Thus, the Department is
clarifying that providing or facilitating access to lawful reproductive
health care itself is not abuse, neglect, or domestic violence for
purposes of the Privacy Rule. This is consistent with the Department's
understanding that the provision or facilitation of lawful health care
is not itself abuse, neglect, or domestic violence. Such clarification
has not previously been required, but recent developments in the legal
landscape have made it necessary for us to codify this interpretation
in the context of reproductive health care.
Accordingly, the Department is finalizing the proposed Rule of
Construction at 45 CFR 164.512(c)(3), with modification as follows. The
modification clarifies the circumstances under which regulated entities
that are mandatory reporters of abuse, neglect, or domestic violence
are permitted to make such reports. Specifically, we are replacing
``based primarily on'' with language specifying that the prohibition at
45 CFR 164.502(a)(5)(iii) cannot be circumvented by the permission to
use or disclose PHI to report abuse, neglect, or domestic violence
where the ``sole basis of'' the report is the provision or facilitation
of reproductive health care. Thus, the Department makes clear that it
may be reasonable for a covered entity that is a mandatory reporter to
believe that an individual is the victim of abuse, neglect, or domestic
violence and to make such report to the government authority authorized
by law to receive such reports in circumstances where the provision of
reproductive health care to the individual is but one factor prompting
the suspicion. For example, it would not be reasonable for a covered
entity to believe that an individual is the victim of domestic violence
solely because the individual's spouse facilitated the covered entity's
provision of reproductive health care to the individual.
Comment: A few commenters supported the Department's proposal. One
commenter asserted that providing or facilitating access to any type of
health care is not in and of itself abuse, neglect, or domestic
violence and urged the Department to expand the scope of this language,
particularly if the prohibition is similarly expanded in the final
rule.
Response: The Department appreciates the comments about the
modifications to 45 CFR 164.512(c). As discussed above, the scope of
the prohibition is limited to reproductive health care. The proposed
and final regulations are narrowly tailored and limited in scope to not
increase regulatory burden beyond appropriate public policy objectives.
Thus, we decline to expand the scope of this provision, as well.
Comment: A large coalition expressed concerns about mandatory
domestic violence and sexual assault reporting laws. According to the
coalition, mandatory reporting laws reduce the willingness of domestic
violence survivors to seek help, including health care, and the
reports themselves worsen the situation for most survivors. The
coalition asserted that permitting the disclosure of PHI to law
enforcement and other agencies for reports of abuse, neglect, or
domestic violence isolates survivors of such abuse and puts them at
risk of losing their children. These commenters recommended that the
Department prevent such disclosures.
Some commenters expressed opposition to the proposal because they
believe it would put victims of domestic abuse at risk by
preventing health care providers from reporting abuse, including child
abuse, based on the provision or facilitation of reproductive health
care. A commenter asserted that the proposal would circumvent the
exception prohibiting disclosures to abusive persons at 45 CFR
164.512(b)(1)(ii). According to another commenter, the change would
chill the willingness of covered entities to cooperate with
investigations and judicial proceedings concerning individuals who may
have used reproductive health care, regardless of the matter being
adjudicated.
According to another commenter, the proposal is aimed at
undermining state laws and shielding persons who provide or facilitate
reproductive health care. Commenters expressed concern that the
proposal would prohibit reports of abuse, neglect, or domestic violence
because such reports are made for the purpose of investigating or
prosecuting a person for providing or facilitating
[[Page 33043]]
unlawful reproductive health care, and for committing sexual assault.
Response: The Department appreciates the concerns raised by the
commenters. Since publication of the final Privacy Rule in 2000, the
Department has acknowledged that covered entities, including covered
health care providers, may have legal obligations to report PHI in
certain circumstances, including about suspected victims of abuse,
neglect, or domestic violence. The Department did not propose to modify
the Privacy Rule's permission to disclose PHI at 45 CFR 164.512(c). The
Department declines to expand its proposal to eliminate the permission
for covered entities to disclose PHI to public health authorities, law
enforcement, and other government authorities authorized by law to
receive reports of abuse, neglect, or domestic violence.
Additionally, the Department does not agree that covered entities
will be prevented from reporting PHI about victims of abuse, neglect,
or domestic violence. The new language at 45 CFR 164.512(c)(3) is
narrowly tailored to reduce the conflation between lawfully provided
reproductive health care and the view that such lawful health care, on
its own, is abuse. Readers are referred to the preamble discussion of
45 CFR 164.502(a)(5)(iii) that describes the scope of disclosure
changes which are being made applicable to 45 CFR 164.512(c).
The Department does not agree that the modifications circumvent the
exception prohibiting disclosures to abusive persons at 45 CFR
164.512(b)(1)(ii). The new language at 45 CFR 164.512(c)(3) does not
modify or change the current Privacy Rule provision for disclosures to
a public health authority or other appropriate government authority
authorized by law to receive reports of child abuse or neglect. We
believe the commenter is referring to 45 CFR 164.512(c)(2), which
requires a covered entity to inform an individual that a report has
been or will be made, and 45 CFR 164.512(c)(2)(ii), which removes the
requirement to inform the individual when the covered entity would be
informing a personal representative and the covered entity reasonably
believes the personal representative is responsible for the abuse,
neglect, or other injury, and that informing such person would not be
in the best interests of the individual as determined by the covered
entity, in the exercise of professional judgment. Because the new
language at 45 CFR 164.512(c)(3) operates as a limitation on
disclosure, it is not possible for the new provision to permit
disclosures in more circumstances than previously permitted, and
therefore does not circumvent the existing provision.
Comment: A commenter recommended that the Department clarify that
the proposed Rule of Applicability would not prohibit disclosure and
use of such records when they are sought for a defensive purpose by
revising the proposed Rule of Construction at 45 CFR 164.512(c)(3) to
more explicitly state that it permits such use or disclosure.
Response: The adopted Rule of Construction at 45 CFR 164.512(c)(3)
applies to disclosures permitted by 45 CFR 164.512(c), which are
explicitly to a government authority, including a social service or
protective services agency, authorized by law to receive reports of
abuse, neglect, or domestic violence. The Department is not aware of a
disclosure that otherwise meets the requirements specified at 45 CFR
164.512(c)(1) that would constitute a disclosure for defensive
purposes. Rather, disclosures of PHI for defensive purposes, such as a
disclosure to defend against a criminal prosecution for allegations of
providing unlawful health care, are permitted by 45 CFR
164.512(f), as well as for health care operations when obtaining legal
services. To the extent that a disclosure for a defensive purpose meets
the applicable requirements and is permitted, the Department confirms
that the final rule language generally would not prohibit a disclosure.
Comment: A few commenters requested clarification of the standard
for determining what would constitute a report of abuse, neglect, or
domestic violence that is based primarily on the provision of
reproductive health care. Commenters also requested clarification about
the interaction between the proposed prohibition and the permission at
45 CFR 164.512(c).
Response: The Privacy Rule permits but does not require the
reporting of abuse, neglect, or domestic violence under certain
conditions.\393\ Under the final rule, the Department is clarifying
that this permission does not apply where the sole basis of the report
is the provision or facilitation of reproductive health care. With this
modification, the Department makes clear that it may be reasonable for
a covered entity that is a mandatory reporter to believe that an
individual is the victim of abuse, neglect, or domestic violence and to
make such report to the government authority authorized by law to
receive such reports in circumstances where the provision or
facilitation of reproductive health care is but one factor prompting
the suspicion. We also note, as discussed above with respect to 45 CFR
164.512(b)(1)(i), this permission allows a covered entity to report
known or suspected abuse, neglect, or domestic violence only for the
purpose of making a report. The PHI disclosed must be limited to the
minimum necessary information for the purpose of making a report.\394\
These provisions do not permit the covered entity to disclose PHI in
response to a request for the use or disclosure of PHI to conduct a
criminal, civil, or administrative investigation into or impose
criminal, civil, or administrative liability on a person based on
suspected abuse, neglect, or domestic violence. Thus, any disclosure of
PHI in response to a request from an investigator, whether in follow up
to the report made by the covered entity (other than to clarify the PHI
provided on the report) or as part of an investigation initiated based
on an allegation or report made by a person other than the covered
entity, must meet the conditions of disclosures for law enforcement
purposes or judicial and administrative proceedings.\395\
---------------------------------------------------------------------------
\393\ 45 CFR 164.512(c).
\394\ See 45 CFR 164.502(b) and 164.514(d).
\395\ See 45 CFR 164.512(e) and (f).
---------------------------------------------------------------------------
3. Clarifying the Permission for Disclosures Based on Administrative
Processes
Under 45 CFR 164.512(f)(1), a regulated entity may disclose PHI
pursuant to an administrative request, provided that: (1) the
information sought is relevant and material to a legitimate law
enforcement inquiry; (2) the request is specific and limited in scope
to the extent reasonably practicable in light of the purpose for which
the information is sought; and (3) de-identified information could not
reasonably be used. Examples of administrative requests include
administrative subpoena or summons, a civil or an authorized
investigative demand, or similar process authorized under law. The
examples of administrative requests provided in the regulatory text
include only requests that are enforceable in a court of law, and the
catchall ``or similar process authorized by law'' similarly is intended
to include only requests that, by law, require a response. This
interpretation is consistent with the Privacy Rule's definition of
``required by law,'' which enumerates these and other examples of
administrative requests that constitute ``a mandate contained in law
that compels an entity to make a use or disclosure of protected health
[[Page 33044]]
information and that is enforceable in a court of law.''
As we explained in the 2023 Privacy Rule NPRM, the Department has
become aware that some regulated entities may be interpreting 45 CFR
164.512(f)(1) in a manner that is inconsistent with the Department's
intent. Therefore, the Department proposed to clarify the types of
administrative processes that this provision was intended to
address.\396\
---------------------------------------------------------------------------
\396\ 88 FR 23506, 23538-39 (Apr. 17, 2023).
---------------------------------------------------------------------------
Specifically, the Department proposed to insert language to clarify
that the administrative processes that give rise to a permitted
disclosure include only requests that, by law, require a regulated
entity to respond. Accordingly, the proposal would specify that PHI may
be disclosed pursuant to an administrative request ``for which a
response is required by law.'' The Department does not consider this to
be a substantive change because the proposal was consistent with
express language of the preamble discussion on this topic in the 2000
Privacy Rule.\397\ The Department intends that the express inclusion of
this language will ensure that regulated entities more fully appreciate
the permitted uses and disclosures pursuant to 45 CFR
164.512(f)(1)(ii)(C).
---------------------------------------------------------------------------
\397\ See 65 FR 82462, 82531 (Dec. 28, 2000).
---------------------------------------------------------------------------
The Department received few comments on the proposal to clarify the
permission at 45 CFR 164.512(f)(1)(ii)(C). Comments were mixed, with
some support, some opposition, and some requesting additional
modifications or additional examples or guidance.
While the Department received few comments on this clarification,
the Department is aware of reports that covered entities are
misinterpreting the intention of the requirements of 45 CFR
164.512(f)(1)(ii)(C) that disclosures of PHI to law enforcement be
necessary and limited in scope. For example, a congressional inquiry
recently highlighted concerns about disclosures of PHI to law
enforcement from retail pharmacy chains. The inquiry found that some
pharmacy staff are providing PHI directly to law enforcement without
advice from their legal departments in part because their staff ``face
extreme pressure to immediately respond to law enforcement demands.''
\398\ Based on this inquiry, these disclosures often are made without a
warrant or subpoena issued by a court.\399\
---------------------------------------------------------------------------
\398\ See U.S. Senate Committee on Finance News Release (Dec.
12, 2023), https://www.finance.senate.gov/chairmans-news/wyden-jayapal-and-jacobs-inquiry-finds-pharmacies-fail-to-protect-the-privacy-of-americans-medical-records-hhs-must-update-health-privacy-rules (describing legislative inquiry into pharmacy chains and
release of health information in response to law enforcement). See
also Letter from Sen. Wyden and Reps. Jayapal and Jacobs to HHS
Sec'y Xavier Becerra (Dec. 12, 2023), https://www.finance.senate.gov/imo/media/doc/hhs_pharmacy_surveillance_letter_signed.pdf (describing findings
from Congressional oversight, including survey of chain pharmacies
about their processes for responding to law enforcement requests for
PHI).
\399\ See U.S. Senate Committee on Finance News Release, supra
note 398 and Letter from Sen. Wyden and Reps. Jayapal and Jacobs,
supra note 398; see also Remy Tumin, ``Pharmacies Shared Patient
Records Without a Warrant, an Inquiry Finds,'' The New York Times
(Dec. 13, 2023), https://www.nytimes.com/2023/12/13/us/pharmacy-records-abortion-privacy.html.
---------------------------------------------------------------------------
The Department is adopting the clarification as proposed because
regulated entities are misinterpreting the requirements of 45 CFR
164.512(f)(1)(ii)(C) that ensure that disclosures of PHI to law
enforcement are necessary and limited in scope. Accordingly, the
Department is adding to 45 CFR 164.512(f)(1)(ii)(C) language that
specifies that PHI may be disclosed pursuant to an administrative
request ``for which a response is required by law.'' Thus, the
regulatory text now clearly states that the administrative processes
for which a disclosure is permitted are limited to only requests that,
by law, require a regulated entity to respond, consistent with preamble
discussion on this topic in the 2000 Privacy Rule.\400\
---------------------------------------------------------------------------
\400\ See 65 FR 82462, 82531 (Dec. 28, 2000).
---------------------------------------------------------------------------
Comment: A few commenters supported the Department's proposed
clarification of 45 CFR 164.512(f)(1)(ii)(C). A commenter recommended
that the Department revise the language to refer to an administrative
subpoena or summons, a civil or other ``expressly'' authorized demand,
or other similar process. The commenter recommended that, at a minimum,
the Department prohibit disclosures in response to oral requests,
require all informal administrative requests be in writing, and require
qualifying administrative requests to obtain express supervisory
approval.
A commenter asserted, without providing examples, that there are
many disclosures currently made under Federal agencies' interpretations
of the Privacy Act of 1974 \401\ that would not be permitted under the
NPRM proposal.
---------------------------------------------------------------------------
\401\ Public Law 93-579, 88 Stat. 1896 (Dec. 31, 1974) (codified
at 5 U.S.C. 552a).
---------------------------------------------------------------------------
Response: The Department appreciates the comments on this
clarification. The Department understands the commenter's request to
add language identifying specific processes but declines to make the
suggested modification at this time. The Department is concerned that
references to specific items or actions could be understood to not
apply to similarly situated administrative requests understood by
different names. In guidance for law enforcement, the Department has
provided its interpretation that administrative requests must be
accompanied by a written statement.\402\
---------------------------------------------------------------------------
\402\ Off. for Civil Rights, ``Health Insurance Portability and
Accountability Act (HIPAA) Privacy Rule: A Guide for Law
Enforcement,'' https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf.
---------------------------------------------------------------------------
In addition, the Department does not control whether a verbal or
other non-written request is sufficient to meet the standards of
various jurisdictions for an administrative process that would legally
require a responding covered entity to respond. The
Department understands that valid, justiciable reasons for responding
to a verbal or other non-written request may exist, such as an emergent
situation that requires an immediate response to avoid an adverse
outcome. The Department believes the additional text sufficiently
clarifies the misunderstandings of some regulated entities about what
constitutes administrative process for the purposes of this permission.
4. Request for Information on Current Processes for Receiving and
Addressing Requests Pursuant to 164.512(d) Through (g)(1)
The Department requested information and comments on certain
considerations to help inform development of the final rule.\403\ In
particular, the Department asked how regulated entities currently
receive and address requests for PHI when requested pursuant to the
Privacy Rule permissions at 45 CFR 164.512(d), (e), (f), or (g)(1), and
what effect expanding the scope of the proposed prohibition to include
any health care would have on the proposed attestation requirement and
the ability of regulated entities to implement it. Comments submitted
in response to the question about the effects of expanding the scope of
the proposed prohibition have been included in prior discussions of the
specific policy issues elsewhere, as applicable.
---------------------------------------------------------------------------
\403\ 88 FR 23506, 23539 (Apr. 17, 2023).
---------------------------------------------------------------------------
Comment: Several commenters responded to this request for
information concerning current processes for receiving certain requests
pursuant to 45 CFR 164.512 by providing specific information about how
they receive such requests. Some requests for PHI are received in hard
copy, either by mail or hand delivery, while others are received via
email. Still
[[Page 33045]]
others are received through the regulated entity's online portal or
facsimile. In emergency circumstances, such requests may be received
verbally. Commenters generally receive assurances through hard copy,
email, their patient portal, and fax. A few commenters seek assurances
for every subsequent related request, while another commenter stated
that it does not require or obtain assurances for every subsequent
related request if the subsequent request is related to the initial
request for which the initial assurance was received.
A commenter asserted that the privacy interests at stake outweigh
potential administrative burdens and provided examples of state laws
that are more privacy protective than the Privacy Rule. The commenter
explained that the privacy landscape is constantly evolving, as are the
HIPAA Rules, and as such, regulated entities must adapt in response.
Response: The Department appreciates the information provided by
commenters explaining the processes by which regulated entities
currently receive requests for the use or disclosure of PHI for certain
purposes and the workflows of regulated entities to ensure that such
requests comply with the conditions of the applicable Privacy Rule
permissions. We reviewed and considered this information when
evaluating the burden of the proposed modifications to the Privacy Rule
during the development of this final rule.
E. Section 164.520--Notice of Privacy Practices for Protected Health
Information
1. Current Provision
The Privacy Rule generally requires that a covered entity provide
individuals with an NPP to ensure that they understand how a covered
entity may use and disclose their PHI, as well as their rights and the
covered entity's legal duties with respect to PHI.\404\ Section
164.520(b)(1)(ii) of the Privacy Rule describes the required contents
of the NPP, including descriptions of the types of permitted uses and
disclosures of their PHI. More specifically, the NPP must describe the
ways in which the covered entity may use and disclose PHI for TPO, as
well as each of the other purposes for which the covered entity is
permitted or required to use or disclose PHI without the individual's
written authorization. Additionally, the NPP must state the covered
entity's duties to protect privacy, provide a copy of the NPP, and
abide by the terms of the current notice. The NPP must also describe
individuals' rights, including the right to complain to HHS and to the
covered entity if they believe their privacy rights have been violated,
as well as other statements if the covered entity uses PHI for certain
activities, such as fundraising. The Privacy Rule does not, however,
currently require a covered entity to provide information about
specific prohibited uses and disclosures of PHI.
---------------------------------------------------------------------------
\404\ 45 CFR 164.520. Unlike many provisions of the Privacy
Rule, 45 CFR 164.520 applies only to covered entities, as opposed to
both covered entities and their business associates.
---------------------------------------------------------------------------
2. CARES Act
Section 3221(i) of the CARES Act directs the Secretary to modify
the NPP provisions at 45 CFR 164.520 to include new requirements for
covered entities that create or maintain PHI that is also a record of
SUD treatment provided by a Part 2 program (i.e., covered entities that
are Part 2 programs and covered entities that receive Part 2 records
from a Part 2 program). The CARES Act amended 42 U.S.C. 290dd-2 to
require the Department to revise Part 2 to more closely align with the
Privacy Rule.
3. Proposals in 2022 Part 2 NPRM and 2023 Privacy Rule NPRM
The Department proposed in December 2022 to modify both the Patient
Notice requirements at 42 CFR 2.22 and the NPP requirements at 45 CFR
164.520 to provide consistent notice requirements for all Part 2
records. Revisions to the Patient Notice requirements were addressed
and finalized in the 2024 Part 2 Rule, while modifications to the NPP
provisions proposed in the 2022 Part 2 NPRM were deferred to a future
rulemaking. The Department also separately proposed to modify the NPP
provisions to support reproductive health care privacy as part of the
2023 Privacy Rule NPRM.
As part of the 2022 Part 2 NPRM, the Department proposed several
changes to the NPP provisions. We proposed in a new paragraph (2) to 45
CFR 164.520(a) that individuals with Part 2 records that are created or
maintained by covered entities would have a right to adequate notice of
uses and disclosures, their rights, and the responsibilities of covered
entities with respect to such records. The Department also proposed to
remove 45 CFR 164.520(a)(3), the exception for providing inmates a copy
of the NPP, which would require covered entities that serve
correctional facilities to provide inmates with a copy of the NPP.
Additionally, the Department proposed revising 45 CFR 164.520(b)(1) to
specifically clarify that covered entities that maintain or receive
Part 2 records would need to provide an NPP that is written in plain
language and contains the notice's required elements. We also proposed
to modify 45 CFR 164.520(b)(1)(i) to replace ``medical'' with
``health'' information.
The Department also proposed in the 2022 Part 2 NPRM to incorporate
changes proposed to the NPP requirements in the 2021 Privacy Rule
NPRM,\405\ such as adding a requirement to include the email address
for a designated person who would be available to answer questions
about the covered entity's privacy practices; adding a permission for a
covered entity to provide information in its NPP concerning the
individual access right to direct copies of PHI to third parties when
the PHI is not in an EHR and the ability to request the transmission
using an authorization; and removing the requirement for a covered
entity to obtain a written acknowledgment of receipt of the NPP. The
Department is finalizing certain changes proposed in the 2022 Part 2
NPRM and the 2023 Privacy Rule NPRM that directly support the two final
rules.
---------------------------------------------------------------------------
\405\ 86 FR 6446 (Jan. 21, 2021).
---------------------------------------------------------------------------
In both the 2022 Part 2 NPRM and 2023 Privacy Rule NPRM, the
Department proposed to modify 45 CFR 164.520(b)(1)(ii), which requires
covered entities to describe for individuals the purposes for which a
covered entity is permitted to use and disclose PHI. Consistent with
the CARES Act, we proposed in the 2022 Part 2 NPRM to modify paragraph
(C) to clarify that where uses and disclosures are prohibited or
materially limited by other applicable law, ``other applicable law''
would include Part 2, while at paragraph (D) the Department proposed to
clarify that the requirement for a covered entity to include in the NPP
sufficient detail to place an individual on notice of the uses and
disclosures that are permitted or required by the Privacy Rule and
other applicable laws encompasses Part 2 among those other applicable
laws.
The Department further proposed to require in 45 CFR
164.520(b)(1)(iii), which requires covered entities to include
descriptions of certain activities in which the covered entity intends
to engage, in a new paragraph (D) the inclusion of a statement that
Part 2 records created or maintained by the covered entity will not be
used in certain proceedings against the individual without the
individual's written consent or a court order consistent with 42 CFR
part 2. Additionally, we proposed to require in a new paragraph (E)
that covered entities that intend to use Part 2 records for fundraising
include a statement that
[[Page 33046]]
such records may be used or disclosed for fundraising purposes only if
the individual grants written consent as provided in 42 CFR 2.31.
In 45 CFR 164.520(b)(1)(v)(C), which addresses a covered entity's
right to change the terms of its notice, we also proposed to simplify
and modify the regulatory text to clarify that this right is limited to
circumstances where such changes are not material or contrary to law.
The Department also proposed to add a new paragraph (4) to 45 CFR
164.520(d) to prohibit construing permissions for covered entities
participating in organized health care arrangements \406\ (OHCAs) to
disclose PHI between participants as negating obligations relating to
Part 2 records.
---------------------------------------------------------------------------
\406\ 45 CFR 160.103 (definition of ``Organized health care
arrangement'').
---------------------------------------------------------------------------
The 2023 Privacy Rule NPRM also proposed modifications to the NPP
requirements.\407\ Specifically, the Department proposed to modify 45
CFR 164.520(b)(1)(ii) by adding a new paragraph (F) to require a
covered entity to describe and provide an example of the types of uses
or disclosures prohibited by 45 CFR 164.502(a)(5)(iii), and to do so in
sufficient detail for an individual to understand the prohibition. We
also proposed adding a new paragraph (G) to 45 CFR 164.520(b)(1)(ii) to
describe each type of use and disclosure for which an attestation is
required under 45 CFR 164.509, with an example. Additionally, the
Department requested comment on whether it would benefit individuals
for the Department to require that covered entities include a statement
in the NPP that would explain that the recipient of the PHI would not
be bound by the proposed prohibition because the Privacy Rule would no
longer apply after PHI is disclosed for a permitted purpose to an
entity other than a regulated entity (e.g., disclosed to a non-covered
health care provider for treatment purposes).
---------------------------------------------------------------------------
\407\ 88 FR 23506, 23539 (Apr. 17, 2023).
---------------------------------------------------------------------------
4. Overview of Public Comments
We received many comments on the proposed NPP changes in both the
2022 Part 2 NPRM and the 2023 Privacy Rule NPRM. Some of the comments
on the 2022 Part 2 NPRM addressed both the NPP and the Patient Notice.
Comments concerning the Patient Notice are discussed in the 2024 Part 2
Rule.\408\ Commenters on the NPP proposals in the 2022 Part 2 NPRM
urged the Department to coordinate revisions to the NPP provisions
across its proposed and final rules. Commenters also requested guidance
about their ability to use a single form to satisfy both the NPP and
Patient Notice requirements. Commenters generally expressed support for
the Department's proposals to modify 45 CFR 164.520(a) and
164.520(b)(1) to apply the NPP requirements to certain entities, in
coordination with changes required by the CARES Act and consistent with
Part 2.
---------------------------------------------------------------------------
\408\ 89 FR 12472 (Feb. 16, 2024).
---------------------------------------------------------------------------
Commenters to the 2022 Part 2 NPRM generally did not express
opposition to the Department's proposed changes to paragraph (b)(iii)
of 45 CFR 164.520, although some did request additional guidance. We
received no comments on our proposed modifications to add a new
paragraph concerning OHCAs to 45 CFR 164.520(d).
Most commenters expressed support for the Department's 2023 Privacy
Rule NPRM proposals to revise the NPP requirements. Many also
recommended additional modifications to the NPP requirements or
clarifications to the requirements. Most also recommended that the
Department add a requirement that NPPs include a statement that would
explain that the recipient of PHI would not be bound by the proposed
prohibition because the Privacy Rule would no longer apply after PHI is
disclosed for a permitted purpose to an entity other than a regulated
entity (e.g., disclosed to a non-covered health care provider for
treatment purposes).
5. Final Rule
The Department published the 2024 Part 2 Rule on February 16, 2024.
It included modifications to the Patient Notice in 42 CFR 2.22 and
reserved modifications to the HIPAA NPP for a forthcoming HIPAA rule.
We address the modifications proposed in the 2022 Part 2 NPRM here, in
concert with the modifications proposed in the 2023 Privacy Rule NPRM.
As required by the CARES Act and in alignment with the Privacy
Rule, we are modifying the NPP provisions in multiple ways. First, we
are requiring in 45 CFR 164.520(a)(2) that covered entities that create
or maintain Part 2 records provide notice to individuals of the ways in
which those covered entities may use and disclose such records, and of
the individual's rights and the covered entities' responsibilities with
respect to such records. Second, we are revising 45 CFR 164.520(b)(1)
to clarify that a covered entity that receives or maintains records
subject to Part 2 must provide an NPP that is written in plain language
and that contains the elements required. For clarity, we have reordered
wording within this paragraph to refer to ``receiving or maintaining''
records, rather than ``maintaining or receiving'' records as initially
proposed.
Third, the Department is modifying 45 CFR 164.520(b)(1)(ii) to
revise paragraphs (C) and (D), and to add paragraphs (F), (G), and (H)
to clarify certain statements and add new statements that must be
included in an NPP. Consistent with the CARES Act, we are modifying
paragraph (C) to clarify that where an NPP's descriptions of uses or
disclosures that are permitted for TPO or without an authorization must
reflect ``other applicable law'' that is more stringent than the
Privacy Rule, other applicable law includes Part 2. Likewise, we are
modifying paragraph (D) to clarify that Part 2 is specifically included
in the ``other applicable law'' referenced in the requirement to
describe uses and disclosures that are permitted for TPO or without an
authorization sufficiently to place an individual on notice of the uses
and disclosures that are permitted or required by the Privacy Rule and
other applicable law.
New paragraphs (F) and (G) provide individuals with additional
information about how their PHI may or may not be disclosed for
purposes addressed in this rule, furthering trust in the relationship
between regulated entities and individuals by ensuring that individuals
are aware that certain uses and disclosures of PHI are prohibited.
Specifically, paragraph (F) requires that the NPP contain a
description, including at least one example, of the types of uses and
disclosures prohibited under 45 CFR 164.502(a)(5)(iii) in sufficient
detail for an individual to understand the prohibition, while paragraph
(G) requires that the NPP contain a description, including at least one
example, of the types of uses and disclosures for which an attestation
is required under new 45 CFR 164.509.
Additionally, based on feedback from commenters, we are requiring
in a new paragraph (H) that covered entities include a statement
explaining to individuals that PHI disclosed pursuant to the Privacy
Rule may be subject to redisclosure and no longer protected by the
Privacy Rule. This will help individuals to make informed decisions
about to whom they provide access to or authorize the disclosure of
their PHI.
Under new paragraph (D) of 45 CFR 164.520(b)(1)(iii), the
Department is requiring that covered entities provide notice to
individuals that a Part 2 record, or testimony relaying the content of
such record, may not be used or disclosed in a civil, criminal,
administrative, or legislative proceeding against the individual absent
written consent from the individual or a court order, consistent with
the
requirements of 42 CFR part 2.
The Department is also finalizing a requirement at 45 CFR
164.520(b)(1)(iii)(E) that a covered entity must provide individuals
with a clear and conspicuous opportunity to elect not to receive any
fundraising communications before using Part 2 records for fundraising
purposes for the benefit of the covered entity.
Lastly, we are finalizing our proposal to add a new paragraph (4)
in 45 CFR 164.520(d) regarding joint notice by separate covered
entities. This modification clarifies that Part 2 requirements continue
to apply to Part 2 records maintained by covered entities that are part
of OHCAs.
We are not finalizing in this rule the proposal to remove the
exception to the NPP requirements for inmates of correctional
facilities because it would be better addressed within the
context of care coordination.
6. Responses to Public Comments
Comment: Commenters on both the 2022 Part 2 NPRM and the 2023
Privacy Rule NPRM urged the Department to coordinate any changes made
to the NPP provisions based on proposals made in the separate
rulemakings. According to the commenters, coordinating the changes to
the NPP requirements would help to ensure consistency, reduce the
administrative burden on covered entities, and ensure individual
understanding of the permitted uses and disclosures of their PHI,
including PHI that is also a Part 2 record. A few commenters on the
2022 Part 2 NPRM explained the different concerns that updates to the
NPP pose to covered entities of differing sizes, based on resource
constraints directly related to their size. Several commenters on the
2023 Privacy Rule NPRM requested that the Department provide sample
language and examples or provide an updated model NPP.
Response: As part of this rulemaking, the Department is finalizing
modifications to certain NPP requirements that were proposed in the
2022 Part 2 NPRM and the 2023 Privacy Rule NPRM. Thus, these changes
serve to implement certain requirements of the CARES Act and to support
reproductive health care privacy. The Department appreciates the
recommendations and will consider them for future guidance.
Comment: A few commenters on the 2022 Part 2 NPRM requested that
the Department clarify whether they would be permitted to use a single
document or form when providing notice statements to individuals to
ensure compliance by regulated entities and understanding of the
notices by individuals. A few commenters agreed that a single NPP would
reduce the administrative burden on regulated entities or be the most
effective way to convey privacy information to individuals and asked
for confirmation that this was permitted. A commenter requested that
the Department update the Patient Notice in a manner such that the NPP
header may be used in the combined notice if they are permitted to use
a combined NPP/Patient Notice.
Response: As we have provided previously in guidance on the Privacy
Rule and Part 2, notices issued by covered entities for different
purposes may be separate or combined, as long as all of the required
elements for both are included.\409\ Thus, it is acceptable under both
the Privacy Rule and Part 2 to meet the notice requirements of the
Privacy Rule, Part 2, and state law by either providing separate
notices or combining the required notices into a single notice, as long
as all of the required elements are included.
---------------------------------------------------------------------------
\409\ See also 82 FR 6052, 6082-83 (Jan. 18, 2017); Off. for
Civil Rights, ``Notice of Privacy Practices for Protected Health
Information,'' U.S. Dep't of Health and Human Servs. (July 26,
2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html.
---------------------------------------------------------------------------
Comment: A few commenters on the 2022 Part 2 NPRM and most of the
commenters on the 2023 Privacy Rule NPRM suggested the proposed
approach to modifying both the Patient Notice and NPP would bolster
transparency and the public's understanding of how their health
information is collected, used, or disclosed. Many commenters on the
2023 Privacy Rule NPRM provided recommendations for ways in which the
Department could improve the NPP, including requiring that the NPP be
in plain language.
Response: The Department appreciates the comments on its proposal
to modify the NPP to align with changes made in the Patient Notice and
in support of reproductive health care privacy. The modifications will
bolster transparency and public understanding of how information is
used, disclosed, and protected. Covered entities have long been
required under 45 CFR 164.520(b)(1) to provide an NPP that is written
in plain language. Discussion of this requirement can be found in the
preamble to the 2000 Privacy Rule.\410\ The Department's model NPP
forms, available in both English and Spanish, provide one example of
how the plain language requirement may be met.\411\ As discussed above,
we are modifying 45 CFR 164.520 to clarify that this requirement
applies to covered entities that use and disclose Part 2 records.
Additional resources on writing in plain language can be found at
https://plainlanguage.gov. Additionally, covered entities are required
to comply with all Federal nondiscrimination laws, including laws that
address language access requirements. Information about such
requirements is available at www.hhs.gov/hipaa.
---------------------------------------------------------------------------
\410\ 65 FR 82462, 82548-49 (Dec. 28, 2000).
\411\ Off. for Civil Rights, ``Model Notices of Privacy
Practices,'' U.S. Dep't of Health and Human Servs. (Apr. 8, 2013),
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html.
---------------------------------------------------------------------------
Comment: Commenters expressed concerns about the interplay of the
Part 2 Patient Notice requirements with the NPP, the burden on covered
entities to modify the NPP, and including the attestation requirement
in the NPP.
Response: We have sought to align the requirements for the Patient
Notice as closely as possible with the NPP requirements and to modify
the NPP requirements to allow for a combined Patient Notice and NPP.
The changes the Department is making to the NPP empower the individual
and improve health outcomes by improving the likelihood that health
care providers will make accurate diagnoses and informed treatment
recommendations to individuals. These changes to the NPP provide the
individual with clear information and reassurance about their privacy
rights and their ability to discuss their reproductive health and
related health care because they inform an individual that their PHI
may not be used or disclosed for certain purposes prohibited by new 45
CFR 164.502(a)(5)(iii). As such, the qualitative benefits of providing
individuals with information about how their PHI may be used and
disclosed under the Privacy Rule outweigh the quantitative burdens for
covered entities to revise their NPPs. Accordingly, we are finalizing
the modifications proposed to the NPP as part of the 2023 Privacy Rule
NPRM.
Comment: A majority of the commenters on the 2023 Privacy Rule NPRM
who expressed support for revising the NPP also recommended that the
Department require that the NPP include an explanation that the
prohibition or Privacy Rule generally would no longer apply to PHI that
has been disclosed for a permitted purpose to a person that is not a
regulated entity. A few commenters opposed the addition as unnecessary
or expressed concern about the potential length of the NPP. A
few of the commenters opposed adding such a statement because they
believed it could deter individuals from seeking reproductive health
care, increase individuals' mistrust of health care providers, or not
add to individuals' understanding of their rights and protections under
the Privacy Rule.
Response: In response to comments and in support of transparency
for individuals, the Department is finalizing a new requirement to
include in the NPP a statement adequate to put the individual on notice
of the potential for information disclosed pursuant to the Privacy Rule
to be subject to redisclosure by the recipient and no longer protected
by the Privacy Rule. This change will provide additional clarity to
individuals directly and assist covered entities in explaining the
limitations of the Privacy Rule to individuals. We believe that any
concerns about the negative effects of these modifications on length
are outweighed by their benefits to the individual.
Comment: Several commenters to the 2023 Privacy Rule NPRM requested
the Department provide additional time for compliance with the new NPP
requirements and exercise enforcement discretion for a period of time
after the compliance date.
Response: As noted above, we are finalizing certain modifications
to the NPP provisions that were proposed in the 2022 Part 2 NPRM
and other modifications to the same provisions that were proposed in
the 2023 Privacy Rule NPRM. To ease the burden on covered entities and
in compliance with 45 CFR 160.104, the Department is finalizing a
compliance date of February 16, 2026, for the NPP provisions. The
rationale for this compliance date is discussed in greater detail in
the discussion of Effective and Compliance Dates.
F. Section 164.535--Severability
In the NPRM, the Department included a discussion of severability
that explained how we believed the proposed rule should be interpreted
if any provision was held to be invalid or facially unenforceable. We
are finalizing a new 45 CFR 164.535 to codify this interpretation. The
Department intends that, if a specific regulatory provision in this
rule is found to be invalid or unenforceable, the remaining provisions
of the rule will remain in effect because they would still function
sensibly.
For example, the changes this final rule makes to the NPP
requirements in 45 CFR 164.520 (including the changes finalizing
proposals from the 2022 Part 2 NPRM) shall remain in full force and
effect to the extent that they are not directly related to a provision
in this rulemaking that is held to be invalid or unenforceable such
that notice of that provision is no longer necessary. Conversely, if
the NPP requirements are held to be invalid or unenforceable, the other
modifications shall remain in full force and effect to the extent that
they are not directly related to the NPP requirements.
As another example, we also intend that the revision in 45 CFR
160.103 to the definition of ``person'' shall remain in full force and
effect if any other provision is held to be invalid or unenforceable
because the new modified definition is not solely related to supporting
reproductive health care privacy and is consistent with the
Department's longstanding interpretation of the term and with regulated
entities' current understanding and practices.
Similarly, we are finalizing technical corrections to the heading
at 45 CFR 164.512(c) and a clarifying revision at 45 CFR 164.512(f)
regarding the permission for disclosures based on administrative
processes. Those changes are intended to remain in full force and
effect even if other parts of this final rule are held to be invalid or
unenforceable.
As another example, we also intend, if the addition in 45 CFR
160.103 of the definition of ``public health,'' as used in the terms
``public health surveillance,'' ``public health investigation,'' and
``public health intervention'' is held to be invalid and unenforceable,
the other modifications to the rules shall remain in full force and
effect to the extent that they are not directly related to the
definition of public health.
We further intend that if the rule is held to be invalid and
unenforceable with respect to its application to some types of health
care, it should be upheld with respect to other types (e.g., pregnancy
or abortion-related care).
We also intend that any provisions of the Privacy Rule that are
unchanged by this final rule shall remain in full force and effect if
any provision of this final rule is held to be invalid or
unenforceable.
These examples are illustrative and not exhaustive.
We received no comments on the language addressing severability in
the 2023 Privacy Rule NPRM.
G. Comments on Other Provisions of the HIPAA Rules
Comment: A few commenters expressed concerns that the Department
may grant exceptions to preemption and recommended that the Department
clarify the standards for which exceptions to preemption would be made
and consider strengthening these standards wherever possible or remove
the potential for exceptions entirely.
One commenter expressed concern that the proposed rule could
dissuade regulated entities from providing de-identified data for
research, while another commenter recommended that the Department
prohibit the sharing of de-identified reproductive health care data
except in limited circumstances to prevent the re-identification of
reproductive health data by third parties, such as law enforcement or
data brokers.
Response: The process for requesting exceptions to preemption and
the standards for granting such requests are at 45 CFR 160.201 et seq.
We did not propose any modifications to these provisions as part of the
2023 Privacy Rule NPRM, and as such, do not finalize modifications in
this final rule.
The Department does not believe that this final rule will dissuade
regulated entities from providing de-identified data for research or
other purposes. Under the Privacy Rule, health information that meets
the standard and implementation specifications for de-identification
under 45 CFR 164.514 is considered not to be IIHI.\412\ HIPAA confers
on the Department the authority to set standards for the privacy of
IIHI, including for de-identification. We did not propose to modify the
de-identification standard as part of the 2023 Privacy Rule NPRM, and
as such, do not finalize modifications in this final rule.
---------------------------------------------------------------------------
\412\ 45 CFR 164.502(d)(2).
---------------------------------------------------------------------------
Comment: A commenter posited that the proposed rule's preemption of
contrary state laws was not sufficiently clear and recommended that the
Department reinforce the preemption provision in the final rule.
Response: The Department did not propose changes to the preemption
provisions of the HIPAA Rules, which are based in statute,\413\ and
believes that the provisions, in combination with our discussion of
preemption in the preamble, are sufficient.
---------------------------------------------------------------------------
\413\ See 45 CFR part 160, subpart B--Preemption of State Law.
\414\ 58 FR 51735 (Oct. 4, 1993).
---------------------------------------------------------------------------
VI. Regulatory Impact Analysis
A. Executive Order 12866 and Related Executive Orders on Regulatory
Review
The Department of Health and Human Services (HHS or ``Department'')
has examined the effects of this final rule under Executive Order
(E.O.) 12866, Regulatory Planning and Review,\414\ as
amended by E.O. 14094,\415\ E.O. 13563, Improving Regulation and
Regulatory Review,\416\ the Regulatory Flexibility Act \417\ (RFA), and
the Unfunded Mandates Reform Act of 1995 \418\ (UMRA). E.O.s 12866 and
13563 direct the Department to assess all costs and benefits of
available regulatory alternatives and, when regulation is necessary, to
select regulatory approaches that maximize net benefits (including
potential economic, environmental, public health and safety, and other
advantages; distributive effects; and equity). This final rule is
significant under section 3(f)(1) of E.O. 12866, as amended.
---------------------------------------------------------------------------
\415\ 88 FR 21879 (Apr. 11, 2023).
\416\ 76 FR 3821 (Jan. 21, 2011).
\417\ Public Law 96-354, 94 Stat. 1164 (codified at 5 U.S.C.
601-612).
\418\ Public Law 104-4, 109 Stat. 48 (codified at 2 U.S.C.
1501).
---------------------------------------------------------------------------
The RFA requires us to analyze regulatory options that would
minimize any significant effect of a rule on small entities. As
discussed in greater detail below, this analysis concludes, and the
Secretary certifies, that the rule will not result in a significant
economic effect on a substantial number of small entities.
The UMRA (section 202(a)) generally requires us to prepare a
written statement, which includes an assessment of anticipated costs
and benefits, before proposing ``any rule that includes any Federal
mandate that may result in the expenditure by State, local, and tribal
governments, in the aggregate, or by the private sector, of
$100,000,000 or more (adjusted annually for inflation) in any 1 year.''
\419\ The current threshold after adjustment for inflation is $177
million, using the most current (2023) Implicit Price Deflator for the
Gross Domestic Product. UMRA does not address the total cost of a rule.
Rather, it focuses on certain categories of cost, mainly Federal
mandate costs resulting from imposing enforceable duties on state,
local, or Tribal governments or the private sector; or increasing the
stringency of conditions in, or decreasing the funding of, state,
local, or Tribal governments under entitlement programs. This final
rule imposes mandates that would result in the expenditure by state,
local, and Tribal governments, in the aggregate, or by the private
sector, of more than $177 million in any one year. The impact analysis
in this final rule addresses such effects both qualitatively and
quantitatively. In general, each regulated entity, including government
entities that meet the definition of covered entity (e.g., state
Medicaid agencies), is required to adopt new policies and procedures
for responding to requests for the use or disclosure of protected
health information (PHI) for which an attestation is required and to
train its workforce members on the new requirements. Additionally,
although the Department has not quantified the costs, state, local, and
Tribal law enforcement agencies must analyze requests that they
initiate for the use or disclosure of PHI and provide regulated
entities with an attestation that the request is not for a prohibited
purpose in instances where the request is made for health oversight
activities, judicial and administrative proceedings, law enforcement
purposes, or about decedents to coroners and medical examiners, and is
for PHI potentially related to reproductive health care. One-time costs
for all regulated entities to change their policies will increase costs
above the UMRA threshold in one year. The Department initially
estimated that ongoing expenses for the new attestation condition would
not increase significantly, but we sought additional data to inform our
estimates. Although Medicaid makes Federal matching funds available for
states for certain administrative costs, these are limited to costs
specific to operating the Medicaid program. There are no Federal funds
directed at Health Insurance Portability and Accountability Act of 1996
(HIPAA) compliance activities.
---------------------------------------------------------------------------
\419\ Id. at sec. 202 (codified at 2 U.S.C. 1532(a)).
---------------------------------------------------------------------------
Pursuant to Subtitle E of the Small Business Regulatory Enforcement
Fairness Act of 1996,\420\ the Office of Management and Budget's
(OMB's) Office of Information and Regulatory Affairs has determined
that this final rule meets the criteria set forth in 5 U.S.C. 804(2)
because it is projected to have an annualized effect on the economy of
more than $100,000,000. Because of the large number of covered entities
that are subject to this final rule and the large number of individuals
with health plan coverage, any rule modifying the HIPAA Privacy Rule
that requires updating policies and procedures and the Notice of
Privacy Practices (NPP) and distributing the NPP to a percentage of
individuals is likely to meet the threshold in 5 U.S.C. 804(2).
---------------------------------------------------------------------------
\420\ Also referred to as the Congressional Review Act, 5 U.S.C.
801 et seq.
---------------------------------------------------------------------------
The Justification for this Rulemaking and Summary of Final Rule
Provisions section at the beginning of this preamble contain a summary
of this rule and describe the reasons it is needed. The Department
presents a detailed analysis below.
1. Summary of Costs and Benefits
The Department identified six general categories of quantifiable
costs arising from these proposals: (1) responding to requests for the
use or disclosure of PHI for which an attestation is required; (2)
revising business associate agreements; (3) updating the NPP and
posting it online; (4) developing new or modified policies and
procedures; (5) revising training programs for workforce members; and
(6) requesting an exception from HIPAA's general preemption authority.
The first five categories apply primarily to covered entities, while
the sixth category applies to states and other interested persons.
The Department estimates that the first-year costs attributable to
this final rule total approximately $595.0 million. These costs are
associated with covered entities responding to requests for the use or
disclosure of PHI that are conditioned upon an attestation; revising
business associate agreements; revising policies and procedures;
updating, posting, and mailing the NPP; and revising training programs
for workforce members, and with states or other persons requesting
exceptions from preemption. These costs also include increased
estimates for wages, postage, and the number of NPPs distributed by
health plans as compared to the baseline of existing annual cost and
burden estimates for these activities in the approved HIPAA information
collection. For years two through five, estimated annual costs of
approximately $20.9 million are attributable to ongoing costs related
to the attestation requirement. Table 1 reports the present value and
annualized estimates of the costs of this final rule covering a 5-year
time horizon. Using a 7% discount rate, the Department estimates this
final rule will result in annualized costs of $151.8 million; and using
a 3% discount rate, these annualized costs are $142.6 million.
Table 1--Accounting Table, Costs of the Rule
[$ Millions]
----------------------------------------------------------------------------------------------------------------
Costs            Primary estimate   Year dollars   Discount rate (%)   Period covered
----------------------------------------------------------------------------------------------------------------
Present Value    $678.6             2022           Undiscounted        2024-2028
Present Value    622.3              2022           7                   2024-2028
Present Value    653.1              2022           3                   2024-2028
Annualized       151.8              2022           7                   2024-2028
Annualized       142.6              2022           3                   2024-2028
----------------------------------------------------------------------------------------------------------------
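The following Python is added here as a worked example; it is not part of the Federal Register text. It recomputes Table 1 from the $595.0 million first-year and $20.9 million recurring (years two through five) figures stated in the preceding paragraph. The discounting convention is an assumption, since the preamble does not state it: each year's cost, including the first, is discounted once per year from the start of the horizon. That convention reproduces the table's present values and annualized costs to within the rounding of the published inputs (the 7 percent present value comes out at $622.2 million rather than $622.3 million because the inputs are given only to the nearest $0.1 million).

```python
"""Reproduce Table 1 (Accounting Table, Costs of the Rule).

Added worked example, not part of the Federal Register text. Inputs are
the rounded $-million figures from the preamble. Assumption (not stated
in the preamble): end-of-year discounting for all five years, so the
year-1 cost is divided by (1 + rate) once, year-2 cost twice, and so on.
"""

FIRST_YEAR_COST = 595.0   # $ millions, 2024 (preamble figure)
RECURRING_COST = 20.9     # $ millions per year, 2025-2028 (preamble figure)
HORIZON_YEARS = 5         # 2024-2028


def cost_stream(first_year=FIRST_YEAR_COST, recurring=RECURRING_COST,
                years=HORIZON_YEARS):
    """Nominal cost in each year of the horizon, year 1 first."""
    return [first_year] + [recurring] * (years - 1)


def present_value(costs, rate):
    """Sum of each year's cost discounted to the start of year 1.

    Cost in year t (1-based) is divided by (1 + rate) ** t; rate=0.0
    returns the undiscounted total.
    """
    return sum(c / (1.0 + rate) ** t for t, c in enumerate(costs, start=1))


def annualized(pv, rate, years):
    """Level annual amount over `years` whose present value is `pv`
    (capital-recovery factor). Only defined for a positive rate; the
    table reports no undiscounted annualized figure."""
    if rate <= 0.0:
        raise ValueError("annualization requires a positive discount rate")
    return pv * rate / (1.0 - (1.0 + rate) ** -years)


def accounting_table(rates=(0.0, 0.07, 0.03)):
    """Return {rate: (present value, annualized)} rounded to $0.1 million.

    The annualized entry is None for the undiscounted row, matching the
    table, which gives no such figure.
    """
    costs = cost_stream()
    table = {}
    for r in rates:
        pv = present_value(costs, r)
        ann = annualized(pv, r, len(costs)) if r > 0.0 else None
        table[r] = (round(pv, 1), None if ann is None else round(ann, 1))
    return table


if __name__ == "__main__":
    for rate, (pv, ann) in accounting_table().items():
        label = "Undiscounted" if rate == 0.0 else f"{rate:.0%}"
        tail = "" if ann is None else f", annualized ${ann:.1f}M"
        print(f"{label:>12}: present value ${pv:.1f}M{tail}")
```

The undiscounted present value ($678.6 million) is simply $595.0 million plus four years of $20.9 million; the annualized rows apply the standard capital-recovery factor, rate / (1 - (1 + rate)^-5), to the discounted present value.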
The changes to the Privacy Rule will likely result in important
benefits and some costs that the Department is unable to fully quantify
at this time. As explained further below, unquantified benefits include
improved trust and confidence between individuals and health care
providers; enhanced privacy and improved access to reproductive health
care and information, which may prevent increases in maternal mortality
and morbidity; increased accuracy and completeness in patient medical
records, which may prevent poor health outcomes; enhanced support for
survivors of rape, incest, and sex trafficking; and maintenance of
family economic stability by allowing families to determine whether
or when to become pregnant. Additionally, allowing
regulated entities to accept an attestation for requests for the use or
disclosure of PHI potentially related to reproductive health care, and
to presume that reproductive health care provided by another person was
lawful under the circumstances it was provided, will reduce potential
liability for regulated entities by providing some assurance with
respect to whether the requested disclosure is prohibited.
Table 2--Potential Non-Quantified Benefits for Covered Entities and
Individuals
------------------------------------------------------------------------
Benefits
-------------------------------------------------------------------------
Improve access to complete information about lawful reproductive health
care options, including for individuals who are pregnant or considering
a pregnancy (i.e., improve health literacy), by reducing concerns about
disclosure of PHI.
Maintain or reduce levels of maternal mortality and morbidity by
ensuring that individuals and their clinicians can freely communicate
and have access to complete information needed for quality lawful
health care, including coordination of care.
Decrease barriers to accessing prenatal health care by maintaining
privacy for individuals who seek a complete range of lawful
reproductive health care options.
Enhance mental health and emotional well-being of pregnant individuals
by reducing fear of potential disclosures of their PHI to investigate
or impose liability on a person for the mere act of seeking, obtaining,
providing, or facilitating lawful health care.
Improve or maintain trust between individuals and health care providers
by reducing the potential for health care providers to report PHI in a
manner that could harm the individuals' interests.
Prevent or reduce re-victimization of pregnant individuals who have
survived rape or incest by protecting their PHI from undue scrutiny.
Improve or maintain families' economic well-being by not exposing
individuals or their family members to costly investigations or
activities to impose liability for seeking, obtaining or facilitating
lawful reproductive health care.
Maintain the economic well-being of regulated entities by not exposing
regulated entities or workforce members to costly investigations or
activities to impose liability on them for engaging in lawful
activities.
Ensure individuals' ability to obtain full and complete information and
make lawful decisions concerning fertility- or infertility-related
health care that may include selection or disposal of embryos without
risk of PHI disclosure for criminal, civil, or administrative
investigations or activities to impose liability for engaging in lawful
activities.
------------------------------------------------------------------------
The Department also recognizes that there may be some costs that
are not readily quantifiable, notably, the potential burden on persons
requesting PHI to investigate or impose liability on persons for
seeking, obtaining, providing, or facilitating reproductive health care
that is not lawful under the circumstances in which such health care is
provided. As discussed elsewhere in this final rule, we acknowledge
that, in certain limited circumstances, the final rule may prevent
persons from obtaining an individual's PHI, such as where the request
is directed to the health care provider that provided the reproductive
health care and that health care provider reasonably determines that
such health care was provided lawfully. However, the existing
permission for disclosures for law enforcement does not create a
mandate for disclosure to law enforcement agencies. Rather, it
establishes the conditions under which a regulated entity may disclose
PHI if it so chooses. Accordingly, consistent with how the Privacy Rule
has operated since its inception, persons whose requests for PHI are
declined by regulated entities may incur additional costs if they
choose to pursue their investigations through other methods and obtain
evidence from non-covered entities. We have not previously quantified
the costs to such persons for obtaining an individual's PHI, such as
where a law enforcement official is required to prepare a formal
administrative request or obtain a qualified protective order and we do
not do so here. We do not view the attestation requirement as changing
this calculus and have designed the attestation to impose a minimal
burden on requests for PHI related to lawful conduct by health care
providers by offering a model attestation form. Despite the minimal
formality of providing a signed attestation, some state law enforcement
agencies may experience the requirement as a burden, and we acknowledge
that potential as a non-quantifiable cost.
2. Baseline Conditions
The Privacy Rule, in conjunction with the Security and Breach
Notification Rules, protects the privacy and security of individuals'
PHI, that is, individually identifiable health information (IIHI)
transmitted by or maintained in electronic media or any other form or
medium, with certain exceptions. It limits the circumstances under
which regulated entities are permitted or required to use or disclose
PHI and requires covered entities to have safeguards in place to
protect the privacy of PHI. The Privacy Rule also establishes certain
rights for individuals with respect to their PHI and sets limits and
conditions on the uses and disclosures that may be made of such
information without an individual's authorization.
As explained in the preamble, the Department has the authority
under HIPAA to modify the Privacy Rule to prohibit the use or
disclosure of PHI for activities to conduct a criminal, civil, or
administrative investigation into or impose criminal, civil, or
administrative liability on any person for the mere act of seeking,
obtaining, providing, or facilitating reproductive health care that is
lawful under the circumstances in which it was provided, as well as to
identify any person for the purpose of initiating such activities. The
Privacy Rule has been modified several times since it was first issued
in 2000 to address statutory requirements, changed circumstances, and
concerns and issues raised by stakeholders regarding the effects of the
Privacy Rule on regulated entities, individuals, and others. Recently,
as the preamble discusses, changed circumstances resulting from new
inconsistencies in the regulation of reproductive health care
nationwide and the negative effects on individuals' expectations for
privacy and their relationships with their health care providers, as
well as the additional burdens imposed on regulated entities, require
the modifications made by this final rule.
For purposes of this Regulatory Impact Analysis (RIA), this final
rule adopts the list of covered entities and cost assumptions
identified in the Department's 2023 Information Collection Request
(ICR).\421\ The Department also relies on certain estimates and
assumptions from the 1999 Privacy Rule NPRM \422\ that remain relevant,
and the 2013 Omnibus Rule,\423\ as referenced in the analysis that
follows.
---------------------------------------------------------------------------
\421\ 88 FR 3997 (Jan. 23, 2023).
\422\ 64 FR 59918 (Nov. 3, 1999).
\423\ 78 FR 5566 (Jan. 25, 2013).
---------------------------------------------------------------------------
The Department quantitatively analyzes and monetizes the effect
that this final rule may have on regulated entities' actions to: revise
business associate agreements between covered entities and their
business associates, including release-of-information contractors;
create new forms; respond to certain types of requests for PHI; update
their NPPs; adopt policies and procedures to implement the requirements
of this final rule; and train their employees on the updated policies
and procedures. The Department analyzes the remaining benefits and
burdens qualitatively because of the uncertainty inherent in predicting
other concrete actions that such a diverse scope of regulated entities
might take in response to this rule.
Analytic Assumptions
The Department bases its assumptions for calculating estimated
costs and benefits on several publicly available datasets, including
data from the U.S. Census, the U.S. Department of Labor, Bureau of
Labor Statistics, Centers for Medicare & Medicaid Services, and the
Agency for Healthcare Research and Quality. For the purposes of this
analysis, the Department assumes that benefits plus indirect costs
equal approximately 100 percent of pre-tax wages and adjusts the hourly
wage rates by multiplying by two, for a fully loaded hourly wage rate.
The Department adopts this as the estimate of the hourly value of time
for changes in time use for on-the-job activities.
Implementing the regulatory changes likely will require covered
entities to engage workforce members or consultants for certain
activities. The Department assumes that a lawyer will draft or review
the new attestation form, revisions to business associate agreements,
revisions to the NPP, and required changes to HIPAA policies and
procedures. The Department expects that a training specialist will
revise the necessary HIPAA training and that a web designer will post
the updated NPP. The Department further anticipates that a workforce
member at the pay level of medical records specialist will confirm
receipt of required attestations. To the extent that these assumptions
affect the Department's estimate of costs, the Department solicited
comment on its assumptions, particularly assumptions in which the
Department identifies the level of workforce member (e.g., clerical
staff, professional) that will be engaged in activities and the amount
of time that particular types of workforce members spend conducting
activities related to this RIA as further described below. Table 3 also
lists pay rates for occupations referenced in the explanation of
estimated information collection burdens in Section F of this RIA and
related tables.
The Department received several comments about the occupations
engaged in certain activities and the time burden associated with them.
We reviewed these submissions and used the provided information to
revise the estimate for the cost of processing requests for the use or
disclosure of PHI that require an attestation. For more details, please
see the sections discussing the costs of the rule below.
The Department received no comment on the hourly value of time;
therefore, we retain all relevant assumptions laid out in the 2023
Privacy Rule NPRM, as described above (see Table 3 for a list of
occupations and corresponding wages).\424\
---------------------------------------------------------------------------
\424\ For each occupation performing activities as a result of
the final rule, the Department identifies a pre-tax hourly wage
using a database maintained by the Bureau of Labor Statistics. See
U.S. Dep't of Labor, ``Occupational Employment and Wages'' (May
2022), https://www.bls.gov/oes/current/oes_nat.htm.
[[Page 33052]]
Table 3--Occupational Pay Rates
----------------------------------------------------------------------------------------------
Occupation code and title                                            Mean hourly  Fully loaded
                                                                            wage   hourly wage
----------------------------------------------------------------------------------------------
00-0000 All Occupations...........................................        $29.76        $59.52
43-3021 Billing and Posting Clerks................................         21.54         43.08
29-0000 Healthcare Practitioners and Technical Occupations........         46.52         93.04
29-9021 Health Information Technologists and Medical Registrars...         31.38         62.76
29-9099 Healthcare Practitioners and Technical Workers, All Other.         32.78         65.56
15-1212 Information Security Analysts.............................         57.63        115.26
23-1011 Lawyers...................................................         78.74        157.48
13-1111 Management Analysts.......................................         50.32        100.64
11-9111 Medical and Health Services Manager.......................         61.53        123.06
29-2072 Medical Records Specialist................................         24.56         49.12
43-0000 Office and Administrative Support Occupations.............         21.90         43.80
11-2030 Public Relations and Fundraising Managers.................         68.56        137.12
13-1151 Training and Development Specialist.......................         33.59         67.18
43-4171 Receptionists and Information Clerks......................         16.64         33.28
15-1255 Web and Digital Interface Designers.......................         48.91         97.82
----------------------------------------------------------------------------------------------
The Department assumes that most covered entities will be able to
incorporate changes to their workforce training into existing HIPAA
training programs rather than conduct a separate training because the
total time frame for compliance from date of finalization would be 240
days.\425\
---------------------------------------------------------------------------
\425\ This includes 60 days from publication of a final rule to
the effective date and an additional 180 days until the compliance
date.
---------------------------------------------------------------------------
Covered Entities Affected
The Department received no substantive comments on the number or
type of HIPAA covered entities affected by this rule; therefore, we
retain the methodology and entity estimates as described in the 2023
Privacy Rule NPRM and the baseline conditions section above.
To the extent that covered entities engage business associates to
perform activities under the rule, the Department assumes that any
additional costs will be borne by the covered entities through their
contractual agreements with business associates. The Department's
estimate that each revised business associate agreement will require no
more than 1 hour of a lawyer's labor assumes that the hourly burden
could be split between the covered entity and the business associate.
Thus, the Department calculated estimated costs based on the potential
number of business associate agreements that will be revised rather
than the number of covered entities or business associates with revised
business associate agreements.
The Department requested data on the number of business associates
(which may include health care clearinghouses acting in their role as
business associates of other covered entities) that would be affected
by the rule and the extent to which they may experience costs or other
burdens not already accounted for in the estimates of burdens for
revising business associate agreements. The Department also requested
comment on the number of business associate agreements that would need
to be revised, if any. We did not receive any actionable comments on
the number of affected business associates, the number of business
associate agreements, or any specific costs that business associates
might bear. For more details, see the section on business associate
agreements below.
The Department requested public comment on these estimates,
including estimates for third party administrators and pharmacies where
the Department has provided additional explanation. The Department
additionally requested detailed comment on any situations, other than
those identified here, in which covered entities would be affected by
this rulemaking. We did not receive any substantive comments related to
these issues.
Table 4--Estimated Number and Type of Covered Entities
--------------------------------------------------------------------------------
                                Covered entities
--------------------------------------------------------------------------------
NAICS code  Type of entity                                 Firms  Establishments
--------------------------------------------------------------------------------
524114......Health and Medical Insurance Carriers.....       880           5,379
524292......Third Party Administrators................       456             783
622.........Hospitals.................................     3,293           7,012
44611.......Pharmacies................................    19,540      \a\ 67,753
6211-6213...Office of Drs. & Other Professionals......   433,267         505,863
6215........Medical Diagnostic & Imaging..............     7,863          17,265
6214........Outpatient Care...........................    16,896          39,387
6219........Other Ambulatory Care.....................     6,623          10,059
623.........Skilled Nursing & Residential Facilities..    38,455          86,653
6216........Home Health Agencies......................    21,829          30,980
532283......Home Health Equipment Rental..............       611           3,197
                                                      --------------------------
            Total.....................................   549,713         774,331
--------------------------------------------------------------------------------
\a\ Number of pharmacy establishments is taken from industry statistics.
[[Page 33053]]
Individuals Affected
The Department believes that the population of individuals
potentially affected by the rule is approximately 76 million
overall,\426\ representing nearly one-fourth of the U.S. population,
including approximately 6 million pregnant individuals annually and an
unknown number of individuals facing a potential pregnancy or pregnancy
risk due to sexual activity, contraceptive avoidance or failure, rape
(including statutory rape), and incest. According to Federal data, 78
percent of sexually active females received reproductive health care in
2015-2017.\427\
---------------------------------------------------------------------------
\426\ See U.S. Census Bureau, American Community Survey S0101,
AGE AND SEX 2022: ACS 5-Year Estimates Subject Tables (females aged
10-44), https://data.census.gov/table/ACSST1Y2022.S0101. The U.S.
Census Bureau uses the term ``sex'' to equate to an individual's
biological sex. ``Sex--Definition,'' U.S. Census Bureau (accessed
Mar. 20, 2024), https://www.census.gov/glossary/?term=Sex.
\427\ See ``Reproductive and Sexual Health,'' Sexually active
females who received reproductive health services (FP-7.1),
Healthypeople.gov, https://wayback.archive-it.org/5774/20220415172039/https:/www.healthypeople.gov/2020/leading-health-indicators/2020-lhi-topics/Reproductive-and-Sexual-Health/data.
---------------------------------------------------------------------------
The Department received comments related to the number of
individuals affected by the rule, some of which are summarized below.
One commenter asserted that the Department had overestimated the number
of affected individuals and urged reducing the estimate to 78 percent
of sexually active females (52.72 million). The same commenter also
argued that even this revised number might be an overestimate, and that
the number of individuals directly affected by the rule would be closer
to 50,400 a year. Another commenter suggested that the number of
individuals potentially affected by the proposed rule is much larger
than the estimate and that the estimate should include any individual
who was ever capable of bearing children and their family members.
Another commenter asserted that the Department was underestimating
the number of individuals that would be affected by the proposed rule
but did not include an estimate of their own.
After reviewing the comments, the Department is finalizing the
estimates of the number of individuals that will be affected by this
final rule as described above, which includes updates for 2022 data.
The Department considers a key category of individuals affected by this
final rule those who have the potential to become pregnant because
pregnancies may occur and result in a need for reproductive health care
nationwide. Pregnancy, concern about potential pregnancy, and the need
for reproductive health care do not recognize state boundaries or
regulatory timelines.
Commenters recommended data points above and below the Department's
proposed estimate of 74 million affected individuals. We believe that
the number of affected individuals is far greater than the total who
are survivors of sexual assault or sex trafficking (as recommended by a
commenter), yet less than the number of all individuals who have ever
been of childbearing age and their family members (as recommended by
another commenter). We recognize that the age range for the proposed
estimate of females, 10-44, imperfectly reflects the number of females
of childbearing age; however, the number of females over age 44 who
could become pregnant may be offset by the number of females aged 10-13
who are not yet capable of childbearing. We use the number of females
of potentially childbearing age as a proxy for the number of
individuals affected by the final rule as shown in Table 5 below.
---------------------------------------------------------------------------
\428\ See American Community Survey S0101, AGE AND SEX 2022: ACS
5-Year Estimates Subject Tables (females aged 10-44), supra note
426.
---------------------------------------------------------------------------
Table 5--Estimated Number of Individuals Affected
------------------------------------------------------------------------
Population
Females of potentially childbearing age \428\ estimate
------------------------------------------------------------------------
10 to 14 years...................................... 10,327,799
15 to 19 years...................................... 10,618,136
20 to 24 years...................................... 10,957,463
25 to 29 years...................................... 10,762,368
30 to 34 years...................................... 11,440,546
35 to 39 years...................................... 11,013,337
40 to 44 years...................................... 10,771,942
-------------------
Total........................................... 75,891,591
------------------------------------------------------------------------
3. Costs of the Rule
Below, the Department provides the basis for its estimated
quantifiable costs resulting from the changes to specific provisions of
the Privacy Rule. Many of the estimates are based on assumptions formed
through the Office for Civil Rights' (OCR's) experience with its
compliance and enforcement program and accounts from stakeholders
received at outreach events. The Department has quantified recurring
burdens for this final rule for obtaining an attestation from a person
requesting the use or disclosure of PHI potentially related to
reproductive health care for health oversight activities, judicial and
administrative proceedings, law enforcement purposes, and about
decedents to coroners or medical examiners.
The Department requested information or data points from commenters
to further refine its estimates and assumptions. We examine the most
substantive comments received in the cost section below. Additionally,
we received comments that are also discussed below on topics that are
not directly addressed in the cost section.
A commenter asserted that the Department did not account for the
additional costs associated with major depressive disorders that would
arise from the increase in abortions due to the rule. The Department
does not believe that is a valid benchmark for the effects of this
final rule, in part because we reject the premise, which is not backed
by medical evidence or data, that this final rule will result in an
increase in pregnancy terminations or depression.\429\ Further,
researchers have raised numerous concerns about the methodology of the
2011 study cited in
[[Page 33054]]
the comment.\430\ Accordingly, we are not including the costs
associated with treatment of depression in the cost section.
---------------------------------------------------------------------------
\429\ See M. Antonia Biggs et al., ``Women's Mental Health and
Well-being 5 Years After Receiving or Being Denied an Abortion: A
Prospective, Longitudinal Cohort Study,'' 74(2) JAMA Psychiatry 169,
177 (2017), https://jamanetwork.com/journals/jamapsychiatry/fullarticle/2592320. See also Julia R. Steinberg et al., ``The
association between first abortion and first-time non-fatal suicide
attempt: a longitudinal cohort study of Danish population
registries,'' 6(12) The Lancet Psychiatry 1031-1038 (Dec. 2019).
\430\ See Julia R. Steinberg et al., ``Fatal flaws in a recent
meta-analysis on abortion and mental health,'' 86(5) Contraception
430-7 (Nov. 2012), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3646711/ (discussing errors and significant shortcomings of the
studies included in the 2011 meta-analysis that render its
conclusions invalid).
---------------------------------------------------------------------------
a. Costs Associated With Requests for Exception From Preemption
The Department anticipates that states with laws that restrict
access to reproductive health care are likely to seek an exception to
the requirements of this final rule that preempt state law. Given the
pace at which state laws governing access to reproductive health care
are changing, the Department is finalizing its proposed estimate that
as many as 26 states \431\ may incur costs to develop and submit to the
Secretary a request to except a provision of state law from HIPAA's
general preemption authority.\432\ Based on existing
burden estimates for this activity,\433\ the Department is finalizing
its estimate that each exception request will require approximately 16
hours of labor at the rate of a general health care practitioner and
that approximately 26 states will make such requests. Thus, the
Department estimates that states will spend a total of 416 hours
requesting exception from preemption and monetize this as a one-time
cost of $38,705 [= 16 x 26 x $93.04].
---------------------------------------------------------------------------
\431\ See Lawrence O. Gostin et al., ``One Year After Dobbs--
Vast Changes to the Abortion Legal Landscape,'' 4(8) JAMA Health
Forum (2023), https://jamanetwork.com/journals/jama-health-forum/fullarticle/2808205 (counting 21 states with post-Dobbs limits that
are more restrictive than Roe v. Wade allowed) and Laura Deal,
``State Laws Restricting or Prohibiting Abortion,'' Congressional
Research Service (Jan. 22, 2024), https://crsreports.congress.gov/product/pdf/R/R47595. Because of the pace of change in this area,
the Department relies on a higher number than JAMA's 2023 figure as
a basis for its cost estimates.
\432\ See 45 CFR 160.201 et seq. for information about
exceptions to HIPAA's general preemption authority and the process
for requesting such an exception and the criteria for granting it.
\433\ ``Information Collection: Process for Requesting Exception
Determinations (states or persons),'' U.S. Gen. Servs. Admin. & Off.
of Mgmt. and Budget, https://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=201909-0945-001&icID=10428.
---------------------------------------------------------------------------
b. Estimated Costs From Adding a Requirement for an Attestation for
Disclosures for Certain Purposes
Multiple commenters asserted that the projected attestation cost in
the proposed rule was incorrect and underestimated the true cost of
implementing the proposed requirement. One commenter asserted that the
proposed rule underestimated the time to review medical records for PHI
about reproductive health care and recommended that it be increased
significantly. The same commenter also suggested that the Department
adopt a requirement to obtain an individual's authorization, instead of
an attestation, because it would reduce costs. Other commenters
asserted that the proposed cost estimates for the attestation
requirement did not account for associated administrative burdens,
urged the Department to require an attestation for every request for
PHI to decrease overall costs by establishing a procedural norm, or
requested that the Department provide grants and trainings to regulated
entities to offset the costs of the attestation provision. Finally,
another commenter requested that the Department release a model
attestation form to decrease the cost burden for covered entities.
A few commenters asserted that the Department misidentified the
types of staff that would perform specific components of the
attestation requirement. One posited that both a lawyer and a medical
professional would need to review medical records for the use or
disclosure of PHI in response to the proposed revisions to the Privacy
Rule. Another asserted that the person reviewing PHI in response to a
request for the use or disclosure of PHI would be a medical records
clerk.
The Department has modified the attestation requirement in response
to public comments. As discussed above, this final rule requires
regulated entities to obtain an attestation that the request for the
use or disclosure of PHI is not for a purpose prohibited by 45 CFR
164.502(a)(5)(iii) when the request is for certain purposes (health
oversight activities, judicial and administrative proceedings, law
enforcement purposes, and about decedents to coroners and medical
examiners) and is for PHI potentially related to reproductive health
care. Where the request is for a purpose that implicates 45 CFR
164.502(a)(5)(iii) and the reproductive health care was provided by
someone other than the regulated entity that received the request, such
health care is presumed lawful under the circumstances in which it was
provided unless the conditions of 45 CFR 164.502(a)(5)(iii)(C) are met.
We expect the presumption of lawfulness to lower the burden for
regulated entities to process requests for the use or disclosure of PHI
for which an attestation is required; however, we also acknowledge that
the proposed estimate did not fully represent the number of likely
requests for the use or disclosure of PHI. The Department declines to
require a valid authorization for these requests, as opposed to an
attestation, and no grants to offset costs will be needed because of
the lower estimated burden per request. The revised cost estimates
include review of each request for the use or disclosure of PHI for
health oversight activities, judicial and administrative proceedings,
law enforcement purposes, and about decedents to coroners and medical
examiners, to determine if an attestation has been provided and
administrative burdens associated with obtaining the attestation.
This final rule necessitates that regulated entities establish a
process for responding to requests for the use or disclosure of PHI for
which an attestation is required, such as reviewing and screening
requests that are not accompanied by a valid authorization and are not
a right of access request. We anticipate that across all regulated
entities, this final rule will result in approximately 2,794,201
requests that regulated entities need to review in connection with the
permissions under 45 CFR 164.512(d)-(g)(1). The Department estimates 5
minutes of average processing time per attestation based on the average
wage of a mix of several occupations: medical and health services
managers, medical records specialists, and health practitioners.\434\
For example, a medical records specialist may forward certain requests
for the use or disclosure of PHI (for health oversight activities,
judicial and administrative proceedings, law enforcement purposes, and
about decedents to coroners and medical examiners) to a manager to
review whether the request pertains to the lawfulness of reproductive
health care. A health practitioner may review a number of records
subject to a request for whether they contain PHI potentially related
to reproductive health care. We calculate the annual cost for initial
processing of the estimated 2,794,201 requests requiring attestations
to total $20,585,500 [2,794,201 x (5/60) x $88.41]. For almost all of
these requests, we believe that a brief review will be sufficient for a
regulated entity to make a final disclosure determination.
---------------------------------------------------------------------------
\434\ See supra, Table 3 of this RIA.
---------------------------------------------------------------------------
For a small number of these requests, approximately 1,300, we
assume that the brief review will not be sufficient; we assume that
these requests will require legal review. This figure is an estimate of
the number of requests that are generated to investigate or impose
liability on a person for the mere act of seeking or obtaining lawful
reproductive health care, including from a health care
[[Page 33055]]
provider in a state other than the state where the regulated entity is
located. The Department's estimate assumes that approximately 26 states
may seek to restrict access to out-of-state reproductive health care,
including reproductive health care that is lawful under the
circumstances in which it was provided, and will initiate an average of
50 such requests annually. The Department estimates on average 1 hour of
review for such requests based on the wage of a lawyer.\435\ We
calculate the annual legal review cost for the estimated 1,300 requests
totals $204,724 [1,300 x 1 x $157.48]. This additional review increases
the cost of processing attestations to $20,790,224.
---------------------------------------------------------------------------
\435\ Id.
---------------------------------------------------------------------------
We anticipate that approximately one-quarter of requests that
result in legal reviews, approximately 325, will require additional
managerial review by the regulated entity before making a disclosure
decision. The Department estimates on average 3 hours of additional
review for each of these requests based on the wage of medical and
health services managers.\436\ We calculate a total cost for
additional actions for these requests of $119,984 [325 x 3 x $123.06].
The total annual estimated cost of processing attestations, including
all additional legal and managerial reviews, is $20,910,207.
---------------------------------------------------------------------------
\436\ Id.
---------------------------------------------------------------------------
Upon consideration of the estimated cost for regulated entities to
create a new attestation form, the Department is planning to develop a
model form to be available prior to the compliance date of this final
rule. This will save an estimated total of $60,970,823 [= 774,331 x
(30/60) x $157.48], based on 30 minutes of labor by a lawyer.
c. Costs Arising From Revised Business Associate Agreements
The Department anticipates that a certain percentage of business
associate agreements will likely need to be updated to reflect a
determination made by parties about their respective responsibilities
when either party receives requests for disclosures of PHI under 45 CFR
164.512(d), (e), (f), or (g)(1). For example, each of the parties to
the business associate agreement may need to notify the other party
when they have knowledge that a request is for an unlawful purpose and
allocate their respective responsibilities for handling these less
frequent requests. The Department is finalizing its proposed estimate
that each new or significantly modified contract between a business
associate and its subcontractors will require, on average, one hour of
labor by a lawyer at the wage reported in Table 3. We believe that
approximately 35 percent of 1 million business associates, or 350,000
entities, will decide to create or significantly modify subcontracts,
resulting in total costs of $55,118,000 [= 350,000 x $157.48].
A few commenters asserted that the Department's estimates for
business associates' costs were incorrect and that it should consider
additional costs. A commenter recommended that the Department adopt a
non-enforcement period to allow business associates to achieve
compliance and limit legal costs. Another commenter stated that the
Department did not adequately identify the costs that would be
associated with increased legal scrutiny of business associates as a
result of the proposed rule. And another commenter urged the Department
to consider the additional costs for renegotiated contracts as a result
of the proposed rule. Lastly, a commenter requested that the Department
apply the attestation requirement to business associates because it
would reduce the costs of the rule.
The Department has reviewed the comments and is adopting the 2023
Privacy Rule NPRM cost analysis in this final rule. Business associate
costs are adequately captured by the estimate for revising agreements.
Applying costs directly to business associates (as opposed to covered
entities) is distributional and will not alter the total impact of the
rule. The Department declines to create an additional non-enforcement
period for this provision of the final rule beyond the 180 days from
the effective date of the final rule to the compliance date.\437\
The estimated cost for responding to requests for PHI for which an
attestation is required accounts for increased scrutiny of a small
number of requests for PHI, and the estimated costs for updating
business associate agreements accounts for renegotiation of an average
of one release of information vendor contract for nearly half of all
covered entities.
---------------------------------------------------------------------------
\437\ This 180-day period runs from the effective date of the final
rule to the compliance date and follows the 60 days from the date of
publication to the effective date, for a total of 240 days.
---------------------------------------------------------------------------
d. Costs Arising From Changes to the Notice of Privacy Practices
The final rule modifies the NPP to notify individuals that covered
entities cannot use or disclose PHI for certain purposes and that in
certain circumstances, covered entities must obtain an attestation from
a person requesting the PHI that affirms that the use or disclosure is
not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). The final
rule also modifies the NPP to align with changes proposed in the 2022
Part 2 NPRM. This includes requiring covered entities that create or
maintain Part 2 records to provide a notice that: addresses such
records; references Part 2 as ``other applicable law'' that is more
stringent than the Privacy Rule; explains that covered entities may not
use or disclose a Part 2 record in a civil, criminal, administrative,
or legislative proceeding against the individual absent written consent
from the individual or a court order; and clarifies the applicability
of Part 2 for organized health care arrangements that hold Part 2
records. Additionally, the final rule further modifies language for
fundraising by covered entities that use or disclose Part 2 records to
require a clear and conspicuous opt-out opportunity for patients.
Finally, the modifications require the NPP to explain that PHI
disclosed to a person other than a regulated entity is no longer
subject to the requirements of the Privacy Rule.
The Department believes the burden associated with revising the NPP
consists of costs related to developing and drafting the revised NPP
for covered entities. The Department estimates that updating and
revising the language in the NPP will require 50 minutes of
professional legal services at the wage reported in Table 3. Across all
covered entities, the Department estimates a cost of $101,618,038 [=
774,331 x (50/60) x $157.48]. The Department does not anticipate any
new costs for health care providers associated with distribution of the
revised notice other than posting it on the entity's website (if it has
one) because health care providers have an ongoing obligation to
provide the notice to first-time patients that is already accounted for
in cost estimates for the HIPAA Rules. Health plans that post their NPP
online will incur minimal costs by posting the updated notice and then
including the updated NPP in the next annual mailing to
subscribers.\438\ Health plans that do not provide an annual mailing
will potentially incur an additional $12,743,700 in capital expenses
for mailing the revised NPP to an estimated 10 percent of the
150,000,000 health plan subscribers who receive a mailed, paper copy of
the notice, as well as the labor expense for an administrative support
staff member at the rate shown in Table 3 to complete the mailing, for
approximately $2,737,500 [= 62,500 hours x $43.80]. The Department
further estimates the cost of posting the revised NPP on the
[[Page 33056]]
covered entity's website will be 15 minutes of a web designer's time at
the wage reported in Table 3. Across all covered entities, the
Department estimates a cost of online posting as $18,936,265 [= 774,331
x (15/60) x $97.82].
---------------------------------------------------------------------------
\438\ 45 CFR 164.520(c)(1)(v)(A).
---------------------------------------------------------------------------
A commenter expressed concern that the Department was
underestimating the cost of mailing updates associated with changes to
NPP policies.
The Department is already accounting for the cost of mailing
updated NPPs within the estimated capital costs, which include printing
copies of NPPs that are provided in person and those that are mailed,
and postage for health plans that will need to conduct a mailing that
is off-cycle from their regular schedule. We estimate that half of NPPs
will need to be mailed and that health plans may include the updated
NPP with their next regular mailing to individuals.
e. Estimated Costs for Developing New or Modified Policies and
Procedures
The Department anticipates that covered entities will need to
develop new or modified policies and procedures for the new
requirements for attestations, the new category of prohibited uses and
disclosures, modifications to certain uses and disclosures permitted
under 45 CFR 164.512, and clarification of personal representative
qualifications. The Department is finalizing its proposed estimate that
the costs associated with developing such policies and procedures will
be the labor of a lawyer for 2.5 hours and that this expense represents
the largest area of cost for compliance with this final rule, for a
total of $304,854,115 [= 774,331 x 2.5 x $157.48].
A few commenters stated that the estimate for covered entities to
draft new policies was incorrect and provided additional information or
alternatives to reduce costs. A commenter stated that the time burden
for drafting new policies was insufficient and did not accurately
represent the amount of time it would take a covered entity to draft a
policy that complied with the proposed rule. Another commenter urged
the Department to include the costs for organizations to update their
privacy policies because of the proposed rule. A few commenters
requested that the Department provide organizations with additional
time to develop new policies that comply with the final rule.
The Department considered the concerns raised by commenters about
the burdens of the requirements to revise the Privacy Rule and made
several additional modifications in this final rule to reduce burdens
on regulated entities. For example, regulated entities are not required
to develop policies to routinely evaluate whether reproductive health
care that was provided by someone else was lawful. Instead, regulated
entities will need to develop policies to ensure that regulated
entities identify requests for health oversight activities, judicial
and administrative proceedings, law enforcement purposes, and about
decedents to coroners or medical examiners and procedures for obtaining
the required attestation if it is not provided with the request for the
use or disclosure of PHI. Additional policies will be required to
address requests for the above purposes that could result in a
prohibited use or disclosure, such as requests from law enforcement for
the use or disclosure of PHI that assert, without any other
information, that reproductive health care was provided unlawfully. The
updating of privacy policies is included in the overall cost of
updating policies and the estimate for updating the NPP. Because of
changes in the final rule that simplify compliance with the new
requirements, the Department is not adjusting the time burden for
revising or creating new policies and procedures.
f. Costs Associated With Training Workforce Members
The Department anticipates that covered entities will be able to
incorporate new content into existing HIPAA training requirements and
that the costs associated with doing so will be attributed to the labor
of a training specialist for an estimated 90 minutes for a total of
$78,029,335 [= 774,331 x (90/60) x $67.18].
A few commenters addressed training costs within the proposed rule,
including one who asserted that such costs could be reduced by ensuring
that the effective date for all of the provisions of the rule is the
same. Another commenter stated that covered entities would incur both a
one-time and yearly training cost, with the yearly training cost
accounting for most of the total training cost in year 1.
The Department is finalizing the cost estimate for training
workforce members as proposed, which includes the cost of a training
specialist updating the covered entity's HIPAA training program with
new content to include in training for workforce members within the
first year. Any further recurring component is likely to be implemented
into regularly scheduled employee training and will thus not be
directly attributable to this rule.
g. Total Quantifiable Costs
The Department summarizes in Table 6 the estimated nonrecurring
costs that covered entities and states will experience in the first
year of implementing the regulatory changes. The Department anticipates
that these costs will be for requesting exceptions from preemption of
contrary state law, implementing the attestation requirement, revising
business associate agreements, revising the NPP, mailing and posting it
online, revising policies and procedures, and updating HIPAA training
programs.
Table 6--New Nonrecurring Costs of Compliance With the Final Rule
----------------------------------------------------------------------------------------------------------------
Nonrecurring costs                        Burden hours/action x   Respondents                Total costs
                                          hourly wage                                        (millions)
----------------------------------------------------------------------------------------------------------------
Exception Requests....................... 16 x $93.04............ 26 States................. $0.04
BA Agreements, Revising.................. 1 x $157.48............ 350,000 BAAs.............. 55
NPP, Updating............................ 50/60 x $157.48........ 774,331 Covered entities.. 102
NPP, Mailing............................. 0.25/60 x $43.80....... 15,000,000 Subscribers.... 3
NPP, Posting Online...................... 15/60 x $97.82......... 774,331 Covered entities.. 19
Policies & Procedures.................... 150/60 x $157.48....... 774,331 Covered entities.. 305
Training................................. 90/60 x $67.18......... 774,331 Covered entities.. 78
Capital Expenses, Mailing NPPs--Health    $.85/NPP............... 15,000,000 Subscribers.... 13
  Plans.
----------------------------------------------------------------------------------------------------------------
Total Nonrecurring Burden................ ....................... .......................... \a\ 574
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.
[[Page 33057]]
Table 7 summarizes the recurring costs that the Department
anticipates covered entities will incur annually as a result of the
regulatory changes. These new costs are based on responding to requests
for uses and disclosures of PHI that are conditioned upon an
attestation.
Table 7--Recurring Annual Costs of Compliance With the Final Rule \a\
----------------------------------------------------------------------------------------------------------------
Recurring costs                           Burden hours x wage     Respondents                Total annual
                                                                                             cost ($)
----------------------------------------------------------------------------------------------------------------
Disclosures for which an attestation is   232,850 x $88.41....... 2,794,201................. $20,585,500
  required.
Attestation investigation review......... 1,300 x $157.48........ 1,300..................... 204,724
Attestation additional actions........... 975 x $123.06.......... 325....................... 119,984
----------------------------------------------------------------------------------------------------------------
Total Recurring Annual Burden............ ....................... .......................... 20,910,207
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.
Costs Borne by the Department
The covered entities that are operated by the Department will be
affected by the changes in a similar manner to other covered entities,
and such costs have been factored into the estimates above.
The Department expects that it will incur costs related to drafting
and disseminating a model attestation form and information about the
regulatory changes to covered entities, including health care providers
and health plans. In addition, the Department anticipates that it may
incur a 26-fold increase in the number of requests for exceptions from
preemption of contrary state law in the first year after a final rule
becomes effective, at an estimated total cost of approximately $146,319
to analyze and develop responses for an average cost of $7,410 per
request. This increase is based on the number of states that have
enacted or are likely to enact laws restricting access to reproductive
health care \439\ and may seek to obtain individuals' PHI to enforce
those laws. This estimate assumes that the Department receives and
reviews exception requests from the 26 states, that half require a more
complex analysis, and that all requests result in a written response
within one year of the final rule's publication.
---------------------------------------------------------------------------
\439\ See ``One Year After Dobbs--Vast Changes to the Abortion
Legal Landscape,'' supra note 432 (counting 21 states with post-
Dobbs limits that are more restrictive than Roe v. Wade allowed) and
``State Laws Restricting or Prohibiting Abortion,'' supra note 432.
Because of the pace of change in this area, the Department relies on
a higher number than JAMA's 2023 figure as a basis for its cost
estimates.
---------------------------------------------------------------------------
Benefits of the Final Rule
The benefits of this final rule to individuals and families are
likely substantial, and yet are not fully quantifiable because the area
of health care this final rule addresses is among the most sensitive
and life-altering if privacy is violated. Additionally, the value of
privacy, which cannot be recovered once lost, and of trust that privacy
will be protected by others, is difficult to quantify fully. Health
privacy has many significant benefits, such as promoting effective
communication between individuals and health care providers, preventing
discrimination, enhancing autonomy, supporting medical research, and
protecting the individual from unwanted exposure of sensitive health
information.\440\
---------------------------------------------------------------------------
\440\ See ``Trust and Privacy: How Patient Trust in Providers is
Related to Privacy Behaviors and Attitudes,'' supra note 120; Paige
Nong et al., ``Discrimination, trust, and withholding information
from providers: Implications for missing data and inequity,'' SSM--
Population Health (Apr. 7, 2022), https://www.sciencedirect.com/science/article/pii/S2352827322000714; see also S.J. Nass et al.,
``Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health
Through Research,'' Institute of Medicine (US) Committee on Health
Research and the Privacy of Health Information: The HIPAA Privacy
Rule (2009), https://www.ncbi.nlm.nih.gov/books/NBK9579/.
---------------------------------------------------------------------------
Notably, reproductive health care may include circumstances
resulting in a pregnancy, considerations concerning maternal and fetal
health, family genetic conditions, information concerning sexually
transmitted infections, and the relationship between prospective
parents (including victimization due to rape, incest, or sex
trafficking). Involuntary or poorly-timed disclosures can irreparably
harm relationships and reputations, and even result in job loss or
other negative consequences in the workplace,\441\ as well as
investigation, civil litigation or proceedings, and prosecution for
lawful activities.\442\ Additionally, fear of potential penalties or
liability that may result from disclosing information to a health care
provider about accessing reproductive health care may cast a long
shadow, decreasing trust between individuals and health care providers,
discouraging and deterring access to other valuable and necessary
health care, or compromising ongoing or subsequent care if an
individual's medical records are not accurate or complete.\443\ This
final rule will prevent or reduce the harms discussed here, resulting
in non-quantifiable benefits to individuals and their families,
friends, and health care providers. In particular, the role of trust in
the health care system and its importance to the provision of high-
quality health care is discussed extensively in Section III of this
preamble.
---------------------------------------------------------------------------
\441\ See Danielle Keats Citron & Daniel J. Solove, ``Privacy
Harms,'' GWU Legal Studies Research Paper No. 2021-11, GWU Law
School Public Law Research Paper No. 2021-11, 102 B.U. L. Rev. 793,
830-861 (Feb. 9, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3782222.
\442\ See ``Reclaiming Tort Law to Protect Reproductive
Rights,'' supra note 152.
\443\ See Div. of Reproductive Health, Nat'l Ctr. for Chronic
Disease Prevention and Health Promotion, ``Women With Chronic
Conditions Struggle to Find Medications After Abortion Laws Limit
Access,'' Ctrs. for Disease Control and Prevention (Jan. 4, 2023),
https://www.cdc.gov/teenpregnancy/health-care-providers/index.htm;
see also Brittni Frederiksen et al., ``Abortion Bans May Limit
Essential Medications for Women with Chronic Conditions,'' Kaiser
Family Foundation (Nov. 17, 2022), https://www.kff.org/womens-health-policy/issue-brief/abortion-bans-may-limit-essential-medications-for-women-with-chronic-conditions/.
---------------------------------------------------------------------------
The Department anticipates that this final rule will increase
health literacy by improving access to complete information about
health care options for individuals.\444\ For example, the prohibition
on the use and disclosure of PHI for purposes of investigating or
imposing liability on an individual, a person assisting them, or their
health care provider for lawful health care will increase individuals'
access to complete information about their health care options because
they will have increased confidence to share information about their
life, including their health, with health care providers. In turn, the
receipt of more complete information from patients will enable
[[Page 33058]]
health care providers to provide more accurate and relevant medical
information about lawful reproductive health care, and the new
prohibition will enable them to do so without fear of serious and
costly professional repercussions.
---------------------------------------------------------------------------
\444\ See Lynn M. Yee et al., ``Association of Health Literacy
Among Nulliparous Individuals and Maternal and Neonatal Outcomes,''
JAMA Network Open (Sept. 1, 2021), https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2783674.
---------------------------------------------------------------------------
This final rule will also contribute to increased access to
prenatal health care at the critical early stages of pregnancy by
affording individuals the assurance that they may obtain lawful
reproductive health care without fearing that records related to that
care would be subject to disclosure. For example, if a sexually active
individual fears they or their health care providers could be subject
to prosecution as a result of disclosure of their PHI, the individual
may avoid informing health care providers about symptoms or asking
questions of medical experts and may consequently fail to receive
necessary support and health care for a pregnancy diagnosis.\445\
Similarly, this final rule will likely contribute to a decreased rate
of maternal mortality and morbidity by improving access to information
about health services.\446\
---------------------------------------------------------------------------
\445\ See ``Texas Maternal Mortality and Morbidity Review
Committee and Department of State Health Services Joint Biennial
Report 2022,'' supra note 123.
\446\ See Helen Levy & Alex Janke, ``Health Literacy and Access
to Care,'' J. of Health Commc'n (2016), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4924568/; see also Brief for
Zurawski, Zurawski v. State of Texas (No. D-1-GN-23-000968) (W.D.
Tex. 2023), https://reproductiverights.org/wp-content/uploads/2023/03/Zurawski-v-State-of-Texas-Complaint.pdf.
---------------------------------------------------------------------------
Additionally, this final rule will enhance the mental health and
emotional well-being of individuals seeking or obtaining lawful
reproductive health care by reducing fear that their PHI will be
disclosed to investigate or impose liability on the individual, their
health care provider, or any persons facilitating the individual's
access to lawful reproductive health care. This is especially important
for individuals who need access to reproductive health care because
they are survivors of rape, incest, or sex trafficking. For at least
some such individuals, certain types of reproductive health care,
including abortion, often remain legal even if pregnancy termination is
not available to the broader population under state law. The Department
expects that this final rule will help to prevent or reduce re-
victimization of pregnant individuals who have been subject to rape,
incest, or sex trafficking by protecting their PHI from disclosure.
Activities conducted to investigate and impose liability that rely
on that information may be costly to defend against and thus are
financially draining for the target of those activities and for persons
who are not the target of the activity but whose information may be
used as evidence against others. Witnesses or targets of such
activities may lose time from work and incur steep legal bills that
create unmanageable debt or otherwise harm the economic stability of
the individual, their family, and their health care provider. In the
absence of this final rule, much of the cost may be for defending
against the unwanted use or disclosure of PHI. Thus, the Department
expects that this final rule will contribute to families' economic
well-being by reducing the risk of exposure to costly activities to
investigate or impose liability on persons for lawful activities as a
result of disclosures of PHI.
This final rule will also contribute to improved continuity of care
and ongoing and subsequent health care for individuals, thereby
improving health outcomes. If a health care provider believes that PHI
is likely to be disclosed without the individual's or the health care
provider's knowledge or consent, possibly to initiate or be used in
criminal or civil proceedings against the individual, their health care
provider, or others, the health care provider is more likely to omit
information about an individual's medical history or condition, leave
gaps, or include inaccuracies when preparing the individual's medical
records. And if an individual's medical records lack complete
information about the individual's health history, a subsequent health
care provider may not be able to conduct an appropriate health
assessment to reach a sound diagnosis and recommend the best course of
action for the individual. Alternatively, health care providers may
withhold from the individual full and complete information about their
treatment options because of liability concerns stemming from fears
about the privacy of an individual's PHI.\447\ Heightened
confidentiality and privacy protections enable a health care provider
to feel confident maintaining full and complete patient records.
Without complete patient records, an individual is less likely to
receive appropriate ongoing or future health care, including correct
diagnoses, and will be impeded in making informed treatment decisions.
---------------------------------------------------------------------------
\447\ See Brief for Zurawski, at 10, supra note 447.
---------------------------------------------------------------------------
Comparison of Benefits and Costs
A few commenters stated that the 2023 Privacy Rule NPRM reflected
the staffing costs of covered entities in full. One posited that
covered entities will receive more requests for PHI because of changes
in the legal environment after Dobbs, which will require some regulated
entities that may not typically get such requests to adjust according
to the changes in the law and how it is enforced. Another commenter
stated that the proposed rule did not account for higher staffing costs
from more highly qualified employees. The commenters did not provide
any relevant data or discussion of methodology for how these costs
should be quantified. Therefore, the Department did not include any
additional labor costs in the economic analysis based on this comment.
A few additional commenters expressed general concerns related to
electronic health record (EHR) systems and data storage. One urged the
Department to include costs associated with updating EHR systems to
ensure compliance and to allow for data segmentation. Another asserted
that the current classifications for different types of PHI are not
clear enough for effective data segmentation, contributing to increased
costs. As a result, they recommended that the Department provide
clearer guidelines on the different types of PHI. The Department did
not attempt to estimate additional data maintenance or EHR-related
costs because any adjustments will be part of the regular cost of
business for regulated entities.
A commenter stated that the Department did not quantify the costs
associated with violations of the rule by regulated entities, such as
incurring a monetary penalty after impermissibly responding to a court
order. The Department does not quantify the costs of noncompliance as
part of its analysis. Whether a violation will result in a monetary
penalty is dependent on numerous factors and the aim of the
Department's enforcement is to bring regulated entities into
compliance.
A few commenters asserted that the proposed rule would make it more
difficult for law enforcement to investigate criminals for crimes
related to sex and recommended that the Department quantify this cost.
The Department acknowledges that the final rule may result in some
changes to procedures for handling law enforcement requests for PHI;
however, the burden on regulated entities is calculated in its cost
estimates. The Department is unable to quantify the burdens to law
enforcement resulting from this final rule. However, to address
concerns about victims' ability to disclose their PHI related to
reproductive health care, the final rule
[[Page 33059]]
permits individuals to authorize disclosures for any purpose, including
law enforcement investigations. Therefore, the Department is not
including costs to law enforcement in the quantified costs and benefits
analysis. The Department expects the totality of the benefits of this
final rule to outweigh the costs, particularly in light of the privacy
benefits for individuals who could become pregnant (nearly one-fourth
of the U.S. population in any given year) and seek access to lawful
health care without the risk of their PHI being used or disclosed in
furtherance of activities to conduct criminal, civil, or administrative
investigations or impose liability without their authorization. The
Department expects covered entities and individuals to benefit from
covered entities' increased confidence to be able to provide lawful
health care according to professional standards.
The Department's qualitative benefit-cost analysis asserts that the
regulatory changes in this final rule will support an individual's
privacy with respect to lawful health care, enhance the relationship
between health care providers and individuals, strengthen maternal
well-being and family stability, and support victims of rape, incest,
and sex trafficking. The regulatory changes will also aid health care
providers in developing and maintaining a high level of trust with
individuals and maintaining complete and accurate medical records to
aid ongoing and subsequent health care. Greater levels of trust will
further enable individuals to develop and maintain relationships with
health care providers, which would enhance continuity of health care
for all individuals receiving care from the health care provider, not
only individuals in need of reproductive health care.
The financial costs of this final rule will accrue primarily to
covered entities, particularly health care providers and health plans
in the first year after implementation of a final rule, with recurring
costs accruing annually at a lower rate.
B. Regulatory Alternatives to the Final Rule
In addition to regulatory proposals in the 2023 Privacy Rule NPRM
that are not adopted here, the Department considered several
alternatives to the policies finalized in this rule.
Define Public Health in the Context of Public Health Surveillance,
Intervention, or Investigation
The Department considered alternatives to the proposed definition
of ``public health'' in the context of public health surveillance,
investigation, and intervention, particularly the reference to
population-level activities. Specifically, the Department considered
whether to add ``individual-level'' to further distinguish public
health surveillance, investigation, and intervention from other
activities but did not adopt this approach because it would add a new
undefined term that would generate more complexity without adding
clarity. The Department also considered removing ``population-level''
from the definition in this final rule, but we are not adopting that
approach because it might lead people to believe that the focus of
public health is not on activities benefiting the population as a
whole. Additionally, the Department considered defining ``public
health'' surveillance, investigation, or intervention only in the
negative--that is, by listing activities that are excluded--but decided
not to adopt this approach to ensure that stakeholders understand what
public health surveillance, investigation, or intervention means.
Modify Prohibition To Presume That Reproductive Health Care Is Lawful
Absent Actual Knowledge
The Department considered adding a provision that would allow
regulated entities to presume that certain requests for PHI are about
reproductive health care that was lawful under the circumstances in
which such health care was provided where it was provided by someone
other than the regulated entity receiving the PHI request, unless the
regulated entity had actual knowledge that such health care was not
lawful under the circumstances in which it was provided. However, in
consultation with Federal partners, the Department decided to finalize
a second exception to the presumption to permit uses or disclosures of
PHI where privacy interests are reduced, as compared to the societal
interest in the PHI for certain non-health care purposes. This
exception is available where factual information supplied by the person
requesting the use or disclosure of PHI demonstrates to the regulated
entity a substantial factual basis that the reproductive health care
was not lawful under the specific circumstances in which such health
care was provided.
Administrative Requests by Law Enforcement
The Department received reports that not all regulated entities are
interpreting the administrative request provision correctly and
proposed a clarification to 45 CFR 164.512(f)(1)(ii)(C). To address
concerns that disclosures currently made under Federal agencies'
interpretations of the Privacy Act of 1974 \448\ would not be permitted
under the NPRM proposal, the Department considered adding qualifying
language to paragraph 45 CFR 164.512(f)(1)(ii)(C) to state that PHI may
be disclosed by a Federal agency in response to an administrative
request from law enforcement where the Federal agency is authorized,
but not required, to disclose under applicable law (see, e.g., the
Privacy Act and OMB 1975 Guidelines \449\). However, the Department
determined that the contemplated change was not necessary because the
intent of the Privacy Rule was adequately captured in the clarification
proposed in the NPRM and finalized in this rule at 45 CFR
164.512(f)(1)(ii)(C). As finalized, this provision permits disclosures
to law enforcement in response to ``an administrative request for which
response is required by law, including an administrative subpoena or
summons, a civil or an authorized investigative demand, or similar
process authorized under law.''
---------------------------------------------------------------------------
\448\ Public Law 93-579, 88 Stat. 1896 (Dec. 31, 1974) (codified
at 5 U.S.C. 552a).
\449\ 40 FR 28948, 28955 (July 9, 1975).
---------------------------------------------------------------------------
Scope of Prohibited Conduct
In response to public comments on the 2023 Privacy Rule NPRM, the
Department considered several approaches to outlining prohibited
conduct. One approach was creating a category of ``highly sensitive
PHI'' and prohibiting its use and disclosure in certain proceedings
based on the mere act of, for example, obtaining, providing, or aiding
that category of health care. The Department did not adopt this
category based on many concerns expressed in public comments. For
example, distinguishing between the sensitivity of different types of
PHI would require complicated subjective determinations, and
prohibiting or limiting uses or disclosures of highly sensitive PHI for
certain purposes could negatively affect efforts to eliminate data
segmentation and further stigmatize the types of health care included
in the ``highly sensitive'' category.
Another approach the Department considered was to require an
attestation for all requested uses and disclosures of PHI under 45 CFR
164.512(d)-(g)(1), rather than limiting the requirement to only
requested uses and disclosures of PHI potentially related to
reproductive health care under such provisions. This would have reduced
the burden on
[[Page 33060]]
regulated entities to screen requested PHI for whether it contained
information potentially related to reproductive health care and
increased the burden on persons requesting PHI to evaluate and attest
to all requests for use and disclosure of PHI under 45 CFR 164.512(d)-
(g)(1). However, in recognition of the importance of oversight and law
enforcement entities' ability to obtain PHI for legitimate inquiries,
the Department decided not to require an attestation for all requests
under these provisions.
Requiring an Attestation Under Penalty of Perjury
The Department requested comments about the possibility of adding a
required penalty of perjury statement to strengthen the attestation
requirement but did not propose this statement in the 2023 Privacy Rule
NPRM. After reviewing public comments on this topic, the Department
considered adding a requirement that the attestation be signed by the
person requesting the use or disclosure of PHI under penalty of perjury
but did not adopt such a requirement in the final rule. As discussed in
greater detail above, a person who knowingly and in violation of the
Administrative Simplification provisions of HIPAA obtains or discloses
IIHI relating to another individual or discloses IIHI to another person
is subject to criminal liability.\450\ Thus, a person who knowingly and
in violation of HIPAA \451\ falsifies an attestation (e.g., makes
material misrepresentations about the intended uses of the PHI
requested) to obtain (or cause to be disclosed) an individual's IIHI
could be subject to criminal penalties as outlined in the statute. The
Department believes such penalties are sufficient to hold persons who
knowingly submit false attestations accountable for their actions and
deter such submissions entirely.
---------------------------------------------------------------------------
\450\ 42 U.S.C. 1320d-6(a).
\451\ A person (including an employee or other individual) shall
be considered to have obtained or disclosed individually
identifiable health information in violation of this part if the
information is maintained by a covered entity (as defined in the
HIPAA privacy regulation described in section 1320d-9(b)(3) of this
title) and the individual obtained or disclosed such information
without authorization. Id.
---------------------------------------------------------------------------
Right To Request Restrictions
In the 2023 Privacy Rule NPRM, the Department requested comments
regarding the right of individuals to request restrictions of uses and
disclosures of their PHI. We did not propose any changes to this
provision in the 2023 Privacy Rule NPRM, nor are we proposing or
finalizing any modifications to it at this time. We appreciate the
comments we received regarding expanding the rights to request
disclosures and will take them under advisement when we consider future
modifications to the Privacy Rule.
C. Regulatory Flexibility Act--Small Entity Analysis
The Department has examined the economic implications of this final
rule as required by the RFA. If a rule has a significant economic
impact on a substantial number of small entities, the RFA requires
agencies to analyze regulatory options that would reduce the economic
effect of the rule on small entities.
For purposes of the RFA, small entities include small businesses,
nonprofit organizations, and small governmental jurisdictions. The Act
defines ``small entities'' as (1) a proprietary firm meeting the size
standards of the Small Business Administration (SBA), (2) a nonprofit
organization that is not dominant in its field, and (3) a small
government jurisdiction of less than 50,000 population. A few
commenters raised concerns about the effects of the proposed rule on
small or rural providers and requested additional analysis, guidance,
or technical assistance from the Department to aid these entities. The
Department did not receive any public comments on the small business
analysis assumptions used in the NPRM. Accordingly, we are not changing
the baseline assumptions for this final rule. We have updated our
analysis of small entities for consistency with revisions to the RIA
for the costs and savings for covered entities. The Department has
determined that roughly 90 percent or more of all health care providers
meet the SBA size standard for a small business or are a nonprofit
organization. Therefore, the Department estimates that there are
696,898 small entities affected by the final rule.\452\ The SBA size
standard for health care providers ranges between a maximum of $16
million and $47 million in annual receipts, depending upon the type of
entity.\453\
---------------------------------------------------------------------------
\452\ 696,898 = 774,331 x .90.
\453\ See U.S. Small Business Administration, Table of Small
Business Size Standards (Mar. 17, 2023), https://www.sba.gov/sites/sbagov/files/2023-06/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%282%29.pdf.
---------------------------------------------------------------------------
With respect to health insurers, the SBA size standard is a maximum
of $47 million in annual receipts, and for third party administrators
it is $45.5 million.\454\ While some insurers are classified as
nonprofit, it is possible they are dominant in their market. For
example, a number of Blue Cross/Blue Shield insurers are organized as
nonprofit entities; yet they dominate the health insurance market in
the states where they are licensed.\455\
---------------------------------------------------------------------------
\454\ Id.
\455\ Kaiser Family Foundation, ``Market Share and Enrollment of
Largest Three Insurers--Large Group Market'' (2019), https://www.kff.org/other/state-indicator/market-share-and-enrollment-of-largest-three-insurers-large-group-market/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D.
---------------------------------------------------------------------------
For the reasons stated below, we do not expect that the cost of
compliance will be significant for small entities. Nor do we expect
that the cost of compliance will fall disproportionately on small
entities. Although many of the covered entities affected by this final
rule are small entities, they will not bear a disproportionate cost
burden compared to the other entities subject to the rule. The
projected total costs are discussed in detail in the RIA. The
Department does not view this as a substantial burden because the
result of the changes will be annualized costs per covered entity of
approximately $184 [= $142.6 million \456\/774,331 covered entities].
In the context of the RFA, HHS generally considers an economic impact
exceeding 3 percent of annual revenue to be significant, and 5 percent
or more of the affected small entities within an identified industry to
represent a substantial number. The quantified impact of $184 per
covered entity would only apply to covered entities whose annual
revenue is $6,133 or less. We believe almost all, if not all, covered
entities have annual revenues that exceed this amount. Accordingly, the
Department has determined that this final rule is unlikely to affect a
substantial number of small entities that meet the RFA threshold. Thus,
this analysis concludes, and the Secretary certifies, that the rule
will not result in a significant economic effect on a substantial
number of small entities.
---------------------------------------------------------------------------
\456\ This figure represents annualized costs discounted at a 3%
rate.
---------------------------------------------------------------------------
D. Executive Order 13132--Federalism
As required by E.O. 13132 on Federalism, the Department has
examined the provisions in both the proposed and final regulation for
their effects on the relationship between the Federal Government and
the states. In the Department's view, the final regulation may have
federalism implications because it may have direct effects on the
states, the relationship between the Federal Government and states, and
on the distribution of power and responsibilities among various
[[Page 33061]]
levels of government relating to the disclosure of PHI.
The changes from this final rule flow from and are consistent with
the underlying statute, which authorizes the Secretary to issue
regulations that govern the privacy of PHI. The statute provides that,
with limited exceptions, such regulations supersede contrary provisions
of state law unless the provision of state law imposes more stringent
privacy protections than the Federal law.\457\
---------------------------------------------------------------------------
\457\ 42 U.S.C. 1320d-7(a)(1).
---------------------------------------------------------------------------
Section 3(b) of E.O. 13132 recognizes that national action limiting
the policymaking discretion of states will be imposed only where there
is constitutional and statutory authority for the action and the
national activity is appropriate when considering a problem of national
significance. The privacy of PHI is of national concern by virtue of
the scope of interstate health commerce. As described in the preamble
to the proposed rule and this final rule, recent state actions
affecting reproductive health care have undermined the longstanding
expectation among individuals in all states that their highly sensitive
reproductive health information will remain private and not be used
against them for seeking or obtaining legal health care. These state
actions thus directly threaten the trust that is essential to ensuring
access to, and quality of, lawful health care. HIPAA's provisions
reflect this position by authorizing the Secretary to promulgate
regulations to implement the Privacy Rule.
Section 4(a) of E.O. 13132 expressly contemplates preemption when
there is a conflict between exercising state and Federal authority
under a Federal statute. Section 4(b) of the E.O. authorizes preemption
of state law in the Federal rulemaking context when ``the exercise of
State authority directly conflicts with the exercise of Federal
authority under the Federal statute.'' The approach in this regulation
is consistent with the standards in the E.O. because it supersedes
state authority only when such authority is inconsistent with standards
established pursuant to the grant of Federal authority under the
statute.
State and local laws that impinge on the privacy protections for
PHI of individuals who obtain lawful reproductive health care undermine
Congress' directive to develop a health information system for the
purpose of improving the effectiveness of the health care system, which
requires that all individuals who receive health care legally are
assured a minimum level of privacy for their PHI. Congress established
specific, narrow exceptions to preemption that did not include the use
or disclosure of an individual's medical records for law enforcement
purposes generally. Nor did Congress include a specific exception to
preemption that would permit states to use PHI against that individual,
health care providers, or third parties merely for seeking, obtaining,
providing, or facilitating lawful health care.\458\ Both the personal
and the public interest are served by protecting PHI so as not to
undermine an individual's access to and quality of lawful health care
services and their trust in the health care system.
---------------------------------------------------------------------------
\458\ 42 U.S.C. 1320d-7(a)(2)(A).
---------------------------------------------------------------------------
The Department anticipates that the most significant direct costs
on state and local governments would be the cost for state and local
government-operated covered entities to revise business associate
agreements, revise policies and procedures, update the NPP, update
training programs, and process requests for disclosures for which an
attestation is required. These costs would be similar in kind to those
borne by non-government operated covered entities. In addition, the
Department anticipates that approximately half of the states may choose
to file a request for an exception to preemption. The longstanding
regulatory provisions that govern preemption exception requests under
the HIPAA Rules would remain undisturbed by this rule.\459\ However,
based on the legal developments in some states that are described
elsewhere in this preamble, the Department anticipates that in the
first year of implementation of a final rule, more states will submit
requests for exceptions from preemption than have done so in the past.
The RIA above addresses these costs in detail.
---------------------------------------------------------------------------
\459\ 45 CFR 160.201 through 160.205.
---------------------------------------------------------------------------
Pursuant to the requirements set forth in section 8(a) of E.O.
13132, and by the signature affixed to the final rule, the Department
certifies that it has complied with the requirements of E.O. 13132,
including review and consideration of comments from state and local
government officials and the public about the interaction of this rule
with state activity, for the final rule in a meaningful and timely
manner.
E. Assessment of Federal Regulation and Policies on Families
Section 654 of the Treasury and General Government Appropriations
Act of 1999 \460\ requires Federal departments and agencies to
determine whether a proposed policy or regulation could affect family
well-being. If the determination is affirmative, then the Department or
agency must prepare an impact assessment to address criteria specified
in the law. This final rule is expected to strengthen the stability of
the family and marital commitment because it protects individual
privacy in the context of sensitive decisions about family planning.
The rule may be carried out only by the Federal Government because it
would modify Federal health privacy law, ensuring that American
families have confidence in the privacy of their information about
lawful reproductive health care, regardless of the state where they are
located when health care is provided. Such health care privacy is vital
for individuals who may become pregnant or who are capable of becoming
pregnant.
---------------------------------------------------------------------------
\460\ Public Law 105-277, 112 Stat. 2681 (Oct. 21, 1998).
---------------------------------------------------------------------------
F. Paperwork Reduction Act of 1995
Under the Paperwork Reduction Act of 1995 \461\ (PRA), agencies are
required to submit to OMB for review and approval any reporting or
record-keeping requirements inherent in a proposed or final rule and
are required to publish such proposed requirements for public comment.
To fairly evaluate whether an information collection should be approved
by the OMB, section 3506(c)(2)(A) of the PRA requires that the
Department solicit comment on the following issues:
---------------------------------------------------------------------------
\461\ Public Law 104-13, 109 Stat. 163 (May 22, 1995).
---------------------------------------------------------------------------
1. Whether the information collection is necessary and useful to
carry out the proper functions of the agency;
2. The accuracy of the agency's estimate of the information
collection burden;
3. The quality, utility, and clarity of the information to be
collected; and
4. Recommendations to minimize the information collection burden on
the affected public, including automated collection techniques.
The PRA requires consideration of the time, effort, and financial
resources necessary to meet the information collection requirements
referenced in this section. The Department considered public comments
on its assumptions and burden estimates in the 2023 Privacy Rule NPRM
and addresses those comments above in the discussion of benefits and
costs of this final rule.
In this RIA, the Department is revising certain information
collection requirements associated with this final rule and, as such,
is revising the information collection last prepared in
[[Page 33062]]
2023 and approved under OMB control #0945-0003. The revised information
collection describes all new and adjusted information collection
requirements for covered entities pursuant to the implementing
regulation for HIPAA at 45 CFR parts 160 and 164, the HIPAA Privacy,
Security, Breach Notification, and Enforcement Rules (``HIPAA Rules'').
The estimated annual labor burden presented by the regulatory
modifications in the first year of implementation, including
nonrecurring and recurring burdens, is 4,584,224 burden hours at a cost
of $582,242,165 \462\ and $20,910,207 of estimated annual labor costs
in years two through five. The overall total burden for respondents to
comply with the information collection requirements of all of the HIPAA
Privacy, Security, and Breach Notification Rules, including
nonrecurring and recurring burdens presented by program changes, is
953,982,236 burden hours at a cost of $107,336,705,941, plus
$197,364,010 in capital costs for a total estimated annual burden of
$107,534,069,951 in the first year following the effective date of the
final rule. Details describing the burden analysis for the proposals
associated with this RIA are presented below and explained further in
the ICR associated with this final rule.
---------------------------------------------------------------------------
\462\ This includes an increase of 416 burden hours and $36,442
in costs added to the existing information collection for requesting
exemption determinations under 45 CFR 160.204.
---------------------------------------------------------------------------
Explanation of Estimated Annualized Burden Hours
Below is a summary of the significant program changes and
adjustments made since the approved 2023 ICR; because the ICR addresses
regulatory burdens associated with the full suite of HIPAA Rules, the
changes and adjustments include updated data and estimates for some
provisions of the HIPAA Rules that are not affected by this final rule.
These program changes and adjustments form the bases for the burden
estimates presented in the ICR associated with this RIA.
Adjusted Estimated Annual Burdens of Compliance
(1) Increasing the number of covered entities from 700,000 to
774,331 based on program change.
(2) Increasing the number of respondents requesting exceptions to
state law preemption from 1 to 27 based on an expected reaction by
states that have enacted restrictions on reproductive health care
access.
(3) Increasing the burden hours by a factor of two for responding
to individuals' requests for restrictions on disclosures of their PHI
under 45 CFR 164.522 to represent a doubling of the expected requests.
(4) Updating the number of breaches for which notification is
required to reflect data in OCR's 2022 Report to Congress \463\ and
related burdens.
---------------------------------------------------------------------------
\463\ See Off. for Civil Rights, ``Annual Report to Congress on
Breaches of Unsecured Protected Health Information,'' U.S. Dep't of
Health and Human Servs. (2022), https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html.
---------------------------------------------------------------------------
(5) Increasing the number of estimated uses and disclosures for
research purposes.
(6) Increasing the total number of NPPs distributed by health plans
by 50% to total 300,000,000 due to the increase in number of Americans
with health coverage.
New Burdens Resulting from Program Changes
In addition to these changes, the Department added new annual
burdens as a result of program changes in the final rule:
(1) A nonrecurring burden of 1 hour for each of 350,000 business
associate agreements that is likely to be revised as a result of the
changes to handling requests for PHI under 45 CFR 164.512(d), (e), (f),
and (g)(1), to allocate responsibilities between covered entities and
their release-of-information contractors.
(2) A recurring burden of 5 minutes per request for staff to
determine whether an attestation is required for disclosure under 45
CFR 164.509.
(3) A recurring burden of 1 hour per request for legal review of
whether certain requests identified by staff as potentially requiring
an attestation pertain to the lawfulness of reproductive health care.
(4) A recurring burden of 3 hours per request for a percentage of
requests requiring legal review that might require additional manager
review to determine whether the requirements at 45 CFR 164.509 are met.
(5) A nonrecurring burden of 50 minutes per covered entity to
update the required content of its NPP.
(6) A nonrecurring burden of 15 minutes per covered entity for
posting an updated NPP online.
(7) A nonrecurring burden of 2.5 hours for each covered entity to
update its policies and procedures.
(8) A nonrecurring burden of 90 minutes for each covered entity to
update the content of its HIPAA training program.
List of Subjects
45 CFR Part 160
Health care, Health records, Preemption, Privacy, Public health,
Reproductive health care.
45 CFR Part 164
Health care, Health records, Privacy, Public health, Reporting and
recordkeeping requirements, Reproductive health care.
For the reasons stated in the preamble, the Department of Health
and Human Services amends 45 CFR subtitle A, subchapter C, parts 160
and 164 as set forth below:
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 160 continues to read as follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec.
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2
(note)); 5 U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat.
258-279; and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.
2. Amend Sec. 160.103 by:
a. Revising the definition of ``Person''; and
b. Adding in alphabetical order the definitions of ``Public health''
and ``Reproductive health care''.
The revision and additions read as follows:
Sec. 160.103 Definitions.
* * * * *
Person means a natural person (meaning a human being who is born
alive), trust or estate, partnership, corporation, professional
association or corporation, or other entity, public or private.
* * * * *
Public health, as used in the terms ``public health surveillance,''
``public health investigation,'' and ``public health intervention,''
means population-level activities to prevent disease in and promote the
health of populations. Such activities include identifying, monitoring,
preventing, or mitigating ongoing or prospective threats to the health
or safety of a population, which may involve the collection of
protected health information. But such activities do not include those
with any of the following purposes:
(1) To conduct a criminal, civil, or administrative investigation
into any person for the mere act of seeking, obtaining, providing, or
facilitating health care.
(2) To impose criminal, civil, or administrative liability on any
person for the mere act of seeking, obtaining, providing, or
facilitating health care.
[[Page 33063]]
(3) To identify any person for any of the activities described at
paragraphs (1) or (2) of this definition.
Reproductive health care means health care, as defined in this
section, that affects the health of an individual in all matters
relating to the reproductive system and to its functions and processes.
This definition shall not be construed to set forth a standard of care
for or regulate what constitutes clinically appropriate reproductive
health care.
* * * * *
PART 164--SECURITY AND PRIVACY
3. The authority citation for part 164 continues to read as follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec.
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note));
and secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.
4. Amend Sec. 164.502 by
a. Revising paragraph (a)(1)(vi);
b. Adding paragraph (a)(5)(iii); and
c. Revising paragraph (g)(5).
The addition and revisions read as follows:
Sec. 164.502 Uses and disclosures of protected health information:
General rules.
(a) * * *
(1) * * *
(vi) As permitted by and in compliance with any of the following:
(A) This section.
(B) Section 164.512 and, where applicable, Sec. 164.509.
(C) Section 164.514(e), (f), or (g).
* * * * *
(5) * * *
(iii) Reproductive health care--(A) Prohibition. Subject to
paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or
business associate may not use or disclose protected health information
for any of the following activities:
(1) To conduct a criminal, civil, or administrative investigation
into any person for the mere act of seeking, obtaining, providing, or
facilitating reproductive health care.
(2) To impose criminal, civil, or administrative liability on any
person for the mere act of seeking, obtaining, providing, or
facilitating reproductive health care.
(3) To identify any person for any purpose described in paragraphs
(a)(5)(iii)(A)(1) or (2) of this section.
(B) Rule of applicability. The prohibition at paragraph
(a)(5)(iii)(A) of this section applies only where the relevant activity
is in connection with any person seeking, obtaining, providing, or
facilitating reproductive health care, and the covered entity or
business associate that received the request for protected health
information has reasonably determined that one or more of the following
conditions exists:
(1) The reproductive health care is lawful under the law of the
state in which such health care is provided under the circumstances in
which it is provided.
(2) The reproductive health care is protected, required, or
authorized by Federal law, including the United States Constitution,
under the circumstances in which such health care is provided,
regardless of the state in which it is provided.
(3) The presumption at paragraph (a)(5)(iii)(C) of this section
applies.
(C) Presumption. The reproductive health care provided by another
person is presumed lawful under paragraph (a)(5)(iii)(B)(1) or (2) of
this section unless the covered entity or business associate has any of
the following:
(1) Actual knowledge that the reproductive health care was not
lawful under the circumstances in which it was provided.
(2) Factual information supplied by the person requesting the use
or disclosure of protected health information that demonstrates a
substantial factual basis that the reproductive health care was not
lawful under the specific circumstances in which it was provided.
(D) Scope. For the purposes of this subpart, seeking, obtaining,
providing, or facilitating reproductive health care includes, but is
not limited to, any of the following: expressing interest in, using,
performing, furnishing, paying for, disseminating information about,
arranging, insuring, administering, authorizing, providing coverage
for, approving, counseling about, assisting, or otherwise taking action
to engage in reproductive health care; or attempting any of the same.
* * * * *
(g) * * *
(5) Implementation specification: Abuse, neglect, endangerment
situations. Notwithstanding a State law or any requirement of this
paragraph to the contrary, a covered entity may elect not to treat a
person as the personal representative, provided that the conditions at
paragraphs (g)(5)(i) and (ii) of this section are met:
(i) Paragraphs (g)(5)(i)(A) and (B) of this section both apply.
(A) The covered entity has a reasonable belief that any of the
following is true:
(1) The individual has been or may be subjected to domestic
violence, abuse, or neglect by such person.
(2) Treating such person as the personal representative could
endanger the individual.
(B) The covered entity, in the exercise of professional judgment,
decides that it is not in the best interest of the individual to treat
the person as the individual's personal representative.
(ii) The covered entity does not have a reasonable belief under
paragraph (g)(5)(i)(A) of this section if the basis for their belief is
the provision or facilitation of reproductive health care by such
person for and at the request of the individual.
* * * * *
5. Add Sec. 164.509 to read as follows:
Sec. 164.509 Uses and disclosures for which an attestation is
required.
(a) Standard: Attestations for certain uses and disclosures of
protected health information to persons other than covered entities or
business associates. (1) A covered entity or business associate may not
use or disclose protected health information potentially related to
reproductive health care for purposes specified in Sec. 164.512(d),
(e), (f), or (g)(1), without obtaining an attestation that is valid
under paragraph (b)(1) of this section from the person requesting the
use or disclosure and complying with all applicable conditions of this
part.
(2) A covered entity or business associate that uses or discloses
protected health information potentially related to reproductive health
care for purposes specified in Sec. 164.512(d), (e), (f), or (g)(1),
in reliance on an attestation that is defective under paragraph (b)(2)
of this section, is not in compliance with this section.
(b) Implementation specifications: General requirements--(1) Valid
attestations. (i) A valid attestation is a document that meets the
requirements of paragraph (c)(1) of this section.
(ii) A valid attestation verifies that the use or disclosure is not
otherwise prohibited by Sec. 164.502(a)(5)(iii).
(iii) A valid attestation may be electronic, provided that it meets
the requirements in paragraph (c)(1) of this section, as applicable.
(2) Defective attestations. An attestation is not valid if the
document submitted has any of the following defects:
(i) The attestation lacks an element or statement required by
paragraph (c) of this section.
(ii) The attestation contains an element or statement not required
by paragraph (c) of this section.
(iii) The attestation violates paragraph (b)(3) of this section.
[[Page 33064]]
(iv) The covered entity or business associate has actual knowledge
that material information in the attestation is false.
(v) A reasonable covered entity or business associate in the same
position would not believe that the attestation is true with respect to
the requirement at paragraph (c)(1)(iv) of this section.
(3) Compound attestation. An attestation may not be combined with
any other document except where such other document is needed to
satisfy the requirements at paragraph (c)(iv) of this section or at
Sec. 164.502(a)(5)(iii)(C), as applicable.
(c) Implementation specifications: Content requirements and other
obligations--(1) Required elements. A valid attestation under this
section must contain the following elements:
(i) A description of the information requested that identifies the
information in a specific fashion, including one of the following:
(A) The name of any individual(s) whose protected health
information is sought, if practicable.
(B) If including the name(s) of any individual(s) whose protected
health information is sought is not practicable, a description of the
class of individuals whose protected health information is sought.
(ii) The name or other specific identification of the person(s), or
class of persons, who are requested to make the use or disclosure.
(iii) The name or other specific identification of the person(s),
or class of persons, to whom the covered entity is to make the
requested use or disclosure.
(iv) A clear statement that the use or disclosure is not for a
purpose prohibited under Sec. 164.502(a)(5)(iii).
(v) A statement that a person may be subject to criminal penalties
pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation
of HIPAA obtains individually identifiable health information relating
to an individual or discloses individually identifiable health
information to another person.
(vi) Signature of the person requesting the protected health
information, which may be an electronic signature, and date. If the
attestation is signed by a representative of the person requesting the
information, a description of such representative's authority to act
for the person must also be provided.
(2) Plain language requirement. The attestation must be written in
plain language.
(d) Material misrepresentations. If, during the course of using or
disclosing protected health information in reasonable reliance on a
facially valid attestation, a covered entity or business associate
discovers information reasonably showing that any representation made
in the attestation was materially false, leading to a use or disclosure
for a purpose prohibited under Sec. 164.502(a)(5)(iii), the covered
entity or business associate must cease such use or disclosure.
* * * * *
■ 6. Amend Sec. 164.512 by:
■ a. Revising the introductory text and the paragraph (c) paragraph
heading;
■ b. Adding paragraph (c)(3); and
■ c. Revising paragraph (f)(1)(ii)(C) introductory text.
The revisions and addition read as follows:
Sec. 164.512 Uses and disclosures for which an authorization or
opportunity to agree or object is not required.
Except as provided by Sec. 164.502(a)(5)(iii), a covered entity
may use or disclose protected health information without the written
authorization of the individual, as described in Sec. 164.508, or the
opportunity for the individual to agree or object as described in Sec.
164.510, in the situations covered by this section, subject to the
applicable requirements of this section and Sec. 164.509. When the
covered entity is required by this section to inform the individual of,
or when the individual may agree to, a use or disclosure permitted by
this section, the covered entity's information and the individual's
agreement may be given verbally.
* * * * *
(c) Standard: Disclosures about victims of abuse, neglect, or
domestic violence--* * *
(3) Rule of construction. Nothing in this section shall be
construed to permit disclosures prohibited by Sec. 164.502(a)(5)(iii)
when the sole basis of the report of abuse, neglect, or domestic
violence is the provision or facilitation of reproductive health care.
* * * * *
(f) * * *
(1) * * *
(ii) * * *
(C) An administrative request for which response is required by
law, including an administrative subpoena or summons, a civil or an
authorized investigative demand, or similar process authorized under
law, provided that:
* * * * *
■ 7. Amend Sec. 164.520 by:
■ a. Revising and republishing paragraphs (a) and (b); and
■ b. Adding paragraph (d)(4).
The revisions and additions read as follows:
Sec. 164.520 Notice of privacy practices for protected health
information.
* * * * *
(a) Standard: Notice of privacy practices--(1) Right to notice.
Except as provided by paragraph (a)(3) or (4) of this section, an
individual has a right to adequate notice of the uses and disclosures
of protected health information that may be made by the covered entity,
and of the individual's rights and the covered entity's legal duties
with respect to protected health information.
(2) Notice requirements for covered entities creating or
maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR
2.22, an individual who is the subject of records protected under 42
CFR part 2 has a right to adequate notice of the uses and disclosures
of such records, and of the individual's rights and the covered
entity's legal duties with respect to such records.
(3) Exception for group health plans. (i) An individual enrolled in
a group health plan has a right to notice:
(A) From the group health plan, if, and to the extent that, such an
individual does not receive health benefits under the group health plan
through an insurance contract with a health insurance issuer or HMO; or
(B) From the health insurance issuer or HMO with respect to the
group health plan through which such individuals receive their health
benefits under the group health plan.
(ii) A group health plan that provides health benefits solely
through an insurance contract with a health insurance issuer or HMO,
and that creates or receives protected health information in addition
to summary health information as defined in Sec. 164.504(a) or
information on whether the individual is participating in the group
health plan, or is enrolled in or has disenrolled from a health
insurance issuer or HMO offered by the plan, must:
(A) Maintain a notice under this section; and
(B) Provide such notice upon request to any person. The provisions
of paragraph (c)(1) of this section do not apply to such group health
plan.
(iii) A group health plan that provides health benefits solely
through an insurance contract with a health insurance issuer or HMO,
and does not create or receive protected health information other than
summary health information as defined in Sec. 164.504(a) or
information on whether an individual is participating in the group
health plan, or is enrolled in or has disenrolled from a health
insurance issuer or HMO offered by the plan, is not required to
maintain or provide a notice
under this section.
(4) Exception for inmates. An inmate does not have a right to
notice under this section, and the requirements of this section do not
apply to a correctional institution that is a covered entity.
(b) Implementation specifications: Content of notice--(1) Required
elements. The covered entity, including any covered entity receiving or
maintaining records subject to 42 U.S.C. 290dd-2, must provide a notice
that is written in plain language and that contains the elements
required by this paragraph.
(i) Header. The notice must contain the following statement as a
header or otherwise prominently displayed:
``THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE
USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.''
(ii) Uses and disclosures. The notice must contain:
(A) A description, including at least one example, of the types of
uses and disclosures that the covered entity is permitted by this
subpart to make for each of the following purposes: treatment, payment,
and health care operations.
(B) A description of each of the other purposes for which the
covered entity is permitted or required by this subpart to use or
disclose protected health information without the individual's written
authorization.
(C) If a use or disclosure for any purpose described in paragraphs
(b)(1)(ii)(A) or (B) of this section is prohibited or materially
limited by other applicable law, such as 42 CFR part 2, the description
of such use or disclosure must reflect the more stringent law as
defined in Sec. 160.202 of this subchapter.
(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of
this section, the description must include sufficient detail to place
the individual on notice of the uses and disclosures that are permitted
or required by this subpart and other applicable law, such as 42 CFR
part 2.
(E) A description of the types of uses and disclosures that require
an authorization under Sec. 164.508(a)(2)-(a)(4), a statement that
other uses and disclosures not described in the notice will be made
only with the individual's written authorization, and a statement that
the individual may revoke an authorization as provided by Sec.
164.508(b)(5).
(F) A description, including at least one example, of the types of
uses and disclosures prohibited under Sec. 164.502(a)(5)(iii) in
sufficient detail for an individual to understand the prohibition.
(G) A description, including at least one example, of the types of
uses and disclosures for which an attestation is required under Sec.
164.509.
(H) A statement adequate to put the individual on notice of the
potential for information disclosed pursuant to this subpart to be
subject to redisclosure by the recipient and no longer protected by
this subpart.
(iii) Separate statements for certain uses or disclosures. If the
covered entity intends to engage in any of the following activities,
the description required by paragraph (b)(1)(ii)(A) or (B) of this
section must include a separate statement informing the individual of
such activities, as applicable:
(A) In accordance with Sec. 164.514(f)(1), the covered entity may
contact the individual to raise funds for the covered entity and the
individual has a right to opt out of receiving such communications;
(B) In accordance with Sec. 164.504(f), the group health plan, or
a health insurance issuer or HMO with respect to a group health plan,
may disclose protected health information to the sponsor of the plan;
(C) If a covered entity that is a health plan, excluding an issuer
of a long-term care policy falling within paragraph (1)(viii) of the
definition of health plan, intends to use or disclose protected health
information for underwriting purposes, a statement that the covered
entity is prohibited from using or disclosing protected health
information that is genetic information of an individual for such
purposes;
(D) Substance use disorder treatment records received from programs
subject to 42 CFR part 2, or testimony relaying the content of such
records, shall not be used or disclosed in civil, criminal,
administrative, or legislative proceedings against the individual
unless based on written consent, or a court order after notice and an
opportunity to be heard is provided to the individual or the holder of
the record, as provided in 42 CFR part 2. A court order authorizing use
or disclosure must be accompanied by a subpoena or other legal
requirement compelling disclosure before the requested record is used
or disclosed; or
(E) If a covered entity that creates or maintains records subject
to 42 CFR part 2 intends to use or disclose such records for
fundraising for the benefit of the covered entity, the individual must
first be provided with a clear and conspicuous opportunity to elect not
to receive any fundraising communications.
(iv) Individual rights. The notice must contain a statement of the
individual's rights with respect to protected health information and a
brief description of how the individual may exercise these rights, as
follows:
(A) The right to request restrictions on certain uses and
disclosures of protected health information as provided by Sec.
164.522(a), including a statement that the covered entity is not
required to agree to a requested restriction, except in case of a
disclosure restricted under Sec. 164.522(a)(1)(vi);
(B) The right to receive confidential communications of protected
health information as provided by Sec. 164.522(b), as applicable;
(C) The right to inspect and copy protected health information as
provided by Sec. 164.524;
(D) The right to amend protected health information as provided by
Sec. 164.526;
(E) The right to receive an accounting of disclosures of protected
health information as provided by Sec. 164.528; and
(F) The right of an individual, including an individual who has
agreed to receive the notice electronically in accordance with
paragraph (c)(3) of this section, to obtain a paper copy of the notice
from the covered entity upon request.
(v) Covered entity's duties. The notice must contain:
(A) A statement that the covered entity is required by law to
maintain the privacy of protected health information, to provide
individuals with notice of its legal duties and privacy practices, and
to notify affected individuals following a breach of unsecured
protected health information;
(B) A statement that the covered entity is required to abide by the
terms of the notice currently in effect; and
(C) For the covered entity to apply a change in a privacy practice
that is described in the notice to protected health information that
the covered entity created or received prior to issuing a revised
notice, in accordance with Sec. 164.530(i)(2)(ii), a statement that it
reserves the right to change the terms of its notice and to make the
new notice provisions effective for all protected health information
that it maintains. The statement must also describe how it will provide
individuals with a revised notice.
(vi) Complaints. The notice must contain a statement that
individuals may complain to the covered entity and to the Secretary if
they believe their privacy rights have been
violated, a brief description of how the individual may file a
complaint with the covered entity, and a statement that the individual
will not be retaliated against for filing a complaint.
(vii) Contact. The notice must contain the name, or title, and
telephone number of a person or office to contact for further
information as required by Sec. 164.530(a)(1)(ii).
(viii) Effective date. The notice must contain the date on which
the notice is first in effect, which may not be earlier than the date
on which the notice is printed or otherwise published.
(2) Optional elements. (i) In addition to the information required
by paragraph (b)(1) of this section, if a covered entity elects to
limit the uses or disclosures that it is permitted to make under this
subpart, the covered entity may describe its more limited uses or
disclosures in its notice, provided that the covered entity may not
include in its notice a limitation affecting its right to make a use or
disclosure that is required by law or permitted by Sec.
164.512(j)(1)(i).
(ii) For the covered entity to apply a change in its more limited
uses and disclosures to protected health information created or
received prior to issuing a revised notice, in accordance with Sec.
164.530(i)(2)(ii), the notice must include the statements required by
paragraph (b)(1)(v)(C) of this section.
(3) Revisions to the notice. The covered entity must promptly
revise and distribute its notice whenever there is a material change to
the uses or disclosures, the individual's rights, the covered entity's
legal duties, or other privacy practices stated in the notice. Except
when required by law, a material change to any term of the notice may
not be implemented prior to the effective date of the notice in which
such material change is reflected.
* * * * *
(d) * * *
* * * * *
(4) The permission in paragraph (d) of this section for covered
entities that participate in an organized health care arrangement to
issue a joint notice may not be construed to remove any obligations or
duties of entities creating or maintaining records subject to 42 U.S.C.
290dd-2, or to remove any rights of patients who are the subjects of
such records.
* * * * *
■ 8. Add Sec. 164.535 to read as follows:
Sec. 164.535 Severability.
If any provision of the HIPAA Privacy Rule to Support Reproductive
Health Care Privacy is held to be invalid or unenforceable facially, or
as applied to any person, plaintiff, or circumstance, it shall be
construed to give maximum effect to the provision permitted by law,
unless such holding shall be one of utter invalidity or
unenforceability, in which case the provision shall be severable from
this part and shall not affect the remainder thereof or the application
of the provision to other persons not similarly situated or to other
dissimilar circumstances.
* * * * *
Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2024-08503 Filed 4-22-24; 4:15 pm]
BILLING CODE 4153-01-P