[Federal Register Volume 89, Number 82 (Friday, April 26, 2024)]
[Rules and Regulations]
[Pages 32976-33066]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-08503]



[[Page 32975]]

Vol. 89

Friday,

No. 82

April 26, 2024

Part V





Department of Health and Human Services





-----------------------------------------------------------------------





45 CFR Parts 160 and 164





HIPAA Privacy Rule To Support Reproductive Health Care Privacy; Final 
Rule

  Federal Register / Vol. 89 , No. 82 / Friday, April 26, 2024 / Rules 
and Regulations  

[[Page 32976]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0945-AA20


HIPAA Privacy Rule To Support Reproductive Health Care Privacy

AGENCY: Office for Civil Rights (OCR), Office of the Secretary, 
Department of Health and Human Services.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS or 
``Department'') is issuing this final rule to modify the Standards for 
Privacy of Individually Identifiable Health Information (``Privacy 
Rule'') under the Health Insurance Portability and Accountability Act 
of 1996 (HIPAA) and the Health Information Technology for Economic and 
Clinical Health Act of 2009 (HITECH Act). The Department is issuing 
this final rule after careful consideration of all public comments 
received in response to the notice of proposed rulemaking (NPRM) for 
the HIPAA Privacy Rule to Support Reproductive Health Care Privacy 
(``2023 Privacy Rule NPRM'') and public comments received on proposals 
to revise provisions of the HIPAA Privacy Rule in the NPRM for the 
Confidentiality of Substance Use Disorder (SUD) Patient Records (``2022 
Part 2 NPRM'').

DATES: 
    Effective date: This final rule is effective on June 25, 2024.
    Compliance date: Persons subject to this regulation must comply 
with the applicable requirements of this final rule by December 23, 
2024, except for the applicable requirements of 45 CFR 164.520 in this 
final rule. Persons subject to this regulation must comply with the 
applicable requirements of 45 CFR 164.520 in this final rule by 
February 16, 2026.

FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 240-
3110 or (800) 537-7697 (TDD), or by email at [email protected].

SUPPLEMENTARY INFORMATION: 

Table of Contents

I. Executive Summary
    A. Overview
    B. Effective and Compliance Dates
    1. 2023 Privacy Rule NPRM
    2. Overview of Comments
    3. Final Rule
    4. Response to Public Comments
II. Statutory and Regulatory Background
    A. Statutory Authority and History
    1. Health Insurance Portability and Accountability Act of 1996 
(HIPAA)
    2. Health Information Technology for Economic and Clinical 
Health (HITECH) Act
    B. Regulatory History
    1. 2000 Privacy Rule
    2. 2002 Privacy Rule
    3. 2013 Omnibus Rule
    4. 2024 Privacy Rule
III. Justification for This Rulemaking
    A. HIPAA Encourages Trust and Confidence by Carefully Balancing 
Individuals' Privacy Interests With Others' Interests in Using or 
Disclosing PHI
    1. Privacy Protections Ensure That Individuals Have Access to, 
and Are Comfortable Accessing, High-Quality Health Care
    2. The Department's Approach to the Privacy Rule Has Long Sought 
To Balance the Interests of Individuals and Society
    B. Developments in the Legal Environment Are Eroding 
Individuals' Trust in the Health Care System
    C. To Protect the Trust Between Individuals and Health Care 
Providers, the Department Is Restricting Certain Uses and 
Disclosures of PHI for Particular Non-Health Care Purposes
IV. General Discussion of Public Comments
    A. General Comments in Support of the Proposed Rule
    B. General Comments in Opposition to the Proposed Rule
    C. Other General Comments on the Proposed Rule
V. Summary of Final Rule Provisions and Public Comments and 
Responses
    A. Section 160.103 Definitions
    1. Clarifying the Definition of ``Person''
    2. Interpreting Terms Used in Section 1178(b) of the Social 
Security Act
    3. Adding a Definition of ``Reproductive Health Care''
    4. Whether the Department Should Define Any Additional Terms
    B. Section 164.502--Uses and Disclosures of Protected Health 
Information: General Rules
    1. Clarifying When PHI May Be Used or Disclosed by Regulated 
Entities
    2. Adding a New Category of Prohibited Uses and Disclosures
    3. Clarifying Personal Representative Status in the Context of 
Reproductive Health Care
    4. Request for Comments
    C. Section 164.509--Uses and Disclosures for Which an 
Attestation is Required
    1. Current Provision
    2. Proposed Rule
    3. Overview of Public Comments
    4. Final Rule
    5. Responses to Public Comments
    D. Section 164.512--Uses and Disclosures for Which an 
Authorization or Opportunity To Agree or Object Is Not Required
    1. Applying the Prohibition and Attestation Condition to Certain 
Permitted Uses and Disclosures
    2. Making a Technical Correction to the Heading of 45 CFR 
164.512(c) and Clarifying That Providing or Facilitating 
Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence
    3. Clarifying the Permission for Disclosures Based on 
Administrative Processes
    4. Request for Information on Current Processes for Receiving 
and Addressing Requests Pursuant to 164.512(d) Through (g)(1)
    E. Section 164.520--Notice of Privacy Practices for Protected 
Health Information
    1. Current Provision
    2. CARES Act
    3. Proposals in 2022 Part 2 NPRM and 2023 Privacy Rule NPRM
    4. Overview of Public Comments
    5. Final Rule
    6. Responses to Public Comments
    F. Section 164.535--Severability
    G. Comments on Other Provisions of the HIPAA Rules
VI. Regulatory Impact Analysis
    A. Executive Order 12866 and Related Executive Orders on 
Regulatory Review
    1. Summary of Costs and Benefits
    2. Baseline Conditions
    3. Costs of the Rule
    B. Regulatory Alternatives to the Final Rule
    C. Regulatory Flexibility Act--Small Entity Analysis
    D. Executive Order 13132--Federalism
    E. Assessment of Federal Regulation and Policies on Families
    F. Paperwork Reduction Act of 1995
Explanation of Estimated Annualized Burden Hours

                            Table of Acronyms
------------------------------------------------------------------------
            Term                                Meaning
------------------------------------------------------------------------
AMA.........................  American Medical Association.
API.........................  Application Programming Interface.
CARES Act...................  Coronavirus Aid, Relief, and Economic
                               Security Act.
CDC.........................  Centers for Disease Control and
                               Prevention.
CLIA........................  Clinical Laboratory Improvement Amendments
                               of 1988.
CMS.........................  Centers for Medicare & Medicaid Services.
DOD.........................  Department of Defense.

[[Page 32977]]

 
Department or HHS...........  Department of Health and Human Services.
EHR.........................  Electronic Health Record.
E.O.........................  Executive Order.
FDA.........................  Food and Drug Administration.
FHIR[supreg]................  Fast Healthcare Interoperability
                               Resources[supreg].
FTC.........................  Federal Trade Commission.
GINA........................  Genetic Information Nondiscrimination Act
                               of 2008.
Health IT...................  Health Information Technology.
HIE.........................  Health Information Exchange.
HIPAA.......................  Health Insurance Portability and
                               Accountability Act of 1996.
HITECH Act..................  Health Information Technology for Economic
                               and Clinical Health Act of 2009.
ICR.........................  Information Collection Request.
IIHI........................  Individually Identifiable Health
                               Information.
NCVHS.......................  National Committee on Vital and Health
                               Statistics.
NICS........................  National Instant Criminal Background Check
                               System.
NPP.........................  Notice of Privacy Practices.
NPRM........................  Notice of Proposed Rulemaking.
OCR.........................  Office for Civil Rights.
OHCA........................  Organized Health Care Arrangement.
OMB.........................  Office of Management and Budget.
ONC.........................  Office of the National Coordinator for
                               Health Information Technology.
PHI.........................  Protected Health Information.
PRA.........................  Paperwork Reduction Act of 1995.
RFA.........................  Regulatory Flexibility Act.
RIA.........................  Regulatory Impact Analysis.
SBA.........................  Small Business Administration.
SSA.........................  Social Security Act of 1935.
TPO.........................  Treatment, Payment, or Health Care
                               Operations.
UMRA........................  Unfunded Mandates Reform Act of 1995.
------------------------------------------------------------------------

I. Executive Summary

A. Overview

    In this final rule, the Department of Health and Human Services 
(HHS or ``Department'') modifies certain provisions of the Standards 
for Privacy of Individually Identifiable Health Information (``Privacy 
Rule''), issued pursuant to section 264 of the Administrative 
Simplification provisions of title II, subtitle F, of the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA).\1\ The 
Privacy Rule \2\ is one of several rules, collectively known as the 
HIPAA Rules,\3\ that protect the privacy and security of individuals' 
protected health information \4\ (PHI), which is individually 
identifiable health information \5\ (IIHI) transmitted by or maintained 
in electronic media or any other form or medium, with certain 
exceptions.\6\
---------------------------------------------------------------------------

    \1\ Subtitle F of title II of HIPAA (Pub. L. 104-191, 110 Stat. 
1936 (Aug. 21, 1996)) added a new part C to title XI of the Social 
Security Act of 1935 (SSA), Public Law 74-271, 49 Stat. 620 (Aug. 
14, 1935), (see sections 1171-1179 of the SSA (codified at 42 U.S.C. 
1320d-1320d-8)), as well as promulgating section 264 of HIPAA 
(codified at 42 U.S.C. 1320d-2 note), which authorizes the Secretary 
to promulgate regulations with respect to the privacy of 
individually identifiable health information. The Privacy Rule has 
subsequently been amended pursuant to the Genetic Information 
Nondiscrimination Act of 2008 (GINA), title I, section 105, Public 
Law 110-233, 122 Stat. 881 (May 21, 2008) (codified at 42 U.S.C. 
2000ff), and the Health Information Technology for Economic and 
Clinical Health (HITECH) Act of 2009, Public Law 111-5, 123 Stat. 
226 (Feb. 17, 2009) (codified at 42 U.S.C. 1390w-4(O)(2)).
    \2\ 45 CFR parts 160 and 164, subparts A and E. For a history of 
the Privacy Rule, see infra Section II.B., ``Regulatory History.''
    \3\ See also the HIPAA Security Rule, 45 CFR parts 160 and 164, 
subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part 
164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160, 
subparts C, D, and E.
    \4\ 45 CFR 160.103 (definition of ``Protected health 
information'').
    \5\ 42 U.S.C. 1320d. See also 45 CFR 160.103 (definition of 
``Individually identifiable health information'').
    \6\ At times throughout this final rule, the Department uses the 
terms ``health information'' or ``individuals' health information'' 
to refer generically to health information pertaining to an 
individual or individuals. In contrast, the Department's use of the 
term ``IIHI'' refers to a category of health information defined in 
HIPAA, and ``PHI'' is used to refer specifically to a category of 
IIHI that is defined by and subject to the privacy and security 
standards promulgated in the HIPAA Rules.
---------------------------------------------------------------------------

    The Privacy Rule requires the disclosure of PHI only in the 
following circumstances: when required by the Secretary to investigate 
a regulated entity's compliance with the Privacy Rule and to the 
individual pursuant to the individual's right of access and the 
individual's right to an accounting of disclosures.\7\ Any other uses 
or disclosures described in the Privacy Rule are either permitted or 
prohibited, as specified in the Privacy Rule. For example, the Privacy 
Rule permits, but does not require, a regulated entity to disclose PHI 
to conduct quality improvement activities when applicable conditions 
are met, and it prohibits a regulated entity from selling PHI except 
pursuant to and in compliance with 45 CFR 164.508(a)(4).\8\
---------------------------------------------------------------------------

    \7\ See 45 CFR 164.502(2) and (4).
    \8\ See 45 CFR 164.512(i) and 164.502(a)(5)(ii).
---------------------------------------------------------------------------

    In accordance with its statutory mandate, the Department 
promulgated the Privacy Rule and continues to administer and enforce it 
to ensure that individuals are not afraid to seek health care from, or 
share important information with, their health care providers because 
of a concern that their sensitive information will be disclosed outside 
of their relationship with their health care provider. Protecting 
privacy promotes trust between health care providers and individuals, 
advancing access to and improving the quality of health care. To 
achieve this goal, the Department generally has applied the same 
privacy standards to nearly all PHI, regardless of the type of health 
care at issue. Notably, special protections were given to psychotherapy 
notes, owing in part to the particularly

[[Page 32978]]

sensitive information those notes contain.\9\
---------------------------------------------------------------------------

    \9\ See 45 CFR 164.501 and 164.508(a)(2).
---------------------------------------------------------------------------

    Under its statutory authority to administer and enforce the HIPAA 
Rules, the Department may modify the HIPAA Rules as needed.\10\ The 
Supreme Court decision in Dobbs v. Jackson Women's Health Organization 
\11\ (Dobbs) overturned precedent that protected a constitutional right 
to abortion and altered the legal and health care landscape. This 
decision has far-reaching implications for reproductive health care 
beyond its effects on access to abortion.\12\ This changing legal 
landscape increases the likelihood that an individual's PHI may be 
disclosed in ways that cause harm to the interests that HIPAA seeks to 
protect, including the trust of individuals in health care providers 
and the health care system.\13\ The threat that PHI will be disclosed 
and used to conduct such an investigation against, or to impose 
liability upon, an individual or another person is likely to chill an 
individual's willingness to seek lawful health care treatment or to 
provide full information to their health care providers when obtaining 
that treatment, and on the willingness of health care providers to 
provide such care.\14\ These developments in the legal environment 
increase the potential that use and disclosure of PHI about an 
individual's reproductive health will undermine access to and the 
quality of health care generally.
---------------------------------------------------------------------------

    \10\ Section 1174(b)(1) of Public Law 104-191 (codified at 42 
U.S.C. 1320d-3).
    \11\ 597 U.S. 215 (2022).
    \12\ See Melissa Suran, ``Treating Cancer in Pregnant Patients 
After Roe v Wade Overturned,'' JAMA (Sept. 29, 2022), https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2797062?resultClick=1 and Rita Rubin, ``How Abortion Bans Could 
Affect Care for Miscarriage and Infertility,'' JAMA (June 28, 2022), 
https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2793921?resultClick=1.
    \13\ See infra National Committee on Vital and Health Statistics 
(NCVHS) discussion, Section II.A.1., expressing concern for harm 
caused by disclosing identifiable health information for non-health 
care purposes.
    \14\ See Whitney S. Rice et al. `` `Post-Roe' Abortion Policy 
Context Heightens Imperative for Multilevel, Comprehensive, 
Integrated Health Education,'' (Sept. 29, 2022), https://journals.sagepub.com/doi/full/10.1177/10901981221125399 (``New 
ethical and legal complexities around patient counseling are 
emerging, particularly in states limiting or eliminating abortion 
access, due to more extreme abortion restrictions. Clinicians in 
such contexts may be forced to adhere to legal requirements of 
states which run counter to well-being and desires of patients, 
violating the medical principles of beneficence and respect for 
patient autonomy'').
---------------------------------------------------------------------------

    In order to continue to protect privacy in a manner that promotes 
trust between individuals and health care providers and advances access 
to, and improves the quality of, health care, we have determined that 
the Privacy Rule must be modified to limit the circumstances in which 
provisions of the Privacy Rule permit the use or disclosure of an 
individual's PHI about reproductive health care for certain non-health 
care purposes, where such use or disclosure could be detrimental to 
privacy of the individual or another person or the individual's trust 
in their health care providers. This determination was informed by our 
expertise in administering the Privacy Rule, questions we have received 
from members of the public and Congress, comments we received on the 
2023 HIPAA Privacy Rule to Support Reproductive Health Care Privacy 
notice of proposed rulemaking (NPRM) (``2023 Privacy Rule NPRM''),\15\ 
and our analysis of the state of privacy for IIHI.
---------------------------------------------------------------------------

    \15\ 88 FR 23506 (Apr. 17, 2023).
---------------------------------------------------------------------------

    This final rule (``2024 Privacy Rule'') amends provisions of the 
Privacy Rule to strengthen privacy protections for highly sensitive PHI 
about the reproductive health care of an individual, and directly 
advances the purposes of HIPAA by setting minimum protections for PHI 
and providing peace of mind that is essential to individuals' ability 
to obtain lawful reproductive health care. This final rule balances the 
interests of society in obtaining PHI for non-health care purposes with 
the interests of the individual, the Federal Government, and society in 
protecting individual privacy, thereby improving the effectiveness of 
the health care system by ensuring that persons are not deterred from 
seeking, obtaining, providing, or facilitating reproductive health care 
that is lawful under the circumstances in which such health care is 
provided.
    The Department carefully analyzed state prohibitions and 
restrictions on an individual's ability to obtain high-quality health 
care and their effects on health information privacy and the 
relationships between individuals and their health care providers after 
Dobbs; assessed trends in state legislative activity with respect to 
the privacy of PHI; and conducted a thorough review of the text, 
history, and purposes of HIPAA and the Privacy Rule. The Department 
also engaged in extensive discussions with HHS agencies and other 
Federal departments, including the Department of Justice; consulted 
with the National Committee on Vital and Health Statistics (NCVHS) and 
the Attorney General as required by section 264(d) of HIPAA, and with 
Indian Tribes as required by Executive Order 13175; \16\ held listening 
sessions with and reviewed correspondence from stakeholders, including 
covered entities, states, individuals, and patient advocates; and 
reviewed correspondence to HHS from Members of Congress.\17\ The 
modifications made to the Privacy Rule by this final rule are the 
result of this work.
---------------------------------------------------------------------------

    \16\ See 65 FR 67249 (Nov. 11, 2000). See also Presidential 
Memorandum on Tribal Consultation and Strengthening Nation-to-Nation 
Relationships (Jan. 26, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/01/26/memorandum-on-tribal-consultation-and-strengthening-nation-to-nation-relationships/ and 
Dep't of Health and Human Servs., Tribal Consultation Policy, 
https://www.hhs.gov/sites/default/files/iea/tribal/tribalconsultation/hhs-consultation-policy.pdf. See also 88 FR 23506 
(Apr. 17, 2023) (notice of Tribal consultation). The Department 
consulted with representatives of Tribal Nations on May 17, 2023. 
During the consultation, the representatives raised issues of health 
inequities and privacy of health information, specifically among 
American Indians and Alaskan Natives after Dobbs.
    \17\ Letter from U.S. Senator Tammy Baldwin et al. to HHS Sec'y 
Xavier Becerra (Mar. 7, 2023) (addressing HIPAA privacy regulations 
and Dobbs v. Jackson Women's Health Organization). Letter from U.S. 
Senator Patty Murray et al. to HHS Sec'y Xavier Becerra (Sept. 13, 
2022) (addressing HIPAA privacy regulations and Dobbs v. Jackson 
Women's Health Organization). Letter from U.S. Representative Earl 
Blumenauer et al. to HHS Sec'y Xavier Becerra (Aug. 30, 2022) 
(addressing HIPAA privacy regulations and Dobbs v. Jackson Women's 
Health Organization). Letter from U.S. Senator Michael F. Bennet et 
al. to HHS Sec'y Xavier Becerra (July 1, 2022) (addressing HIPAA 
privacy regulations and Dobbs v. Jackson Women's Health 
Organization).
---------------------------------------------------------------------------

B. Effective and Compliance Dates

1. 2023 Privacy Rule NPRM
    In the 2023 Privacy Rule NPRM, the Department proposed an effective 
date for a final rule that would occur 60 days after publication, and a 
compliance date that would occur 180 days after the effective date.\18\ 
Taken together, the two dates would give entities 240 days after 
publication to implement compliance measures. In the preamble to the 
proposed rule, the Department stated that it did not believe that the 
proposed rule would pose unique implementation challenges that would 
justify an extended compliance period (i.e., a period longer than the 
standard 180 days provided in 45 CFR 160.105).\19\ The Department also 
asserted that adherence to the standard compliance period is necessary 
to timely address the circumstances described in the 2023 Privacy Rule 
NPRM.
---------------------------------------------------------------------------

    \18\ See 88 FR 23506, 23510 (Apr. 17, 2023).
    \19\ See id.
---------------------------------------------------------------------------

2. Overview of Comments
    A commenter urged the Department to move quickly to issue the final 
rule and to provide a 180-day compliance period

[[Page 32979]]

as proposed. Some commenters requested that the Department provide 
additional time for regulated entities to comply with the proposed 
modifications to the Privacy Rule. Several commenters requested that 
the Department coordinate compliance deadlines across its rulemakings, 
while a few commenters specifically encouraged the Department to 
provide additional time for compliance with the modifications to the 
Notice of Privacy Practices (NPP) requirements proposed in the 2023 
Privacy Rule NPRM.
3. Final Rule
    This final rule is effective on June 25, 2024. Covered entities and 
business associates of all sizes will have 180 days beyond the 
effective date of the final rule to comply with the final rule's 
provisions, with the exception of the NPP provisions, which we address 
separately below. We understand that some covered entities and business 
associates remain concerned that a 180-day period may not provide 
sufficient time to come into compliance with the modified requirements. 
However, we believe that providing a 180-day compliance period best 
comports with section 1175(b)(2) of the Social Security Act of 1935 
(SSA), 42 U.S.C. 1320d-4, and our implementing provision at 45 CFR 
160.104(c)(1), which require the Secretary to provide at least a 180-
day period for covered entities to comply with modifications to 
standards and implementation specifications in the HIPAA Rules, and 
also that providing a 180-day compliance period best protects the 
privacy and security of individuals' PHI in a timely manner that 
reflects the urgency of addressing the changes in the legal landscape 
and their effects on individuals, regulated entities, and other 
persons, while balancing the burden imposed upon regulated entities of 
implementing this final rule.
    Section 160.104(a) permits the Department to adopt a modification 
to a standard or implementation specification adopted under the Privacy 
Rule no more frequently than once every 12 months.\20\ As discussed 
above, we are required to provide a minimum of a 180-day compliance 
period when adopting a modification, but we are permitted to provide a 
longer compliance period based on the extent of the modification and 
the time needed to comply with the modification in determining the 
compliance date for the modification.\21\ The Department makes every 
effort to consider the burden and cost of implementation for regulated 
entities when determining an appropriate compliance date.
---------------------------------------------------------------------------

    \20\ 45 CFR 160.104(a).
    \21\ 45 CFR 160.104(c)(2).
---------------------------------------------------------------------------

    While we recognize that regulated entities will need to revise and 
implement changes to their policies and procedures in response to the 
modifications in this final rule, we do not believe that these changes 
are so significant as to require more than a 180-day compliance period. 
This final rule narrowly tailors the application of its changes to 
certain limited circumstances involving lawful reproductive health care 
and clarifies that regulated entities are not expected to know or be 
aware of laws other than those with which they are required to comply. 
While it adds a condition to certain requests for uses and disclosures, 
the affected requests already require careful review by regulated 
entities for compliance with previously imposed conditions. Thus, we do 
not believe it will be difficult for regulated entities to adjust their 
policies and procedures to accommodate this new requirement. The other 
modifications finalized in this rule are in service of implementing the 
two changes above and impose minimal burden on regulated entities. 
Additionally, the Department believes, based on its evaluation of the 
evolving privacy landscape, that the changes made by this final rule 
are of particular urgency. Accordingly, we believe that a 180-day 
compliance period, combined with a 60-day effective date, is sufficient 
for regulated entities to make the changes required by most of the 
modifications in this final rule, with the exception of the NPP 
provisions.
    We separately consider the question of the compliance date for the 
modifications to the NPP provisions. In the 2022 Confidentiality of 
Substance Use Disorder (SUD) Patient Records NPRM (``2022 Part 2 
NPRM''),\22\ the Department proposed, among other things, to revise 45 
CFR 164.520 as required by section 3221 of the Coronavirus Aid, Relief, 
and Economic Security (CARES) Act.\23\ The Department proposed to 
provide the same compliance date for both the proposed modifications to 
45 CFR 164.520 and the more extensive modifications to 42 CFR part 2 
(``Part 2'').\24\ The 2024 Confidentiality of Substance Use Disorder 
(SUD) Patient Records Final Rule (``2024 Part 2 Rule'') explicitly 
noted that the Department was not finalizing the proposed modifications 
to the NPP provisions at that time, but that we planned to do so in a 
future HIPAA final rule.\25\ The Department also acknowledged that some 
covered entities might have NPPs that would not reflect updated changes 
to policies and procedures addressing how Part 2 records are used and 
disclosed. Rather than requiring covered entities to revise their NPPs 
twice in a short period of time, the Department announced in the 2024 
Part 2 Rule that it would exercise enforcement discretion related to 
the requirement that covered entities update their NPPs whenever 
material changes are made to privacy practices until the compliance 
date established by a future HIPAA final rule.\26\ The Department is 
finalizing the modifications to the NPP required by section 3221 of the 
CARES Act in this rule and aligning the effective and compliance dates 
for all of the modified NPP requirements with those of the 2024 Part 2 
Rule.
---------------------------------------------------------------------------

    \22\ 87 FR 74216 (Dec. 2, 2022).
    \23\ Public Law 116-136, 134 Stat. 281 (Mar. 27, 2020).
    \24\ 89 FR 12472 (Feb. 16, 2024).
    \25\ Id. at 12482, 12528, and 12530.
    \26\ Id. at 12482, 12528, and 12530.
---------------------------------------------------------------------------

    The compliance date of the 2024 Part 2 Rule is February 16, 2026, 
substantially later than the compliance date for most of this final 
rule, because of the significant changes required for compliance with 
the 2024 Part 2 Rule. Accordingly, in compliance with 45 CFR 160.104 
and consistent with the NPP proposals included in the 2022 Part 2 NPRM 
and public comment, we are aligning the compliance date for the NPP 
changes required by this final rule with the compliance date for the 
2024 Part 2 Rule so that covered entities regulated under both rules 
can implement all changes to their NPPs at the same time. Covered 
entities are expected to be in compliance with the modifications to 45 
CFR 164.520 on February 16, 2026.
4. Response to Public Comments
    Comment: One commenter expressed support for the proposal in the 
2023 Privacy Rule NPRM to establish a 180-day compliance date and urged 
the Department to issue a final rule quickly. Some commenters sought an 
extension of the compliance date for twelve to eighteen months, 
explaining that extensive policy and legal work, process and software 
changes, documentation and training would be required to implement the 
2023 Privacy Rule NPRM.
    One commenter suggested phasing in the attestation requirement so 
that ``downstream'' regulated entities, such as business associates and 
managed care organizations, would have a later compliance date than 
health care providers.

[[Page 32980]]

    Response: We appreciate the commenters' suggestions, but as 
discussed above, based on our assessment, we do not believe the 
modifications required by this final rule will require longer to 
implement.
    Comment: Some commenters requested that the Department coordinate 
compliance deadlines of final rules that revise the Privacy Rule or 
publish one final rule addressing the proposals in the NPRMs to enable 
regulated entities to leverage the resources required to implement the 
changes to achieve compliance with all of the new requirements at one 
time.
    One commenter explained that each NPRM would involve operational 
changes requiring significant resources and effort and expressed their 
belief that a single comprehensive final rule would allow regulated 
entities to make all of the required changes, including revisions to 
policies and procedures, development of new or revised workflows, 
electronic health record (EHR) updates, and technology enhancements.
    Response: We appreciate the commenters' suggestion, but we do not 
believe that it is necessary to fully align the compliance dates for 
the 2024 Part 2 Rule and the 2024 Privacy Rule. By imposing separate 
compliance deadlines, we are able to act more quickly to protect the 
privacy of PHI.
    However, consistent with 45 CFR 160.104 and as requested by public 
comment, we are applying the same compliance date for covered entities 
to revise their NPPs to address modifications made to 45 CFR 164.520 in 
response to and consistent with the CARES Act and to support 
reproductive health care privacy. The compliance date for the NPP 
provisions is February 16, 2026.\27\ Part 2 programs, including those 
that are covered entities, can choose to implement the changes to their 
NPPs that are required by the 2024 Part 2 Rule prior to the compliance 
date, but there is no requirement that they do so.
---------------------------------------------------------------------------

    \27\ 89 FR 12472 (Feb. 16, 2024).
---------------------------------------------------------------------------

II. Statutory and Regulatory Background

A. Statutory Authority and History

1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    In 1996, Congress enacted HIPAA \28\ to reform the health care 
delivery system to ``improve portability and continuity of health 
insurance coverage in the group and individual markets.'' \29\ To 
enable health care delivery system reform, Congress included in HIPAA 
requirements for standards to support the electronic exchange of health 
information. According to section 261, ``[i]t is the purpose of this 
subtitle to improve [. . .] the efficiency and effectiveness of the 
health care system, by encouraging the development of a health 
information system through the establishment of standards and 
requirements for the electronic transmission of certain health 
information [. . .].'' \30\ Congress applied the Administrative 
Simplification provisions directly to three types of entities known as 
``covered entities''--health plans, health care clearinghouses, and 
health care providers who transmit information electronically in 
connection with a transaction for which HHS has adopted a standard.\31\
---------------------------------------------------------------------------

    \28\ Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996).
    \29\ See H.R. Rep. No. 104-496, at 66-67 (1996).
    \30\ 42 U.S.C. 1320d note (Statutory Notes and Related 
Subsidiaries: Purpose). Subtitle F also amended related provisions 
of the SSA.
    \31\ See section 262 of Public Law 104-191, adding section 1172 
to the SSA (codified at 42 U.S.C. 1320d-1). See also section 13404 
of the American Recovery and Reinvestment Act of 2009, Public Law 
111-5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 17934) 
(applying privacy provisions and penalties to business associates of 
covered entities).
---------------------------------------------------------------------------

    Section 262(a) of HIPAA required the Secretary to adopt uniform 
standards ``to enable health information to be exchanged 
electronically.'' \32\ Congress directed the Secretary to adopt 
standards for unique identifiers to identify individuals, employers, 
health plans, and health care providers across the nation \33\ and 
standards for, among other things, transactions and data elements 
relating to health information,\34\ the security of that 
information,\35\ and verification of electronic signatures.\36\
---------------------------------------------------------------------------

    \32\ 42 U.S.C. 1320d2(a)(1).
    \33\ 42 U.S.C. 1320d-2(b)(1).
    \34\ 42 U.S.C. 1320d-2(a), (c), and (f).
    \35\ 42 U.S.C. 1320d-2(d).
    \36\ 42 U.S.C. 1320d-2(e).
---------------------------------------------------------------------------

    Congress recognized that the standardization of certain electronic 
health care transactions required by HIPAA posed risks to the privacy 
of confidential health information and viewed individual privacy, 
confidentiality, and data security as critical for orderly 
administrative simplification.\37\ Thus, as explained in the preamble 
to the 2023 Privacy Rule NPRM,\38\ Congress provided the Department 
with the authority to regulate the privacy of IIHI. According to one 
Member of Congress, privacy standards would create an additional layer 
of protection beyond the oath pledged by health care providers to keep 
information secure and, as described by another Member, would further 
protect information from being used in a ``malicious or discriminatory 
manner.'' \39\ Congress intended for the law to enhance individuals' 
trust in health care providers, which required that the law provide 
additional protection for the confidentiality of IIHI. As described by 
a Member of Congress: ``The bill would also establish strict security 
standards for health information because Americans clearly want to make 
sure that their health care records can only be used by the medical 
professionals that treat them. Often, we assume that because doctors 
take an oath of confidentiality that in fact all who touch their 
records operate by the same standards. Clearly, they do not.'' \40\ 
Moreover, Congress considered that health care reform required an 
approach that would not compromise privacy as health information became 
more accessible.\41\
---------------------------------------------------------------------------

    \37\ On a resolution waiving points of order against the 
Conference Report to H.R. 3103, members debated an ``erosion of 
privacy'' balanced against the administrative simplification 
provisions. Thus, from HIPAA's inception, privacy has been a central 
concern to be addressed as legislative changes eased disclosures of 
PHI. See 142 Cong. Rec. H9777 and H9780; see also H.R. Rep. No. 104-
736, at 177 and 264 (1996); 142 Cong. Rec. H9780 (daily ed. Aug. 1, 
1996) (statement of Rep. Sawyer); 142 Cong. Rec. H9792 (daily ed. 
Aug. 1, 1996) (statement of Rep. McDermott); and 142 Cong. Rec. 
S9515-16 (daily ed. Aug. 2, 1996) (statement of Sen. Simon).
    \38\ 88 FR 23506, 23511 (Apr. 17, 2023).
    \39\ See statement of Rep. Sawyer, supra note 37. See also 
statement of Sen. Simon, supra note 37.
    \40\ Statement of Rep. Sawyer, supra note 37.
    \41\ See H.R. Rep. No. 104-496 Part 1, at 99-100 (Mar. 25, 
1996).
---------------------------------------------------------------------------

    Accordingly, section 264(a) directed the Secretary to submit to 
Congress detailed recommendations for Federal ``standards with respect 
to the privacy of [IIHI]'' nationwide within one year of HIPAA's 
enactment.\42\ The statute made clear that the Secretary had the 
authority to promulgate regulations if Congress did not enact 
legislation covering these matters within three years.\43\ Congress 
directed the Secretary to ensure that the regulations promulgated 
``address at least'' the following three subjects: (1) the rights that 
an individual who is a subject of IIHI should have; (2) the procedures 
that should be established for the exercise of such rights; and (3) the 
uses and disclosures of such information that should be authorized or 
required.\44\
---------------------------------------------------------------------------

    \42\ 42 U.S.C. 1320d-2 note.
    \43\ Id.
    \44\ Id.
---------------------------------------------------------------------------

    Additionally, Congress provided a clear statement that HIPAA's 
provisions would ``supersede any contrary

[[Page 32981]]

provision of State law,'' with certain limited exceptions.\45\ One 
exception to this general preemption authority is for ``state privacy 
laws that are contrary to and more stringent than the corresponding 
federal standard, requirement, or implementation specification.'' \46\ 
Thus, Congress intended for the Department to create privacy standards 
to safeguard health information while respecting the ability of states 
to provide individuals with additional health information privacy.
---------------------------------------------------------------------------

    \45\ 42 U.S.C. 1320d-7.
    \46\ 65 FR 82580 (the exception applies under section 
1178(a)(2)(B) of the SSA and section 264(c)(2) of HIPAA).
---------------------------------------------------------------------------

    Congress required the Secretary to consult with the NCVHS,\47\ 
thereby ensuring that the Secretary's decisions reflected public and 
expert involvement and advice in carrying out the requirements of 
section 264.\48\ NCVHS sent its initial recommendations to the 
Secretary in a letter to the Secretary on June 27, 1997. Importantly, 
NCVHS advised that ``strong substantive and procedural protections'' 
should be imposed if health information were to be disclosed to law 
enforcement, and, where identifiable health information would be made 
available for non-health purposes, individuals should be afforded 
assurances that their data would not be used against them.\49\ 
Additionally, NCVHS ``unanimously'' recommended that ``[. . .] the 
Secretary and the Administration assign the highest priority to the 
development of a strong position on health privacy that provides the 
highest possible level of protection for the privacy rights of 
patients.'' \50\ NCVHS further noted that failure to do so would 
``undermine public confidence in the health care system, expose 
patients to continuing invasions of privacy, subject record keepers to 
potentially significant legal liability, and interfere with the ability 
of health care providers and others to operate the health care delivery 
and payment system in an effective and efficient manner,'' which would 
undermine what Congress intended.\51\
---------------------------------------------------------------------------

    \47\ NCVHS serves as the Secretary's statutory public advisory 
body for health data, statistics, privacy, and national health 
information policy and HIPAA. NCVHS also advises the Secretary, 
``reports regularly to Congress on HIPAA implementation, and serves 
as a forum for interaction between HHS and interested private sector 
groups on a range of health data issues.'' Nat'l Comm. On Vital and 
Health Statistics, ``About NCVHS,'' https://ncvhs.hhs.gov/; see also 
``NCVHS 60th Anniversary Symposium and History,'' U.S. Dep't of 
Health and Human Servs., at 28-29 (Feb. 2011), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/60_years_of_difference.pdf.
    \48\ See section 264(a) and (d) of Public Law 104-191 (codified 
at 42 U.S.C. 1320d-2 note).
    \49\ Letter from NCVHS Chair Don E. Detmer to HHS Sec'y Donna E. 
Shalala (June 27, 1997) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/.
    \50\ Id. at Principal Findings and Recommendations.
    \51\ Id.
---------------------------------------------------------------------------

    NCVHS further recommended that ``any rules regulating disclosures 
of identifiable health information be as clear and as narrow as 
possible. Each group of users must be required to justify their need 
for health information and must accept reasonable substantive and 
procedural limitations on access.'' \52\ According to NCVHS, this would 
allow for the disclosures that society deemed necessary and appropriate 
while providing individuals with clear expectations regarding their 
health information privacy.
---------------------------------------------------------------------------

    \52\ Id. at Third-Party Disclosures.
---------------------------------------------------------------------------

    As we noted in the 2023 Privacy Rule NPRM,\53\ Congress 
contemplated that the Department's rulemaking authorities under HIPAA 
would not be static. Congress specifically built in a mechanism to 
adapt such regulations as technology and health care evolve, directing 
that the Secretary review and modify the Administrative Simplification 
standards as determined appropriate, but not more frequently than once 
every 12 months.\54\ That statutory directive complements the 
Secretary's general rulemaking authority to ``make and publish such 
rules and regulations, not inconsistent with this chapter, as may be 
necessary to the efficient administration of the functions with which 
each is charged under this chapter.'' \55\
---------------------------------------------------------------------------

    \53\ 88 FR 23506, 23513 (Apr. 17, 2023).
    \54\ See section 1174(b)(1) of Public Law 104-191 (codified at 
42 U.S.C. 1320d-3).
    \55\ Section 1102 of the SSA (codified at 42 U.S.C. 1302).
---------------------------------------------------------------------------

2. Health Information Technology for Economic and Clinical Health 
(HITECH) Act
    On February 17, 2009, Congress enacted the Health Information 
Technology for Economic and Clinical Health Act of 2009 (HITECH Act) 
\56\ to promote the widespread adoption and standardization of health 
information technology (health IT). The HITECH Act included additional 
HIPAA privacy and security requirements for covered entities and 
business associates and expanded certain rights of individuals with 
respect to their PHI.
---------------------------------------------------------------------------

    \56\ Title XIII of Division A and Title IV of Division B of the 
American Recovery and Reinvestment Act of 2009, Public Law 111-5, 
123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 201 note).
---------------------------------------------------------------------------

    Congress understood the importance of a relationship between a 
connected health IT landscape, ``a necessary and vital component of 
health care reform,'' \57\ and privacy and security standards when it 
enacted the HITECH Act. The Purpose statement of an accompanying House 
of Representatives report \58\ on the Energy and Commerce Recovery and 
Reinvestment Act \59\ recognizes that ``[i]n addition to costs, 
concerns about the security and privacy of health information have also 
been regarded as an obstacle to the adoption of [health IT].'' The 
Senate Report for S. 336 \60\ similarly acknowledges that 
``[i]nformation technology systems linked securely and with strong 
privacy protections can improve the quality and efficiency of health 
care while producing significant cost savings.'' \61\ As the Department 
explained in the 2013 regulation referred to as the ``Omnibus Rule'' 
\62\ and discussed in greater detail below, the HITECH Act's additional 
HIPAA privacy and security requirements \63\ supported Congress' goal 
of promoting widespread adoption and interoperability of health IT by 
``strengthen[ing] the privacy and security protections for health 
information established by HIPAA.'' \64\
---------------------------------------------------------------------------

    \57\ C. Stephen Redhead, Cong. Rsch. Serv., R40161, ``The Health 
Information Technology for Economic and Clinical Health (HITECH) 
Act,'' (2009), https://crsreports.congress.gov/product/pdf/R/R40161/9 (``[Health IT], which generally refers to the use of computer 
applications in medical practice, is widely viewed as a necessary 
and vital component of health care reform.'').
    \58\ H.R. Rep. No. 111-7, at 74 (2009), accompanying H.R. 629, 
111th Cong.
    \59\ H.R. 629, Energy and Commerce Recovery and Reinvestment Act 
of 2009, introduced in the House on January 22, 2009, contained 
nearly identical provisions to subtitle D of the HITECH Act.
    \60\ Congress enacted the American Recovery and Reinvestment Act 
of 2009, which included the HITECH Act, on February 17, 2009. While 
it was the House version of the bill, H.R. 1, that was enacted, the 
Senate version, S. 336, contained nearly identical provisions to 
subtitle D of the HITECH Act.
    \61\ S. Rep. No. 111-3 accompanying S. 336, 111th Cong., at 59 
(2009).
    \62\ 78 FR 5566 (Jan. 25, 2013).
    \63\ Subtitle D of title XIII of the HITECH Act (codified at 42 
U.S.C. 17921, 42 U.S.C. 17931-17941, and 42 U.S.C. 17951-17953).
    \64\ 78 FR 5566, 5568 (Jan. 25, 2013).
---------------------------------------------------------------------------

    In passing the HITECH Act, Congress instructed the Department that 
any new health IT standards adopted under section 3004 of the Public 
Health Service Act (PHSA) must take into account the privacy and 
security requirements of the HIPAA Rules.\65\ Congress also affirmed 
that the existing HIPAA Rules were to remain in effect to the extent 
that they are consistent with the HITECH Act and directed the Secretary 
to revise the HIPAA Rules as necessary for consistency with the

[[Page 32982]]

HITECH Act.\66\ Congress confirmed that the new law was not intended to 
have any effect on authorities already granted under HIPAA to the 
Department, including section 264 of that statute and the regulations 
issued under that provision.\67\ Congress thus affirmed the Secretary's 
ongoing rulemaking authority to modify the Privacy Rule's standards and 
implementation specifications as often as every 12 months when 
appropriate, including to strengthen privacy and security protections 
for IIHI.
---------------------------------------------------------------------------

    \65\ Section 3009(a)(1)(B) of the PHSA, as added by section 
13101 of the HITECH Act (codified at 42 U.S.C. 300jj-19(a)(1)).
    \66\ Section 13421(b) of the HITECH Act (codified at 42 U.S.C. 
17951).
    \67\ Section 3009(a)(1)(A) of the PHSA, as added by section 
13101 of the HITECH Act (codified at 42 U.S.C. 300jj-19(a)(1)).
---------------------------------------------------------------------------

B. Regulatory History

    The Secretary has delegated the authority to administer the HIPAA 
Rules and to make decisions regarding their implementation, 
interpretation, and enforcement to the HHS Office for Civil Rights 
(OCR).\68\ Since the enactment of the HITECH Act, the Department has 
exercised its authority to modify the Privacy Rule several times--in 
2013, 2014, and 2016.\69\
---------------------------------------------------------------------------

    \68\ See U.S. Dep't of Health and Hum. Servs., Off. of the 
Sec'y, Off. for Civil Rights; Statement of Delegation of Authority, 
65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and Hum. Servs., 
Off. of the Sec'y, Off. for Civil Rights; Delegation of Authority, 
74 FR 38630 (Aug. 4, 2009); U.S. Dep't of Health and Hum. Servs., 
Off. of the Sec'y, Statement of Organization, Functions and 
Delegations of Authority, 81 FR 95622 (Dec. 28, 2016).
    \69\ See 78 FR 5566 (Jan. 25, 2013); 79 FR 7290 (Feb. 6, 2014); 
81 FR 382 (Jan. 6, 2016).
---------------------------------------------------------------------------

1. 2000 Privacy Rule
    As directed by HIPAA, the Department provided a series of 
recommendations to Congress for a potential new law that would address 
the confidentiality of IIHI.\70\ Congress did not act within its three-
year self-imposed deadline. Accordingly, the Department published a 
proposed rule on November 3, 1999,\71\ and issued the first final rule 
establishing ``Standards for Privacy of Individually Identifiable 
Health Information'' (``2000 Privacy Rule'') on December 28, 2000.\72\
---------------------------------------------------------------------------

    \70\ See U.S. Dep't of Health and Hum. Servs., Off. of the 
Assistant Sec'y for Plan. and Evaluation, ``Recommendations of the 
Secretary of Health and Human Services, pursuant to section 264 of 
the Health Insurance Portability and Accountability Act of 1996,'' 
Section I.A. (Sept. 1997), https://aspe.hhs.gov/reports/confidentiality-individually-identifiable-health-information.
    \71\ 64 FR 59918 (Nov. 3, 1999).
    \72\ 65 FR 82462 (Dec. 28, 2000).
---------------------------------------------------------------------------

    The primary goal of the Privacy Rule was to provide greater 
protection to individuals' privacy to engender a trusting relationship 
between individuals and health care providers. As announced, the final 
rule set standards to protect the privacy of IIHI to ``begin to address 
growing public concerns that advances in electronic technology and 
evolution in the health care industry are resulting, or may result, in 
a substantial erosion of the privacy surrounding'' health 
information.\73\ On the eve of that rule's issuance, the President 
issued an Executive Order recognizing the importance of protecting 
individual privacy, explaining that ``[p]rotecting the privacy of 
patients' protected health information promotes trust in the health 
care system. It improves the quality of health care by fostering an 
environment in which patients can feel more comfortable in providing 
health care professionals with accurate and detailed information about 
their personal health.'' \74\
---------------------------------------------------------------------------

    \73\ Id.
    \74\ See Executive Order 13181 (Dec. 20, 2000), 65 FR 81321.
---------------------------------------------------------------------------

    Since its promulgation, the Privacy Rule has protected PHI by 
limiting the circumstances under which covered entities and their 
business associates (collectively, ``regulated entities'') are 
permitted or required to use or disclose PHI and by requiring covered 
entities to have safeguards in place to protect the privacy of PHI. In 
adopting these regulations, the Department acknowledged the need to 
balance several competing factors, including existing legal 
expectations, individuals' privacy expectations, and societal 
expectations.\75\ The Department noted in the preamble that the large 
number of comments from individuals and groups representing individuals 
demonstrated the deep public concern about the need to protect the 
privacy of IIHI and constituted evidence of the importance of 
protecting privacy and the potential adverse consequences to 
individuals and their health if such protections are not extended.\76\ 
Through its policy choices in the 2000 Privacy Rule, the Department 
struck a balance between competing interests--the necessity of 
protecting privacy and the public interest in using identifiable health 
information for vital public and private purposes--in a way that was 
also workable for the varied stakeholders.\77\
---------------------------------------------------------------------------

    \75\ See 65 FR 82462, 82471 (Dec. 28, 2000).
    \76\ See id. at 82472.
    \77\ See id.
---------------------------------------------------------------------------

    In the 2000 Privacy Rule, the Department established ``general 
rules'' for uses and disclosures of PHI, codified at 45 CFR 
164.502.\78\ The 2000 Privacy Rule also specified the circumstances in 
which a covered entity was required to obtain an individual's 
consent,\79\ authorization,\80\ or the opportunity for the individual 
to agree or object.\81\ Additionally, it established rules for when a 
covered entity is permitted to use or disclose PHI without an 
individual's consent, authorization, or opportunity to agree or 
object.\82\ In particular, the Privacy Rule permits certain uses and 
disclosures of PHI, without the individual's authorization, for 
identified activities that benefit the community, such as public health 
activities, judicial and administrative proceedings, law enforcement 
purposes, and research.\83\
---------------------------------------------------------------------------

    \78\ 65 FR 82462 (Dec. 28, 2000).
    \79\ 45 CFR 164.506 was originally titled ``Consent for uses or 
disclosures to carry out treatment, payment, or health care 
operations.''
    \80\ 45 CFR 164.508.
    \81\ 45 CFR 164.510.
    \82\ 45 CFR 164.512.
    \83\ See 64 FR 59918, 59955 (Nov. 3, 1999).
---------------------------------------------------------------------------

    The Privacy Rule also established the rights of individuals with 
respect to their PHI, including the right to receive adequate notice of 
a covered entity's privacy practices, the right to request restrictions 
of uses and disclosures, the right to access (i.e., to inspect and 
obtain a copy of) their PHI, the right to request an amendment of their 
PHI, and the right to receive an accounting of disclosures.\84\
---------------------------------------------------------------------------

    \84\ See 45 CFR 164.520, 164.522, 164.524, 164.526, and 164.528.
---------------------------------------------------------------------------

    In the 2000 Privacy Rule, the Secretary exercised her statutory 
authority to adopt 45 CFR 160.104(a), which reserves the Secretary's 
ability to modify any standard or implementation specification adopted 
under the Administrative Simplification provisions.\85\ The Secretary 
first invoked this modification authority to amend the Privacy Rule in 
2002 \86\ and made additional modifications in 2013,\87\ and 2016,\88\ 
as described below.
---------------------------------------------------------------------------

    \85\ See 65 FR 82462, 82800 (Dec. 28, 2000).
    \86\ See 67 FR 53182 (Aug. 14, 2002).
    \87\ 78 FR 5566 (Jan. 25, 2013).
    \88\ 81 FR 382 (Jan. 6, 2016).
---------------------------------------------------------------------------

2. 2002 Privacy Rule
    After publication of the 2000 Privacy Rule, the Department received 
many inquiries and unsolicited comments about the Privacy Rule's 
effects and operation. As a result, the Department opened the 2000 
Privacy Rule for further comment in February 2001, less than one month 
before the effective date and 25 months before the compliance date for 
most covered entities, and issued clarifying guidance on its 
implementation.\89\ NCVHS' Subcommittee on Privacy, Confidentiality and 
Security held public

[[Page 32983]]

hearings about the 2000 Privacy Rule. From those hearings, the 
Department obtained additional information about concerns related to 
key provisions and their potential unintended consequences for health 
care quality and access.\90\ On March 27, 2002, the Department proposed 
modifications to the 2000 Privacy Rule to clarify the requirements and 
correct potential problems that could threaten access to, or quality 
of, health care.\91\
---------------------------------------------------------------------------

    \89\ 66 FR 12738 (Feb. 28, 2001).
    \90\ 67 FR 53182, 53183 (Aug. 14, 2002).
    \91\ 67 FR 14775 (Mar. 27, 2002).
---------------------------------------------------------------------------

    In response to comments on the proposed rule, the Department 
finalized modifications to the Privacy Rule on August 14, 2002 (``2002 
Privacy Rule'').\92\ This final rule clarified HIPAA's requirements 
while maintaining strong protections for the privacy of IIHI.\93\ These 
modifications addressed certain workability issues, including but not 
limited to clarifying distinctions between health care operations and 
marketing; modifying the minimum necessary standard to exclude 
disclosures authorized by individuals and clarify its operation; 
eliminating the consent requirement for uses and disclosures of PHI for 
treatment, payment, or health care operations (TPO), and to otherwise 
clarify the role of consent in the Privacy Rule; and making other 
modifications and conforming amendments consistent with the proposed 
rule. The Department also included modifications to the provisions 
permitting the use or disclosure of PHI for public health activities 
and for research activities without consent, authorization, or an 
opportunity to agree or object.
---------------------------------------------------------------------------

    \92\ 67 FR 53182 (Aug. 14, 2002). See the final rule for changes 
in the entirety. The 2002 Privacy Rule was issued before the 
compliance date for the 2000 Privacy Rule. Thus, covered entities 
never implemented the 2000 Privacy Rule. Instead, they implemented 
the 2000 Privacy Rule as modified by the 2002 Privacy Rule.
    \93\ See 67 FR 53182 (Aug. 14, 2002).
---------------------------------------------------------------------------

3. 2013 Omnibus Rule
    Following the enactment of the HITECH Act, the Department issued an 
NPRM, entitled ``Modifications to the HIPAA Privacy, Security, and 
Enforcement Rules Under the Health Information Technology for Economic 
and Clinical Health [HITECH] Act'' (``2010 NPRM''),\94\ which proposed 
to implement certain HITECH Act requirements. In 2013, the Department 
issued the final rule, Modifications to the HIPAA Privacy, Security, 
Enforcement, and Breach Notification Rules Under the Health Information 
Technology for Economic and Clinical Health [HITECH] Act and the 
Genetic Information Nondiscrimination Act, and Other Modifications to 
the HIPAA Rules (``2013 Omnibus Rule''),\95\ which implemented many of 
the new HITECH Act requirements, including strengthening individuals' 
privacy rights related to their PHI.
---------------------------------------------------------------------------

    \94\ 75 FR 40868 (July 14, 2010).
    \95\ 78 FR 5566 (Jan. 25, 2013). In addition to finalizing 
requirements of the HITECH Act that were proposed in the 2010 NPRM, 
the Department adopted modifications to the Enforcement Rule not 
previously adopted in an earlier interim final rule, 74 FR 56123 
(Oct. 30, 2009), and to the Breach Notification Rule not previously 
adopted in an interim final rule, 74 FR 42739 (Aug. 24, 2009). The 
Department also finalized previously proposed Privacy Rule 
modifications as required by GINA, 74 FR 51698 (Oct. 7, 2009).
---------------------------------------------------------------------------

    The Department also finalized regulatory provisions that were not 
required by the HITECH Act, but were necessary to address the 
workability and effectiveness of the Privacy Rule and to increase 
flexibility for and decrease burden on regulated entities.\96\ In the 
2010 NPRM, the Department noted that it had not amended the Privacy 
Rule since 2002.\97\ It further explained that information gleaned from 
contact with the public since that time, enforcement experience, and 
technical corrections needed to eliminate ambiguity provided the 
impetus for the Department's actions to make certain regulatory 
changes.\98\
---------------------------------------------------------------------------

    \96\ See 78 FR 5566 (Jan. 25, 2013) (explaining that the 
Department was using its general authority under HIPAA to make a 
number of changes to the Privacy Rule that were intended to increase 
workability and flexibility, decrease burden, and better harmonize 
the requirements with those under other Departmental regulations). 
The Department's general authority to modify the Privacy Rule is 
codified in HIPAA section 264(c), and OCR conducts rulemaking under 
HIPAA based on authority granted by the Secretary.
    \97\ See 75 FR 40868, 40871 (July 14, 2010).
    \98\ 75 FR 40868, 40871 (July 14, 2010).
---------------------------------------------------------------------------

    For example, the Department modified its prior interpretation of 
the Privacy Rule requirement at 45 CFR 164.508(c)(1)(iv) that a 
description of a research purpose must be study specific.\99\ The 
Department explained that, under its new interpretation, the research 
purposes need only be described adequately such that it would be 
reasonable for an individual to expect that their PHI could be used or 
disclosed for such future research.\100\ In the 2013 Omnibus Rule, the 
Department explained that this change was based on the concerns 
expressed by covered entities, researchers, and other commenters on the 
2010 NPRM that the former requirement did not represent current 
research practices. The Department provided a similar explanation for 
its modifications to the Privacy Rule that permit certain disclosures 
of student immunization records to schools without an 
authorization.\101\ Additionally, based on a recommendation made at an 
NCVHS meeting, the Department requested comment on and finalized 
proposed revisions to the definition of PHI to exclude information 
regarding an individual who has been deceased for more than 50 
years.\102\ For the latter, the Department noted that it was balancing 
the privacy interests of decedents' living relatives and other affected 
individuals against the legitimate needs of public archivists to obtain 
records.\103\
---------------------------------------------------------------------------

    \99\ See 78 FR 5566, 5611 (Jan. 25, 2013).
    \100\ See id. at 5612.
    \101\ Id. at 5616-17. See also 45 CFR 164.512(b)(1).
    \102\ 78 FR 5566, 5614 (Jan. 25, 2013). See also 45 CFR 
164.502(f) and the definition of ``Protected health information'' at 
45 CFR 160.103, excluding IIHI regarding a person who has been 
deceased for more than 50 years.
    \103\ In addition to the rulemakings discussed here, the 
Department has modified the Privacy Rule for workability purposes 
and in response to changes in circumstances on two other occasions, 
and it issued another notice of proposed rulemaking in 2021 for the 
same reasons. See 79 FR 7289 (Feb. 6, 2014), 81 FR 382 (Jan. 6, 
2016), and 86 FR 6446 (Jan. 21, 2021).
---------------------------------------------------------------------------

    None of the changes described in the paragraph above were required 
by the HITECH Act. Rather, the Department determined that it was 
necessary to promulgate these changes pursuant to its existing general 
rulemaking authority under HIPAA. NCVHS and the public also recommended 
other changes between the publication of the 2002 Privacy Rule and the 
2013 Omnibus Rule, including the creation of specific categories of 
PHI, such as ``Sexuality and Reproductive Health Information'' that 
would allow for special protections of such PHI.\104\ The Department 
declined to propose specific protections for certain categories of PHI 
at that time because of concerns about the ability of regulated 
entities to segment PHI and the effects on care coordination. Many of 
those concerns are still present and so, the Department did not propose 
and determined not to establish a specific category of particularly 
sensitive PHI in this rulemaking. Instead, as discussed more fully 
below, the Department is finalizing a purpose-based prohibition against 
certain uses and disclosures.
---------------------------------------------------------------------------

    \104\ See Letter from NCVHS Chair Simon P. Cohn to HHS Sec'y 
Michael O. Leavitt (June 22, 2006), https://ncvhs.hhs.gov/rrp/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/; 
Letter from NCVHS Chair Simon P. Cohn to HHS Sec'y Michael O. 
Leavitt (Feb. 20, 2008) (listing categories of health information 
that are commonly considered to contain sensitive information), 
https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf; 
Letter from NCVHS Chair Justine M. Carr to HHS Sec'y Kathleen 
Sebelius (Nov. 10, 2010) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/101110lt.pdf.

---------------------------------------------------------------------------

[[Page 32984]]

4. 2024 Privacy Rule
    On April 17, 2023, the Department issued an NPRM \105\ to modify 
the Privacy Rule for the purpose of prohibiting uses and disclosures of 
PHI for criminal, civil, or administrative investigations or 
proceedings against persons for seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which it is provided. To properly execute the HIPAA 
statutory mandate, and in accordance with the regulatory authority 
granted to it by Congress, the Department continually monitors and 
evaluates the evolving environment for health information privacy 
nationally, including the interaction of the Privacy Rule and state 
statutes and regulations governing the privacy of health information. 
In keeping with the Department's practice, this final rule accommodates 
state autonomy to the extent consistent with the need to maintain rules 
for health information privacy that serve HIPAA's objectives. The 
regulation thus preempts state law only to the extent necessary to 
achieve Congress' directive to establish a standard for the privacy of 
IIHI for the purpose of improving the effectiveness of the health care 
system. As discussed below, achieving that objective requires 
individuals to trust that their health care providers will maintain 
privacy of PHI about lawful reproductive health care. In addition, 
NCVHS held a virtual public meeting that included a discussion about 
the proposed rule on June 14, 2023,\106\ and provided recommendations 
to the Department based on this discussion, briefings at their July 
2022 \107\ and December 2022 \108\ meetings, and the expertise of its 
members.\109\ The resultant public record and subsequent 
recommendations submitted to the Department by NCVHS, along with other 
public comments on the 2023 Privacy Rule NPRM, informed the development 
of these modifications.
---------------------------------------------------------------------------

    \105\ 88 FR 23506.
    \106\ See Meeting of NCVHS (June 14, 2023), https://ncvhs.hhs.gov/meetings/full-committee-meeting-13/.
    \107\ See Meeting of NCVHS, Briefing on Legislative Developments 
in Data Privacy (July 21, 2022), https://ncvhs.hhs.gov/meetings/full-committee-meeting-11/.
    \108\ See Meeting of NCVHS, Briefing by Cason Schmit (Dec. 7, 
2022), https://ncvhs.hhs.gov/meetings/full-committee-meeting-12/.
    \109\ Letter from NCVHS Chair Jacki Monson to HHS Sec'y Xavier 
Becerra (June 14, 2023) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/wp-content/uploads/2023/06/NCVHS-Comments-on-HIPAA-Reproduction-Health-NPRM-Final-508.pdf.
---------------------------------------------------------------------------

III. Justification for This Rulemaking

A. HIPAA Encourages Trust and Confidence by Carefully Balancing 
Individuals' Privacy Interests With Others' Interests in Using or 
Disclosing PHI

1. Privacy Protections Ensure That Individuals Have Access to, and Are 
Comfortable Accessing, High-Quality Health Care
    The goal of a functioning health care system is to provide high-
quality health care that results in the best possible outcomes for 
individuals. To achieve that goal, a functioning health care system 
depends in part on individuals trusting health care providers. Thus, 
trust between individuals and health care providers is essential to an 
individual's health and well-being.\110\ Protecting the privacy of an 
individual's health information is ``a crucial element for honest 
health discussions.'' \111\ The original Hippocratic Oath required 
physicians to pledge to maintain the confidentiality of health 
information they learn about individuals.\112\ Without confidence that 
private information will remain private, individuals--to their own 
detriment--are reluctant to share information with health care 
providers.
---------------------------------------------------------------------------

    \110\ See Jennifer Richmond et al., ``Development and Validation 
of the Trust in My Doctor, Trust in Doctors in General, and Trust in 
the Health Care Team Scales,'' 298 Social Science & Medicine 114827 
(2022), https://www.sciencedirect.com/science/article/abs/pii/S0277953622001332?via%3Dihub; see also Fallon E. Chipidza et al., 
``Impact of the Doctor-Patient Relationship,'' The Primary Care 
Companion for CNS Disorders (Oct. 2015), https://www.psychiatrist.com/pcc/delivery/patient-physician-communication/impact-doctor-patient-relationship/. See Testimony (transcribed) of 
William G. Plested, III, M.D., Member, Board of Trustees, American 
Medical Association, Hearing on Confidentiality of Patient Medical 
Records before House of Representatives Committee on Ways and Means, 
Subcommittee on Health (Feb. 17, 2000), https://www.govinfo.gov/content/pkg/CHRG-106hhrg66897/html/CHRG-106hhrg66897.htm. (``Trust 
is the foundation of the patient/physician relationship.'')
    \111\ See Am. Med. Ass'n, ``Patient Perspectives Around Data 
Privacy,'' (2022), https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf.
    \112\ See John C. Moskop et al., ``From Hippocrates to HIPAA: 
Privacy and Confidentiality in Emergency Medicine--Part I: 
Conceptual, Moral, and Legal Foundations,'' 45 Ann Emerg. Med.1 
(Jan. 2005) (quoting the Oath of Hippocrates, ``What I may see or 
hear in the course of the treatment or even outside of the treatment 
in regard to the life of men, which on no account one must spread 
abroad, I will keep to myself [. . .].''), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7132445/#bib1.
---------------------------------------------------------------------------

    When proposing the 2000 Privacy Rule, the Department recognized 
that individuals may be deterred from seeking needed health care if 
they do not trust that their sensitive information will be kept 
private.\113\ The Department described its policy choices as stemming 
from a motivation to develop and maintain a relationship of trust 
between individuals and health care providers. The Department explained 
that a fundamental assumption of the 2000 Privacy Rule was that the 
greatest benefits of improved privacy protection would be realized in 
the future as individuals gain increasing trust in their health care 
provider's ability to maintain the confidentiality of their health 
information.\114\ As a result, the Privacy Rule strengthened 
protections for health information privacy, including the right of 
individuals to determine who has access to their health information.
---------------------------------------------------------------------------

    \113\ See 64 FR 59918, 60006 (Nov. 3, 1999) (In the 1999 Privacy 
Rule NPRM, the Department discussed confidentiality as an important 
component of trust between individuals and health care providers and 
cited a 1994 consumer privacy survey that indicated that a lack of 
privacy may deter patients from obtaining preventive care and 
treatment.). See id. at 60019.
    \114\ See 64 FR 59918, 60006 (Nov. 3, 1999).
---------------------------------------------------------------------------

    Despite the Privacy Rule's rights and protections, individuals do 
not have confidence that their IIHI is being protected adequately. In a 
2022 survey on patient privacy, the American Medical Association (AMA) 
found that, of 1,000 patients surveyed: (1) nearly 75% were concerned 
about protecting the privacy of their own health information; and (2) 
59% of patients worried about health data being used by companies to 
discriminate against them or their loved ones.\115\ According to the 
AMA, a lack of health information privacy raises many questions about 
circumstances that could put individuals and health care providers in 
legal peril, and that the ``primary purpose of increasing [health 
information] privacy is to build public trust, not inhibit data 
exchange.'' \116\
---------------------------------------------------------------------------

    \115\ See ``Patient Perspectives Around Data Privacy,'' supra 
note 111.
    \116\ Id. at 2.
---------------------------------------------------------------------------

    The Federal Government also has a strong interest in ensuring that 
individuals have access to high-quality health care.\117\ This is true 
at both an

[[Page 32985]]

individual and population level. In the 2000 Privacy Rule, the 
Department noted that high-quality health care depends on an individual 
being able to share sensitive information with their health care 
provider based on the trust that the information shared will be 
protected and kept confidential.\118\ An effective health care system 
requires an individual to share sensitive health information with their 
health care providers. They do so with the reasonable expectation that 
this information is going to be used to treat them. The prospect of the 
disclosure of highly sensitive PHI by regulated entities can result in 
medical mistrust and the deterioration of the confidential, safe 
environment that is necessary to provide high-quality health care, 
operate a functional health care system, and improve the public's 
health generally.\119\ High-quality health care cannot be attained 
without patient candor. Health care providers rely on an individual's 
health information to diagnose them and provide them with appropriate 
treatment options and may not be able to reach an accurate diagnosis or 
recommend the best course of action for the individual if the 
individual's medical records lack complete information about their 
health history. However, an individual may be unwilling to seek 
treatment or share highly sensitive PHI when they are concerned about 
the confidentiality and security of PHI provided to treating health 
care providers.\120\ The Department has long recognized that health 
care professionals who lose the trust of their patients cannot deliver 
high-quality care.\121\ Similarly, if a health care provider does not 
trust that the PHI they include in an individual's medical records will 
be kept private, the health care provider may leave gaps or include 
inaccuracies when preparing medical records, creating a risk that 
ongoing or future health care would be compromised. In contrast, 
heightened confidentiality and privacy protections enable a health care 
provider to feel confident maintaining full and complete medical 
records.
---------------------------------------------------------------------------

    \117\ See Testimony (transcribed) of Peter R. Orszag, Director, 
Congressional Budget Office, Hearing on Comparative Clinical 
Effectiveness before House of Representatives Committee on Ways and 
Means, Subcommittee on Health, 2007 WL 1686358 (June 12, 2007) 
(``because federal health insurance programs play a large role in 
financing medical care and represent a significant expenditure, the 
federal government itself has an interest in evaluations of the 
effectiveness of different health care approaches''); Statement of 
Sen. Durenberger introducing S.1836, American Health Quality Act of 
1991 and reading bill text, 137 Cong. Rec. S26720 (Oct. 17, 1991) 
(``[T]he Federal Government has a demonstrated interest in assessing 
the quality of care, access to care, and the costs of care through 
the evaluative activities of several Federal agencies.'').
    \118\ See 65 FR 82462, 82463 (Dec. 28, 2000).
    \119\ See, e.g., Brooke Rockwern et al., Medical Informatics 
Committee and Ethics, Professionalism and Human Rights Committee of 
the American College of Physicians, ``Health Information Privacy, 
Protection, and Use in the Expanding Digital Health Ecosystem: A 
Position Paper of the American College of Physicians,'' 174 Ann 
Intern Med. 994 (Jul. 2021) (discussing the need for trust in the 
health care system as necessary to mitigate a global pandemic); 
Johanna Birkh[auml]uer et. al, ``Trust in the Health Care 
Professional and Health Outcome: A Meta-Analysis,'' 12 PLoS One 
e0170988 (Feb. 7, 2017). See also Eric Boodman, ``In a doctor's 
suspicion after a miscarriage, a glimpse of expanding medical 
mistrust,'' STAT News (June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/ (Sarah Prager, professor of obstetrics and 
gynecology at the University of Washington, stating that it is a bad 
precedent if clinical spaces become unsafe for patients because, 
``[a health care provider's] ability to take care of patients relies 
on trust, and that will be impossible moving forward.'').
    \120\ See ``Development and Validation of the Trust in My 
Doctor, Trust in Doctors in General, and Trust in the Health Care 
Team Scales,'' supra note 110; Bradley E. Iott et al., ``Trust and 
Privacy: How Patient Trust in Providers is Related to Privacy 
Behaviors and Attitudes,'' 2019 AMIA Annu Symp Proc 487 (Mar. 2020), 
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/; Pamela Sankar 
et al., ``Patient Perspectives of Medical Confidentiality: a Review 
of the Literature,'' 18 J. of Gen. Internal Med. 659 (Aug. 2003), 
https://pubmed.ncbi.nlm.nih.gov/12911650/.
    \121\ See 65 FR 82462, 82468 (Dec. 28, 2000).
---------------------------------------------------------------------------

    Incomplete medical records and health care avoidance not only 
inhibit the quality of health care an individual receives; they are 
also detrimental to efforts to improve public health. The objective of 
public health is to prevent disease in and improve the health of 
populations. Barriers that undermine the willingness of individuals to 
seek health care in a timely manner or to provide complete and accurate 
health information to their health care providers undermine the overall 
objective of public health. For example, individuals who are not candid 
with their health care providers because of concerns about potential 
negative consequences of a loss of privacy may withhold information 
about a variety of health matters that have public health implications, 
such as communicable diseases or vaccinations.\122\ Experience also 
shows that medical mistrust--especially in communities of color and 
other communities that have been marginalized or negatively affected by 
historical and current health care disparities--can create damaging and 
chilling effects on individuals' willingness to seek appropriate and 
lawful health care for medical conditions that can worsen without 
treatment.\123\
---------------------------------------------------------------------------

    \122\ See Letter from NCVHS Chair Simon P. Cohn, supra note 104, 
at 2 (2006) (with forwarded NCVHS recommendations, ``Individual 
trust in the privacy and confidentiality of their personal health 
information also promotes public health, because individuals with 
potentially contagious or communicable diseases are not inhibited 
from seeking treatment.'').
    \123\ See Texas Dep't of State Health Servs., ``Texas Maternal 
Mortality and Morbidity Review Committee and Department of State 
Health Services Joint Biennial Report 2022,'' at 41 (Dec. 2022) 
https://www.dshs.texas.gov/sites/default/files/legislative/2022-Reports/2022-MMMRC-DSHS-Joint-Biennial-Report.pdf; Lynn M. Paltrow 
et al., ``Arrests of and forced interventions on pregnant women in 
the United States, 1973-2005: implications for women's legal status 
and public health,'' 38 J. Health Pol. Pol'y Law 299 (2013) (finding 
that hospital staff are most likely to report pregnant low-income 
and patients of color, especially Black women, to the authorities.); 
Terri-ann Monique Thompson et al., ``Racism Runs Through It: 
Examining the Sexual and Reproductive Health Experience of Black 
Women in the South,'' 41 Health Affairs 195 (Feb. 2022) (discussing 
how individual racism affects reproductive health care use by 
undermining the patient-doctor relationship), https://www.healthaffairs.org/doi/10.1377/hlthaff.2021.01422); Joli Hunt, 
``Maternal Mortality among Black Women in the United States,'' 
Ballard Brief (July 2021), https://ballardbrief.byu.edu/issue-briefs/maternal-mortality-among-black-women-in-the-united-states/ 
(discussing the disproportionately high rate of Black maternal 
mortality and morbidity); Austin Frakt, ``Bad Medicine: The Harm 
that Comes from Racism,'' The New York Times (July 8, 2020), https://www.nytimes.com/2020/01/13/upshot/bad-medicine-the-harm-that-comes-from-racism.html.
---------------------------------------------------------------------------

2. The Department's Approach to the Privacy Rule Has Long Sought To 
Balance the Interests of Individuals and Society
    While recognizing the importance of preserving individuals' trust, 
the Department has consistently taken the approach of balancing the 
interests of the individual in the privacy of their PHI with society's 
interests, including in the free flow of information that enables the 
provision of effective and efficient health care services. Such an 
approach derives from Congress's direction, in 1996, to improve the 
efficiency and effectiveness of the health care system by encouraging 
the development of a health information system while taking into 
account the privacy of IIHI and the uses and disclosures of such 
information that should be authorized or required.\124\ In past 
rulemakings, the Department has made revisions to the Privacy Rule to 
balance an individual's privacy expectations with a covered entity's 
need for information for reimbursement and quality purposes.\125\ As 
the Department previously explained, ``Patient privacy must be balanced 
against other public goods, such as research and the risk of 
compromising such research projects if researchers could not continue 
to use such data.'' \126\ The 2000 Privacy Rule included permissions 
for regulated entities to disclose PHI under certain conditions, 
including for judicial and administrative proceedings and law 
enforcement purposes, because an individual's right to privacy in 
information about themselves is not absolute. For example, it does not 
prevent reporting of public health information on communicable 
diseases, nor does it prevent law enforcement

[[Page 32986]]

from obtaining information when due process has been observed.\127\
---------------------------------------------------------------------------

    \124\ 42 U.S.C. 1320d note and 1320d-2 note.
    \125\ See 67 FR 53182, 53216 (Aug. 14, 2002).
    \126\ Id. at 53226.
    \127\ 65 FR 82462, 82464 (Dec. 28, 2000).
---------------------------------------------------------------------------

    In more recent rulemakings revising the Privacy Rule, the 
Department has continued its efforts to build and maintain individuals' 
trust in the health care system while balancing the interests of 
individuals with those of others. For example, in explaining revisions 
made as part of the 2013 Omnibus Rule, the Department recognized that 
covered entities must balance protecting the privacy of health 
information with sharing health information with those responsible for 
ensuring public health and safety.\128\ The Privacy Rule was also 
revised in 2016 (``2016 Privacy Rule'') in accordance with an 
administration-wide effort to curb gun violence across the nation.\129\ 
The 2016 Privacy Rule was tailored to authorize the disclosure of a 
limited set of PHI \130\ for a narrow, specific purpose, that is, to 
permit only regulated entities that are state agencies or other 
entities designated by a state to collect and report information to the 
National Instant Criminal Background Check System (NICS) or a lawful 
authority making an adjudication or commitment as described by 18 
U.S.C. 922(g)(4) to disclose to NICS the identities of individuals who 
are subject to a Federal ``mental health prohibitor,'' that 
disqualifies them from shipping, transporting, possessing, or receiving 
a firearm. As explained in the 2016 Privacy Rule, the Federal mental 
health prohibitor applies only to the extent that the individual is 
involuntarily committed or determined by a court or other lawful 
authority to be a danger to self or others, or is unable to manage 
their own affairs because of a mental illness or condition.\131\ 
Similar to this final rule, the 2016 Privacy Rule balanced public 
safety goals with individuals' privacy interests by clearly limiting 
permissible disclosures to those that are necessary to ensure that 
individuals are not discouraged from seeking lawful health care, in 
this case, voluntary treatment for mental health needs.\132\ In the 
2013 Omnibus Rule and 2016 Privacy Rule, the Department ensured that 
the disclosures were necessary for the public good and were not for the 
purpose of harming the individual. This approach is consistent with the 
NCVHS recommendations to the Secretary relating to health information 
privacy: ``The Committee strongly supports limiting use and disclosure 
of identifiable information to the minimum amount necessary to 
accomplish the purpose. The Committee also strongly believes that when 
identifiable health information is made available for non-health uses, 
patients deserve a strong assurance that the data will not be used to 
harm them.'' \133\
---------------------------------------------------------------------------

    \128\ See 78 FR 5566, 5616 (Jan. 25, 2013).
    \129\ 81 FR 382 (Jan. 6, 2016); see, e.g., 78 FR 4297 (Jan. 22, 
2013) and 78 FR 4295 (Jan. 22, 2013); see also Colleen Curtis, 
``President Obama Announces New Measures to Prevent Gun Violence,'' 
The White House President Barack Obama (Jan. 16, 2013), https://obamawhitehouse.archives.gov/blog/2013/01/16/president-obama-announces-new-measures-prevent-gun-violence.
    \130\ This PHI includes limited demographic and certain other 
information needed for the purposes of reporting to NICS. 45 CFR 
164.512(k)(7)(iii)(A). In preamble, the Department explained that 
generally the information described at 45 CFR 164.512(k)(7)(iii)(A) 
would be limited to the data elements required to create a NICS 
record and certain other elements to the extent that they are 
necessary to exclude false matches: Social Security number, State of 
residence, height, weight, place of birth, eye color, hair color, 
and race. 81 FR 382, 390 (Jan. 6, 2016).
    \131\ 81 FR 382, 386-388 (Jan. 6, 2016).
    \132\ Id. The Department addressed concerns about the possible 
chilling effect on individuals seeking health care by explaining 
that (1) the permission is limited to only those covered entities 
that order the involuntary commitments or make the other 
adjudications that cause individuals to be subject to the Federal 
mental health prohibitor, or that serve as repositories of such 
information for NICS reporting purposes; (2) the specified regulated 
entities are permitted to disclose NICS data only to designated 
repositories or the NICS; (3) the information that may be disclosed 
is limited to certain demographic or other information that is 
necessary for NICS reporting; and (4) the rulemaking did not expand 
the permission to encompass State law prohibitor information.
    \133\ Letter from NCVHS Chair Don E. Detmer to HHS Sec'y Donna 
E. Shalala (June 27, 1997) (forwarding NCVHS recommendations), 
https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/.
---------------------------------------------------------------------------

    Consistent with Congress's directive to promulgate ``standards with 
respect to the privacy of [IIHI]'' that, among other things, address 
the ``uses and disclosures of such information that should be 
authorized or required,'' \134\ the Department recognizes a variety of 
interests with respect to health information. These include 
individuals' interests in the privacy of their health information, 
society's interests in ensuring the effectiveness of the health care 
system, and other interests of society in using IIHI for certain non-
health care purposes. As part of balancing these interests, the 
Department has also recognized that it may be necessary to afford 
additional protection to certain types of health information because 
those types of information are particularly sensitive and often involve 
highly personal health care decisions. For example, the Department 
affords special privacy protections to psychotherapy notes. These 
protections are afforded in part because of the particularly sensitive 
information those notes contain and in part because of the unique 
function of these records, which are by definition maintained 
separately from an individual's medical record.\135\ As we previously 
explained, the primary value of psychotherapy notes is to the specific 
provider, and the promise of strict confidentiality helps to ensure 
that the patient will feel comfortable freely and completely disclosing 
very personal information essential to successful treatment.\136\ The 
Department elaborated that even the possibility of disclosure may 
impede development of the confidential relationship necessary for 
successful treatment because of the sensitive nature of the problems 
for which individuals consult psychotherapists and the potential 
embarrassment that may be engendered by the disclosure of confidential 
communications made during counseling sessions.\137\ Therefore, to 
support the development and maintenance of an individual's trust and 
protect the relationship between an individual and their therapist, the 
Privacy Rule permits the disclosure of psychotherapy notes without an 
individual's authorization only in limited circumstances, such as to 
avert a serious and imminent threat to health or safety. Those limited 
circumstances do not include judicial and administrative proceedings or 
law enforcement purposes unless the disclosure is ``necessary to 
prevent or lessen a serious and imminent threat to the health or safety 
of a person or the public.'' \138\
---------------------------------------------------------------------------

    \134\ 42 U.S.C. 1320d-2 note.
    \135\ See 45 CFR 164.501 (definition of ``Psychotherapy 
notes'').
    \136\ See 64 FR 59918, 59941 (Nov. 3, 1999).
    \137\ See id.
    \138\ 45 CFR 164.508(a)(2).
---------------------------------------------------------------------------

    Information about an individual's reproductive health and 
associated health care is also especially sensitive and has long been 
recognized as such. As stated in the AMA's Principles of Medical 
Ethics, the ``decision to terminate a pregnancy should be made 
privately within the relationship of trust between patient and 
physician in keeping with the patient's unique values and needs and the 
physician's best professional judgment.'' \139\ NCVHS first noted 
reproductive health information as an example of a category of health 
information commonly considered to contain sensitive information in

[[Page 32987]]

2006.\140\ Between 2005 and 2010, NCVHS held nine hearings that 
addressed questions about sensitive information in medical records and 
identified additional categories of sensitive information beyond those 
addressed in Federal and state law, including ``sexuality and 
reproductive health information.'' In several letters to the Secretary 
during that period, NCVHS recommended that the Department identify and 
define categories of sensitive information, including ``reproductive 
health.'' \141\ In a 2010 letter to the Secretary, NCVHS elaborated 
that, after extensive testimony on sensitive categories of health 
information, ``reproductive health'' should be expanded to ``sexuality 
and reproductive health information,'' because:
---------------------------------------------------------------------------

    \139\ Council on Ethical and Judicial Affairs, ``Ethics, 
Amendment to Opinion 4.2.7, Abortion H-140.823,'' Am. Med. Ass'n 
(2022), https://policysearch.ama-assn.org/policyfinder/detail/%224.2.7%20Abortion%22?uri=%2FAMADoc%2FHOD.xml-H-140.823.xml.
    \140\ See Letter from NCVHS Chair Simon P. Cohn (2006), supra 
note 104.
    \141\ See Letter from NCVHS Chair Simon P. Cohn (2006), supra 
note 104; Letter from NCVHS Chair Simon P. Cohn (2008), supra note 
104; Letter from NCVHS Chair Justine M. Carr (2010), supra note 104.

    Information about sexuality and reproductive history is often 
very sensitive. Some reproductive issues may expose people to 
political controversy (such as protests from abortion proponents), 
and public knowledge of an individual's reproductive history may 
place [them] at risk of stigmatization.'' Additionally, individuals 
may wish to have their reproductive history segmented so that it is 
not viewed by family members who otherwise have access to their 
records. Parents may wish to delay telling their offspring about 
adoption, gamete donation, or the use of other forms of assisted 
reproduction technology in their conception, and, thus, it may be 
important to have the capacity to segment these records.\142\
---------------------------------------------------------------------------

    \142\ See Letter from NCVHS Chair Justine M. Carr (2010), supra 
note 104.

    The Department did not provide specific protections for certain 
categories of PHI upon receipt of the recommendation or as part of the 
2013 Omnibus Rule because of concerns about the ability of regulated 
entities to segment PHI and the effects on care coordination. While we 
recognized the sensitive nature of reproductive health information 
before this rulemaking, the Department believed that the Supreme 
Court's recognition of a constitutional right to abortion coupled with 
the privacy protections afforded by the HIPAA Rules provided the 
necessary trust to promote access to and quality of health care. As a 
result of the changed legal landscape for reproductive health care 
broadly, including abortion, the range of circumstances in which PHI 
about legal reproductive health care could be sought and used in 
investigations or to impose liability expanded significantly. Now that 
states have much broader power to criminalize and regulate reproductive 
choices--and that some states have already exercised that power in a 
variety of ways \143\--individuals legitimately have a far greater fear 
that especially sensitive information about lawful health care will not 
be kept private. This changed environment requires additional privacy 
protections to help restore the Privacy Rule's carefully-struck balance 
between individual and societal interests. Because the concerns 
regarding segmentation and the negative impact on care coordination 
remain, the Department did not propose and is not establishing a new 
category of particularly sensitive PHI in this final rule. Instead, as 
discussed more fully below, the Department is finalizing its proposed 
purpose-based prohibition against certain uses and disclosures.
---------------------------------------------------------------------------

    \143\ See LePage v. Center for Reproductive Medicine, SC-2022-
0515 (Feb. 16, 2024).
---------------------------------------------------------------------------

B. Developments in the Legal Environment Are Eroding Individuals' Trust 
in the Health Care System

    The Supreme Court's decision in Dobbs overturned Roe v. Wade \144\ 
and Planned Parenthood of Southeastern Pennsylvania v. Casey,\145\ 
thereby enabling states to significantly restrict access to 
abortion.\146\ Following the Supreme Court's decision, the legal 
landscape has shifted as laws significantly restricting access to 
abortion have in fact become effective in some jurisdictions. This 
change has also led to questions about both the current and future 
lawfulness of other types of reproductive health care, and therefore, 
the ability of individuals to access such health care.\147\ Thus, this 
shift may interfere with the longstanding expectations of individuals, 
established by HIPAA and the Privacy Rule, with respect to the privacy 
of their PHI.\148\ For example, while the Privacy Rule currently 
permits, but does not require, uses and disclosures of PHI for certain 
purposes,\149\ including when another law requires a regulated entity 
to make the use or disclosure,\150\ regulated entities after Dobbs may 
feel compelled by other applicable law to use or disclose PHI to law 
enforcement or other persons who may use that health information 
against an individual, a regulated entity, or another person who has 
sought, obtained, provided, or facilitated reproductive health care, 
even when such health care is lawful in the circumstances in which the 
health care is obtained.\151\
---------------------------------------------------------------------------

    \144\ 410 U.S. 113 (1973).
    \145\ 505 U.S. 833 (1992).
    \146\ Dobbs, 597 U.S. 299-302.
    \147\ See, e.g., Carmel Shachar et al., ``Informational Privacy 
After Dobbs,'' 75 Ala. L. Rev. 1 (2023), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4570500 and Andrzej Kulczycki, ``Dobbs: 
Navigating the New Quagmire and Its Impacts on Abortion and 
Reproductive Health Care,'' Health Education & Behavior (2022), 
https://doi.org/10.1177/10901981221125430.
    \148\ See, e.g., Kayte Spector-Bagdady & Michelle M. Mello, 
``Protecting the Privacy of Reproductive Health Information After 
the Fall of Roe v. Wade,'' 3 JAMA Network e222656 (June 30, 2022), 
https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032; Lisa G. Gill, ``What does the overturn of Roe v. Wade mean 
for you?,'' Consumer Reports (June 24, 2022), https://www.consumerreports.org/health-privacy/what-does-the-overturn-of-roe-v-wade-mean-for-you-a1957506408/.
    \149\ 45 CFR 164.502(a)(1).
    \150\ 45 CFR 164.512(a).
    \151\ See Laura J. Faherty et al. ``Consensus Guidelines and 
State Policies: The Gap Between Principle and Practice at the 
Intersection of Substance Use and Pregnancy,'' American Journal of 
Obstetrics & Gynecology Maternal-Fetal Medicine (Aug. 2020) 
(discussing a concern raised by multiple organizations that pregnant 
women will hesitate to seek prenatal care and addiction treatment 
during pregnancy because their concerns that disclosing substance 
use to health care providers will increase the likelihood that they 
will face legal penalties); see also ``Informational Privacy After 
Dobbs,'' supra note 147.
---------------------------------------------------------------------------

    As a consequence of these developments in Federal and state law, an 
individual's expectation of privacy of their health information 
(irrespective of whether an individual is or was pregnant) is 
threatened by the potential use or disclosure of PHI to identify 
persons who seek, obtain, provide, or facilitate lawful reproductive 
health care. Thus, these developments have created an environment in 
which individuals are more likely to fear that their PHI will be 
requested from regulated entities for use against individuals, health 
care providers, and others, merely because such persons sought, 
obtained, provided, or facilitated lawful reproductive health 
care.\152\ The potential increased demand for PHI for these purposes is 
not limited to states in which providing or obtaining certain 
reproductive health care is no longer legal. Rather, the changes in the 
legal landscape have nationwide implications, not only because of their 
effects on the relationship between health care providers and 
individuals, but also because of the potential effects on the flow of 
health information across state lines. For example, an individual who 
travels out-of-state to obtain reproductive health care that is lawful 
under the circumstances in which it is provided may now be reluctant to 
have that information disclosed to a health care provider in their home 
state if they

[[Page 32988]]

fear that it may then be used against them or a loved one in their home 
state. A health care provider may be unable to provide appropriate 
health care if they are unaware of the individual's recent health 
history, which could have significant negative health consequences. 
Individuals and health care providers may also be reluctant to disclose 
PHI to health plans with a multi-state presence because of concerns 
that one of those states will seek to obtain that PHI to investigate or 
impose liability on the individual or the health care provider, even if 
there is no nexus with that state other than the presence of the health 
plan in that state. Such reluctance may have significant ramifications 
for access to reproductive health care, given the cost associated with 
obtaining such health care, and health care generally.
---------------------------------------------------------------------------

    \152\ See, e.g., Yvonne Lindgren et al., ``Reclaiming Tort Law 
to Protect Reproductive Rights,'' 75 Alabama L. Rev. 355 (2023), 
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4435834.
---------------------------------------------------------------------------

    Additionally, PHI is more likely to be transmitted across state 
lines as the electronic exchange of PHI increases because it is easier 
and more efficient to send information electronically. For instance, 
the Trusted Exchange Framework and Common Agreement (TEFCA) initiative 
established under the 21st Century Cures Act and the Centers for 
Medicare & Medicaid Services (CMS) Interoperability and Prior 
Authorization Final Rule will spur greater use and disclosure of PHI by 
regulated entities and to health apps and others.\153\ Different 
components of a health information exchange/health information network 
(HIE/HIN) may be located in different states, meaning that the PHI may 
be transmitted across state lines, and thus affected by laws severely 
restricting access to reproductive health care, even where both the 
health care and the recipient of the PHI are located in states where 
access to such health care is not substantially restricted.
---------------------------------------------------------------------------

    \153\ See section 3001(c) of the PHSA, as amended by section 
4003(b) of the 21st Century Cures Act, Public Law 114-255, 130 Stat. 
1165 (codified at 42 U.S.C. 300jj-11(c)). For more information, see 
Office of the Nat'l Coordinator for Health Info. Tech., ``Trusted 
Exchange Framework and Common Agreement (TEFCA),'' https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca; See also 89 FR 8758 (Feb. 8, 
2024); ``CMS Interoperability and Prior Authorization Final Rule 
CMS-0057-F,'' Centers for Medicare & Medicaid (Jan. 17, 2024), 
https://www.cms.gov/newsroom/fact-sheets/cms-interoperability-and-prior-authorization-final-rule-cms-0057-f.
---------------------------------------------------------------------------

    According to commenters, individuals are increasingly concerned 
about the confidentiality of discussions with their health care 
providers. As a result, some individuals are not confiding fully in 
their health care providers, increasing the risk that their medical 
records will not be complete and accurate, leading to decreases in 
health care quality and safety. This lack of openness is also likely to 
affect the information and treatment recommendations health care 
providers provide to individuals because health care providers will not 
be sufficiently informed to provide thorough and accurate information 
and guidance.\154\
---------------------------------------------------------------------------

    \154\ See Eric Boodman, ``In a doctor's suspicion after a 
miscarriage, a glimpse of expanding medical mistrust,'' STAT News 
(June 29, 2022), https://www.statnews.com/2022/06/29/doctor-
suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/
#:~:text=In%20a%20doctor's%20suspicion%20after,glimpse%20of%20expandi
ng%20medical%20mistrust&text=The%20idea%20that%20she,used%20contracep
tives%20and%20trusted%20them.
---------------------------------------------------------------------------

    Individuals are not alone in their fears. Indeed, according to 
commenters, some health care providers are afraid to provide lawful 
health care because they are concerned that in doing so, they risk 
being subjected to investigation and possible liability.\155\ The 
Department is aware that some health care providers, such as clinicians 
and pharmacies, are hesitant to provide lawful health care or lawfully 
prescribe or fill prescriptions for medications that can result in 
pregnancy loss, even when the health care or those prescriptions are 
intended to treat individuals for other health matters, because of fear 
of law enforcement action.\156\ Some health care providers are also not 
providing individuals with information to address concerns about their 
reproductive health, even where their communications would be lawful, 
out of fear of criminal prosecution, civil suit, or loss of their 
clinical license.\157\ This may result in individuals making decisions 
about their health care with incomplete information, which could have 
serious implications for health outcomes. These fears also increase the 
risk that individual medical records will not be maintained with 
completeness and accuracy, which will in turn affect the quality of 
health care provided to individuals and their safety. Fears about 
potential prosecution, even when Federal law protects the actions of 
health care providers, are likely to negatively affect the accuracy of 
medical records maintained by health care providers and thereby harm 
individuals.
---------------------------------------------------------------------------

    \155\ See also Melissa Suran, ``As Laws Restricting Health Care 
Surge, Some US Physicians Choose Between Fight or Flight,'' JAMA, 
329(22):1899-1903 (May 17, 2023) (discussing a maternal-fetal 
medicine specialist who stated that she moved to another state 
because of legislation that restricts evidence-based health care and 
prevents her from fulfilling her ethical obligation to protect her 
patients' health.), https://pubmed.ncbi.nlm.nih.gov/37195699/.
    \156\ See Off. for Civil Rights, ``HHS Office for Civil Rights 
Resolves Complaints with CVS and Walgreens to Ensure Timely Access 
to Medications for Women and Support Persons with Disabilities,'' 
U.S. Dep't of Health and Human Servs. (June 16, 2023), https://www.hhs.gov/civil-rights/for-providers/compliance-enforcement/agreements/cvs-walgreens/index.html. See also Kathryn Starzyk et 
al., ``More than half of patients with a rheumatic disease or 
immunologic condition undergoing methotrexate treatment reside in 
states in which the overturning of Roe v. Wade can jeopardize access 
to medications with abortifacient potential,'' 75 Arthritis 
Rheumatol 328 (Feb. 2023); see also Celine Castronuovo, ``Many 
Female Arthritis Drug Users Face Restrictions After Dobbs,'' 
Bloomberg Law (Nov. 14, 2022) (noting that 16 out of 524 patients 
responding to a survey indicated that they've had trouble getting 
methotrexate, their arthritis medication, since the Dobbs decision.) 
https://news.bloomberglaw.com/health-law-and-business/many-female-arthritis-drug-users-face-restrictions-after-dobbs; Interview with 
Donald Miller, PharmD, ``Methotrexate access becomes challenging for 
some patients following Supreme Court decision on abortion,'' 
Pharmacy Times (July 20, 2022), https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion; Jamie Ducharme, ``Abortion 
restrictions may be making it harder for patients to get a cancer 
and arthritis drug,'' Time (July 6, 2022), https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/; Katie Shepherd 
& Frances Stead Sellers, ``Abortion bans complicate access to drugs 
for cancer, arthritis, even ulcers,'' The Washington Post (Aug. 8, 
2022), https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/.
    \157\ See Michelle Oberman & Lisa Soleymani Lehmann, ``Doctors' 
duty to provide abortion information,'' J. of Law and Biosciences. 
(Sept. 1, 2023) https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10474560/; Whitney Arey et al., ``Abortion Access and Medically 
Complex Pregnancies Before and After Texas Senate Bill 8,'' 141 
Obstet Gynecol. 995 (May 1, 2023) (concluding that ``Abortion 
restrictions limit shared decision making, compromise patient care, 
and put pregnant people's health at risk.''); ``1 Year Without 
Roe,'' Center for American Progress (Jun. 23, 2023) (where a 
physician detailed her fear about speaking freely with her patients 
after Dobbs ``worried a vigilante posing as a new patient would 
attempt to bait her into talking about abortion and attempt to sue 
her, and she sometimes skirts the topic of abortion when speaking 
with patients about their health care options.'')
---------------------------------------------------------------------------

    As explained by commenters and supported by research, these 
impingements on the privacy of health information about reproductive 
health care are likely to have a disproportionately greater effect on 
women, individuals of reproductive age, and individuals from 
communities that have been historically underserved, marginalized, or 
subject to discrimination or systemic disadvantage by virtue of their 
race, disability, social or economic status, geographic location, or 
environment.\158\ Historically

[[Page 32989]]

underserved and marginalized individuals are also more likely to be the 
subjects of investigations and other activities to impose liability for 
seeking or obtaining reproductive health care, even where such health 
care is lawful under the circumstances in which it is provided.\159\ 
They are also less likely to have adequate access to legal counsel to 
defend themselves from such actions.\160\ These inequities may be 
exacerbated where individuals face multiple, intersecting disparities, 
such as having limited English proficiency \161\ and disability.\162\ 
Such individuals are thus especially likely to be concerned that 
information they share with their health care providers about their 
reproductive health care will not remain private. This is particularly 
true considering the historic lack of trust, negative experiences, and 
fear of discrimination that many members of historically 
underrepresented and marginalized communities and communities of color 
have in the health care system; \163\ such individuals are more likely 
to be deterred from seeking or obtaining health care--or from giving 
their health care providers full information.
---------------------------------------------------------------------------

    \158\ See Christine Dehlendorf et al., ``Disparities in Abortion 
Rates: A Public Health Approach,'' Am. J. of Pub. Health (Oct. 
2013), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/. See 
also Kiara Alfonseca, ``Why Abortion Restrictions Disproportionately 
Impact People of Color,'' ABC News (June 24, 2022), https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809; Dulce Gonzalez et al., Robert 
Wood Johnson Foundation, ``Perceptions of Discrimination and Unfair 
Judgment While Seeking Health Care'' (Mar. 31, 2021), https://www.rwjf.org/en/insights/our-research/2021/03/perceptions-of-discrimination-and-unfair-judgment-while-seeking-health-care.html; 
Susan A. Cohen, ``Abortion and Women of Color: The Bigger Picture,'' 
11 Guttmacher Pol'y Rev. (Aug. 6, 2008), https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture; ``The 
Disproportionate Harm of Abortion Bans: Spotlight on Dobbs v. 
Jackson Women's Health,'' Center for Reproductive Rights (Nov. 29, 
2021), https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/ (``Abuses such as 
forced sterilization of Black, Indigenous, and other people of color 
and individuals with disabilities specifically exacerbate medical 
mistrust within reproductive healthcare.'').
    \159\ See Brief of Amici Curiae for Organizations Dedicated to 
the Fight for Reproductive Justice--Mississippi in Action, et al. at 
*35-36, Dobbs, 597 U.S. 215 (discussing the likelihood that 
individuals, particularly those from marginalized communities who 
terminate their pregnancies and anyone who assists them may be 
disproportionally likely to face criminal investigation or arrest, 
given the rates of incarceration of persons from such communities.); 
see also Elizabeth Yuko, ``Women of Color Will Face More 
Criminalized Pregnancies in Post-`Roe' America,'' Rolling Stone 
(Jul. 7, 2020) (``Historically, we've seen the criminalization of 
people of color, young people, and people with lower incomes who've 
had miscarriages and other types of pregnancy losses that the state 
deemed were their fault [. . .] These groups are the most likely to 
be reported to law enforcement and investigated''); see also 
Sentencing Project, State-by-State Data, https://www.sentencingproject.org/research/us-criminal-justice-data/ (last 
visited Feb. 16, 2024) (U.S. Total: Imprisonment rate per 100,000 
residents--355; Black/White disparity--4.8:1; Latinx/White 
disparity--1.3:1); Racial Disparities in Incarceration, Vera 
Institute of Justice (Aug. 21, 2023), https://trends.vera.org/ 
(Prison population rate per 100,000 residents ages 15 to 64. U.S. 
total incarceration rate 2021 Q2--298, Asian American/Pacific 
Islander incarceration rate 2021 Q2--100, Black/African American 
incarceration rate 2021 Q2--1,310, Latinx incarceration rate 2021 
Q2--671, Native American incarceration rate 2021 Q2--1,021, White 
incarceration rate 2021 Q2--281).
    \160\ See Columbia Law Sch. Hum. Rts. Inst. & and Ne. Univ. Sch. 
of Law Program on Hum. Rts. and the Glob. Econ.,'' Equal Access to 
Justice: Ensuring Meaningful Access to Counsel in Civil Cases, 
Including Immigration Proceedings'' (July 2014), https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf. See also Lauren 
Hoffman et al., Ctr. For Am. Progress, ``Report: State Abortion Bans 
Will Harm Women and Families' Economic Security Across the US'' 
(Aug. 25, 2022), https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/.
    \161\ See Myasar Ihmud, ``Lost in Translation: Language Barriers 
to Accessing Justice in the American Court System,'' UIC Law Review 
(2023) (discussing ``access to justice for [limited English 
proficient (LEP)] individuals is hindered because they are unable to 
communicate with the court or understand the proceedings. Case law 
shows that, when unable to communicate with the court, LEP litigants 
are unable to defend themselves appropriately in criminal or 
immigration hearings, protect their homes, or keep custody of their 
children.''), https://repository.law.uic.edu/cgi/viewcontent.cgi?article=2908&context=lawreview; see also ``Language 
Access & Cultural Sensitivity,'' Legal Services Corporation (last 
visited Feb. 21, 2024) (describing how legal aid organizations 
should plan for providing meaningful access to language services. As 
of 2013, ``close to 25 million people, about 8 percent of the 
population, has limited English proficiency.''), https://www.lsc.gov/i-am-grantee/model-practices-innovations/language-access-cultural-sensitivity.
    \162\ See, e.g., Gautam Gulati et al., ``The experience of law 
enforcement officers interfacing with suspects who have an 
intellectual disability--A systematic review,'' International 
Journal of Law and Psychiatry (Sept.-Oct. 2020) (``It is not 
uncommon for people with [intellectual disability] to be suspects or 
accused persons when interfacing with Law Enforcement Officers 
(LEOs) and therefore face arrest, interview and/or custody.''), 
https://www.sciencedirect.com/science/article/pii/S016025272030073X.
    \163\ See Leslie Read et al., The Deloitte Ctr. for Health 
Solutions, ``Rebuilding Trust in Health Care: What Do Consumers 
Want--and Need--Organizations to Do?,'' at 3 (Aug. 5, 2021) (With 
focus groups of 525 individuals in the United States who identify as 
Black, Hispanic, Asian, or Native American, ``[f]ifty-five percent 
reported a negative experience where they lost trust in a health 
care provider.''), https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html; Liz Hamel et 
al., Kaiser Family Foundation, ``The Undefeated Survey on Race and 
Health,'' at 23 (Oct. 2020) (Percent who say they can trust the 
health care system to do what is right for them or their community 
almost all of the time or most of the time: Black adults: 44%; 
Hispanic adults: 50%; White adults: 55%), https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf; U.S. Dep't of Health and Hum. 
Servs., Assistant Sec'y for Pol. & Eval., Off. of Health Pol., 
``Issue Brief: Health Insurance Coverage and Access to Care for 
LGBTQ+ Individuals: Current Trends and Key Challenges,'' at 9 (June 
2021) (A 2021 survey found that 18 percent of LGBTQ+ individuals 
reported avoiding going to a doctor or seeking health care out of 
concern that they would face discrimination or poor treatment 
because of their sexual orientation or gender identity.), https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf; Abigail 
A. Sewell, ``Disaggregating Ethnoracial Disparities in Physician 
Trust,'' Soc. Science Rsch. (Nov. 2015), https://pubmed.ncbi.nlm.nih.gov/26463531/; Irena Stepanikova et al., 
``Patients' Race, Ethnicity, Language, and Trust in a Physician,'' 
J. of Health and Soc. Behavior (Dec. 2006), https://pubmed.ncbi.nlm.nih.gov/17240927/.
---------------------------------------------------------------------------

    Congress contemplated that the Department would need to modify 
standards adopted under HIPAA's Administrative Simplification 
provisions and directed the Secretary to review standards adopted under 
42 U.S.C. 1320d-2 periodically.\164\ In accordance with this directive 
and based on the Department's expertise and analysis and the recent 
developments in the legal landscape, there is a compelling need to 
provide additional protections to PHI about lawful reproductive health 
care. Accordingly, consistent with Congress's directions to the 
Department, in HIPAA, as amended by Genetic Information 
Nondiscrimination Act (GINA) and the HITECH Act, to establish standards 
and requirements for the electronic transmission of certain health 
information, including the privacy thereof, for the development of a 
health information system, the Department is restricting certain uses 
and disclosures of PHI for particular non-health care purposes to 
provide such protections.
---------------------------------------------------------------------------

    \164\ Congress' directions regarding the issuance of standards 
for the privacy of IIHI are codified at 42 U.S.C. 1320d-2 note. See 
also 45 CFR 160.104(a).
---------------------------------------------------------------------------

C. To Protect the Trust Between Individuals and Health Care Providers, 
the Department Is Restricting Certain Uses and Disclosures of PHI for 
Particular Non-Health Care Purposes

    As discussed above, Congress enacted HIPAA to improve the 
efficiency and effectiveness of the health care system, which includes 
ensuring that individuals have trust in the health care system. 
Congress also directed the Department to develop standards with respect 
to the privacy of IIHI as part of its decision to encourage the 
development of a health information system. To preserve such trust, and 
to encourage the development and use of a nationwide health information 
system, it is appropriate and necessary for Federal law and policy to 
protect the confidentiality of medical records, especially those that 
are highly sensitive. Accordingly, to protect the trust between 
individuals and health care providers, this rule restricts certain uses 
and disclosures of PHI for particular non-health care purposes, i.e., 
for using or disclosing PHI to conduct a criminal, civil, or 
administrative investigation into or to impose criminal, civil, or 
administrative liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating

[[Page 32990]]

lawful reproductive health care, or to identify any person to initiate 
such activities.
    Information about reproductive health care is particularly 
sensitive and requires heightened privacy protection. The Department's 
approach is consistent with efforts across the Federal Government. For 
example, the Department of Defense (DOD) has recognized such privacy 
concerns. In a memorandum to DOD leaders, the Secretary of Defense 
directed the DOD to ``[e]stablish additional privacy protections for 
reproductive health care information'' for service members and 
``[d]isseminate guidance that directs Department of Defense health care 
providers that they may not notify or disclose reproductive health 
information to commanders unless this presumption is overcome by 
specific exceptions set forth in policy.'' \165\ The Federal Trade 
Commission (FTC) has also recognized that information about personal 
reproductive matters is ``particularly sensitive'' and has committed to 
using the full scope of its authorities to protect consumers' privacy, 
including the privacy of their health information and other sensitive 
data.\166\ In business guidance, the FTC explained that ``[t]he 
exposure of health information and medical conditions, especially data 
related to sexual activity or reproductive health, may subject people 
to discrimination, stigma, mental anguish, or other serious harms.'' 
\167\
---------------------------------------------------------------------------

    \165\ Dep't of Defense, Memorandum Re: Ensuring Access to 
Reproductive Health Care, at 1 (Oct. 20, 2022) (removed emphasis on 
``not'' in original), https://media.defense.gov/2022/Oct/20/2003099747/-1/-1/1/MEMORANDUM-ENSURING-ACCESS-TO-REPRODUCTIVE-HEALTH-CARE.PDF.
    \166\ Kristin Cohen, ``Location, health, and other sensitive 
information: FTC committed to fully enforcing the law against 
illegal use and sharing of highly sensitive data'', Federal Trade 
Commission Business Blog (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal (last 
accessed Nov. 15, 2022).
    \167\ Id.
---------------------------------------------------------------------------

    As discussed above, the Department has long provided special 
protections for psychotherapy notes because of the sensitivity around 
this information. However, unlike psychotherapy notes, which by their 
very nature are easily segregated, reproductive health information is 
not easily segregated. Additionally, regulated entities generally do 
not have the ability to segment certain PHI such that regulated 
entities could afford special protections for specific categories of 
PHI.\168\ Where such technology is available, it is generally cost 
prohibitive and burdensome to implement.\169\ Therefore, the Department 
did not propose, and is not finalizing, a newly defined subset of PHI. 
Creating such a subset would create barriers to disclosing PHI for care 
coordination because the PHI would need to be segregated from the 
remaining medical record. Instead, consistent with the Privacy Rule's 
longstanding overall approach,\170\ the Department is finalizing a 
purpose-based prohibition against certain uses and disclosures. This 
rule seeks to protect individuals' privacy interests in their PHI about 
reproductive health care and the interests of society in an effective 
health care system by enabling individuals and licensed health care 
professionals to make decisions about reproductive health care based on 
a complete medical record, while balancing those interests with other 
interests of society in obtaining PHI for certain non-health care 
purposes.
---------------------------------------------------------------------------

    \168\ See Daniel M. Walker et al., ``Interoperability in a Post-
Roe Era Sustaining Progress While Protecting Reproductive Health 
Information,'' JAMA (Nov. 1, 2022) (discussing that segregation of 
records for reproductive health care is more difficult than for SUD 
treatment records because ``reproductive health services are often 
provided in the same settings as other primary and acute care and 
thus could be inferred or directly reflected in many parts of the 
record.''), https://jamanetwork-com.ezproxyhhs.nihlibrary.nih.gov/journals/jama/fullarticle/2797865; See, e.g., 87 FR 74216, 74221 
(Dec. 2, 2022) (noting that 42 CFR part 2 previously resulted in the 
separation of SUD treatment records previous from other health 
records, which led to the creation of data ``silos'' that hampered 
the integration of SUD treatment records into covered entities' 
electronic record systems and billing processes. When considering 
amendments to the relevant statute, some lawmakers argued that the 
silos perpetuated negative stereotypes about persons with SUD and 
inhibited coordination of care during the opioid epidemic.). See 
also Health Info. Tech. Advisory Comm., ``Health Information 
Technology Advisory Committee (HITAC) Annual Report for Fiscal Year 
2019,'' 2019 ONC Ann. Rep., at 37 (Feb. 19, 2020), https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf (``The new 
certification criteria that support the sharing of data via third-
party apps will help advance the use of data segmentation, but 
adoption of this capability by the industry is not yet 
widespread.'').
    \169\ See 88 FR 23746, 23898 (Apr. 18, 2023) (explaining that 
while there are standards for security labels for document-based 
exchange that the Office of the National Coordinator for Health 
Information Technology (ONC) adopted in full in 2020 for the 
criteria in 45 CFR 170.315(b)(7) and (b)(8) to support the 
application of security labels at a granular level for sending in 
and receiving, standards to define the technical requirements for 
the actions described by the security label vocabularies do not yet 
exist. In the 21st Century Cures Act: Interoperability, Information 
Blocking, and the ONC Health IT Certification Program Final Rule, 
published in 2020, ONC estimated a cost of the certification 
criteria and standards adopted for security labels in 45 CFR 
170.315(b)(7) and (b)(8). The Department estimated the total cost to 
developers could range from $2,910,400 to $6,933,600 and that it 
would be a onetime cost. (85 FR 25926) The criteria do not include 
the ability for health IT to take the actions described by the 
security labels. Additionally, ONC did not require that health IT be 
certified to the criteria described above, making it essentially 
voluntary. Accordingly, the estimates for health IT developer and 
health care provider costs were likely significantly lower than they 
would have been if health IT were required to be certified to the 
criteria for participation. Thus, the total cost of implementing 
full segmentation capabilities is likely substantially higher than 
the per-product cost estimates provided by the Department in that 
rule). See also 88 FR 23746, 23875 (Apr. 18, 2023) (discussing 
examples of challenges or technical limitations to electronic health 
information segmentation that have been described to ONC).
    \170\ See 64 FR 59918, at 59924, 59939, and 59955 (Nov. 3, 
1999).
---------------------------------------------------------------------------

    To assist in effectuating this prohibition, the Department is also 
requiring regulated entities to obtain an attestation in certain 
circumstances from the person requesting the use or disclosure stating 
that the use or disclosure is not for a prohibited purpose. A person 
(including a regulated entity or someone who requests PHI) who 
knowingly and in violation of the Administrative Simplification 
provisions obtains or discloses IIHI relating to another individual 
would be subject to potential criminal liability.\171\ Thus, a person 
who knowingly and in violation of HIPAA falsifies an attestation (e.g., 
makes a material misrepresentation about the intended uses of the PHI 
requested) to obtain (or cause to be disclosed) an individual's IIHI 
could be subject to the criminal penalties provided by the 
statute.\172\ Additionally, a regulated entity is subject to potential 
civil penalties for violations of the HIPAA Rules, including a failure 
to obtain a valid attestation before disclosing PHI, where an 
attestation is required.\173\ The purpose-based prohibition, in concert 
with the attestation, will restrict the use and disclosure of PHI about 
lawful reproductive health care where the use or disclosure could harm 
HIPAA's overall goals of increasing trust in the health care system, 
improving health care quality, and protecting individual privacy. At 
the same time, it will allow uses and disclosures that either support 
those goals or do not substantially interfere with their achievement.
---------------------------------------------------------------------------

    \171\ See 42 U.S.C. 1320d-6(a).
    \172\ See 42 U.S.C. 1320d-6(b).
    \173\ See 42 U.S.C. 1320d-5. See also 45 CFR part 160, subparts 
A, D, and E.
---------------------------------------------------------------------------

    Consistent with the Privacy Rule's approach, the Department is 
clarifying that the purpose-based prohibition applies only in certain 
circumstances, recognizing the interests of both the Federal Government 
and states while also protecting the information privacy interests of 
persons who seek, obtain, provide, or facilitate lawful reproductive 
health care. Thus, the Department is finalizing a Rule of

[[Page 32991]]

Applicability that balances the privacy interests of individuals and 
the interests of society in an effective health care system with those 
of society in the use of PHI for other non-health care purposes by 
limiting the new prohibition to certain circumstances.
    The Department's experience administering the Privacy Rule, 
research cited below, our assessment of the needs of individuals and 
health care providers in light of recent developments to the legal 
landscape, public comments, and the Regulatory Impact Analysis, in 
Section VI below, all provide support for the changes finalized in this 
rulemaking. These changes will improve individuals' confidence in the 
confidentiality of their PHI and their trust in the health care system, 
creating myriad benefits for the health care system. Balancing the 
privacy interests of individuals and the use of PHI for other societal 
priorities will continue to support an effective health care system, as 
Congress intended. This final rule will deter the creation of 
inaccurate and incomplete medical records, which will help to support 
the provision of appropriate lawful health care. Health care providers 
base their treatment recommendations on PHI contained within existing 
medical records, as well as information shared with them directly by 
the individual. Thus, where individuals withhold information from their 
health care providers about lawful health care, health care providers 
may not be in possession of all of the necessary information to make an 
informed recommendation for an appropriate treatment plan, which may 
result in negative health outcomes at both the individual and 
population level. It will also improve the confidence of individuals, 
including among the Nation's most vulnerable communities, that they can 
securely seek or obtain or share that they sought or obtained lawful 
reproductive health care without that information being used or 
disclosed for the purpose of investigating or imposing liability on 
them for seeking or obtaining that lawful health care. By improving 
individuals' confidence and trust in their relationships with their 
health care providers, it will make individuals more likely to, for 
example, comply with preventative health screening recommendations, 
which will protect against a decline in individual and population 
health outcomes related to missed preventative health screenings. 
Additional intangible benefits from increased privacy protections in 
this area include enhanced support for survivors of rape, incest, and 
sex trafficking. The new attestation requirement discussed in greater 
detail below will help to assure regulated entities of their ability to 
operationalize these changes and avoid exposure to HIPAA liability for 
impermissible disclosures.

IV. General Discussion of Public Comments

    The Department received more than 25,900 comments in response to 
its proposed rule. Overall, these comments represent the views of 
approximately 51,500 individuals and 350 organizations. Slightly more 
than half of the individuals and organizations who shared their views 
expressed general support for the 2023 Privacy Rule NPRM and its 
objectives. Less than one percent expressed mixed views. Organizational 
commenters included professional and trade associations, including 
those representing medical professionals, health plans, health care 
providers, health information management professionals, health 
information management system vendors, release-of-information vendors, 
employers, epidemiologists, and attorneys. The Department also received 
comments from advocacy organizations, including those representing 
patients, privacy advocates, faith-based organizations, and civil 
rights organizations. The NCVHS also provided comments, as did members 
of Congress, state, local, and Tribal government officials and public 
health authorities. Other commenters included health care systems, 
hospitals, and health care professionals.

A. General Comments in Support of the Proposed Rule

    Comment: Many commenters expressed general support for the proposed 
rule and urged the Department to protect the privacy of individuals by 
limiting uses and disclosures of PHI for certain purposes where the use 
or disclosure of information is about reproductive health care that is 
lawful under the circumstances in which such health care is provided.
    Many health care providers and individuals emphasized the 
importance of trusting relationships between individuals and their 
health care providers. According to individual commenters, a trusting 
relationship permits individuals to participate in sensitive and 
difficult conversations with their health care providers and enables 
health care providers to furnish high-quality and appropriate health 
care and to maintain accurate and complete medical records, including 
records that contain information about reproductive health care.
    Many organizations also submitted comments that expressed agreement 
with the Department's position on the importance of the relationship 
between HIPAA and the HIPAA Rules and trust between individuals and 
health care providers. For example, an organization commented that 
privacy has long been a ``hallmark'' of medical care and agreed with 
the Department that Congress recognized this principle when it enacted 
HIPAA. Some organizations commented that the HIPAA framework of law and 
rules provides individuals with the necessary trust and confidence to 
seek reproductive health care without fear of being prosecuted or 
targeted by law enforcement, including in medical emergencies.
    Other commenters stated that a trusting confidential relationship 
between an individual and a health care provider is an essential 
prerequisite to the delivery of high-quality health care. They also 
asserted that protective privacy laws, including HIPAA, help to ensure 
that individuals do not forgo health care.
    Many individuals asserted that the proposed safeguards are urgently 
needed to provide individuals with the confidence to seek health care. 
According to the commenters, the proposal would increase the likelihood 
that pregnant individuals would receive essential health care, thus 
improving their overall well-being. One commenter expressed support for 
the proposal because they believe people should not be held liable or 
face punishment for seeking, obtaining, providing, or facilitating 
lawful health care. Another commenter expressed concerns that the 
increase in state legislation targeting reproductive health care has 
placed significant burdens on physicians and increased the risk of 
maternal morbidity and mortality for individuals.
    A few commenters also expressed agreement with the Department's 
assertion that the proposed restrictions would clarify legal 
obligations of regulated entities with respect to the disclosure of PHI 
for certain non-health related purposes and would enable persons 
requesting PHI, including health plans, to better understand when such 
disclosures are permitted.
    Response: The Department appreciates these comments and is 
finalizing the proposed rule with modification, as described in greater 
detail below. Consistent with HIPAA's goals, this final rule will 
support the development and maintenance of trust between individuals 
and their health care providers, encouraging individuals

[[Page 32992]]

to be forthright with health care providers regarding their health 
history and providing valuable clarity to the regulated community and 
individuals concerning their privacy rights with respect to lawfully 
provided health care. In so doing, the Department helps to support 
access to health care by increasing individuals' confidence in the 
privacy of their PHI about lawfully provided reproductive health care. 
We are taking these actions as a result of our ongoing evaluation of 
the environment, including the legal landscape, and consistent with the 
Privacy Rule's longstanding balance of individual privacy and societal 
interests in PHI for non-health care purposes.
    Comment: A wide cross-section of commenters, including individuals, 
health care providers, patient advocacy organizations, reproductive 
rights organizations, state law enforcement agencies, and others all 
agreed that individuals who frequently experience discrimination 
generally also experience it when seeking health care.
    Many of these commenters urged the Department to recognize that 
there is a trust deficit in relationships between individuals and 
health care providers in communities that frequently experience 
discrimination. Many commenters cited scholarly journals and research 
articles showing that women of color especially suffer poorer medical 
outcomes, including higher maternal mortality and denial of medical 
interventions or treatments.
    Commenters who answered the Department's request for comment about 
whether members of ``historically underserved and minority 
communities'' are more likely to be the subject of investigations into 
or proceedings against persons in connection with seeking, obtaining, 
providing, or facilitating lawful reproductive health care unanimously 
responded in the affirmative. Some commenters expressed concern about 
the current legal environment's disproportionately negative effect on 
the privacy of women and members of marginalized and historically 
underserved communities and communities of color, such as immigrants 
who might avoid obtaining health care because of fears that their PHI 
could be shared with government officials. In general, commenters 
encouraged the Department to consider the likely negative implications 
of reduced health information privacy when combined with these 
disparities on health outcomes for members of marginalized and 
historically underserved communities and communities of color when 
crafting the final rule.
    Some commenters expressed concern about the current legal 
environment's disproportionately negative effect on the privacy of 
members of marginalized and historically underserved communities and 
communities of color, such as women of color, immigrants and American 
Indians and Alaska Natives, who might withhold information from health 
care providers or avoid obtaining health care because of fears that 
their PHI could be shared with government officials or used to 
investigate or impose liability on them.
    Among commenters that addressed this topic, many supported the 
Department's proposed purpose-based prohibition. Commenters stated that 
the proposed rule would help to mitigate medical mistrust of 
individuals in marginalized and historically underserved communities 
and communities of color and reduce the racial disparities that result 
from the increased criminalization of reproductive health care.
    Several commenters also addressed the issue of the availability of 
legal counsel among these communities. A few commenters asserted that 
individuals who are members of marginalized and historically 
underserved communities and communities of color are less likely to 
have access to legal counsel, despite being more likely to be subjects 
of investigations into or proceedings against persons in connection 
with obtaining providing or facilitating lawful sexual and reproductive 
health care and cited to related studies.
    Response: We appreciate these comments and thank commenters for 
sharing these important considerations. As we discussed in the 2023 
Privacy Rule NPRM and again here, the experiences of individuals from 
communities that have been historically underserved, marginalized, or 
subject to discrimination or systemic disadvantage by virtue of their 
race, disability, social or economic status, geographic location, or 
environment have significant negative effects on their relationships 
with health care providers and their willingness to seek necessary 
health care. We agree that the current legal landscape has exacerbated 
the health inequities that these individuals encounter when seeking 
reproductive health care services. The Department expects that the 
steps we have taken in this rule will meaningfully strengthen the 
privacy of PHI about lawful reproductive health care, and as a result, 
will help to mitigate the exacerbation of health disparities for 
members of marginalized and historically underserved communities and 
communities of color.
    The Department is actively working to reduce health disparities. In 
recent months, we released a new plan to address language barriers and 
strengthen language access in health care,\174\ and issued three 
proposed rules to address health disparities: one to revise existing 
regulations to strengthen prohibitions against discrimination on the 
basis of a disability in health care and human services programs; \175\ 
another to issue new regulations to advance non-discrimination in 
health and human service programs for the LGBTQI+ community; \176\ and 
a third to revise existing regulations to prohibit discrimination on 
the basis of race, color, national origin, sex, age, and disability in 
a range of health programs.\177\ The Department will continue to work 
to address these concerns, ensure that individuals have access to and 
do not forgo necessary health care, and build individuals' trust that 
health care providers can and will protect the privacy of individuals' 
sensitive health information.
---------------------------------------------------------------------------

    \174\ Press Release, ``Breaking Language Barriers: Biden-Harris 
Administration Announces New Plan to Address Language Barriers and 
Strengthen Language Access,'' U.S. Dep't of Health and Human Servs. 
(Nov. 15, 2023), https://www.hhs.gov/about/news/2023/11/15/breaking-language-barriers-biden-harris-administration-announces-new-plan-address-language-barriers-strengthen-language-access.html.
    \175\ Press Release, ``HHS Issues New Proposed Rule to 
Strengthen Prohibitions Against Discrimination on the Basis of a 
Disability in Health Care and Human Services Programs,'' U.S. Dep't 
of Health and Human Servs. (Sept. 7, 2023), https://www.hhs.gov/about/news/2023/09/07/hhs-issues-new-proposed-rule-to-strengthen-prohibitions-against-discrimination-on-basis-of-disability-in-health-care-and-human-services-programs.html.
    \176\ Press Release, ``HHS Issues Proposed Rule to Advance Non-
discrimination in Health and Human Service Programs for LGBTQI+ 
Community,'' U.S. Dep't of Health and Human Servs. (July 11, 2023), 
https://www.hhs.gov/about/news/2023/07/11/hhs-issues-proposed-rule-advance-non-discrimination-health-human-service-programs-lgbtqi-community.html.
    \177\ Press Release, ``HHS Announces Proposed Rule to Strengthen 
Nondiscrimination in Health Care,'' U.S. Dep't of Health and Human 
Servs. (July 25, 2022), https://www.hhs.gov/about/news/2022/07/25/hhs-announces-proposed-rule-to-strengthen-nondiscrimination-in-health-care.html.
---------------------------------------------------------------------------

    Comment: A few commenters agreed with the Department's position 
that the proposed rule would appropriately protect individuals against 
growing threats to their privacy with respect to PHI about reproductive 
health care while permitting states to conduct law enforcement 
activities.
    Response: The Privacy Rule always has and continues to balance 
privacy interests and other societal interests by permitting 
disclosures of PHI to support

[[Page 32993]]

public policy goals, including disclosures to support certain criminal, 
civil, and administrative law enforcement activities; the operation of 
courts and tribunals; health oversight activities; the duties of 
coroners and medical examiners; and the reporting of child abuse, 
domestic violence, and neglect to appropriate authorities. We 
appreciate these comments that recognized the growing threat to the 
privacy of PHI and the need to strike an appropriate balance between 
ensuring health care privacy and conducting law enforcement activities. 
We are finalizing the proposed rule with modification as described in 
greater detail below.

B. General Comments in Opposition to the Proposed Rule

    Comment: Several commenters generally opposed the proposed rule 
because of their opposition to certain types of reproductive health 
care. Many commenters opposed the proposed rule generally because they 
believed that it would harm women and children. Other commenters 
expressed concern that the proposals would increase administrative 
burdens and costs for health care providers; impede parental rights; 
prevent mandatory reporting of child abuse or abuse, domestic violence, 
and neglect; infringe upon states' rights; thwart law enforcement 
investigations; inhibit disclosures for public health activities; and 
protect those who engage in unlawful activities.
    Response: The modifications to the Privacy Rule in this final rule 
directly advance Congress' directive in HIPAA to improve the efficiency 
and effectiveness of the health care system by encouraging the 
development of a health information system through the establishment of 
standards and requirements for the electronic transmission of certain 
health information,\178\ including a standard for the privacy of IIHI 
that, among other things, addresses the ``uses and disclosures of such 
information that should be authorized or required.'' \179\ As discussed 
in greater detail elsewhere in this final rule, a trusting relationship 
between individuals and health care providers is the foundation of 
effective health care. A primary goal of the Privacy Rule is to ensure 
the privacy of an individual's PHI while permitting necessary uses and 
disclosures of PHI that enable high-quality health care and protect the 
health and well-being of all individuals, including women and children, 
and the public.
---------------------------------------------------------------------------

    \178\ See 42 U.S.C. 1320d note.
    \179\ See 42 U.S.C. 1320d-2 note.
---------------------------------------------------------------------------

    From the outset, the Department structured the Privacy Rule to 
ensure that individuals do not forgo lawful health care when needed--or 
withhold important information from their health care providers that 
may affect the quality of health care they receive out of a fear that 
their sensitive information would be revealed outside of their 
relationship with their health care provider. The Department has long 
been committed to protecting the privacy of PHI and providing the 
opportunity for an authentic, trusting relationship between individuals 
and health care providers. As we discussed in the 2023 Privacy Rule 
NPRM and again here, this final rule will help engender trust between 
individuals and health care providers and confidence in the health care 
system. We believe that this confidence will eliminate some of the 
burdens health care providers face in providing high-quality health 
care, encourage health care providers to accurately document PHI in an 
individual's medical record, and encourage individuals to provide 
health care providers with their complete and accurate health history, 
all of which will ultimately support better health outcomes. Nothing in 
this final rule sets forth a particular standard of care or affects the 
ability of health care providers to exercise their professional 
judgment.
    This final rule protects the relationship between individuals and 
health care providers by protecting the privacy of PHI in circumstances 
where recent legal developments have increased concerns about that 
information being used and disclosed to harm persons who seek, obtain, 
provide, or facilitate reproductive health care under circumstances in 
which such health care is lawful, while continuing to permit uses and 
disclosures that confer other social benefits. It is narrowly tailored 
and respects the interests of both states and the Department. The final 
rule continues to permit regulated entities to use or disclose PHI to 
comply with certain mandatory reporting laws, for public health 
activities, and for law enforcement purposes when the uses and 
disclosures are compliant with the applicable provisions of the Privacy 
Rule.
    Further, consistent with the longstanding operation of the Privacy 
Rule, this final rule requires that, in certain circumstances, 
regulated entities obtain information from persons requesting PHI, such 
as law enforcement, before the regulated entities may use or disclose 
the requested PHI. The Department recognizes that this final rule may 
increase the burden on those persons making requests for PHI, such as 
federal and state law enforcement officials, by requiring, in certain 
circumstances, that regulated entities obtain more information from 
such persons than previously required, and may, at times, prevent 
regulated entities from using or disclosing PHI that they previously 
would have been permitted to use or disclose. For example, the 
Department recognizes that situations may arise where a regulated 
entity reasonably determines that reproductive health care was lawfully 
provided, while at the same time, the person requesting the PHI (e.g., 
law enforcement) reasonably believes otherwise. In such circumstances, 
where the regulated entity provided the reproductive health care, and 
upon receiving a request for the PHI for a purpose that implicates the 
prohibition, reasonably determines that the provision of reproductive 
health care was lawful, the final rule would prohibit the regulated 
entity from disclosing PHI for certain types of investigations into the 
provision of such health care. This constitutes a change from the 
current Privacy Rule, under which a regulated entity is permitted, but 
not required, to make a use or disclosure under 45 CFR 164.512(f) of 
information that is ``relevant and material to a legitimate'' law 
enforcement inquiry, provided that certain conditions are met; these 
conditions include, for example, that the request is specific and 
limited in scope to the extent reasonably practicable given the purpose 
for which the information is sought.\180\ Similarly, the Department 
acknowledges that, where the regulated entity did not provide the 
reproductive health care that is the subject of the investigation or 
imposition of liability, the Rule of Applicability and Presumption, 
discussed below, may require regulated entities to obtain additional 
information, that is, factual information that demonstrates to the 
regulated entity a substantial factual basis that the reproductive 
health care was not lawful under the specific circumstances in which it 
was provided, from persons requesting PHI before using or disclosing 
the requested PHI.
---------------------------------------------------------------------------

    \180\ See 45 CFR 164.512(f)(1)(ii)(C).
---------------------------------------------------------------------------

    Consistent with HIPAA and the Department's longstanding approach in 
the Privacy Rule, the Department is finalizing an approach that strikes 
an appropriate balance between the privacy interests of individuals and 
the interests of law enforcement, and private parties afforded legal 
rights of action, in

[[Page 32994]]

obtaining PHI for certain non-health care purposes. While this approach 
may adversely affect particular interests of law enforcement, and 
private parties afforded legal rights of action, in some cases, the 
Department believes that the final rule best balances these competing 
interests by enhancing privacy protections without unduly interfering 
with legitimate law enforcement activities and does so in a manner that 
is consistent with the approach taken elsewhere in the Privacy Rule. As 
explained above, individual privacy interests are especially strong 
where individuals seek lawful reproductive health care. In particular, 
individuals may forgo lawful health care or avoid disclosing previous 
lawful health care to providers because they fear that their PHI will 
be disclosed. The Department believes these concerns are exacerbated by 
the prospect of state investigations into, and resulting intimidation 
and criminalization of, health care providers for providing lawful 
reproductive health care, as well as state laws encouraging state 
residents to sue persons who facilitate individuals' access to legal 
health care. The final rule addresses these interests by protecting 
privacy in situations where the reproductive health care at issue is 
especially likely to be lawful under the circumstances in which such 
health care was provided. Where a regulated entity receives a request 
for PHI about reproductive health care that the regulated entity 
provided, such health care is likely to be lawful where the regulated 
entity reasonably determines, based on all information in its 
possession, that such health care was lawful under the circumstances in 
which it was provided. Similarly, where a regulated entity receives a 
request for PHI about reproductive health care that the regulated 
entity did not provide, such health care is likely to be lawful where 
law enforcement is unable to provide factual information that 
demonstrates to the regulated entity a substantial factual basis that 
the reproductive health care was not lawful under the specific 
circumstances in which such health care was provided.
    The Department recognizes that, in some cases, the approach adopted 
in this final rule may inadvertently prohibit the disclosure of PHI 
about reproductive health care that was unlawfully provided, such as 
where a health care provider reasonably but incorrectly determines that 
the reproductive health care it provided was lawful under the 
circumstances in which such health care was provided. This is similar 
to how the Privacy Rule has always potentially prevented the use or 
disclosure of PHI that could be useful to law enforcement in certain 
circumstances because the request for PHI does not meet the conditions 
of the applicable permission. Nevertheless, given the importance of 
protecting individual privacy in this area, the Department has 
determined that the final rule adopts the appropriate balance between 
individual privacy and the interests of other persons, such as law 
enforcement. Specifically, the Department believes that the benefits to 
individual privacy of a broadly protective rule outweigh the benefits 
to societal interests in the use or disclosure of PHI from a narrower 
rule. While a narrower rule would more broadly permit disclosures 
related to PHI that might concern reproductive health care that is not 
lawful under the circumstances in which it is provided, such a rule 
would inadvertently permit more disclosures of PHI about lawful 
reproductive health care. Accordingly, the Department concludes that 
the final rule must be sufficiently broad to protect against such 
disclosures, given the paramount importance of individual privacy in 
this area.
    Moreover, as explained above, individual privacy interests are 
paramount to promote free and open communication between individuals 
and their health care providers, thereby ensuring that individuals 
receive high-quality care based on their accurate medical history. 
Society has long recognized that information exchanged as part of a 
specific relationship for which trust is paramount should be entitled 
to heightened protection (e.g., marital privilege, attorney-client 
privilege, doctor-patient privilege). Similarly, this final rule seeks 
to address situations where privacy interests are especially important, 
based both on the content of the information that is protected from 
disclosure (concerning lawful reproductive health care) and the context 
in which that information is shared (concerning a trust-based 
relationship between individuals and their health care providers).
    In contrast, the potential adverse effects of this final rule on 
other interests, such as those of law enforcement, are limited by the 
narrow scope of this final rule. This final rule does not seek to 
prohibit disclosures of PHI where the request is for reasons other than 
investigating or imposing liability on persons for the mere act of 
seeking, obtaining, providing, or facilitating reproductive health care 
that is lawful under the circumstances in which such health care is 
provided. For example, as explained in the NPRM and below, the final 
rule does not prohibit the use or disclosure of PHI for investigating 
alleged violations of the Federal False Claims Act or a state 
equivalent; conducting an audit by an Inspector General aimed at 
protecting the integrity of the Medicare or Medicaid program where the 
audit is not inconsistent with this final rule; investigating alleged 
violations of Federal nondiscrimination laws or abusive conduct, such 
as sexual assault, that occur in connection with reproductive health 
care; or determining whether a person or entity violated 18 U.S.C. 248 
regarding freedom of access to clinic entrances. In each of these 
cases, the request is not made for the purpose of investigating or 
imposing liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating reproductive health care.
    Even when the request is for the purpose of investigating or 
imposing liability on the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care, this final rule does not seek to 
prohibit disclosures of PHI about reproductive health care that is not 
lawful under the circumstances in which it was provided. Thus, in most 
situations involving reproductive health care that is not lawful under 
the circumstances in which it is provided, this final rule will not 
prevent the use or disclosure of PHI to investigate or impose liability 
on persons for such legal violations, provided such disclosures are 
otherwise permitted by the Privacy Rule. Moreover, where a regulated 
entity did not provide the reproductive health care at issue, this 
final rule prohibits the use or disclosure of PHI where the person 
making the request does not provide sufficient information to overcome 
the presumption of legality. In such cases, law enforcement agencies 
and other persons have a reduced interest in obtaining such PHI where 
the information does not demonstrate to the regulated entity a 
substantial factual basis that the reproductive health care was not 
lawful under the circumstances in which such health care was provided.
    This final rule does not prohibit the use or disclosure of PHI to 
investigate or impose liability on persons where reproductive health 
care is unlawful under the circumstances in which it is provided. 
Instead, the final rule prohibits the use or disclosure of PHI in 
narrowly tailored circumstances (i.e., where the use or disclosure is 
to conduct an investigation or impose liability on a person for the 
mere act of seeking, obtaining, providing, or facilitating reproductive 
health care that

[[Page 32995]]

is lawful under the circumstances in which such health care is 
provided, or to identify a person for such activities). For example, 
once this final rule is in effect, a covered health care provider may 
still disclose PHI to a medical licensing board investigating a health 
care provider's actions related to their obligation to report suspected 
elder abuse, assuming the disclosure meets the conditions of an 
applicable Privacy Rule permission. This is because the final rule does 
not bar the use or disclosure of PHI for health oversight purposes, 
which is unrelated to the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care.
    Additionally, even where the final rule prohibits the use or 
disclosure of PHI to investigate potentially unlawful reproductive 
health care (i.e., where a regulated entity reasonably determines that 
the reproductive health care they provided was lawful, or where the 
presumption of legality is not overcome), law enforcement retains other 
ways of investigating reproductive health care that they suspect may 
have been unlawfully provided. For example, law enforcement retains the 
use of other traditional and otherwise lawful investigatory means for 
obtaining information, such as conducting witness interviews and 
accessing other sources of information not covered by HIPAA. The final 
rule is therefore tailored to protect the relationship between 
individuals and their health care providers specifically, while leaving 
unaffected law enforcement's ability to conduct investigations using 
information from other sources.
    With respect to commenters' concerns about parental rights, this 
final rule also does not interfere with the ability of states to define 
the nature of the relationship between a minor and a parent or 
guardian.
    Comment: A few commenters that expressed negative views asserted 
that the proposed rule exceeded the Department's statutory authority 
under HIPAA or was beyond the Department's rulemaking authority. Some 
commenters stated that the rulemaking was arbitrary and capricious and 
would make it difficult for law enforcement to investigate reproductive 
health care and engage in health oversight activities and would require 
health care providers to provide certain types of health care against 
which they have objections. Some commenters expressed concern about the 
balance of powers between the states and the federal government. Other 
commenters suggested that the proposals preempt state laws serving 
public health, safety, and welfare.
    Response: As discussed above, Congress explicitly stated that the 
purpose of HIPAA's Administrative Simplification provisions was to 
improve the efficiency and effectiveness of the health care system. For 
the health care system to be effective, individuals must trust that 
information that they share with health care providers about lawful 
health care will remain private. Accordingly, since their inception, 
the HIPAA Rules have required that regulated entities narrowly tailor 
disclosures to law enforcement to protect an individual's privacy.\181\ 
While the Department is adopting an approach in this final rule that is 
more protective of privacy interests than the current Privacy Rule in 
certain circumstances, these changes are necessary to appropriately 
balance privacy interests and the interests of law enforcement, and 
private parties afforded legal rights of action, in light of the 
changing legal environment. This is discussed in detail above. In both 
the 2023 Privacy Rule NPRM and this final rule, the Department cited to 
multiple studies documenting the real-world harm to health and health 
care in the changing legal environment. As explained above, the 
Department acknowledges that this final rule may affect certain state 
interests in obtaining PHI to investigate potentially unlawful 
reproductive health care, but the Department has tailored the final 
rule to strike the appropriate balance between privacy interests and 
state interests. This final rule limits the potential harm to 
individuals, health care providers, and others resulting from the 
disclosure of PHI to investigate or punish individuals for the mere act 
of seeking, obtaining, providing, or facilitating reproductive health 
care that is lawful under the circumstances in which such health care 
is provided. We emphasize that nothing in this rule or any of the HIPAA 
Rules requires a health care provider to provide any type of health 
care, including any type of reproductive health care.
---------------------------------------------------------------------------

    \181\ See, e.g., 45 CFR 164.512(f) and 164.514(d)(3)(iii).
---------------------------------------------------------------------------

    Comment: Several commenters asserted that the proposed rule would 
impede states' enforcement of their own laws, including those 
concerning sexual assault and sex trafficking. Many commenters opposed 
the proposed rule because they believed it would inhibit the ability of 
states to investigate or enforce laws prohibiting minors from obtaining 
certain types of health care and prevent the commenters from reporting 
minors who they believe are coerced into obtaining such health care to 
authorities.
    Response: This rule does not prohibit the disclosure of PHI for 
investigating allegations of or imposing liability for sexual assault, 
sex trafficking, or coercing minors into obtaining reproductive health 
care. Rather, this final rule modifies the existing HIPAA Privacy Rule 
standards by prohibiting uses and disclosures of PHI to investigate or 
impose liability on individuals, regulated entities, or other persons 
for the mere act of seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which such reproductive health care is provided, or to identify any 
person to investigate or impose liability on them for such purposes. 
Accordingly, requests for the disclosure of PHI to investigate such 
allegations of or impose liability for such crimes do not fall within 
the final rule's prohibition, and the presumption of lawfulness 
likewise would not be triggered because the prohibition would not 
apply. A regulated entity therefore would not be prohibited from 
disclosing an individual's PHI when subpoenaed by law enforcement for 
the purpose of investigating such allegations, assuming that law 
enforcement provided a valid attestation and met the other conditions 
of the applicable permission.
    Moreover, as explained above, the final rule is tailored to 
prohibit disclosures related to lawful reproductive health care, 
thereby reducing the interference with law enforcement interests to 
create an appropriate balance with privacy interests.
    Comment: Some states expressed concern that the proposed rule would 
intrude into areas where the HIPAA Rules have previously acknowledged 
state control, such as enforcement of state and local laws, regulation 
of the practice of health care, and reporting of abuse.
    Response: This final rule balances the interests of individuals in 
the privacy of their PHI and of society in an effective health care 
system with those of society in obtaining PHI for certain non-health 
care purposes. The Privacy Rule always has and continues to permit 
disclosures of PHI to support public policy goals, including 
disclosures to support criminal, civil, and administrative law 
enforcement activities; the operation of courts and tribunals; health 
oversight activities; the duties of coroners and medical examiners; and 
the reporting of child abuse, domestic violence, and neglect to 
appropriate authorities. As explained above, while the final rule 
adopts an approach that is more

[[Page 32996]]

protective of privacy interests in certain circumstances than the 
previous Privacy Rule, the final rule continues to balance the 
interests that HIPAA Rules have long sought to protect with those of 
society in PHI.

C. Other General Comments on the Proposed Rule

    Comment: Commenters urged the Department to provide enhanced 
privacy protections for health information that is not covered by 
existing frameworks or specifically addressed in the proposed rule. A 
few professional associations expressed support for revising the 
Privacy Rule to provide stronger protection for the privacy of 
reproductive health care information and urged the Department to modify 
the Privacy Rule to provide even stronger protections than those 
proposed in the 2023 Privacy Rule NPRM.
    Response: The Department's authority under HIPAA is limited to 
protecting the privacy of IIHI that is maintained or transmitted by 
covered entities and, in some cases, their business associates. 
Specific modifications to the Privacy Rule to protect the privacy of 
PHI are described in greater detail below. Consistent with the 
Department's longstanding approach with respect to the Privacy Rule, 
the modifications we are finalizing in this rule strike a balance 
between protecting an individual's right to health information privacy 
with the interests of society in permitting the disclosure of PHI to 
support the investigation or imposition of liability for unlawful 
conduct. In particular, the final rule does not prohibit the disclosure 
of PHI about reproductive health care that was unlawfully provided, 
because an individual's privacy interests in reproductive health care 
that is not lawful (e.g., a particular type of reproductive health care 
that is provided by a nurse practitioner in a state that requires that 
type of reproductive health care to be provided by a physician) are 
comparatively lower than a state's interests in investigating and 
imposing liability on persons for unlawful reproductive health care. We 
will continue to monitor legal developments and their effects on 
individual privacy as we consider the need for future modifications to 
the Privacy Rule.
    Comment: Several commenters questioned how the proposed rule would 
affect their current business associate and data exchange agreements.
    Response: The modifications in this final rule may require 
regulated entities to revise existing business associate agreements 
where such agreements permit regulated entities to engage in activities 
that are no longer permitted under the revised Privacy Rule. Regulated 
entities must be in compliance with the provisions of this rule by 
December 23, 2024.
    Comment: A few commenters requested clarification of whether minors 
and legal adults have the same protections under the Privacy Rule and 
whether this rule would alter existing protections.
    Response: The final rule does not change how the Privacy Rule 
applies to adults and minors. Thus, all of the protections provided to 
PHI by this final rule apply equally to adults and minors. For example, 
under this final rule, a regulated entity is prohibited from using or 
disclosing a minor's PHI for the purposes prohibited under 45 CFR 
164.502(a)(5)(iii). The Privacy Rule generally permits a parent to have 
access to the medical records about their child as their minor child's 
personal representative when such access is consistent with state or 
other law, with limited exceptions.\182\ Additional information about 
how the Privacy Rule applies to minors can be found at 45 CFR 
164.502(g) and on the OCR website.\183\
---------------------------------------------------------------------------

    \182\ See 45 CFR 164.502(g) (describing personal 
representatives) and 164.524(a)(3) (describing reviewable grounds 
for denial of access to PHI by a personal representative).
    \183\ Off. for Civil Rights, ``Health Information Privacy,'' 
U.S. Dep't of Health and Human Servs., https://www.hhs.gov/hipaa/index.html.
---------------------------------------------------------------------------

    Comment: Many commenters urged the Department to take an 
educational approach, rather than a punitive one, with respect to 
enforcement against regulated entities. In addition, many commenters 
addressed the need for resources and education for successful 
implementation of the proposed changes to the Privacy Rule. They called 
for the Department to collaborate with and educate regulated entities, 
individuals, and others affected by the proposed revisions, such as law 
enforcement, as well as for the Department to partner with other 
Federal agencies and state governments to conduct the education. Some 
suggested that educational resources should include multiple media 
formats and a centralized platform.
    Response: The Department frequently issues non-binding guidance and 
conducts outreach to help regulated entities achieve compliance. We 
appreciate these recommendations and will consider these topics for 
future guidance. Regulated entities are expected to comply with the 
Privacy Rule as revised once the compliance date has passed.

V. Summary of Final Rule Provisions and Public Comments and Responses

    The Department is modifying the Privacy Rule to strengthen privacy 
protections for individuals' PHI by adding a new category of prohibited 
uses and disclosures of PHI. This final rule prohibits a regulated 
entity from using or disclosing an individual's PHI for the purpose of 
conducting a criminal, civil, or administrative investigation into or 
imposing criminal, civil, or administrative liability on any person for 
the mere act of seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which it is provided, meaning that it is either: (1) lawful under the 
circumstances in which such health care is provided and in the state in 
which it is provided; or (2) protected, required, or authorized by 
Federal law, including the United States Constitution, regardless of 
the state in which such health care is provided. In both of these 
circumstances, as explained above, the interests of the individual in 
the privacy of their PHI and of society in ensuring an effective health 
care system outweighs those of society in the use of PHI for non-health 
care purposes. To operationalize this modification, the Department is 
revising or clarifying certain definitions and terms that apply to the 
Privacy Rule, as well as other HIPAA Rules. This final rule also 
prohibits a regulated entity from using or disclosing an individual's 
PHI for the purpose of identifying an individual, health care provider, 
or other person for the purpose of initiating such an investigation or 
proceeding against the individual, a health care provider, or other 
person in connection with seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which it is provided.
    To effectuate these proposals, the Department is finalizing 
conforming and clarifying changes to the HIPAA Rules. These changes 
include, but are not limited to, clarifying the definition of 
``person'' to reflect longstanding statutory language defining the 
term; adopting new definitions of ``public health'' surveillance, 
investigation, or intervention, and ``reproductive health care''; 
adding a new category of prohibited uses and disclosures; clarifying 
that a regulated entity may not decline to recognize a person as a 
personal representative for the purposes of the Privacy Rule because 
they provide or facilitate reproductive health care for an individual; 
imposing a new

[[Page 32997]]

requirement that, in certain circumstances, regulated entities must 
first obtain an attestation that a requested use or disclosure is not 
for a prohibited purpose; and requiring modifications to covered 
entities' NPPs to inform individuals that their PHI may not be used or 
disclosed for a purpose prohibited under this final rule.
    The Department's section-by-section description of the final rule 
is below.

A. Section 160.103 Definitions

1. Clarifying the Definition of ``Person''
    HIPAA does not define the term ``person.'' \184\ The HIPAA Rules 
have long defined ``person'' to mean ``a natural person, trust or 
estate, partnership, corporation, professional association or 
corporation, or other entity, public or private.'' \185\ This meaning 
was based on the definition of ``person'' adopted by Congress in the 
original SSA, as an ``individual, a trust or estate, a partnership, or 
a corporation.'' \186\
---------------------------------------------------------------------------

    \184\ See 42 U.S.C. 1320d-1320d-8.
    \185\ 45 CFR 160.103.
    \186\ See section 1101(3) of Public Law 74-271, 49 Stat. 620 
(Aug. 14, 1935) (codified at 42 U.S.C. 1301(3)).
---------------------------------------------------------------------------

    In 2002, Congress enacted 1 U.S.C. 8, which defines ``person,'' 
``human being,'' ``child,'' and ``individual.'' \187\ The statute 
specifies that these definitions shall apply when ``determining the 
meaning of any Act of Congress, or of any ruling, regulation, or 
interpretation of the various administrative bureaus and agencies of 
the United States.'' \188\ The Department understands 1 U.S.C. 8 to 
provide definitions of ``person,'' ``individual,'' and ``child'' that 
do not include a fertilized egg, embryo, or fetus, and are consistent 
with the Department's understanding of those terms, as used in the SSA, 
HIPAA, and the HIPAA Rules.
---------------------------------------------------------------------------

    \187\ 1 U.S.C. 8(a). The Department is not opining on whether 
any state law confers a particular legal status upon a fertilized 
egg, embryo, or fetus. Rather, the Department cites to this statute 
to help define the scope of privacy protections that attach pursuant 
to HIPAA and its implementing regulations.
    \188\ Id.
---------------------------------------------------------------------------

    The Department proposed to clarify the term ``natural person'' in a 
manner consistent with 1 U.S.C. 8.\189\ Thus, the Department proposed 
to clarify that all terms subsumed within the definition of ``natural 
person,'' such as ``individual,'' \190\ are limited to the confines of 
the term ``person.'' \191\ As discussed in the 2023 Privacy Rule NPRM, 
the purpose of this proposal was to better explain to regulated 
entities and other stakeholders the parameters of an ``individual'' 
whose PHI is protected by the HIPAA Rules.
---------------------------------------------------------------------------

    \189\ 88 FR 23506, 23523 (Apr. 17, 2023).
    \190\ 45 CFR 160.103 (definition of ``Individual'').
    \191\ See Sharon T. Phelan, ``The Prenatal Record and the 
Initial Prenatal Visit,'' The Glob. Libr. of Women's Med. (last 
updated Jan. 2008) (PHI about the fetus is included in the mother's 
PHI), https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl.
---------------------------------------------------------------------------

    Many individuals and organizations commented on the proposal to 
clarify the definition ``person.'' Organizational commenters, including 
professional associations representing health care providers, advocacy 
groups, and academic departments, generally supported the proposal. 
Several commenters applauded the proposed clarification because they 
believed it would limit disclosures of PHI in cases where no individual 
has been harmed.
    Most opponents of the proposed clarification were individuals 
participating in form letter campaigns who expressed concern that the 
proposal might diminish access to prenatal care. Others asserted that 
the proposed clarification would contradict or conflict with existing 
laws, such as mandatory reporting laws and Federal statutes that rely 
upon a different definition of ``person.''
    The final rule adopts the proposed clarification of the definition 
of person, to mean a ``natural person (meaning a human being who is 
born alive), trust or estate, partnership, corporation, professional 
association or corporation, or other entity, public or private.'' 
Therefore, an ``individual,'' ``child,'' or ``victim'' (e.g., a victim 
of crime) under the HIPAA Rules must be a natural person. As we 
explained in the 2023 Privacy Rule NPRM, this clarification is 
consistent with the SSA, HIPAA, and 1 U.S.C. 8. This clarification 
applies only to regulations issued pursuant to the Administrative 
Simplification provisions of HIPAA.\192\
---------------------------------------------------------------------------

    \192\ See 42 U.S.C. 1320d.
---------------------------------------------------------------------------

    This clarification is consistent with the Privacy Rule's 
longstanding definitions of ``person'' \193\ and ``individual,'' \194\ 
as applied to Privacy Rule provisions permitting certain types of 
reports or other disclosures of PHI. For example, a regulated entity is 
permitted to disclose PHI about an individual who the regulated entity 
reasonably believes to be a victim of abuse, neglect, or domestic 
violence only where the individual is a ``natural person.'' \195\ In 
addition, because a ``victim'' necessarily is a natural person, the 
permission to disclose PHI to avert a serious threat to health or 
safety at 45 CFR 164.512(j)(i) does not permit disclosures when the 
perceived threat does not involve the health or safety of a natural 
person or the public, or when an individual has not caused serious 
physical harm to a natural person.
---------------------------------------------------------------------------

    \193\ 45 CFR 160.103 (definition of ``Person''). The Department 
first defined the term ``person'' in the HIPAA Rules as part of the 
2003 Civil Money Penalties: Procedures for Investigations, 
Imposition of Penalties, and Hearings Interim Final Rule (2003 
Interim Final Rule) to distinguish a ``natural person'' who could 
testify in the context of administrative proceedings from an 
``entity'' (defined therein as a ``legal person'') on whose behalf a 
person would testify. See 45 CFR 160.502 of the 2003 Interim Final 
Rule, 68 FR 18895, 18898 (Apr. 17, 2003) (Person is defined to mean 
a natural person or a legal person).
    \194\ 45 CFR 160.103 (definition of ``Individual''). The 
definition of ``individual'' in the HIPAA Rules was first adopted in 
the 2000 Privacy Rule.
    \195\ See 45 CFR 164.512(c)(1). This provision explicitly 
excludes reports of child abuse, which are addressed by 45 CFR 
164.512(b)(1).
---------------------------------------------------------------------------

    Comment: Many organizational commenters expressed support for the 
proposal to clarify the definition of ``person.''
    One commenter stated that this clarification should prevent law 
enforcement from attempting to avoid the proposed prohibition. 
According to another commenter, this proposed clarification is crucial 
as stakeholders adapt to the current reproductive health landscape.
    Several commenters expressed support for the Department's proposal 
but requested additional clarifications. For example, one commenter 
recommended that the Department clarify whether the definition would 
preempt state laws.
    Response: We take the opportunity to emphasize here that the 
clarification only applies to the HIPAA Rules and explains certain 
terms that apply to the permissions for uses and disclosures of PHI by 
regulated entities. We do not believe it is necessary to further 
clarify the final regulatory text because the current definition 
remains unchanged other than to incorporate the plain wording of 1 
U.S.C. 8.
    Comment: A few commenters expressed opposition to the Department's 
proposed clarification of ``person'' as tantamount to eliminating legal 
protections for and recognition of categories of human beings based on 
developmental stage. Some commenters maintained that the proposed 
clarification of ``person'' was inaccurate.
    Several commenters opposed the proposed clarification of ``person'' 
because it would affect the provision of prenatal care.
    A few commenters asserted that the proposed clarification would 
prevent the collection of medical information about reproductive health 
care for

[[Page 32998]]

important purposes, such as public health and research.
    Response: We are clarifying the definition of person consistent 
with applicable Federal law only for the purpose of applying HIPAA's 
Administrative Simplification provisions. This clarification will not 
affect how the term ``person'' is applied for purposes of other laws, 
affect any rights or protections provided by any other law, or affect 
standards of health care, including prenatal care.
    This final rule does not affect the reporting of vital statistics, 
nor does it affect the ability of regulated entities to use and 
disclose PHI for research. The Privacy Rule's standards for uses and 
disclosures for public health surveillance, investigations, and 
interventions, or for health oversight activities, are discussed 
elsewhere.
    Comment: Several commenters requested additional clarifications to 
the Department's proposed clarification of ``person.'' A few commenters 
asserted that the proposed clarification would be overly expansive. 
Most of these same commenters disagreed with the Department's 
interpretation of 1 U.S.C. 8.\196\ Commenters asserted that the 
clarification was inconsistent or conflicted with other laws.
---------------------------------------------------------------------------

    \196\ 1 U.S.C. 8(a).
---------------------------------------------------------------------------

    Response: The clarified definition of person that we are finalizing 
in this rule does not change the Department's interpretation of the 
term or change definitions under other law, such as state law. It also 
is consistent with Federal law, including 1 U.S.C. 8, which 
specifically applies to Federal regulations, and other examples cited 
by commenters. For example, both GINA and the Privacy Rule protect the 
genetic information of a fetus carried by a pregnant individual as the 
PHI of the pregnant individual.\197\
---------------------------------------------------------------------------

    \197\ Public Law 110-233, 122 Stat. 881. See generally Off. for 
Civil Rights, ``Health Information Privacy, Genetic Information,'' 
U.S. Dep't of Health and Human Servs. (Content last reviewed June 
16, 2017), https://www.hhs.gov/hipaa/for-professionals/special-
topics/genetic-information/
index.html#:~:text=The%20Genetic%20Information%20Nondiscrimination%20
Act,into%20two%20sections%2C%20or%20Titles.
---------------------------------------------------------------------------

    The other laws cited by commenters address policy concerns that are 
different from those health information privacy issues addressed under 
HIPAA and do not address personhood. Even if those statutes did adopt 
different understandings of who is a ``person,'' the Department has the 
authority to clarify or define terms that apply to the Administrative 
Simplification regulations issued pursuant to HIPAA. Additionally, the 
definition in the final rule of 1 U.S.C. 8 is appropriate because it is 
consistent with the Department's longstanding interpretation of the 
term in the context of HIPAA's Administrative Simplification provisions 
and associated regulations. Many Federal and state laws operate with 
differing definitions of common terms, to which existing legal 
standards that govern how such differences are to be interpreted would 
apply.\198\
---------------------------------------------------------------------------

    \198\ See 45 CFR 164.524. See also William Baude & Stephen E. 
Sachs, ``The Law of Interpretation,'' 130 Harv. L. Rev. 1079 (2017).
---------------------------------------------------------------------------

    Comment: A few commenters asserted that the proposal would expand 
minors' access to hormone therapy or surgeries without requiring 
parental consent.
    Response: The final rule's clarification to define the term 
``person'' does not affect the ability of a parent to make decisions 
related to health care for an individual who is an unemancipated 
minor,\199\ and nothing in this rule dictates a standard of care. The 
application of this definition is limited to the HIPAA Rules.
---------------------------------------------------------------------------

    \199\ 45 CFR 164.502(g).
---------------------------------------------------------------------------

    Comment: A few commenters asserted that the proposed clarification 
would help to prevent the misapplication of child abuse laws to 
individuals who engage in certain behaviors while pregnant (e.g., use 
of an illicit substance or alcohol). Several other commenters expressed 
concern that this definition would limit the ability of a regulated 
entity to apply the Privacy Rule permission to use or disclose PHI to 
prevent a serious and imminent threat to a fertilized egg, embryo, or 
fetus.
    Response: Under this final rule, a regulated entity would continue 
to be permitted to disclose PHI about an individual who the covered 
entity reasonably believes is a victim of child abuse or neglect, 
consistent with 45 CFR 164.512(b)(1)(ii), or a victim of abuse, 
neglect, or domestic violence, consistent with 45 CFR 164.512(c), to a 
government authority, including a social service or protective services 
agency, authorized by law to receive reports of such abuse, neglect, or 
domestic violence under the circumstances set forth under 45 CFR 
164.512(c) where the individual meets the clarified definition of 
person. The Privacy Rule permission concerning serious and imminent 
threats \200\ applies to threats to a person, consistent with the 
definition as clarified by this final rule, or the public.
---------------------------------------------------------------------------

    \200\ See 45 CFR 164.512(j)(1)(i).
---------------------------------------------------------------------------

2. Interpreting Terms Used in Section 1178(b) of the Social Security 
Act Reporting of Disease or Injury, Birth, or Death
    Section 1178(a) of the SSA provides that HIPAA generally preempts 
contrary state laws with certain limited exceptions, such as those 
described in section 1178(b).\201\ Specifically, section 1178(b) 
excepts from HIPAA's general preemption authority laws that provide for 
certain public health reporting, such as the reporting of disease or 
injury, birth, or death.\202\ HIPAA does not define the terms in 
section 1178(b) that govern the scope of this exception to HIPAA's 
general preemption authority, nor has the Department previously defined 
such terms through rulemaking.
---------------------------------------------------------------------------

    \201\ 42 U.S.C. 1320d-7(a)
    \202\ 42 U.S.C. 1320d-7(b).
---------------------------------------------------------------------------

    The Department recognizes that such public health reporting 
activities are an important means of identifying threats to the health 
and safety of the public. Accordingly, when a public health authority 
\203\ has furnished documentation of its authority \204\ to collect or 
receive such information, the Privacy Rule permits a regulated entity, 
without an individual's authorization, to use or disclose PHI to 
specified persons for public health activities.\205\ These activities 
include all of the vital statistics reporting activities described in 
section 1178(b), including reporting of diseases and injuries, birth, 
or death.\206\
---------------------------------------------------------------------------

    \203\ 45 CFR 164.501 (definition of ``Public health 
authority'').
    \204\ 45 CFR 164.514(h).
    \205\ This is unchanged by this final rule.
    \206\ See 45 CFR 164.512(b). The Privacy Rule addresses its 
interactions with laws governing excepted public health activities 
in two sections: 45 CFR 164.512(a), Standard: Uses and disclosures 
required by law, and 45 CFR 164.512(b), Standard: Uses and 
disclosures for public health activities.
---------------------------------------------------------------------------

    The Department proposed to interpret in preamble key terms used in 
section 1178(b) to clarify when HIPAA's general preemption authority 
applies. Specifically, the Department proposed an interpretation of 
section 1178(b) that would clarify that HIPAA's general preemption 
authority applies to laws that require regulated entities to use or 
disclose PHI for a purpose that would be prohibited under the proposed 
rule. Under this interpretation, the Privacy Rule permission to use or 
disclose PHI without an individual's authorization for the reporting of 
disease or injury, birth, or death \207\ would not permit the use or 
disclosure of PHI for a criminal, civil, or administrative 
investigation into or proceeding against a person in connection with 
seeking, obtaining,

[[Page 32999]]

providing, or facilitating reproductive health care. The Department did 
not intend this clarification to prevent disclosures of PHI from 
regulated entities to public health authorities for public health 
purposes that have been and continue to be permitted under the Privacy 
Rule. Nor did the Department intend for this proposed clarification to 
prevent disclosures of PHI by regulated entities under other 
permissions in the Privacy Rule, such as for law enforcement 
purposes,\208\ when made consistent with the conditions of the relevant 
permission and where the purpose of the disclosure is not one for which 
a use or disclosure would have been prohibited under 45 CFR 
164.502(a)(5)(iii) as proposed.
---------------------------------------------------------------------------

    \207\ 45 CFR 164.512(b).
    \208\ 45 CFR 164.512(f).
---------------------------------------------------------------------------

    The Department did not propose to define ``disease or injury,'' 
``birth,'' or ``death,'' because we believed that these terms, when 
read with the definition of ``person'' and in the broader context of 
HIPAA, would exclude information about reproductive health care without 
the need for further clarification.\209\ However, the Department 
invited public comment on whether it would be beneficial to make such 
clarification.
---------------------------------------------------------------------------

    \209\ 88 FR 23506, 23523 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Few commenters addressed interpretation of these terms. Some 
commenters expressed concern that the Department's interpretation would 
prevent beneficial public health reporting about certain types of 
reproductive health care, while others requested that the Department 
prohibit public health reporting about certain types of reproductive 
health care. Some commenters on this issue agreed with the Department's 
interpretation and clarification of the terms used in 1178(b). Several 
of these commenters requested that the Department define or clarify 
these terms because reporting standards are inconsistent across states.
    The Department declines to add definitions for ``disease or 
injury,'' ``birth,'' or ``death'' to the Privacy Rule in this final 
rule. However, we offer the discussion below to provide additional 
context on our interpretation of these terms.
    At the time of HIPAA's enactment, state laws provided for the 
reporting of disease or injury, birth, or death by covered health care 
providers and other persons.\210\ State public health reporting systems 
were well established and involved close collaboration between the 
state, local, or territorial jurisdiction and the Federal 
Government.\211\ Reports generally were made to public health 
authorities or, in some specific cases, law enforcement (e.g., 
reporting of gunshot wounds).\212\ Similar public health reporting 
systems continue to exist today.
---------------------------------------------------------------------------

    \210\ The 1996-98 Report of the NCVHS to the Secretary describes 
various types of activities considered to be public health during 
the era in which HIPAA was enacted, such as the collection of public 
health surveillance data on health status and health outcomes and 
vital statistics information. See Nat'l Comm. On Vital and Health 
Stats., Report of The National Committee on Vital and Health 
Statistics, 1996-98, (Dec. 1999), https://ncvhs.hhs.gov/wp-content/uploads/2018/03/90727nv-508.pdf.
    \211\ Id.
    \212\ Id.
---------------------------------------------------------------------------

    Reporting of ``disease or injury'' commonly refers to diagnosable 
health conditions reported for limited purposes such as workers' 
compensation, tort claims, or communicable or other disease or injury 
tracking efforts. States, territories, and Tribal governments require 
health care providers (e.g., physicians, laboratories) and some others 
(e.g., medical examiners, coroners, veterinarians,\213\ local boards of 
health) to report cases of certain diseases or conditions that affect 
public health, such as coronavirus disease 2019 (COVID-19), malaria, 
and foodborne illnesses.\214\ Such reporting enables public health 
practitioners to study and explain diseases and their spread, along 
with determining appropriate actions to prevent and respond to 
outbreaks.\215\ States also require health care providers to report 
incidents of certain types of injuries, such as those caused by 
gunshots, knives, or burns.\216\ Various Federal statutes use the 
phrase ``disease or injury'' similarly to refer to events such as 
workplace injuries for purposes of compensation.\217\
---------------------------------------------------------------------------

    \213\ Richard N. Danila et al., ``Legal Authority for Infectious 
Disease Reporting in the United States: Case Study of the 2009 H1N1 
Influenza Pandemic,'' 105 a.m. J. Public Health 13 (Jan. 2015).
    \214\ See ``Reportable Diseases,'' MedlinePlus, https://medlineplus.gov/ency/article/001929.htm (accessed Oct. 19, 2022). 
See also Nat'l Notifiable Diseases Surveillance Sys., ``What is Case 
Surveillance?,'' Ctrs. for Disease Control and Prevention (July 20, 
2022), https://www.cdc.gov/nndss/about/index.html.
    \215\ See ``Reportable Diseases,'' supra note 215. Such 
reporting is a type of public health surveillance activity.
    \216\ See Victims Rts. Law Ctr., ``Mandatory Reporting of Non-
Accidental Injuries: A State-by-State Guide'' (May 2014), http://4e5ae7d17e.nxcli.net/wp-content/uploads/2021/01/Mandatory-Reporting-of-Non-Accidental-Injury-Statutes-by-State.pdf.
    \217\ See, e.g., 38 U.S.C. 1110 (referring to an ``injury 
suffered or disease contracted''); 10 U.S.C. 972 (discussing time 
lost as a result of ``disease or injury''); 38 U.S.C. 3500 
(providing education for certain children whose parent suffered ``a 
disease or injury'' incurred or aggravated in the Armed Forces); see 
also 5 U.S.C. 8707 (insurance provision discussing compensation as a 
result of ``disease or injury''); 33 U.S.C. 765 (discussing 
retirement for disability as a result of ``disease or injury''); 15 
U.S.C. 2607(c) (requiring chemical manufacturers to maintain records 
of ``occupational disease or injury'').
---------------------------------------------------------------------------

    The limited meaning given to the terms ``disease'' and ``injury'' 
for purposes of public health reporting is clear from HIPAA's broader 
context. For instance, interpreting ``injury'' reporting to include 
disclosures about all instances of suspected criminal abuse would 
render the specific permission to report ``child abuse'' 
superfluous.\218\ And interpreting ``disease'' reporting to include 
disclosures about any sort of disease for any purpose would both 
eviscerate HIPAA's general provisions protecting PHI and make 
superfluous the statutory requirement to not invalidate laws providing 
for public health surveillance, or public health investigation or 
intervention. For example, ``disease management activities'' constitute 
``health care'' under the Privacy Rule. As such, a broad interpretation 
of ``disease or injury'' reporting could make potentially all the 
health records detailing a particular individual's treatment for any 
disease or injury disclosable to a public health authority or others 
unrelated to the health care.\219\ Consequently, the Department has 
long understood ``disease or injury'' to narrowly refer to diagnosable 
health conditions reported for limited purposes such as workers' 
compensation, tort claims or in compliance with Federal laws that 
require states to conduct surveillance of specific diseases and 
injuries related to public health or Federal funding.\220\
---------------------------------------------------------------------------

    \218\ 45 CFR 164.512(b)(ii).
    \219\ See 65 FR 82462, 82571 (Dec. 28, 2000) (recognizing that 
``disease management activities'' often constitute ``health care'' 
under HIPAA); Id. at 82777 (discussing the importance of privacy for 
information about cancer, a ``disease'' that causes an 
``indisputable'' ``societal burden''); Id. at 82778 (discussing the 
importance of privacy for information about sexually transmitted 
diseases, including Human Immunodeficiency Virus/Acquired 
Immunodeficiency Syndrome (HIV/AIDS)); Id. at 82463-64 (noting that 
numerous states adopted laws protecting health information relating 
to certain health conditions such as communicable diseases, cancer, 
HIV/AIDS, and other stigmatized conditions.); Id. at 82731 (finding 
that there are no persuasive reasons to provide information 
contained within disease registries with special treatment as 
compared with other information that may be used to make decisions 
about an individual).
    \220\ See, e.g., 65 FR 82462, 82517 (Dec. 28, 2000) (discussing 
tort litigation as information that could implicate IIHI); Id. at 
82542 (discussing workers' compensation); Id. at 82527 (separately 
addressing disclosures about ``abuse, neglect or domestic violence'' 
and limiting such disclosures to only two circumstances, even if 
expressly authorized by state statute or regulation).
---------------------------------------------------------------------------

    With respect to reporting of ``births'' and ``deaths,'' such vital 
statistics are reported by health care providers to the vital 
registration systems operated in

[[Page 33000]]

various jurisdictions \221\ legally responsible for the registration of 
vital events.\222\ State laws require birth certificates to be 
completed for all births, and Federal law mandates the national 
collection and publication of births and other vital statistics 
data.\223\ Tracking and reporting death is a complex and decentralized 
process with a variety of systems used by more than 6,000 local vital 
registrars.\224\ When HIPAA was enacted, the Model State Vital 
Statistics Act and Regulations, which is followed by most states,\225\ 
included distinct categories for ``live births,'' ``fetal deaths,'' and 
``induced terminations of pregnancy,'' with instructions that abortions 
``shall not be reported as fetal deaths.'' \226\ In light of that 
common understanding at the time of HIPAA's enactment, it is clear that 
the reporting of abortions is not included in the category of reporting 
of deaths for the purposes of HIPAA and does not fall within the scope 
of state death reporting activities that Congress specifically 
designated as excepted from preemption by HIPAA.
---------------------------------------------------------------------------

    \221\ See ``Public Health Professionals Gateway, Public Health 
Systems & Best Practices, Health Department Governance,'' Ctrs. for 
Disease Control and Prevention (Nov. 25, 2022), https://www.cdc.gov/publichealthgateway/sitesgovernance/index.html.
    \222\ See the list of events included in vital events, Nat'l 
Ctr. for Health Stats., ``About the National Vital Statistics 
System,'' Ctrs. for Disease Control and Prevention (Jan. 4, 2016), 
https://www.cdc.gov/nchs/nvss/about_nvss.htm.
    \223\ See Nat'l Ctr. for Health Stats., ``Birth Data,'' Ctrs. 
for Disease Control and Prevention (Dec. 6, 2022), https://www.cdc.gov/nchs/nvss/births.htm.
    \224\ See Ctrs. For Disease Control and Surveillance, ``How 
Tracking Deaths Protects Health,'' (July 2018), https://www.cdc.gov/surveillance/pdfs/Tracking-Deaths-protects-healthh.pdf.
    \225\ See Nat'l Ctr. for Health Stats., Ctrs. for Disease 
Control and Prevention, ``State Definitions and Reporting 
Requirements: For Live Births, Fetal Deaths, and Induced 
Terminations of Pregnancy,'' at 5 (1997), https://www.cdc.gov/nchs/data/misc/itop97.pdf.
    \226\ Nat'l Ctr. for Health Stats., Ctrs. for Disease Control 
and Prevention, ``Model State Vital Statistics Act and 
Regulations,'' at 8 (1992), https://www.cdc.gov/nchs/data/misc/mvsact92b.pdf.
---------------------------------------------------------------------------

    More generally, while Congress exempted certain ``[p]ublic health'' 
laws from preemption,\227\ Congress chose not to create a general 
exception for criminal laws or other laws that address the disclosure 
of information about similar types of activities outside of the public 
health context.
---------------------------------------------------------------------------

    \227\ 42 U.S.C. 1178(b) (codified in HIPAA at 42 U.S.C. 1320d-
7).
---------------------------------------------------------------------------

    For all these reasons, state laws requiring the use or disclosure 
of PHI for the purpose of investigating or imposing liability on a 
person for the mere act of seeking, obtaining, providing, or 
facilitating health care, or identifying a person for such activities, 
are subject to HIPAA's general preemption provision. Similarly, the 
Privacy Rule's public health provisions that permit the disclosure of 
PHI for the reporting of disease or injury, birth, or death do not 
include permission to use or disclose PHI for the purpose of 
investigating or imposing liability on a person for the mere act of 
seeking, obtaining, providing, or facilitating health care, or 
identifying a person for such activities. This general distinction 
between public health activities and investigation and enforcement 
activities is not limited to reproductive health care. Nevertheless, as 
discussed elsewhere in this final rule, the Department has chosen to 
strike a balance between privacy interests and other public policy 
interests. Consistent with the Department's longstanding approach that 
has allowed disclosures for law enforcement purposes in certain 
circumstances, the new prohibitions set forth in this rule apply only 
to lawful reproductive health care. State authorities cannot rely on 
the Privacy Rule's permissions for disclosures related to disease or 
injury, birth, or death to obtain PHI for the purpose of investigating 
or imposing liability for the provision of reproductive health care. 
However, as discussed above, state authorities may be able to invoke 
other permissions, such as the permission for disclosures for law 
enforcement purposes, to obtain such PHI where such disclosure is to 
investigate or impose liability on a person when the reproductive 
health care at issue is unlawful under the circumstances in which it is 
provided.
    Comment: A few commenters expressed support for the Department's 
interpretation and clarification of the terms used in section 1178(b) 
of the SSA. A few commenters recommended that the Department define, 
rather than clarify, these terms. Some commenters requested that the 
Department further clarify the terms ``disease or injury,'' ``birth,'' 
and ``death,'' to explicitly exclude information about reproductive 
health care. Other commenters expressed opposition to the Department's 
clarifications.
    Response: We decline to define ``disease or injury,'' ``birth,'' or 
``death'' in this final rule. The Department's understanding of these 
terms is consistent with the Model State Vital Statistics Act and 
Regulations and its application in the context of the passage of HIPAA. 
We believe that the 2023 Privacy Rule NPRM preamble discussion is 
sufficient to clarify that such reporting does not include the use or 
disclosure of PHI for investigating or imposing liability on a person 
for the mere act of seeking, obtaining, providing, or facilitating 
health care, including reproductive health care, or to identify a 
person for such activities.
    Defining ``Public health,'' as used in the terms ``public health 
surveillance,'' ``public health investigation,'' and ``public health 
intervention.''
    Section 1178(b) also excepts state laws providing for ``public 
health surveillance, or public health investigation or intervention'' 
from HIPAA's general preemption authority.\228\ Neither HIPAA nor the 
Privacy Rule currently defines ``public health surveillance'' or 
``public health investigation or intervention.'' Consistent with the 
statute, the Privacy Rule expressly permits a regulated entity to use 
or disclose PHI for ``public health'' surveillance, investigation, or 
intervention.\229\ The Department proposed to define public health, as 
used in the terms ``public health surveillance,'' ``public health 
investigations,'' and ``public health interventions,'' to mean 
population-level activities to prevent disease and promote health of 
populations. In preamble to the 2023 Privacy Rule NPRM, the Department 
described public health surveillance as the ongoing, systematic 
collection, analysis, and interpretation of health-related data 
essential to planning, implementation, and evaluation of public health 
practice.\230\ The Department explained that public health 
investigations or interventions include monitoring real-time health 
status and identifying patterns to develop strategies to address 
chronic diseases and injuries, as well as using real-time data to 
identify and respond to acute outbreaks, emergencies, and other health 
hazards.\231\ Public health surveillance, investigations, or 
interventions safeguard the health of the community by addressing 
ongoing or prospective population-level issues such as the spread of 
communicable diseases, even where these activities involve

[[Page 33001]]

individual-level investigations or interventions.
---------------------------------------------------------------------------

    \228\ Section 1178(a) of HIPAA.
    \229\ See 45 CFR 164.512(b)(1)(i); Off. for Civil Rights, 
``Disclosures for Public Health Activities,'' U.S. Dep't of Health 
and Human Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/index.html 
(accessed Oct. 19, 2022).
    \230\ See ``Introduction to Public Health Surveillance,'' Ctrs. 
for Disease Control and Prevention (Nov. 15, 2018), https://www.cdc.gov/training/publichealth101/surveillance.html.
    \231\ See ``Public Health Professionals Gateway, Ten Essential 
Public Health Services,'' Ctrs. for Disease Control and Prevention 
(Dec. 1, 2022), https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html.
---------------------------------------------------------------------------

    The Department also proposed to expressly exclude certain 
activities from the definition of public health to distinguish between 
public health activities and certain criminal investigations. 
Specifically, the Department proposed to provide in regulatory text 
that the Privacy Rule's permissions to use and disclose PHI for the 
``public health'' activities of surveillance, investigations, or 
interventions do not include criminal, civil, or administrative 
investigations into, or proceedings against, any person in connection 
with seeking, obtaining, providing, or facilitating reproductive health 
care, nor do they include identifying any person for the purpose of 
initiating such investigations or proceedings. The Department stated 
that any such actions are not public health activities that would be 
subject to the exception to HIPAA's general preemption authority for 
state laws providing for ``public health surveillance, or public health 
investigation or intervention.'' \232\
---------------------------------------------------------------------------

    \232\ Section 1178(a) of SSA.
---------------------------------------------------------------------------

    Commenters expressed mixed views on the proposal to define ``public 
health'' in the context of ``public health surveillance,'' ``public 
health investigations'' or ``public health interventions.'' Commenters 
expressing opposition to the proposal either disagreed with the 
Department's assertion that public health activities do not involve 
uses and disclosures that would be prohibited by the rule or asserted 
that the proposal would prevent public health reporting of reproductive 
health care. Some commenters generally supported the goal of the 
proposal but expressed concern that inclusion of the proposed language 
about ``population-level'' activities could prevent essential public 
health activities that involve specific persons, such as reporting data 
about specific health care services provided to specific persons that 
have a ``population-level'' effect and investigating the spread of 
communicable diseases.
    Some commenters asserted that the proposal would frustrate states' 
ability to enforce their laws not related to public health, such as 
laws banning health care such as abortion. Supporters asserted that the 
proposal would help to prevent PHI from being disclosed for a purpose 
that would be prohibited under the proposed rule. Supportive commenters 
also expressed concern about states obtaining PHI based on an 
interpretation of ``public health investigations'' that includes the 
mandatory reporting of pregnant individuals who engage in certain 
activities, such as substance use. Other commenters asserted that 
disclosures of PHI to public health authorities should be limited 
because of the potential for PHI to be redisclosed for purposes that 
otherwise would be prohibited under the Privacy Rule.
    The final rule adopts the proposed definition with some 
modifications. The final rule maintains the proposed rule's focus on 
activities aimed at preventing disease and improving the health of 
populations. This definition does not prevent disclosures of PHI by 
covered entities to public health authorities for public health 
activities that have long been permitted under the Privacy Rule. As 
discussed in the 2023 Privacy Rule NPRM, since the time of HIPAA's 
enactment, public health activities related to surveillance, 
investigation, or intervention have been widely understood to refer to 
activities aimed at improving the health of a population. For example, 
legal dictionaries define ``public health'' as ``[t]he health of the 
community at large,'' or ``[t]he healthful or sanitary condition of the 
general body of people or the community en masse; esp., the methods of 
maintaining the health of the community, as by preventive medicine or 
organized care for the sick.'' \233\ Stedman's Medical Dictionary 
defines ``public health'' as ``the art and science of community health, 
concerned with statistics, epidemiology, hygiene, and the prevention 
and eradication of epidemic diseases; an effort organized by society to 
promote, protect, and restore the people's health; public health is a 
social institution, a service, and a practice.'' \234\ The Centers for 
Disease Control and Prevention (CDC) and the Agency for Toxic 
Substances and Disease Registry have described ``public health 
surveillance'' as ``the ongoing systematic collection, analysis and 
interpretation of outcome-specific data for use in the planning, 
implementation, and evaluation of public health practice.'' \235\ And 
many states similarly define ``public health'' to mean activities to 
support population health.\236\ The Department likewise has used the 
term public health in this way since it first adopted the Privacy 
Rule.\237\
---------------------------------------------------------------------------

    \233\ ``Health, Public Health,'' Black's Law Dictionary (11th 
ed. 2019).
    \234\ ``Public Health,'' Stedman's Medical Dictionary 394520.
    \235\ Jonathan Weinstein, In Re Miguel M., 55 N.Y.L. Sch. L. 
Rev. 389, 390 (2010) (citing Stephen B. Thacker, ``Historical 
Development,'' in Principles and Practice of Public Health 
Surveillance 1 (Steven M. Teutsch & R. Elliott Churchill eds., 2d 
ed., 2000)), https://digitalcommons.nyls.edu/cgi/viewcontent.cgi?article=1599&context=nyls_law_review.
    \236\ See, e.g., Richard A. Goodman et al., ``Forensic 
Epidemiology: Law at the Intersection of Public Health and Criminal 
Investigations,'' 31 J. of Law, Med. & Ethics 684, 689-90 (2003); 
La. Rev. Stat. Ann. Sec. 40:3.1 (2011) (defining threats to public 
health as nuisances ``including but not limited to communicable, 
contagious, and infectious diseases, as well as illnesses, diseases, 
and genetic disorders or abnormalities''); N.C. Gen. Stat. sec. 
130A-141.1(a) (2010) (defining public health investigations as the 
``surveillance of an illness, condition, or symptoms that may 
indicate the existence of a communicable disease or condition'').
    \237\ See, e.g., 65 FR 82462, 82464 (Dec. 28, 2000) (noting that 
reporting of public health information on communicable diseases is 
not prevented by individuals' right to information privacy); Id. at 
82467 (discussing the importance of accurate medical records in 
recognizing troubling public health trends and in assessing the 
effectiveness of public health efforts); Id. at 82473 (discussing 
disclosure to ``a department of public health''); Id. at 82525 
(recognizing that it may be necessary to disclose PHI about 
communicable diseases when conducting a public health intervention 
or investigation); Id. at 82526 (recognizing that an entity acts as 
a ``public health authority'' when, in its role as a component of 
the public health department, it conducts infectious disease 
surveillance); Stephen B. Thacker, Epidemiology Program Office, 
Ctrs. for Disease Control and Prevention, ``HIPAA Privacy Rule and 
Public Health: Guidance from CDC and the U.S. Department of Health 
and Human Services,'' 52 MMWR 1 (Apr. 11, 2003), https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm (describing what 
traditionally are considered to be ``public health activities'' that 
require PHI).
---------------------------------------------------------------------------

    Public health surveillance, public health investigations, and 
public health interventions are activities that address population 
health concerns and have generalized public benefit \238\ to the health 
of a population, including activities that involve specific persons. 
Examples of activities that prevent disease in and promote the health 
of populations include vaccination campaigns to eradicate communicable 
disease, surveillance of a community's use of emergency services after 
a natural disaster to improve allocation of resources to meet health 
needs, and investigation of the source of an outbreak of food 
poisoning. As explained in the preamble to the 2023 Privacy Rule 
NPRM,\239\ there is a widely recognized distinction between public 
health activities, which primarily focus on improving the health of 
populations, and criminal investigations, which primarily focus on 
identifying and imposing liability on persons who have

[[Page 33002]]

violated the law.\240\ States and other local governing authorities 
maintain criminal codes that are distinct and separate from public 
health reporting laws,\241\ although some jurisdictions enforce 
required public health reporting through criminal statutes. Different 
governmental bodies are responsible for enforcing these separate codes, 
and public health officials do not typically investigate activities 
enforced under criminal statutes or laws.\242\ Federal laws also 
generally treat public health investigations as distinct from criminal 
investigations.\243\ Maintaining a clear distinction between public 
health investigations and criminal investigations serves HIPAA's 
broader purposes.\244\
---------------------------------------------------------------------------

    \238\ See Miguel M. v. Barron, 950 NE2d 107, at 111 (2011) 
(explaining ``[t]he apparent purpose of the public health exception 
is to facilitate government activities that protect large numbers of 
people from epidemics, environmental hazards, and the like, or that 
advance public health by accumulating valuable statistical 
information.'').
    \239\ 88 FR 23510, 23525 (Apr. 17, 2023).
    \240\ See Miguel M. v. Barron at 111, supra note 239 (concluding 
that ``[t]o disclose private information about particular people, 
for the purpose of preventing those people from harming themselves 
or others, effects a very substantial invasion of privacy without 
the sort of generalized public benefit that would come from, for 
example, tracing the course of an infectious disease.'').
    \241\ For example, traditional public health reporting laws grew 
from colonial requirements that physicians report disease. These 
requirements transitioned to state regulatory requirements imposed 
by public health departments on authority granted to them by states. 
See Ctrs. for Disease Control and Prevention, ``Public Health Law 
101, Disease Reporting and Public Health Surveillance,'' at 12 and 
14 (Jan. 16, 2009), https://www.cdc.gov/phlp/docs/phl101/PHL101-Unit-5-16Jan09-Secure.pdf. See also, e.g., Code of Georgia 31-12-2 
(2021) (authority to require disease reporting).
    \242\ See ``Public Health,'' supra note 235 (``Many cities have 
a `public health department' or other agency responsible for 
maintaining the public health; Federal laws dealing with health are 
administered by the Department of Health and Human Services.''); see 
also ``Forensic Epidemiology: Law at the Intersection of Public 
Health and Criminal Investigations,'' supra note 237, at 689.
    \243\ See Camara v. Municipal Ct. of City & Cty. of S.F., 387 
U.S. 523, 535-37 (1967) (discussing administrative inspections under 
the Fourth Amendment, such as those aimed at addressing ``conditions 
which are hazardous to public health and safety,'' and not ``aimed 
at the discovery of evidence of crime''); 42 U.S.C. 241(d)(D) 
(prohibiting disclosure of private information from research 
subjects in ``criminal'' and other proceedings); 42 U.S.C. 290dd-
2(c) (prohibiting substance abuse records from being used in 
criminal proceedings).
    \244\ See ``Forensic Epidemiology: Law at the Intersection of 
Public Health and Criminal Investigations,'' supra note 237, at 687 
(discussing reasons why ``an association of public health with law 
enforcement'' may be ``to the detriment of routine public health 
practice''). See also 45 CFR 164.512(b)(1)(i) (including ``public 
health investigations'' as an activity carried out by a public 
health authority that is authorized by law to carry out public 
health activities).
---------------------------------------------------------------------------

    The Department concludes that neither section 1178(b) nor the 
Privacy Rule's permissions to use and disclose PHI for the ``public 
health'' activities of surveillance, investigation, or intervention 
include conducting criminal, civil, or administrative investigations 
into, or imposing criminal, civil, or administrative liability on any 
person for the mere act of seeking, obtaining, providing, or 
facilitating health care, including reproductive health care, nor do 
they include the identification of any person for such purposes. Such 
actions are not public health activities. As described above, this 
distinction between public health activities and other investigation 
and enforcement activities is not limited to reproductive health care. 
Public health surveillance, investigations, or interventions ensure the 
health of the community as a whole by addressing ongoing or prospective 
population-level issues such as the spread of communicable diseases, 
even where they involve interventions involving specific individuals. 
Such surveillance systems provide the necessary data to examine and 
potentially develop interventions to improve the public's health, such 
as providing education or resources to support individuals' access to 
health care and improve health outcomes and are not affected by this 
final rule.\245\ U.S. states, territories, and Tribal governments 
participate in bilateral agreements with the Federal Government to 
share data on conditions that affect public health.\246\ The CDC's 
Division of Reproductive Health collects reproductive health data in 
support of national and state-based population surveillance systems to 
assess maternal complications, mortality and pregnancy-related 
disparities, and the numbers and characteristics of individuals who 
obtain legal induced abortions.\247\ This final rule does not affect 
CDC's ability to collect this information now or in the future. 
Importantly, disclosures to public health authorities permitted by the 
Privacy Rule are limited to the ``minimum necessary'' to accomplish the 
public health purpose.\248\ In some cases, regulated entities need 
disclose only de-identified data \249\ to meet the public health 
purpose.
---------------------------------------------------------------------------

    \245\ See ``Improving the Role of Health Departments in 
Activities Related to Abortion,'' Am. Pub. Health Ass'n (Oct. 26, 
2021), https://www.apha.org/Policies-and-Advocacy/Public-Health-Policy-Statements/Policy-Database/2022/01/07/Improving-Health-Department-Role-in-Activities-Related-to-Abortion.
    \246\ See ``Reportable diseases,'' supra note 215. See also 
``What is Case Surveillance?,'' supra note 215.
    \247\ See ``Reproductive Health, About Us,'' Ctrs. for Disease 
Control and Prevention (Apr. 20, 2022), https://www.cdc.gov/reproductivehealth/drh/about-us/index.htm; and ``Reproductive 
Health, CDCs Abortion Surveillance System FAQs,'' Ctrs. for Disease 
Control and Prevention (Nov. 17, 2022), https://www.cdc.gov/reproductivehealth/data_stats/abortion.htm.
    \248\ See 45 CFR 164.502(b).
    \249\ See 45 CFR 164.514(a).
---------------------------------------------------------------------------

    By contrast, efforts to conduct criminal, civil, and administrative 
investigations or impose criminal, civil, and administrative liability 
on any person for the mere act of seeking, obtaining, providing, or 
facilitating health care generally target specific persons for 
particular conduct; they are not designed to address population-level 
health concerns and are not limited to information authorized to be 
collected by a public health or similar government authority for a 
public health activity. Thus, the exceptions in section 1178(b) for 
``public health'' investigations, interventions, or surveillance do not 
limit the Department's ability to prohibit uses or disclosures of PHI 
for other purposes, such as judicial and administrative proceedings or 
law enforcement purposes. While the Department has chosen as a policy 
matter to continue to permit uses or disclosures of PHI for law 
enforcement and other purposes in certain contexts, it is adopting a 
different balance where such uses or disclosures are about reproductive 
health care that is lawful under the circumstances in which it was 
provided.
    While retaining the focus on activities to prevent disease and 
promote the health of populations, this final rule clarifies that 
population-level activities ``include identifying, monitoring, 
preventing, or mitigating ongoing or prospective threats to the health 
or safety of a population, which may involve the collection of 
protected health information.'' This clarification addresses 
commenters' concerns that regulated entities would no longer be able to 
report information that states need to conduct public health functions 
intended to protect against prospective or ongoing threats at the 
population level, even if at times they necessarily will focus on 
individuals while doing so (through contact tracing, quarantine or 
isolation, and the like). The Department does not intend this 
clarification to prevent disclosures of PHI from covered entities to 
public health authorities for public health activities that have long 
been and continue to be permitted under the Privacy Rule. These changes 
clarify that public health, as used in the specified terms, broadly 
includes activities to prevent disease in and promote the health of 
populations. The changes also confirm that the Department does not 
require a public health authority to supply an attestation to a covered 
entity to receive PHI of an individual where that disclosure is 
intended to prevent disease in or promote the health of populations.
    The intended purpose of including ``population-level'' was to 
facilitate

[[Page 33003]]

public health activities that protect large numbers of people from 
epidemics, environmental hazards, and the like. However, we believe 
that the language that clarifies that population-level activities 
``include identifying, monitoring, preventing, or mitigating ongoing or 
prospective threats to the health or safety of a population, which may 
involve the collection of protected health information,'' sufficiently 
serves this purpose of addressing uses and disclosures of PHI that are 
necessary to accomplish the overarching goals of public health.
    The last sentence of the proposed definition, which described what 
are not public health activities, is also revised in the final rule for 
consistency with the general distinction between activities of public 
health surveillance, investigation, and intervention and activities of 
investigating or imposing liability on a person for the mere act of 
seeking, obtaining, providing, or facilitating health care, or 
identifying a person for such activities, as well as the standard the 
Department is adopting at 45 CFR 164.502(a)(5)(iii), which is discussed 
further in that section of this rule. Thus, while a state might assert 
that investigating or imposing liability on persons for the mere act of 
seeking, obtaining, providing, or facilitating health care satisfies 
the definition of ``public health,'' their interpretation would not 
supersede the definition of ``public health'' in the context of public 
health surveillance, investigations, or interventions that the 
Department is adopting under its own Federal statutory authority to 
administer the HIPAA Rules.
    Comment: A few organizations expressed support for the proposed 
definition of ``public health'' without further elaboration. Several 
commenters expressed support for the proposed definition of ``public 
health'' because it would prevent PHI from being disclosed for a 
prohibited purpose. A few commenters expressed support for the proposal 
because they believed that information reported for public health 
purposes could be requested, re-identified (in the case of de-
identified information), or further disclosed to law enforcement for 
purposes for which the Department proposed to prohibit uses and 
disclosures.
    Several commenters expressed support for the proposed definition of 
``public health'' and the existing standard that limits public health 
disclosures of PHI to the minimum necessary information to achieve the 
purpose.
    Response: Consistent with the NPRM, the Department agrees with the 
commenters who stated that it is important to define ``public health'' 
in the context of public health surveillance, investigation, or 
intervention to ensure that PHI is not disclosed for a purpose 
prohibited under 45 CFR 164.502(a)(5)(iii). Disclosures of PHI for 
public health purposes continue to be subject to the minimum necessary 
standard, which limits the use and disclosure of PHI to the minimum 
necessary to achieve the specified purpose; in some circumstances, de-
identified information may suffice. However, many public health 
activities do require identifiable data, such as for interventions 
involving individuals, to protect against prospective or ongoing 
threats to health or safety at the population level, and the Privacy 
Rule does not prohibit such uses and disclosures.
    When making disclosures to public officials that are permitted 
under 45 CFR 164.512, if the public official represents that the 
information requested is the minimum necessary for the stated purpose, 
regulated entities are permitted, but not required, to rely on that 
representation, if such reliance is reasonable under the 
circumstances.\250\ Such reliance may not be reasonable where the 
request appears to be overly broad when compared to the stated purpose 
of the request (e.g., where a public health authority requests the 
disclosure of PHI of all individuals who received treatment for uterine 
bleeding when the stated purpose is to investigate infection control 
practices by an obstetrician/gynecologist in a state where law 
enforcement has publicly announced its intention to investigate 
individuals for traveling out of state to seek or obtain reproductive 
health care that is lawful under the circumstances in which it is 
provided).
---------------------------------------------------------------------------

    \250\ 45 CFR 164.514(d)(3)(iii)(A); see also 45 CFR 
164.514(h)(2)(ii) and (iii).
---------------------------------------------------------------------------

    Comment: A few commenters asserted that law enforcement generally 
interprets public health investigations to include criminal 
investigations and prosecutions and the NPRM proposed definition would 
complicate such investigations by limiting the amount of PHI that could 
be disclosed to law enforcement.
    Response: The Department has adopted a definition of ``public 
health'' in the context of public health surveillance, investigation, 
and intervention that sets clear parameters between such activities and 
law enforcement activities conducted to impose liability for the mere 
act of seeking, obtaining, providing, or facilitating health care. 
Public health surveillance, investigation, and intervention do not 
include efforts to attach liability to persons for specific acts of 
seeking, obtaining, providing, or facilitating health care.
    This definition is consistent with the longstanding distinction 
made by the Department between public health activities and law 
enforcement activities as described above.
    Comment: Several commenters expressed support for the Department's 
proposal generally but recommended further clarifications or revisions 
to it, especially regarding the limitation to ``population-level'' 
activities. A few commenters raised questions about the difference 
between the proposed definition of ``public health'' and the permission 
for public health activities under 45 CFR 164.512(b)(1)(i) and 
recommended that the Department clarify the definition to ensure that 
public health agencies are able to obtain health information for 
administrative or civil proceedings, such as quarantine or isolation in 
cases involving infectious diseases.
    Response: The Department has modified the definition of ``public 
health'' in the context of public health surveillance, investigation, 
or intervention to clarify that such activities include identifying, 
monitoring, preventing, or mitigating ongoing or prospective threats to 
the health or safety of a population, which may involve the collection 
of PHI. This change addresses commenters' concerns that under the 
proposed definition, regulated entities would no longer be able to 
report PHI that is required to address population-level concerns.
    Comment: Several commenters raised concerns that the proposed 
definition of ``public health'' would circumvent states' interests 
related to public health. A few commenters expressed opposition to the 
Department's clarification of public health because they believed that 
states should have the ability to conduct surveillance, investigations, 
or interventions concerning certain types of health care for public 
health purposes. Several commenters asserted that the proposal would 
frustrate the ability of states to enforce their laws prohibiting 
access to certain types of health care. Conversely, a commenter 
requested that the Department explicitly exclude reproductive health 
care from the proposed definition of ``public health,'' so it would not 
be reportable to public health agencies.
    Response: We disagree with commenters' assertions that this final 
rule will prevent the reporting of vital statistics or other public 
health

[[Page 33004]]

activities. A covered entity may continue to use or disclose PHI for 
all the public health activities and purposes listed in section 
1178(b). We also decline to explicitly exclude reproductive health care 
from the definition of ``public health'' because doing so could hinder 
beneficial public health activities. Instead, this definition supports 
this final rule's prohibition against certain uses and disclosures of 
PHI by clarifying that public health surveillance, investigation, and 
intervention exclude conducting a criminal, civil, or administrative 
investigation into any person, or the imposing criminal, civil, or 
administrative liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating health care, or identifying any 
person for such activities. Such excluded activities include those with 
the purposes that are prohibited at 45 CFR 164.502(a)(5)(iii).
    Comment: A few commenters believed that defining ``investigation,'' 
``intervention,'' or ``surveillance'' was unnecessary or recommended 
against doing so and requested that the Department clarify that such 
terms do not encompass any prohibited purposes. One commenter requested 
that the Department define these terms to expressly exclude information 
related to reproductive health care.
    Response: We are not defining the terms ``investigation,'' 
``intervention,'' or ``surveillance'' in this rule. However, we are 
providing extensive interpretation in the preamble to clarify that such 
activities in the public health context do not encompass conducting a 
criminal, civil, or administrative investigation into any person, or 
imposing criminal, civil, or administrative liability on any person for 
the mere act of seeking, obtaining, providing, or facilitating health 
care, or identifying any person for such activities, including those 
for which use or disclosure of PHI is prohibited by 45 CFR 
164.502(a)(5)(iii).
Reporting of Child Abuse
    In accordance with section 1178(b) of HIPAA, the Privacy Rule 
permits a regulated entity to use or disclose PHI to report known or 
suspected child abuse or neglect if the report is made to a public 
health authority or other appropriate government authority that is 
authorized by law to receive such reports.\251\ The Privacy Rule limits 
disclosures of PHI made pursuant to this permission to the minimum 
necessary to make the report.\252\
---------------------------------------------------------------------------

    \251\ See 45 CFR 164.512(b)(1)(ii).
    \252\ See 45 CFR 164.502(b) and 164.514(d).
---------------------------------------------------------------------------

    As the Department explained in the 2023 Privacy Rule NPRM, at the 
time HIPAA was enacted, ``most, if not all, states had laws that 
mandated reporting of child abuse or neglect to the appropriate 
authorities.'' \253\ Additionally, when Congress enacted HIPAA, it had 
already addressed child abuse reporting in other laws, such as the 
Victims of Child Abuse Act of 1990 \254\ and the Child Abuse Prevention 
and Treatment Act.\255\ For example, 34 U.S.C. 20341(a)(1), a provision 
of the original Victims of Child Abuse Act of 1990 that is still in 
place today, requires certain professionals to report suspected abuse 
when working on Federal land or in a federally operated (or contracted) 
facility.\256\ As used in these statutes, the term ``child abuse'' does 
not include activities related to reproductive health care, such as 
abortion.
---------------------------------------------------------------------------

    \253\ 65 FR 82462, 82527 (Dec. 28, 2000).
    \254\ Public Law 101-647, 104 Stat. 4789 (codified at 18 U.S.C. 
3509).
    \255\ Public Law 93-247, 88 Stat. (codified at 42 U.S.C. 5101 
note).
    \256\ See 34 U.S.C. 20341(a)(1), originally enacted as part of 
the Victims of Child Abuse Act of 1990 and codified at 42 U.S.C. 
13031, which was editorially reclassified as 34 U.S.C. 20341, Crime 
Control and Law Enforcement. For the purposes of such mandated 
reporting, see 34 U.S.C. 20341(c)(1) for definition of ``child 
abuse.''
---------------------------------------------------------------------------

    In the 2023 Privacy Rule NPRM, the Department discussed that it has 
long interpreted ``child abuse,'' as used in the Privacy Rule and 
section 1178(b) of HIPAA, to exclude conduct based solely on a person 
seeking, obtaining, providing, or facilitating reproductive health 
care.\257\ This interpretation is consistent with the public health 
aims of improving access to health care for individuals, including 
reproductive health care, and with relevant statutes at the time HIPAA 
was enacted, as described above. The Department also stated that this 
interpretation prohibits a regulated entity from disclosing PHI in 
reliance on the permission for reporting ``child abuse'' where the 
alleged victim does not meet the definition of ``person'' or ``child,'' 
consistent with both 1 U.S.C. 8 and section 1178(b). Additionally, 
consistent with previous rulemaking under HIPAA, the Department 
clarified in the preamble that it did not intend for the interpretation 
to disrupt longstanding state or Federal child abuse reporting 
requirements that apply to regulated entities.\258\
---------------------------------------------------------------------------

    \257\ 88 FR 23506, 23526 (Apr. 17, 2023).
    \258\ 65 FR 82462, 82527 (Dec. 28, 2000).
---------------------------------------------------------------------------

    The Department also made several clarifications in preamble 
concerning our interpretation of section 1178(b) and the Privacy Rule's 
public health permission and how we distinguish between public health 
reporting and disclosures for law enforcement purposes or judicial and 
administrative proceedings.
    Comment: Many commenters supported the Department's clarification 
and agreed that it would preserve trust between individuals and health 
care providers, but also requested additional clarification from the 
Department on its implementation. Few opposed the clarification; those 
who did expressed concerns about the potential for the clarification to 
prevent state-mandated reporting in certain circumstances. Many 
commenters expressed mixed views about the Department's interpretation.
    Response: The Department is moving forward with its interpretation 
as described in the NPRM. As noted above, this final rule does not 
alter the Privacy Rule's reliance on other applicable law with respect 
to determining who has the authority to act on behalf of an individual 
who is an unemancipated minor in making decisions related to health 
care, including lawful reproductive health care.\259\ The Privacy Rule 
does not permit a regulated entity to disclose PHI as part of a report 
of suspected child abuse based solely on the fact that a parent seeks 
reproductive health care (e.g., treatment for a sexually transmitted 
infection) for a child. However, the regulated entity is permitted to 
make such disclosure where there is suspicion of sexual abuse that 
could be the basis of permitted reporting.
---------------------------------------------------------------------------

    \259\ See 45 CFR 164.502(g).
---------------------------------------------------------------------------

    Congress defined the term ``child'' in 1 U.S.C. 8, and the term 
``child'' in the Privacy Rule is consistent with that definition. As 
such, the Department believes that to the extent this clarification 
prohibits a regulated entity from disclosing PHI to report ``child 
abuse'' under this permission in the Privacy Rule where the alleged 
victim does not meet the definition of ``person,'' it is consistent 
with both 1 U.S.C. 8 and section 1178(b).
    The Department also reaffirms its clarification that the Privacy 
Rule permission to report known or suspected child abuse or neglect 
permits a disclosure only for the purpose of making a report, and the 
PHI disclosed must be limited to the minimum necessary information for 
the purpose of making a report.\260\ These provisions do not permit the 
covered entity to disclose PHI in response to a request for the use or 
disclosure of PHI to conduct a criminal, civil, or administrative 
investigation into or impose criminal, civil, or administrative 
liability on a

[[Page 33005]]

person based on suspected child abuse. Instead, as we explained in the 
2023 Privacy Rule NPRM, any disclosure of PHI in response to this type 
of request from an investigator, must meet the applicable Privacy Rule 
conditions for disclosures for judicial and administrative proceedings 
or law enforcement purposes, as applicable.\261\ That is the case 
whether such disclosure is in follow up to the report made by the 
covered entity (other than to clarify the PHI provided on the report) 
or part of an investigation initiated based on an allegation or report 
made by a person other than the covered entity.\262\
---------------------------------------------------------------------------

    \260\ See 45 CFR 164.502(b) and 164.514(d).
    \261\ See 45 CFR 164.512(e) and (f).
    \262\ See 45 CFR 164.512(e) and (f).
---------------------------------------------------------------------------

    Moreover, this clarification does not affect the ability of state 
authorities to invoke other permissions for disclosure under the 
Privacy Rule, such as the permission for disclosures for law 
enforcement purposes, where they are seeking PHI related to unlawful 
reproductive health care.\263\ Thus, the Department's interpretation of 
``child abuse'' continues to support the protection of children while 
also serving HIPAA's objectives of protecting the privacy of PHI to 
promote individuals' trust in the health care system and preserving the 
relationship between individuals and their health care providers.
---------------------------------------------------------------------------

    \263\ 65 FR 82462, 82527 (Dec. 28, 2000).
---------------------------------------------------------------------------

    Comment: A few commenters recommended that the Department expand 
the clarification of child abuse to broadly address providing or 
facilitating all health care, rather than just reproductive health 
care.
    Response: It is beyond the scope of this rule making to expand the 
clarification to include the provision or facilitation of all lawful 
health care. We appreciate the recommendations of commenters and will 
take them under advisement for potential future rulemaking.
3. Adding a Definition of ``Reproductive Health Care''
    Section 160.103 of the HIPAA Rules defines ``health care'' as 
``care, services, or supplies related to the health of an individual.'' 
\264\ The definition clarifies that the term ``includes but is not 
limited to'' several identified types of care, services, and procedures 
\265\ and includes examples such as therapeutic, rehabilitative, or 
maintenance care, as well as sale or dispensing of drugs or devices.
---------------------------------------------------------------------------

    \264\ 45 CFR 160.103 (definition of ``Health care'').
    \265\ These groupings are (1) ``[p]reventive, diagnostic, 
therapeutic, rehabilitative, maintenance, or palliative care, and 
counseling, service, assessment, or procedure with respect to the 
physical or mental condition, or functional status, of an individual 
or that affects the structure or function of the body'' and (2) 
``[the s]ale or dispensing of a drug, device, equipment, or other 
item in accordance with a prescription.'' It would also include 
supplies purchased over the counter or furnished to the individual 
by a person that does not meet the definition of a health care 
provider under the HIPAA Rules. 45 CFR 164.103 (definition of 
``Health care provider'').
---------------------------------------------------------------------------

    The Department proposed to add and define a new term, 
``reproductive health care,'' that would be a subset of the term 
``health care.'' \266\ The Department proposed to define ``reproductive 
health care'' as ``care, services, or supplies related to the 
reproductive health of the individual.'' The Department noted in the 
NPRM preamble that the HIPAA Rules define ``health care'' broadly.\267\
---------------------------------------------------------------------------

    \266\ 88 FR 23506, 23527-28 (Apr. 17, 2023).
    \267\ 88 FR 23506, 23527 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Consistent with the definition of ``health care'' in the HIPAA 
Rules, the proposed definition of ``reproductive health care'' would 
have applied broadly and included not only reproductive health care and 
services furnished by a health care provider and supplies furnished in 
accordance with a prescription, but also care, services, or supplies 
furnished by other persons and non-prescription supplies purchased in 
connection with an individual's reproductive health. The Department 
proposed to use the term ``reproductive health care'' rather than 
``reproductive health services'' to ensure that the term was 
interpreted broadly to capture all health care that could be furnished 
to address reproductive health, including the provision of medications 
and devices, whether prescription or over-the-counter.
    The Department discussed in preamble some of the types of care, 
services, and supplies that were included in the proposed term. In 
keeping with the Department's intention for ``reproductive health 
care'' to be inclusive of all types of health care related to an 
individual's reproductive system, the 2023 Privacy Rule NPRM preamble 
indicated that the term would include, but not be limited to: 
contraception, including emergency contraception; pregnancy-related 
health care; fertility or infertility-related health care; and other 
types of care, services, or supplies used for the diagnosis and 
treatment of conditions related to the reproductive system. We also 
provided a non-exhaustive list of examples of health care within each 
of these categories of reproductive health care.
    Consistent with the definition of ``health care'' adopted in 2000 
in the HIPAA Rules, the Department did not propose a specific 
definition of ``reproductive health'' but invited comment on whether 
including a particular definition of ``reproductive health'' would be 
beneficial.
    Many commenters supported the proposal and agreed that it would 
provide the necessary protections for individuals and others. Some 
referenced existing definitions used by other legal authorities and 
recommended the Department consider adopting or incorporating them in 
some manner.
    Some commenters opposed the proposal to provide an inclusive 
definition of reproductive health care. Some commenters asserted that 
the proposal lacked clarity and was too open-ended, making it difficult 
to operationalize. Other commenters expressed concern that the proposed 
definition would permit minors to consent to reproductive health care 
without parental consent.
    The final rule adopts the new term ``reproductive health care'' and 
definition with three modifications. First, we replace ``care, 
services, or supplies related to the reproductive health of the 
individual'' with ``health care'' and add a citation to the HIPAA 
Rules' definition of that term to clarify that reproductive health care 
is a subset of ``health care.''
    Second, we specify that the term means health care ``that affects 
the health of the individual in all matters relating to the 
reproductive system and to its functions and processes.'' In keeping 
with the Department's intention for ``reproductive health care'' to be 
interpreted broadly and inclusive of all types of health care related 
to an individual's reproductive system, this additional language 
clarifies that the definition encompasses the full range of health care 
related to an individual's reproductive health.
    Third, we add a statement reaffirming that the definition should 
not be construed to establish a standard of care for or regulate what 
constitutes clinically appropriate reproductive health care.
    As discussed in the NPRM, this approach is consistent with the 
approach the Department took when it adopted the definition of ``health 
care'' in the HIPAA Rules. At that time, the Department explained that 
listing specific activities would create the risk that important 
activities would be left out and could also create confusion.\268\
---------------------------------------------------------------------------

    \268\ 65 FR 82571 (Dec. 28, 2000).
---------------------------------------------------------------------------

    By describing more fully the breadth of reproductive health care, 
the definition may decrease the perceived burden to regulated entities 
of complying with the rule by helping them determine whether a request 
for

[[Page 33006]]

the use or disclosure of PHI includes PHI that is implicated by this 
final rule.
    To further clarify what is included in reproductive health care for 
regulated entities, we provide a non-exclusive list of examples that 
fit within the definition: contraception, including emergency 
contraception; preconception screening and counseling; management of 
pregnancy and pregnancy-related conditions, including pregnancy 
screening, prenatal care, miscarriage management, treatment for 
preeclampsia, hypertension during pregnancy, gestational diabetes, 
molar or ectopic pregnancy, and pregnancy termination; fertility and 
infertility diagnosis and treatment, including assisted reproductive 
technology and its components \269\ (e.g., in vitro fertilization 
(IVF)); diagnosis and treatment of conditions that affect the 
reproductive system (e.g., perimenopause, menopause, endometriosis, 
adenomyosis); and other types of care, services, and supplies used for 
the diagnosis and treatment of conditions related to the reproductive 
system (e.g., mammography, pregnancy-related nutrition services, 
postpartum care products).
---------------------------------------------------------------------------

    \269\ See ``What is Assisted Reproductive Technology?'' Centers 
for Disease Control and Prevention (Oct. 8, 2019), https://www.cdc.gov/art/whatis.html and ``Fact Sheet: In Vitro Fertilization 
(IVF) Use Across the United States,'' U.S. Dep't of Health and Human 
Servs. (Mar. 13, 2024), https://www.hhs.gov/about/news/2024/03/13/fact-sheet-in-vitro-fertilization-ivf-use-across-united-states.html.
---------------------------------------------------------------------------

    Additionally, the language in the definition stating that the 
definition should not be construed to set forth a standard of care or 
regulate what constitutes clinically appropriate reproductive health 
care should not be read as limiting ``reproductive health care'' to 
only health care that is determined to be appropriate by a health care 
professional. Rather, it may be the individual who determines whether 
the health care they receive, such as over-the-counter contraceptives, 
is appropriate. Like the definition of ``health care,'' the definition 
of reproductive health care is intended to be broad. Finally, we 
clarify that meeting the definition is not sufficient for information 
about such health care to be protected under the HIPAA Rules or this 
final rule. Rather, the information about such health care still needs 
to meet the definition of PHI.\270\
---------------------------------------------------------------------------

    \270\ 45 CFR 160.103 (definition of ``Protected health 
information'').
---------------------------------------------------------------------------

    Comment: Some commenters expressed support for the proposed 
definition of ``reproductive health care.'' Several commenters 
specifically expressed their support for a broad definition of the term 
for various reasons, including: ensuring that providers of reproductive 
health care can continue to serve vulnerable communities and reduce 
health care disparities; providing clarity; and mitigating the need for 
clinical expertise and interpretation for each request for reproductive 
health information. Other commenters expressed support for the term 
because it would improve access to care and better reflect the breadth 
of services that support an individual's reproductive health, enable 
health care providers to continue to maintain appropriate data 
safeguards, and enable individuals to feel comfortable disclosing their 
information without fear of incrimination.
    Many other commenters expressed opposition to the proposed 
definition because it was too expansive and would encompass procedures 
that they did not consider to be reproductive health care. Many 
commenters explicitly requested that the definition exclude certain 
types of health care. A few commenters recommended that the Department 
narrow the proposed definition to apply only to records directly 
involving certain specified services and clarify that the final 
definition does not include other procedures or treatments related to 
pregnancy or contraception. Another commenter expressed opposition to 
the proposed definition of ``reproductive health care'' because they 
believe that reproductive health information is no more sensitive than 
other medical information and should not be treated differently.
    One commenter opposed the proposed definition of ``reproductive 
health care'' because they thought it would prevent health care 
providers from disclosing PHI to other health care providers for 
treatment, which would erode individual trust.
    Several commenters requested that the Department expand the 
proposed definition, be more specific in its meaning (e.g., provide 
additional information about the types of care, services, or supplies 
included in the definition), or replace it with a more expansive term 
(e.g., ``sensitive personal health care'' meaning ``care, services, or 
supplies related to the health of the individual which could expose any 
person to civil or criminal liability for the mere act of seeking, 
obtaining, providing, or facilitating such health care''). A commenter 
urged the Department to define the term ``sexual and reproductive 
health care'' to ensure that individuals have reproductive health care 
privacy, regardless of their sexual orientation or gender identity.
    Commenters offered several alternative definitions or terms, such 
as ``including but not limited to services related to contraception, 
sterilization, preconception care, maternity care, abortion care, and 
counseling regarding reproductive health care''; the definition of 
``reproductive health care services'' at 18 U.S.C. 248(e)(5); 
``reproductive and sexual health care services'' as defined in 
California Health and Safety Code section 1367.31; and limiting the 
definition to capture only health care that is at risk of being 
investigated or prosecuted because of Dobbs. Other commenters requested 
additional precision or clarity in the definition. For example, a 
commenter recommended that the definition include the specific codes 
and data points that would constitute reproductive health care that 
would be prohibited from disclosure under the proposed rule (e.g., 
International Classification of Diseases (ICD) codes related to 
reproductive health, ABO blood type and Rh factor).
    Several commenters urged the Department to narrow the proposed 
definition because of operational concerns, including the redirection 
of resources to making or obtaining legal determinations about whether 
a particular type of care was reproductive health care. Some explained 
that health information management staff generally do not have the 
clinical expertise to determine what would constitute ``reproductive 
health care,'' while another stated that physicians would also have 
trouble discerning what health care would meet the proposed definition. 
Another commenter recommended that the Department include only PHI that 
is already reliably segregated in EHRs in the definition.
    Many commenters requested that the Department further explain the 
proposed definition either in preamble or the regulatory text. One 
commenter suggested that in lieu of a definition of ``reproductive 
health care,'' the Department include an extensive discussion of 
examples in the preamble and provide entities flexibility to implement 
policies or procedures that may be affected by the definition of 
``reproductive health care'' in accordance with their operational 
structures. A few commenters also recommended that the Department 
provide examples in preamble discussion, rather than regulatory text. 
One commenter recommended that the Department provide specific examples 
to illustrate its meaning where there could be ambiguity. Several 
commenters recommended that examples be included in the regulatory text 
and provided specific examples of the types

[[Page 33007]]

of health care they thought should be included. Some commenters 
recommended the Department include examples but did not specify whether 
they should be in the preamble or in the regulatory text, while other 
commenters requested that the Department include a non-exhaustive list 
of examples of reproductive health care in both the regulation and 
preamble.
    Response: After consideration, we have finalized a definition 
grounded in the Privacy Rule's long-established term ``health care.'' 
We provide a non-exhaustive list of examples in preamble above. We do 
not explicitly address all of the many types of health care suggested 
in comments to avoid creating the impression of a complete list. This 
is also consistent with our approach regarding the definition of 
``health care.'' We emphasize that this definition does not set or 
affect standards of care, nor does it affect uses and disclosures of 
PHI for treatment purposes. Operational concerns expressed by some 
commenters are addressed in response to comments on the prohibition.
4. Whether the Department Should Define Any Additional Terms
    The Department requested comments about whether it would be helpful 
for the Department to define ``reproductive health'' or any additional 
terms.\271\
---------------------------------------------------------------------------

    \271\ 88 FR 23506, 23528 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Comment: Several commenters recommended that the Department define 
``reproductive health'' because it would ensure that all covered 
entities would be required to implement changes, or that the PHI of 
individuals receiving certain types of health care would not be 
disclosed to states where individuals who receive such health care is 
being penalized.
    Several commenters urged the Department to add the definition of 
reproductive health adopted by the United Nations and World Health 
Organization, while others recommended the adoption of the definition 
articulated by the International Conference on Population and 
Development in 1994. One commenter expressed opposition to adding a 
definition of reproductive health as unnecessary, and another instead 
recommended adoption of a precise definition of ``reproductive health 
care.''
    Another commenter recommended expanding the definition of PHI to 
include certain digital data of entities not regulated under HIPAA 
(e.g., information from period tracking apps). One commenter 
recommended revising the definition of ``health oversight agency'' to 
exclude agencies that investigate or prosecute activities related to 
reproductive health care. Some commenters requested that the Department 
define additional terms or clarify existing terms.
    Rather than define additional terms, one commenter recommended that 
the Department ensure that all the proposed definitions would be 
aligned with the Office of the National Coordinator for Health 
Information Technology (ONC) and CMS-mandated data elements for 
Certified Electronic Health Record Technology products and in the 
electronic clinical quality measures that health care providers are 
required to report to CMS.
    Response: We appreciate the feedback from commenters, but upon 
further consideration, have concluded that defining any of the 
additional terms or clarifying additional existing ones is not 
necessary to support the implementation of this final rule. We also 
clarify that because HIPAA only authorizes the Department to protect 
IIHI used or disclosed by covered entities and their business 
associates, we are not able to regulate information that individuals 
themselves store and share using consumer health apps.

B. Section 164.502--Uses and Disclosures of Protected Health 
Information: General Rules

    Section 164.502 of the Privacy Rule contains the general rules 
governing uses and disclosures of PHI. Paragraph (a)(1) of this section 
sets forth the list of permitted uses and disclosures.
1. Clarifying When PHI May Be Used or Disclosed by Regulated Entities
    Section 164.502(a)(1)(iv) generally permits a regulated entity to 
use or disclose PHI pursuant to and in compliance with a valid 
authorization under 45 CFR 164.508, except for uses and disclosures of 
genetic information by a health plan for underwriting purposes 
prohibited under 45 CFR 164.502(a)(5)(i). Thus, an authorization that 
purports to allow a health plan to use or disclose PHI for that 
prohibited purpose is not valid under the Privacy Rule.
    The Department proposed to modify 45 CFR 164.502(a)(1)(iv) to 
incorporate an additional limitation on the ability of a regulated 
entity to use and disclose PHI pursuant to an individual's 
authorization.\272\ Specifically, the Department's proposal would 
prohibit a regulated entity from using or disclosing PHI pursuant to an 
individual's authorization where the purpose of the disclosure is for a 
criminal, civil, or administrative investigation or proceeding against 
any person in connection with seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which such health care is provided, or to identify any 
person for the purpose of initiating such activities. As explained in 
the 2023 Privacy Rule NPRM, the proposed modification was intended to 
prevent the misuse of the general permission for a regulated entity to 
use or disclose PHI pursuant to an individual's authorization to bypass 
the proposed prohibition against using and disclosing PHI for purposes 
that would be prohibited by proposed 45 CFR 164.502(a)(5)(iii).
---------------------------------------------------------------------------

    \272\ 88 FR 23506, 23528-29 (Apr. 17, 2023).
---------------------------------------------------------------------------

    The Department explained in the proposed rule that this change to 
the authorization permission was necessary to protect individuals' 
privacy by precluding any possibility that a third party, such as a law 
enforcement official, could coerce or attempt to coerce an individual 
into signing an authorization, thereby enabling the third party to 
circumvent the prohibition proposed at 45 CFR 164.502(a)(5)(iii).
    The Department also proposed to modify the general rules in 45 CFR 
164.502(a)(1)(vi) to expressly condition certain uses and disclosures 
made under 45 CFR 164.512 on the receipt of an attestation pursuant to 
proposed 45 CFR 164.509, which is discussed below in greater detail. 
For clarity, the Department proposed to revise 45 CFR 164.502(a)(1)(vi) 
by replacing the sentence containing the conditions for certain 
permitted uses and disclosures with a lettered list.
    Public comments about the use of authorization to use and disclose 
PHI for the purposes the Department proposed to prohibit in the 2023 
Privacy Rule NPRM were generally divided between opposing views and 
supportive views, although only a few comments expressed full support 
for the proposal, as drafted. While many commenters shared the 
Department's concerns about the potential for individuals to be coerced 
into providing an authorization, some of these commenters nonetheless 
opposed the proposal because it could limit beneficial disclosures, 
cause uncertainty about the validity of an authorization, increase the 
burden on regulated entities, or seem to conflict with state laws that 
permit the disclosure of certain health information with the 
individual's explicit written consent.
    The Department received no comments on its proposal to replace the

[[Page 33008]]

sentence at 45 CFR 164.502(a)(1)(vi) with a lettered list. Comments on 
the Department's proposal to condition certain disclosures made under 
45 CFR 164.512 on the receipt of an attestation as required by proposed 
45 CFR 164.509 are discussed below in greater detail.
    The Department is not finalizing its proposal to prohibit a 
regulated entity from using or disclosing an individual's PHI for the 
specified purposes pursuant to and in compliance with an individual's 
authorization. We agree with the majority of public comments discussed 
in detail below that generally expressed the view that the Privacy 
Rule's authorization requirements empower individuals to make decisions 
about who has access to their PHI. We acknowledge that maintaining the 
permission for regulated entities to obtain an individual's 
authorization to use and disclose PHI could leave an individual exposed 
to the potential for duress or coercion by a third party. It could also 
expose a health care provider or other person who provides or 
facilitates reproductive health care to liability in the event the 
authorization is used to affect a disclosure for a prohibited purpose 
in connection with lawful reproductive health care. However, we believe 
that continuing to permit uses and disclosures pursuant to an 
individual's authorization best preserves individual autonomy 
concerning uses and disclosures of their PHI. Consistent with our 
practice described above, the Department will monitor closely the 
interaction of the revised Privacy Rule and the evolving legal 
landscape to ensure an appropriate balance of protecting the privacy 
interests of individuals and permitting access to PHI for non-health 
care purposes.
    As we discussed in the proposed rule, there is a relationship 
between the provision allowing an individual to authorize a regulated 
entity to use or disclose the individual's PHI to a third party and the 
HITECH Act requirement that a regulated entity comply with an 
individual's direction to transmit to another person an electronic copy 
of the individual's PHI in an EHR (``individual access right to 
direct'').\273\ Both enhance an individual's autonomy by providing them 
with the ability to determine who can access the individual's PHI as 
specified in the authorization or access request. Both also create an 
opportunity for coercion or attempted coercion of an individual by 
another person (e.g., a law enforcement official could attempt to 
coerce an individual into providing the law enforcement official with 
access to the individual's PHI by offering the individual a reduced 
sentence for an alleged crime). And while we remain concerned about the 
potential for coercion or attempted coercion, even if the Department 
were to finalize the proposed limitation on uses and disclosures with 
an authorization, the individual would retain the individual access 
right to direct, which is enshrined in statute. We also believe it 
would be inconsistent with the spirit of individual access right to 
direct for the Department to limit the ability of an individual to 
authorize a regulated entity to disclose their PHI to another person.
---------------------------------------------------------------------------

    \273\ 42 U.S.C. 17935(e).
---------------------------------------------------------------------------

    For the foregoing reasons, we are not finalizing this proposal, and 
the language in 45 CFR 164.502(a)(1)(iv) remains unchanged.
    Comment: While some commenters expressed concern about the 
potential for coercion described in the proposed rule, they did not all 
agree that it would be appropriate to address this concern by 
prohibiting such disclosures pursuant to an authorization. Some 
commenters asserted that coercion concerns would not be eliminated by 
curtailing the ability of individuals to authorize disclosures of their 
PHI in certain circumstances.
    Some commenters explained that prohibiting individuals from 
requesting disclosures of their PHI pursuant to an authorization for 
prohibited purposes would create a significant burden for regulated 
entities, primarily because of the frequent failure of persons 
requesting the use or disclosure of PHI to provide sufficient detail 
regarding the purpose of the request to allow them to determine if it 
would be for a prohibited purpose.
    A few commenters asserted that a HIPAA authorization is the safest 
approach to ensuring an individual is aware of and agrees to the use or 
disclosure of their PHI. One of those commenters recommended that the 
Department permit a regulated entity to disclose PHI pursuant to a 
valid authorization unless the covered entity has actual knowledge that 
an authorization was not voluntary. A commenter recommended adding a 
disclaimer or warning to the authorization to provide assurances that 
an individual was not coerced into disclosing their PHI to law 
enforcement or other third party that might seek to use the PHI for 
improper purposes. Still another commenter recommended that the 
Department require the authorization to indicate the types of sensitive 
information the individual intends to share. One commenter recommended 
that certain disclosures be accompanied by a notice of the individual's 
rights under the Privacy Rule.
    Response: We appreciate comments concerning this proposal and the 
restriction of individuals' ability to maintain control over their PHI 
by prohibiting the use of written authorization. The Privacy Rule's 
written authorization requirements are the most objective means by 
which an individual can provide direction to a regulated entity about 
the use and disclosure of their PHI known to a regulated entity. The 
right of individuals to access their PHI and choose to disclose their 
PHI to another person is a cornerstone of HIPAA, and as such, we are 
not proceeding with this proposal. The Department will continue to 
monitor complaints we receive and the outcome of enforcement actions to 
identify potential coercion and the effect of permitting individuals to 
authorize the disclosure of PHI for purposes that are prohibited under 
45 CFR 164.502(a)(5)(iii) on the relationship between health care 
providers and individuals.
    We also appreciate the comments that asserted that restricting the 
ability of regulated entities to use an authorization to obtain PHI for 
the purposes prohibited in this rulemaking could create a burden for 
the regulated entities.
    To the extent that individuals wish to authorize the use and 
disclosure of their PHI, particularly when a request is not clear, or 
when a request seeks only partial parts of a record, a written 
authorization provides the regulated entity with the opportunity to 
clarify, with both the individual and the person requesting the 
disclosure, the PHI that will be disclosed. State laws that require 
regulated entities to obtain an individual's written consent are 
generally considered more privacy protective, and thus are not 
preempted.
    Comment: Several commenters expressed support for eliminating the 
ability of regulated entities to use or disclose PHI pursuant to an 
authorization in certain circumstances because of the potential for 
harm to individuals as proposed. One commenter described the potential 
negative effects of permitting uses and disclosures pursuant to an 
authorization in certain circumstances on individuals from historically 
marginalized communities. Another commenter asserted that individuals 
frequently do not read consent forms provided to them for signature for 
a variety of reasons, including proficiency. Some commenters expressed 
concerns that individuals who are the subject of a

[[Page 33009]]

criminal investigation or prosecution would be placed in situations 
where it would not be possible to obtain a voluntary authorization 
(e.g., a custodial situation), or that law enforcement could seek to 
persuade an individual to provide them with access to the individual's 
PHI through improper means.
    Response: We continue to share the concern expressed by commenters 
about the potential for coercion or harassment of individuals, 
particularly those in marginalized or underserved communities, to 
provide authorization for the use or disclosure of their PHI. According 
to many reports and data cited by the Department and commenters, such 
individuals more often experience negative interactions with law 
enforcement or other prosecutorial authorities. We urge HIPAA regulated 
entities to be mindful of Privacy Rule requirements that could help 
mitigate the potential for harm resulting from coercion or difficulties 
individuals may experience in understanding an authorization. For 
example, 45 CFR 164.508(b)(2)(v) holds invalid authorizations that 
include ``material information [. . .] known by the covered entity to 
be false''; 45 CFR 164.508(c)(1)(iv) requires that every authorization 
include a description of each purpose of the requested use or 
disclosure; and 45 CFR 164.508(c)(3), requires the authorization be 
written in plain language.\274\ The Department will continue to monitor 
complaints, questions, and enforcement outcomes for potential harm from 
disclosures resulting from authorizations.
---------------------------------------------------------------------------

    \274\ In the preamble to the 2000 Privacy Rule, we explained 
that a covered entity could meet HIPAA plain language requirements 
by organizing material to serve the reader; writing short sentences 
in the active voice; using pronouns; using common, everyday 
language; and dividing material into short sections. 65 FR 82462, 
82548 (Dec. 28, 2000).
---------------------------------------------------------------------------

    Comment: A few commenters requested clarifications of how the 
proposal would affect other disclosures made pursuant to the Privacy 
Rule, including disclosures to the individual's attorney, and whether 
the Department intended it to apply to other consumer-initiated 
requests, such as part of an Application Programming Interface (API).
    A commenter recommended that health care providers be permitted to 
refuse to release PHI to any consumer health app when the information 
could lead to civil or criminal repercussions for the health care 
provider unless the app developer signs a binding agreement that 
protects them.
    Response: We are not finalizing the proposal, but state here that 
the Department did not intend to affect or disrupt the ability of 
covered entities to make other disclosures of PHI pursuant to a written 
authorization under the Privacy Rule. Additionally, as discussed above, 
individuals have the right to obtain a copy of their PHI and the 
individual access right to direct, which could involve releasing PHI to 
a consumer health app or an API. With respect to EHR and technology 
vendors and other third parties who facilitate the exchange of PHI on 
behalf of covered entities, we continue to stress that valid business 
associate agreements are required by the Privacy Rule and necessary to 
protect the privacy of the individuals who are the subject of the PHI. 
ONC also has made clear that it intends to advance technologies that 
support requirements already extant under the HIPAA Privacy Rule.\275\ 
Additionally, the Department continues to urge covered entities that 
have direct contact with individuals to educate such individuals on the 
risks of disclosing their PHI to persons that are not regulated by 
HIPAA.\276\ We will continue to ensure that regulated entities enter 
into business associate agreements as required by the Privacy 
Rule.\277\ We will continue to monitor complaints, questions, and 
enforcement outcomes.
---------------------------------------------------------------------------

    \275\ 89 FR 1192, 1302 (Jan. 9, 2024). See also Off. for Civil 
Rights, ``Information Blocking Regulations Work In Concert with 
HIPAA Rules and Other Privacy Laws to Support Health Information 
Privacy,'' U.S. Dep't of Health and Human Servs. (Apr. 12, 2023), 
https://www.healthit.gov/buzz-blog/information-blocking/information-blocking-regulations-work-in-concert-with-hipaa-rules-and-other-privacy-laws-to-support-health-information-privacy.
    \276\ See, e.g., Off. for Civil Rights, ``Resource for Health 
Care Providers on Educating Patients about Privacy and Security 
Risks to Protected Health Information when Using Remote 
Communication Technologies for Telehealth,'' U.S. Dep't of Health 
and Human Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/resource-health-care-providers-educating-patients/index.html.
    \277\ See 45 CFR 164.502(a)(3) and (e). See also 45 CFR 
164.504(e).
---------------------------------------------------------------------------

    Comment: Many commenters addressed the relationship between the 
Department's proposal to eliminate the option for an individual to 
request disclosure of their information for the prohibited purposes 
pursuant to an authorization and the individual right of access, 
particularly, the right of an individual to direct a regulated entity 
to transmit to a third party an electronic copy of their PHI in an EHR. 
Several commenters recommended that the Department curtail the 
individual access right to direct. Some commenters expressed concern 
about the potential for individuals to be coerced into providing access 
to their PHI to third parties. A few commenters expressed concerns that 
some third parties sell PHI for purposes adverse to individuals' 
interests, including some of the purposes described in the 2023 Privacy 
Rule NPRM.
    A few commenters provided recommendations for ways to educate 
individuals regarding their rights under the Privacy Rule.
    Response: Although we appreciate the comments on this topic, any 
modifications to the individual access right to direct are beyond the 
scope of this rulemaking. We reiterate here that covered entities and 
their technology vendors that meet the definition of business 
associates must ensure that valid business associate agreements are in 
place,\278\ and we urge them to facilitate individuals' awareness of 
the risks of using third-party consumer apps that are not regulated by 
HIPAA.\279\ The Department continues to appreciate the identification 
of better education resources for individuals and health care providers 
and commits to providing educational resources through its website, 
regional offices, and webinars.
---------------------------------------------------------------------------

    \278\ For information about what a business associate is and the 
requirements for business associate agreements, see Off. for Civil 
Rights, ``Business Associate Contracts,'' U.S. Dep't of Health and 
Human Servs. (Jan. 25, 2013), https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
    \279\ Off. for Civil Rights, ``Protecting the Privacy and 
Security of Your Health Information When Using Your Personal Cell 
Phone or Tablet,'' U.S. Dep't of Health and Human Servs. (June 29, 
2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
---------------------------------------------------------------------------

2. Adding a New Category of Prohibited Uses and Disclosures
    Generally, the Privacy Rule prohibits the use or disclosure of PHI 
except as permitted or required by the Privacy Rule. Paragraph (a)(5) 
of section 164.502 contains specific purposes for which the Privacy 
Rule explicitly prohibits the use and disclosure of PHI. Section 
164.502(a)(5)(i) prohibits most health plans from using or disclosing 
PHI that is genetic information for underwriting purposes, while 45 CFR 
164.502(a)(5)(ii) prohibits a regulated entity from selling PHI, except 
when they have obtained a valid authorization from the individual who 
is the subject of the PHI.
    The Department proposed to add a new paragraph, 45 CFR 
164.502(a)(5)(iii), to prohibit regulated entities from using or 
disclosing an individual's PHI for certain additional purposes, and to 
describe the scope, applicability, and limitations of the prohibition. 
Similar to most other

[[Page 33010]]

prohibitions within the Privacy Rule, this prohibition would be 
purpose-based, rather than a blanket prohibition against uses and 
disclosures of certain types of PHI.\280\ The Department's rationale 
for this approach was four-fold: (1) to be consistent with the existing 
Privacy Rule permissible use and disclosure structure with which 
regulated entities are familiar, including the permission to disclose 
to law enforcement for certain purposes; (2) to avoid imposing a 
requirement on regulated entities that would necessitate the adoption 
and implementation of costly technology upgrades to enable data 
segmentation; \281\ (3) to recognize that PHI about an individual's 
reproductive health care may be used or disclosed for a wide variety of 
purposes, and permitting the use or disclosure of PHI for some of those 
purposes would erode individuals' ability to trust in the health care 
system; and (4) to avoid any misperception that the Department is 
setting a standard of care or substituting its judgment for that of 
individuals and licensed health care professionals.
---------------------------------------------------------------------------

    \280\ 88 FR 23506, 23529-33 (Apr. 17, 2023).
    \281\ The Department does not oppose efforts to implement or 
employ technology that is capable of segmenting data. Rather, the 
Department's proposal was informed by the recognition that the 
technology deployed by most regulated entities today is not capable 
of doing so.
---------------------------------------------------------------------------

    Proposed 45 CFR 164.502(a)(5)(iii)(A) would establish a new 
prohibition against the use or disclosure of PHI. Section 
(a)(5)(iii)(A)(1) would prohibit the use or disclosure of PHI where the 
use or disclosure is for a criminal, civil, or administrative 
investigation into or proceeding against any person in connection with 
seeking, obtaining, providing, or facilitating reproductive health 
care. Section 164.502(a)(5)(iii)(A)(2) would prohibit the use or 
disclosure of PHI to identify any person for the purpose of initiating 
a criminal, civil, or administrative investigation into or proceeding 
against any person in connection with seeking, obtaining, providing, or 
facilitating reproductive health care.
    The Department proposed 45 CFR 164.502(a)(5)(iii)(B) to explain 
that ``seeking, obtaining, providing, or facilitating'' would include, 
but not be limited to, expressing interest in, inducing, using, 
performing, furnishing, paying for, disseminating information about, 
arranging, insuring, assisting, or otherwise taking action to engage in 
reproductive health care; or attempting any of the same. As the 
Department explained in the 2023 Privacy Rule NPRM, the proposed 
prohibition would apply to any request for PHI to facilitate a 
criminal, civil, or administrative investigation or proceeding against 
any person, or to identify any person to initiate an investigation or 
proceeding, where the basis for the investigation, proceeding, or 
identification is that the person sought, obtained, provided, or 
facilitated reproductive health care that is lawful under the 
circumstances in which such health care is provided. The Department 
further explained that, consistent with its HIPAA authority, the 
prohibition would preempt state or other laws requiring a regulated 
entity to use or disclose PHI in response to a court order or other 
type of legal process for a purpose prohibited under the proposed rule. 
Conversely, the prohibition would not preempt laws that require the use 
or disclosure of PHI for other purposes, such as: public health 
activities; \282\ investigations of sexual assault committed against an 
individual where such use or disclosure is conditioned upon the receipt 
of an attestation; or investigations into human and sex trafficking, 
child abuse, or professional misconduct or licensing inquiries.\283\
---------------------------------------------------------------------------

    \282\ See supra discussion of ``Public health'' for more 
information on what constitutes a ``public health activity'' under 
the Privacy Rule.
    \283\ 88 FR 23506, 23532 (Apr. 17, 2023).
---------------------------------------------------------------------------

    The Department also proposed to subject this prohibition to a Rule 
of Applicability in 45 CFR 164.502(a)(5)(iii)(C). As the Department 
explained, the proposed prohibition in 45 CFR 164.502(a)(5)(iii) would 
prohibit a regulated entity from using or disclosing PHI for certain 
purposes against any person in connection with seeking, obtaining, 
providing, or facilitating reproductive health care that is ``lawful 
under the circumstances in which such health care is provided.'' \284\ 
The Department further explained that it proposed a framework for 
regulated entities to determine whether the reproductive health care at 
issue was lawful under the circumstances in which such health care was 
provided. The proposed language of the Rule of Applicability under this 
rule would apply where one or more of three specified conditions exist.
---------------------------------------------------------------------------

    \284\ Id. at 23510, 23522, and 23531.
---------------------------------------------------------------------------

    The first condition, as proposed in 45 CFR 
164.502(a)(5)(iii)(C)(1), addressed reproductive health care provided 
outside of the state that authorized the investigation or proceeding 
where such health care is lawful in the state where it is provided. In 
the proposed rule, we also clarified that the proposal would apply the 
prohibition in a situation in which the health care is ongoing, has 
been completed, or has not yet been obtained, provided, or facilitated. 
The proposed prohibition would recognize that any interest of society 
in conducting an investigation or proceeding against a person would 
require balancing with, and generally be outweighed by, the interests 
of society in protecting the privacy interests of individuals when they 
access lawful health care. As discussed above, privacy interests are 
heightened with respect to reproductive health care that is lawful 
under the circumstances in which it is provided as compared to the 
interests of law enforcement, and private parties afforded legal rights 
of action, in investigating or imposing liability for actions related 
to lawful reproductive health care.
    The second condition, proposed in 45 CFR 164.502(a)(5)(iii)(C)(2), 
addressed reproductive health care protected, required, or authorized 
by Federal law, regardless of the state in which such health care is 
provided. It would apply the prohibition to reproductive health care 
that is lawful under the applicable Federal law and where the 
investigation or proceeding is against any person in connection with 
seeking, obtaining, providing, or facilitating reproductive health 
care. It would apply, for example, where the underlying reproductive 
health care continues to be protected by the Constitution, such as 
contraception, or is expressly required or authorized under Federal 
law.\285\
---------------------------------------------------------------------------

    \285\ See Griswold v. Connecticut, 381 U.S. 479 (1965); 
Eisenstadt v. Baird, 405 U.S. 438 (1972); Dobbs, 597 U.S. 345 
(Kavanaugh, J., concurring) (Dobbs ``does not threaten or cast doubt 
on'' the precedents providing constitutional protection for 
contraception).
---------------------------------------------------------------------------

    The third condition, proposed in 45 CFR 164.502(a)(5)(iii)(C)(3), 
would apply the prohibition when the relevant criminal, civil, or 
administrative investigation or proceeding is in connection with any 
person seeking, obtaining, providing, or facilitating reproductive 
health care that is provided in a state consistent with and permitted 
by the law of that same state.
    The Department also proposed a Rule of Construction in 45 CFR 
164.502(a)(5)(iii)(D) that provided that the proposed prohibition 
should not be construed to prohibit a use or disclosure of PHI 
otherwise permitted by the Privacy Rule unless such use or disclosure 
is primarily for the purpose of investigating or imposing liability on 
any person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care.\286\ The Department proposed the 
Rule of Construction to avoid an erroneous interpretation of the 
prohibition

[[Page 33011]]

standard, which otherwise could have been construed to prevent 
regulated entities from using or disclosing PHI for the purpose of 
defending themselves or others against allegations that they sought, 
obtained, provided, or facilitated reproductive health care that was 
not lawful under the circumstances in which it was provided.
---------------------------------------------------------------------------

    \286\ See proposed 45 CFR 164.502(a)(5)(iii)(D). See also 88 FR 
23506, 23552-53 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Most of the comments addressing the proposed prohibition expressed 
support for the Department's purpose-based approach and the principle 
that the Privacy Rule should prohibit the use and disclosure of PHI for 
a criminal, civil, or administrative investigation into or proceeding 
against any person, or to identify any person to initiate a criminal, 
civil, or administrative investigation into or proceeding against any 
person, in connection with seeking, obtaining, providing, or 
facilitating lawful reproductive health care. At the same time, the 
Department received many comments that expressed concern about the 
proposal's clarity and regulated entities' ability to operationalize 
the Rule of Applicability and Rule of Construction. For example, 
commenters asserted that to the extent the proposed rule would require 
regulated entities to determine whether the requested PHI was about 
reproductive health care that was lawful under the circumstances in 
which it was provided, making such a determination could be unduly 
burdensome when the request was about reproductive health care that was 
not provided by the regulated entity that received the request and 
could expose them to legal risk in the absence of additional guidance 
or a safe harbor. Other commenters expressed concern that applying the 
prohibition would undermine the ability of states to enforce their own 
health care laws.
    Commenters who addressed the proposed Rule of Construction also 
expressed confusion about how the Department intended ``primarily'' or 
``primarily for the purpose of'' to be interpreted. Many either 
requested examples of uses and disclosures that were ``primarily'' for 
the underlying prohibited purposes. In lieu of the proposal to avoid 
liability based on ``the mere act of'' seeking, obtaining, providing, 
or facilitating reproductive health care, a few commenters suggested 
expanding the proposed definition or modifying existing permissions to 
explicitly exclude conduct based solely on seeking, obtaining, 
providing, or facilitating certain types of health care.
    The Department is finalizing the proposed prohibition that 
restricts the ability of regulated entities to use or disclose PHI for 
activities with the purpose of investigating or imposing liability on 
any person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which it was provided, or to identify any person for 
such purposes, with modifications to improve clarity and ease 
implementation for regulated entities.
    The Department is retaining its purpose-based approach in the final 
rule in light of concerns about the ability of regulated entities to 
segment certain types of data and in recognition that PHI about an 
individual's reproductive health may be reflected throughout an 
individual's longitudinal health record, in addition to being 
maintained by a wide variety of regulated entities.
    As we discussed in the 2023 Privacy Rule NPRM, the Department 
recognizes that diseases and conditions that are not directly related 
to an individual's reproductive health may be affected by or have 
bearing on the individual's reproductive health and the reproductive 
health care they are eligible to receive, and vice versa. Thus, it may 
be necessary for all types of health care providers to maintain 
complete and accurate medical records to ensure that subsequent health 
care providers are adequately informed in making diagnoses or 
recommending courses of treatment. For example, an individual with a 
chronic cardiac or endocrine condition may become pregnant, placing 
additional strain on the individual's cardiovascular or endocrine 
system. In such cases, it is essential that their cardiologist or 
endocrinologist be informed of the pregnancy and consulted as necessary 
to ensure appropriate health care is provided to the individual because 
such conditions may have bearing on their pregnancy.
    Additionally, the final rule revises the prohibition standard at 45 
CFR 164.502(a)(5)(iii) by incorporating language from the proposed Rule 
of Construction to clarify the purposes for which the Department 
prohibits uses or disclosures of PHI. In 45 CFR 
164.502(a)(5)(iii)(A)(1) and (2), the Department incorporates the 
``mere act of'' language of the proposed Rule of Construction to 
clarify that the prohibited uses and disclosures of PHI are tied to 
imposing criminal, civil, or administrative liability for the ``mere 
act of'' seeking, obtaining, providing, or facilitating reproductive 
care and not just ``in connection to'' such acts.\287\ Section 
164.502(a)(5)(iii)(A)(1) combines the criminal, civil, or 
administrative investigations language from the proposed prohibition 
standard with the proposed Rule of Construction to prohibit regulated 
entities from using or disclosing PHI for activities conducted for the 
purpose of a criminal, civil, or administrative investigation into any 
person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care. Section 164.502(a)(5)(iii)(A)(2) 
separates and replaces the ``or proceeding against'' language from the 
first condition of the proposed prohibition standard with ``to impose 
criminal, civil, or administrative liability on'' and incorporates 
language from the proposed Rule of Construction to prohibit regulated 
entities from using or disclosing PHI for activities conducted for the 
purpose of imposing criminal, civil, or administrative liability on any 
person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care. Similar to proposed 45 CFR 
164.502(a)(5)(iii)(A)(2), 45 CFR 164.502(a)(5)(iii)(A)(3) now addresses 
the use or disclosure of PHI to identify any person for the activities 
described in the other conditions of the prohibition standard. To the 
extent the purpose in 45 CFR 164.502(a)(5)(iii)(A)(1) relates to 
activities conducted for an investigation, the purpose in 45 CFR 
164.502(a)(5)(iii)(A)(2) relates to the activities to impose liability, 
including activities that would flow from that investigation, whether 
it be in the form of proceedings to consider censure, medical license 
revocation, the imposition of fines or other penalties, or detainment 
or imprisonment, or the actual imposition of such liability.
---------------------------------------------------------------------------

    \287\ Section 164.502(a)(5)(iii)(A)(3) incorporates the same 
language by reference to 45 CFR 164.502(a)(5)(iii)(A)(1) and (A)(2).
---------------------------------------------------------------------------

    The prohibition against the uses and disclosures of PHI finalized 
in 45 CFR 164.502(a)(5)(iii)(A) is subject to the Rule of Applicability 
that the Department is finalizing in 45 CFR 164.502(a)(5)(iii)(B). As 
discussed in the proposed rule and finalized herein, the Rule of 
Applicability modifies the prohibition standard to make clear that the 
prohibition encompasses the use or disclosure of PHI for any activities 
conducted for the purpose of investigating or imposing liability on any 
person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care that the regulated entity that 
has received the request for PHI has reasonably determined is lawful 
under the circumstances in which such health care is provided. The 
prohibition's

[[Page 33012]]

reference to the ``mere act'' of seeking, obtaining, providing, or 
facilitating lawful reproductive health care includes the reasons that 
the reproductive health care was sought or provided (e.g., an 
investigation into whether a particular abortion was necessary to save 
a pregnant person's life would constitute an investigation into the 
``mere act'' of seeking, obtaining, providing, or facilitating 
reproductive health care). The reference to ``mere act'' operates the 
same way with respect to activities conducted to identify any 
individual for the purposes described above. This includes but is not 
limited to law enforcement investigations, third party investigations 
in furtherance of civil proceedings, state licensure proceedings, 
criminal prosecutions, and family law proceedings. Examples of 
criminal, civil, or administrative investigations or activities to 
impose liability for which regulated entities would be prohibited from 
using or disclosing PHI would also include a civil suit brought by a 
person exercising a private right of action provided for under state 
law against an individual or health care provider who obtained, 
provided, or facilitated a lawful abortion, or a law enforcement 
investigation into a health care provider for lawfully providing or 
facilitating the disposal of an embryo at the direction of the 
individual.
    The Department acknowledges that this final rule will not prohibit 
the use or disclosure of PHI in all instances in which persons request 
the use or disclosure of PHI for an investigation or to impose 
liability on a person for seeking, obtaining, providing, or 
facilitating reproductive health care. As discussed extensively in 
Section III of this rule, the Privacy Rule has long balanced the 
privacy interests of individuals with that of society in obtaining PHI 
for certain non-health care purposes. Accordingly, we acknowledge that 
in some circumstances, an individual's privacy interest in obtaining 
lawful care will outweigh law enforcement's interests in the PHI for 
certain non-health care purposes, while in others, law enforcement's 
interests in the PHI will outweigh the privacy interests of 
individuals. As we discussed above in Section III and in the proposed 
rule, recent developments in the legal landscape have made information 
about an individual's reproductive health more likely to be sought for 
punitive non-health care purposes, such as targeting individuals for 
seeking lawful reproductive health care outside of their home state, 
and therefore more likely to be subject to disclosure by regulated 
entities if the requested disclosure is permitted under the Privacy 
Rule. The Department's approach in this rulemaking limits the 
application of the prohibition to situations in which reproductive 
health care meets one of the conditions of the Rule of Applicability. 
Accordingly, the prohibition applies only where individuals' privacy 
interests outweigh the interests of law enforcement, and private 
parties afforded legal rights of action, in obtaining individuals' PHI 
for the non-health care purpose of investigating or imposing liability 
for reproductive health care that was not lawful under the 
circumstances in which it was provided.
    We also acknowledge, as we did in the proposed rule, that in some 
circumstances, the Privacy Rule imposes greater restrictions on uses 
and disclosures of PHI than state privacy laws, and the prohibition may 
delay or hamper enforcement of certain other state laws (e.g., laws 
governing access to reproductive health care). Such circumstances were 
contemplated by Congress when it enacted HIPAA.\288\ For example, a 
state law might require a covered entity to disclose PHI to law 
enforcement in furtherance of an investigation, while the final rule 
may prohibit such a disclosure. In such cases, the provisions of the 
Privacy Rule would preempt the application of contrary provisions of 
state law, and the regulated entity could not disclose the PHI.\289\ 
However, as discussed above in section III, we reiterate that not all 
methods to investigate the lawfulness of reproductive health care are 
foreclosed by this rule.
---------------------------------------------------------------------------

    \288\ 42 U.S.C. 1320d-7(a)(1) (providing the general rule that, 
with limited exceptions, a provision or requirement under HIPAA 
supersedes any contrary provision of state law); see also section 
264(c)(2) of Public Law 104-191 (codified at 42 U.S.C. 1320d-2 note) 
and 45 CFR 160.203.
    \289\ See final 45 CFR 164.509, and discussion below.
---------------------------------------------------------------------------

    The Department emphasizes that the prohibition does not apply in 
circumstances that fall outside of its terms. Where a person requesting 
PHI identifies a legal basis for the request beyond the mere act of a 
person having sought, obtained, provided, or facilitated reproductive 
health care that was lawful under the circumstances in which it was 
provided, the prohibition at 45 CFR 164.502(a)(5)(iii) would not apply. 
Similarly, if a person obtains reproductive health care that was 
unlawful, such health care would not be lawful under the circumstances 
in which it was provided, and the prohibition would not apply. Where 
the prohibition does not apply, the Privacy Rule permits the requested 
PHI to be used or disclosed, provided that the use or disclosure is 
otherwise permitted by the Privacy Rule (i.e., the request meets the 
requirements of an applicable permission and is accompanied by a valid 
attestation as described by 45 CFR 164.509, where required). The 
Department reminds the public that persons who request PHI under false 
pretenses may be subject to criminal penalties under HIPAA.\290\
---------------------------------------------------------------------------

    \290\ See 42 U.S.C. 1320d-6.
---------------------------------------------------------------------------

    The Rule of Applicability, as discussed below, vests the 
determination of whether the reproductive health care was lawful under 
the circumstances it was provided with the regulated entity that 
receives the request for PHI and requires that such determination be 
reasonable. The regulatory presumption, also discussed below, replaces 
the proposed requirement that a regulated entity make a determination 
regarding the lawfulness of the reproductive health care where someone 
other than the regulated entity that receives the request provided such 
health care. The new language requires that the reproductive health 
care at issue be presumed lawful under the circumstances in which such 
health care is provided when provided by a person other than the 
regulated entity receiving the request. This helps to ensure that the 
regulated entity is not required to make a determination about the 
lawfulness of such health care. The presumption may be overcome if 
certain conditions are met.
    In the proposed rule, the Department provided examples that remain 
helpful in illustrating the operation of the clarified prohibition and 
how it continues to permit uses and disclosures for legitimate 
interests.\291\ For example, the prohibition does not restrict a 
regulated entity from using or disclosing PHI to a health oversight 
agency conducting health oversight activities, such as investigating 
whether reproductive health care was actually provided or appropriately 
billed in connection with a claim for such services, or investigating 
substandard medical care or patient abuse.\292\ However, as discussed 
above, investigating substandard medical care

[[Page 33013]]

or patient abuse may not be used as a pretext for investigating 
reproductive health care for purposes that are otherwise prohibited by 
this final rule. In another example, the rule does not bar a regulated 
entity from using or disclosing PHI to investigate an alleged violation 
of the Federal False Claims Act or a state equivalent based on unusual 
prescribing or billing patterns for erectile dysfunction medication.
---------------------------------------------------------------------------

    \291\ 88 FR 23506, 23532-33 (Apr. 17, 2023).
    \292\ See 45 CFR 164.512(d)(1)(i) through (iv) for health 
oversight activities for which the Privacy Rule permits uses and 
disclosures of PHI. See also the National Association of Medicaid 
Fraud Control Units, described at https://www.naag.org/about-naag/namfcu/. All 53 federally certified Medicaid Fraud Control Units 
voluntarily subscribe to this organization. This final rule does not 
interfere with any State's ability to meet their statutory 
obligations to combat health care fraud related to Medicaid.
---------------------------------------------------------------------------

    This final rule also does not prohibit the use or disclosure of PHI 
where the PHI is sought to investigate or impose liability on a person 
for submitting a false claim for reproductive health care for payment 
to the government. In such a case, the request is not made for the 
purpose of investigating or imposing liability on a person for the mere 
act of seeking, obtaining, providing, or facilitating reproductive 
health care. Instead, the purpose of the request for PHI is to 
investigate or impose liability on a person for an alleged violation of 
the Federal False Claims Act or a state equivalent.\293\ As another 
example, the revised prohibition standard generally does not prohibit 
the disclosure of PHI to an Inspector General where the PHI is sought 
to conduct an audit aimed at protecting the integrity of the Medicare 
or Medicaid Program where the audit is not inconsistent with this final 
rule. This is because the request is generally not being made for the 
purpose of investigating or imposing liability on a person for the mere 
act of providing the reproductive health care itself. The prohibition 
also makes clear that the use or disclosure of PHI is permitted where 
the purpose of the use or disclosure is to investigate alleged 
violations of Federal nondiscrimination laws or abusive conduct, such 
as sexual assault, that may occur in connection with reproductive 
health care. The prohibition likewise makes clear that the use or 
disclosure of PHI is permitted where the purpose of the use or 
disclosure is to penalize the provision of reproductive health care 
that is not lawful, as defined by the Rule of Applicability at 45 CFR 
164.502(a)(5)(iii)(B), as long as a Privacy Rule permission applies.
---------------------------------------------------------------------------

    \293\ 31 U.S.C. 3729-3733.
---------------------------------------------------------------------------

    Under the prohibition, a regulated entity could respond to a 
request for relevant records in a criminal or civil investigation 
pursuant to 18 U.S.C. 248 regarding freedom of access to clinic 
entrances. Investigations under this provision are conducted for the 
purpose of determining whether a person physically obstructed, 
intimidated, or interfered with persons providing ``reproductive health 
services,'' \294\ or attempted to do so. Thus, they do not involve 
investigating or imposing liability on a person for the mere act of 
seeking, obtaining, providing, or facilitating reproductive health care 
that was reasonably determined to be lawful under the circumstances in 
which such health care was provided by the regulated entity that 
received the request for PHI.
---------------------------------------------------------------------------

    \294\ 18 U.S.C. 248(e)(5) (definition of ``Reproductive health 
services'').
---------------------------------------------------------------------------

    The final rule retains the proposal's prohibition against the use 
or disclosure of PHI for activities conducted for the purpose of 
investigating or imposing liability on ``any person'' for the mere act 
of seeking, obtaining, providing, or facilitating reproductive health 
care that is lawful under the circumstances in which such health care 
is provided, or for identifying ``any person'' for such activities. 
``Any person'' means, based on the HIPAA Rules' definition of 
``person,'' \295\ that the prohibition is not limited to use or 
disclosure of PHI for use against the individual; rather, the 
prohibition applies to the use or disclosure of PHI against a regulated 
entity, or any other person, including an individual or entity, who may 
have obtained, provided, or facilitated lawful reproductive health 
care.\296\
---------------------------------------------------------------------------

    \295\ 45 CFR 160.103 (definition of ``Person'').
    \296\ Note that in Section V.A.1, the Department is clarifying 
the definition of ``person,'' although that clarification does not 
affect the analysis in this paragraph.
---------------------------------------------------------------------------

    The Department has always and continues to recognize that there may 
be a public interest and benefit in disclosing PHI for limited non-
health care purposes, including enforcing duly enacted laws. The 
Department has also always sought to balance competing interests in 
individual privacy and the use and disclosure of PHI for particular 
purposes in the Privacy Rule. We balance these competing interests by 
considering both the harm to individuals that results from the use or 
disclosure of PHI (e.g., loss of trust in the health care system, 
potential for financial liability or detainment) and the countervailing 
interests in disclosure. As discussed above, the Department finds that 
the final rule reflects the appropriate balance between these interests 
by prohibiting the use and disclosure of PHI for activities conducted 
for the purpose of investigating or imposing liability on ``any 
person'' for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which such health care is provided, or for identifying 
``any person'' for such activities.
    Accordingly, the final rule adopts, with modifications discussed 
below, the proposed Rule of Applicability and re-designates it as 45 
CFR 164.502(a)(5)(iii)(B). The final rule text also adds the word 
``only'' in 45 CFR 164.502(a)(5)(iii)(B) to make clear that the 
prohibition's application is limited to the use or disclosure of PHI 
``only'' where one or more of the conditions set forth in the Rule of 
Applicability exists.
    To address concerns from commenters about how to determine whether 
reproductive health care is ``lawful,'' the Department finalizes a 
revised Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B). 
Specifically, the Rule of Applicability, as finalized, requires that a 
regulated entity that receives a request for PHI make a reasonable 
determination about the lawfulness of the reproductive health care in 
the circumstances in which such health care was provided, where 
lawfulness is described by 45 CFR 164.502(a)(5)(iii)(B)(1)-(3). Thus, a 
regulated entity that receives the request for PHI must decide whether 
it would be reasonable for a similarly situated regulated entity to 
determine, as provided in the Rule of Applicability, that the 
reproductive health care is lawful under the circumstances in which 
such health care is provided.
    To make the reasonableness determination, that is, to determine 
whether it would be reasonable for a similarly situated regulated 
entity to determine that one or more of the conditions of the Rule of 
Applicability applies, a regulated entity receiving the request for PHI 
must evaluate the facts and circumstances under which the reproductive 
health care was provided. Such facts and circumstances include but are 
not limited to the individual's diagnosis and prognosis, the time such 
health care was provided, the location where such health care was 
provided, and the particular health care provider who provided the 
health care. This approach is consistent with the current and 
longstanding practice under the Privacy Rule, whereby a covered entity 
is responsible for determining whether a requested use or disclosure is 
permitted under one or more of the permissions set forth in the Privacy 
Rule. For example, a regulated entity is permitted to make a use or 
disclosure of PHI where ``required by law'' pursuant to 45 CFR 
164.512(a). To make a use or disclosure under that permission, the 
regulated entity cannot rely on assertions from the person making the 
request, but rather, must itself evaluate the relevant law to determine 
whether

[[Page 33014]]

the use or disclosure is ``required by law'' and thus permitted under 
that permission. As discussed above, the Department recognizes that 
this approach may prevent uses or disclosures in support of some law 
enforcement investigations (e.g., where a health care provider 
reasonably determines that its provision of reproductive health care 
was lawful, but where law enforcement reasonably disagrees or does not 
provide sufficient factual information for a regulated entity to 
determine that there is a substantial factual basis that the 
reproductive health care was not lawful under the circumstances in 
which such health care was provided). However, we believe that, in 
these narrow circumstances, the interests of law enforcement, and 
private parties afforded legal rights of action, are outweighed by 
privacy interests and that the current approach strikes the appropriate 
balance between these competing interests.
    The Department is retaining the proposed framework for identifying 
the circumstances in which reproductive health care is lawful, and thus 
the prohibition applies. However, we are modifying the regulatory text 
of the Rule of Applicability to clarify its conditions. As revised, the 
regulatory text combines the first and third conditions of the Rule of 
Applicability into a revised 45 CFR 164.502(a)(5)(iii)(B)(1) that 
focuses on whether the reproductive health care at issue is lawful 
under the circumstances in which such health care is provided. Under 
the revised condition, the circumstances in which the prohibition 
applies are determined by the law of the state in which the health care 
is provided.
    As proposed in the 2023 Privacy Rule NPRM, the first and third 
conditions, when considered together, would have given the impression 
that the Department was drawing a distinction between reproductive 
health care provided in-state or out-of-state, although outcomes would 
have been the same. As the Department explained in the proposed rule, 
both the first and third conditions would have prohibited a regulated 
entity from using or disclosing PHI where the reproductive health care 
was permitted by the law of the state in which it was provided (e.g., 
for pregnancy termination that occurs before a state-specific 
gestational limit or under a relevant exception in a state law 
restricting pregnancy termination such as when the pregnancy is the 
result of rape or incest or because the life of the pregnant individual 
is endangered, for reproductive health care that is generally permitted 
but must be provided by a specific type of health care professional or 
in a certain place of service). The outcome of the analysis remains the 
same under this final rule, which combines the first and third 
conditions of the Rule of Applicability into one condition. Thus, the 
revision improves the clarity of the Rule of Applicability by focusing 
solely on whether the reproductive health care was lawful under the 
circumstances in which it was provided.
    Additionally, the final rule modifies the regulatory text in 45 CFR 
164.502(a)(5)(iii)(B)(2) to include an express reference to the U.S. 
Constitution as a source of Federal law for determining whether 
reproductive health care is lawful under the circumstances in which 
such health care is provided. The Department has always intended to 
include the U.S. Constitution as a source of Federal law, and the final 
regulatory text now explicitly reflects this. The regulatory text also 
makes clear that the U.S. Constitution is not the sole source of 
Federal law and that Federal statutes, regulations, and policies may be 
the relevant legal authority for determining whether the reproductive 
health care is protected, required, or authorized under Federal law. 
This final rule in no way supersedes applicable state law pertaining to 
the lawfulness of reproductive health care.
    To address commenters' concerns about obligating regulated entities 
to determine whether reproductive health care that occurred outside of 
the regulated entity is lawful, the Department is adding a new 
presumption provision at 45 CFR 164.502(a)(5)(iii)(C). It presumes the 
reproductive health care at issue was lawful under the circumstances in 
which such health care was provided when it was provided by a person 
other than the regulated entity receiving the request. The presumption 
can be overcome where the regulated entity has either actual knowledge, 
or factual information supplied by the person requesting the use or 
disclosure, that demonstrates a substantial factual basis that the 
reproductive health care was not lawful under the specific 
circumstances in which it was provided. The first ground to overcome 
the presumption--concerning ``actual knowledge''--accounts for 
situations where the regulated entity has actual knowledge that the 
reproductive health care was not lawful. The second ground to overcome 
the presumption--concerning ``factual information''--accounts for 
situations where the person making the request has demonstrated to the 
regulated entity that there is a substantial factual basis that the 
reproductive health care was unlawful under the circumstances in which 
such health care was provided. To satisfy the second ground, the 
regulated entity must obtain from the person making the request 
sufficient threshold factual evidence that demonstrates to the 
regulated entity a substantial factual basis that the reproductive 
health care was not lawful under the circumstances in which such health 
care was provided.
    For example, an investigator requests information from a health 
plan about claims for coverage of certain reproductive health care 
provided by a particular health care provider. The health plan must 
presume that the reproductive health care was lawful unless the health 
plan has actual knowledge that the reproductive health care was not 
lawful or the investigator supplied information that demonstrates a 
substantial factual basis to believe that the reproductive health care 
was not lawful under these circumstances. The latter condition could be 
met where the investigator provides the regulated entity with various 
types of documentation. For example, persons requesting PHI could 
provide the regulated entity with affidavits supplied by complainants 
that contain the circumstances under which the reproductive health care 
was provided. In this example, the presumption would be overcome, and 
the health plan would be permitted to use or disclose the PHI, assuming 
that all applicable conditions of the Privacy Rule were otherwise met. 
In contrast, if the investigator requests the same information but only 
provides an anonymous report of a particular health care provider 
providing reproductive health care that is not lawful under the 
circumstances in which it is provided, the health plan would not have a 
substantial factual basis to believe that the reproductive health care 
was not lawful. Accordingly, this final rule would prohibit the health 
plan from disclosing the requested PHI unless the investigator provides 
sufficient information to overcome the presumption and the use or 
disclosure is otherwise permitted by the Privacy Rule. The conditions 
of making the use or disclosure would include, as described elsewhere 
in this final rule, obtaining a valid attestation if the relevant 
permission requires one.
    The Department emphasizes that, as demonstrated by the numerous 
comments on this issue, this regulatory presumption is necessary for 
workability by the regulated entities subject to this final rule. We 
recognize that when a regulated entity did not provide the reproductive 
health care at

[[Page 33015]]

issue, it may not have access to all of the relevant information, 
including medical records with the necessary information, to determine 
whether prior reproductive health care obtained by an individual was 
lawful. We clarify that regulated entities are not expected to conduct 
research or perform an analysis of an individual's PHI to determine 
whether prior reproductive health care was lawful under the 
circumstances in which it was provided when such health care was 
provided by someone other than the regulated entity that receives the 
request for the use or disclosure of PHI.
    We also reiterate that this final rule is intended to support and 
clarify the privacy interests of individuals availing themselves of 
lawful reproductive health care, and not to thwart the interests of 
states in conducting lawful investigations or imposing liability on the 
provision of unlawful reproductive health care. While this new 
regulatory presumption may make it more difficult for a state to 
investigate whether reproductive health care was unlawful under the 
circumstances in which it was provided (e.g., when other sources of 
information that is not PHI are unavailable), as discussed above, the 
Department has considered those interests and determined that the 
effects are justified by countervailing privacy benefits. Moreover, as 
also explained above, society's interest in obtaining PHI in such 
circumstances is reduced, particularly in light of its continued 
ability to obtain information from other sources. The Department also 
emphasizes that it is not applying a blanket presumption that all 
reproductive health care reflected in a regulated entity's records was 
lawful under the circumstances in which it was provided. Instead, the 
presumption applies only where the reproductive health care at issue is 
provided by someone other than the regulated entity that received the 
request for the use or disclosure of PHI, and it may be overcome in the 
circumstances identified above.
    In contrast, where a request for PHI is made to the regulated 
entity that provided the relevant reproductive health care, the 
regulated entity is responsible for determining whether it provided 
reproductive health care that was lawful under the circumstances in 
which it was provided, including, as discussed above, a review of all 
available relevant evidence bearing on whether the reproductive health 
care was lawful under the circumstances in which it was provided. If 
the regulated entity reasonably determines that the health care was 
lawfully provided, the prohibition applies, and the regulated entity 
may not make the use or disclosure.
    To illustrate how the presumption would apply, consider a hospital 
that has PHI about the provision of reproductive health care by a 
different facility. The hospital is not expected to conduct research or 
perform analysis into whether reproductive health care obtained at a 
different facility from another health care provider was lawful under 
the circumstances in which such health care was provided. Accordingly, 
the regulated entity, if they receive a request for PHI to which the 
prohibition at 45 CFR 164.502(a)(5)(iii) may apply, is not expected to 
review the individual's PHI to determine the lawfulness of the prior 
reproductive health care. In such situations, the regulated entity is 
also not expected to research other states' laws to determine whether 
the reproductive health care was lawful under the circumstances in 
which it was provided, nor are they expected to consult with an 
attorney to do the same. Rather, the presumption standard allows the 
regulated entity to limit their review to information supplied by the 
person making the request for the use or disclosure of PHI where the 
request addresses reproductive health care provided by someone other 
than the regulated entity receiving the request. Thus, a regulated 
entity that did not provide the reproductive health care must presume 
that the reproductive health care was lawful under the circumstances in 
which it was provided unless the conditions of rebutting the 
presumption are met.
    Consider a different example in which a law enforcement official 
from State A issues a subpoena to a hospital in State A to request the 
PHI of an individual from State A who is suspected of obtaining 
reproductive health care in State B that would have been unlawful under 
the law of State A if provided there. The hospital did not provide the 
reproductive health care in question, nor did the individual provide 
information to the hospital about who may have provided such health 
care. At the time the law enforcement official issues the subpoena, the 
individual is no longer in the hospital, nor is the individual 
receiving treatment at the hospital. Additionally, the law enforcement 
official provided no information in the subpoena that would make it 
reasonable for the hospital to determine that the reproductive health 
care at issue was not lawful in the circumstances in which it was 
provided, that is, to determine that the reproductive health care was 
not lawful under the law of State B or was not protected, required, or 
authorized by Federal law. In this case, the hospital did not have 
actual knowledge that, nor did the information supplied to it by the 
law enforcement official making the request demonstrate to the hospital 
a substantial factual basis that, the individual had previously 
received unlawful reproductive health care; therefore, the reproductive 
health care is presumed to have been provided under circumstances in 
which it was lawful to provide such health care. Accordingly, this 
final rule would prohibit the hospital from disclosing the requested 
PHI unless the law enforcement official provides sufficient information 
to overcome the presumption and the use or disclosure is otherwise 
permitted by the Privacy Rule. This includes, as described elsewhere in 
this final rule, receipt of a valid attestation if the relevant 
permission requires one.
    Conversely, if the hospital is provided with factual information 
that demonstrates a substantial factual basis that the reproductive 
health care at issue was not lawful under the specific circumstances in 
which such health care was provided, the presumption would be overcome. 
When a presumption is overcome or rebutted, the Rule of Applicability 
at 45 CFR 164.502(a)(5)(iii)(B) cannot be satisfied (i.e., the 
regulated entity has actual knowledge, or has received factual 
information from the person requesting the PHI to determine that there 
is substantial factual basis to believe, that the reproductive health 
care was not lawful under the circumstances in which it was provided), 
and thus, the use or disclosure would not be prohibited under the final 
rule. As such, the Privacy Rule would permit, but would not require, 
the hospital to disclose the PHI in response to the subpoena where the 
use or disclosure meets the requirements of an applicable permission, 
including the receipt of a valid attestation where required.
    In another example, a law enforcement agency presents a covered 
entity's business associate, such as a cloud service provider, with a 
subpoena for the PHI of an individual who received reproductive health 
care as part of its investigation into the health care provider who 
provided such health care for the provision of that health care. The 
PHI is encrypted, and the business associate does not have the key to 
decrypt it or is not permitted under the terms of its business 
associate agreement with the covered entity to decrypt the PHI. Thus, 
the business associate lacks a complete view of the individual's PHI 
and did not provide

[[Page 33016]]

the underlying reproductive health care. Additionally, the business 
associate has no actual knowledge that the reproductive health care was 
unlawful, nor did the person requesting the PHI supply it with 
information that demonstrates to the business associate a substantial 
factual basis that the reproductive health care was not lawful under 
the specific circumstances in which such health care was provided. In 
such a case, the presumption that the reproductive health care at issue 
was lawful applies. If the law enforcement agency does not present more 
information to overcome the presumption, the Privacy Rule prohibits the 
business associate from disclosing the requested PHI in response to the 
subpoena, even if the law enforcement agency has provided an 
attestation; in this circumstance, the attestation would not be valid 
because the disclosure is for a purpose that is prohibited by 45 CFR 
164.502(a)(5)(iii).
    The presumption serves a different purpose than the attestation, 
which is required when there is a request for PHI potentially related 
to reproductive health care for certain permitted purposes under the 
Privacy Rule, as discussed further below. In contrast with the 
attestation, the presumption applies only where a request for PHI 
involves a purpose prohibited under 45 CFR 164.502(a)(5)(iii) and the 
reproductive health care at issue was provided by someone other than 
the regulated entity that received the request for PHI, so the 
regulated entity does not have first-hand knowledge of the 
circumstances in which the reproductive health care was provided. 
Because the situations in which the presumption applies involve 
purposes prohibited under 45 CFR 164.502(a)(5)(iii), it is not 
reasonable for a regulated entity to rely, without additional 
information, on a statement from the person requesting the use or 
disclosure, including the statement required in the attestation by 45 
CFR 164.509(b)(1)(ii), that the request is not made for a prohibited 
purpose or that the underlying reproductive health care was unlawful. 
Thus, such statement alone does not satisfy 45 CFR 
164.502(a)(5)(iii)(C)(2). However, if a person requesting the use or 
disclosure of PHI provides the regulated entity with sufficient 
information, separate and distinct from the attestation itself, that 
demonstrates to the regulated entity a substantial factual basis that 
the reproductive health care was not lawful under the specific 
circumstances in which such health care was provided, the presumption 
would be overcome; in this scenario, the Privacy Rule would permit, but 
would not require, the regulated entity to disclose the PHI in response 
to the subpoena. The presumption may also be overcome by, for example, 
a spontaneous statement from the individual about the circumstances 
under which they obtained reproductive health care.
    As we explained above, this final rule, consistent with the 
Department's longstanding approach to the Privacy Rule, balances 
competing interests between the privacy expectations of individuals and 
society's interests in PHI for certain non-health care purposes. For 
example, since its inception, the Privacy Rule has permitted a covered 
entity to rely, if such reliance is reasonable under the circumstances, 
on a requested disclosure as the minimum necessary for the stated 
purpose when making disclosures to public officials that are permitted 
under 45 CFR 164.512, if the public official represents that the 
information requested is the minimum necessary for the stated 
purpose(s).\297\ Elsewhere in the Privacy Rule, covered entities are 
required to make a determination of whether it is ``reasonable under 
the circumstances'' to rely on documentation, statements, or 
representations from a person requesting PHI to verify the identity of 
the person requesting PHI and the authority of the person to access the 
PHI.\298\ In the case of public officials, we have previously explained 
that covered entities must verify the identity of the request by 
examination of reasonable evidence, such as written statement of 
identity on agency letterhead, an identification badge, or similar 
proof of official status. In addition, where explicit written evidence 
of legal process or other authority is required before disclosure may 
be made, a public official's proof of identity and oral statement that 
the request is authorized by law are not sufficient to constitute the 
required reasonable evidence of the legal process or authority.\299\ In 
both instances, the Privacy Rule permits regulated entities to rely on 
representations made by public officials where it is reasonable to do 
so but makes clear that in some instances, documentary or other 
evidentiary proof is needed.\300\
---------------------------------------------------------------------------

    \297\ See 45 CFR 164.514(d)(3)(iii)(A) and 65 FR 82462, 82545, 
and 82547 (Dec. 28, 2000).
    \298\ 45 CFR 164.514(h)(2) and 65 FR 82462, 82546-47 (Dec. 28, 
2000).
    \299\ See 45 CFR 164.514(h) and 65 FR 82462, 82546-47 (Dec. 28, 
2000).
    \300\ See 65 FR 82462, 82545 (Dec. 28, 2000) (``[. . .] covered 
entities making disclosures to public officials that are permitted 
under Sec.  164.512 may rely on the representations of a public 
official that the information requested is the minimum 
necessary.''); see also id. at 82547 (further discussing 
verification of identity and authority of persons requesting PHI in 
45 CFR 164.514(h) and the requirements in 45 CFR 164.512 for the 
circumstances under which covered entities must make reasonable 
determinations about the sufficiency of proof of identify and 
authority based on documentary evidence, contrasted with a 
reasonable reliance on verbal representations when necessary to 
avert a pending emergency or imminent threat to the health or safety 
of a person or the public pursuant to 45 CFR 164.512(j)(1)(i)).
---------------------------------------------------------------------------

    In this final rule, the Department has enshrined the requirement 
that a regulated entity make a reasonable determination of whether PHI 
should be disclosed in response to a request from law enforcement, or 
other official, in regulatory text and determined that is not 
reasonable to rely solely on representations of law enforcement or 
other officials without a written attestation. This approach is due to 
the high potential for harm to the individual who is the subject of the 
PHI or to persons who are subject to liability for the mere act of 
seeking, obtaining, providing or facilitating reproductive health care.
    Further, as we discussed above, even in the scenario where a state 
official seeks PHI to investigate whether the underlying reproductive 
health care was unlawful, a regulated entity's reasonable determination 
that the conditions of the prohibition set forth in the Rule of 
Applicability are met means that the prohibition applies and the 
regulated entity is prohibited from using or disclosing the PHI. This 
does not foreclose the ability of state officials to investigate the 
circumstances surrounding the provision of the reproductive health 
care, including through the collection of information from sources that 
are not regulated under HIPAA, to determine whether a health care 
provider or other person may have acted unlawfully. Rather, this final 
rule prohibits the use or disclosure of PHI when it is being used to 
investigate or impose liability on a person for the mere act of 
seeking, obtaining, providing, or facilitating lawful reproductive 
health care, or to identify any person to initiate such activities. 
Indeed, the individual's privacy interests are especially strong where 
individuals seek lawful reproductive health care and risk either 
avoiding such lawful health care or being less than truthful with their 
health care providers because they fear that their PHI will be 
disclosed.
    The Department is re-designating proposed 45 CFR 
164.502(a)(5)(iii)(B) as 45 CFR 164.502(a)(5)(iii)(D) and modifying it 
in response to the

[[Page 33017]]

commenters who provided examples of situations where they could 
reasonably expect to receive a request for PHI that might relate to 
``seeking, obtaining, providing, or facilitating reproductive health 
care.'' To address these concerns, the Department is revising the list 
of activities in 45 CFR 164.502(a)(5)(iii)(D) that explain the scope of 
actions taken by persons that the Department is protecting against 
impermissible requests for PHI. Specifically, the Department is adding 
the terms ``administering,'' ``authorizing,'' ``providing coverage 
for,'' ``approving,'' and ``counseling about'' to the current list of 
descriptive activities in the proposed rule and removing ``inducing'' 
from the list. We are removing ``inducing'' from the list in response 
to concerns from commenters that the prohibition might apply in 
circumstances where individuals are coerced to obtain reproductive 
health care. It was never the Department's intention for the 
prohibition on the use or disclosure of PHI to apply in such 
circumstances. Rather, we intended it to refer to situations in which a 
health care provider ``induces'' labor under circumstances in which 
such health care is lawful; however, we believe our intended meaning of 
``inducing'' is encompassed in other terms in the list. The revised 
list better explains the type of activities in which a person may be 
engaged and about which the Department intends to prevent the use or 
disclosure of PHI.
    The Department is not finalizing a separate Rule of Construction 
because the need is obviated by incorporating the key content into the 
prohibition itself at 45 CFR 164.502(a)(5)(iii). The Department 
proposed the Rule of Construction to clarify that 45 CFR 
164.502(a)(5)(iii) should not be construed to prohibit a use or 
disclosure of PHI otherwise permitted by the Privacy Rule unless such 
use or disclosure is ``primarily for the purpose of'' investigating or 
imposing liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating reproductive health care. By 
incorporating the Rule of Construction into the main standard and 
removing the proposed ``primarily for the purpose of'' language, the 
Department now more clearly conveys its intent to prohibit the use and 
disclosure of PHI for the specified purposes only when it relates to 
the ``mere act of'' seeking, obtaining, providing, or facilitating 
reproductive health care. As discussed in greater detail below in our 
responses to comments, this change is designed to reduce confusion for 
regulated entities about how to reconcile and apply the Rule of 
Construction with the main prohibition standard and does not change the 
scope of the prohibition as proposed. The revisions and restructuring 
of regulatory text formerly included in the Rule of Construction 
improve readability and reduce redundancy. Likewise, the final rule 
incorporates other minor wording changes to improve readability and 
updates regulatory text references to other paragraphs to accurately 
reflect the organization of this section.
    Comment: Many commenters expressed support for the Department's 
proposal to create a new category of prohibited uses and disclosures 
about reproductive health care. A few of these commenters explained the 
rationale for their support as based on the proposed approach's balance 
of preventing harm to individuals from certain uses and disclosures and 
permitting beneficial uses and disclosures, while providing regulated 
entities with clarity with respect to when uses and disclosures of PHI 
would be permitted.
    A few commenters agreed with the Department's view that a purpose-
based prohibition is preferable to other approaches to protecting the 
privacy of individuals that would require labeling or segmenting of 
PHI. Other commenters focused on how the proposal would better 
facilitate HIPAA's goals of providing high-quality health care and 
encouraging the flow of information to covered entities.
    Response: The approach we are taking in this final rule preserves 
the ability of regulated entities to use and disclose PHI for permitted 
purposes while also enhancing protections for PHI, to strike the 
appropriate balance between privacy interests and other societal 
interests, including law enforcement. As discussed above, the 
Department's approach will lead to numerous benefits associated with 
enhanced privacy protections.
    Comment: A few commenters asserted that the Department's proposal 
would provide a consistent standard for all states to follow.
    Response: The Department believes this final rule will provide 
clear standards for regulated entities, especially health care 
providers, by incorporating the prohibition into the Privacy Rule. 
However, we stress that the prohibition attaches to only requests for 
uses and disclosures that are for a prohibited purpose where the 
reproductive health care is lawful under the circumstances in which 
such health care is provided. Different states and localities have 
promulgated different standards for the lawfulness of reproductive 
health care.
    Comment: A few commenters expressed their appreciation that the 
proposal encompassed a broad range of reproductive health care and 
explained the importance of ensuring that a final rule protects any 
health information about reproductive health care.
    Response: As the Department acknowledged in the 2023 Privacy Rule 
NPRM, many routine medical examinations and treatments could involve 
PHI about an individual's reproductive health or reproductive organs 
and systems. This final rule is not limited to PHI about abortion. The 
Department recognized the impracticability of attempting to parse out 
the types of reproductive health care that should be subject to the 
prohibition and those that should not be. For this reason, and in 
keeping with the existing scheme of the Privacy Rule, the Department 
proposed and is finalizing a purpose-based approach to prohibiting the 
use and disclosure of any PHI for use against any person for seeking, 
obtaining, providing, or facilitating reproductive health care that is 
lawful under the circumstances in which such health care is provided. A 
regulated entity that receives a request for PHI is charged with making 
a reasonable determination of whether the conditions of lawfulness set 
forth in the Rule of Applicability apply. To further assist regulated 
entities in understanding the broad scope of ``reproductive health 
care,'' we provide in the preamble a non-exclusive list of examples 
that fit within the definition.
    Comment: Some commenters expressed opposition to this proposal, 
asserting that the proposed new category would interfere with the 
enforcement of state laws that restrict or regulate abortion or that 
the proposal would make it more difficult for regulated entities to 
determine whether a requested use or disclosure of PHI is permitted 
under the Privacy Rule because it lacked sufficient specificity.
    Response: The Department is finalizing a narrowly tailored 
prohibition that will only apply when an individual's privacy interest 
in lawfully obtained reproductive health care outweighs society's 
interest in obtaining PHI for non-health care purposes. As discussed 
above, the Department has adopted an approach that strikes the 
appropriate balance between privacy interests and other interests, 
including law enforcement interests in accessing PHI to investigate or 
impose liability on persons for seeking, obtaining, providing, or 
facilitating reproductive health care that

[[Page 33018]]

is unlawful under the circumstances in which such health care is 
provided. To help regulated entities operationalize the prohibition, 
the Department is finalizing an attestation requirement in 45 CFR 
164.509 in which persons requesting PHI under a permission that is 
mostly likely to be used to request PHI for a purpose prohibited by 45 
CFR 164.502(a)(5)(iii) must attest that the request is not subject to 
the prohibition. The Department acknowledges that requests for a 
purpose prohibited by 45 CFR 164.502(a)(5)(iii) may be made pursuant to 
another applicable permission and reminds regulated entities that they 
must evaluate all requests made by a third party for the use or 
disclosure of PHI to ensure that they are not for a prohibited purpose. 
Requests not subject to the prohibition would still be subject to the 
conditions of the relevant permissions in the Privacy Rule. When 
requests for PHI meet the conditions for permissions in the Privacy 
Rule, including conditions specified in 45 CFR 164.512, regulated 
entities are permitted to use and disclose PHI in accordance with such 
permissions.
    Moreover, as we describe above, the Department is modifying the 
final rule to clarify that the prohibition restricts the use and 
disclosure of PHI for the enumerated purposes when connected to the 
``mere act of'' seeking, obtaining, providing, or facilitating 
reproductive health care. Thus, the prohibition does not prevent the 
use or disclosure of the PHI about reproductive health care obtained by 
an individual in all circumstances. Rather, it prevents the use or 
disclosure of PHI when the purpose of the disclosure is to investigate 
or impose liability on a person because they sought, obtained, 
provided, or facilitated reproductive health care that was lawful under 
the circumstances in which such health care was provided, as determined 
by the regulated entity that received the request for PHI. For example, 
a regulated entity would not be prohibited from disclosing an 
individual's PHI when subpoenaed by law enforcement for the purpose of 
investigating allegations of sexual assault by or of the individual, 
assuming that law enforcement provided a valid attestation and met the 
other conditions of the permission under which the request was made.
    Comment: A commenter expressed opposition to the proposal and 
asserted that it relied on the assumption that it would be readily 
apparent or ascertainable whether particular reproductive health care 
was lawfully provided. According to this commenter, persons who violate 
the law have an interest in concealing their activity, and the proposal 
would impede law enforcement investigations to determine whether 
lawbreaking has occurred. Additionally, the commenter expressed their 
concern that the proposal would represent a departure from the Privacy 
Rule's existing approach to law enforcement investigations and 
proceedings.
    Response: The Department is finalizing a regulatory presumption to 
address the narrow circumstance of when lawfulness is not readily 
apparent to a regulated entity who is the recipient of a request for 
the use or disclosure PHI when the regulated entity did not provide the 
underlying reproductive health care. As we explained above, this final 
rule is intended to support and clarify the privacy interests of 
individuals availing themselves of lawful reproductive health care, and 
not to thwart the interests of states and the Federal government in 
conducting lawful investigations or imposing liability on the provision 
of unlawful reproductive health care. While this new regulatory 
presumption may make it more difficult for law enforcement officials to 
investigate whether reproductive health care was unlawful under the 
circumstances in which it was provided (e.g., when other sources of 
information that is not PHI are unavailable), the Department has 
considered those interests and determined that the effects are 
justified by countervailing privacy benefits. We also reiterate here 
that the presumption is not a blanket presumption. It only applies 
where the reproductive health care at issue is provided by someone 
other than the regulated entity that received the request for the use 
or disclosure of PHI, and it may be overcome in the circumstances 
identified above.
    We note that the Privacy Rule has always and continues to permit 
regulated entities to disclose PHI for law enforcement purposes, 
subject to certain conditions or limitations. In this final rule, the 
Department has found that changes in the legal landscape now 
necessitate codifying a prohibition against uses and disclosures for 
the purposes specified in 45 CFR 164.502(a)(5)(iii)(A), subject to the 
Rule of Applicability in 45 CFR 164.502(a)(5)(iii)(B). The Department 
is not otherwise changing the existing permissions in the Privacy Rule 
that permit regulated entities to use or disclose PHI for law 
enforcement purposes and other important non-health care purposes, 
except as discussed elsewhere in this rule. These purposes include when 
PHI is required by law to be disclosed for purposes other than those 
prohibited by this final rule, for public health and health oversight 
activities, for other law enforcement purposes not in conflict with 
this rulemaking, for reports of child abuse, about decedents when not 
prohibited by this final rule, and other purposes specified in the 
Privacy Rule.
    In particular, in the 2023 Privacy Rule NPRM, the Department 
discussed the interaction of this rule with HIPAA's statutory 
preemption provisions \301\ and explained that it was necessary to 
preempt state laws that require the use and disclosure of PHI for the 
purposes prohibited by this rule to give effect to the prohibition 
consistent with HIPAA. As discussed above, to achieve the purpose for 
which HIPAA was enacted, to enable the electronic exchange of 
identifiable health information, we must protect the privacy of that 
information to further individuals' trust in the health care system. As 
finalized, the prohibition is limited only to circumstances in which 
the privacy interests of an individual and the interests of society in 
an effective health care system outweigh society's interest in 
obtaining PHI for non-health care purposes.
---------------------------------------------------------------------------

    \301\ See 88 FR 23506, 23530 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Comment: A commenter stated that, to the extent the ability of a 
state to determine whether to investigate or bring a proceeding is 
based on information in the possession of a regulated entity, the 
proposed rule did not adequately address a state's need to regulate the 
medical profession and health care facilities.
    Response: As finalized, the prohibition prevents the use and 
disclosure of PHI for certain purposes where a person sought, obtained, 
provided, or facilitated reproductive health care that is lawful under 
the circumstances in which such health care is provided. As discussed 
above, the final rule strikes the appropriate balance between privacy 
interests and other interests. Public officials remain free to 
investigate the provision of health care by seeking information from 
non-covered entities. Moreover, the prohibition does not prevent a 
state from enforcing its laws. Instead, it protects the privacy of 
individuals' PHI in certain circumstances.
    Comment: A few commenters expressed concern that the proposed 
prohibition may also affect the enforcement of Federal laws.
    Response: The Department has consulted extensively with other 
Federal agencies and officials in the

[[Page 33019]]

development of this rule, including the Attorney General, and does not 
believe that this rule will impede the enforcement of Federal laws. As 
discussed above, this rule carefully balances privacy and other 
interests, applying only in certain narrowly tailored situations.
    Comment: Numerous commenters recommended that the Department expand 
the scope of the proposed prohibition to include other or all types of 
stigmatized health care. A few commenters recommended expanding the 
proposed prohibition to all health care or to provide individuals the 
ability to prevent the disclosure of their PHI through HIEs.
    Generally, commenters supporting expansion of the proposal's scope 
expressed the belief that it was necessary for HIPAA to promote trust 
between individuals and health care providers and to improve health 
care quality and outcomes.
    Several commenters explained that persons seeking, obtaining, 
providing, or facilitating other types of health care are facing the 
same challenges as described in the proposal with respect to 
reproductive health care, including health care obtained outside of the 
health care system, and provided examples of such challenges. Many 
commenters also made recommendations for how the Department should 
address those challenges.
    Response: The Department is issuing this final rule to protect the 
privacy of PHI when it is sought for activities to investigate or 
impose liability on persons for the mere act of seeking, obtaining, 
providing, or facilitating lawful reproductive health care. Lawfulness 
is based on a reasonable determination made by a regulated entity that 
has received a request for PHI for one of the purposes specified at 45 
CFR 164.502(a)(5)(iii)(A) that at least one of the conditions in the 
Rule of Applicability applies. We are finalizing a prohibition that is 
not specific to certain procedures, laws, or types of providers. 
Rather, the prohibition we finalize here requires regulated entities to 
consider the purpose of the requested use or disclosure. To the extent 
that the specific types of health care referenced by commenters above 
meet the definition of reproductive health care, this final rule will 
prevent the disclosure of PHI where it is sought for activities with 
the purpose of investigating or imposing liability on any person for 
the mere act of seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which it is provided. In adopting a purpose-based prohibition, the 
Department has chosen an administrable standard that reflects the 
appropriate balance between protecting individuals' privacy interests 
and allowing the use or disclosure of PHI in support of other important 
societal interests. Additional privacy protections for information 
about SUD treatment may be afforded to PHI in Part 2 records under Part 
2.\302\
---------------------------------------------------------------------------

    \302\ See 42 CFR part 2 and the 2024 Part 2 Rule for more 
information about Part 2 and the protections afforded to Part 2 
records.
---------------------------------------------------------------------------

    Comment: In response to the Department's specific request about 
whether it should require a regulated entity to obtain an individual's 
authorization for any uses and disclosures of ``highly sensitive PHI'' 
or otherwise address such a defined category of PHI in the Privacy 
Rule, a few commenters urged the Department to expand the proposed 
prohibition to protect all people at risk of criminal or other 
investigation for use of essential health care or care, services, or 
supplies related to the health of the individual that could expose any 
person to civil or criminal liability. Several commenters recommended 
that the Department expand the scope of the proposed prohibition to, 
variously, all ``highly sensitive health information,'' ``sensitive 
personal health care,'' ``highly sensitive PHI,'' or ``highly sensitive 
PHI and restricted health care service'' because of the potential harms 
that could result if such health information were to be disclosed 
without stringent privacy safeguards.
    Several commenters asserted that creating a category of or separate 
standard for ``highly sensitive PHI'' would cause significant confusion 
because it would be difficult to define in a commonly understood 
manner. According to these commenters, this would make compliance more 
challenging and costly and further decrease the individual's privacy. A 
few commenters expressed concern that creating a special category of 
highly sensitive PHI would further stigmatize certain types of health 
care.
    Several commenters expressed concern that prohibiting or limiting 
uses or disclosures of highly sensitive PHI for certain purposes may 
negatively affect efforts to eliminate the need for data segmentation, 
such as efforts to align the Privacy Rule and Part 2; reduce or 
eliminate stigmatization of certain health conditions and diagnoses; 
and improve health care management and health care coordination.
    Response: We appreciate these comments and generally agree with 
commenters who expressed concern that the Privacy Rule should address 
the shifting legal landscape to ensure that it continues to protect 
PHI, regardless of how the PHI is transmitted or maintained. We also 
agree that to the extent possible, the Privacy Rule should promote 
administrative efficiency and disincentivize adverse actions by health 
care providers grounded in fear of prosecution or legal risks borne 
from providing lawful health care to individuals, which may erode 
patients' trust and confidence in the health care system and deter them 
from seeking lawful health care. The Department's approach to 
promulgating a narrowly tailored prohibition focused on clarifying the 
use and disclosure of PHI for the purposes prohibited by this final 
rule accomplishes these goals. As we explained in the 2023 Privacy Rule 
NPRM and re-affirm in this final rule, recent developments in the legal 
environment have made information about lawful reproductive health care 
sought by or provided to an individual more likely to be of interest 
for punitive non-health care purposes, and thus more likely to be used 
or disclosed if sought for a purpose permitted under the Privacy Rule 
today. As explained, the Department has identified concerns that the 
use or disclosure of PHI for the prohibited purposes in this rule would 
erode individuals' trust in the privacy of legal reproductive health 
care. Such erosion would negatively affect relationships between 
individuals and their health care providers, result in individuals 
forgoing needed treatment, and make individuals less likely to share 
pertinent health concerns with their health care providers. Modifying 
the Privacy Rule to focus on and address this shifting landscape is the 
most efficient way to return to a regulatory landscape that is balanced 
and consistent with the goals of HIPAA.
    We do not believe that it is necessary to modify the Privacy Rule 
to prohibit the use and disclosure of PHI for any criminal, civil, or 
administrative investigation or effort to impose criminal, civil, or 
administrative liability related to all health care, services, or 
supplies. Sections 164.512(e) and (f) already set forth the specified 
conditions under which regulated entities may disclose PHI for judicial 
and administrative proceedings and law enforcement purposes.
    We decline to modify the prohibition to apply it to the use and 
disclosure of ``highly sensitive PHI.'' We are persuaded by commenters 
who voiced concern about the feasibility of defining the phrase such 
that regulated entities would be able to understand and

[[Page 33020]]

operationalize it. We also find persuasive comments about the 
compliance burden that would result from implementing such a 
prohibition. While PHI about reproductive health care may be found 
throughout an individual's record and may be collected or maintained by 
multiple types of providers, the term ``reproductive health care'' is 
defined in a manner that is clearly connected to the reproductive 
system, its functions, and processes.\303\
---------------------------------------------------------------------------

    \303\ See the finalized definition of ``Reproductive health 
care'' at 45 CFR 160.103.
---------------------------------------------------------------------------

    In contrast, applying the prohibition to all ``highly sensitive 
PHI'' or any use or disclosure of PHI that results in harm, stigma, or 
adverse result for an individual would be unworkable because of lack of 
consensus about how to define such categories and would likely create 
the issues with segmentation and care coordination discussed above. As 
discussed above, the purpose of this final rule and narrowly crafted 
prohibition is to adopt the appropriate balance in the Privacy Rule 
between protecting individuals' privacy and permitting PHI to be used 
and disclosed for other societal benefits. The commenters' objectives 
reflect a desire to protect individuals, but their discussion does not 
properly account for other societal interests that are supported by 
certain disclosures of PHI, interests that the Privacy Rule has 
balanced since its inception.
    Comment: A commenter requested that the Department clarify that 
state laws may protect the privacy of health information when the 
Privacy Rule does not apply, such as when individuals' health 
information is in the possession of a person that is not a regulated 
entity, such as a friend or family member, or is stored on a personal 
cellular phone or tablet.
    Response: HIPAA provides the Department with the authority to 
protect the privacy and security of IIHI that is maintained or 
transmitted by covered entities, and in some cases, their business 
associates. Other laws may apply where the HIPAA Rules do not. Guidance 
on protecting the privacy and security of health information when using 
a personal cell phone or tablet is available on OCR's website.\304\
---------------------------------------------------------------------------

    \304\ See Off. for Civil Rights, ``Protecting the Privacy and 
Security of Your Health Information When Using Your Personal Cell 
Phone or Tablet,'' U.S. Dep't of Health and Human Servs. (June 29, 
2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
---------------------------------------------------------------------------

    Comment: Many commenters cited potential operational challenges 
with the proposed prohibition and confirmed that current health IT 
generally does not provide regulated entities with the ability to 
segment PHI into specific categories afforded special protections. A 
few commenters recommended that the Department work with EHR vendors to 
modernize health care data management platforms to better address data 
segmentation, while others recommended that the Department ensure 
interagency coordination of data segmentation policies and provide 
individuals with granular level of control over their PHI.
    A few commenters requested that the Department address concerns 
about the interaction between the minimum necessary standard and this 
final rule.
    A commenter asserted that privacy protections that do not account 
for individual privacy preferences would result in individuals 
withholding information from their health care providers, and some 
health care providers electing not to generate or document certain 
information from or about individuals.
    Response: The prohibition, as finalized, should not implicate 
additional data segmentation concerns beyond those that already exist. 
We acknowledge the low adoption rate of data segmentation standards and 
challenges related to the technical and administrative feasibility of 
data segmentation (e.g., costs), and as discussed above, are finalizing 
a purpose-based approach to address such concerns. The Department 
continues its active engagement, particularly through ONC, to identify 
robust data sharing standards that facilitate appropriate privacy 
controls.
    With respect to concerns about the Privacy Rule minimum necessary 
standard, we do not anticipate that this final rule will affect the 
ability of regulated entities subject to the standard to comply. First, 
the prohibition is applicable only for the purposed uses and 
disclosures specified in 45 CFR 164.502(a)(5)(iii). Regulated entities 
must make reasonable efforts to limit the use or disclosure of PHI 
pursuant to 45 CFR 164.512, other than 45 CFR 164.512(a), to the 
minimum amount of PHI necessary to accomplish the intended purpose of 
the use, disclosure, or request.\305\ Regulated entities are required 
to have in place policies and procedures that outline how the entity 
complies with the standard.\306\
---------------------------------------------------------------------------

    \305\ See 45 CFR 164.502(b). Uses and disclosures of PHI 
pursuant to 45 CFR 164.512(a) are limited to the relevant 
requirements of such law. 45 CFR 164.512(a)(1).
    \306\ 45 CFR 164.514(b).
---------------------------------------------------------------------------

    Comment: A few commenters requested that the Department clarify the 
roles and responsibilities of covered entities and business associates 
with respect to compliance with the proposed prohibition and 
attestation requirements and whether business associate agreements 
would need to be amended to reflect the requirements of the final rule.
    Response: The prohibition standard finalized in 45 CFR 
164.502(a)(5)(iii)(A) applies directly to all regulated entities; 
meaning, all HIPAA covered entities and business associates. We also 
note that the finalized presumption of lawfulness for the underlying 
health care, when applicable, directly applies to business associates, 
as does the attestation requirement in 45 CFR 164.509. As such, 
business associates of covered entities that hold PHI by virtue of 
their business associate relationship with the covered entity are 
subject to the express prohibition on using or disclosing PHI for the 
specified purposes, regardless of whether the prohibition is specified 
in the business associate agreement. The attestation requirement and 
its application to business associates are discussed in greater detail 
below.
    Comment: A commenter expressed support for the application of the 
proposal to health care providers, but also recognized states' interest 
in ensuring that health care providers render health care in accordance 
with the standard of care in that state. Another commenter questioned 
the Department's authority under HIPAA to implement this provision.
    Response: The Department is modifying the proposed definition of 
``Reproductive health care'' to explicitly clarify that the definition 
does not set a standard of care for or determine what constitutes 
clinically appropriate reproductive health care. Additionally, as 
discussed above, the application of this rule is limited to 
reproductive health care that is lawful under the circumstances in 
which such health care is provided as described at 45 CFR 
164.502(a)(5)(iii)(B). Lawfulness is determined by the regulated entity 
that receives the request for PHI, after a reasonable determination 
that at least one of the conditions in the Rule of Applicability apply. 
As explained above, the prohibition is carefully tailored to protect 
the privacy of individuals' health information in circumstances where 
the reproductive health care at issue was lawful under the 
circumstances such care was provided, reflecting the appropriate 
balance between privacy interests and other societal interests.
    Comment: Many commenters recommended alternative or additional

[[Page 33021]]

approaches to the purpose-based prohibition, such as eliminating or 
narrowing the permissions for use or disclosure of PHI without an 
individual's authorization or limiting disclosures to third parties 
subject to an individual's authorization.
    A few commenters recommended that the Department revise specific 
Privacy Rule permissions to clarify the use and disclosure of PHI for 
certain administrative or law enforcement requests, instead of 
promulgating a new prohibition.
    Response: The Department's approach to prohibit the uses and 
disclosures of PHI for the purposes described in this final rule is 
consistent with the Privacy Rule's longstanding balancing of individual 
privacy interests with society's interests in PHI for non-health care 
purposes. Adopting the correct balance is necessary to preserve and 
promote trust between individuals and health care providers. Instead of 
modifying specific permissions at 45 CFR 164.512, we are finalizing 
modifications that prohibit the use or disclosure of PHI to ensure the 
correct balance, instead of modifying specific permissions at 45 CFR 
164.512. Recognizing that requests that fall under these permissions 
represent important public policy objectives (e.g., health oversight, 
law enforcement, protection of individuals subject to abuse), the 
Department is imposing a new attestation requirement, as described in 
greater detail below, to protect against harm that may arise from the 
use or disclosure of PHI for a purpose prohibited under 45 CFR 
164.502(a)(5)(iii), which is more likely to occur when a person 
requesting the use or disclosure of PHI relies on certain permissions. 
The new attestation condition will also provide a mechanism that will 
enable a regulated entity to better evaluate the request. The 
Department declines to make additional changes at this time and will 
consider these topics for future guidance. The Department also declines 
to finalize its proposal to prevent an individual from requesting that 
a regulated entity use or disclose PHI pursuant to a valid 
authorization.
    Comment: A few commenters questioned the ability of regulated 
entities to use or disclose PHI in compliance with mandatory reporting 
laws, such as laws requiring the reporting of suspected child abuse or 
domestic violence.
    A few of these commenters questioned whether mandatory reporting 
requirements would change a regulated entity's duty to apply the 
minimum necessary standard.
    A few commenters asserted that mandatory reporting laws dissuade 
individuals from seeking health care, prevent the development of trust 
between individuals and health care providers, and generally are 
implemented in an inequitable fashion that disproportionately apply to 
individuals from marginalized or historically underserved communities 
or communities of color.
    Response: The Department acknowledges that there may be some 
mandatory reporting laws that require a regulated entity to determine 
whether a request for PHI is for a purpose prohibited by this rule. 
However, whether in response to a mandatory reporting law or routine 
request, the final rule's operation remains the same, that is, it 
prohibits a regulated entity from using or disclosing PHI for a 
prohibited purpose when the reproductive health care under 
investigation or at the center of the activity to impose liability is 
lawful under the circumstances that it was provided.
    To the extent mandatory reporting requirements apply to the 
reporting of PHI to public health authorities for public health 
purposes, including PHI about reproductive health care, this final rule 
does not prevent a regulated entity from complying with such mandate.
    To aid stakeholders in understanding how the prohibition operates 
with respect to public health reporting, the Department is clarifying 
that the term ``Public health,'' as used in public health surveillance, 
investigation, and intervention, includes identifying, monitoring, 
preventing, or mitigating ongoing or prospective threats to the health 
or safety of a population, which may involve the collection of PHI. In 
so doing, we are clarifying that public health surveillance, 
investigation, and intervention are outside of the scope of activities 
prohibited by 45 CFR 164.502(a)(5)(iii). These changes will offer 
additional protection to individuals who would otherwise be subject to 
having their PHI disclosed for a prohibited purpose because the 
underlying mandatory reporting requirement did not clearly specify its 
relationship to public health. This final rule does not change the 
minimum necessary standard or the circumstances in which the Privacy 
Rule requires a regulated entity to apply the minimum necessary 
standard.
    Comment: Many commenters expressed concern that the purposes for 
which the Department proposed to prohibit uses or disclosures would 
interfere with the ability of law enforcement to conduct 
investigations, including into coercion, child abuse, and sex 
trafficking and assault, would prevent states from verifying state 
licensure requirements, and would hamper the ability of health care 
professionals to report illegal behavior by other health care 
professionals.
    Response: As discussed above, the prohibition applies only to 
activities conducted for the purpose of investigating or imposing 
liability on a person for the mere act of seeking, obtaining, 
providing, or facilitating reproductive health care that is provided 
under circumstances in which such health care is lawful. A regulated 
entity is permitted to disclose PHI to a person who requests PHI for 
other purposes if a permission applies and the underlying conditions of 
the relevant permission are met, including the attestation condition, 
if applicable.
    Comment: A few commenters recommended that the Department establish 
a safe harbor for the use or disclosure of PHI by regulated entities 
for TPO.
    Response: We appreciate the comment but do not believe such a safe 
harbor is necessary. The Privacy Rule permits the disclosure of an 
individual's PHI for TPO when the conditions set forth in the TPO 
provisions of the rule are met.\307\ The prohibited uses and 
disclosures codified in this rulemaking would rarely intersect with 
uses and disclosures that qualify as TPO activities. As explained 
above, to the extent a person requesting the use or disclosure of PHI 
reasonably articulates a basis for a request that is not related to the 
mere act of seeking, obtaining, providing, or facilitating reproductive 
health care, a regulated entity may use or disclose the PHI where 
otherwise permitted by the Privacy Rule.
---------------------------------------------------------------------------

    \307\ See 45 CFR 164.506.
---------------------------------------------------------------------------

    Comment: A commenter recommended that the Department clarify that 
the prohibition applies to the activities of insurers and third-party 
administrators of self-funded plans by adding ``administering, 
authorizing, covering, approving, or gathering or providing information 
about'' to the explanation of ``seeking, obtaining, providing, or 
facilitating.''
    Response: The prohibition applies to all activities that a person 
could reasonably be expected to engage in with a regulated entity that 
could result in a use or disclosure of PHI that might be sought for 
prohibited purposes, including activities conducted or performed by or 
on behalf of a health

[[Page 33022]]

plan, including a group health plan.\308\ Accordingly, the Department 
has modified the scope of activities initially proposed in the 2023 
Privacy Rule NPRM to better explain what it meant by seeking, 
obtaining, providing, or facilitating reproductive health care. The 
modified text is finalized at 45 CFR 164.502(a)(5)(iii)(D),\309\ and 
adds administering, authorizing, providing coverage for, approving, 
counseling about to the non-exhaustive list of example activities.
---------------------------------------------------------------------------

    \308\ See 45 CFR 160.103 (definitions of ``health plan'' and 
``group health plan'').
    \309\ In the 2023 Privacy Rule NPRM, we proposed the Scope of 
prohibition in 45 CFR 164.502(a)(5)(iii)(B).
---------------------------------------------------------------------------

    Comment: Several commenters expressed support for the proposed Rule 
of Applicability. A few commenters expressed support for the proposed 
Rule of Applicability because it would reassure residents of the state 
in which the lawful health care is provided and individuals who travel 
to such states for lawful health care that their medical records will 
not be disclosed for prohibited purposes.
    Response: We are finalizing a modified Rule of Applicability as 
described above.
    Comment: Some comments expressed varying levels of support for the 
Department's references to ``substantial interests'' by states or 
superseding state laws. A few commenters disagreed with the 
Department's assertion that states lack a legitimate interest in 
conducting a criminal, civil, or administrative investigation or 
proceeding into lawful reproductive health care where the investigation 
is based on the mere fact that reproductive health care was or is being 
provided. Others asserted that the proposed rule would be unworkable 
and would assign health care providers and the Department the power to 
determine whether reproductive health care was provided lawfully, 
thereby affording them the authority to enforce certain state laws.
    Response: As explained above, the Rule of Applicability reflects 
the Department's careful balancing of privacy interests and other 
societal interests. For the reasons explained above, the Department has 
determined that the privacy interest of an individual and the interest 
of society in an effective health care system outweigh the interests of 
society in seeking the use of PHI for non-health care purposes that 
could result in harm to the individual where a regulated entity that 
receives a request for PHI reasonably determines that at least one of 
the conditions in the Rule of Applicability applies. To help clarify 
this discussion further, the Department provides examples where the 
Rule of Applicability applies in this section of this final rule.
    Comment: Several commenters recommended that the Department 
eliminate the distinction between health care that is lawful and health 
care that is not and that all forms of reproductive health care should 
be protected from criminalization and government investigation.
    Several commenters stated that the term ``lawful'' would 
incorrectly suggest that receiving certain types of reproductive health 
care could be unlawful, even though most prohibitions on reproductive 
health care apply to providing or performing the health care, rather 
than receiving it. They also questioned whether the proposed Rule of 
Applicability would protect individuals who obtained reproductive 
health care in another state.
    Response: We are finalizing a Rule of Applicability at 45 CFR 
164.502(a)(5)(iii)(B) that ensures the privacy of PHI when it is sought 
to conduct an investigation into or impose liability on any person for 
the mere act of seeking, obtaining, providing or facilitating 
reproductive health care that is lawful under the circumstances in 
which such health care is provided, consistent with applicable Federal 
or state law. A regulated entity that receives a request for PHI must 
make a reasonable determination that at least one of the conditions in 
the Rule of Applicability applies. As discussed above, this approach 
reflects a careful balance between privacy interests and other societal 
interests.
    Comment: Some commenters asserted that medical records should not 
be used for purposes outside of the health care setting in ways that 
could harm the subject of the records, particularly for law enforcement 
or other governmental purposes. One commenter expressed concern that 
disclosures of PHI would not be limited for all purposes, and that the 
proposal would not prevent a state from pursuing actions where the 
health care is later found to be unlawful. Another commenter asserted 
that disclosing PHI to law enforcement in connection with an 
investigation into reproductive health care is a secondary use of PHI 
that would be directly at odds with the purpose for which the PHI was 
collected, while others stated that the proposal risks deterring 
individuals from seeking or obtaining necessary health care.
    A few commenters expressed concerns that health care providers 
could be inhibited from providing necessary health care, fully 
educating individuals about their options, or documenting the health 
care provided.
    Response: When the Department promulgated the 2000 Privacy Rule, we 
acknowledged that the rule balanced the privacy interests of 
individuals with the interests of the public in ensuring PHI was 
available for non-health purposes. As we explained in the 2023 Privacy 
Rule NPRM, ``individuals' right to privacy in information about 
themselves is not absolute. It does not, for instance, prevent 
reporting of public health information on communicable diseases or stop 
law enforcement from getting information when due process has been 
observed.'' \310\ At the same time, in the 2023 Privacy Rule NPRM, the 
Department acknowledged that adverse consequences do result when 
individuals question the privacy of their health information and 
explained that the purpose of HIPAA is to protect the privacy of 
information and promote trust in the health care system to ensure that 
individuals do not forgo lawful health care when needed or withhold 
important information that may affect the quality of their health 
care.\311\
---------------------------------------------------------------------------

    \310\ 88 FR 23506, 23509 (Apr. 17, 2023) (citing 65 FR 82464 
(Dec. 28, 2000)).
    \311\ Id.
---------------------------------------------------------------------------

    Accordingly, the Privacy Rule provides a clear framework to 
operationalize these principles, and this final rule is intended to 
balance these interests. The Privacy Rule does not protect information 
received or maintained by entities other than those that are regulated 
under HIPAA, including information that is used for a purpose other 
than the purpose for which it was initially requested. This final rule 
provides heightened protection, as necessary, to the privacy of PHI 
where its use or disclosure may result in harm to a person in 
connection with seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which such health care is provided. With respect to other disclosures 
to law enforcement or to other governmental interests, the Privacy Rule 
includes other carefully crafted permissions that specify the 
conditions under which such disclosures must be made to ensure a 
reasonable balance between privacy and the public policies that 
disclosure would serve.
    Comment: Several commenters asserted that the proposed Rule of 
Applicability would not protect all PHI pertaining to lawful health 
care. For example, commenters suggested that the proposed Rule of 
Applicability would be unlikely to protect individuals who

[[Page 33023]]

obtain care outside of the health care system and urged the Department 
to clarify the final rule to strengthen protections for individuals who 
receive care in this manner. As another example, a commenter expressed 
concern that the proposal would not protect PHI for individuals who 
obtain legal reproductive health care, but as a result of 
complications, subsequently access health care in a state where the 
same reproductive health care is illegal.
    Response: The definition of ``reproductive health care'' is 
discussed in greater detail above. As noted above, this final rule does 
not establish a standard of care, nor does it regulate what constitutes 
clinically appropriate health care.
    Commenters who point out that different results may arise in 
different states are correct, but this has been true since the 
inception of the Privacy Rule because it sets a national floor for 
privacy standards, rather than a universal rule. The prohibition 
applies, and therefore liability attaches, when the prohibition is 
violated, based on the ``circumstances in which such health care is 
provided.'' Thus, a regulated entity is not permitted to disclose PHI 
about reproductive health care that was provided in another state where 
such health care was provided under circumstances in which it was 
lawful to provide such health care, even where the individual 
subsequently accesses related health care in a state where it would 
have been unlawful to provide the underlying health care under the 
circumstances in which such health care was provided. HIPAA liability 
attaches in cases where attempts to circumvent the Privacy Rule result 
in impermissible or wrongful uses or disclosures.\312\
---------------------------------------------------------------------------

    \312\ See 42 U.S.C. 1320d-5 and 6.
---------------------------------------------------------------------------

    We remind regulated entities that the Privacy Rule permits the use 
or disclosure of PHI, without an individual's signed authorization, 
only as expressly permitted or required by the Privacy Rule. For 
example, where state or other applicable law prohibits certain 
reproductive health care but does not expressly require a regulated 
entity to report that an individual obtained the prohibited health 
care, the Privacy Rule would not permit a disclosure to law enforcement 
or other investigative body pursuant to the ``required by law'' 
permission (but could potentially allow it pursuant to other 
provisions).\313\
---------------------------------------------------------------------------

    \313\ See 45 CFR 164.512(a).
---------------------------------------------------------------------------

    Comment: One commenter recommended the Department add language to 
the proposed Rule of Applicability or elsewhere to ensure that there 
would be protections for PHI where a health care provider believes the 
health care is legal, even when the person requesting the use or 
disclosure of PHI disputes the legality. A few commenters asserted that 
the health care provider making the decision could be a party to the 
reproductive health care at issue, making it a conflict of interest for 
the health care provider to make the determination regarding the 
lawfulness of the reproductive health care.
    Response: We do not believe additional language is necessary 
because, under the prohibition, the regulated entity--and not the 
person making the request--is responsible for reasonably determining 
whether health care was lawful before making a disclosure. As explained 
above, this framework is consistent with how the Privacy Rule's 
permissions are administered, whereby regulated entities must determine 
whether a use or disclosure is permitted under the relevant permission. 
For example, when evaluating whether a use or disclosure of PHI is 
permitted because the use or disclosure is required by law, the 
regulated entity must look to the relevant law to determine whether the 
use or disclosure falls within that permission.\314\ Furthermore, as 
with other use and disclosure provisions in the Privacy Rule, regulated 
entities remain subject to HIPAA liability for impermissible or 
wrongful disclosures. Neither the statute nor the Privacy Rule provides 
an exception to such liability for circumstances involving conflicts of 
interest.
---------------------------------------------------------------------------

    \314\ See 45 CFR 164.512(a).
---------------------------------------------------------------------------

    Comment: Many commenters expressed concern regarding the burden 
imposed upon and resources that would be required for regulated 
entities to determine whether the reproductive health care at issue was 
lawful if they did not provide the health care at issue, particularly 
considering the evolving nature of state law in this area. Several 
commenters expressed concern that the proposal incorrectly assumes that 
regulated entities would know where the reproductive health care at 
issue occurred and inquired about specific scenarios, such as where 
requests for PHI are received by clinical laboratories that have no 
face-to-face interaction with individuals and that rely on information 
provided by other covered entities. A few commenters asserted that 
requiring regulated entities to make the required legal determinations 
would not be conducive to building a trusting relationship between 
individuals and health care providers.
    Some commenters offered recommendations to the Department, such as 
providing guidance for health care providers regarding their rights and 
responsibilities under a final rule, revising the proposal to clarify 
that there would be a presumption that reproductive health care 
occurred under lawful circumstances, absent compelling evidence to the 
contrary, particularly when an individual travels for health care, and 
clarifying the Rule of Applicability by including examples in the 
regulatory text.
    Some commenters asserted that regulated entities in different 
states or with different interpretations of certain state requirements 
could reach different determinations about whether the reproductive 
health care was provided lawfully, in part because of the lack of 
clarity or consistency in the interpretation in these laws. Yet another 
commenter recommended that the Department add an express directive 
that, in the event of any ambiguity or unsettled law, the scope of what 
is considered lawful should be interpreted consistently with the intent 
of the rule to protect the privacy of PHI to the maximum extent 
possible. A commenter recommended that where the regulated entity 
decides in good faith, it should not be subject to penalties or 
enforcement action if their determination is incorrect or if the 
Department disagrees with the determination. Another commenter 
recommended that the Department clarify that regulated entities may use 
a reasonableness standard when making the determination about whether 
state laws conflict with the Privacy Rule and are therefore preempted 
by HIPAA.
    A few commenters expressed concern about the potential 
interpretation or application of the proposed Rule of Applicability, 
particularly when the laws at issue are ambiguous. Commenters 
recommended inclusion of language that PHI need not be disclosed to a 
government agency or law enforcement if the health care provider deems, 
in good faith, that the reproductive health care is lawful under the 
circumstances in which it is provided, and that the Department clarify 
the application of preemption or provide in preamble examples of each 
condition of the proposed Rule of Applicability.
    Response: We appreciate the many comments the Department received 
in response to its inquiry asking whether the proposed Rule of 
Applicability would be sufficiently clear to individuals and covered 
entities, and

[[Page 33024]]

whether the provision should be made more specific or otherwise 
modified. Considering the many comments expressing concern about the 
burden associated with, the difficulty of, or the liability that could 
attach when someone other than the person who provided the health care 
must determine whether the underlying reproductive health care is 
lawful, the Department is adding a regulatory presumption in the final 
rule.
    As discussed above, the regulatory presumption in 45 CFR 
164.502(a)(5)(iii)(C) will permit a regulated entity receiving a PHI 
request that may be subject to the prohibition to presume the 
reproductive health care at issue was lawful under the circumstances in 
which such health care was provided when provided by a person other 
than the regulated entity receiving the request. The presumption 
includes a knowledge requirement such that the regulated entity must 
not have actual knowledge that the reproductive health care was 
unlawful under the circumstances in which such health care was provided 
or factual information supplied by the person requesting the use or 
disclosure of PHI that demonstrates to the regulated entity a 
substantial factual basis that the reproductive health care was not 
lawful under the specific circumstances in which such health care was 
provided.
    Comment: A commenter asserted that the proposed rule would 
unlawfully thwart enforcement of Federal criminal laws on reproductive 
health care because the proposed rule would be limited to circumstances 
where reproductive health care is permitted by state law, thereby 
prohibiting disclosures for the purpose of enforcing Federal laws 
pertaining to reproductive health care when they conflict with state 
law. A few commenters expressed their support for the Department's 
proposal that the prohibition against the use or disclosure of PHI 
apply where certain Federal laws apply. A few commenters requested 
greater specificity with respect to the application of Federal and 
state laws on abortion.
    Response: Federal laws that involve reproductive health care form 
the underlying basis for examining whether reproductive health care was 
protected, required, or authorized by Federal law under the 
circumstances in which it was provided, pursuant to the 45 CFR 
164.502(a)(5)(iii)(B)(2). Under this final rule, Federal and state 
authorities retain the ability to investigate or impose liability on 
persons where the investigation or imposition of liability is centered 
upon the provision of reproductive health care that is unlawful under 
the circumstances in which it is provided. As discussed above, this 
rule reflects a careful balance between privacy interests and other 
societal interests, and the prohibition is tailored to cover situations 
where the reproductive health care was lawfully provided, whether state 
or Federal law is at issue.
    Comment: A few commenters provided examples of and expressed 
concerns about the electronic availability of PHI about health care 
lawfully provided in one state to health care providers in another 
state where such health care would not have been lawful.
    A few commenters requested that the Department clarify that 
clinical laboratory testing involving a validated laboratory-developed 
test used within a single laboratory certified pursuant to the Clinical 
Laboratory Improvement Amendments of 1988 \315\ (CLIA) and the 
implementing regulations, an in vitro diagnostic test cleared or 
approved by the Food and Drug Administration (FDA), or a validated 
laboratory-developed test that is an in vitro diagnostic test cleared 
or approved by the FDA and used within a single CLIA-certified 
laboratory would fall within the scope of reproductive health care that 
would be ``authorized by Federal law'' for the purposes of the Rule of 
Applicability. The commenters also recommended that a clinical 
laboratory test furnished under the authority of a state with legal 
requirements that are equal to or more stringent than CLIA's statutory 
and regulatory requirements, and is therefore exempt from CLIA 
requirements, also be considered ``authorized by Federal law'' for the 
purposes of the Rule of Applicability.
---------------------------------------------------------------------------

    \315\ Public Law 100-578, 102 Stat. 2903 (Oct. 31, 1988) 
(codified at 42 U.S.C. 201 note).
---------------------------------------------------------------------------

    Response: We interpret the language ``authorized by Federal law'' 
in the Rule of Applicability to include activities, including clinical 
laboratory activities, that are conducted as allowed under applicable 
Federal law, in circumstances where there is no conflicting state 
restriction on the Federally authorized activity or where applicable 
Federal law preempts a contrary state restriction. In such 
circumstances, these activities are lawfully conducted because there 
either is no relevant state restriction or Federal law preempts a 
contrary state restriction. This provision thus reflects the 
Department's careful balancing of privacy interests and other societal 
interests in disclosure. As explained above, in circumstances where 
reproductive health care is lawfully provided, privacy interests are 
heightened while other societal interests in disclosure are reduced. 
This final rule and the operation of HIPAA's general preemption 
authority do not supersede applicable state law pertaining to the 
lawfulness of reproductive health care.
    Comment: One commenter expressed support for including the phrase 
``based primarily'' to clarify that the proposed Rule of Construction 
would only address situations where the purpose of the disclosure is to 
investigate or impose liability because reproductive health care was 
provided, rather than for an issue related to, but not focused on the 
provision of such health care, such as the quality of the health care 
provided or whether claims for certain health care were submitted 
appropriately.
    All other commenters recommended removing ``primarily'' to ensure 
that there is consistent implementation. In the alternative, the 
commenters recommended that the Department provide additional examples 
of scenarios in which a situation would and would not be considered 
``primarily for the purposes of'' or ``primarily based on'' the 
provision of reproductive health care. One commenter asserted that the 
definition is uncertain and could be interpreted as permitting 
secondary or additional uses or disclosures. Another commenter 
explained that permitting a use or disclosure where conducting the 
investigation or imposing liability is only for a secondary or 
incidental purpose would create too much risk for individuals and 
health care providers and would undermine the intent of the proposed 
prohibition. And another stated it is foreseeable that a requesting 
entity could still use the PHI for one of the purposes for which the 
Department proposed to prohibit uses or disclosures of PHI once they 
have it if it was not the primary purpose of their request. A commenter 
expressed concern that the language could be exploited to manufacture a 
``primary'' purpose that would be permissible to permit PHI to be used 
or disclosed for a prohibited purpose, particularly because the PHI 
would lose the protections of the Privacy Rule once it is disclosed to 
another person, unless that person is also a regulated entity. Another 
commenter asserted that the proposed rule did not define ``primarily'' 
or ``mere act,'' nor did it provide sufficient examples to provide 
regulated entities with sufficient information to understand the 
proposal.
    A commenter explained that a request for PHI is often for multiple 
purposes

[[Page 33025]]

and recommended that the Department revise the proposed Rule of 
Construction to allow the proposed prohibition to apply where at least 
one of the purposes for which PHI is sought is to use or disclose the 
information for a prohibited purpose. Similarly, this commenter 
recommended the proposed attestation requirement in 45 CFR 
164.509(b)(1) be revised to state that ``one of the uses or 
disclosures'' is not prohibited by 45 CFR 164.502(a)(5)(iii).
    Response: We agree with the commenter that explained that a request 
for PHI may be multi-purposed. We also agree with commenters that 
pointed out that as proposed, the regulatory Rule of Construction 
appeared to create a secondary standard to consider whether a regulated 
entity should be prohibited from using or disclosing PHI. As discussed 
above, the Department is not finalizing a separate Rule of Construction 
and is not incorporating the phrase ``primarily for the purpose of'' 
originally proposed in 45 CFR 164.502(a)(5)(iii)(D) into the final 
prohibition standard. The modified prohibition standard more clearly 
conveys that it only prohibits the use and disclosure of PHI for the 
specified purposes when it relates to the mere act of seeking, 
obtaining, providing, or facilitating lawful reproductive health care 
in certain circumstances.
    Comment: Commenters also recommended that the proposed Rule of 
Construction prohibit health care providers from reporting individuals 
for the sole reason of having received health care in a state where it 
was not lawful. They described concerns about the effect of 
interoperability and data sharing rules that give health care providers 
ready access to individuals' full medical records and urged the 
Department to expand the proposed Rule of Construction to mitigate the 
risks created by the electronic exchange of PHI.
    Response: The prohibition, as finalized, is narrowly tailored to 
operate in a manner that protects the interests of individuals and 
society in protecting the privacy of PHI while still allowing the use 
or disclosure of PHI for certain non-health care purposes. We remind 
regulated entities that they are generally prohibited from disclosing 
PHI unless there is a specific provision of the Privacy Rule that 
permits (or, in limited instances, requires) such disclosure. For 
example, the Privacy Rule permits but does not require regulated 
entities to disclose PHI about an individual, without the individual's 
authorization, when such disclosure is required by another law and the 
disclosure complies with the requirements of the other law.\316\ The 
permission to disclose PHI as ``required by law'' is limited to a 
``mandate contained in law that compels an entity to use or disclose 
PHI and that is enforceable in a court of law.'' \317\ Further, where a 
disclosure is required by law, the disclosure is limited to the 
relevant requirements of such law.\318\ Disclosures that do not meet 
the ``required by law'' definition of the HIPAA Rules,\319\ or that 
exceed what is required by such law,'' \320\ are not permissible 
disclosures under the required by law permission. Accordingly, 
regulated entities are prohibited from proactively disclosing PHI under 
the required by law permission at 45 CFR 164.512(a) absent a law 
requiring mandatory reporting of such PHI.
---------------------------------------------------------------------------

    \316\ See 45 CFR 164.512(a)(1).
    \317\ See 45 CFR 164.103 (definition of ``Required by law''). 
The definition provides additional explanation about what 
constitutes a mandate contained in law.
    \318\ See 45 CFR 164.512(a)(1).
    \319\ See 45 CFR 164.103 (definition of ``Required by law'').
    \320\ The Privacy Rule permits but does not require covered 
entities to disclose PHI in response to an order of a court or 
administrative tribunal. The Privacy Rule also permits but does not 
require covered entities to disclose PHI in response to a subpoena, 
discovery request, or other lawful process, but only when certain 
conditions are met. See 45 CFR 164.512(e)(1). These provisions 
cannot be used to make disclosures to law enforcement officials that 
are restricted by 45 CFR 164.512(f). See 45 CFR 164.512(e)(2).
---------------------------------------------------------------------------

    Comment: A few commenters asserted that the Department should 
modify the regulatory text of the proposed prohibition to eliminate the 
need for the proposed Rule of Construction because it is confusing and 
appears to set forth two different standards.
    Response: For the reasons discussed above, we agree and have 
incorporated the Rule of Construction into the prohibition standard as 
described above.
    Comment: A commenter expressed concerns that beneficial uses or 
disclosures, such as for conducting investigations into health care 
fraud, would be too limited and would not address criminal, civil and 
administrative proceedings, which are not related to receiving, 
obtaining, facilitating, or providing reproductive health services 
where the receipt or provision of these services could serve as 
evidence of another crime.
    Response: We disagree with concerns that beneficial uses or 
disclosures would be too limited under the changes. If PHI is requested 
for a purpose that is not prohibited and the request complies with the 
conditions of an applicable permission, including the requirements of 
the attestation condition are met, where applicable, the regulated 
entity is permitted to comply with the request.
    Comment: Another commenter cited studies to assert that the 
proposed Rule of Construction would continue to permit health care 
providers to proactively report on individuals. The commenter also 
stated that the proposed rule would not clarify how it would interact 
with mandatory reporting laws that could expose individuals and health 
care providers to investigations based on the provision of reproductive 
health care.
    Response: The Privacy Rule does not permit a regulated entity to 
disclose PHI for law enforcement purposes, proactively or otherwise, 
without an individual's authorization when the disclosure is not made 
pursuant to process or as otherwise required by law.\321\ This is true 
currently and remains true under this final rule.
---------------------------------------------------------------------------

    \321\ 45 CFR 164.512(f)(1).
---------------------------------------------------------------------------

    As discussed above, HIPAA generally preempts state laws requiring 
the use or disclosure of PHI, except in limited circumstances. Where 
such mandatory reporting laws are not preempted by HIPAA, regulated 
entities are limited to disclosing the minimum amount of PHI necessary 
to comply with the mandatory reporting requirement or the relevant 
requirements of such law.\322\
---------------------------------------------------------------------------

    \322\ Whether the regulated entity is limited by the minimum 
necessary standard or the relevant requirements of the law that 
requires the reporting depends upon whether the regulated entity is 
making the disclosure pursuant to 45 CFR 164.512(a) or some other 
permission under 45 CFR 164.512. See 45 CFR 164.502(b)(v).
---------------------------------------------------------------------------

    Comment: Several commenters responded to the question about whether 
it would be beneficial for the Department to further clarify or provide 
examples of uses or disclosures of PHI that would be permitted under a 
final rule. All of these commenters agreed that it would be beneficial 
for the Department to do so. Of those, several commenters specified 
that the Department should provide such examples in the final 
regulatory text. A few commenters who requested examples be provided 
within the regulatory text also recommended that the language make 
clear that the examples are illustrative.
    Response: The Department declines to include examples of uses or 
disclosures of PHI that would be permitted in this rule, in regulatory 
text. We have provided illustrative examples above.
3. Clarifying Personal Representative Status in the Context of 
Reproductive Health Care
    Section 164.502(g) of the Privacy Rule contains the standard for 
personal

[[Page 33026]]

representatives and generally requires a regulated entity to treat an 
individual's personal representative as the individual if that person 
has authority under applicable law (e.g., state law, court order) to 
act on behalf of the individual in making decisions related to health 
care.\323\ For example, the Privacy Rule would treat a legal guardian 
of an individual who has been declared incompetent by a court as the 
personal representative of that individual, if consistent with 
applicable law.\324\ In this and certain other provisions, the 
Department seeks to maintain the longstanding balance HIPAA strikes 
between the interest of a state or other authorities to regulate health 
and safety and protect vulnerable individuals \325\ with the goal of 
maintaining the privacy protections established in the Privacy 
Rule.\326\
---------------------------------------------------------------------------

    \323\ See 45 CFR 164.502(g).
    \324\ See 45 CFR 164.502(g)(3)(i). See also Off. for Civil 
Rights, ``Personal Representatives,'' U.S. Dep't of Health and Human 
Servs., https://www.hhs.gov/hipaa/for-individuals/personal-representatives/index.html.
    \325\ See, e.g., 45 CFR 164.510(b)(3) and 164.512(j)(1)(i)(A).
    \326\ See 65 FR 82462, 82471 (Dec. 28, 2000).
---------------------------------------------------------------------------

    In the 2023 Privacy Rule NPRM, the Department expressed concern 
that some regulated entities may interpret the Privacy Rule as 
providing them with the ability to refuse to recognize as an 
individual's personal representative a person who makes reproductive 
health care decisions, on behalf of the individual, with which the 
regulated entity disagrees.\327\ Under these circumstances, current 
section 45 CFR 164.502(g)(5) of the Privacy Rule could be interpreted 
to permit a regulated entity to assert that, by virtue of the personal 
representative's involvement in the reproductive health care of the 
individual, the regulated entity believes that the personal 
representative is subjecting the individual to abuse. Further, this 
regulated entity might exercise its professional judgment and decide 
that it is in the best interest of the individual to not recognize the 
personal representative's authority to make health care decisions for 
that individual.
---------------------------------------------------------------------------

    \327\ 88 FR 23506, 23533-34 (Apr. 17, 2023).
---------------------------------------------------------------------------

    To protect the balance of interests struck by the Privacy Rule, the 
Department proposed to modify 45 CFR 164.502 by adding a new paragraph 
(g)(5)(iii). Proposed 45 CFR 164.502(g)(5)(iii) would ensure that a 
regulated entity could not deny personal representative status to a 
person where such status would otherwise be consistent with state and 
other applicable law primarily because that person provided or 
facilitated reproductive health care for an individual. The Department 
expressed its belief that this proposal was narrowly tailored and 
respected the interests of states and the Department by not unduly 
interfering with the ability of states to define the nature of the 
relationship between an individual and another person, including 
between a minor and a parent, upon whom the state deems it appropriate 
to bestow personal representative status. The proposal would, however, 
maintain the existing HIPAA standard by ensuring personal 
representative status, when otherwise consistent with state law, would 
not be affected by the type of underlying health care sought.
    Several commenters supported the Department's proposal to clarify 
that the covered entity's reasonable basis for electing not to treat a 
person as a personal representative of an individual, despite state law 
or other requirements of the Privacy Rule, cannot be primarily because 
the person has provided or facilitated reproductive health care. Other 
commenters expressed concern about their ability to determine what 
constitutes reproductive health care, as would be required to ascertain 
whether the covered entity had a reasonable basis to elect not to treat 
a person as an individual's personal representative. These commenters 
requested that the Department provide additional clarity in regulatory 
text or through examples. Other commenters questioned how the 
Department's proposal would align with existing state law on parental 
rights.
    As discussed throughout this final rule, reproductive health care 
is uniquely sensitive and must be treated accordingly. Thus, we are 
finalizing 45 CFR 164.502(g)(5) with additional modifications as 
follows. This final rule precludes the denial of personal 
representative status where the basis of the denial is that the person 
provided or facilitated reproductive health care instead of the 
proposed standard that would have precluded denial ``primarily'' based 
on these actions. This change clarifies that the covered entity does 
not have to determine whether the reproductive health care is the 
``primary'' basis for denying a person personal representative status. 
Additionally, the final rule adds the term ``reasonable'' before 
``belief'' to align with 45 CFR 164.502(g)(5)(i)(A), clarifying that 
the basis of the covered entity's belief must be reasonable in the 
circumstances. We are also renumbering paragraphs. Collectively, these 
changes clarify that it is not reasonable to elect not to treat a 
person as an individual's personal representative because the person 
provides or facilitates reproductive health care for and at the request 
of the individual. The Department is making these changes in response 
to comments received on the 2023 Privacy Rule NPRM, which are further 
discussed below.
    Comment: Several commenters supported the Department's proposal to 
clarify that the covered entity's basis for electing not to treat a 
person as a personal representative of an individual, despite state law 
or other requirements of the Privacy Rule, cannot be primarily because 
the person has provided or facilitated reproductive health care.
    Response: As explained throughout this final rule, reproductive 
health care is uniquely sensitive and must be treated as such. 
Accordingly, we are finalizing this proposal with modifications as 
described above.
    Comment: A commenter expressed concerns that regulated entities 
would have difficulty determining whether the ``primary'' basis for the 
belief that the individual has been or may be subjected to domestic 
violence, abuse, or neglect by such person, or that treating such 
person as the personal representative could endanger the individual 
related to the provision or facilitation of the reproductive health 
care, in some circumstances. The commenter requested that the 
Department provide additional clarity in the regulatory text or through 
examples.
    Response: As discussed above, we have removed the term ``primary'' 
before ``basis'' and reorganized the provision. We believe this change 
clarifies that the covered entity does not have to determine whether 
the provision or facilitation of reproductive health care is the 
``primary'' basis for believing that a person who is an individual's 
personal representative under applicable law has abused, neglected, or 
endangered the individual, or may do so in the future, such that the 
covered entity would be permitted to deny the person personal 
representative status.
    Comment: A few commenters requested that the Department clarify 
that other existing provisions pertaining to personal representatives 
continue to apply, including the provision that a covered entity should 
not treat a parent or guardian as a personal representative where state 
law does not require a minor to obtain parental consent to lawfully 
obtain health care.
    Response: As discussed above, the Privacy Rule generally requires a 
covered entity to treat a person who, under applicable law, has the 
authority to act on behalf of an individual in making decisions related 
to health care

[[Page 33027]]

as the individual's personal representative with respect to PHI 
relevant to such personal representation, with limited exception.\328\ 
In this final rule, we are clarifying those limited exceptions apply to 
this general rule.\329\ We did not propose, nor are we making any 
additional changes to the Privacy Rule's provisions on personal 
representatives. Nothing in this final rule is intended to alter any 
other use or disclosure permissions for personal representatives, nor 
does it interfere with the ability of states to define the nature of 
the relationship between a minor and a parent or guardian.
---------------------------------------------------------------------------

    \328\ See 45 CFR 164.502(g).
    \329\ See 45 CFR 164.502(g)(3)(i).
---------------------------------------------------------------------------

    Comment: A commenter asserted that the proposal could lead to 
situations in which someone pretending to be a personal representative 
of the individual would consent to reproductive health care for the 
individual. According to a few commenters, the proposal would make it 
easier for a person abusing an individual to obtain access to an 
individual's PHI because of the limits imposed on the reasonable belief 
provisions by the proposal. Another commenter asserted that the 
proposal would hinder state investigations into crimes that affect an 
individual's reproductive health where such crimes are committed by a 
person meeting a state's definition of a personal representative.
    Response: The Department has no reason to believe, and commenters 
provided no evidence to suggest, that the final rule will lead to abuse 
or undermine parental consent. Rather, the final rule will protect 
sensitive PHI by clarifying that a regulated entity must treat a person 
as a personal representative of an individual with respect to PHI 
relevant to such personal representation if such person is, under 
applicable law, authorized to act on behalf of the individual in making 
decisions related to health care. This includes a court-appointed 
guardian, a person with a power of attorney, or other persons with 
legal authority to make health care decisions. Further, under 45 CFR 
164.514(h), a covered entity must verify the identity of a person 
requesting PHI and the authority of any such person to have access to 
PHI, if the identity is not already known to the covered entity.
    Additionally, the final rule allows a covered entity to elect not 
to treat a person as a personal representative of an individual if the 
covered entity, in the exercise of professional judgment, has a 
reasonable belief that the individual has been or may be subjected to 
domestic violence, abuse, or neglect by such person, or that treating 
such person as the personal representative could endanger the 
individual. The final rule only clarifies that the reasonable basis 
cannot be the provision or facilitation of reproductive health care by 
the person authorized by applicable law.
    Comment: A few commenters recommended that the Department define 
and interpret personal representative status in the context of 
reproductive health care consistent with its current interpretation.
    Response: We appreciate the comments but decline to specifically 
define ``personal representative'' in the context of reproductive 
health care. We are reducing compliance burdens by eliminating the need 
for covered entities to determine whether the provision or facilitation 
of reproductive health care was the ``primary'' basis for their belief 
that an individual has been or may be subjected to domestic violence, 
abuse, or neglect, or may be endangered by a person authorized by 
applicable law to act as an individual's personal representative if the 
covered entity treats the person as such, with respect to PHI relevant 
to such personal representation.
    Comment: A covered entity recommended that the Department set 
reasonable threshold standards that covered entities would be required 
to meet if they deny personal representative status to a person because 
of any legal, social, or professional liability that could attach based 
on such denials. The commenter further recommended that the Department 
set objective universal thresholds for denials that are clear, concise, 
and easily defined.
    Response: We appreciate the comment but decline to set a reasonable 
threshold standard that covered entities would be required to meet if 
they deny personal representative status to a person. As discussed 
above, the Department gives covered entities discretion to elect not to 
treat a person as a personal representative of an individual if the 
covered entity has a reasonable belief that the individual has been 
subjected to domestic violence, abuse, or neglect by or would be in 
danger from a person seeking to act as the personal representative, 
except where the basis of the denial is that the person provided or 
facilitated reproductive health care.
    Response: As discussed above, a personal representative, with 
authority under applicable law, stands in the shoes of the individual 
and has the ability to act for the individual and exercise the 
individual's rights. Thus, with very limited exceptions, covered 
entities must provide the personal representative access to the 
individual's PHI in accordance with 45 CFR 164.524 to the extent such 
information is relevant to such representation.
4. Request for Comments
    The Department requested comment on whether to eliminate or narrow 
any existing permissions to use or disclose ``highly sensitive PHI.'' 
\330\ Most of the comments on this question are discussed in the 
context of the prohibition.
---------------------------------------------------------------------------

    \330\ 88 FR 23506, 23534 (Apr. 17, 2023).
---------------------------------------------------------------------------

C. Section 164.509--Uses and Disclosures for Which an Attestation Is 
Required

1. Current Provision
    The Privacy Rule currently separates uses and disclosures into 
three categories: required, permitted, and prohibited. Permitted uses 
and disclosures are further subdivided into those to carry out TPO; 
\331\ those for which an individual's authorization is required; \332\ 
those requiring an opportunity for the individual to agree or object; 
\333\ and those for which an authorization or opportunity to agree or 
object is not required.\334\ For an individual's authorization to be 
valid, the Privacy Rule requires that it contain certain specific 
information to ensure that an individual authorizing a regulated entity 
to use or disclose their PHI to another person knows and understands to 
what it is they are agreeing.\335\
---------------------------------------------------------------------------

    \331\ 45 CFR 164.506.
    \332\ 45 CFR 164.508.
    \333\ 45 CFR 164.510.
    \334\ 45 CFR 164.512.
    \335\ 45 CFR 164.508(b).
---------------------------------------------------------------------------

2. Proposed Rule
    As we described in the 2023 Privacy Rule NPRM, a regulated entity 
presented with a request for PHI would need to discern whether using or 
disclosing PHI in response to the request would be prohibited. To 
facilitate compliance with the proposed prohibition at 45 CFR 
164.502(a)(5)(iii) while also providing a pathway for regulated 
entities to disclose PHI for certain permitted purposes, the Department 
proposed to require that a covered entity obtain an attestation from a 
person requesting the use or disclosure of PHI in certain 
circumstances.\336\
---------------------------------------------------------------------------

    \336\ 88 FR 23506, 23534-37 (Apr. 17, 2023).

---------------------------------------------------------------------------

[[Page 33028]]

    Specifically, the Department proposed to add a new section 45 CFR 
164.509, ``Uses and disclosures for which an attestation is required.'' 
This proposed condition would require a regulated entity to obtain 
certain assurances from the person requesting PHI potentially related 
to reproductive health care before the PHI is used or disclosed, in the 
form of a signed and dated written statement attesting that the use or 
disclosure would not be for a purpose prohibited under 45 CFR 
164.502(a)(5)(iii), where the person is making the request under the 
Privacy Rule permissions at 45 CFR 164.512(d) (disclosures for health 
oversight activities), (e) (disclosures for judicial and administrative 
proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) 
(disclosures about decedents to coroners and medical examiners).
    The proposed new section included a description of the proposed 
attestation contents, including a statement that the use or disclosure 
is not for a purpose the Department proposed to prohibit as described 
at 45 CFR 164.502(a)(5)(iii). The 2023 Privacy Rule NPRM also included 
a discussion about how the Department anticipated the proposed 
attestation requirement would work in concert with Privacy Rule 
permissions. Additionally, the proposed attestation provision would 
also include the general requirements for a valid attestation, and 
defects of an invalid attestation.\337\ The Department also proposed to 
require that an attestation be written in plain language \338\ and to 
prohibit it from being ``combined with'' any other document. Further, 
the Department's proposal would explicitly permit the attestation to be 
in an electronic format, as well as electronically signed by the person 
requesting the disclosure.\339\ Under the proposal, the attestation 
would be facially valid when the document meets the required elements 
of the attestation proposal and includes an electronic signature that 
is valid under applicable Federal and state law.\340\
---------------------------------------------------------------------------

    \337\ Pursuant to 45 CFR 164.530(j), regulated entities would be 
required to maintain a written or electronic copy of the 
attestation.
    \338\ The Federal plain language guidelines under the Plain 
Writing Act of 2010 only applies to Federal agencies, but it serves 
as a helpful resource. See 5 U.S.C. 105 and ``Federal plain language 
guidelines,'' U.S. Gen. Servs. Admin., https://www.plainlanguage.gov/guidelines/.
    \339\ Proposed 45 CFR 164.509(b)(1)(iv) and (c)(1)(iv).
    \340\ While not explicitly stated in the Privacy Rule, the 
Department previously issued guidance clarifying that authorizations 
are permitted to be submitted and signed electronically. See Off. 
for Civil Rights, ``Is a copy, facsimile, or electronically 
transmitted version of a signed authorization valid under the 
Privacy Rule?,'' U.S. Dep't of Health and Human Servs., HIPAA FAQ 
#475 (Jan. 9, 2023), https://www.hhs.gov/hipaa/for-professionals/faq/475/is-a-copy-of-a-signed-authorization-valid/index.html and 
Off. for Civil Rights, ``How do HIPAA authorizations apply to an 
electronic health information exchange environment?,'' U.S. Dep't of 
Health and Human Servs., HIPAA FAQ #554 (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/index.html.
---------------------------------------------------------------------------

    Additionally, the proposal specified that each use or disclosure 
request would require a new attestation.
    The Department proposed that a regulated entity would be able to 
rely on the attestation provided that it is objectively reasonable 
under the circumstances for the regulated entity to believe the 
statement required by 45 CFR 164.509(c)(1)(iv) that the requested 
disclosure of PHI is not for a purpose prohibited by 45 CFR 
164.502(a)(5)(iii), rather than requiring a regulated entity to 
investigate the validity of an attestation.\341\ We explained that it 
would not be objectively reasonable for a regulated entity to rely on 
the representation of the person requesting PHI about whether the 
reproductive health care was provided under circumstances in which it 
was lawful to provide such health care. This is because we believed 
that the regulated entity, not the person requesting the disclosure of 
PHI, has the information about the provision of such health care that 
is necessary to make this determination. Therefore, we explained that 
this determination would need to be made by the regulated entity prior 
to using or disclosing PHI in response to a request for a use or 
disclosure of PHI that would require an attestation under the proposal.
---------------------------------------------------------------------------

    \341\ This approach is consistent with 45 CFR 164.514(h), which 
requires a regulated entity to verify the identity and legal 
authority of a public official or a person acting on behalf of a 
public official, and describes the type of documentation upon which 
a regulated entity may rely, if such reliance is reasonable under 
the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A), 
which permits a covered entity to rely, if such reliance is 
reasonable under the circumstances, on a requested disclosure as the 
minimum necessary for the stated purpose when making disclosures to 
public officials that are permitted under 45 CFR 164.512, if the 
public official represents that the information requested is the 
minimum necessary for the stated purpose(s).
---------------------------------------------------------------------------

    The attestation proposal also would require a regulated entity to 
cease use or disclosure of PHI if the regulated entity develops reason 
to believe, during the course of the use or disclosure, that the 
representations contained within the attestation were materially 
incorrect, leading to uses or disclosures for a prohibited 
purpose.\342\ Relatedly, the 2023 Privacy Rule NPRM included a 
discussion of the consequences of material misrepresentations that 
cause the impermissible use or disclosure of IIHI relating to another 
individual under HIPAA.
---------------------------------------------------------------------------

    \342\ Proposed 45 CFR 164.509(d).
---------------------------------------------------------------------------

    To reduce the burden on regulated entities implementing this 
proposed attestation, the Department requested comment on whether it 
should develop a model attestation that a regulated entity may use when 
developing its own attestation templates. The Department did not 
propose to require that regulated entities use the model attestation.
3. Overview of Public Comments
    Most commenters expressed support for the proposal to require an 
attestation for certain uses and disclosures. Some commenters 
questioned why the Department did not extend the attestation 
requirement directly to business associates, consistent with the 
general prohibition and recommended that the attestation requirements 
be applied to business associates.
    Some of those commenters that supported the proposal to require an 
attestation expressed concern or made additional recommendations about 
its components, content, and scope, and the consequences for covered 
entities that make inadvertent disclosures of PHI without an 
attestation. A small number of opposing commenters also expressed 
concerns about the effectiveness and administrative burden of the 
proposed attestation requirement.
    About half of the commenters concerned about the administrative 
burden of the attestation expressed support for limiting the 
applicability of the proposed attestation to certain types of uses and 
disclosures of information, while the other half recommended expanding 
the scope of the proposed attestation requirement to mitigate burdens 
on covered entities or to increase privacy protections for individuals.
    Many commenters expressed concern about the Department's statement 
in the 2023 Privacy Rule NPRM that it would not be objectively 
reasonable for a regulated entity to rely on the representation of a 
person requesting the use or disclosure of PHI about whether the PHI 
sought was related to lawful health care. Specifically, commenters 
asserted that regulated entities may have difficulties determining 
whether an attestation is ``objectively reasonable'' and were unlikely 
to possess the information necessary to determine the purpose of a 
person's request for the use or disclosure of PHI.

[[Page 33029]]

    Most commenters urged the Department to expand the proposal beyond 
requests for PHI potentially related to reproductive health care to 
requests for any PHI because of the associated administrative burden of 
identifying and segmenting PHI about reproductive health care from 
other types of PHI. These commenters asserted that the burden would be 
significant because such PHI can be found throughout the medical 
record. Commenters also expressed concerns about the ability of EHRs to 
segment data.
    Most commenters recommended that the Department add to or modify 
the content of the proposed attestation, including to add a statement 
that the recipient pledges not to redisclose PHI to another party for 
any of the prohibited purposes or that the request is for the minimum 
amount of information necessary. Many supported the inclusion of a 
signed declaration under penalty of perjury and a statement regarding 
the penalties for perjury to add a layer of accountability.
4. Final Rule
    As we explained in the 2023 Privacy Rule NPRM, it may be difficult 
for regulated entities to distinguish between requests for the use and 
disclosure of PHI based on whether the request is for a permitted or 
prohibited purpose, which could lead regulated entities to deny use or 
disclosure requests for permitted purposes. Additionally, absent an 
enforcement mechanism, it is likely that persons requesting the use or 
disclosure of PHI could seek to use Privacy Rule permissions for 
purposes that are prohibited under the new 45 CFR 164.502(a)(5)(iii). 
Accordingly, the Department is finalizing the proposed attestation 
requirement, with modification, as described below. We intend to 
publish a model attestation prior to the compliance date for this final 
rule.
    First, the Department is renumbering the attestation provision such 
that the requirement is now 45 CFR 164.509(a)(1) and modifying that 
requirement to hold business associates directly liable for compliance 
with the attestation requirement. This change was made to address 
concerns raised by commenters who questioned why the Department did not 
extend the attestation requirement directly to business associates, 
consistent with the general prohibition and with revisions made to the 
HIPAA Rules in the 2013 Omnibus Rule, as required by the HITECH Act. 
The Department has authority to take enforcement action against 
business associates only for requirements for which the business 
associate is directly liable.\343\ Thus, under the proposed attestation 
requirement, a business associate would only have been required to 
comply with the proposed 45 CFR 164.509 if such obligation was 
explicitly included within its business associate agreement.\344\
---------------------------------------------------------------------------

    \343\ Business associates became directly liable for compliance 
with certain requirements of the HIPAA Rules under the HITECH Act. 
Consistent with the HITECH Act, the 2013 Omnibus Rule identified the 
portions of the HIPAA Rules that apply directly to business 
associates and for which business associates are directly liable. 
Prior to the HITECH Act and the Omnibus Rule, these requirements 
applied to business associates and their subcontractors indirectly 
through the requirements under 45 CFR 164.504(e) and 164.314(a), 
which require that covered entities by contract require business 
associates to limit uses and disclosures and implement HIPAA 
Security Rule-like safeguards. See 78 FR 5566 (Jan. 25, 2013). See 
also Off. for Civil Rights, ``Direct Liability of Business 
Associates Fact Sheet,'' U.S. Dep't of Health and Human Servs. (July 
16, 2021), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.
    \344\ 45 CFR 164.504(e) and 164.314(a).
---------------------------------------------------------------------------

    Both covered entities and business associates process requests for 
PHI. The Privacy Rule permits regulated entities to determine whether a 
business associate can respond to such requests or whether they are 
required to defer to the covered entity.\345\ As noted by commenters, 
while many PHI requests processed by a business associate pursuant to 
45 CFR 164.512(d)-(g)(1) are processed on behalf of the covered entity, 
persons may elect to request PHI directly from the business associate. 
Thus, the Department has determined that it is appropriate to hold both 
covered entities and business associates directly liable for compliance 
with the attestation requirement. Expanding the attestation requirement 
to apply to business associates will ensure that the business associate 
is directly liable for compliance with it, regardless of whether 
compliance with 45 CFR 164.509 is explicitly included in a BAA.
---------------------------------------------------------------------------

    \345\ 45 CFR 164.504(e)(2)(i)(E).
---------------------------------------------------------------------------

    The Department is also adopting the proposed attestation 
requirement that a regulated entity obtain an attestation only for PHI 
``potentially related to reproductive health care.'' As discussed in 
the 2023 Privacy Rule NPRM, this will limit the number of requests that 
require an attestation, and therefore, the burden of the attestation 
requirement on regulated entities and persons requesting PHI. The 
Department reminds regulated entities that they are permitted, but not 
required, to respond to law enforcement requests for PHI where the 
purpose of the request is not one for which regulated entities are 
prohibited from disclosing PHI. By narrowing the scope of the 
attestation to PHI ``potentially related to reproductive health care,'' 
the attestation requirement will not unnecessarily interfere with or 
delay law enforcement investigations that do not involve PHI 
``potentially related to reproductive health care.'' While in practice 
this scope may be wide, we believe the privacy interests of individuals 
who have obtained reproductive health care necessitates the inclusion 
of ``potentially related'' PHI. We are concerned that extending the 
attestation requirement to all PHI could unnecessarily delay law 
enforcement investigations that are not for a purpose prohibited under 
45 CFR 164.502(a)(5)(iii). We acknowledge commenters' concerns about 
the ability of regulated entities to operationalize the attestation 
condition and note that the requirement to obtain an attestation 
applies where the request is for PHI ``potentially related to 
reproductive health care,'' as opposed to PHI ``related to reproductive 
health care.'' Consistent with the Department's instructions to 
regulated entities since the Privacy Rule's inception, we have taken a 
flexible approach to allow scalability based on a regulated entity's 
activities and size. All regulated entities must take appropriate steps 
to address privacy concerns. Regulated entities should weigh the costs 
and benefits of alternative approaches when determining the scope and 
extent of their compliance activities, including when developing 
policies and procedures to comply with the Privacy Rule.\346\ The 
Department will assess the progress of regulated entities' compliance 
with this requirement and promulgate guidance as appropriate. The 
Department also notes that with limited exceptions, the Privacy Rule 
generally permits but does not require the use or disclosure of PHI 
when the conditions set by the Privacy Rule for the specific use or 
disclosure of PHI are met.
---------------------------------------------------------------------------

    \346\ 65 FR 82462, 82471, and 82875 (Dec. 28, 2000).
---------------------------------------------------------------------------

    The Department is adopting the proposed requirement that an 
attestation be obtained where a request is made under the Privacy Rule 
permissions at 45 CFR 164.512(d) (disclosures for health oversight 
activities), (e) (disclosures for judicial and administrative 
proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) 
(disclosures about decedents to coroners and medical examiners). This 
requirement will help ensure that these Privacy Rule permissions cannot 
be used to circumvent the new prohibition at 45

[[Page 33030]]

CFR 164.502(a)(5)(iii) and continue permitting essential disclosures, 
while also limiting the attestation's burden on regulated entities by 
providing a standard mechanism by which the regulated entity can 
ascertain whether a requested use or disclosure is prohibited under 
this final rule. The attestation requirement is intended to reduce the 
burden of determining whether the PHI request is for a purpose 
prohibited under 45 CFR 164.502(a)(5)(iii), but it does not absolve 
regulated entities of the responsibility of making this determination, 
nor does it absolve regulated entities of the responsibility for 
ensuring that such requests meet the other conditions of the relevant 
permission.
    We are modifying the proposal by revising 45 CFR 164.509(a)(1) to 
clarify that a regulated entity may not use or disclose PHI where the 
use or disclosure does not meet all of the Privacy Rule's applicable 
conditions, including the attestation requirement. While this is 
consistent with the existing requirements of the Privacy Rule, we 
determined that it was necessary to reiterate this requirement here 
based on comments we received. Thus, when this final rule is read 
holistically, a regulated entity is not permitted to use or disclose 
PHI where such disclosure does not meet all of the Privacy Rule's 
applicable conditions, including the attestation requirement.
    We are also modifying the proposal by adding 45 CFR 164.509(a)(2) 
to clarify that the use or disclosure of PHI based on a defective 
attestation does not meet the attestation requirement. For example, the 
attestation requirement would not be met if a regulated entity relies 
on an attestation where it is not reasonable to do so because the 
attestation would be defective under 45 CFR 164.509(b)(2)(v). 
Accordingly, it would be a violation of the Privacy Rule if the 
regulated entity makes a use or disclosure in response to a defective 
attestation.
    The Department is modifying the proposal to prohibit inclusion in 
the attestation of any elements that are not specifically required by 
45 CFR 164.509(c). This provision addresses concerns that regulated 
entities might require persons requesting PHI to provide information 
beyond that which is required under 45 CFR 164.509(c). Such additional 
requirements could make it burdensome for persons requesting PHI to 
submit a valid attestation when they make a request pursuant to 45 CFR 
164.512(d), (e), (f), or (g)(1). Additionally, a person requesting PHI 
is not required to use the specific attestation form provided by a 
regulated entity, as long as the attestation provided by such person is 
compliant with the requirements of 45 CFR 164.509.
    Additionally, the Department is modifying the proposed prohibition 
on compound attestations. Specifically, the final rule prohibits the 
attestation from being ``combined with'' any other document. The 
modification clarifies that while an attestation may not be combined 
with other ``forms,'' additional documentation to support the 
information provided in the attestation may be submitted. This 
additional documentation may not replace or substitute for any of the 
attestation's required elements. The attestation itself must be clearly 
labeled, distinct from any surrounding text, and completed in its 
entirety, but documentation to support the statement at 45 CFR 
164.509(c)(1)(iv) or to overcome the presumption at 45 CFR 
164.502(a)(5)(iii)(C) may be appended to the attestation. Thus, a 
regulated entity must ensure that the required elements of the 
attestation are met, and should review any additional documents 
provided by the person making the request when making the required 
determinations.
    A regulated entity may use this information--the information on the 
attestation combined with any additional documentation provided by the 
person making the request for PHI--to make a reasonable determination 
that the attestation is true, consistent with 45 CFR 164.509(b)(2)(v). 
For example, an attestation would not be impermissibly ``combined 
with'' a subpoena if it is attached to it, provided that the 
attestation is clearly labeled as such. As another example, an 
electronic attestation would not be impermissibly ``combined with'' 
another document where the attestation is on the same screen as the 
other document, provided that the attestation is clearly and distinctly 
labeled as such.
    The Department is finalizing the proposed content requirements with 
modifications as follows. Specifically, the Department is finalizing 
the proposal that an attestation must include that the person 
requesting the disclosure confirm the types of PHI that they are 
requesting; clearly identify the name of the individual whose PHI is 
being requested, if practicable, or if not practicable, the class of 
individuals whose PHI is being requested; and confirm, in writing, that 
the use or disclosure is not for a purpose prohibited under 45 CFR 
164.502(a)(5)(iii). For purposes of the ``class of individuals'' 
described in 45 CFR 164.509(c)(1)(i)(B), the Department clarifies that 
the requesting entity may describe such a class in general terms--for 
example, as all individuals who were treated by a certain health care 
provider or for whom a certain health care provider submitted claims, 
all individuals who received a certain procedure, or all individuals 
with given health insurance coverage.
    As we proposed, we are finalizing a requirement that the 
attestation include a clear statement that the use or disclosure is not 
for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). This 
requirement may be satisfied with a series of checkboxes that 
identifies why the use or disclosure is not prohibited under 45 CFR 
164.502(a)(5)(iii) (i.e., the use or disclosure is not for a purpose 
specified in 45 CFR 164.502(a)(5)(iii)(A); or the use or disclosure is 
for a purpose that would be prohibited under 45 CFR 
164.502(a)(5)(iii)(A), but the reproductive health care at issue was 
not lawful under the circumstances in which it was provided so the Rule 
of Applicability is not satisfied, and thus the prohibition does not 
apply).
    The Department is adding another new required element, a statement 
that the attestation is signed with the understanding that a person who 
knowingly and in violation of HIPAA obtains or discloses IIHI relating 
to another individual, or discloses IIHI to another person, may be 
subject to criminal liability.\347\ We believe that adding this 
language satisfies the intent that led us to consider including a 
penalty of perjury requirement and with applicable law. The statement 
does not impose new liability on persons who sign an attestation; 
instead, including the statement in the attestation ensures that 
persons who request the use or disclosure of PHI for which an 
attestation is required are on notice of and acknowledge the 
consequences of making such requests under false pretenses.
---------------------------------------------------------------------------

    \347\ See 42 U.S.C. 1320d-6(a).
---------------------------------------------------------------------------

    The Department is also finalizing the proposed requirement that the 
attestation must be written in plain language. Additionally, the 
Department is finalizing its proposal to permit the attestation to be 
in electronic format and for it to be electronically signed by the 
person requesting the disclosure where such electronic signature is 
valid under applicable law.\348\ The Department declines to mandate a 
specific electronic format for the attestation.
---------------------------------------------------------------------------

    \348\ 45 CFR 164.509(b)(1)(iii) and (c)(1)(vi).
---------------------------------------------------------------------------

    As we proposed, an attestation will be limited to the specific use 
or disclosure. Accordingly, each use or disclosure

[[Page 33031]]

request for PHI will require a new attestation.
    There is no exception to the minimum necessary standard for uses 
and disclosures made pursuant to an attestation under 45 CFR 
164.509.\349\ Thus, a regulated entity will have to limit a use or 
disclosure to the minimum necessary when provided in response to a 
request that would be subject to the proposed attestation requirement, 
unless one of the specified exceptions to the minimum necessary 
standard in 45 CFR 164.502(b)(2) applies. Where the person requesting 
the PHI is also a regulated entity, that person will also need to make 
reasonable efforts to limit their request to the minimum necessary to 
accomplish the intended purpose of the use, disclosure, or 
request.\350\
---------------------------------------------------------------------------

    \349\ 45 CFR 164.502(b). The minimum necessary standard of the 
Privacy Rule applies to all uses and disclosures where a request 
does not meet one of the specified exceptions in paragraph (b)(2).
    \350\ 45 CFR 164.502(b)(1).
---------------------------------------------------------------------------

    The Department is not requiring a regulated entity to investigate 
the validity of an attestation provided by a person requesting a use or 
disclosure of PHI. Rather, a regulated entity is generally permitted to 
rely on the attestation if, under the circumstances, a regulated entity 
reasonably determines that the request is not for investigating or 
imposing liability for the mere act of seeking, obtaining, providing, 
or facilitating allegedly unlawful reproductive health care. In 
addition, a regulated entity is generally permitted to rely on the 
attestation and any accompanying material if, under the circumstances, 
a regulated entity reasonably could conclude (e.g., upon examination of 
adequate supporting documentation provided by the person making the 
request) that the requested disclosure of PHI is not for a purpose 
prohibited by 45 CFR 164.502(a)(5)(iii), consistent with the approach 
taken in the Privacy Rule \351\ and elsewhere in this final rule. If 
such reliance is not reasonable, then the regulated entity may not rely 
on the attestation. This is a change from the proposed language, which 
permitted reliance based on an ``objectively reasonable'' standard. The 
proposed standard was modified because a reasonable person standard is 
inherently objective.\352\ Thus, including ``objectively'' in the 
description of the standard was redundant.
---------------------------------------------------------------------------

    \351\ This approach is consistent with 45 CFR 164.514(h), which 
requires a covered entity to verify the identity and legal authority 
of a public official or a person acting on behalf of the public 
official and describes the type of documentation upon which 
regulated entities can rely, if such reliance is reasonable under 
the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A), 
which permits a covered entity to rely, if such reliance is 
reasonable under the circumstances, on a requested disclosure as the 
minimum necessary for the stated purpose when making disclosures to 
public officials that are permitted under 45 CFR 164.512, if the 
public official represents that the information requested is the 
minimum necessary for the stated purpose(s).
    \352\ E.g., Restatement (Second) Torts Sec.  283, comment b (Am. 
L. Inst. 1965).
---------------------------------------------------------------------------

    For requests involving allegedly unlawful reproductive health care, 
the extent to which a regulated entity may reasonably rely on an 
attestation depends in part on whether the regulated entity provided 
the reproductive health care at issue. Under the final rule, it would 
not be reasonable for a regulated entity to rely on the representation 
made by a person requesting the use or disclosure of PHI that the 
reproductive health care was unlawful under the circumstances in which 
it was provided unless such representation meets the conditions set 
forth in the presumption at 45 CFR 164.502(a)(5)(iii)(C). As discussed 
above, under the presumption, reproductive health care is presumed to 
be lawful under the circumstances in which such health care is provided 
unless a regulated entity has actual knowledge, or information from the 
person making the request that demonstrates to the regulated entity a 
substantial factual basis that the reproductive health care was not 
lawful under the specific circumstances in which such health care was 
provided. Where the reproductive health care at issue was provided by a 
person other than the regulated entity receiving the request for the 
use or disclosure of PHI and the presumption is overcome, the regulated 
entity is permitted to use or disclose PHI in response to the request 
upon receipt of an attestation where it is reasonable to rely on the 
representations made in the attestation. It is not reasonable for the 
regulated entity to rely solely on a statement of the person requesting 
the use or disclosure of PHI that the reproductive health care was 
unlawful under the circumstances in which such health care was 
provided. Instead, the person requesting the use or disclosure of PHI 
must provide the regulated entity with information such that it would 
constitute actual knowledge or that demonstrates to the regulated 
entity a substantial factual basis that the reproductive health care 
was not lawful under the specific circumstances in which such health 
care was provided. A regulated entity that receives a request for PHI 
involving reproductive health care provided by that regulated entity 
should review the relevant PHI in its possession and other related 
information (e.g., license of health care provider that provided the 
health care, operating license for the facility in which such health 
care was provided) to determine whether the reproductive health care 
was lawful under the circumstances in which it was provided prior to 
using or disclosing PHI in response to a request for PHI that requires 
an attestation. Where the request is about reproductive health care 
that is provided by the regulated entity receiving the request, it 
would not be reasonable for a regulated entity to automatically rely on 
a representation made by a person requesting the use or disclosure of 
PHI about whether the reproductive health care was provided under the 
circumstances in which it was lawful to provide such health care. 
Rather, the regulated entity must review the individual's PHI to 
consider the circumstances under which it provided the reproductive 
health care to determine whether such reliance is reasonable. 
Therefore, where the request involves the use or disclosure of PHI 
potentially related to reproductive health care that was provided by 
the recipient of the request, the regulated entity must make the 
determination about whether it provided the health care lawfully prior 
to using or disclosing PHI in response to a request that requires an 
attestation.
    For example, if a law enforcement official requested PHI 
potentially related to reproductive health care to investigate a person 
for the mere act of seeking, obtaining, providing or facilitating 
allegedly unlawful reproductive health care, it would not be reasonable 
for a regulated entity that receives such a request to rely solely on a 
signed attestation that states that the reproductive health care was 
not lawful under the circumstances in which it was provided, as set 
forth in 45 CFR 164.502(a)(5)(iii)(B), and therefore, that the 
requested disclosure is not for a purpose prohibited under 45 CFR 
164.502(a)(5)(iii)(A). This is regardless of whether the regulated 
entity receiving the request for PHI provided the reproductive health 
care at issue. Assuming that the attestation is not facially deficient, 
a regulated entity must consider the totality of the circumstances 
surrounding the attestation and whether it is reasonable to rely on the 
attestation in those circumstances. To determine whether it is 
reasonable to rely on the attestation, a regulated entity should 
consider, among other things: who is requesting the use or disclosure 
of PHI; the permission upon which the person making the request is 
relying; the

[[Page 33032]]

information provided to satisfy other conditions of the relevant 
permission; the PHI requested and its relationship to the stated 
purpose of the request; and, where the reproductive health care was 
supplied by another person, whether the regulated entity has: (1) 
actual knowledge that the reproductive health care was not lawful under 
the circumstances in which it was provided; or (2) factual information 
supplied by the person requesting the use or disclosure of PHI that 
would demonstrate to a reasonable regulated entity a substantial 
factual basis that the reproductive health care was not lawful under 
the specific circumstances in which such health care was provided.
    For example, a regulated entity receives an attestation from a 
Federal law enforcement official, along with a court ordered warrant 
demanding PHI potentially related to reproductive health care. The law 
enforcement official represents that the request is about reproductive 
health care that was not lawful under the circumstances in which such 
health care was provided, but the official will not divulge more 
information because they allege that doing so would jeopardize an 
ongoing criminal investigation. In this example, if the regulated 
entity itself provided the reproductive health care and, based on the 
information in its possession, reasonably determines that such health 
care was lawful under the circumstances in which it was provided, the 
regulated entity may not disclose the requested PHI.
    If the regulated entity did not provide the reproductive health 
care, it may not disclose the requested PHI absent additional factual 
information because the official requesting the PHI has not provided 
sufficient information to overcome the presumption at 45 CFR 
164.502(a)(5)(iii)(C). Further, it also would not be reasonable under 
the circumstances for the regulated entity to rely on the attestation 
that the information would not be used for a purpose prohibited by 45 
CFR 164.502(a)(5)(iii) because of the presumption that the reproductive 
health care was lawfully provided.
    However, in cases where the presumption of lawfulness applies, the 
regulated entity would be permitted to make the disclosure, for 
example, where the law enforcement official provides additional factual 
information for the regulated entity to determine that there is a 
substantial factual basis that the reproductive health care was not 
lawful under the circumstances in which such health care was provided. 
As another example, a regulated entity could rebut the presumption of 
lawfulness by relying on a sworn statement by a law enforcement 
official that the PHI is necessary for an investigation into violations 
of specific criminal codes unrelated to the provision of reproductive 
health care (e.g., billing fraud) or an affidavit from an individual 
that the individual obtained unlawful reproductive health care from a 
different health care provider and the requested PHI is relevant to 
that investigation. Similarly, if a regulated entity receives an 
attestation from a Federal law enforcement official, along with a 
court-ordered warrant demanding PHI potentially related to reproductive 
health care, that both specify that the purpose of the request is not 
for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), the regulated 
entity may rely on the attestation and warrant, subject to the 
requirements of 45 CFR 164.512(f)(1)(ii)(A).
    Lastly, this final rule requires a regulated entity to cease use or 
disclosure of PHI if the regulated entity, during the course of the use 
or disclosure, discovers information reasonably showing that the 
representations contained within the attestation are materially 
incorrect, leading to uses or disclosures for a prohibited 
purpose.\353\ As we explained in the 2023 Privacy Rule NPRM, pursuant 
to HIPAA, a person who knowingly and in violation of the Administrative 
Simplification provisions obtains or discloses IIHI relating to another 
individual or discloses IIHI to another person would be subject to 
criminal liability.\354\ Thus, a person who knowingly and in violation 
of HIPAA \355\ falsifies an attestation (e.g., makes material 
misrepresentations about the intended uses of the PHI requested) to 
obtain (or cause to be disclosed) an individual's IIHI could be subject 
to criminal penalties as outlined in the statute.\356\ Additionally, a 
disclosure made based on an attestation that contains material 
misrepresentations after the regulated entity becomes aware of such 
misrepresentations constitutes an impermissible disclosure, which 
requires notifications of a breach to the individual, the Secretary, 
and in some cases, the media.\357\
---------------------------------------------------------------------------

    \353\ 45 CFR 164.509(d).
    \354\ See 42 U.S.C. 1320d-6(a).
    \355\ A person (including an employee or other individual) shall 
be considered to have obtained or disclosed individually 
identifiable health information in violation of this part if the 
information is maintained by a covered entity (as defined in the 
HIPAA privacy regulation described in section 1320d-9(b)(3) of this 
title) and the individual obtained or disclosed such information 
without authorization. Id.
    \356\ See 42 U.S.C. 1320d-6(b).
    \357\ 45 CFR 164.400 et seq. The HIPAA Breach Notification Rule, 
45 CFR 164.400-414, requires HIPAA covered entities and their 
business associates to provide notification following a breach of 
unsecured PHI.
---------------------------------------------------------------------------

    The attestation requirement does not replace the conditions of the 
Privacy Rule's permissions for a regulated entity to disclose PHI, 
including in response to a subpoena, discovery request, or other lawful 
process, or administrative request. Instead, the attestation is 
designed to work with the permissions and their requirements. If PHI is 
disclosed pursuant to 45 CFR 164.512(e)(1)(ii) or (f)(1)(ii)(C), a 
regulated entity will need to verify that the requirements of each 
provision are met, in addition to satisfying the requirements of the 
new attestation provision under 45 CFR 164.509. Furthermore, the 
requirements of 45 CFR 164.528, the right to an accounting of 
disclosures of PHI made by a covered entity, are not affected by the 
attestation requirement. Thus, disclosures made pursuant to a 
permission under 45 CFR 164.512(d), (e), (f), or (g) must be included 
in the accounting, including when they are made pursuant to an 
attestation.
5. Responses to Public Comments
    Comment: Most commenters supported the proposal to require an 
attestation for certain uses and disclosures. A few commenters 
recognized the benefits of the attestation requirement, despite the 
potential increase in administrative burden for regulated entities.
    Many commenters opposed the proposal for what they described as 
administrative burden, questionable effectiveness, and lack of clarity. 
A few commenters stated that the requirements imposed an inappropriate 
compliance burden on covered entities that would need to determine 
whether a PHI request was ``potentially related'' to sensitive personal 
health care, and, along with a health care provider who otherwise 
supported the attestation, they recommended instead that the Department 
impose requirements on the person requesting the use or disclosure of 
PHI. Many commenters expressed concerns about the ability of covered 
entities to operationalize the proposed requirement with the limitation 
to PHI potentially related to reproductive health care because it would 
require the ability to segment PHI, which the Department previously 
acknowledged is generally unavailable. A few commenters questioned the 
effectiveness of the proposed attestation

[[Page 33033]]

requirement, as compared to its potential burden, enforceability, and 
effects on access to maternal and specialty health care.
    Response: We agree with commenters that the attestation requirement 
will bolster the privacy of PHI and acknowledge that implementation of 
this important safeguard requires additional administrative activities 
by regulated entities. The Department considered removing the 
limitation on the application of the attestation condition to PHI 
``potentially related to reproductive health care,'' but we are 
concerned that expanding it to apply to all requests for PHI made for 
specified purposes would impose even more burden on regulated entities. 
The requirement is to determine whether the requested PHI is 
``potentially related to reproductive health care,'' not whether it is 
``related to reproductive health care.'' Thus, regulated entities are 
not required to make an affirmative determination that the requested 
PHI is in fact related to reproductive health care before requiring a 
person requesting PHI to provide an attestation. We note that the focus 
of the attestation requirement has been limited to PHI potentially 
related to reproductive health care because the changes to the legal 
landscape have heighted privacy concerns about reproductive health care 
that is lawful under the circumstances in which such health care is 
provided. We also note that the provision of an attestation itself is 
not determinant of whether the request is for a prohibited purpose. 
Rather, regulated entities must consider whether a request for PHI is 
for a prohibited purpose, regardless of whether the request is made for 
a purpose for which the Privacy Rule requires an attestation.
    The Department is limited to applying the HIPAA Rules to those 
entities covered by HIPAA (i.e., health plans, health care 
clearinghouses, and health care providers that conduct covered 
transactions) and to business associates, as provided under the HITECH 
Act. Accordingly, the Department is limited to imposing obligations on 
persons requesting the use or disclosure of PHI to those who are also 
regulated entities.
    The attestation condition has been drafted to promote the privacy 
of information about lawful reproductive health care, including 
maternal and specialty health care, while still permitting certain uses 
of PHI. Regulated entities, including covered entities that specialize 
in providing reproductive health care may determine, based on their 
assessment of what PHI is potentially related to reproductive health 
care, that an attestation must accompany all requests they receive for 
the use or disclosure of any PHI made pursuant to and in compliance 
with 45 CFR 164.512(d)-(g)(1). Further, the attestation requirement 
only applies to the specified requests for PHI and should not affect 
any intake of new patients or provision of maternal health care.
    The Department is not requiring a regulated entity to investigate 
the veracity of the information provided in support of an attestation 
because doing so would impose a significant administrative burden on 
regulated entities and persons requesting the use or disclosure of PHI 
without proportional benefit. Additionally, requiring such an 
investigation by the regulated entity may cause unnecessary delays to 
law enforcement activities. Rather, the Department is finalizing a 
regulated entity's ability to rely on the attestation provided that it 
is reasonable under the circumstances for the regulated entity to 
believe the statement required by 45 CFR 164.509(c)(1)(iv) that the 
requested disclosure of PHI is not for a purpose prohibited by 45 CFR 
164.502(a)(5)(iii). If such reliance is not reasonable, then the 
regulated entity may not rely on the attestation.
    A regulated entity that receives a request for PHI potentially 
related to reproductive health care for purposes specified in 45 CFR 
164.512(d), (e), (f), or (g)(1) may accept information, in addition to 
the attestation, from the person requesting the PHI to support its 
ability to make the determinations required by 45 CFR 
164.502(a)(5)(iii) and 45 CFR 164.509(b)(v).
    For example, it likely would not be reasonable for a regulated 
entity to rely on an attestation from a public official who represents 
that their request is for a purpose that is not prohibited, if the 
request for PHI is overly broad for its purported purpose and the 
public official has publicly stated that they will be investigating 
health care providers for providing reproductive health care. In such 
cases, regulated entities should consider the circumstances surrounding 
an attestation to determine whether they can reasonably rely on the 
attestation. Although we have modified the regulatory text by removing 
``objectively,'' the standard remains unchanged in practice because a 
reasonableness standard is an objective standard. As we also discussed 
above, it is not reasonable for a regulated entity that provided the 
reproductive health care at issue to rely on a representation made by a 
person requesting the use or disclosure of PHI that the reproductive 
health care at issue was unlawful under the circumstance in which such 
health care was provided. A regulated entity that makes a disclosure 
where it was not reasonable to rely on the representation made by the 
person requesting the use or disclosure may be subject to enforcement 
action by OCR.
    Additionally, as discussed in greater detail above, a person who 
knowingly and in violation of the Administrative Simplification 
provisions obtains or discloses IIHI relating to another individual or 
discloses IIHI to another person would be subject to criminal 
liability.\358\ We believe that this provision serves as a deterrent 
for those who otherwise might request PHI in violation of this final 
rule. It also will continue to permit essential disclosures while 
ensuring that Privacy Rule permissions cannot be used to circumvent the 
new prohibition, thereby enhancing the privacy of individuals' PHI and 
protecting other important interests.
---------------------------------------------------------------------------

    \358\ See 42 U.S.C. 1320d-6(a).
---------------------------------------------------------------------------

    Comment: Several commenters opposed the attestation proposal 
because they believed that the proposal would make it more difficult 
for law enforcement to request PHI and for entities to respond to such 
requests, potentially putting them in situations where they need to 
choose between complying with a court order and impermissibly 
disclosing PHI. A few individuals stated that the proposal would have a 
chilling effect on the ability of a state to conduct investigations or 
proceedings for which the use or disclosure of PHI could be beneficial, 
particularly in cases involving rape, incest, sex trafficking, domestic 
violence, abuse, and neglect.
    Response: We acknowledge that the attestation provision may require 
regulated entities to obtain additional information from persons 
requesting PHI in certain circumstances. As discussed above, this 
condition is consistent with the operation of the Privacy Rule since 
its inception, which has always required regulated entities to obtain 
additional information from persons requesting PHI in certain 
circumstances, such as where the use or disclosure is one for which an 
authorization or opportunity to agree or object is not required.\359\ 
However, as also discussed above, any burden the attestation may impose 
on persons requesting PHI is outweighed by the privacy interests that 
this final rule is designed to protect.
---------------------------------------------------------------------------

    \359\ See 45 CFR 164.512.
---------------------------------------------------------------------------

    A person requesting PHI pursuant to 45 CFR 164.512(d)-(g)(1) may 
elect to provide an attestation with their request, even if a 
determination has not

[[Page 33034]]

yet been made concerning whether such request is for PHI potentially 
related to reproductive health care. Similarly, the Privacy Rule does 
not require a regulated entity to respond to requests for PHI.
    Comment: Some commenters were concerned about the effect of the 
attestation requirement on the electronic exchange of PHI and 
recommended approaches for incorporating attestations into a HIE 
environment. A commenter expressed concern that the requirement for an 
attestation would delay or prevent automated data exchange using Fast 
Healthcare Interoperability Resources[supreg] (FHIR[supreg]) APIs and 
might impede innovation. They requested guidance on how to implement 
the attestation condition in an HIE environment without impeding 
regulated exchanges or industry innovations using extensive data 
exchange via FHIR APIs. Commenters also recommended that the Department 
issue guidance on implementing attestation policies in circumstances 
not required by this rule that would not constitute information 
blocking. A commenter encouraged the Department to implement processes 
that limit the liability of health care providers for the actions of 
third parties. For example, the commenter requested that the Department 
clarify that a refusal to disclose PHI absent an attestation is 
protected from a finding of information blocking.
    Response: We do not believe that this final rule prevents the 
disclosure of PHI via a HIE. We disagree that this requirement prevents 
the exchange of data using FHIR APIs under these permissions or for 
automated health data exchange more broadly. PHI can be disclosed as 
requested if the regulated entity obtains a valid attestation and the 
request meets the conditions of an applicable permission. The 
attestation requirement does not affect any requests via FHIR API that 
fall outside of the 45 CFR 164.512(d)-(g)(1) permissions. For example, 
a disclosure of PHI from a covered health care provider to another 
health care provider for care coordination purposes would not require 
an attestation because the disclosure would not be for a purpose 
addressed by 45 CFR 164.512(d)-(g)(1). The importance of ensuring the 
protection of an individual's interests in the privacy of their PHI and 
society in improving the effectiveness of the health care system far 
outweigh any potential administrative burdens or delays in the 
electronic exchange of PHI for non-health care purposes. Further, 
compliance with applicable law does not constitute information 
blocking.\360\ Thus, we do not believe additional regulatory language 
is necessary at this time. OCR regularly collaborates with other 
Federal agencies, including ONC, to develop guidance on compliance with 
Federal standards and to address questions that arise about the ability 
of regulated entities to comply with applicable laws.
---------------------------------------------------------------------------

    \360\ See 42 U.S.C. 300jj-52(a)(1) (excluding from the 
definition of ``information blocking'' practices that are likely to 
interfere with, prevent, or materially discourage access, exchange, 
or use of electronic health information if they are ``required by 
law''; 85 FR 25642, 25794 (May 1, 2020) (explaining that ``required 
by law'' specifically refers to interferences that are explicitly 
required by state or Federal law). See also 89 FR 1192, 1351 (Jan. 
9, 2024) (affirming that where applicable law prohibits access, 
exchange, or use of information, practices in compliance with such 
law are not considered to be information blocking and citing to 
compliance with the Privacy Rule as an example of an applicable 
law).
---------------------------------------------------------------------------

    The permissions for which the Department is requiring that a 
regulated entity obtain an attestation prior to using or disclosing PHI 
are already conditioned upon meeting certain requirements, which 
generally require manual review. The Department acknowledges that 
certain persons may need to adjust their workflows to account for the 
attestation requirement. While there may be some delays until new 
processes are implemented, any disruptions will decrease over time. 
Thus, we do not anticipate that this final rule will contribute to 
additional delays in the disclosure of PHI.
    The Department is finalizing a new regulatory presumption that 
permits a regulated entity to presume reproductive health care provided 
by another person was lawful unless the regulated entity has actual 
knowledge or factual information supplied by the person requesting the 
use or disclosure of PHI that demonstrates to the regulated entity a 
substantial factual basis that the reproductive health care was not 
lawful under the specific circumstances in which such health care was 
provided. This presumption will facilitate the determination by the 
regulated entity about whether a request for the use or disclosure of 
PHI would be subject to the prohibition, and thus will reduce the risk 
of an impermissible use or disclosure of the requested PHI, thereby 
reducing the liability of regulated entities that receive requests for 
PHI to which the prohibition may apply, but where they did not provide 
the reproductive health care at issue.
    Comment: Many commenters questioned the Department's rationale for 
not extending the attestation requirement directly to business 
associates, consistent with the general prohibition. Some commenters 
recommended that the attestation requirement be applied to business 
associates because persons requesting the use or disclosure of PHI may 
directly approach a business associate for this PHI (and the business 
associate agreement may permit such disclosures or be silent regarding 
whether the business associate may respond to them). Commenters also 
requested clarification of the responsibilities of business associates 
with respect to attestations and questioned whether the proposal would 
require amendment of their business associate agreements.
    Response: As discussed above, we agree with the commenters that the 
attestation requirement should apply directly to business associates 
because they receive direct requests for PHI and are subject to the 
general prohibition in the same manner as covered entities. Therefore, 
we are modifying 45 CFR 164.509 to ensure that it expressly applies to 
both covered entities and their business associates.
    Comment: Although a few commenters expressed support for limiting 
the attestation condition to requests regarding ``PHI potentially 
related to reproductive health care,'' many commenters recommended that 
the proposed requirement to obtain an attestation be broadly applied to 
requests for any PHI. Many stated that it would be easier and more 
efficient for regulated entities if all requests related to a 
prohibited purpose required the attestation, regardless of the PHI 
being requested. According to these commenters, this would allow the 
regulated entity to avoid making any determinations regarding the PHI. 
A few explained that expanding the requirement to all PHI would 
appropriately place the burden of demonstrating that the requested 
disclosure was permissible on the person making request.
    Several commenters asserted that information related to 
reproductive health care is potentially found in every department, 
record, and system, including those that may not have a readily 
apparent relationship to reproductive health care. As a result, 
according to these commenters, it would be onerous and costly to 
separate different types of health information in a medical record. 
According to other commenters, the volume of records requests received 
by health systems would render any requirement on a health care 
provider to redact PHI from an individual's medical record in the 
absence of an attestation overly burdensome and increase the risk of 
unauthorized disclosure. Some

[[Page 33035]]

commenters explained that staff managing health information generally 
do not have the legal or medical training to determine whether a PHI 
request may be for PHI potentially related to reproductive health care, 
particularly given the breadth of most requests (e.g., for all medical 
records of an entity, of a particular health care provider or a 
particular individual). These commenters also raised concerns that the 
lack of legal or medical training could lead to inconsistent 
application of the rule, the inadvertent disclosure of PHI potentially 
related to reproductive health care, or delay the use or disclosure of 
PHI, even when the individual has not sought or obtained reproductive 
health care. Many commenters asserted that determining whether a 
request for the use or disclosure of PHI includes PHI potentially 
related to reproductive health care is difficult and a significant 
burden on health information professionals, particularly where the 
covered entity did not provide or facilitate the health care. According 
to some commenters, some business associates, such as cloud services 
providers, may not have the ability to determine whether the PHI that 
they maintain includes PHI potentially related to reproductive health 
care.
    Some commenters posited that the result of this requirement would 
be that health care providers would refuse to provide any PHI in 
response to a request for the use or disclosure PHI on any matter that 
could possibly be construed as potentially related to reproductive 
health care. They and others stated that limiting the proposed 
prohibition to one category of PHI would require regulated entities to 
label or segment certain PHI within medical records, which would be 
impractical and costly because EHRs are unable to reliably segregate or 
flag PHI retrospectively.
    Response: We acknowledge the comments from regulated entities that 
expressed concerns about the effects of the limitation of the 
attestation requirement to PHI potentially related to reproductive 
health care. However, the Department is concerned that extending the 
attestation requirement to all PHI could result in unintended 
consequences, such as the potential delay of law enforcement 
investigations that do not require PHI potentially related to 
reproductive health care. By contrast, an attestation requirement is 
necessary for PHI potentially related to reproductive health care 
because of recent changes to the legal landscape that make it more 
likely that PHI will be sought for punitive non-health care purposes, 
and thus more likely to be subject to disclosure by regulated entities 
if the requested disclosure is permissible under the Privacy Rule, 
thereby harming the interests that HIPAA seeks to protect. Accordingly, 
the Department is not modifying the attestation requirement that a 
regulated entity obtain an attestation only for PHI potentially related 
to reproductive health care.
    The Department acknowledges that the attestation requirement may 
increase the burden on regulated entities, but we disagree that 
regulated entities are unable to make the required assessments of 
attestations. Regulated entities currently conduct similar assessments 
when determining whether PHI may be disclosed to a personal 
representative, when making disclosures that are required by law or for 
public health purposes, and for various other permitted purposes. 
Regulated entities also regularly review medical records to comply with 
minimum necessary requirements. The Department is cognizant that an 
expanded attestation requirement could significantly increase burden if 
it were to expand this requirement to all disclosures in the absence of 
the sensitivities described in this final rule.
    Comment: Many commenters supported the proposal to limit the 
requirement to obtain an attestation with a request for uses and 
disclosures for certain permissions, namely that have the greatest 
potential to be connected with a purpose for which the Department 
proposed to prohibit the use and disclosure of PHI. Some commenters 
expressed their belief that the Department had identified the 
appropriate permissions for which the attestation would provide 
additional safeguards.
    Many commenters suggested modifications, primarily expansions or 
clarifications of the types of permitted uses and disclosures that 
would be subject to the attestation. Generally, commenters explained 
their belief that their recommended modifications would either mitigate 
the burden of the requirement to ascertain the purposes of the 
requested disclosure or increase privacy protections for individuals.
    Commenters recommended multiple ways to expand the attestation 
requirement, such as extending it to all permissions in 45 CFR 164.512; 
disclosures required by law, for public health activities, and to avert 
a serious threat to health or safety; disclosures for treatment 
purposes to a person not regulated by HIPAA or disclosures to any 
person who might use the PHI for a prohibited purpose; and any 
disclosure at the discretion of the covered entity.
    Response: The Department declines to expand the permissions for 
which an attestation is required at this time. The Department 
specifically chose to limit the attestation condition to the 
permissions at 45 CFR 164.512(d)-(g)(1) because these permissions have 
the greatest potential to result in the use or disclosure of an 
individual's PHI for a purpose prohibited at 45 CFR 164.502(a)(5)(iii). 
In the context of other permissions, where the risk of improper use or 
disclosure is less, the benefits of an attestation condition would be 
outweighed by the administrative burden of compliance. Accordingly, any 
disclosures made pursuant to 45 CFR 164.512(b), which includes 
disclosures for public health surveillance, investigations, or 
interventions, do not require an attestation. However, we note that 
requests made pursuant to other permissions of the rule remain subject 
to and must be evaluated for compliance with the prohibition at 45 CFR 
164.502(a)(5)(iii).
    Comment: A commenter stated that no attestation should be needed 
for judicial and administrative proceedings because current 
requirements are adequate. Instead, the commenter requested that the 
Department consider expanding procedural protections.
    Response: We are finalizing the requirement that regulated entities 
obtain an attestation as a condition of a use or disclosure of PHI for 
judicial and administrative proceedings. As previously discussed, the 
attestation requirement ensures that certain Privacy Rule permissions 
are not used to circumvent the prohibition. The attestation requirement 
also reduces the burden on regulated entities because it is 
specifically designed to facilitate compliance with the prohibition 
under 45 CFR 164.502(a)(5)(iii) by helping regulated entities determine 
whether the use or disclosure of the requested PHI is permitted. 
Although a court order, qualified protective order, satisfactory 
assurance, or subpoena may have a restriction that prevents information 
requested from being further disclosed, it protects PHI only after it 
has been used or disclosed. Thus, the regulated entity's use or 
disclosure of PHI could still violate the prohibition at 45 CFR 
164.502(a)(5)(iii), even if that disclosure is made in response to a 
court order, qualified protective order, satisfactory assurance, or 
subpoena. The attestation requirement helps to mitigate the risk of 
violations in these circumstances.
    Comment: A few commenters expressed concerns about their ability to 
implement the attestation requirement

[[Page 33036]]

in circumstances where the use or disclosure is triggered by a 
mandatory reporting law or verbal request and recommended that no 
attestation should be required in any case where disclosure of PHI is 
required by law. According to the commenters, an attestation 
requirement could require a significant change to operational workflows 
for permitted disclosures and significantly impede operations for state 
and local agencies that conduct death investigations and perform public 
health studies and initiatives.
    Response: The Privacy Rule at 45 CFR 164.512(a) permits certain 
uses and disclosures of PHI that are required by law, including 
notification of certain deaths by a covered health care provider to a 
medical examiner, when those uses and disclosures are limited to the 
requirements of such law. The attestation condition does not apply to 
the mandatory disclosures made pursuant to 45 CFR 164.512(a). Other 
mandatory reporting that is subject to 45 CFR 164.512(a)(2) has always 
been subject to the additional requirements of 45 CFR 164.512(c), (e), 
or (f). Further, mandatory reporting for public health activities 
pursuant to 45 CFR 164.512(b) do not require an attestation.
    The attestation condition applies if the regulated entity is making 
a use or disclosure to a coroner or medical examiner pursuant to 45 CFR 
164.512(g)(1). We understand that this may require regulated entities 
to adjust their workflows to comply with this requirement. For example, 
regulated entities could consider having an electronic attestation form 
readily available for persons that request the use or disclosure of PHI 
potentially related to reproductive health care because doing so may 
reduce delays in the regulated entity's response time related to the 
attestation condition. Thus, this condition will not significantly 
impede operations for persons who request information because the 
interruptions will decrease as they adjust their workflows to 
accommodate the new condition.
    We remind regulated entities that the prohibition in 45 CFR 
164.502(a)(5)(iii) applies, regardless of whether the request for PHI 
is made pursuant to a permission for which an attestation is required 
or another permission.
    Comment: Many commenters urged the Department to implement a 
reasonable, good faith standard or a safe harbor for situations in 
which a regulated entity discloses PHI and the person requesting the 
PHI either uses or rediscloses it for a purpose that would be 
prohibited under the proposed rule. Some commenters were concerned that 
a covered entity will be liable for inadvertent disclosures of PHI and 
sought the benefit of the affirmative defense afforded at 45 CFR 
160.410(b)(2).
    Response: The Department declines to add a ``good faith'' standard 
or safe harbor to this final rule. As discussed above, the Department 
is not finalizing a separate Rule of Construction and is not 
incorporating the phrase ``primarily for the purpose of'' into the 
final prohibition standard.
    As we explained in the 2023 Privacy Rule NPRM, 45 CFR 164.509 
requires a new attestation for each use or disclosure request; a single 
attestation would not be sufficient to permit multiple uses or 
disclosures. This requirement is unlike the authorization, where 
generally, when a regulated entity receives a valid authorization, they 
may continue to use or disclose PHI to the person requesting the use or 
disclosure of PHI pursuant to that authorization after the initial 
disclosure, provided that such subsequent uses and disclosures are 
valid and related to that authorization. We understand that this may 
constitute an additional administrative burden for both the regulated 
entity and the person or entity requesting the information; however, 
requiring an attestation for each use or disclosure is necessary to 
ensure that certain Privacy Rule permissions are not used to circumvent 
the new prohibition at 45 CFR 164.502(a)(5)(iii), and to permit 
essential disclosures.
    Comment: Some commenters expressed support for permitting a 
regulated entity to rely on an attestation if ``it appears objectively 
reasonable'' or ``when objectively reasonable'' and not requiring 
covered entities to investigate the accuracy of an attestation, thereby 
mitigating liability to the regulated entity, if not fully protecting 
an individual. Many commenters expressed concern that it would not be 
objectively reasonable for a regulated entity to rely on a 
representation made by the person requesting the use or disclosure of 
PHI that the PHI sought was related to unlawful health care. The 
commenters requested a guarantee that a health care provider's reliance 
on a ``facially valid'' attestation would be objectively reasonable 
without requiring the entity to investigate the intentions of the 
person requesting the use or disclosure of PHI and the validity of 
their attestation. A commenter recommended that the final rule direct 
regulated entities to take attestations at face value and hold harmless 
regulated entities in the event of a false attestation.
    Commenters offered several reasons for these recommendations, 
including the burden on covered entities where they are required to 
determine: (1) the veracity of every attestation; (2) whether an 
attestation is required; and (3) whether the statement that the request 
for the use or disclosure is not for a purpose prohibited under 45 CFR 
164.502(a)(5)(iii) is objectively reasonable.
    Response: To assist in effectuating the prohibition, this Final 
Rule requires an attestation in some circumstances. We recognize the 
potential burden on regulated entities to investigate the validity of 
every attestation and do not require that they conduct a full 
investigation in each instance. However, as discussed above, if an 
attestation, on its face, meets the requirements at 45 CFR 164.509(c), 
a regulated entity must consider the totality of the circumstances 
surrounding the attestation and whether it is reasonable to rely on the 
attestation in those circumstances. To determine whether it is 
reasonable to rely on the attestation, a regulated entity should 
consider, among other things: who is requesting the use or disclosure 
of PHI; the permission upon which the person making the request is 
relying; the information provided to satisfy other conditions of the 
relevant permission; the PHI requested and its relationship to the 
purpose of the request (i.e., does the request meet the minimum 
necessary standard in relation to the purpose of the request); and, 
where the presumption at 45 CFR 164.502(a)(5)(iii)(C) applies, 
information provided by the person requesting the use or disclosure of 
PHI to overcome that presumption.
    For example, as discussed above, it may not be reasonable for a 
regulated entity to rely on an attestation filed by a public official 
that a request for PHI potentially related to reproductive health care 
is not for a prohibited purpose when that public official has publicly 
stated their interest in investigating or imposing liability on those 
who seek, obtain, provide, or facilitate certain types of lawful 
reproductive health care. If a regulated entity concludes that it would 
not reasonable to rely on the attestation in this instance, the 
regulated entity would be prohibited from disclosing the requested PHI 
unless and until the public official provided additional information 
that enables the regulated entity to assess the veracity of its 
attestation. In contrast, it may be reasonable to rely on the 
representation of a public official that a request for PHI potentially 
related to reproductive

[[Page 33037]]

health care is not for a prohibited purpose if the stated purpose for 
the request is to investigate insurance fraud and the public official 
making the request is expressly authorized by law to conduct insurance 
fraud investigations as part of their legal mandate. Therefore, as 
discussed above, the Department is balancing these considerations by 
finalizing language that generally permits a regulated entity to rely 
on the attestation if it is reasonable for the regulated entity to 
believe the statement that the requested disclosure of PHI is not for a 
purpose prohibited by 45 CFR 164.502(a)(5)(iii).\361\ To further assist 
regulated entities in determining whether it is reasonable to rely on 
the attestation, the requirement that the attestation include a clear 
statement that the use or disclosure is not for a prohibited purpose 
under 45 CFR 164.502(a)(5)(iii) may be satisfied with a statement that 
identifies why the use or disclosure is not prohibited, which could be 
checkboxes that indicate that the use or disclosure is not for a 
purpose described in 45 CFR 164.502(a)(5)(iii)(A), or that the 
reproductive health care does not satisfy the Rule of Applicability at 
45 CFR 164.502(a)(5)(iii)(B).
---------------------------------------------------------------------------

    \361\ This approach is consistent with 45 CFR 164.514(h), which 
requires a regulated entity to verify the identity and legal 
authority of a public official or a person acting on behalf of the 
public official and describes the type of documentation upon which 
the regulated entity can rely, if such reliance is reasonable under 
the circumstances, to do so. See also 45 CFR 164.514(d)(3)(iii)(A), 
which permits a covered entity to rely, if such reliance is 
reasonable under the circumstances, on a requested disclosure as the 
minimum necessary for the stated purpose when making disclosures to 
public officials that are permitted under 45 CFR 164.512, if the 
public official represents that the information requested is the 
minimum necessary for the stated purpose(s).
---------------------------------------------------------------------------

    Where the request for the use or disclosure of PHI is made of the 
regulated entity that provided the reproductive health care at issue, 
the regulated entity should ensure that the reproductive health care 
was not lawful under the circumstances in which such health care was 
provided before using or disclosing the requested PHI. If the 
reproductive health care at issue was provided under circumstances in 
which such health care was lawful, the regulated entity must obtain an 
attestation and determine whether it is reasonable to rely on the 
attestation that the use or disclosure is not being requested to 
conduct an investigation into or impose liability on any person for the 
mere act of seeking, obtaining, providing, or facilitating such 
reproductive health care. If the reproductive health care at issue was 
provided under circumstances in which such health care was unlawful, 
the regulated entity is permitted, but not required, to disclose the 
PHI if the disclosure is meets the conditions of an applicable Privacy 
Rule permission, which may include an attestation.
    Regulated entities will not generally be held liable for disclosing 
PHI to a person who signed the attestation under false pretenses, 
provided that the requirements of 45 CFR 164.509 are met, and it is 
reasonable under the circumstances for the regulated entity to believe 
the statement that the requested disclosure of PHI is not for a purpose 
prohibited by 45 CFR 164.502(a)(5)(iii).
    Comment: A commenter recommended that the rule clarify the 
relationship between the attestation and 45 CFR 164.514(h) regarding 
verification requirements. They requested that the Department consider 
making explicit in the Final Rule that reliance on legal process would 
not be appropriate in the absence of an attestation.
    Response: The verification requirement under 45 CFR 164.514(h) 
\362\ is separate from the attestation requirement, and a regulated 
entity must still comply with 45 CFR 164.514(h) when processing an 
attestation. The final rule makes clear that the attestation 
requirement will apply if the request for PHI potentially related to 
reproductive health care is made pursuant to permissions under 45 CFR 
164.512(d)-(g)(1), which may include disclosing PHI pursuant to a legal 
process.
---------------------------------------------------------------------------

    \362\ 45 CFR 164.514(h)(1) requires a regulated entity to verify 
both the identity of the person requesting PHI and the authority of 
any such person to have access to PHI, if the identity or authority 
of such person is not known to the regulated entity. 45 CFR 
164.514(h)(2)(ii) describes the information upon which a regulated 
entity may rely, if such reliance is reasonable under the 
circumstances, to verify the identity of a public official 
requesting PHI or a person acting on behalf of a public official, 
while 45 CFR 164.514(h)(2)(iii) describes the information upon which 
a regulated entity may rely, if such reliance is reasonable under 
the circumstances, to verify the authority of the public official 
requesting PHI or a person acting on behalf of a public official.
---------------------------------------------------------------------------

    Comment: Some commenters stated that it is difficult to determine 
the purpose of a request for the use or disclosure of PHI because many 
requests include only a general purpose. A commenter asserted that 
staff would need to screen all incoming requests, a task that may 
require legal or clinical expertise. Further, some commenters stated 
that regulated entities may experience conflict with persons requesting 
the use or disclosure of PHI about signing the form.
    Response: This final rule prohibits the use and disclosure of PHI 
for certain purposes and conditions disclosures for certain purposes 
upon the receipt of an attestation. Thus, it is incumbent upon the 
regulated entity receiving the request to determine whether disclosure 
is in compliance with the Privacy Rule. To help the regulated entity 
make such a determination, the Department is adding to the required 
elements of the attestation a description of the purpose of the request 
that is sufficient for the regulated entity to determine whether the 
prohibition at 45 CFR164.502(a)(5)(iii) may apply to the request. 
Requests for the use or disclosure of PHI for the specified purposes 
are likely subject to heightened scrutiny by the regulated entity 
currently because of other conditions imposed upon such disclosures by 
the Privacy Rule, so additional expertise will not always be required 
when processing a request for the use or disclosure of PHI and the 
accompanying attestation. For example, under the Privacy Rule, a 
regulated entity must determine whether a request for the use or 
disclosure of PHI for a judicial or administrative proceeding made 
using a subpoena, discovery request, or other lawful process, that is 
not accompanied by an order of a court or administrative tribunal 
contains ``satisfactory assurances'' that reasonable efforts have been 
made by the person making the request either: (1) to ensure that the 
individual who is the subject of the PHI that has been requested has 
been given notice of the request; \363\ or (2) to secure a qualified 
protective order that meets certain requirements specified in the 
Privacy Rule.\364\ The Privacy Rule further details how regulated 
entities are to determine whether they have received ``satisfactory 
assurances'' for both options described above.\365\ Such requirements 
ensure that a regulated entity must already carefully review requests 
for such purposes, such that the attestation condition likely poses 
minimal additional burden for such requests. In any event, the 
Department believes that these administrative burdens are outweighed by 
the privacy interests that this final rule seeks to protect.
---------------------------------------------------------------------------

    \363\ 45 CFR 164.512(e)(1)(ii)(A).
    \364\ 45 CFR 164.512(e)(1)(ii)(B).
    \365\ 45 CFR 164.512(e)(1)(iii) and (iv).
---------------------------------------------------------------------------

    Comment: Many commenters asserted that it would be reasonable to 
require affirmative verification under penalty of perjury that the 
request for the use or disclosure of PHI is not for a purpose 
prohibited under 45 CFR 164.502(a)(5)(iii) because it would signal an 
intent to penalize requests

[[Page 33038]]

made to contravene the prohibition; would incentivize persons 
requesting the use or disclosure of PHI to consider whether their 
request is for a purpose prohibited under 45 CFR 164.502(a)(5)(iii); 
deter unlawful ``fishing expeditions'' or conceal improper intent; and 
add a layer of accountability. Another commenter stated this heightened 
standard would enable the covered entity to reasonably rely in good 
faith on the substance of the attestation without further 
investigation, delay, cost, burden, or dispute. According to the 
commenter, a person making a request for the use or disclosure of PHI 
in good faith should have minimal to no concern when providing a 
statement signed under penalty of perjury. Another commenter supported 
a requirement that a person requesting the use or disclosure of PHI 
provide an affirmative verification made under penalty of perjury that 
the use or disclosure is not for purpose prohibited under 45 CFR 
164.502(a)(5)(iii) because it would suggest that evidence obtained 
falsely would not be admissible in a legal proceeding. A commenter 
asserted that it is important to ensure that the proposed attestations 
would be as effective as possible, and including a signed declaration 
made under penalty of perjury is critical to ensuring their 
effectiveness in the current legal environment. A commenter endorsed 
adding a statement regarding perjury to the proposed attestation 
because it would place the person requesting the use or disclosure of 
PHI on notice of the criminal penalties if the person were to violate 
the proposed requirement.
    A commenter asserted that the penalty of perjury requirement is a 
common signature standard for legal and administrative proceedings and 
expressed support for expanding it to other proceedings. The commenter 
also expressed support for considering other options because of 
concerns that the application and consequences of making a statement 
under a penalty of perjury may lack clarity outside of certain 
proceedings.
    Response: We appreciate commenters' suggestions; however, the 
Department ultimately decided that the addition of a penalty of perjury 
would be unnecessary in light of the statutory criminal and civil 
penalties under HIPAA. 42 U.S.C. 1320d-6 provides that any person who 
knowingly and in violation of the Administrative Simplification 
provisions obtains IIHI relating to another individual or discloses 
IIHI to another person is subject to criminal liability.\366\ A 
regulated entity is also subject to civil penalties for violations of 
requirements of the HIPAA Rules.\367\ Thus, a person that requests PHI 
who knowingly falsifies an attestation (e.g., makes material 
misrepresentations as to the intended uses of the PHI requested) to 
obtain PHI or cause PHI to be disclosed would be in violation of HIPAA 
and could be subject to criminal penalties.\368\
---------------------------------------------------------------------------

    \366\ See 42 U.S.C. 1320d-6(a).
    \367\ See 42 U.S.C. 1320d-5. See also 45 CFR part 160, subparts 
A, D, and E.
    \368\ See 42 U.S.C. 1320d-6(b).
---------------------------------------------------------------------------

    Comment: Some commenters expressed support for requiring that the 
attestation include a statement that a person signing an attestation is 
doing so under penalty of perjury, but they also questioned its ability 
to prevent a person from requesting the use or disclosure of PHI for a 
purpose prohibited under 45 CFR 164.502(a)(5)(iii) and recommended 
additional requirements or alternatives. One commenter expressed 
concern that there would be no disincentive for the recipient to submit 
an attestation signed under false pretenses in the absence of 
enforceable penalties. A different commenter questioned the efficacy of 
a penalty of perjury requirement because the person requesting the use 
or disclosure may not be the person that uses the PHI for a purpose 
prohibited under 45 CFR 164.502(a)(5)(iii); it might be another person 
who uses the information for a purpose prohibited under that provision. 
According to the commenter, no criminal or other penalty would attach 
because that other person did not sign the attestation. The commenter 
also expressed concern that an attestation signed on behalf of an 
entity may not be enforceable because the person who signed the 
attestation did not have authority to bind the entity.
    Commenters variously recommended that the Department include 
language that the person requesting the use or disclosure of PHI would 
not further use or disclose the PHI for a purpose prohibited under 45 
CFR 164.502(a)(5)(iii) and that the requested information is the 
minimum necessary, or require a search warrant or data use agreement 
instead of an attestation. A commenter recommended that the Department 
provide individuals with an actionable remedy, such as the right to 
receive a portion of any civil money penalty assessed to the regulated 
entity or the right to ``claw back'' the disclosure from the receiving 
entity if the party that signed the attestation later violates its 
terms.
    Response: The Department understands and shares commenters' 
concerns about redisclosures that would be prohibited by this rule if 
the disclosure was made by a regulated entity. However, HIPAA limits 
the Department's authority to regulating PHI maintained or transmitted 
by a regulated entity, that is a covered entity or their business 
associate. Accordingly, a person that is not a regulated entity 
generally may use or disclose such information without further 
limitation by the HIPAA Rules.
    Requiring search warrants or data use agreements as a condition of 
the use or disclosure of PHI is beyond the scope of this final rule.
    With respect to the commenter's concern about situations in which a 
person who does not have the appropriate authority requests PHI on 
behalf of a public official, the Privacy Rule generally requires that a 
regulated entity verify the identity and legal authority of persons 
requesting PHI prior to making the disclosure.\369\ Where a disclosure 
of PHI is to a public official or person acting on behalf of a public 
official who has the authority to request the information, a regulated 
entity may verify the authority of that public official by relying on, 
if reliance is reasonable under the circumstances, either a written 
statement of legal authority under which the information is requested 
(or an oral statement, if the written statement is impracticable).\370\ 
Alternatively, a regulated entity may presume the public official's 
legal authority if a request is made pursuant to legal process, 
warrant, subpoena, order, or other legal process issued by a grand jury 
or judicial administrative tribunal.\371\ We remind regulated entities 
that a determination that a public official has the authority to make a 
request for the use or disclosure does not mean that the Privacy Rule 
permits them to obtain any and all information that the official 
requests. In such circumstances, the regulated entity should carefully 
review the conditions of the applicable permission to ensure that they 
are met. Where the condition involves a warrant, subpoena, or similar 
instrument, the regulated entity must also review the scope of the 
authority granted by the warrant, subpoena, or order to determine the 
extent of the PHI that it is permitted to disclose.\372\ Further, a 
regulated entity may rely, if such reliance is reasonable under the

[[Page 33039]]

circumstances, on a requested disclosure by a public official as the 
minimum necessary if the public official represents that the requested 
PHI is the minimum necessary for the stated purpose.\373\
---------------------------------------------------------------------------

    \369\ See 45 CFR 164.514(h); see also 65 FR 82462, 82541, and 
82547 (Dec. 28, 2000).
    \370\ 45 CFR 164.514(h)(2)(iii)(A).
    \371\ 45 CFR 164.514(h)(2)(iii)(B).
    \372\ 45 CFR 164.512(a)(1).
    \373\ 45 CFR 164.514(d)(3)(iii)(A).
---------------------------------------------------------------------------

    HIPAA specifies the remedies available to the Federal Government 
where persons violate the statute's Administrative Simplification 
provisions: civil monetary penalties \374\ and criminal fines and 
imprisonment.\375\ HIPAA does not include a private right of action.
---------------------------------------------------------------------------

    \374\ 42 U.S.C. 1320d-5.
    \375\ 42 U.S.C. 1320d-6.
---------------------------------------------------------------------------

    Comment: One commenter asked the Department to clarify that anyone 
providing a false attestation would be held accountable for false 
statements with appropriate or significant civil fines or criminal 
penalties for the material misrepresentation. Another commenter 
specifically recommended that the Department consider it a material 
misrepresentation for a person to sign an attestation without an 
objectively reasonable basis to suspect that the reproductive health 
care of interest was unlawful under the circumstances in which such 
health care was provided. The commenter asserted that the attestation 
should include specific language that any person who is requesting the 
use or disclosure of PHI because they believe the reproductive health 
care was not lawful under the circumstances in which such health care 
was provided must have a reasonable basis for that belief (e.g., a 
statement from a witness) and that the absence of an articulable, fact-
based reasonable suspicion would constitute a material 
misrepresentation. According to the commenter, such a requirement would 
prevent fishing expeditions because persons requesting the use or 
disclosure of PHI would be required to have an actual, objective reason 
for believing that a person provided health care in violation of state 
or Federal law.
    Response: The Department agrees that it would be a material 
misrepresentation if a person who signs an attestation does not have an 
objectively reasonable basis to suspect that the reproductive health 
care was provided under circumstances in which it was unlawful, and 
that an objectively reasonable basis of suspicion requires specific and 
articulable facts associated with the individual whose PHI is requested 
and the health care they received. We decline to include a statement of 
this position on the attestation because it is encompassed in the 
language that requires persons making a request for PHI to attest that 
they are not making the request for a prohibited purpose and the 
language ensuring that persons making such requests are aware of the 
potential liability for knowingly and in violation of HIPAA obtaining 
IIHI relating to an individual or disclosing IIHI to another person.
    Comment: Some commenters urged the Department to include additional 
provisions to monitor and enforce the attestation condition, including 
requiring that a court order, written attestation, or valid 
authorization accompany requests for the use or disclosure of PHI for 
legal or administrative proceedings or law enforcement investigations.
    Response: The attestation condition does not replace the conditions 
of the Privacy Rule's permissions for a regulated entity to disclose 
PHI in response to a subpoena, discovery request, or other lawful 
process,\376\ or administrative request.\377\ Instead, it is designed 
to work with these permissions and associated condition. For PHI to be 
disclosed pursuant to 45 CFR 164.512(e)(1)(ii) and (f)(1)(ii)(C), a 
regulated entity must verify that the relevant conditions are met and 
also satisfy the attestation condition at 45 CFR 164.509. We do not 
believe it is necessary to include additional requirements to monitor 
and enforce implementation of the attestation condition because a 
person who knowingly and in violation of the Administrative 
Simplification provisions obtains or discloses IIHI relating to another 
individual or discloses IIHI to another person would be subject to 
criminal liability.\378\
---------------------------------------------------------------------------

    \376\ 45 CFR 165.512(e)(1)(ii).
    \377\ 45 CFR 164.512(f)(1)(ii)(C).
    \378\ See 42 U.S.C. 1320d-6(a).
---------------------------------------------------------------------------

    Comment: Almost all commenters responding to the Department's 
request for comment expressed support for a Department-developed model 
attestation or sample language that could be used by regulated entities 
to reduce the implementation burden of the attestation condition. A 
large health care provider expressed appreciation for options that 
would simplify the process for reviewing requests for the use or 
disclosure of PHI made pursuant to 45 CFR 164.512(d)-(g)(1). Other 
commenters asserted that a standard form would reduce unnecessary 
variation, support a consistent approach, decrease implementation 
costs, and make it easier for a regulated entity to identify requests 
for the use or disclosure of PHI for purposes prohibited under 45 CFR 
164.502(a)(5)(iii).
    Several commenters suggested that a universal or standardized 
attestation form would reduce the burden of the attestation 
requirement, especially for smaller health care providers, and reduce 
delays in the disclosure of PHI resulting from the need for legal 
review or unfamiliarity with the format of an attestation provided by a 
person requesting the use or disclosure of PHI. One of these commenters 
stated this would also support electronic data exchange by 
standardizing attestation fields and the format. Most commenters 
expressed opposition to a Department-required format and recommended 
that the Department permit covered entities to modify the language of 
the attestation.
    Some commenters requested that the model attestation include a 
plain language explanation and a tip sheet or guidance for completion. 
They also requested that the model be an electronic, fillable form with 
a clear heading and that the editing capabilities be limited to the 
specific required fields. Some commenters recommended that the model 
attestation contain an outline of penalties for misuse of PHI.
    A commenter requested that the Department guarantee that a health 
care provider's good faith reliance on a model attestation form would 
be objectively reasonable.
    Response: We appreciate these recommendations and intend to publish 
model attestation language before the compliance date of this final 
rule. As discussed above, if an attestation, on its face, meets the 
requirements at 45 CFR 164.509(c), a regulated entity must consider the 
totality of the circumstances surrounding the attestation and whether 
it is reasonable to rely on the attestation in those circumstances.
    Comment: In response to the Department's request for comment on how 
the proposed attestation would affect a regulated entity's process for 
responding to regular or routine requests from certain persons, a few 
commenters explained their current workflows and the resource 
requirements for managing these requests.
    Some commenters suggested that an attestation requirement might 
require changes to workflows and discussed the changes that might be 
made.
    Response: The Department appreciates these insights into how 
regulated entities currently respond to certain requests for the use or 
disclosure of PHI. We confirm that a person requesting the use or 
disclosure of PHI

[[Page 33040]]

pursuant to 45 CFR 164.512(d), (e), (f), or (g)(1) must provide the 
regulated entity a signed and truthful attestation where the request is 
for PHI potentially related to reproductive health care before the 
regulated entity is permitted to use or disclose the requested PHI. The 
Department will consider developing guidance and technical assistance 
as needed on these topics in the future as necessary to ensure 
compliance with the Privacy Rule, including both the prohibition at 45 
CFR 164.502(a)(5)(iii) and 164.509. It may benefit a regulated entity 
to require such documentation where the requested use or disclosure is 
for TPO or in response to a valid authorization or individual right of 
access request.
    Comment: A few commenters recommended imposing obligations to limit 
redisclosures of PHI for certain purposes.
    A few commenters stated that a person requesting the use or 
disclosure of PHI could seek a court order or provide a written 
attestation to permit the regulated entity to make the disclosure in 
question in the event they were unable to obtain an authorization.
    Response: While we understand commenters' concerns regarding the 
uses and disclosures of health information by entities not covered by 
the Privacy Rule, the Department is limited to applying the HIPAA Rules 
to those entities covered by HIPAA (i.e., health plans, health care 
clearinghouses, and health care providers that conduct covered 
transactions) and to business associates, as provided under the HITECH 
Act.
    In the 2023 Privacy Rule NPRM, the Department considered permitting 
regulated entities to make uses or disclosures of PHI only after 
obtaining a valid authorization. However, the Department rejected the 
approach because requiring an authorization in all circumstances would 
not reflect the appropriate balance between individual privacy 
interests and other societal interests in disclosure. In particular, 
individuals may decline to authorize disclosure of PHI even in 
circumstances where their privacy interests are reduced and societal 
interests in disclosure are heightened, such as where the reproductive 
health care was unlawful under the circumstances in which it was 
provided.
    Comment: Some commenters requested that the Department provide 
educational resources for regulated entities to implement the 
attestation. A commenter encouraged the Department to strongly enforce 
the attestation provision.
    Response: We appreciate these recommendations and commit to 
providing additional resources to assist regulated entities with 
implementation of this rule.
    Comment: In response to the Department's request for comment on 
alternative documentation that could assist regulated entities in 
complying with the proposed limitations on the use and disclosure of 
PHI, some commenters recommended that an attestation always be 
required, even if additional documentation is mandated, because the 
attestation would place the person requesting the use or disclosure of 
PHI on notice of the prohibition and to hold them accountable if they 
use the PHI for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), in 
addition to helping a covered entity to determine whether the PHI is 
being requested for a legitimate or prohibited purpose. Others agreed 
because of the risk of coercion when authorizations are sought from 
individuals for certain purposes.
    Some commenters suggested that the Department require that a court 
order, written attestation, or valid authorization accompany a request 
for the use or disclosure of any PHI for legal or administrative 
proceedings or law enforcement investigations because there are 
circumstances under which it would be unlikely for a person to obtain 
an authorization. Some commenters recommended that the Department not 
require an attestation when the disclosure of PHI is required by law, 
or when so ordered by a court of competent jurisdiction. A commenter 
proposed that the Department permit regulated entities to make the 
specified uses and disclosures with a written attestation, a HIPAA 
authorization, or alternative documentation described by the 
Department, including a court order, to minimize the administrative 
burden.
    Response: The Department appreciates the approaches recommended by 
commenters to ensure that PHI requested is not for a prohibited 
purpose. We also believe that the attestation will place the person 
requesting the use or disclosure of PHI on notice of the prohibition 
and serve to hold them accountable if they use the PHI for a purpose 
prohibited by 45 CFR 164.502(a)(5)(iii). However, we have limited the 
attestation requirement to requests for PHI that is potentially related 
to reproductive health care. In addition, as discussed above, because 
the Privacy Rule's authorization requirements empower individuals to 
make decisions about who has access to their PHI, we are not adopting 
the proposed exception to the permission to use or disclose PHI 
pursuant to a valid authorization, nor are we adopting the other 
recommendations made by commenters. The Department is not finalizing 
its proposal to prohibit the disclosure of PHI for a purpose prohibited 
by 45 CFR 164.502(a)(5)(iii) pursuant to an authorization. Accordingly, 
the final rule permits the disclosure of an individual's PHI to another 
person pursuant to a valid authorization, even if the disclosure would 
otherwise be prohibited under this rule. Therefore, a regulated entity 
may disclose PHI for a purpose that otherwise would be prohibited under 
45 CFR 164.502(a)(5)(iii) by obtaining a valid authorization or 
pursuant to the individual right of access. We reiterate that in all 
cases, the conditions of the underlying permission must be met before a 
regulated entity is permitted to use or disclose the requested PHI.

D. Section 164.512--Uses and Disclosures for Which an Authorization or 
Opportunity To Agree or Object Is Not Required

1. Applying the Prohibition and Attestation Condition to Certain 
Permitted Uses and Disclosures
    Section 164.512 of the Privacy Rule contains the standards for uses 
and disclosures for which an authorization or opportunity to agree or 
object is not required. Many of the uses and disclosures addressed by 
45 CFR 164.512 relate to government or administrative functions and are 
described in the 2000 Privacy Rule preamble as ``national priority 
purposes.'' \379\ These permissions for uses and disclosures were not 
required by HIPAA; instead they represented the Secretary's previous 
balancing of the privacy interests and expectations of individuals and 
the interests of communities in making certain information available 
for community purposes, such as for certain public health, health care 
oversight, and research purposes.\380\ As discussed previously, the 
Department, in its implementation of HIPAA, has sought to ensure that 
individuals do not forgo health care when needed--or withhold important 
information from their health care providers that may affect the 
quality of health care they receive--out of a fear that their sensitive 
information would be revealed outside of their relationships with their 
health care providers.
---------------------------------------------------------------------------

    \379\ 65 FR 82462, 82524 (Dec. 28, 2000).
    \380\ See id. at 82471.
---------------------------------------------------------------------------

    To clarify that the proposal at 45 CFR 164.502(a)(5)(iii) would 
prohibit the use and disclosure of PHI in some

[[Page 33041]]

circumstances where such uses or disclosures are currently permitted, 
the Department proposed to cite the proposed prohibition at the 
beginning of the introductory text of 45 CFR 164.512 and condition 
certain disclosures on the receipt of the attestation proposed at 45 
CFR 164.509.\381\ The proposed modification would add the clause, 
``Except as provided by 45 CFR 164.502(a)(5)(iii), [. . .]'' and add 
``and 45 CFR 164.509'' to ``subject to the applicable requirements of 
this section.'' This would create a new requirement to obtain an 
attestation from the person requesting the use and disclosure of PHI as 
a condition of making certain types of permitted uses and disclosures 
of PHI. Thus, under the proposal and subject to the Department 
finalizing the prohibition at paragraph (a)(5)(iii) of 45 CFR 164.502, 
uses and disclosures of PHI for certain purposes would be prohibited 
unless a regulated entity first obtained an attestation from the person 
requesting the use and disclosure under proposed 45 CFR 164.509.
---------------------------------------------------------------------------

    \381\ 88 FR 23506, 23537-38 (Apr. 17, 2023).
---------------------------------------------------------------------------

    The Department also proposed to replace ``orally'' with 
``verbally'' at the end of the introductory paragraph for clarity.
Overview of Public Comments
    While many commenters addressed the proposals to add a prohibition 
on the use and disclosure of PHI and to require an attestation in 
certain circumstances, few commenters addressed the proposal to modify 
the introductory paragraph to 45 CFR 164.512. Such commenters either 
expressed support for it or requested additional guidance on the 
Department's intention or the proposal's operation.
    The Department is adopting its proposal without modification. As 
discussed above, this change creates a new requirement for a regulated 
entity to obtain an attestation from a person requesting the use or 
disclosure of PHI as a condition of making certain types of permitted 
uses and disclosures of PHI. For example, the Privacy Rule currently 
permits uses and disclosures for health care oversight,\382\ judicial 
and administrative proceedings,\383\ law enforcement purposes,\384\ and 
about decedents to coroners and medical examiners,\385\ provided 
specified conditions are met. When read in conjunction with the new 
prohibition at 45 CFR 164.502(a)(5)(iii), uses and disclosures of PHI 
for these purposes will be subject to an additional condition that the 
regulated entity first obtain an attestation from the person requesting 
the use and disclosure under the new attestation requirement at 45 CFR 
164.509.
---------------------------------------------------------------------------

    \382\ 45 CFR 164.512(d).
    \383\ 45 CFR 164.512(e).
    \384\ 45 CFR 164.512(f).
    \385\ 45 CFR 164.512(g)(1).
---------------------------------------------------------------------------

    The Department assumes that there will be instances in which state 
or other law requires a regulated entity to use or disclose PHI for 
health care oversight, judicial and administrative proceedings, law 
enforcement purposes, or about decedents to coroners and medical 
examiners for a purpose not related to one of the prohibited purposes 
in 45 CFR 164.502(a)(5)(iii). The Department believes that a regulated 
entity will be able to comply with such laws and the attestation 
requirement. For example, a regulated entity may continue to disclose 
PHI without an individual's authorization to a state medical board, a 
prosecutor, or a coroner, in accordance with the Privacy Rule, when the 
request is accompanied by the required attestation. As a result, a 
regulated entity generally may continue to assist the state in carrying 
out its health care oversight, judicial and administrative functions, 
law enforcement, and coroner duties with the use or disclosure of PHI 
once a facially valid attestation has been provided to the regulated 
entity from whom PHI is sought. However, where an attestation is 
required but not obtained, a state seeking information about an 
individual's reproductive health or reproductive health care would need 
to obtain such information from an entity not regulated under the 
Privacy Rule \386\ or demonstrate that the regulated entity has actual 
knowledge that the reproductive health care was not lawful under the 
circumstances in which such health care was provided, thereby reversing 
the presumption described at 45 CFR 164.502(a)(5)(iii)(C).
---------------------------------------------------------------------------

    \386\ The Privacy Rule only applies to PHI, which is IIHI that 
is maintained or transmitted by, for, or on behalf of a covered 
entity. Thus, it does not apply to individuals' health information 
when it is in the possession of a person that is not a regulated 
entity, such as a friend, family member, or is stored on a personal 
cellular telephone or tablet. See Off. for Civil Rights, 
``Protecting the Privacy and Security of Your Health Information 
When Using Your Personal Cell Phone or Tablet,'' U.S. Dep't of 
Health and Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
---------------------------------------------------------------------------

    Additionally, we are replacing ``orally'' with ``verbally'' for 
clarity. No substantive change is intended.
    Comment: One commenter expressed support for the Department's 
proposed revision to 45 CFR 164.512, while another commenter requested 
additional examples or detail in preamble about what the Department 
intends by this revision.
    Response: The Department intends that the uses and disclosures of 
PHI made in accordance with 45 CFR 164.512 would be subject to both the 
45 CFR 164.502(a)(5)(iii) prohibition and the 45 CFR 164.509 
attestation, when applicable, specifically uses or disclosures made for 
health oversight activities,\387\ judicial and administrative 
proceedings,\388\ law enforcement purposes,\389\ and about decedents to 
coroners and medical examiners.\390\ For example, a regulated entity 
may disclose PHI for law enforcement purposes, subject to the 
conditions of the permission at 45 CFR 164.512(f), where the purpose of 
the request for the use or disclosure is to investigate a sexual 
assault and the person requesting the PHI provides the regulated entity 
with a valid attestation signifying that the purpose of the request is 
not for a prohibited purpose. Similarly, where a request meets the 
requirements of 45 CFR 164.502(a)(5)(iii), a regulated entity may 
disclose PHI for law enforcement purposes, subject to the conditions of 
the permission at 45 CFR 164.512(f), where the purpose of the request 
for the use or disclosure is to investigate the unlawful provision of 
reproductive health care with a valid attestation signifying that the 
purpose of the request is not one that is prohibited (i.e., that the 
purpose of the use or disclosure is not to investigate or impose 
liability on any person for the lawful provision of reproductive health 
care). As another example, a regulated entity may disclose PHI to a 
state Medicaid agency in accordance with 45 CFR 164.512(d) where the 
purpose of the request is to ensure that the regulated entity is 
providing the reproductive health care for which the regulated entity 
has submitted claims for payment to Medicaid after obtaining an 
attestation that meets the requirements of 45 CFR 164.509 from the 
state Medicaid agency.
---------------------------------------------------------------------------

    \387\ 45 CFR 164.512(d).
    \388\ 45 CFR 164.512(e).
    \389\ 45 CFR 164.512(f).
    \390\ 45 CFR 164.512(g)(1).
---------------------------------------------------------------------------

    Comment: One commenter requested clarification regarding the 
intersection between the Department's proposed Rule of Construction at 
45 CFR 164.502(a)(5)(iii)(D) and its proposal at 45 CFR 164.512.
    Response: The Department is not adopting the proposed Rule of 
Construction. Rather, the language of the proposal has been integrated 
into the prohibition standard at 45 CFR 164.502(a)(5)(iii)(A). The 
finalized prohibition standard requires a

[[Page 33042]]

regulated entity to ensure that they obtain a valid attestation from a 
person requesting the use or disclosure of PHI for health oversight 
activities, judicial and administrative proceedings, law enforcement 
purposes, or about decedents to coroners or medical examiners, assuring 
the regulated entity that the purpose of the request is not for a 
purpose prohibited under 45 CFR 164.502(a)(5)(iii).
2. Making a Technical Correction to the Heading of 45 CFR 164.512(c) 
and Clarifying That Providing or Facilitating Reproductive Health Care 
Is Not Abuse, Neglect, or Domestic Violence
    Paragraph (c) of 45 CFR 164.512 permits a regulated entity to 
disclose PHI, under specified conditions, to an authorized government 
agency where the regulated entity reasonably believes the individual is 
a victim of abuse, neglect, or domestic violence. The regulatory text 
includes a serial comma, which clearly indicates that the provision 
addresses victims of three different types of crimes, but the heading 
of this standard does not include the serial comma.
    For grammatical clarity, the Department proposed to add the serial 
comma after the word ``neglect'' in the heading of the standard 
contained at 45 CFR 164.512(c).\391\
---------------------------------------------------------------------------

    \391\ 88 FR 23506, 23538 (Apr. 17, 2023).
---------------------------------------------------------------------------

    The Department also proposed to add a new paragraph (c)(3) to 45 
CFR 164.512(c), with the heading ``Rule of construction,'' to clarify 
that the permission to use or disclose PHI in reports of abuse, 
neglect, or domestic violence does not permit uses or disclosures based 
primarily on the provision or facilitation of reproductive health care 
to the individual.\392\ The Department intended the proposed provision 
to safeguard the privacy of individuals' PHI against claims that uses 
and disclosures of that PHI are warranted because the provision or 
facilitation of reproductive health care, in and of itself, may 
constitute abuse, neglect, or domestic violence.
---------------------------------------------------------------------------

    \392\ Id.
---------------------------------------------------------------------------

    A few commenters supported the proposal because it would clarify 
that providing or facilitating access to health care is not itself 
abuse, neglect, or violence, while others expressed opposition to the 
proposal because they believed it would prevent health care providers 
from reporting abuse based on the provision of reproductive health 
care, including potentially coerced reproductive health care. 
Commenters both supported and opposed the inclusion of the phrase 
``based primarily.''
    The Department is finalizing the proposal to add the serial comma 
after the word ``neglect'' in the heading of the standard contained at 
45 CFR 164.512(c).
    As we explained in the 2023 Privacy Rule NPRM, the Department is 
concerned that recent state actions may lead regulated entities to 
believe that they are permitted to make disclosures of PHI when they 
believe that persons who provide or facilitate access to reproductive 
health care are perpetrators of a crime simply because they provide or 
facilitate access to reproductive health care. Thus, the Department is 
clarifying that providing or facilitating access to lawful reproductive 
health care itself is not abuse, neglect, or domestic violence for 
purposes of the Privacy Rule. This is consistent with the Department's 
understanding that the provision or facilitation of lawful health care 
is not itself abuse, neglect, or domestic violence. Such clarification 
has not previously been required, but recent developments in the legal 
landscape have made it necessary for us to codify this interpretation 
in the context of reproductive health care.
    Accordingly, the Department is finalizing the proposed Rule of 
Construction at 45 CFR 164.512(c)(3), with modification as follows. The 
modification clarifies the circumstances under which regulated entities 
that are mandatory reporters of abuse, neglect, or domestic violence 
are permitted to make such reports. Specifically, we are replacing 
``based primarily on'' with language specifying that the prohibition at 
45 CFR 164.502(a)(5)(iii) cannot be circumvented by the permission to 
use or disclose PHI to report abuse, neglect, or domestic violence 
where the ``sole basis of'' the report is the provision or facilitation 
of reproductive health care. Thus, the Department makes clear that it 
may be reasonable for a covered entity that is a mandatory reporter to 
believe that an individual is the victim of abuse, neglect, or domestic 
violence and to make such report to the government authority authorized 
by law to receive such reports in circumstances where the provision of 
reproductive health care to the individual is but one factor prompting 
the suspicion. For example, it would not be reasonable for a covered 
entity to believe that an individual is the victim of domestic violence 
solely because the individual's spouse facilitated the covered entity's 
provision of reproductive health care to the individual.
    Comment: A few commenters supported the Department's proposal. One 
commenter asserted that providing or facilitating access to any type of 
health care is not in and of itself abuse, neglect, or domestic 
violence and urged the Department to expand the scope of this language, 
particularly if the prohibition is similarly expanded in the final 
rule.
    Response: The Department appreciates the comments about the 
modifications to 45 CFR 164.512(c). As discussed above, the scope of 
the prohibition is limited to reproductive health care. The proposed 
and final regulations are narrowly tailored and limited in scope to not 
increase regulatory burden beyond appropriate public policy objectives. 
Thus, we decline to expand the scope of this provision, as well.
    Comment: A large coalition expressed concerns about mandatory 
domestic violence and sexual assault reporting laws. According to the 
coalition, mandatory reporting laws reduce the willingness of domestic 
violence survivors to seek help, including health care, and that the 
reports themselves worsen the situation for most survivors. The 
coalition asserted that permitting the disclosure of PHI to law 
enforcement and other agencies for reports of abuse, neglect, or 
domestic violence isolates survivors of such abuse and puts them at 
risk of losing their children. These commenters recommended that the 
Department prevent such disclosures.
    Some commenters expressed opposition to the proposal because they 
believe it would put victims of domestic abuse at risk because it would 
prevent health care providers from reporting abuse, including child 
abuse, based on the provision or facilitation of reproductive health 
care. A commenter asserted that the proposal would circumvent the 
exception prohibiting disclosures to abusive persons at 45 CFR 
164.512(b)(1)(ii). According to another commenter, the change would 
chill the willingness of covered entities to cooperate with 
investigations and judicial proceedings concerning individuals who may 
have used reproductive health care, regardless of the matter being 
adjudicated.
    According to another commenter, the proposal is aimed at 
undermining state laws and shielding persons who provide or facilitate 
reproductive health care. Commenters expressed concern that the 
proposal would prohibit reports of abuse, neglect, or domestic violence 
because such reports are made for the purpose of investigating or 
prosecuting a person for providing or facilitating

[[Page 33043]]

unlawful reproductive health care, and for committing sexual assault.
    Response: The Department appreciates the concerns raised by the 
commenters. Since publication of the final Privacy Rule in 2000, the 
Department has acknowledged that covered entities, including covered 
health care providers, may have legal obligations to report PHI in 
certain circumstances, including about suspected victims of abuse, 
neglect, or domestic violence. The Department did not propose to modify 
the Privacy Rule's permission to disclose PHI at 45 CFR 164.512(c). The 
Department declines to expand its proposal to eliminate the permission 
for covered entities to disclose PHI to public health authorities, law 
enforcement, and other government authority authorized by law to 
receive reports of abuse, neglect, or domestic violence.
    Additionally, the Department does not agree that covered entities 
will be prevented from reporting PHI about victims of abuse, neglect, 
or domestic violence. The new language at 45 CFR 164.512(c)(3) is 
narrowly tailored to reduce the conflation between lawfully provided 
reproductive health care and the view that such lawful health care, on 
its own, is abuse. Readers are referred to the preamble discussion of 
45 CFR 164.502(a)(5)(iii) that describes the scope of disclosure 
changes which are being made applicable to 45 CFR 164.512(c).
    The Department does not agree that the modifications circumvent the 
exception prohibiting disclosures to abusive persons at 45 CFR 
164.512(b)(1)(ii). The new language at 45 CFR 164.512(c)(3) does not 
modify or change the current Privacy Rule provision for disclosures to 
a public health authority or other appropriate government authority 
authorized by law to receive reports of child abuse or neglect. We 
believe the commenter is referring to 45 CFR 164.512(c)(2), which 
requires a covered entity to inform an individual that a report has 
been or will be made, and 45 CFR 164.512(c)(2)(ii), which removes the 
requirement to inform the individual when the covered entity would be 
informing a personal representative and the covered entity reasonably 
believes the personal representative is responsible for the abuse, 
neglect, or other injury, and that informing such person would not be 
in the best interests of the individual as determined by the covered 
entity, in the exercise of professional judgment. Because the new 
language at 45 CFR 164.512(c)(3) operates as a limitation on 
disclosure, it is not possible for the new provision to permit 
disclosures in more circumstances than previously permitted, and 
therefore does not circumvent the existing provision.
    Comment: A commenter recommended that the Department clarify that 
the proposed Rule of Applicability would not prohibit disclosure and 
use of such records when they are sought for a defensive purpose by 
revising the proposed Rule of Construction at 45 CFR 164.512(c)(3) to 
more explicitly state that it permits such use or disclosure.
    Response: The adopted Rule of Construction at 45 CFR 164.512(c)(3) 
applies to disclosures permitted by 45 CFR 164.512(c), which are 
explicitly to a government authority, including a social service or 
protective services agency, authorized by law to receive reports of 
abuse, neglect, or domestic violence. The Department is not aware of a 
disclosure that otherwise meets the requirements specified at 45 CFR 
164.512(c)(1) that would constitute a disclosure for defensive 
purposes. Rather, disclosures of PHI for defensive purposes, such as a 
disclosure to defend against a prosecution for criminal prosecution for 
allegations of providing unlawful health care, are permitted by 45 CFR 
164.512(f), as well as for health care operations when obtaining legal 
services. To the extent that a disclosure for a defensive purpose meets 
the applicable requirements and is permitted, the Department confirms 
that the final rule language generally would not prohibit a disclosure.
    Comment: A few commenters requested clarification of the standard 
for determining what would constitute a report of abuse, neglect, or 
domestic violence that is based primarily on the provision of 
reproductive health care. Commenters also requested clarification about 
the interaction between the proposed prohibition and the permission at 
45 CFR 164.512(c).
    Response: The Privacy Rule permits but does not require the 
reporting of abuse, neglect, or domestic violence under certain 
conditions.\393\ Under the final rule, the Department is clarifying 
that this permission does not apply where the sole basis of the report 
is the provision or facilitation of reproductive health care. With this 
modification, the Department makes clear that it may be reasonable for 
a covered entity that is a mandatory reporter to believe that an 
individual is the victim of abuse, neglect, or domestic violence and to 
make such report to the government authority authorized by law to 
receive such reports in circumstances where the provision or 
facilitation of reproductive health care is but one factor prompting 
the suspicion. We also note, as discussed above with respect to 45 CFR 
164.512(b)(1)(i), this permission allows a covered entity to report 
known or suspected abuse, neglect, or domestic violence only for the 
purpose of making a report. The PHI disclosed must be limited to the 
minimum necessary information for the purpose of making a report.\394\ 
These provisions do not permit the covered entity to disclose PHI in 
response to a request for the use or disclosure of PHI to conduct a 
criminal, civil, or administrative investigation into or impose 
criminal, civil, or administrative liability on a person based on 
suspected abuse, neglect, or domestic violence. Thus, any disclosure of 
PHI in response to a request from an investigator, whether in follow up 
to the report made by the covered entity (other than to clarify the PHI 
provided on the report) or as part of an investigation initiated based 
on an allegation or report made by a person other than the covered 
entity, must meet the conditions of disclosures for law enforcement 
purposes or judicial and administrative proceedings.\395\
---------------------------------------------------------------------------

    \393\ 45 CFR 164.512(c).
    \394\ See 45 CFR 164.502(b) and 164.514(d).
    \395\ See 45 CFR 164.512(e) and (f).
---------------------------------------------------------------------------

3. Clarifying the Permission for Disclosures Based on Administrative 
Processes
    Under 45 CFR 164.512(f)(1), a regulated entity may disclose PHI 
pursuant to an administrative request, provided that: (1) the 
information sought is relevant and material to a legitimate law 
enforcement inquiry; (2) the request is specific and limited in scope 
to the extent reasonably practicable in light of the purpose for which 
the information is sought; and (3) de-identified information could not 
reasonably be used. Examples of administrative requests include 
administrative subpoena or summons, a civil or an authorized 
investigative demand, or similar process authorized under law. The 
examples of administrative requests provided in the regulatory text 
include only requests that are enforceable in a court of law, and the 
catchall ``or similar process authorized by law'' similarly is intended 
to include only requests that, by law, require a response. This 
interpretation is consistent with the Privacy Rule's definition of 
``required by law,'' which enumerates these and other examples of 
administrative requests that constitute ``a mandate contained in law 
that compels an entity to make a use or disclosure of protected health

[[Page 33044]]

information and that is enforceable in a court of law.''
    As we explained in the 2023 Privacy Rule NPRM, the Department has 
become aware that some regulated entities may be interpreting 45 CFR 
164.512(f)(1) in a manner that is inconsistent with the Department's 
intent. Therefore, the Department proposed to clarify the types of 
administrative processes that this provision was intended to 
address.\396\
---------------------------------------------------------------------------

    \396\ 88 FR 23506, 23538-39 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Specifically, the Department proposed to insert language to clarify 
that the administrative processes that give rise to a permitted 
disclosure include only requests that, by law, require a regulated 
entity to respond. Accordingly, the proposal would specify that PHI may 
be disclosed pursuant to an administrative request ``for which a 
response is required by law.'' The Department does not consider this to 
be a substantive change because the proposal was consistent with 
express language of the preamble discussion on this topic in the 2000 
Privacy Rule.\397\ The Department intends that the express inclusion of 
this language will ensure that regulated entities more fully appreciate 
the permitted uses and disclosures pursuant to 45 CFR 
164.512(f)(1)(ii)(C).
---------------------------------------------------------------------------

    \397\ See 65 FR 82462, 82531 (Dec. 28, 2000).
---------------------------------------------------------------------------

    The Department received few comments on the proposal to clarify the 
permission at 45 CFR 164.512(f)(1)(ii)(C). Comments were mixed, with 
some support, some opposition, and some requesting additional 
modifications or additional examples or guidance.
    While the Department received few comments on this clarification, 
the Department is aware of reports that covered entities are 
misinterpreting the intention of the requirements of 45 CFR 
164.512(f)(1)(ii)(C) that disclosures of PHI to law enforcement be 
necessary and limited in scope. For example, a congressional inquiry 
recently highlighted concerns about disclosures of PHI to law 
enforcement from retail pharmacy chains. The inquiry found that some 
pharmacy staff are providing PHI directly to law enforcement without 
advice from their legal departments in part because their staff ``face 
extreme pressure to immediately respond to law enforcement demands.'' 
\398\ Based on this inquiry, these disclosures often are made without a 
warrant or subpoena issued by a court.\399\
---------------------------------------------------------------------------

    \398\ See U.S. Senate Committee on Finance News Release (Dec. 
12, 2023), https://www.finance.senate.gov/chairmans-news/wyden-jayapal-and-jacobs-inquiry-finds-pharmacies-fail-to-protect-the-privacy-of-americans-medical-records-hhs-must-update-health-privacy-rules (describing legislative inquiry into pharmacy chains and 
release of health information in response to law enforcement). See 
also Letter from Sen. Wyden and Reps. Jayapal and Jacobs to HHS 
Sec'y Xavier Becerra (Dec. 12, 2023), https://www.finance.senate.gov/imo/media/doc/hhs_pharmacy_surveillance_letter_signed.pdf (describing findings 
from Congressional oversight, including survey of chain pharmacies 
about their processes for responding to law enforcement requests for 
PHI).
    \399\ See U.S. Senate Committee on Finance News Release, supra 
note 399 and Letter from Sen. Wyden and Reps. Jayapal and Jacobs, 
supra note 399; see also Remy Tumin, ``Pharmacies Shared Patient 
Records Without a Warrant, an Inquiry Finds,'' The New York Times 
(Dec. 13, 2023), https://www.nytimes.com/2023/12/13/us/pharmacy-records-abortion-privacy.html.
---------------------------------------------------------------------------

    The Department is adopting the clarification as proposed because 
regulated entities are misinterpreting the requirements of 45 CFR 
164.512(f)(1)(ii)(C) that ensure that disclosures of PHI to law 
enforcement are necessary and limited in scope. Accordingly, the 
Department is adding to 45 CFR 164.512(f)(1)(ii)(C) language that 
specifies that PHI may be disclosed pursuant to an administrative 
request ``for which a response is required by law.'' Thus, the 
regulatory text now clearly states that the administrative processes 
for which a disclosure is permitted are limited to only requests that, 
by law, require a regulated entity to respond, consistent with preamble 
discussion on this topic in the 2000 Privacy Rule.\400\
---------------------------------------------------------------------------

    \400\ See 65 FR 82462, 82531 (Dec. 28, 2000).
---------------------------------------------------------------------------

    Comment: A few commenters supported the Department's proposed 
clarification of 45 CFR 164.512(f)(1)(ii)(C). A commenter recommended 
that the Department revise the language to refer to an administrative 
subpoena or summons, a civil or other ``expressly'' authorized demand, 
or other similar process. The commenter recommended that, at a minimum, 
the Department prohibit disclosures in response to oral requests, 
require all informal administrative requests be in writing, and require 
qualifying administrative requests to obtain express supervisory 
approval.
    A commenter asserted, without providing examples, that there are 
many disclosures currently made under Federal agencies' interpretations 
of the Privacy Act of 1974 \401\ that would not be permitted under the 
NPRM proposal.
---------------------------------------------------------------------------

    \401\ Public Law 93-579, 88 Stat. 1896 (Dec. 31, 1974) (codified 
at 5 U.S.C. 552a).
---------------------------------------------------------------------------

    Response: The Department appreciates the comments on this 
clarification. The Department understands the commenter's request to 
add language identifying specific processes but declines to make the 
suggested modification at this time. The Department is concerned that 
references to specific items or actions could be understood to not 
apply to similarly situated administrative requests understood by 
different names. In guidance for law enforcement, the Department has 
provided its interpretation that administrative requests must be 
accompanied by a written statement.\402\
---------------------------------------------------------------------------

    \402\ Off. for Civil Rights, ``Health Insurance Portability and 
Accountability Act (HIPAA) Privacy Rule: A Guide for Law 
Enforcement,'' https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf.
---------------------------------------------------------------------------

    In addition, the Department does not control whether a verbal or 
other non-written request is sufficient to meet the standards of 
various jurisdictions for an administrative process that would require 
a responding covered entity to be legally required to respond. The 
Department understands that valid, justiciable reasons for responding 
to a verbal or other non-written request may exist, such as an emergent 
situation that requires an immediate response to avoid an adverse 
outcome. The Department believes the additional text sufficiently 
clarifies the misunderstandings of some regulated entities about what 
constitutes administrative process for the purposes of this permission.
4. Request for Information on Current Processes for Receiving and 
Addressing Requests Pursuant to 164.512(d) Through (g)(1)
    The Department requested information and comments on certain 
considerations to help inform development of the final rule.\403\ In 
particular, the Department asked how regulated entities currently 
receive and address requests for PHI when requested pursuant to the 
Privacy Rule permissions at 45 CFR 164.512(d), (e), (f), or (g)(1), and 
what effect expanding the scope of the proposed prohibition to include 
any health care would have on the proposed attestation requirement and 
the ability of regulated entities to implement it. Comments submitted 
in response to the question about the effects of expanding the scope of 
the proposed prohibition have been included in prior discussions of the 
specific policy issues elsewhere, as applicable.
---------------------------------------------------------------------------

    \403\ 88 FR 23506, 23539 (Apr. 17, 2023).
---------------------------------------------------------------------------

    Comment: Several commenters responded to this request for 
information concerning current processes for receiving certain requests 
pursuant to 45 CFR 164.512 by providing specific information about how 
they receive such requests. Some requests for PHI are received in hard 
copy, either by mail or hand delivery, while others are received via 
email. Still

[[Page 33045]]

others are received through the regulated entities online portal or 
facsimile. In emergency circumstances, such requests may be received 
verbally. Commenters generally receive assurances through hard copy, 
email, their patient portal, and fax. A few commenters seek assurances 
for every subsequent related request, while another commenter stated 
that it does not require or obtain assurances for every subsequent 
related request if the subsequent request is related to the initial 
request for which the initial assurance was received.
    A commenter asserted that the privacy interests at stake outweigh 
potential administrative burdens and provided examples of state laws 
that are more privacy protective than the Privacy Rule. The commenter 
explained that the privacy landscape is constantly evolving, as do the 
HIPAA Rules, and as such, regulated entities must adapt in response.
    Response: The Department appreciates the information provided by 
commenters explaining the processes by which regulated entities 
currently receive requests for the use or disclosure of PHI for certain 
purposes and the workflows of regulated entities to ensure that such 
requests comply with the conditions of the applicable Privacy Rule 
permissions. We reviewed and considered this information when 
evaluating the burden of the proposed modifications to the Privacy Rule 
during the development of this final rule.

E. Section 164.520--Notice of Privacy Practices for Protected Health 
Information

1. Current Provision
    The Privacy Rule generally requires that a covered entity provide 
individuals with an NPP to ensure that they understand how a covered 
entity may use and disclose their PHI, as well as their rights and the 
covered entity's legal duties with respect to PHI.\404\ Section 
164.520(b)(1)(ii) of the Privacy Rule describes the required contents 
of the NPP, including descriptions of the types of permitted uses and 
disclosures of their PHI. More specifically, the NPP must describe the 
ways in which the covered entity may use and disclose PHI for TPO, as 
well as each of the other purposes for which the covered entity is 
permitted or required to use or disclose PHI without the individual's 
written authorization. Additionally, the NPP must state the covered 
entity's duties to protect privacy, provide a copy of the NPP, and 
abide by the terms of the current notice. The NPP must also describe 
individuals' rights, including the right to complain to HHS and to the 
covered entity if they believe their privacy rights have been violated, 
as well as other statements if the covered entity uses PHI for certain 
activities, such as fundraising. The Privacy Rule does not, however, 
currently require a covered entity to provide information about 
specific prohibited uses and disclosures of PHI.
---------------------------------------------------------------------------

    \404\ 45 CFR 164.520. Unlike many provisions of the Privacy 
Rule, 45 CFR 164.520 applies only to covered entities, as opposed to 
both covered entities and their business associates.
---------------------------------------------------------------------------

2. CARES Act
    Section 3221(i) of the CARES Act directs the Secretary to modify 
the NPP provisions at 45 CFR 164.520 to include new requirements for 
covered entities that create or maintain PHI that is also a record of 
SUD treatment provided by a Part 2 program (i.e., covered entities that 
are Part 2 programs and covered entities that receive Part 2 records 
from a Part 2 program). The CARES Act amended 42 U.S.C. 290dd-2 to 
require the Department to revise Part 2 to more closely align with the 
Privacy Rule.
3. Proposals in 2022 Part 2 NPRM and 2023 Privacy Rule NPRM
    The Department proposed in December 2022 to modify both the Patient 
Notice requirements at 42 CFR 2.22 and the NPP requirements at 45 CFR 
164.520 to provide consistent notice requirements for all Part 2 
records. Revisions to the Patient Notice requirements were addressed 
and finalized in the 2024 Part 2 Rule, while modifications to the NPP 
provisions proposed in the 2022 Part 2 NPRM were deferred to a future 
rulemaking. The Department also separately proposed to modify the NPP 
provisions to support reproductive health care privacy as part of the 
2023 Privacy Rule NPRM.
    As part of the 2022 Part 2 NPRM, the Department proposed several 
changes to the NPP provisions. We proposed in a new paragraph (2) to 45 
CFR 164.520(a) that individuals with Part 2 records that are created or 
maintained by covered entities would have a right to adequate notice of 
uses and disclosures, their rights, and the responsibilities of covered 
entities with respect to such records. The Department also proposed to 
remove 45 CFR 164.520(a)(3), the exception for providing inmates a copy 
of the NPP, which would require covered entities that serve 
correctional facilities to provide inmates with a copy of the NPP. 
Additionally, the Department proposed revising 45 CFR 164.520(b)(1) to 
specifically clarify that covered entities that maintain or receive 
Part 2 records would need to provide an NPP that is written in plain 
language and contains the notice's required elements. We also proposed 
to modify 45 CFR 164.520(b)(1)(i) to replace ``medical'' with 
``health'' information.
    The Department also proposed in the 2022 Part 2 NPRM to incorporate 
changes proposed to the NPP requirements in the 2021 Privacy Rule 
NPRM,\405\ such as adding a requirement to include the email address 
for a designated person who would be available to answer questions 
about the covered entity's privacy practices; adding a permission for a 
covered entity to provide information in its NPP concerning the 
individual access right to direct copies of PHI to third parties when 
the PHI is not in an EHR and the ability to request the transmission 
using an authorization; and removing the requirement for a covered 
entity to obtain a written acknowledgment of receipt of the NPP. The 
Department is finalizing certain changes proposed in the 2022 Part 2 
NPRM and the 2023 Privacy Rule NPRM that directly support the two final 
rules.
---------------------------------------------------------------------------

    \405\ 86 FR 6446 (Jan. 21, 2021).
---------------------------------------------------------------------------

    In both the 2022 Part 2 NPRM and 2023 Privacy Rule NPRM, the 
Department proposed to modify 45 CFR 164.520(b)(1)(ii), which requires 
covered entities to describe for individuals the purposes for which a 
covered entity is permitted to use and disclose PHI. Consistent with 
the CARES Act, we proposed in the 2022 Part 2 NPRM to modify paragraph 
(C) to clarify that where uses and disclosures are prohibited or 
materially limited by other applicable law, ``other applicable law'' 
would include Part 2, while the Department proposed to clarify at 
paragraph (D) that the requirement for a covered entity to include in 
the NPP sufficient detail to place an individual on notice of the uses 
and disclosures that are permitted or required by the Privacy Rule and 
other applicable laws, including Part 2.
    The Department further proposed to require in 45 CFR 
164.520(b)(1)(iii), which requires covered entities to include 
descriptions of certain activities in which the covered entity intends 
to engage, in a new paragraph (D) the inclusion of a statement that 
Part 2 records created or maintained by the covered entity will not be 
used in certain proceedings against the individual without the 
individual's written consent or a court order consistent with 42 CFR 
part 2. Additionally, we proposed to require in a new paragraph (E) 
that covered entities that intend to use Part 2 records for fundraising 
include a statement that

[[Page 33046]]

such records may be used or disclosed for fundraising purposes only if 
the individual grants written consent as provided in 42 CFR 2.31.
    In 45 CFR 164.520(b)(1)(v)(C), which addresses a covered entity's 
right to change the terms of its notice, we also proposed to simplify 
and modify the regulatory text to clarify that this right is limited to 
circumstances where such changes are not material or contrary to law. 
The Department also proposed to add a new paragraph (4) to 45 CFR 
164.520(d) to prohibit construing permissions for covered entities 
participating in organized health care arrangements \406\ (OHCAs) to 
disclose PHI between participants as negating obligations relating to 
Part 2 records.
---------------------------------------------------------------------------

    \406\ 45 CFR 160.103 (definition of ``Organized health care 
arrangement'').
---------------------------------------------------------------------------

    The 2023 Privacy Rule NPRM also proposed modifications to the NPP 
requirements.\407\ Specifically, the Department proposed to modify 45 
CFR 164.520(b)(1)(ii) by adding a new paragraph (F) to require a 
covered entity to describe and provide an example of the types of uses 
or disclosures prohibited by 45 CFR 164.502(a)(5)(iii), and to do so in 
sufficient detail for an individual to understand the prohibition. We 
also proposed adding a new paragraph (G) to 45 CFR 164.502(b)(1)(ii) to 
describe each type of use and disclosure for which an attestation is 
required under 45 CFR 164.509, with an example. Additionally, the 
Department requested comment on whether it would benefit individuals 
for the Department to require that covered entities include a statement 
in the NPP that would explain that the recipient of the PHI would not 
be bound by the proposed prohibition because the Privacy Rule would no 
longer apply after PHI is disclosed for a permitted purpose to an 
entity other than a regulated entity (e.g., disclosed to a non-covered 
health care provider for treatment purposes).
---------------------------------------------------------------------------

    \407\ 88 FR 23506, 23539 (Apr. 17, 2023).
---------------------------------------------------------------------------

4. Overview of Public Comments
    We received many comments on the proposed NPP changes in both the 
2022 Part 2 NPRM and the 2023 Privacy Rule NPRM. Some of the comments 
on the 2022 Part 2 NPRM addressed both the NPP and the Patient Notice. 
Comments concerning the Patient Notice are discussed in the 2024 Part 2 
Rule.\408\ Commenters on the NPP proposals in the 2022 Part 2 NPRM 
urged the Department to coordinate revisions to the NPP provisions 
across its proposed and final rules. Commenters also requested guidance 
about their ability to use a single form to satisfy both the NPP and 
Patient Notice requirements. Commenters generally expressed support for 
the Department's proposals to modify 45 CFR 164.520(a) and 
164.520(b)(1) to apply the NPP requirements to certain entities, in 
coordination with changes required by the CARES Act and consistent with 
Part 2.
---------------------------------------------------------------------------

    \408\ 89 FR 12472 (Feb. 16, 2024).
---------------------------------------------------------------------------

    Commenters to the 2022 Part 2 NPRM generally did not express 
opposition to the Department's proposed changes to paragraph (b)(iii) 
of 45 CFR 164.520, although some did request additional guidance. We 
received no comments on our proposed modifications to add a new 
paragraph concerning OHCAs to 45 CFR 164.520(d).
    Most commenters expressed support for the Department's 2023 Privacy 
Rule NPRM proposals to revise the NPP requirements. Many also 
recommended additional modifications to the NPP requirements or 
clarifications to the requirements. Most also recommended that the 
Department add a requirement that NPPs include a statement that would 
explain that the recipient of PHI would not be bound by the proposed 
prohibition because the Privacy Rule would no longer apply after PHI is 
disclosed for a permitted purpose to an entity other than a regulated 
entity (e.g., disclosed to a non-covered health care provider for 
treatment purposes).
5. Final Rule
    The Department published the 2024 Part 2 Rule on February 16, 2024. 
It included modifications to the Patient Notice in 42 CFR 2.22 and 
reserved modifications to the HIPAA NPP for a forthcoming HIPAA rule. 
We address the modifications proposed in the 2022 Part 2 NPRM here, in 
concert with the modifications proposed in the 2023 Privacy Rule NPRM.
    As required by the CARES Act and in alignment with the Privacy 
Rule, we are modifying the NPP provisions in multiple ways. First, we 
are requiring in 45 CFR 164.520(a)(2) that covered entities that create 
or maintain Part 2 records provide notice to individuals of the ways in 
which those covered entities may use and disclose such records, and of 
the individual's rights and the covered entities' responsibilities with 
respect to such records. Second, we are revising 45 CFR 164.520(b)(1) 
to clarify that a covered entity that receives or maintains records 
subject to Part 2 must provide an NPP that is written in plain language 
and that contains the elements required. For clarity, we have reordered 
wording within this paragraph to refer to ``receiving or maintaining'' 
records, rather than ``maintaining or receiving'' records as initially 
proposed.
    Third, the Department is modifying 45 CFR 164.520(b)(1)(ii) to 
revise paragraphs (C) and (D), and to add paragraphs (F), (G), and (H) 
to clarify certain statements and add new statements that must be 
included in an NPP. Consistent with the CARES Act, we are modifying 
paragraph (C) to clarify that where NPP's descriptions of uses or 
disclosures that are permitted for TPO or without an authorization must 
reflect ``other applicable law'' that is more stringent than the 
Privacy Rule, other applicable law includes Part 2. Likewise, we are 
modifying paragraph (D) to clarify that Part 2 is specifically included 
in the ``other applicable law'' referenced in the requirement to 
describe uses and disclosures that are permitted for TPO or without an 
authorization sufficiently to place an individual on notice of the uses 
and disclosures that are permitted or required by the Privacy Rule and 
other applicable law.
    New paragraphs (F) and (G) provide individuals with additional 
information about how their PHI may or may not be disclosed for 
purposes addressed in this rule, furthering trust in the relationship 
between regulated entities and individuals by ensuring that individuals 
are aware that certain uses and disclosures of PHI are prohibited. 
Specifically, paragraph (F) requires that the NPP contain a 
description, including at least one example, of the types of uses and 
disclosures prohibited under 45 CFR 164.502(a)(5)(iii) in sufficient 
detail for an individual to understand the prohibition, while paragraph 
(G) requires that the NPP contain a description, including at least one 
example, of the types of uses and disclosures for which an attestation 
is required under new 45 CFR 164.509.
    Additionally, based on feedback from commenters, we are requiring 
in a new paragraph (H) that covered entities include a statement 
explaining to individuals that PHI disclosed pursuant to the Privacy 
Rule may be subject to redisclosure and no longer protected by the 
Privacy Rule.This will help individuals to make informed decisions 
about to whom they provide access to or authorize the disclosure of 
their PHI.
    Under new paragraph (D) of 45 CFR 164.520(b)(1)(iii), the 
Department is requiring that covered entities provide notice to 
individuals that a Part 2 record, or testimony relaying the content of 
such record, may not be used or disclosed in a civil, criminal, 
administrative, or legislative proceeding against the individual absent 
written

[[Page 33047]]

consent from the individual or a court order, consistent with the 
requirements of 42 CFR part 2.
    The Department is also finalizing a requirement at 45 CFR 
164.520(b)(1)(iii)(E) that a covered entity must provide individuals 
with a clear and conspicuous opportunity to elect not to receive any 
fundraising communications before using Part 2 records for fundraising 
purposes for the benefit of the covered entity.
    Lastly, we are finalizing our proposal to add a new paragraph (4) 
in 45 CFR 164.520(d) regarding joint notice by separate covered 
entities. This modification clarifies that Part 2 requirements continue 
to apply to Part 2 records maintained by covered entities that are part 
of OHCAs.
    We are not finalizing in this rule the proposal to remove the 
exception to the NPP requirements for inmates of correctional 
facilities in this rule because it would be better addressed within the 
context of care coordination.
6. Responses to Public Comments
    Comment: Commenters on both the 2022 Part 2 NPRM and the 2023 
Privacy Rule NPRM urged the Department to coordinate any changes made 
to the NPP provisions based on proposals made in the separate 
rulemakings. According to the commenters, coordinating the changes to 
the NPP requirements would help to ensure consistency, reduce the 
administrative burden on covered entities, and ensure individual 
understanding of the permitted uses and disclosures of their PHI, 
including PHI that is also a Part 2 record. A few commenters on the 
2022 Part 2 NPRM explained the different concerns that updates to the 
NPP pose to covered entities of differing sizes, based on resource 
constraints directly related to their size. Several commenters on the 
2023 Privacy Rule NPRM requested that the Department provide sample 
language and examples or provide an updated model NPP.
    Response: As part of this rulemaking, the Department is finalizing 
modifications to certain NPP requirements that were proposed in the 
2022 Part 2 NPRM and the 2023 Privacy Rule NPRM. Thus, these changes 
serve to implement certain requirements of the CARES Act and to support 
reproductive health care privacy. The Department appreciates the 
recommendations and will consider them for future guidance.
    Comment: A few commenters on the 2022 Part 2 NPRM requested that 
the Department clarify whether they would be permitted to use a single 
document or form when providing notice statements to individuals to 
ensure compliance by regulated entities and understanding of the 
notices by individuals. A few commenters agreed that a single NPP would 
reduce the administrative burden on regulated entities or be the most 
effective way to convey privacy information to individuals and asked 
for confirmation that this was permitted. A commenter requested that 
the Department update the Patient Notice in a manner such that the NPP 
header may be used in the combined notice if they are permitted to use 
a combined NPP/Patient Notice.
    Response: As we have provided previously in guidance on the Privacy 
Rule and Part 2, notices issued by covered entities for different 
purposes may be separate or combined, as long as all of the required 
elements for both are included.\409\ Thus, it is acceptable under both 
the Privacy Rule and Part 2 to meet the notice requirements of the 
Privacy Rule, Part 2, and state law by either providing separate 
notices or combining the required notices into a single notice, as long 
as all of the required elements are included.
---------------------------------------------------------------------------

    \409\ See also 82 FR 6052, 6082-83 (Jan. 18, 2017); Off. for 
Civil Rights, ``Notice of Privacy Practices for Protected Health 
Information,'' U.S. Dep't of Health and Human Servs. (July 26, 
2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html.
---------------------------------------------------------------------------

    Comment: A few commenters on the 2022 Part 2 NPRM and most of the 
commenters on the 2023 Privacy Rule NPRM suggested the proposed 
approach to modifying both the Patient Notice and NPP would bolster 
transparency and the public's understanding of how their health 
information is used or disclosed and collected. Many commenters on the 
2023 Privacy Rule NPRM provided recommendations for ways in which the 
Department could improve the NPP, including requiring that the NPP be 
in plain language.
    Response: The Department appreciates the comments on its proposal 
to modify the NPP to align with changes made in the Patient Notice and 
in support of reproductive health care privacy. The modifications will 
bolster transparency and public understanding of how information is 
used, disclosed, and protected. Covered entities have long been 
required under 45 CFR 164.520(b)(1) to provide an NPP that is written 
in plain language. Discussion of this requirement can be found in the 
preamble to the 2000 Privacy Rule.\410\ The Department's model NPP 
forms, available in both English and Spanish, provide one example of 
how the plain language requirement may be met.\411\As discussed above, 
we are modifying 45 CFR 164.520 to clarify that this requirement 
applies to covered entities that use and disclose Part 2 records. 
Additional resources on writing in plain language can be found at 
https://plainlanguage.gov. Additionally, covered entities are required 
to comply with all Federal nondiscrimination laws, including laws that 
address language access requirements. Information about such 
requirements is available at www.hhs.gov/hipaa.
---------------------------------------------------------------------------

    \410\ 65 FR 82462, 82548-49 (Dec. 28, 2000).
    \411\ Off. for Civil Rights, ``Model Notices of Privacy 
Practices,'' U.S. Dep't of Health and Human Servs. (Apr. 8, 2013), 
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html.
---------------------------------------------------------------------------

    Comment: Commenters expressed concerns about the interplay of the 
Part 2 Patient Notice requirements with the NPP, the burden on covered 
entities to modify the NPP, and including the attestation requirement 
in the NPP.
    Response: We have sought to align the requirements for the Patient 
Notice as closely as possible with the NPP requirements and to modify 
the NPP requirements to allow for a combined Patient Notice and NPP. 
The changes the Department is making to the NPP empower the individual 
and improve health outcomes by improving the likelihood that health 
care providers will make accurate diagnoses and informed treatment 
recommendations to individuals. These changes to the NPP provide the 
individual with clear information and reassurance about their privacy 
rights and their ability to discuss their reproductive health and 
related health care because they inform an individual that their PHI 
may not be used or disclosed for certain purposes prohibited by new 45 
CFR 164.502(a)(5)(iii). As such, the qualitative benefits of providing 
individuals with information about how their PHI may be used and 
disclosed under the Privacy Rule outweigh the quantitative burdens for 
covered entities to revise their NPPs. Accordingly, we are finalizing 
the modifications proposed to the NPP as part of the 2023 Privacy Rule 
NPRM.
    Comment: A majority of the commenters on the 2023 Privacy Rule NPRM 
who expressed support for revising the NPP also recommended that the 
Department require that the NPP include an explanation that the 
prohibition or Privacy Rule generally would no longer apply to PHI that 
has been disclosed for a permitted purpose to a person that is not a 
regulated entity. A few commenters opposed the addition as unnecessary 
or expressed concern about the potential length of the NPP. A

[[Page 33048]]

few of the commenters opposed adding such a statement because they 
believed it could deter individuals from seeking reproductive health 
care, increase individuals' mistrust of health care providers, or not 
add to individuals' understanding of their rights and protections under 
the Privacy Rule.
    Response: In response to comments and in support of transparency 
for individuals, the Department is finalizing a new requirement to 
include in the NPP a statement adequate to put the individual on notice 
of the potential for information disclosed pursuant to the Privacy Rule 
to be subject to redisclosure by the recipient and no longer protected 
by the Privacy Rule. This change will provide additional clarity to 
individuals directly and assist covered entities in explaining the 
limitations of the Privacy Rule to individuals. We believe that any 
concerns about the negative effects of these modifications on length 
are outweighed by their benefits to the individual.
    Comment: Several commenters to the 2023 Privacy Rule NPRM requested 
the Department provide additional time for compliance with the new NPP 
requirements and exercise enforcement discretion for a period of time 
after the compliance date.
    Response: As noted above, we are finalizing certain modifications 
to the NPP provisions that were proposed in the 2022 Part 2 NPRM rule 
and other modifications to the same provisions that were proposed in 
the 2023 Privacy Rule NPRM. To ease the burden on covered entities and 
in compliance with 45 CFR 160.104, the Department is finalizing a 
compliance date of February 16, 2026, for the NPP provisions. The 
rationale for this compliance date is discussed in greater detail in 
the discussion of Effective and Compliance Dates.

F. Section 164.535--Severability

    In the NPRM, the Department included a discussion of severability 
that explained how we believed the proposed rule should be interpreted 
if any provision was held to be invalid or facially unenforceable. We 
are finalizing a new 45 CFR 164.535 to codify this interpretation. The 
Department intends that, if a specific regulatory provision in this 
rule is found to be invalid or unenforceable, the remaining provisions 
of the rule will remain in effect because they would still function 
sensibly.
    For example, the changes this final rule makes to the NPP 
requirements in 45 CFR 164.520 (including the changes finalizing 
proposals from the 2022 Part 2 NPRM) shall remain in full force and 
effect to the extent that they are not directly related to a provision 
in this rulemaking that is held to be invalid or unenforceable such 
that notice of that provision is no longer necessary. Conversely, if 
the NPP requirements are held to be invalid or unenforceable, the other 
modifications shall remain in full force and effect to the extent that 
they are not directly related to the NPP requirements.
    As another example, we also intend that the revision in 45 CFR 
160.103 to the definition of ``person'' shall remain in full force and 
effect if any other provision is held to be invalid or unenforceable 
because the new modified definition is not solely related to supporting 
reproductive health care privacy and is consistent with the 
Department's longstanding interpretation of the term and with regulated 
entities' current understanding and practices.
    Similarly, we are finalizing technical corrections to the heading 
at 45 CFR 164.512(c) and a clarifying revision at 45 CFR 164.512(f) 
regarding the permission for disclosures based on administrative 
processes. Those changes are intended to remain in full force and 
effect even if other parts of this final rule are held to be invalid or 
unenforceable.
    As another example, we also intend, if the addition in 45 CFR 
160.103 of the definition of ``public health,'' as used in the terms 
``public health surveillance,'' ``public health investigation,'' and 
``public health intervention'' is held to be invalid and unenforceable, 
the other modifications to the rules shall remain in full force and 
effect to the extent that they are not directly related to the 
definition of public health.
    We further intend that if the rule is held to be invalid and 
unenforceable with respect to its application to some types of health 
care, it should be upheld with respect to other types (e.g., pregnancy 
or abortion-related care).
    We also intend that any provisions of the Privacy Rule that are 
unchanged by this final rule shall remain in full force and effect if 
any provision of this final rule is held to be invalid or 
unenforceable.
    These examples are illustrative and not exhaustive.
    We received no comments on the language addressing severability in 
the 2023 Privacy Rule NPRM.

G. Comments on Other Provisions of the HIPAA Rules

    Comment: A few commenters expressed concerns that the Department 
may grant exceptions to preemption and recommended that the Department 
clarify the standards for which exceptions to preemption would be made 
and consider strengthening these standards wherever possible or remove 
the potential for exceptions entirely.
    One commenter expressed concern that the proposed rule could 
dissuade regulated entities from providing de-identified data for 
research, while another commenter recommended that the Department 
prohibit the sharing of de-identified reproductive health care data 
except in limited circumstances to prevent the re-identification of 
reproductive health data by third parties, such as law enforcement or 
data brokers
    Response: The process for requesting exceptions to preemption and 
the standards for granting such requests are at 45 CFR 160.201 et seq. 
We did not propose any modifications to these provisions as part of the 
2023 Privacy Rule NPRM, and as such, do not finalize modifications in 
this final rule.
    The Department does not believe that this final rule will dissuade 
regulated entities from providing de-identified data for research or 
other purposes. Under the Privacy Rule, health information that meets 
the standard and implementation specifications for de-identification 
under 45 CFR 164.514 is considered not to be IIHI.\412\ HIPAA confers 
on the Department the authority to set standards for the privacy of 
IIHI, including for de-identification. We did not propose to modify the 
de-identification standard as part of the 2023 Privacy Rule NPRM, and 
as such, do not finalize modifications in this final rule.
---------------------------------------------------------------------------

    \412\ 45 CFR 164.502(d)(2).
---------------------------------------------------------------------------

    Comment: A commenter posited that the proposed rule's preemption of 
contrary state laws was not sufficiently clear and recommended that the 
Department reinforce the preemption provision in the final rule.
    Response: The Department did not propose changes to the preemption 
provisions of the HIPAA Rules, which are based in statute,\413\ and 
believes that the provisions, in combination with our discussion of 
preemption in the preamble, are sufficient.
---------------------------------------------------------------------------

    \413\ See 45 CFR part 160, subpart B--Preemption of State Law.
    \414\ 58 FR 51735 (Oct. 4, 1993).
---------------------------------------------------------------------------

VI. Regulatory Impact Analysis

A. Executive Order 12866 and Related Executive Orders on Regulatory 
Review

    The Department of Health and Human Services (HHS or ``Department'') 
has examined the effects of this final rule under Executive Order 
(E.O.) 12866, Regulatory Planning and Review,\414\ as

[[Page 33049]]

amended by E.O. 14094,\415\ E.O. 13563, Improving Regulation and 
Regulatory Review,\416\ the Regulatory Flexibility Act \417\ (RFA), and 
the Unfunded Mandates Reform Act of 1995 \418\ (UMRA). E.O.s 12866 and 
13563 direct the Department to assess all costs and benefits of 
available regulatory alternatives and, when regulation is necessary, to 
select regulatory approaches that maximize net benefits (including 
potential economic, environmental, public health and safety, and other 
advantages; distributive effects; and equity). This final rule is 
significant under section 3(f)(1) of E.O. 12866, as amended.
---------------------------------------------------------------------------

    \415\ 88 FR 21879 (Apr. 11, 2023).
    \416\ 76 FR 3821 (Jan. 21, 2011).
    \417\ Public Law 96-354, 94 Stat. 1164 (codified at 5 U.S.C. 
601-612).
    \418\ Public Law 104-4, 109 Stat. 48 (codified at 2 U.S.C. 
1501).
---------------------------------------------------------------------------

    The RFA requires us to analyze regulatory options that would 
minimize any significant effect of a rule on small entities. As 
discussed in greater detail below, this analysis concludes, and the 
Secretary certifies, that the rule will not result in a significant 
economic effect on a substantial number of small entities.
    The UMRA (section 202(a)) generally requires us to prepare a 
written statement, which includes an assessment of anticipated costs 
and benefits, before proposing ``any rule that includes any Federal 
mandate that may result in the expenditure by State, local, and tribal 
governments, in the aggregate, or by the private sector, of 
$100,000,000 or more (adjusted annually for inflation) in any 1 year.'' 
\419\ The current threshold after adjustment for inflation is $177 
million, using the most current (2023) Implicit Price Deflator for the 
Gross Domestic Product. UMRA does not address the total cost of a rule. 
Rather, it focuses on certain categories of cost, mainly Federal 
mandate costs resulting from imposing enforceable duties on state, 
local, or Tribal governments or the private sector; or increasing the 
stringency of conditions in, or decreasing the funding of, state, 
local, or Tribal governments under entitlement programs. This final 
rule imposes mandates that would result in the expenditure by state, 
local, and Tribal governments, in the aggregate, or by the private 
sector, of more than $177 million in any one year. The impact analysis 
in this final rule addresses such effects both qualitatively and 
quantitatively. In general, each regulated entity, including government 
entities that meet the definition of covered entity (e.g., state 
Medicaid agencies), is required to adopt new policies and procedures 
for responding to requests for the use or disclosure of protected 
health information (PHI) for which an attestation is required and to 
train its workforce members on the new requirements. Additionally, 
although the Department has not quantified the costs, state, local, and 
Tribal law enforcement agencies must analyze requests that they 
initiate for the use or disclosure of PHI and provide regulated 
entities with an attestation that the request is not for a prohibited 
purpose in instances where the request is made for health oversight 
activities, judicial and administrative proceedings, law enforcement 
purposes, or about decedents to coroners and medical examiners, and is 
for PHI potentially related to reproductive health care. One-time costs 
for all regulated entities to change their policies will increase costs 
above the UMRA threshold in one year. The Department initially 
estimated that ongoing expenses for the new attestation condition would 
not increase significantly, but we sought additional data to inform our 
estimates. Although Medicaid makes Federal matching funds available for 
states for certain administrative costs, these are limited to costs 
specific to operating the Medicaid program. There are no Federal funds 
directed at Health Insurance Portability and Accountability Act of 1996 
(HIPAA) compliance activities.
---------------------------------------------------------------------------

    \419\ Id. at sec. 202 (codified at 2 U.S.C. 1532(a)).
---------------------------------------------------------------------------

    Pursuant to Subtitle E of the Small Business Regulatory Enforcement 
Fairness Act of 1996,\420\ the Office of Management and Budget's 
(OMB's) Office of Information and Regulatory Affairs has determined 
that this final rule meets the criteria set forth in 5 U.S.C. 804(2) 
because it is projected to have an annualized effect on the economy of 
more than $100,000,000. Because of the large number of covered entities 
that are subject to this final rule and the large number of individuals 
with health plan coverage, any rule modifying the HIPAA Privacy Rule 
that requires updating policies and procedures and the Notice of 
Privacy Practices (NPP) and distributing the NPP to a percentage of 
individuals is likely to meet the threshold in 5 U.S.C. 804(2).
---------------------------------------------------------------------------

    \420\ Also referred to as the Congressional Review Act, 5 U.S.C. 
801 et seq.
---------------------------------------------------------------------------

    The Justification for this Rulemaking and Summary of Final Rule 
Provisions section at the beginning of this preamble contain a summary 
of this rule and describe the reasons it is needed. The Department 
presents a detailed analysis below.
1. Summary of Costs and Benefits
    The Department identified six general categories of quantifiable 
costs arising from these proposals: (1) responding to requests for the 
use or disclosure of PHI for which an attestation is required; (2) 
revising business associate agreements; (3) updating the NPP and 
posting it online; (4) developing new or modified policies and 
procedures; (5) revising training programs for workforce members; and 
(6) requesting an exception from HIPAA's general preemption authority. 
The first five categories apply primarily to covered entities, while 
the sixth category applies to states and other interested persons.
    The Department estimates that the first-year costs attributable to 
this final rule total approximately $595.0 million. These costs are 
associated with covered entities responding to requests for the use or 
disclosure of PHI that are conditioned upon an attestation; revising 
business associate agreements; revising policies and procedures; 
updating, posting, and mailing the NPP; and revising training programs 
for workforce members, and with states or other persons requesting 
exceptions from preemption. These costs also include increased 
estimates for wages, postage, and the number of NPPs distributed by 
health plans as compared to the baseline of existing annual cost and 
burden estimates for these activities in the approved HIPAA information 
collection. For years two through five, estimated annual costs of 
approximately $20.9 million are attributable to ongoing costs related 
to the attestation requirement. Table 1 reports the present value and 
annualized estimates of the costs of this final rule covering a 5-year 
time horizon. Using a 7% discount rate, the Department estimates this 
final rule will result in annualized costs of $151.8 million; and using 
a 3% discount rate, these annualized costs are $142.6 million.

[[Page 33050]]



                                  Table 1--Accounting Table, Costs of the Rule
                                                  [$ Millions]
----------------------------------------------------------------------------------------------------------------
                                                      Primary                      Discount rate
                      Costs                          estimate      Year dollars         (%)       Period covered
----------------------------------------------------------------------------------------------------------------
Present Value...................................          $678.6            2022    Undiscounted       2024-2028
Present Value...................................           622.3            2022               7       2024-2028
Present Value...................................           653.1            2022               3       2024-2028
Annualized......................................           151.8            2022               7       2024-2028
Annualized......................................           142.6            2022               3       2024-2028
----------------------------------------------------------------------------------------------------------------

    The changes to the Privacy Rule will likely result in important 
benefits and some costs that the Department is unable to fully quantify 
at this time. As explained further below, unquantified benefits include 
improved trust and confidence between individuals and health care 
providers; enhanced privacy and improved access to reproductive health 
care and information, which may prevent increases in maternal mortality 
and morbidity; increased accuracy and completeness in patient medical 
records, which may prevent poor health outcomes; enhanced support for 
survivors of rape, incest, and sex trafficking; and maintenance of 
family economic stability by allowing families to determine the timing 
and spacing of whether or when to be pregnant. Additionally, allowing 
regulated entities to accept an attestation for requests for the use or 
disclosure of PHI potentially related to reproductive health care, and 
to presume that reproductive health care provided by another person was 
lawful under the circumstances it was provided, will reduce potential 
liability for regulated entities by providing some assurance with 
respect to whether the requested disclosure is prohibited.

   Table 2--Potential Non-Quantified Benefits for Covered Entities and
                               Individuals
------------------------------------------------------------------------
                                Benefits
-------------------------------------------------------------------------
Improve access to complete information about lawful reproductive health
 care options, including for individuals who are pregnant or considering
 a pregnancy (i.e., improve health literacy), by reducing concerns about
 disclosure of PHI.
Maintain or reduce levels of maternal mortality and morbidity by
 ensuring that individuals and their clinicians can freely communicate
 and have access to complete information needed for quality lawful
 health care, including coordination of care.
Decrease barriers to accessing prenatal health care by maintaining
 privacy for individuals who seek a complete range of lawful
 reproductive health care options.
Enhance mental health and emotional well-being of pregnant individuals
 by reducing fear of potential disclosures of their PHI to investigate
 or impose liability on a person for the mere act of seeking, obtaining,
 providing, or facilitating lawful health care.
Improve or maintain trust between individuals and health care providers
 by reducing the potential for health care providers to report PHI in a
 manner that could harm the individuals' interests.
Prevent or reduce re-victimization of pregnant individuals who have
 survived rape or incest by protecting their PHI from undue scrutiny.
Improve or maintain families' economic well-being by not exposing
 individuals or their family members to costly investigations or
 activities to impose liability for seeking, obtaining or facilitating
 lawful reproductive health care.
Maintain the economic well-being of regulated entities by not exposing
 regulated entities or workforce members to costly investigations or
 activities to impose liability on them for engaging in lawful
 activities.
Ensure individuals' ability to obtain full and complete information and
 make lawful decisions concerning fertility- or infertility-related
 health care that may include selection or disposal of embryos without
 risk of PHI disclosure for criminal, civil, or administrative
 investigations or activities to impose liability for engaging in lawful
 activities.
------------------------------------------------------------------------

    The Department also recognizes that there may be some costs that 
are not readily quantifiable, notably, the potential burden on persons 
requesting PHI to investigate or impose liability on persons for 
seeking, obtaining, providing, or facilitating reproductive health care 
that is not lawful under the circumstances in which such health care is 
provided. As discussed elsewhere in this final rule, we acknowledge 
that, in certain limited circumstances, the final rule may, prevent 
persons from obtaining an individual's PHI, such as where the request 
is directed to the health care provider that provided the reproductive 
health care and that health care provider reasonably determines that 
such health care was provided lawfully. However, the existing 
permission for disclosures for law enforcement does not create a 
mandate for disclosure to law enforcement agencies. Rather, it 
establishes the conditions under which a regulated entity may disclose 
PHI if it so chooses. Accordingly, consistent with how the Privacy Rule 
has operated since its inception, persons whose requests for PHI are 
declined by regulated entities may incur additional costs if they 
choose to pursue their investigations through other methods and obtain 
evidence from non-covered entities. We have not previously quantified 
the costs to such persons for obtaining an individual's PHI, such as 
where a law enforcement official is required to prepare a formal 
administrative request or obtain a qualified protective order and we do 
not do so here. We do not view the attestation requirement as changing 
this calculus and have designed the attestation to impose a minimal 
burden on requests for PHI related to lawful conduct by health care 
providers by offering a model attestation form. Despite the minimal 
formality of providing a signed attestation, some state law enforcement 
agencies may experience the requirement as a burden, and we acknowledge 
that potential as a non-quantifiable cost.
2. Baseline Conditions
    The Privacy Rule, in conjunction with the Security and Breach 
Notification Rules, protects the privacy and security of individuals' 
PHI, that is, individually identifiable health information (IIHI) 
transmitted by or maintained in electronic media or any other form or

[[Page 33051]]

medium, with certain exceptions. It limits the circumstances under 
which regulated entities are permitted or required to use or disclose 
PHI and requires covered entities to have safeguards in place to 
protect the privacy of PHI. The Privacy Rule also establishes certain 
rights for individuals with respect to their PHI and sets limits and 
conditions on the uses and disclosures that may be made of such 
information without an individual's authorization.
    As explained in the preamble, the Department has the authority 
under HIPAA to modify the Privacy Rule to prohibit the use or 
disclosure of PHI for activities to conduct a criminal, civil, or 
administrative investigation into or impose criminal, civil, or 
administrative liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating reproductive health care that is 
lawful under the circumstances in which it was provided, as well as to 
identify any person for the purpose of initiating such activities. The 
Privacy Rule has been modified several times since it was first issued 
in 2000 to address statutory requirements, changed circumstances, and 
concerns and issues raised by stakeholders regarding the effects of the 
Privacy Rule on regulated entities, individuals, and others. Recently, 
as the preamble discusses, changed circumstances resulting from new 
inconsistencies in the regulation of reproductive health care 
nationwide and the negative effects on individuals' expectations for 
privacy and their relationships with their health care providers, as 
well as the additional burdens imposed on regulated entities, require 
the modifications made by this final rule.
    For purposes of this Regulatory Impact Analysis (RIA), this final 
rule adopts the list of covered entities and cost assumptions 
identified in the Department's 2023 Information Collection Request 
(ICR).\421\ The Department also relies on certain estimates and 
assumptions from the 1999 Privacy Rule NPRM \422\ that remain relevant, 
and the 2013 Omnibus Rule,\423\ as referenced in the analysis that 
follows.
---------------------------------------------------------------------------

    \421\ 88 FR 3997 (Jan. 23, 2023).
    \422\ 64 FR 59918 (Nov. 3, 1999).
    \423\ 78 FR 5566 (Jan. 25, 2013).
---------------------------------------------------------------------------

    The Department quantitatively analyzes and monetizes the effect 
that this final rule may have on regulated entities' actions to: revise 
business associate agreements between covered entities and their 
business associates, including release-of-information contractors; 
create new forms; respond to certain types of requests for PHI; update 
their NPPs; adopt policies and procedures to implement the requirements 
of this final rule; and train their employees on the updated policies 
and procedures. The Department analyzes the remaining benefits and 
burdens qualitatively because of the uncertainty inherent in predicting 
other concrete actions that such a diverse scope of regulated entities 
might take in response to this rule.
Analytic Assumptions
    The Department bases its assumptions for calculating estimated 
costs and benefits on several publicly available datasets, including 
data from the U.S. Census, the U.S. Department of Labor, Bureau of 
Labor Statistics, Centers for Medicare & Medicaid Services, and the 
Agency for Healthcare Research and Quality. For the purposes of this 
analysis, the Department assumes that benefits plus indirect costs 
equal approximately 100 percent of pre-tax wages and adjusts the hourly 
wage rates by multiplying by two, for a fully loaded hourly wage rate. 
The Department adopts this as the estimate of the hourly value of time 
for changes in time use for on-the-job activities.
    Implementing the regulatory changes likely will require covered 
entities to engage workforce members or consultants for certain 
activities. The Department assumes that a lawyer will draft or review 
the new attestation form, revisions to business associate agreements, 
revisions to the NPP, and required changes to HIPAA policies and 
procedures. The Department expects that a training specialist will 
revise the necessary HIPAA training and that a web designer will post 
the updated NPP. The Department further anticipates that a workforce 
member at the pay level of medical records specialist will confirm 
receipt of required attestations. To the extent that these assumptions 
affect the Department's estimate of costs, the Department solicited 
comment on its assumptions, particularly assumptions in which the 
Department identifies the level of workforce member (e.g., clerical 
staff, professional) that will be engaged in activities and the amount 
of time that particular types of workforce members spend conducting 
activities related to this RIA as further described below. Table 3 also 
lists pay rates for occupations referenced in the explanation of 
estimated information collection burdens in Section F of this RIA and 
related tables.
    The Department received several comments about the occupations 
engaged in certain activities and the time burden associated with them. 
We reviewed these submissions and used the provided information to 
revise the estimate for the cost of processing requests for the use or 
disclosure of PHI that require an attestation. For more details, please 
see the sections discussing the costs of the rule below.
    The Department received no comment on the hourly value of time; 
therefore, we retain all relevant assumptions laid out in the 2023 
Privacy Rule NPRM, as described above (see Table 3 for a list of 
occupations and corresponding wages).\424\
---------------------------------------------------------------------------

    \424\ For each occupation performing activities as a result of 
the final rule, the Department identifies a pre-tax hourly wage 
using a database maintained by the Bureau of Labor Statistics. See 
U.S. Dep't of Labor, ``Occupational Employment and Wages'' (May 
2022), https://www.bls.gov/oes/current/oes_nat.htm.

[[Page 33052]]



                     Table 3--Occupational Pay Rates
------------------------------------------------------------------------
                                            Mean hourly    Fully loaded
        Occupation code and title              wage         hourly wage
------------------------------------------------------------------------
00-0000 All Occupations.................          $29.76          $59.52
43-3021 Billing and Posting Clerks......           21.54           43.08
29-0000 Healthcare Practitioners and               46.52           93.04
 Technical Occupations..................
29-9021 Health Information Technologists           31.38           62.76
 and Medical Registrars.................
29-9099 Healthcare Practitioners and               32.78           65.56
 Technical Workers, All Other...........
15-1212 Information Security Analysts...           57.63          115.26
23-1011 Lawyers.........................           78.74          157.48
13-1111 Management Analysts.............           50.32          100.64
11-9111 Medical and Health Services                61.53          123.06
 Manager................................
29-2072 Medical Records Specialist......           24.56           49.12
43-0000 Office and Administrative                  21.90           43.80
 Support Occupations....................
11-2030 Public Relations and Fundraising           68.56          137.12
 Managers...............................
13-1151 Training and Development                   33.59           67.18
 Specialist.............................
43-4171 Receptionists and Information              16.64           33.28
 Clerks.................................
15-1255 Web and Digital Interface                  48.91           97.82
 Designers..............................
------------------------------------------------------------------------

    The Department assumes that most covered entities will be able to 
incorporate changes to their workforce training into existing HIPAA 
training programs rather than conduct a separate training because the 
total time frame for compliance from date of finalization would be 240 
days.\425\
---------------------------------------------------------------------------

    \425\ This includes 60 days from publication of a final rule to 
the effective date and an additional 180 days until the compliance 
date.
---------------------------------------------------------------------------

Covered Entities Affected
    The Department received no substantive comments on the number or 
type of HIPAA covered entities affected by this rule; therefore, we 
retain the methodology and entity estimates as described in the 2023 
Privacy Rule NPRM and the baseline conditions section above.
    To the extent that covered entities engage business associates to 
perform activities under the rule, the Department assumes that any 
additional costs will be borne by the covered entities through their 
contractual agreements with business associates. The Department's 
estimate that each revised business associate agreement will require no 
more than 1 hour of a lawyer's labor assumes that the hourly burden 
could be split between the covered entity and the business associate. 
Thus, the Department calculated estimated costs based on the potential 
number of business associate agreements that will be revised rather 
than the number of covered entities or business associates with revised 
business associate agreements.
    The Department requested data on the number of business associates 
(which may include health care clearinghouses acting in their role as 
business associates of other covered entities) that would be affected 
by the rule and the extent to which they may experience costs or other 
burdens not already accounted for in the estimates of burdens for 
revising business associate agreements. The Department also requested 
comment on the number of business associate agreements that would need 
to be revised, if any. We did not receive any actionable comments on 
the number of affected business associates, the number of business 
associate agreements, or any specific costs that business associates 
might bear. For more details, see the section on business associate 
agreements below.
    The Department requested public comment on these estimates, 
including estimates for third party administrators and pharmacies where 
the Department has provided additional explanation. The Department 
additionally requested detailed comment on any situations, other than 
those identified here, in which covered entities would be affected by 
this rulemaking. We did not receive any substantive comments related to 
these issues.

                             Table 4--Estimated Number and Type of Covered Entities
----------------------------------------------------------------------------------------------------------------
                                                Covered entities
-----------------------------------------------------------------------------------------------------------------
              NAICS code                           Type of entity                  Firms        Establishments
----------------------------------------------------------------------------------------------------------------
524114...............................  Health and Medical Insurance Carriers             880               5,379
524292...............................  Third Party Administrators...........             456                 783
622..................................  Hospitals............................           3,293               7,012
44611................................  Pharmacies...........................          19,540          \a\ 67,753
6211-6213............................  Office of Drs. & Other Professionals.         433,267             505,863
6215.................................  Medical Diagnostic & Imaging.........           7,863              17,265
6214.................................  Outpatient Care......................          16,896              39,387
6219.................................  Other Ambulatory Care................           6,623              10,059
623..................................  Skilled Nursing & Residential                  38,455              86,653
                                        Facilities.
6216.................................  Home Health Agencies.................          21,829              30,980
532283...............................  Home Health Equipment Rental.........             611               3,197
                                                                             -----------------------------------
    Total............................                                                549,713             774,331
----------------------------------------------------------------------------------------------------------------
\a\ Number of pharmacy establishments is taken from industry statistics.


[[Page 33053]]

Individuals Affected
    The Department believes that the population of individuals 
potentially affected by the rule is approximately 76 million 
overall,\426\ representing nearly one-fourth of the U.S. population, 
including approximately 6 million pregnant individuals annually and an 
unknown number of individuals facing a potential pregnancy or pregnancy 
risk due to sexual activity, contraceptive avoidance or failure, rape 
(including statutory rape), and incest. According to Federal data, 78 
percent of sexually active females received reproductive health care in 
2015-2017.\427\
---------------------------------------------------------------------------

    \426\ See U.S. Census Bureau, American Community Survey S0101, 
AGE AND SEX 2022: ACS 5-Year Estimates Subject Tables (females aged 
10-44), https://data.census.gov/table/ACSST1Y2022.S0101. The U.S. 
Census Bureau uses the term ``sex'' to equate to an individual's 
biological sex. ``Sex--Definition,'' U.S. Census Bureau (accessed 
Mar. 20, 2024), https://www.census.gov/glossary/?term=Sex.
    \427\ See ``Reproductive and Sexual Health,'' Sexually active 
females who received reproductive health services (FP-7.1), 
Healthypeople.gov, https://wayback.archive-it.org/5774/20220415172039/https:/www.healthypeople.gov/2020/leading-health-indicators/2020-lhi-topics/Reproductive-and-Sexual-Health/data.
---------------------------------------------------------------------------

    The Department received comments related to the number of 
individuals affected by the rule, some of which are summarized below. 
One commenter asserted that the Department had overestimated the number 
of affected individuals and urged reducing the estimate to 78 percent 
of sexually active females (52.72 million). The same commenter also 
argued that even this revised number might be an overestimate, and that 
the number of individuals directly affected by the rule would be closer 
to 50,400 a year. Another commenter suggested that the number of 
individuals potentially affected by the proposed rule is much larger 
than the estimate and that the estimate should include any individual 
who was ever capable of bearing children and their family members.
    Another commenter asserted that the Department was underestimating 
the number of individuals that would be affected by the proposed rule 
but did not include an estimate of their own.
    After reviewing the comments, the Department is finalizing the 
estimates of the number of individuals that will be affected by this 
final rule as described above, which includes updates for 2022 data. 
The Department considers a key category of individuals affected by this 
final rule those who have the potential to become pregnant because 
pregnancies may occur and result in a need for reproductive health care 
nationwide. Pregnancy, concern about potential pregnancy, and the need 
for reproductive health care do not recognize state boundaries or 
regulatory timelines.
    Commenters recommended data points above and below the Department's 
proposed estimate of 74 million affected individuals. We believe that 
the number of affected individuals is far greater than the total who 
are survivors of sexual assault or sex trafficking (as recommended by a 
commenter), yet less than the number of all individuals who have ever 
been of childbearing age and their family members (as recommended by 
another commenter). We recognize that the age range for the proposed 
estimate of females, 10-44, imperfectly reflects the number of females 
of childbearing age; however, the number of females over age 44 who 
could become pregnant may be offset by the number of females aged 10-13 
who are not yet capable of childbearing. We use the number of females 
of potentially childbearing age as a proxy for the number of 
individuals affected by the final rule as shown in Table 5 below.
---------------------------------------------------------------------------

    \428\ See American Community Survey S0101, AGE AND SEX 2022: ACS 
5-Year Estimates Subject Tables (females aged 10-44), supra note 
427.

            Table 5--Estimated Number of Individuals Affected
------------------------------------------------------------------------
                                                          Population
    Females of potentially childbearing age \428\          estimate
------------------------------------------------------------------------
10 to 14 years......................................          10,327,799
15 to 19 years......................................          10,618,136
20 to 24 years......................................          10,957,463
25 to 29 years......................................          10,762,368
30 to 34 years......................................          11,440,546
35 to 39 years......................................          11,013,337
40 to 44 years......................................          10,771,942
                                                     -------------------
    Total...........................................          75,891,591
------------------------------------------------------------------------

3. Costs of the Rule
    Below, the Department provides the basis for its estimated 
quantifiable costs resulting from the changes to specific provisions of 
the Privacy Rule. Many of the estimates are based on assumptions formed 
through the Office for Civil Rights' (OCR's) experience with its 
compliance and enforcement program and accounts from stakeholders 
received at outreach events. The Department has quantified recurring 
burdens for this final rule for obtaining an attestation from a person 
requesting the use or disclosure of PHI potentially related to 
reproductive health care for health oversight activities, judicial and 
administrative proceedings, law enforcement purposes, and about 
decedents to coroners or medical examiners.
    The Department requested information or data points from commenters 
to further refine its estimates and assumptions. We examine the most 
substantive comments received in the cost section below. Additionally, 
we received comments that are also discussed below on topics that are 
not directly addressed in the cost section.
    A commenter asserted that the Department did not account for the 
additional costs associated with major depressive disorders that would 
arise from the increase in abortions due to the rule. The Department 
does not believe that is a valid benchmark for the effects of this 
final rule, in part because we reject the premise, which is not backed 
by medical evidence or data, that this final rule will result in an 
increase in pregnancy terminations or depression.\429\ Further, 
researchers have raised numerous concerns about the methodology of the 
2011 study cited in

[[Page 33054]]

the comment.\430\ Accordingly, we are not including the costs 
associated with treatment of depression in the cost section.
---------------------------------------------------------------------------

    \429\ See M. Antonia Biggs et al., ``Women's Mental Health and 
Well-being 5 Years After Receiving or Being Denied an Abortion: A 
Prospective, Longitudinal Cohort Study,'' 74(2) JAMA Psychiatry 169, 
177 (2017), https://jamanetwork.com/journals/jamapsychiatry/fullarticle/2592320. See also Julia R. Steinberg et al., ``The 
association between first abortion and first-time non-fatal suicide 
attempt: a longitudinal cohort study of Danish population 
registries,'' 6(12) The Lancet Psychiatry 1031-1038 (Dec. 2019).
    \430\ See Julia R. Steinberg et al., ``Fatal flaws in a recent 
meta-analysis on abortion and mental health,'' 86(5) Contraception 
430-7 (Nov. 2012), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3646711/ (discussing errors and significant shortcomings of the 
studies included in the 2011 meta-analysis that render its 
conclusions invalid).
---------------------------------------------------------------------------

a. Costs Associated With Requests for Exception From Preemption
    The Department anticipates that states with laws that restrict 
access to reproductive health care are likely to seek an exception to 
the requirements of this final rule that preempt state law. Given the 
pace at which state laws governing access to reproductive health care 
are changing, the Department is finalizing its proposed estimate that a 
potential increase of 26 states \431\ will incur costs to develop a 
request to except a provision of state law from HIPAA's general 
preemption authority to submit to the Secretary.\432\ Based on existing 
burden estimates for this activity,\433\ the Department is finalizing 
its estimate that each exception request will require approximately 16 
hours of labor at the rate of a general health care practitioner and 
that approximately 26 states will make such requests. Thus, the 
Department estimates that states will spend a total of 416 hours 
requesting exception from preemption and monetize this as a one-time 
cost of $38,705 [= 16 x 26 x $93.04].
---------------------------------------------------------------------------

    \431\ See Lawrence O. Gostin et al., ``One Year After Dobbs--
Vast Changes to the Abortion Legal Landscape,'' 4(8) JAMA Health 
Forum (2023), https://jamanetwork.com/journals/jama-health-forum/fullarticle/2808205 (counting 21 states with post-Dobbs limits that 
are more restrictive than Roe v. Wade allowed) and Laura Deal, 
``State Laws Restricting or Prohibiting Abortion,'' Congressional 
Research Service (Jan. 22, 2024), https://crsreports.congress.gov/product/pdf/R/R47595. Because of the pace of change in this area, 
the Department relies on a higher number than JAMA's 2023 figure as 
a basis for its cost estimates.
    \432\ See 45 CFR 160.201 et seq. for information about 
exceptions to HIPAA's general preemption authority and the process 
for requesting such an exception and the criteria for granting it.
    \433\ ``Information Collection: Process for Requesting Exception 
Determinations (states or persons),'' U.S. Gen. Servs. Admin. & Off. 
of Mgmt. and Budget, https://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=201909-0945-001&icID=10428.
---------------------------------------------------------------------------

b. Estimated Costs From Adding a Requirement for an Attestation for 
Disclosures for Certain Purposes
    Multiple commenters asserted that the projected attestation cost in 
the proposed rule was incorrect and underestimated the true cost of 
implementing the proposed requirement. One commenter asserted that the 
proposed rule underestimated the time to review medical records for PHI 
about reproductive health care and recommended that it be increased 
significantly. The same commenter also suggested that the Department 
adopt a requirement to obtain an individual's authorization, instead of 
an attestation, because it would reduce costs. Other commenters 
asserted that the proposed cost estimates for the attestation 
requirement did not account for associated administrative burdens, 
urged the Department to require an attestation for every request for 
PHI to decrease overall costs by establishing a procedural norm, or 
requested that the Department provide grants and trainings to regulated 
entities to offset the costs of the attestation provision. Finally, 
another commenter requested that the Department release a model 
attestation form to decrease the cost burden for covered entities.
    A few commenters asserted that the Department mis-identified the 
types of staff that would performing specific components of the 
attestation requirement. One posited that both a lawyer and a medical 
professional would need to review medical records for the use or 
disclosure of PHI in response to the proposed revisions to the Privacy 
Rule. Another asserted that the person reviewing PHI in response to a 
request for the use or disclosure of PHI would be a medical records 
clerk.
    The Department has modified the attestation requirement in response 
to public comments. As discussed above, this final rule requires 
regulated entities to obtain an attestation that the request for the 
use or disclosure of PHI is not for a purpose prohibited by 45 CFR 
164.502(a)(5)(iii) when the request is for certain purposes (health 
oversight activities, judicial and administrative proceedings, law 
enforcement purposes, and about decedents to coroners and medical 
examiners) and is for PHI potentially related to reproductive health 
care. Where the request is for a purpose that implicates 45 CFR 
164.502(a)(5)(iii) and the reproductive health care was provided by 
someone other than the regulated entity that received the request, such 
health care is presumed lawful under the circumstances in which it was 
provided unless the conditions of 45 CFR 164.502(a)(5)(iii)(C) are met. 
We expect the presumption of lawfulness to lower the burden for 
regulated entities to process requests for the use or disclosure of PHI 
for which an attestation is required; however, we also acknowledge that 
the proposed estimate did not fully represent the number of likely 
requests for the use or disclosure of PHI. The Department declines to 
require a valid authorization for these requests, as opposed to an 
attestation, and no grants to offset costs will be needed because of 
the lower estimated burden per request. The revised cost estimates 
include review of each request for the use or disclosure of PHI for 
health oversight activities, judicial and administrative proceedings, 
law enforcement purposes, and about decedents to coroners and medical 
examiners, to determine if an attestation has been provided and 
administrative burdens associated with obtaining the attestation.
    This final rule necessitates that regulated entities establish a 
process for responding to requests for the use or disclosure of PHI for 
which an attestation is required, such as reviewing and screening 
requests that are not accompanied by a valid authorization and are not 
a right of access request. We anticipate that across all regulated 
entities, this final rule will result in approximately 2,794,201 
requests that regulated entities need to review in connection with the 
permissions under 45 CFR 164.512(d)-(g)(1). The Department estimates 5 
minutes of average processing time per attestation based on the average 
wage of a mix of several occupations: medical and health services 
managers, medical records specialists, and health practitioners.\434\ 
For example, a medical records specialist may forward certain requests 
for the use or disclosure of PHI (for health oversight activities, 
judicial and administrative proceedings, law enforcement purposes, and 
about decedents to coroners and medical examiners) to a manager to 
review whether the request pertains to the lawfulness of reproductive 
health care. A health practitioner may review a number of records 
subject to a request for whether they contain PHI potentially related 
to reproductive health care. We calculate the annual cost for initial 
processing of the estimated 2,794,201 requests requiring attestations 
to total $20,585,500 [2,794,201 x (5/60) x $88.41]. For almost all of 
these requests, we believe that a brief review will be sufficient for a 
regulated entity to make a final disclosure determination.
---------------------------------------------------------------------------

    \434\ See supra, Table 3 of this RIA.
---------------------------------------------------------------------------

    For a small number of these requests, approximately 1,300, we 
assume that the brief review will not be sufficient; we assume that 
these requests will require legal review. This figure is an estimate of 
the number of requests that are generated to investigate or impose 
liability on a person for the mere act of seeking or obtaining lawful 
reproductive health care, including from a health care

[[Page 33055]]

provider in a state other than the state where the regulated entity is 
located. The Department's estimate assumes that approximately 26 states 
may seek to restrict access to out-of-state reproductive health care, 
including reproductive health care that is lawful under the 
circumstances in which it provided, and will initiate an average of 50 
such requests annually. The Department estimates on average 1 hour of 
review for such requests based on the wage of a lawyer.\435\ We 
calculate the annual legal review cost for the estimated 1,300 requests 
totals $204,724 [1,300 x 1 x $157.48]. This additional review increases 
the cost of processing attestations to $20,790,224.
---------------------------------------------------------------------------

    \435\ Id.
---------------------------------------------------------------------------

    We anticipate that approximately one-quarter of requests that 
result in legal reviews, approximately 325, will require additional 
managerial review by the regulated entity before making a disclosure 
decision. The Department estimates on average 3 hours of additional 
review for each of these requests based on the wage of medical and 
health insurance managers.\436\ We calculate a total cost for 
additional actions for these requests of $119,984 [325 x 3 x $123.06]. 
The total annual estimated cost of processing attestations, including 
all additional legal and managerial reviews, is $20,910,207.
---------------------------------------------------------------------------

    \436\ Id.
---------------------------------------------------------------------------

    Upon consideration of the estimated cost for regulated entities to 
create a new attestation form, the Department is planning to develop a 
model form to be available prior to the compliance date of this final 
rule. This will save an estimated total of $60,970,823 [= 774,331 x 
(30/60) x $157.48], based on 30 minutes of labor by a lawyer.
c. Costs Arising From Revised Business Associate Agreements
    The Department anticipates that a certain percentage of business 
associate agreements will likely need to be updated to reflect a 
determination made by parties about their respective responsibilities 
when either party receives requests for disclosures of PHI under 45 CFR 
164.512(d), (e), (f), or (g)(1). For example, each of the parties to 
the business associate agreement may need to notify the other party 
when they have knowledge that a request is for an unlawful purpose and 
allocate their respective responsibilities for handling these less 
frequent requests. The Department is finalizing its proposed estimate 
that each new or significantly modified contract between a business 
associate and its subcontractors will require, on average, one hour of 
labor by a lawyer at the wage reported in Table 3. We believe that 
approximately 35 percent of 1 million business associates, or 350,000 
entities, will decide to create or significantly modify subcontracts, 
resulting in total costs of $55,118,000 [= 350,000 x $157.48].
    A few commenters asserted that the Department's estimates for 
business associates' costs were incorrect and that it should consider 
additional costs. A commenter recommended that the Department adopt a 
non-enforcement period to allow business associates to achieve 
compliance and limit legal costs. Another commenter stated that the 
Department did not adequately identify the costs that would be 
associated with increased legal scrutiny of business associates as a 
result of the proposed rule. And another commenter urged the Department 
to consider the additional costs for renegotiated contracts as a result 
of the proposed rule. Lastly, a commenter requested that the Department 
apply the attestation requirement to business associates because it 
would reduce the costs of the rule.
    The Department has reviewed the comments and is adopting the 2023 
Privacy Rule NPRM cost analysis in this final rule. Business associate 
costs are adequately captured by the estimate for revising agreements. 
Applying costs directly to business associates (as opposed to covered 
entities) is distributional and will not alter the total impact of the 
rule. The Department declines to create an additional non-enforcement 
period for this provision of the final rule beyond the 180 days from 
the date of publication for the final rule to the compliance date.\437\ 
The estimated cost for responding to requests for PHI for which an 
attestation is required accounts for increased scrutiny of a small 
number of requests for PHI, and the estimated costs for updating 
business associate agreements accounts for renegotiation of an average 
of one release of information vendor contract for nearly half of all 
covered entities.
---------------------------------------------------------------------------

    \437\ This includes 60 days from the date of publication to the 
effective date, plus 120 days from the effective date to the 
compliance date.
---------------------------------------------------------------------------

d. Costs Arising From Changes to the Notice of Privacy Practices
    The final rule modifies the NPP to notify individuals that covered 
entities cannot use or disclose PHI for certain purposes and that in 
certain circumstances, covered entities must obtain an attestation from 
a person requesting the PHI that affirms that the use or disclosure is 
not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). The final 
rule also modifies the NPP to align with changes proposed in the 2022 
Part 2 NPRM. This includes requiring covered entities that create or 
maintain Part 2 records to provide a notice that: addresses such 
records; references Part 2 as ``other applicable law'' that is more 
stringent than the Privacy Rule; explains that covered entities may not 
use or disclose a Part 2 record in a civil, criminal, administrative, 
or legislative proceeding against the individual absent written consent 
from the individual or a court order; and clarifies the applicability 
of Part 2 for organized health care arrangements that hold Part 2 
records. Additionally, the final rule further modifies language for 
fundraising by covered entities that use or disclose Part 2 records to 
require a clear and conspicuous opt-out opportunity for patients. 
Finally, the modifications require the NPP to explain that PHI 
disclosed to a person other than a regulated entity is no longer 
subject to the requirements of the Privacy Rule.
    The Department believes the burden associated with revising the NPP 
consists of costs related to developing and drafting the revised NPP 
for covered entities. The Department estimates that the updating and 
revising the language in the NPP will require 50 minutes of 
professional legal services at the wage reported in Table 3. Across all 
covered entities, the Department estimates a cost of $101,618,038 [= 
774,331 x (50/60) x $157.48]. The Department does not anticipate any 
new costs for health care providers associated with distribution of the 
revised notice other than posting it on the entity's website (if it has 
one) because health care providers have an ongoing obligation to 
provide the notice to first-time patients that is already accounted for 
in cost estimates for the HIPAA Rules. Health plans that post their NPP 
online will incur minimal costs by posting the updated notice and then 
including the updated NPP in the next annual mailing to 
subscribers.\438\ Health plans that do not provide an annual mailing 
will potentially incur an additional $12,743,700 in capital expenses 
for mailing the revised NPP to an estimated 10 percent of the 
150,000,000 health plan subscribers who receive a mailed, paper copy of 
the notice, as well as the labor expense for an administrative support 
staff member at the rate shown in Table 3 to complete the mailing, for 
approximately $2,737,500 [= 62,500 hours x $43.80]. The Department 
further estimates the cost of posting the revised NPP on the

[[Page 33056]]

covered entity's website will be 15 minutes of a web designer's time at 
the wage reported in Table 3. Across all covered entities, the 
Department estimates a cost of online posting as $18,936,265 [= 774,331 
x (15/60) x $97.82].
---------------------------------------------------------------------------

    \438\ 45 CFR 164.520(c)(1)(v)(A).
---------------------------------------------------------------------------

    A commenter expressed concern that the Department was 
underestimating the cost of mailing updates associated with changes to 
NPP policies.
    The Department is already accounting for the cost of mailing 
updated NPPs within the estimated capital costs, which include printing 
copies of NPPs that are provided in person and those that are mailed, 
and postage for health plans that will need to conduct a mailing that 
is off-cycle from its regular schedule. We estimate that half of NPPs 
will need to be mailed and that health plans may include the updated 
NPP with their next regular mailing to individuals.
e. Estimated Costs for Developing New or Modified Policies and 
Procedures
    The Department anticipates that covered entities will need to 
develop new or modified policies and procedures for the new 
requirements for attestations, the new category of prohibited uses and 
disclosures, modifications to certain uses and disclosures permitted 
under 45 CFR 164.512, and clarification of personal representative 
qualifications. The Department is finalizing its proposed estimate that 
the costs associated with developing such policies and procedures will 
be the labor of a lawyer for 2.5 hours and that this expense represents 
the largest area of cost for compliance with this final rule, for a 
total of $304,854,115 [= 774,331 x 2.5 x $157.48].
    A few commenters stated that the estimate for covered entities to 
draft new policies was incorrect and provided additional information or 
alternatives to reduce costs. A commenter stated that the time burden 
for drafting new policies was insufficient and did not accurately 
represent the amount of time it would take a covered entity to draft a 
policy that complied with the proposed rule. Another commenter urged 
the Department to include the costs for organizations to update their 
privacy policies because of the proposed rule. A few commenters 
requested that the Department provide organizations with additional 
time to develop new policies that comply with the final rule.
    The Department considered the concerns raised by commenters about 
the burdens of the requirements to revise the Privacy Rule and made 
several additional modifications in this final rule to reduce burdens 
on regulated entities. For example, regulated entities are not required 
to develop policies to routinely evaluate whether reproductive health 
care that was provided by someone else was lawful. Instead, regulated 
entities will need to develop policies to ensure that regulated 
entities identify requests for health oversight activities, judicial 
and administrative proceedings, law enforcement purposes, and about 
decedents to coroners or medical examiners and procedures for obtaining 
the required attestation if it is not provided with the request for the 
use or disclosure of PHI. Additional policies will be required to 
address requests for the above purposes that could result in a 
prohibited use or disclosure, such as requests from law enforcement for 
the use or disclosure of PHI that assert, without any other 
information, that reproductive health care was provided unlawfully. The 
updating of privacy policies is included in the overall cost of 
updating policies and the estimate for updating the NPP. Because of 
changes in the final rule that simplify compliance with the new 
requirements, the Department is not adjusting the time burden for 
revising or creating new policies and procedures.
f. Costs Associated With Training Workforce Members
    The Department anticipates that covered entities will be able to 
incorporate new content into existing HIPAA training requirements and 
that the costs associated with doing so will be attributed to the labor 
of a training specialist for an estimated 90 minutes for a total of 
$78,029,335 [= 774,331 x (90/60) x $67.18].
    A few commenters addressed training costs within the proposed rule, 
including one who asserted that such costs could be reduced by ensuring 
that the effective date for all of the provisions of the rule is the 
same. Another commenter stated that covered entities would incur both a 
one time and yearly training cost, with the yearly training cost 
accounting for most of the total training cost in year 1.
    The Department is finalizing the cost estimate for training 
workforce members as proposed, which includes the cost of a training a 
specialist to update the covered entity's HIPAA training program with 
new content to include in training for workforce members within the 
first year. Any further recurring component is likely to be implemented 
into regularly scheduled employee training and will thus not be 
directly attributable to this rule.
g. Total Quantifiable Costs
    The Department summarizes in Table 6 the estimated nonrecurring 
costs that covered entities and states will experience in the first 
year of implementing the regulatory changes. The Department anticipates 
that these costs will be for requesting exceptions from preemption of 
contrary state law, implementing the attestation requirement, revising 
business associate agreements, revising the NPP, mailing and posting it 
online, revising policies and procedures, and updating HIPAA training 
programs.

                        Table 6--New Nonrecurring Costs of Compliance With the Final Rule
----------------------------------------------------------------------------------------------------------------
                                            Burden hours/ action x                                  Total costs
           Nonrecurring costs                    hourly  wage                 Respondents           (millions)
----------------------------------------------------------------------------------------------------------------
Exception Requests......................  16 x $93.04...............  26 States.................           $0.04
BA Agreements, Revising.................  1 x $157.48...............  350,000 BAAs..............              55
NPP, Updating...........................  50/60 x $157.48...........  774,331 Covered entities..             102
NPP, Mailing............................  0.25/60 x $43.80..........  15,000,000 Subscribers....               3
NPP, Posting Online.....................  15/60 x $97.82............  774,331 Covered entities..              19
Policies & Procedures...................  150/60 x $157.48..........  774,331 Covered entities..             305
Training................................  90/60 x $67.18............  774,331 Covered entities..              78
Capital Expenses, Mailing NPPs--Health    $.85/NPP..................  15,000,000 Subscribers....              13
 Plans.
                                         -----------------------------------------------------------------------
    Total Nonrecurring Burden...........  ..........................  ..........................         \a\ 574
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.


[[Page 33057]]

    Table 7 summarizes the recurring costs that the Department 
anticipates covered entities will incur annually as a result of the 
regulatory changes. These new costs are based on responding to requests 
for uses and disclosures of PHI that are conditioned upon an 
attestation.

                      Table 7--Recurring Annual Costs of Compliance With the Final Rule \a\
----------------------------------------------------------------------------------------------------------------
                                                                                                   Total annual
             Recurring costs                  Burden hours x wage             Respondents              cost
                                                                                                    (millions)
----------------------------------------------------------------------------------------------------------------
Disclosures for which an attestation is   232,850 x $88.41..........  2,794,201.................     $20,585,500
 required.
Attestation investigation review........  1,300 x $157.48...........  1,300.....................         204,724
Attestation additional actions..........  975 x 123.06..............  325.......................         119,984
                                         -----------------------------------------------------------------------
    Total Recurring Annual Burden.......  ..........................  ..........................      20,910,207
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.

Costs Borne by the Department
    The covered entities that are operated by the Department will be 
affected by the changes in a similar manner to other covered entities, 
and such costs have been factored into the estimates above.
    The Department expects that it will incur costs related to drafting 
and disseminating a model attestation form and information about the 
regulatory changes to covered entities, including health care providers 
and health plans. In addition, the Department anticipates that it may 
incur a 26-fold increase in the number of requests for exceptions from 
preemption of contrary state law in the first year after a final rule 
becomes effective, at an estimated total cost of approximately $146,319 
to analyze and develop responses for an average cost of $7,410 per 
request. This increase is based on the number of states that have 
enacted or are likely to enact laws restricting access to reproductive 
health care \439\ and may seek to obtain individuals' PHI to enforce 
those laws. This estimate assumes that the Department receives and 
reviews exception requests from the 26 states, that half require a more 
complex analysis, and that all requests result in a written response 
within one year of the final rule's publication.
---------------------------------------------------------------------------

    \439\ See ``One Year After Dobbs--Vast Changes to the Abortion 
Legal Landscape,'' supra note 432 (counting 21 states with post-
Dobbs limits that are more restrictive than Roe v. Wade allowed) and 
``State Laws Restricting or Prohibiting Abortion,'' supra note 432. 
Because of the pace of change in this area, the Department relies on 
a higher number than JAMA's 2023 figure as a basis for its cost 
estimates.
---------------------------------------------------------------------------

Benefits of the Final Rule
    The benefits of this final rule to individuals and families are 
likely substantial, and yet are not fully quantifiable because the area 
of health care this final rule addresses is among the most sensitive 
and life-altering if privacy is violated. Additionally, the value of 
privacy, which cannot be recovered once lost, and trust that privacy 
will be protected by others, is difficult to quantify fully. Health 
privacy has many significant benefits, such as promoting effective 
communication between individuals and health care providers, preventing 
discrimination, enhancing autonomy, supporting medical research, and 
protecting the individual from unwanted exposure of sensitive health 
information.\440\
---------------------------------------------------------------------------

    \440\ See ``Trust and Privacy: How Patient Trust in Providers is 
Related to Privacy Behaviors and Attitudes,'' supra note 120; Paige 
Nong et al., ``Discrimination, trust, and withholding information 
from providers: Implications for missing data and inequity,'' SSM--
Population Health (Apr. 7, 2022), https://www.sciencedirect.com/science/article/pii/S2352827322000714; See also S.J. Nass et al., 
``Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health 
Through Research,'' Institute of Medicine (US) Committee on Health 
Research and the Privacy of Health Information: The HIPAA Privacy 
Rule (2009), https://www.ncbi.nlm.nih.gov/books/NBK9579/.
---------------------------------------------------------------------------

    Notably, reproductive health care may include circumstances 
resulting in a pregnancy, considerations concerning maternal and fetal 
health, family genetic conditions, information concerning sexually 
transmitted infections, and the relationship between prospective 
parents (including victimization due to rape, incest, or sex 
trafficking). Involuntary or poorly-timed disclosures can irreparably 
harm relationships and reputations, and even result in job loss or 
other negative consequences in the workplace,\441\ as well as 
investigation, civil litigation or proceedings, and prosecution for 
lawful activities.\442\ Additionally, fear of potential penalties or 
liability that may result from disclosing information to a health care 
provider about accessing reproductive health care may cast a long 
shadow, decreasing trust between individuals and health care providers, 
discouraging and deterring access to other valuable and necessary 
health care, or compromising ongoing or subsequent care if an 
individual's medical records are not accurate or complete.\443\ This 
final rule will prevent or reduce the harms discussed here, resulting 
in non-quantifiable benefits to individuals and their families, 
friends, and health care providers. In particular, the role of trust in 
the health care system and its importance to the provision of high-
quality health care is discussed extensively in Section III of this 
preamble.
---------------------------------------------------------------------------

    \441\ See Danielle Keats Citron & Daniel J. Solove, ``Privacy 
Harms,'' GWU Legal Studies Research Paper No. 2021-11, GWU Law 
School Public Law Research Paper No. 2021-11, 102 B.U. L. Rev. 793, 
830-861 (Feb. 9, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3782222.
    \442\ See ``Reclaiming Tort Law to Protect Reproductive 
Rights,'' supra note 152.
    \443\ See Div. of Reproductive Health, Nat'l Ctr. for Chronic 
Disease Prevention and Health Promotion, ``Women With Chronic 
Conditions Struggle to Find Medications After Abortion Laws Limit 
Access,'' Ctrs. for Disease Control and Prevention (Jan. 4, 2023), 
https://www.cdc.gov/teenpregnancy/health-care-providers/index.htm; 
see also Brittni Frederiksen et al., ``Abortion Bans May Limit 
Essential Medications for Women with Chronic Conditions,'' Kaiser 
Family Foundation (Nov. 17, 2022), https://www.kff.org/womens-health-policy/issue-brief/abortion-bans-may-limit-essential-medications-for-women-with-chronic-conditions/.
---------------------------------------------------------------------------

    The Department anticipates that this final rule will increase 
health literacy by improving access to complete information about 
health care options for individuals.\444\ For example, the prohibition 
on the use and disclosure of PHI for purposes of investigating or 
imposing liability on an individual, a person assisting them, or their 
health care provider for lawful health care will increase individuals' 
access to complete information about their health care options because 
they will have increased confidence to share information about their 
life, including their health, with health care providers. In turn, the 
receipt of more complete information from patients will enable

[[Page 33058]]

health care providers to provide more accurate and relevant medical 
information about lawful reproductive health care, and the new 
prohibition will enable them to do so without fear of serious and 
costly professional repercussions.
---------------------------------------------------------------------------

    \444\ See Lynn M. Yee et al., ``Association of Health Literacy 
Among Nulliparous Individuals and Maternal and Neonatal Outcomes,'' 
JAMA Network Open (Sept. 1, 2021), https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2783674.
---------------------------------------------------------------------------

    This final rule will also contribute to increased access to 
prenatal health care at the critical early stages of pregnancy by 
affording individuals the assurance that they may obtain lawful 
reproductive health care without fearing that records related to that 
care would be subject to disclosure. For example, if a sexually active 
individual fears they or their health care providers could be subject 
to prosecution as a result of disclosure of their PHI, the individual 
may avoid informing health care providers about symptoms or asking 
questions of medical experts and may consequently fail to receive 
necessary support and health care for a pregnancy diagnosis.\445\ 
Similarly, this final rule will likely contribute to a decreased rate 
of maternal mortality and morbidity by improving access to information 
about health services.\446\
---------------------------------------------------------------------------

    \445\ See ``Texas Maternal Mortality and Morbidity Review 
Committee and Department of State Health Services Joint Biennial 
Report 2022,'' supra note 123.
    \446\ See Helen Levy & Alex Janke, ``Health Literacy and Access 
to Care,'' J. of Health Commc'n (2016), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4924568/; see also Brief for 
Zurawski, Zurawski v. State of Texas (No. D-1-GN-23-000968) (W.D. 
Tex. 2023), https://reproductiverights.org/wp-content/uploads/2023/03/Zurawski-v-State-of-Texas-Complaint.pdf.
---------------------------------------------------------------------------

    Additionally, this final rule will enhance the mental health and 
emotional well-being of individuals seeking or obtaining lawful 
reproductive health care by reducing fear that their PHI will be 
disclosed to investigate or impose liability on the individual, their 
health care provider, or any persons facilitating the individual's 
access to lawful reproductive health care. This is especially important 
for individuals who need access to reproductive health care because 
they are survivors of rape, incest, or sex trafficking. For at least 
some such individuals, certain types of reproductive health care, 
including abortion, often remain legal even if pregnancy termination is 
not available to the broader population under state law. The Department 
expects that this final rule will help to prevent or reduce re-
victimization of pregnant individuals who have been subject to rape, 
incest, or sex trafficking by protecting their PHI from disclosure.
    Activities conducted to investigate and impose liability that rely 
on that information may be costly to defend against and thus are 
financially draining for the target of those activities and for persons 
who are not the target of the activity but whose information may be 
used as evidence against others. Witnesses or targets of such 
activities may lose time from work and incur steep legal bills that 
create unmanageable debt or otherwise harm the economic stability of 
the individual, their family, and their health care provider. In the 
absence of this final rule, much of the costs may be for defending 
against the unwanted use or disclosure of PHI. Thus, the Department 
expects that this final rule will contribute to families' economic 
well-being by reducing the risk of exposure to costly activities to 
investigate or impose liability on persons for lawful activities as a 
result of disclosures of PHI.
    This final rule will also contribute to improved continuity of care 
and ongoing and subsequent health care for individuals, thereby 
improving health outcomes. If a health care provider believes that PHI 
is likely to be disclosed without the individual's or the health care 
provider's knowledge or consent, possibly to initiate or be used in 
criminal or civil proceedings against the individual, their health care 
provider, or others, the health care provider is more likely to omit 
information about an individual's medical history or condition, leave 
gaps, or include inaccuracies when preparing the individual's medical 
records. And if an individual's medical records lack complete 
information about the individual's health history, a subsequent health 
care provider may not be able to conduct an appropriate health 
assessment to reach a sound diagnosis and recommend the best course of 
action for the individual. Alternatively, health care providers may 
withhold from the individual full and complete information about their 
treatment options because of liability concerns stemming from fears 
about the privacy of an individual's PHI.\447\ Heightened 
confidentiality and privacy protections enable a health care provider 
to feel confident maintaining full and complete patient records. 
Without complete patient records, an individual is less likely to 
receive appropriate ongoing or future health care, including correct 
diagnoses, and will be impeded in making informed treatment decisions.
---------------------------------------------------------------------------

    \447\ See Brief for Zurawski, at 10, supra note 447.
---------------------------------------------------------------------------

Comparison of Benefits and Costs
    A few commenters stated that the 2023 Privacy Rule NPRM reflected 
the staffing costs of covered entities in full. One posited that 
covered entities will receive more requests for PHI because of changes 
in the legal environment after Dobbs, which will require some regulated 
entities that may not typically get such requests to adjust according 
to the changes in the law and how it is enforced. Another commenter 
stated that the proposed rule did not account for higher staffing costs 
from more highly qualified employees. The commenters did not provide 
any relevant data or discussion of methodology for how these costs 
should be quantified. Therefore, the Department did not include any 
additional labor costs in the economic analysis based on this comment.
    A few additional commenters expressed general concerns related to 
electronic health record (EHR) systems and data storage. One urged the 
Department to include costs associated with updating EHR systems to 
ensure compliance and to allow for data segmentation. Another asserted 
that the current classifications for different types of PHI are not 
clear enough for effective data segmentation, contributing to increased 
costs. As a result, they recommended that the Department provide 
clearer guidelines on the different types of PHI. The Department did 
not attempt to estimate additional data maintenance or EHR-related 
costs because any adjustments will be part of the regular cost of 
business for regulated entities.
    A commenter stated that the Department did not quantify the costs 
associated with violations of the rule by regulated entities, such as 
incurring a monetary penalty after impermissibly responding to a court 
order. The Department does not quantify the costs of noncompliance as 
part of its analysis. Whether a violation will result in a monetary 
penalty is dependent on numerous factors and the aim of the 
Department's enforcement is to bring regulated entities into 
compliance.
    A few commenters asserted that the proposed rule would make it more 
difficult for law enforcement to investigate criminals for crimes 
related to sex and recommended that the Department quantify this cost. 
The Department acknowledges that the final rule may result in some 
changes to procedures for handling law enforcement requests for PHI; 
however, the burden on regulated entities is calculated in its cost 
estimates. The Department is unable to quantify the burdens to law 
enforcement resulting from this final rule. However, to address 
concerns about victims' ability to disclose their PHI related to 
reproductive health care, the final rule

[[Page 33059]]

permits individuals to authorize disclosures for any purpose, including 
law enforcement investigations. Therefore, the Department is not 
including costs to law enforcement in the quantified costs and benefits 
analysis. The Department expects the totality of the benefits of this 
final rule to outweigh the costs, particularly in light of the privacy 
benefits for individuals who could become pregnant (nearly one-fourth 
of the U.S. population in any given year) and seek access to lawful 
health care without the risk of their PHI being used or disclosed in 
furtherance of activities to conduct criminal, civil, or administrative 
investigations or impose liability without their authorization. The 
Department expects covered entities and individuals to benefit from 
covered entities' increased confidence to be able to provide lawful 
health care according to professional standards.
    The Department's qualitative benefit-cost analysis asserts that the 
regulatory changes in this final rule will support an individual's 
privacy with respect to lawful health care, enhance the relationship 
between health care providers and individuals, strengthen maternal 
well-being and family stability, and support victims of rape, incest, 
and sex trafficking. The regulatory changes will also aid health care 
providers in developing and maintaining a high level of trust with 
individuals and maintaining complete and accurate medical records to 
aid ongoing and subsequent health care. Greater levels of trust will 
further enable individuals to develop and maintain relationships with 
health care providers, which would enhance continuity of health care 
for all individuals receiving care from the health care provider, not 
only individuals in need of reproductive health care.
    The financial costs of this final rule will accrue primarily to 
covered entities, particularly health care providers and health plans 
in the first year after implementation of a final rule, with recurring 
costs accruing annually at a lower rate.

B. Regulatory Alternatives to the Final Rule

    In addition to regulatory proposals in the 2023 Privacy Rule NPRM 
that are not adopted here, the Department considered several 
alternatives to the policies finalized in this rule.
Define Public Health in the Context of Public Health Surveillance, 
Intervention, or Investigation
    The Department considered alternatives to the proposed definition 
of ``public health'' in the context of public health surveillance, 
investigation, and intervention, particularly the reference to 
population-level activities. Specifically, the Department considered 
whether to add ``individual-level'' to further distinguish public 
health surveillance, investigation, and intervention from other 
activities but did not adopt this approach because it would add a new 
undefined term that would generate more complexity without adding 
clarity. The Department also considered removing ``population-level'' 
from the definition in this final rule, but we are not adopting that 
approach because it might lead people to believe that the focus of 
public health is not on activities benefiting the population as a 
whole. Additionally, the Department considered defining ``public 
health'' surveillance, investigation, or intervention only in the 
negative--that is, by listing activities that are excluded--but decided 
not to adopt this approach to ensure that stakeholders understand what 
public health surveillance, investigation, or intervention means.
Modify Prohibition To Presume That Reproductive Health Care Is Lawful 
Absent Actual Knowledge
    The Department considered adding a provision that would allow 
regulated entities to presume that certain requests for PHI are about 
reproductive health care that was lawful under the circumstances in 
which such health care was provided where it was provided by someone 
other than the regulated entity receiving the PHI request, unless the 
regulated entity had actual knowledge that such health care was not 
lawful under the circumstances in which it was provided. However, in 
consultation with Federal partners, the Department decided to finalize 
a second exception to the presumption to permit uses or disclosures of 
PHI where privacy interests are reduced, as compared to the societal 
interest in the PHI for certain non-health care purposes. This 
exception is available where factual information supplied by the person 
requesting the use or disclosure of PHI demonstrates to the regulated 
entity a substantial factual basis that the reproductive health care 
was not lawful under the specific circumstances in which such health 
care was provided.
Administrative Requests by Law Enforcement
    The Department received reports that not all regulated entities are 
interpreting the administrative request provision correctly and 
proposed a clarification to 45 CFR 164.512(f)(1)(ii)(C). To address 
concerns that disclosures currently made under Federal agencies' 
interpretations of the Privacy Act of 1974 \448\ would not be permitted 
under the NPRM proposal, the Department considered adding qualifying 
language to paragraph 45 CFR 164.512(f)(1)(ii)(C) to state that PHI may 
be disclosed by a Federal agency in response to an administrative 
request from law enforcement where the Federal agency is authorized, 
but not required, to disclose under applicable law (see, e.g., the 
Privacy Act and OMB 1975 Guidelines \449\). However, the Department 
determined that the contemplated change was not necessary because the 
intent of the Privacy Rule was adequately captured in the clarification 
proposed in the NPRM and finalized in this rule at 45 CFR 
164.512(f)(1)(ii)(C). As finalized, this provision permits disclosures 
to law enforcement in response to ``an administrative request for which 
response is required by law, including an administrative subpoena or 
summons, a civil or an authorized investigative demand, or similar 
process authorized under law.''
---------------------------------------------------------------------------

    \448\ Public Law 93-579, 88 Stat. 1896 (Dec. 31, 1974) (codified 
at 5 U.S.C. 552a).
    \449\ 40 FR 28948, 28955 (July 9, 1975).
---------------------------------------------------------------------------

Scope of Prohibited Conduct
    In response to public comments on the 2023 Privacy Rule NPRM, the 
Department considered several approaches to outlining prohibited 
conduct. One approach was creating a category of ``highly sensitive 
PHI'' and prohibiting its use and disclosure in certain proceedings 
based on the mere act of, for example, obtaining, providing, or aiding 
that category of health care. The Department did not adopt this 
category based on many concerns expressed in public comments. For 
example, distinguishing between the sensitivity of different types of 
PHI would require complicated subjective determinations, and 
prohibiting or limiting uses or disclosures of highly sensitive PHI for 
certain purposes could negatively affect efforts to eliminate data 
segmentation and further stigmatize the types of health care included 
in the ``highly sensitive'' category.
    Another approach the Department considered was to require an 
attestation for all requested uses and discloses of PHI under 45 CFR 
164.512(d)-(g)(1), rather than limiting the requirement to only 
requested uses and disclosures of PHI potentially related to 
reproductive health care under such provisions. This would have reduced 
the burden on

[[Page 33060]]

regulated entities to screen requested PHI for whether it contained 
information potentially related to reproductive health care and 
increased the burden on persons requesting PHI to evaluate and attest 
to all requests for use and disclosure of PHI under 45 CFR 164.512(d)-
(g)(1). However, in recognition of the importance of oversight and law 
enforcement entities' ability to obtain PHI for legitimate inquiries, 
the Department decided not to require an attestation for all requests 
under these provisions.
Requiring an Attestation Under Penalty of Perjury
    The Department requested comments about the possibility of adding a 
required penalty of perjury statement to strengthen the attestation 
requirement but did not propose this statement in the 2023 Privacy Rule 
NPRM. After reviewing public comments on this topic, the Department 
considered adding a requirement that the attestation be signed by the 
person requesting the use or disclosure of PHI under penalty of perjury 
but did not adopt such a requirement in the final rule. As discussed in 
greater detail above, a person who knowingly and in violation of the 
Administrative Simplification provisions of HIPAA obtains or discloses 
IIHI relating to another individual or discloses IIHI to another person 
is subject to criminal liability.\450\ Thus, a person who knowingly and 
in violation of HIPAA \451\ falsifies an attestation (e.g., makes 
material misrepresentations about the intended uses of the PHI 
requested) to obtain (or cause to be disclosed) an individual's IIHI 
could be subject to criminal penalties as outlined in the statute. The 
Department believes such penalties are sufficient to hold persons who 
knowingly submit false attestations accountable for their actions and 
deter such submissions entirely.
---------------------------------------------------------------------------

    \450\ 42 U.S.C. 1320d-6(a).
    \451\ A person (including an employee or other individual) shall 
be considered to have obtained or disclosed individually 
identifiable health information in violation of this part if the 
information is maintained by a covered entity (as defined in the 
HIPAA privacy regulation described in section 1320d-9(b)(3) of this 
title) and the individual obtained or disclosed such information 
without authorization. Id.
---------------------------------------------------------------------------

Right To Request Restrictions
    In the 2023 Privacy Rule NPRM, the Department requested comments 
regarding the right of individuals to request restrictions of uses and 
disclosures of their PHI. We did not propose any changes to this 
provision in the 2023 Privacy Rule NPRM, nor are we proposing or 
finalizing any modifications to it at this time. We appreciate the 
comments we received regarding expanding the rights to request 
disclosures and will take them under advisement when we consider future 
modifications to the Privacy Rule.

C. Regulatory Flexibility Act--Small Entity Analysis

    The Department has examined the economic implications of this final 
rule as required by the RFA. If a rule has a significant economic 
impact on a substantial number of small entities, the RFA requires 
agencies to analyze regulatory options that would reduce the economic 
effect of the rule on small entities.
    For purposes of the RFA, small entities include small businesses, 
nonprofit organizations, and small governmental jurisdictions. The Act 
defines ``small entities'' as (1) a proprietary firm meeting the size 
standards of the Small Business Administration (SBA), (2) a nonprofit 
organization that is not dominant in its field, and (3) a small 
government jurisdiction of less than 50,000 population. A few 
commenters raised concerns about the effects of the proposed rule on 
small or rural providers and requested additional analysis, guidance, 
or technical assistance from the Department to aid these entities. The 
Department did not receive any public comments on the small business 
analysis assumptions used in the NPRM. Accordingly, we are not changing 
the baseline assumptions for this final rule. We have updated our 
analysis of small entities for consistency with revisions to the RIA 
for the costs and savings for covered entities. The Department has 
determined that roughly 90 percent or more of all health care providers 
meet the SBA size standard for a small business or are a nonprofit 
organization. Therefore, the Department estimates that there are 
696,898 small entities affected by the final rule.\452\ The SBA size 
standard for health care providers ranges between a maximum of $16 
million and $47 million in annual receipts, depending upon the type of 
entity.\453\
---------------------------------------------------------------------------

    \452\ 696,898 = 774,331 x .90.
    \453\ See U.S. Small Business Administration, Table of Small 
Business Size Standards (Mar. 17, 2023), https://www.sba.gov/sites/sbagov/files/2023-06/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%282%29.pdf.
---------------------------------------------------------------------------

    With respect to health insurers, the SBA size standard is a maximum 
of $47 million in annual receipts, and for third party administrators 
it is $45.5 million.\454\ While some insurers are classified as 
nonprofit, it is possible they are dominant in their market. For 
example, a number of Blue Cross/Blue Shield insurers are organized as 
nonprofit entities; yet they dominate the health insurance market in 
the states where they are licensed.\455\
---------------------------------------------------------------------------

    \454\ Id.
    \455\ Kaiser Family Foundation, ``Market Share and Enrollment of 
Largest Three Insurers--Large Group Market'' (2019), https://www.kff.org/other/state-indicator/market-share-and-enrollment-of-largest-three-insurers-large-group-market/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D.
---------------------------------------------------------------------------

    For the reasons stated below, we do not expect that the cost of 
compliance will be significant for small entities. Nor do we expect 
that the cost of compliance will fall disproportionately on small 
entities. Although many of the covered entities affected by this final 
rule are small entities, they will not bear a disproportionate cost 
burden compared to the other entities subject to the rule. The 
projected total costs are discussed in detail in the RIA. The 
Department does not view this as a substantial burden because the 
result of the changes will be annualized costs per covered entity of 
approximately $184 [= $142.6 million \456\/774,331 covered entities]. 
In the context of the RFA, HHS generally considers an economic impact 
exceeding 3 percent of annual revenue to be significant, and 5 percent 
or more of the affected small entities within an identified industry to 
represent a substantial number. The quantified impact of $184 per 
covered entity would only apply to covered entities whose annual 
revenue is $6,133 or less. We believe almost all, if not all covered 
entities have annual revenues that exceed this amount. Accordingly, the 
Department has determined that this final rule is unlikely to affect a 
substantial number of small entities that meet the RFA threshold. Thus, 
this analysis concludes, and the Secretary certifies, that the rule 
will not result in a significant economic effect on a substantial 
number of small entities.
---------------------------------------------------------------------------

    \456\ This figure represents annualized costs discounted at a 3% 
rate.
---------------------------------------------------------------------------

D. Executive Order 13132--Federalism

    As required by E.O. 13132 on Federalism, the Department has 
examined the provisions in both the proposed and final regulation for 
their effects on the relationship between the Federal Government and 
the states. In the Department's view, the final regulation may have 
federalism implications because it may have direct effects on the 
states, the relationship between the Federal Government and states, and 
on the distribution of power and responsibilities among various

[[Page 33061]]

levels of government relating to the disclosure of PHI.
    The changes from this final rule flow from and are consistent with 
the underlying statute, which authorizes the Secretary to issue 
regulations that govern the privacy of PHI. The statute provides that, 
with limited exceptions, such regulations supersede contrary provisions 
of state law unless the provision of state law imposes more stringent 
privacy protections than the Federal law.\457\
---------------------------------------------------------------------------

    \457\ 42 U.S.C. 1320d-7(a)(1).
---------------------------------------------------------------------------

    Section 3(b) of E.O. 13132 recognizes that national action limiting 
the policymaking discretion of states will be imposed only where there 
is constitutional and statutory authority for the action and the 
national activity is appropriate when considering a problem of national 
significance. The privacy of PHI is of national concern by virtue of 
the scope of interstate health commerce. As described in the preamble 
to the proposed rule and this final rule, recent state actions 
affecting reproductive health care have undermined the longstanding 
expectation among individuals in all states that their highly sensitive 
reproductive health information will remain private and not be used 
against them for seeking or obtaining legal health care. These state 
actions thus directly threaten the trust that is essential to ensuring 
access to, and quality of, lawful health care. HIPAA's provisions 
reflect this position by authorizing the Secretary to promulgate 
regulations to implement the Privacy Rule.
    Section 4(a) of E.O. 13132 expressly contemplates preemption when 
there is a conflict between exercising state and Federal authority 
under a Federal statute. Section 4(b) of the E.O. authorizes preemption 
of state law in the Federal rulemaking context when ``the exercise of 
State authority directly conflicts with the exercise of Federal 
authority under the Federal statute.'' The approach in this regulation 
is consistent with the standards in the E.O. because it supersedes 
state authority only when such authority is inconsistent with standards 
established pursuant to the grant of Federal authority under the 
statute.
    State and local laws that impinge on the privacy protections for 
PHI of individuals who obtain lawful reproductive health care undermine 
Congress' directive to develop a health information system for the 
purpose of improving the effectiveness of the health care system, which 
requires that all individuals who receive health care legally are 
assured a minimum level of privacy for their PHI. Congress established 
specific, narrow exceptions to preemption that did not include the use 
or disclosure of an individual's medical records for law enforcement 
purposes generally. Nor did Congress include a specific exception to 
preemption that would permit states to use PHI against that individual, 
health care providers, or third parties merely for seeking, obtaining, 
providing, or facilitating lawful health care.\458\ Both the personal 
and public interest is served by protecting PHI so as not to undermine 
an individual's access to and quality of lawful health care services 
and their trust in the health care system.
---------------------------------------------------------------------------

    \458\ 42 U.S.C. 1320d-7(a)(2)(A).
---------------------------------------------------------------------------

    The Department anticipates that the most significant direct costs 
on state and local governments would be the cost for state and local 
government-operated covered entities to revise business associate 
agreements, revise policies and procedures, update the NPP, update 
training programs, and process requests for disclosures for which an 
attestation is required. These costs would be similar in kind to those 
borne by non-government operated covered entities. In addition, the 
Department anticipates that approximately half of the states may choose 
to file a request for an exception to preemption. The longstanding 
regulatory provisions that govern preemption exception requests under 
the HIPAA Rules would remain undisturbed by this rule.\459\ However, 
based on the legal developments in some states that are described 
elsewhere in this preamble, the Department anticipates that in the 
first year of implementation of a final rule, more states will submit 
requests for exceptions from preemption than have done so in the past. 
The RIA above addresses these costs in detail.
---------------------------------------------------------------------------

    \459\ 45 CFR 160.201 through 160.205.
---------------------------------------------------------------------------

    Pursuant to the requirements set forth in section 8(a) of E.O. 
13132, and by the signature affixed to the final rule, the Department 
certifies that it has complied with the requirements of E.O. 13132, 
including review and consideration of comments from state and local 
government officials and the public about the interaction of this rule 
with state activity, for the final rule in a meaningful and timely 
manner.

E. Assessment of Federal Regulation and Policies on Families

    Section 654 of the Treasury and General Government Appropriations 
Act of 1999 \460\ requires Federal departments and agencies to 
determine whether a proposed policy or regulation could affect family 
well-being. If the determination is affirmative, then the Department or 
agency must prepare an impact assessment to address criteria specified 
in the law. This final rule is expected to strengthen the stability of 
the family and marital commitment because it protects individual 
privacy in the context of sensitive decisions about family planning. 
The rule may be carried out only by the Federal Government because it 
would modify Federal health privacy law, ensuring that American 
families have confidence in the privacy of their information about 
lawful reproductive health care, regardless of the state where they are 
located when health care is provided. Such health care privacy is vital 
for individuals who may become pregnant or who are capable of becoming 
pregnant.
---------------------------------------------------------------------------

    \460\ Public Law 105-277, 112 Stat. 2681 (Oct. 21, 1998).
---------------------------------------------------------------------------

F. Paperwork Reduction Act of 1995

    Under the Paperwork Reduction Act of 1995 \461\ (PRA), agencies are 
required to submit to OMB for review and approval any reporting or 
record-keeping requirements inherent in a proposed or final rule and 
are required to publish such proposed requirements for public comment. 
To fairly evaluate whether an information collection should be approved 
by the OMB, section 3506(c)(2)(A) of the PRA requires that the 
Department solicit comment on the following issues:
---------------------------------------------------------------------------

    \461\ Public Law 104-13, 109 Stat. 163 (May 22, 1995).
---------------------------------------------------------------------------

    1. Whether the information collection is necessary and useful to 
carry out the proper functions of the agency;
    2. The accuracy of the agency's estimate of the information 
collection burden;
    3. The quality, utility, and clarity of the information to be 
collected; and
    4. Recommendations to minimize the information collection burden on 
the affected public, including automated collection techniques.
    The PRA requires consideration of the time, effort, and financial 
resources necessary to meet the information collection requirements 
referenced in this section. The Department considered public comments 
on its assumptions and burden estimates in the 2023 Privacy Rule NPRM 
and addresses those comments above in the discussion of benefits and 
costs of this final rule.
    In this RIA, the Department is revising certain information 
collection requirements associated with this final rule and, as such, 
is revising the information collection last prepared in

[[Page 33062]]

2023 and approved under OMB control #0945-0003. The revised information 
collection describes all new and adjusted information collection 
requirements for covered entities pursuant to the implementing 
regulation for HIPAA at 45 CFR parts 160 and 164, the HIPAA Privacy, 
Security, Breach Notification, and Enforcement Rules (``HIPAA Rules'').
    The estimated annual labor burden presented by the regulatory 
modifications in the first year of implementation, including 
nonrecurring and recurring burdens, is 4,584,224 burden hours at a cost 
of $582,242,165 \462\ and $20,910,207 of estimated annual labor costs 
in years two through five. The overall total burden for respondents to 
comply with the information collection requirements of all of the HIPAA 
Privacy, Security, and Breach Notification Rules, including 
nonrecurring and recurring burdens presented by program changes, is 
953,982,236 burden hours at a cost of $107,336,705,941, plus 
$197,364,010 in capital costs for a total estimated annual burden of 
$107,534,069,951 in the first year following the effective date of the 
final rule. Details describing the burden analysis for the proposals 
associated with this RIA are presented below and explained further in 
the ICR associated with this final rule.
---------------------------------------------------------------------------

    \462\ This includes an increase of 416 burden hours and $36,442 
in costs added to the existing information collection for requesting 
exemption determinations under 45 CFR 160.204.
---------------------------------------------------------------------------

Explanation of Estimated Annualized Burden Hours
    Below is a summary of the significant program changes and 
adjustments made since the approved 2023 ICR; because the ICR addresses 
regulatory burdens associated with the full suite of HIPAA Rules, the 
changes and adjustments include updated data and estimates for some 
provisions of the HIPAA Rules that are not affected by this final rule. 
These program changes and adjustments form the bases for the burden 
estimates presented in the ICR associated with this RIA.
Adjusted Estimated Annual Burdens of Compliance
    (1) Increasing the number of covered entities from 700,000 to 
774,331 based on program change.
    (2) Increasing the number of respondents requesting exceptions to 
state law preemption from 1 to 27 based on an expected reaction by 
states that have enacted restrictions on reproductive health care 
access.
    (3) Increasing the burden hours by a factor of two for responding 
to individuals' requests for restrictions on disclosures of their PHI 
under 45 CFR 164.522 to represent a doubling of the expected requests.
    (4) Updating the number of breaches for which notification is 
required to reflect data in OCR's 2022 Report to Congress \463\ and 
related burdens.
---------------------------------------------------------------------------

    \463\ See Off. for Civil Rights, ``Annual Report to Congress on 
Breaches of Unsecured Protected Health Information,'' U.S. Dep't of 
Health and Human Servs. (2022), https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html.
---------------------------------------------------------------------------

    (5) Increasing the number of estimated uses and disclosures for 
research purposes.
    (6) Increasing the total number of NPPs distributed by health plans 
by 50% to total 300,000,000 due to the increase in number of Americans 
with health coverage.
New Burdens Resulting from Program Changes
    In addition to these changes, the Department added new annual 
burdens as a result of program changes in the final rule:
    (1) A nonrecurring burden of 1 hour for each of 350,000 business 
associate agreements that is likely to be revised as a result of the 
changes to handling requests for PHI under 45 CFR 164.512(d), (e), (f), 
and (g)(1), to allocate responsibilities between covered entities and 
their release-of-information contractors.
    (2) A recurring burden of 5 minutes per request for staff to 
determine whether an attestation is required for disclosure under 45 
CFR 164.509.
    (3) A recurring burden of 1 hour per request for legal review of 
whether certain requests identified by staff as potentially requiring 
an attestation pertain to the lawfulness of reproductive health care.
    (4) A recurring burden of 3 hours per request for a percentage of 
requests requiring legal review that might require additional manager 
review to determine whether the requirements at 45 CFR 164.509 are met.
    (5) A nonrecurring burden of 50 minutes per covered entity to 
update the required content of its NPP.
    (6) A nonrecurring burden of 15 minutes per covered entity for 
posting an updated NPP online.
    (7) A nonrecurring burden of 2.5 hours for each covered entity to 
update its policies and procedures.
    (8) A nonrecurring burden of 90 minutes for each covered entity to 
update the content of its HIPAA training program.

List of Subjects

45 CFR Part 160

    Health care, Health records, Preemption, Privacy, Public health, 
Reproductive health care.

45 CFR Part 164

    Health care, Health records, Privacy, Public health, Reporting and 
recordkeeping requirements, Reproductive health care.

    For the reasons stated in the preamble, the Department of Health 
and Human Services amends 45 CFR subtitle A, subchapter C, parts 160 
and 164 as set forth below:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

0
1. The authority citation for part 160 continues to read as follows:

    Authority:  42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 
(note)); 5 U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat. 
258-279; and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.


0
2. Amend Sec.  160.103 by:
0
a. Revising the definition of ``Person''; and
0
b. Adding in alphabetical order the definitions of ``Public health'' 
and ``Reproductive health care''.
    The revision and additions read as follows:


Sec.  160.103  Definitions.

* * * * *
    Person means a natural person (meaning a human being who is born 
alive), trust or estate, partnership, corporation, professional 
association or corporation, or other entity, public or private.
* * * * *
    Public health, as used in the terms ``public health surveillance,'' 
``public health investigation,'' and ``public health intervention,'' 
means population-level activities to prevent disease in and promote the 
health of populations. Such activities include identifying, monitoring, 
preventing, or mitigating ongoing or prospective threats to the health 
or safety of a population, which may involve the collection of 
protected health information. But such activities do not include those 
with any of the following purposes:
    (1) To conduct a criminal, civil, or administrative investigation 
into any person for the mere act of seeking, obtaining, providing, or 
facilitating health care.
    (2) To impose criminal, civil, or administrative liability on any 
person for the mere act of seeking, obtaining, providing, or 
facilitating health care.

[[Page 33063]]

    (3) To identify any person for any of the activities described at 
paragraphs (1) or (2) of this definition.
    Reproductive health care means health care, as defined in this 
section, that affects the health of an individual in all matters 
relating to the reproductive system and to its functions and processes. 
This definition shall not be construed to set forth a standard of care 
for or regulate what constitutes clinically appropriate reproductive 
health care.
* * * * *

PART 164--SECURITY AND PRIVACY

0
3. The authority citation for part 164 continues to read as follows:

    Authority:  42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)); 
and secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.


0
4. Amend Sec.  164.502 by
0
a. Revising paragraph (a)(1)(vi);
0
b. Adding paragraph (a)(5)(iii); and
0
c. Revising paragraph (g)(5).
    The addition and revisions read as follows:


Sec.  164.502  Uses and disclosures of protected health information: 
General rules.

    (a) * * *
    (1) * * *
    (vi) As permitted by and in compliance with any of the following:
    (A) This section.
    (B) Section 164.512 and, where applicable, Sec.  164.509.
    (C) Section 164.514(e), (f), or (g).
* * * * *
    (5) * * *
    (iii) Reproductive health care--(A) Prohibition. Subject to 
paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or 
business associate may not use or disclose protected health information 
for any of the following activities:
    (1) To conduct a criminal, civil, or administrative investigation 
into any person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care.
    (2) To impose criminal, civil, or administrative liability on any 
person for the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care.
    (3) To identify any person for any purpose described in paragraphs 
(a)(5)(iii)(A)(1) or (2) of this section.
    (B) Rule of applicability. The prohibition at paragraph 
(a)(5)(iii)(A) of this section applies only where the relevant activity 
is in connection with any person seeking, obtaining, providing, or 
facilitating reproductive health care, and the covered entity or 
business associate that received the request for protected health 
information has reasonably determined that one or more of the following 
conditions exists:
    (1) The reproductive health care is lawful under the law of the 
state in which such health care is provided under the circumstances in 
which it is provided.
    (2) The reproductive health care is protected, required, or 
authorized by Federal law, including the United States Constitution, 
under the circumstances in which such health care is provided, 
regardless of the state in which it is provided.
    (3) The presumption at paragraph (a)(5)(iii)(C) of this section 
applies.
    (C) Presumption. The reproductive health care provided by another 
person is presumed lawful under paragraph (a)(5)(iii)(B)(1) or (2) of 
this section unless the covered entity or business associate has any of 
the following:
    (1) Actual knowledge that the reproductive health care was not 
lawful under the circumstances in which it was provided.
    (2) Factual information supplied by the person requesting the use 
or disclosure of protected health information that demonstrates a 
substantial factual basis that the reproductive health care was not 
lawful under the specific circumstances in which it was provided.
    (D) Scope. For the purposes of this subpart, seeking, obtaining, 
providing, or facilitating reproductive health care includes, but is 
not limited to, any of the following: expressing interest in, using, 
performing, furnishing, paying for, disseminating information about, 
arranging, insuring, administering, authorizing, providing coverage 
for, approving, counseling about, assisting, or otherwise taking action 
to engage in reproductive health care; or attempting any of the same.
* * * * *
    (g) * * *
    (5) Implementation specification: Abuse, neglect, endangerment 
situations. Notwithstanding a State law or any requirement of this 
paragraph to the contrary, a covered entity may elect not to treat a 
person as the personal representative, provided that the conditions at 
paragraphs (g)(5)(i) and (ii) of this section are met:
    (i) Paragraphs (g)(5)(i)(A) and (B) of this section both apply.
    (A) The covered entity has a reasonable belief that any of the 
following is true:
    (1) The individual has been or may be subjected to domestic 
violence, abuse, or neglect by such person.
    (2) Treating such person as the personal representative could 
endanger the individual.
    (B) The covered entity, in the exercise of professional judgment, 
decides that it is not in the best interest of the individual to treat 
the person as the individual's personal representative.
    (ii) The covered entity does not have a reasonable belief under 
paragraph (g)(5)(i)(A) of this section if the basis for their belief is 
the provision or facilitation of reproductive health care by such 
person for and at the request of the individual.
* * * * *

0
5. Add Sec.  164.509 to read as follows:


Sec.  164.509  Uses and disclosures for which an attestation is 
required.

    (a) Standard: Attestations for certain uses and disclosures of 
protected health information to persons other than covered entities or 
business associates. (1) A covered entity or business associate may not 
use or disclose protected health information potentially related to 
reproductive health care for purposes specified in Sec.  164.512(d), 
(e), (f), or (g)(1), without obtaining an attestation that is valid 
under paragraph (b)(1) of this section from the person requesting the 
use or disclosure and complying with all applicable conditions of this 
part.
    (2) A covered entity or business associate that uses or discloses 
protected health information potentially related to reproductive health 
care for purposes specified in Sec.  164.512(d), (e), (f), or (g)(1), 
in reliance on an attestation that is defective under paragraph (b)(2) 
of this section, is not in compliance with this section.
    (b) Implementation specifications: General requirements--(1) Valid 
attestations. (i) A valid attestation is a document that meets the 
requirements of paragraph (c)(1) of this section.
    (ii) A valid attestation verifies that the use or disclosure is not 
otherwise prohibited by Sec.  164.502(a)(5)(iii).
    (iii) A valid attestation may be electronic, provided that it meets 
the requirements in paragraph (c)(1) of this section, as applicable.
    (2) Defective attestations. An attestation is not valid if the 
document submitted has any of the following defects:
    (i) The attestation lacks an element or statement required by 
paragraph (c) of this section.
    (ii) The attestation contains an element or statement not required 
by paragraph (c) of this section
    (iii) The attestation violates paragraph (b)(3) of this section.

[[Page 33064]]

    (iv) The covered entity or business associate has actual knowledge 
that material information in the attestation is false.
    (v) A reasonable covered entity or business associate in the same 
position would not believe that the attestation is true with respect to 
the requirement at paragraph (c)(1)(iv) of this section.
    (3) Compound attestation. An attestation may not be combined with 
any other document except where such other document is needed to 
satisfy the requirements at paragraph (c)(iv) of this section or at 
Sec.  164.502(a)(5)(iii)(C), as applicable.
    (c) Implementation specifications: Content requirements and other 
obligations--(1) Required elements. A valid attestation under this 
section must contain the following elements:
    (i) A description of the information requested that identifies the 
information in a specific fashion, including one of the following:
    (A) The name of any individual(s) whose protected health 
information is sought, if practicable.
    (B) If including the name(s) of any individual(s) whose protected 
health information is sought is not practicable, a description of the 
class of individuals whose protected health information is sought.
    (ii) The name or other specific identification of the person(s), or 
class of persons, who are requested to make the use or disclosure.
    (iii) The name or other specific identification of the person(s), 
or class of persons, to whom the covered entity is to make the 
requested use or disclosure.
    (iv) A clear statement that the use or disclosure is not for a 
purpose prohibited under Sec.  164.502(a)(5)(iii).
    (v) A statement that a person may be subject to criminal penalties 
pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation 
of HIPAA obtains individually identifiable health information relating 
to an individual or discloses individually identifiable health 
information to another person.
    (vi) Signature of the person requesting the protected health 
information, which may be an electronic signature, and date. If the 
attestation is signed by a representative of the person requesting the 
information, a description of such representative's authority to act 
for the person must also be provided.
    (2) Plain language requirement. The attestation must be written in 
plain language.
    (d) Material misrepresentations. If, during the course of using or 
disclosing protected health information in reasonable reliance on a 
facially valid attestation, a covered entity or business associate 
discovers information reasonably showing that any representation made 
in the attestation was materially false, leading to a use or disclosure 
for a purpose prohibited under Sec.  164.502(a)(5)(iii), the covered 
entity or business associate must cease such use or disclosure.
* * * * *

0
6. Amend Sec.  164.512 by:
0
a. Revising the introductory text and the paragraph (c) paragraph 
heading;
0
b. Adding paragraph (c)(3); and
0
c. Revising paragraph (f)(1)(ii)(C) introductory text.
    The revisions and addition read as follows:


Sec.  164.512  Uses and disclosures for which an authorization or 
opportunity to agree or object is not required.

    Except as provided by Sec.  164.502(a)(5)(iii), a covered entity 
may use or disclose protected health information without the written 
authorization of the individual, as described in Sec.  164.508, or the 
opportunity for the individual to agree or object as described in Sec.  
164.510, in the situations covered by this section, subject to the 
applicable requirements of this section and Sec.  164.509. When the 
covered entity is required by this section to inform the individual of, 
or when the individual may agree to, a use or disclosure permitted by 
this section, the covered entity's information and the individual's 
agreement may be given verbally.
* * * * *
    (c) Standard: Disclosures about victims of abuse, neglect, or 
domestic violence--* * *
    (3) Rule of construction. Nothing in this section shall be 
construed to permit disclosures prohibited by Sec.  164.502(a)(5)(iii) 
when the sole basis of the report of abuse, neglect, or domestic 
violence is the provision or facilitation of reproductive health care.
* * * * *
    (f) * * *
    (1) * * *
    (ii) * * *
    (C) An administrative request for which response is required by 
law, including an administrative subpoena or summons, a civil or an 
authorized investigative demand, or similar process authorized under 
law, provided that:
* * * * *

0
7. Amend Sec.  164.520 by:
0
a. Revising and republish paragraphs (a) and (b); and
0
b. Adding paragraph (d)(4).
    The revisions and additions read as follows:


Sec.  164.520  Notice of privacy practices for protected health 
information.

* * * * *
    (a) Standard: Notice of privacy practices--(1) Right to notice. 
Except as provided by paragraph (a)(3) or (4) of this section, an 
individual has a right to adequate notice of the uses and disclosures 
of protected health information that may be made by the covered entity, 
and of the individual's rights and the covered entity's legal duties 
with respect to protected health information.
    (2) Notice requirements for covered entities creating or 
maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 
2.22, an individual who is the subject of records protected under 42 
CFR part 2 has a right to adequate notice of the uses and disclosures 
of such records, and of the individual's rights and the covered 
entity's legal duties with respect to such records.
    (3) Exception for group health plans. (i) An individual enrolled in 
a group health plan has a right to notice:
    (A) From the group health plan, if, and to the extent that, such an 
individual does not receive health benefits under the group health plan 
through an insurance contract with a health insurance issuer or HMO; or
    (B) From the health insurance issuer or HMO with respect to the 
group health plan through which such individuals receive their health 
benefits under the group health plan.
    (ii) A group health plan that provides health benefits solely 
through an insurance contract with a health insurance issuer or HMO, 
and that creates or receives protected health information in addition 
to summary health information as defined in Sec.  164.504(a) or 
information on whether the individual is participating in the group 
health plan, or is enrolled in or has disenrolled from a health 
insurance issuer or HMO offered by the plan, must:
    (A) Maintain a notice under this section; and
    (B) Provide such notice upon request to any person. The provisions 
of paragraph (c)(1) of this section do not apply to such group health 
plan.
    (iii) A group health plan that provides health benefits solely 
through an insurance contract with a health insurance issuer or HMO, 
and does not create or receive protected health information other than 
summary health information as defined in Sec.  164.504(a) or 
information on whether an individual is participating in the group 
health plan, or is enrolled in or has disenrolled from a health 
insurance issuer or HMO

[[Page 33065]]

offered by the plan, is not required to maintain or provide a notice 
under this section.
    (4) Exception for inmates. An inmate does not have a right to 
notice under this section, and the requirements of this section do not 
apply to a correctional institution that is a covered entity.
    (b) Implementation specifications: Content of notice--(1) Required 
elements. The covered entity, including any covered entity receiving or 
maintaining records subject to 42 U.S.C. 290dd-2, must provide a notice 
that is written in plain language and that contains the elements 
required by this paragraph.
    (i) Header. The notice must contain the following statement as a 
header or otherwise prominently displayed:

    ``THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE 
USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. 
PLEASE REVIEW IT CAREFULLY.''

    (ii) Uses and disclosures. The notice must contain:
    (A) A description, including at least one example, of the types of 
uses and disclosures that the covered entity is permitted by this 
subpart to make for each of the following purposes: treatment, payment, 
and health care operations.
    (B) A description of each of the other purposes for which the 
covered entity is permitted or required by this subpart to use or 
disclose protected health information without the individual's written 
authorization.
    (C) If a use or disclosure for any purpose described in paragraphs 
(b)(1)(ii)(A) or (B) of this section is prohibited or materially 
limited by other applicable law, such as 42 CFR part 2, the description 
of such use or disclosure must reflect the more stringent law as 
defined in Sec.  160.202 of this subchapter.
    (D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of 
this section, the description must include sufficient detail to place 
the individual on notice of the uses and disclosures that are permitted 
or required by this subpart and other applicable law, such as 42 CFR 
part 2.
    (E) A description of the types of uses and disclosures that require 
an authorization under Sec.  164.508(a)(2)-(a)(4), a statement that 
other uses and disclosures not described in the notice will be made 
only with the individual's written authorization, and a statement that 
the individual may revoke an authorization as provided by Sec.  
164.508(b)(5).
    (F) A description, including at least one example, of the types of 
uses and disclosures prohibited under Sec.  164.502(a)(5)(iii) in 
sufficient detail for an individual to understand the prohibition.
    (G) A description, including at least one example, of the types of 
uses and disclosures for which an attestation is required under Sec.  
164.509.
    (H) A statement adequate to put the individual on notice of the 
potential for information disclosed pursuant to this subpart to be 
subject to redisclosure by the recipient and no longer protected by 
this subpart
    (iii) Separate statements for certain uses or disclosures. If the 
covered entity intends to engage in any of the following activities, 
the description required by paragraph (b)(1)(ii)(A) or (B) of this 
section must include a separate statement informing the individual of 
such activities, as applicable:
    (A) In accordance with Sec.  164.514(f)(1), the covered entity may 
contact the individual to raise funds for the covered entity and the 
individual has a right to opt out of receiving such communications;
    (B) In accordance with Sec.  164.504(f), the group health plan, or 
a health insurance issuer or HMO with respect to a group health plan, 
may disclose protected health information to the sponsor of the plan;
    (C) If a covered entity that is a health plan, excluding an issuer 
of a long-term care policy falling within paragraph (1)(viii) of the 
definition of health plan, intends to use or disclose protected health 
information for underwriting purposes, a statement that the covered 
entity is prohibited from using or disclosing protected health 
information that is genetic information of an individual for such 
purposes;
    (D) Substance use disorder treatment records received from programs 
subject to 42 CFR part 2, or testimony relaying the content of such 
records, shall not be used or disclosed in civil, criminal, 
administrative, or legislative proceedings against the individual 
unless based on written consent, or a court order after notice and an 
opportunity to be heard is provided to the individual or the holder of 
the record, as provided in 42 CFR part 2. A court order authorizing use 
or disclosure must be accompanied by a subpoena or other legal 
requirement compelling disclosure before the requested record is used 
or disclosed; or
    (E) If a covered entity that creates or maintains records subject 
to 42 CFR part 2 intends to use or disclose such records for 
fundraising for the benefit of the covered entity, the individual must 
first be provided with a clear and conspicuous opportunity to elect not 
to receive any fundraising communications.
    (iv) Individual rights. The notice must contain a statement of the 
individual's rights with respect to protected health information and a 
brief description of how the individual may exercise these rights, as 
follows:
    (A) The right to request restrictions on certain uses and 
disclosures of protected health information as provided by Sec.  
164.522(a), including a statement that the covered entity is not 
required to agree to a requested restriction, except in case of a 
disclosure restricted under Sec.  164.522(a)(1)(vi);
    (B) The right to receive confidential communications of protected 
health information as provided by Sec.  164.522(b), as applicable;
    (C) The right to inspect and copy protected health information as 
provided by Sec.  164.524;
    (D) The right to amend protected health information as provided by 
Sec.  164.526;
    (E) The right to receive an accounting of disclosures of protected 
health information as provided by Sec.  164.528; and
    (F) The right of an individual, including an individual who has 
agreed to receive the notice electronically in accordance with 
paragraph (c)(3) of this section, to obtain a paper copy of the notice 
from the covered entity upon request.
    (v) Covered entity's duties. The notice must contain:
    (A) A statement that the covered entity is required by law to 
maintain the privacy of protected health information, to provide 
individuals with notice of its legal duties and privacy practices, and 
to notify affected individuals following a breach of unsecured 
protected health information;
    (B) A statement that the covered entity is required to abide by the 
terms of the notice currently in effect; and
    (C) For the covered entity to apply a change in a privacy practice 
that is described in the notice to protected health information that 
the covered entity created or received prior to issuing a revised 
notice, in accordance with Sec.  164.530(i)(2)(ii), a statement that it 
reserves the right to change the terms of its notice and to make the 
new notice provisions effective for all protected health information 
that it maintains. The statement must also describe how it will provide 
individuals with a revised notice.
    (vi) Complaints. The notice must contain a statement that 
individuals may complain to the covered entity and

[[Page 33066]]

to the Secretary if they believe their privacy rights have been 
violated, a brief description of how the individual may file a 
complaint with the covered entity, and a statement that the individual 
will not be retaliated against for filing a complaint.
    (vii) Contact. The notice must contain the name, or title, and 
telephone number of a person or office to contact for further 
information as required by Sec.  164.530(a)(1)(ii).
    (viii) Effective date. The notice must contain the date on which 
the notice is first in effect, which may not be earlier than the date 
on which the notice is printed or otherwise published.
    (2) Optional elements. (i) In addition to the information required 
by paragraph (b)(1) of this section, if a covered entity elects to 
limit the uses or disclosures that it is permitted to make under this 
subpart, the covered entity may describe its more limited uses or 
disclosures in its notice, provided that the covered entity may not 
include in its notice a limitation affecting its right to make a use or 
disclosure that is required by law or permitted by Sec.  
164.512(j)(1)(i).
    (ii) For the covered entity to apply a change in its more limited 
uses and disclosures to protected health information created or 
received prior to issuing a revised notice, in accordance with Sec.  
164.530(i)(2)(ii), the notice must include the statements required by 
paragraph (b)(1)(v)(C) of this section.
    (3) Revisions to the notice. The covered entity must promptly 
revise and distribute its notice whenever there is a material change to 
the uses or disclosures, the individual's rights, the covered entity's 
legal duties, or other privacy practices stated in the notice. Except 
when required by law, a material change to any term of the notice may 
not be implemented prior to the effective date of the notice in which 
such material change is reflected.
* * * * *
    (d) * * *
* * * * *
    (4) The permission in paragraph (d) of this section for covered 
entities that participate in an organized health care arrangement to 
issue a joint notice may not be construed to remove any obligations or 
duties of entities creating or maintaining records subject to 42 U.S.C. 
290dd-2, or to remove any rights of patients who are the subjects of 
such records.
* * * * *

0
8. Add Sec.  164.535 to read as follows:


Sec.  164.535  Severability.

    If any provision of the HIPAA Privacy Rule to Support Reproductive 
Health Care Privacy is held to be invalid or unenforceable facially, or 
as applied to any person, plaintiff, or circumstance, it shall be 
construed to give maximum effect to the provision permitted by law, 
unless such holding shall be one of utter invalidity or 
unenforceability, in which case the provision shall be severable from 
this part and shall not affect the remainder thereof or the application 
of the provision to other persons not similarly situated or to other 
dissimilar circumstances.
* * * * *

Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2024-08503 Filed 4-22-24; 4:15 pm]
BILLING CODE 4153-01-P