AGENCY:
Office for Civil Rights (OCR), Office of the Secretary, Department of Health and Human Services.
ACTION:
Final rule.
SUMMARY:
The Department of Health and Human Services (HHS or “Department”) is issuing this final rule to modify the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The Department is issuing this final rule after careful consideration of all public comments received in response to the notice of proposed rulemaking (NPRM) for the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (“2023 Privacy Rule NPRM”) and public comments received on proposals to revise provisions of the HIPAA Privacy Rule in the NPRM for the Confidentiality of Substance Use Disorder (SUD) Patient Records (“2022 Part 2 NPRM”).
DATES:
Effective date: This final rule is effective on June 25, 2024.
Compliance date: Persons subject to this regulation must comply with the applicable requirements of this final rule by December 23, 2024, except for the applicable requirements of 45 CFR 164.520 in this final rule. Persons subject to this regulation must comply with the applicable requirements of 45 CFR 164.520 in this final rule by February 16, 2026.
FOR FURTHER INFORMATION CONTACT:
Marissa Gordon-Nguyen at (202) 240-3110 or (800) 537-7697 (TDD), or by email at OCRPrivacy@hhs.gov.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Executive Summary
A. Overview
B. Effective and Compliance Dates
1. 2023 Privacy Rule NPRM
2. Overview of Comments
3. Final Rule
4. Response to Public Comments
II. Statutory and Regulatory Background
A. Statutory Authority and History
1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
2. Health Information Technology for Economic and Clinical Health (HITECH) Act
B. Regulatory History
1. 2000 Privacy Rule
2. 2002 Privacy Rule
3. 2013 Omnibus Rule
4. 2024 Privacy Rule
III. Justification for This Rulemaking
A. HIPAA Encourages Trust and Confidence by Carefully Balancing Individuals' Privacy Interests With Others' Interests in Using or Disclosing PHI
1. Privacy Protections Ensure That Individuals Have Access to, and Are Comfortable Accessing, High-Quality Health Care
2. The Department's Approach to the Privacy Rule Has Long Sought To Balance the Interests of Individuals and Society
B. Developments in the Legal Environment Are Eroding Individuals' Trust in the Health Care System
C. To Protect the Trust Between Individuals and Health Care Providers, the Department Is Restricting Certain Uses and Disclosures of PHI for Particular Non-Health Care Purposes
IV. General Discussion of Public Comments
A. General Comments in Support of the Proposed Rule
B. General Comments in Opposition to the Proposed Rule
C. Other General Comments on the Proposed Rule
V. Summary of Final Rule Provisions and Public Comments and Responses
A. Section 160.103 Definitions
1. Clarifying the Definition of “Person”
2. Interpreting Terms Used in Section 1178(b) of the Social Security Act
3. Adding a Definition of “Reproductive Health Care”
4. Whether the Department Should Define Any Additional Terms
B. Section 164.502—Uses and Disclosures of Protected Health Information: General Rules
1. Clarifying When PHI May Be Used or Disclosed by Regulated Entities
2. Adding a New Category of Prohibited Uses and Disclosures
3. Clarifying Personal Representative Status in the Context of Reproductive Health Care
4. Request for Comments
C. Section 164.509—Uses and Disclosures for Which an Attestation is Required
1. Current Provision
2. Proposed Rule
3. Overview of Public Comments
4. Final Rule
5. Responses to Public Comments
D. Section 164.512—Uses and Disclosures for Which an Authorization or Opportunity To Agree or Object Is Not Required
1. Applying the Prohibition and Attestation Condition to Certain Permitted Uses and Disclosures
2. Making a Technical Correction to the Heading of 45 CFR 164.512(c) and Clarifying That Providing or Facilitating Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence
3. Clarifying the Permission for Disclosures Based on Administrative Processes
4. Request for Information on Current Processes for Receiving and Addressing Requests Pursuant to 164.512(d) Through (g)(1)
E. Section 164.520—Notice of Privacy Practices for Protected Health Information
1. Current Provision
2. CARES Act
3. Proposals in 2022 Part 2 NPRM and 2023 Privacy Rule NPRM
4. Overview of Public Comments
5. Final Rule
6. Responses to Public Comments
F. Section 164.535—Severability
G. Comments on Other Provisions of the HIPAA Rules
VI. Regulatory Impact Analysis
A. Executive Order 12866 and Related Executive Orders on Regulatory Review
1. Summary of Costs and Benefits
2. Baseline Conditions
3. Costs of the Rule
B. Regulatory Alternatives to the Final Rule
C. Regulatory Flexibility Act—Small Entity Analysis
D. Executive Order 13132—Federalism
E. Assessment of Federal Regulation and Policies on Families
F. Paperwork Reduction Act of 1995
Explanation of Estimated Annualized Burden Hours
Table of Acronyms
Term | Meaning |
---|---|
AMA | American Medical Association. |
API | Application Programming Interface. |
CARES Act | Coronavirus Aid, Relief, and Economic Security Act. |
CDC | Centers for Disease Control and Prevention. |
CLIA | Clinical Laboratory Improvement Amendments of 1988. |
CMS | Centers for Medicare & Medicaid Services. |
DOD | Department of Defense. |
Department or HHS | Department of Health and Human Services. |
EHR | Electronic Health Record. |
E.O. | Executive Order. |
FDA | Food and Drug Administration. |
FHIR® | Fast Healthcare Interoperability Resources®. |
FTC | Federal Trade Commission. |
GINA | Genetic Information Nondiscrimination Act of 2008. |
Health IT | Health Information Technology. |
HIE | Health Information Exchange. |
HIPAA | Health Insurance Portability and Accountability Act of 1996. |
HITECH Act | Health Information Technology for Economic and Clinical Health Act of 2009. |
ICR | Information Collection Request. |
IIHI | Individually Identifiable Health Information. |
NCVHS | National Committee on Vital and Health Statistics. |
NICS | National Instant Criminal Background Check System. |
NPP | Notice of Privacy Practices. |
NPRM | Notice of Proposed Rulemaking. |
OCR | Office for Civil Rights. |
OHCA | Organized Health Care Arrangement. |
OMB | Office of Management and Budget. |
ONC | Office of the National Coordinator for Health Information Technology. |
PHI | Protected Health Information. |
PRA | Paperwork Reduction Act of 1995. |
RFA | Regulatory Flexibility Act. |
RIA | Regulatory Impact Analysis. |
SBA | Small Business Administration. |
SSA | Social Security Act of 1935. |
TPO | Treatment, Payment, or Health Care Operations. |
UMRA | Unfunded Mandates Reform Act of 1995. |
I. Executive Summary
A. Overview
In this final rule, the Department of Health and Human Services (HHS or “Department”) modifies certain provisions of the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), issued pursuant to section 264 of the Administrative Simplification provisions of title II, subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule is one of several rules, collectively known as the HIPAA Rules, that protect the privacy and security of individuals' protected health information (PHI), which is individually identifiable health information (IIHI) transmitted by or maintained in electronic media or any other form or medium, with certain exceptions.
Subtitle F of title II of HIPAA (Pub. L. 104-191, 110 Stat. 1936 (Aug. 21, 1996)) added a new part C to title XI of the Social Security Act of 1935 (SSA), Public Law 74-271, 49 Stat. 620 (Aug. 14, 1935), ( see sections 1171-1179 of the SSA (codified at 42 U.S.C. 1320d-1320d-8)), as well as promulgating section 264 of HIPAA (codified at 42 U.S.C. 1320d-2 note), which authorizes the Secretary to promulgate regulations with respect to the privacy of individually identifiable health information. The Privacy Rule has subsequently been amended pursuant to the Genetic Information Nondiscrimination Act of 2008 (GINA), title I, section 105, Public Law 110-233, 122 Stat. 881 (May 21, 2008) (codified at 42 U.S.C. 2000ff), and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Public Law 111-5, 123 Stat. 226 (Feb. 17, 2009) (codified at 42 U.S.C. 1390w-4(O)(2)).
45 CFR parts 160 and 164, subparts A and E. For a history of the Privacy Rule, see infra Section II.B., “Regulatory History.”
See also the HIPAA Security Rule, 45 CFR parts 160 and 164, subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part 164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, and E.
45 CFR 160.103 (definition of “Protected health information”).
42 U.S.C. 1320d. See also45 CFR 160.103 (definition of “Individually identifiable health information”).
At times throughout this final rule, the Department uses the terms “health information” or “individuals' health information” to refer generically to health information pertaining to an individual or individuals. In contrast, the Department's use of the term “IIHI” refers to a category of health information defined in HIPAA, and “PHI” is used to refer specifically to a category of IIHI that is defined by and subject to the privacy and security standards promulgated in the HIPAA Rules.
The Privacy Rule requires the disclosure of PHI only in the following circumstances: when required by the Secretary to investigate a regulated entity's compliance with the Privacy Rule and to the individual pursuant to the individual's right of access and the individual's right to an accounting of disclosures. Any other uses or disclosures described in the Privacy Rule are either permitted or prohibited, as specified in the Privacy Rule. For example, the Privacy Rule permits, but does not require, a regulated entity to disclose PHI to conduct quality improvement activities when applicable conditions are met, and it prohibits a regulated entity from selling PHI except pursuant to and in compliance with 45 CFR 164.508(a)(4).
See45 CFR 164.502(2) and (4).
See45 CFR 164.512(i) and 164.502(a)(5)(ii).
In accordance with its statutory mandate, the Department promulgated the Privacy Rule and continues to administer and enforce it to ensure that individuals are not afraid to seek health care from, or share important information with, their health care providers because of a concern that their sensitive information will be disclosed outside of their relationship with their health care provider. Protecting privacy promotes trust between health care providers and individuals, advancing access to and improving the quality of health care. To achieve this goal, the Department generally has applied the same privacy standards to nearly all PHI, regardless of the type of health care at issue. Notably, special protections were given to psychotherapy notes, owing in part to the particularly sensitive information those notes contain.
See45 CFR 164.501 and 164.508(a)(2).
Under its statutory authority to administer and enforce the HIPAA Rules, the Department may modify the HIPAA Rules as needed. The Supreme Court decision in Dobbs v. Jackson Women's Health Organization ( Dobbs ) overturned precedent that protected a constitutional right to abortion and altered the legal and health care landscape. This decision has far-reaching implications for reproductive health care beyond its effects on access to abortion. This changing legal landscape increases the likelihood that an individual's PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect, including the trust of individuals in health care providers and the health care system. The threat that PHI will be disclosed and used to conduct such an investigation against, or to impose liability upon, an individual or another person is likely to chill an individual's willingness to seek lawful health care treatment or to provide full information to their health care providers when obtaining that treatment, and on the willingness of health care providers to provide such care. These developments in the legal environment increase the potential that use and disclosure of PHI about an individual's reproductive health will undermine access to and the quality of health care generally.
Section 1174(b)(1) of Public Law 104-191 (codified at 42 U.S.C. 1320d-3).
597 U.S. 215 (2022).
See Melissa Suran, “Treating Cancer in Pregnant Patients After Roe v Wade Overturned,” JAMA (Sept. 29, 2022), https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2797062?resultClick=1 and Rita Rubin, “How Abortion Bans Could Affect Care for Miscarriage and Infertility,” JAMA (June 28, 2022), https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2793921?resultClick=1.
See infra National Committee on Vital and Health Statistics (NCVHS) discussion, Section II.A.1., expressing concern for harm caused by disclosing identifiable health information for non-health care purposes.
See Whitney S. Rice et al. “ `Post- Roe ' Abortion Policy Context Heightens Imperative for Multilevel, Comprehensive, Integrated Health Education,” (Sept. 29, 2022), https://journals.sagepub.com/doi/full/10.1177/10901981221125399 (“New ethical and legal complexities around patient counseling are emerging, particularly in states limiting or eliminating abortion access, due to more extreme abortion restrictions. Clinicians in such contexts may be forced to adhere to legal requirements of states which run counter to well-being and desires of patients, violating the medical principles of beneficence and respect for patient autonomy”).
In order to continue to protect privacy in a manner that promotes trust between individuals and health care providers and advances access to, and improves the quality of, health care, we have determined that the Privacy Rule must be modified to limit the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual's PHI about reproductive health care for certain non-health care purposes, where such use or disclosure could be detrimental to privacy of the individual or another person or the individual's trust in their health care providers. This determination was informed by our expertise in administering the Privacy Rule, questions we have received from members of the public and Congress, comments we received on the 2023 HIPAA Privacy Rule to Support Reproductive Health Care Privacy notice of proposed rulemaking (NPRM) (“2023 Privacy Rule NPRM”), and our analysis of the state of privacy for IIHI.
88 FR 23506 (Apr. 17, 2023).
This final rule (“2024 Privacy Rule”) amends provisions of the Privacy Rule to strengthen privacy protections for highly sensitive PHI about the reproductive health care of an individual, and directly advances the purposes of HIPAA by setting minimum protections for PHI and providing peace of mind that is essential to individuals' ability to obtain lawful reproductive health care. This final rule balances the interests of society in obtaining PHI for non-health care purposes with the interests of the individual, the Federal Government, and society in protecting individual privacy, thereby improving the effectiveness of the health care system by ensuring that persons are not deterred from seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided.
The Department carefully analyzed state prohibitions and restrictions on an individual's ability to obtain high-quality health care and their effects on health information privacy and the relationships between individuals and their health care providers after Dobbs; assessed trends in state legislative activity with respect to the privacy of PHI; and conducted a thorough review of the text, history, and purposes of HIPAA and the Privacy Rule. The Department also engaged in extensive discussions with HHS agencies and other Federal departments, including the Department of Justice; consulted with the National Committee on Vital and Health Statistics (NCVHS) and the Attorney General as required by section 264(d) of HIPAA, and with Indian Tribes as required by Executive Order 13175; held listening sessions with and reviewed correspondence from stakeholders, including covered entities, states, individuals, and patient advocates; and reviewed correspondence to HHS from Members of Congress. The modifications made to the Privacy Rule by this final rule are the result of this work.
See65 FR 67249 (Nov. 11, 2000). See also Presidential Memorandum on Tribal Consultation and Strengthening Nation-to-Nation Relationships (Jan. 26, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/01/26/memorandum-on-tribal-consultation-and-strengthening-nation-to-nation-relationships/ and Dep't of Health and Human Servs., Tribal Consultation Policy, https://www.hhs.gov/sites/default/files/iea/tribal/tribalconsultation/hhs-consultation-policy.pdf. See also88 FR 23506 (Apr. 17, 2023) (notice of Tribal consultation). The Department consulted with representatives of Tribal Nations on May 17, 2023. During the consultation, the representatives raised issues of health inequities and privacy of health information, specifically among American Indians and Alaskan Natives after Dobbs.
Letter from U.S. Senator Tammy Baldwin et al. to HHS Sec'y Xavier Becerra (Mar. 7, 2023) (addressing HIPAA privacy regulations and Dobbs v. Jackson Women's Health Organization). Letter from U.S. Senator Patty Murray et al. to HHS Sec'y Xavier Becerra (Sept. 13, 2022) (addressing HIPAA privacy regulations and Dobbs v. Jackson Women's Health Organization). Letter from U.S. Representative Earl Blumenauer et al. to HHS Sec'y Xavier Becerra (Aug. 30, 2022) (addressing HIPAA privacy regulations and Dobbs v. Jackson Women's Health Organization). Letter from U.S. Senator Michael F. Bennet et al. to HHS Sec'y Xavier Becerra (July 1, 2022) (addressing HIPAA privacy regulations and Dobbs v. Jackson Women's Health Organization).
B. Effective and Compliance Dates
1. 2023 Privacy Rule NPRM
In the 2023 Privacy Rule NPRM, the Department proposed an effective date for a final rule that would occur 60 days after publication, and a compliance date that would occur 180 days after the effective date. Taken together, the two dates would give entities 240 days after publication to implement compliance measures. In the preamble to the proposed rule, the Department stated that it did not believe that the proposed rule would pose unique implementation challenges that would justify an extended compliance period ( i.e., a period longer than the standard 180 days provided in 45 CFR 160.105). The Department also asserted that adherence to the standard compliance period is necessary to timely address the circumstances described in the 2023 Privacy Rule NPRM.
See id.
2. Overview of Comments
A commenter urged the Department to move quickly to issue the final rule and to provide a 180-day compliance period as proposed. Some commenters requested that the Department provide additional time for regulated entities to comply with the proposed modifications to the Privacy Rule. Several commenters requested that the Department coordinate compliance deadlines across its rulemakings, while a few commenters specifically encouraged the Department to provide additional time for compliance with the modifications to the Notice of Privacy Practices (NPP) requirements proposed in the 2023 Privacy Rule NPRM.
3. Final Rule
This final rule is effective on June 25, 2024. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to comply with the final rule's provisions, with the exception of the NPP provisions, which we address separately below. We understand that some covered entities and business associates remain concerned that a 180-day period may not provide sufficient time to come into compliance with the modified requirements. However, we believe that providing a 180-day compliance period best comports with section 1175(b)(2) of the Social Security Act of 1935 (SSA), 42 U.S.C. 1320d-4, and our implementing provision at 45 CFR 160.104(c)(1), which require the Secretary to provide at least a 180-day period for covered entities to comply with modifications to standards and implementation specifications in the HIPAA Rules, and also that providing a 180-day compliance period best protects the privacy and security of individuals' PHI in a timely manner that reflects the urgency of addressing the changes in the legal landscape and their effects on individuals, regulated entities, and other persons, while balancing the burden imposed upon regulated entities of implementing this final rule.
Section 160.104(a) permits the Department to adopt a modification to a standard or implementation specification adopted under the Privacy Rule no more frequently than once every 12 months. As discussed above, we are required to provide a minimum of a 180-day compliance period when adopting a modification, but we are permitted to provide a longer compliance period based on the extent of the modification and the time needed to comply with the modification in determining the compliance date for the modification. The Department makes every effort to consider the burden and cost of implementation for regulated entities when determining an appropriate compliance date.
While we recognize that regulated entities will need to revise and implement changes to their policies and procedures in response to the modifications in this final rule, we do not believe that these changes are so significant as to require more than a 180-day compliance period. This final rule narrowly tailors the application of its changes to certain limited circumstances involving lawful reproductive health care and clarifies that regulated entities are not expected to know or be aware of laws other than those with which they are required to comply. While it adds a condition to certain requests for uses and disclosures, the affected requests already require careful review by regulated entities for compliance with previously imposed conditions. Thus, we do not believe it will be difficult for regulated entities to adjust their policies and procedures to accommodate this new requirement. The other modifications finalized in this rule are in service of implementing the two changes above and impose minimal burden on regulated entities. Additionally, the Department believes, based on its evaluation of the evolving privacy landscape, that the changes made by this final rule are of particular urgency. Accordingly, we believe that a 180-day compliance period, combined with a 60-day effective date, is sufficient for regulated entities to make the changes required by most of the modifications in this final rule, with the exception of the NPP provisions.
We separately consider the question of the compliance date for the modifications to the NPP provisions. In the 2022 Confidentiality of Substance Use Disorder (SUD) Patient Records NPRM (“2022 Part 2 NPRM”), the Department proposed, among other things, to revise 45 CFR 164.520 as required by section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The Department proposed to provide the same compliance date for both the proposed modifications to 45 CFR 164.520 and the more extensive modifications to 42 CFR part 2 (“Part 2”). The 2024 Confidentiality of Substance Use Disorder (SUD) Patient Records Final Rule (“2024 Part 2 Rule”) explicitly noted that the Department was not finalizing the proposed modifications to the NPP provisions at that time, but that we planned to do so in a future HIPAA final rule. The Department also acknowledged that some covered entities might have NPPs that would not reflect updated changes to policies and procedures addressing how Part 2 records are used and disclosed. Rather than requiring covered entities to revise their NPPs twice in a short period of time, the Department announced in the 2024 Part 2 Rule that it would exercise enforcement discretion related to the requirement that covered entities update their NPPs whenever material changes are made to privacy practices until the compliance date established by a future HIPAA final rule. The Department is finalizing the modifications to the NPP required by section 3221 of the CARES Act in this rule and aligning the effective and compliance dates for all of the modified NPP requirements with those of the 2024 Part 2 Rule.
87 FR 74216 (Dec. 2, 2022).
Public Law 116-136, 134 Stat. 281 (Mar. 27, 2020).
89 FR 12472 (Feb. 16, 2024).
Id. at 12482, 12528, and 12530.
Id. at 12482, 12528, and 12530.
The compliance date of the 2024 Part 2 Rule is February 16, 2026, substantially later than the compliance date for most of this final rule, because of the significant changes required for compliance with the 2024 Part 2 Rule. Accordingly, in compliance with 45 CFR 160.104 and consistent with the NPP proposals included in the 2022 Part 2 NPRM and public comment, we are aligning the compliance date for the NPP changes required by this final rule with the compliance date for the 2024 Part 2 Rule so that covered entities regulated under both rules can implement all changes to their NPPs at the same time. Covered entities are expected to be in compliance with the modifications to 45 CFR 164.520 on February 16, 2026.
4. Response to Public Comments
Comment: One commenter expressed support for the proposal in the 2023 Privacy Rule NPRM to establish a 180-day compliance date and urged the Department to issue a final rule quickly. Some commenters sought an extension of the compliance date for twelve to eighteen months, explaining that extensive policy and legal work, process and software changes, documentation and training would be required to implement the 2023 Privacy Rule NPRM.
One commenter suggested phasing in the attestation requirement so that “downstream” regulated entities, such as business associates and managed care organizations, would have a later compliance date than health care providers.
Response: We appreciate the commenters' suggestions, but as discussed above, based on our assessment, we do not believe the modifications required by this final rule will require longer to implement.
Comment: Some commenters requested that the Department coordinate compliance deadlines of final rules that revise the Privacy Rule or publish one final rule addressing the proposals in the NPRMs to enable regulated entities to leverage the resources required to implement the changes to achieve compliance with all of the new requirements at one time.
One commenter explained that each NPRM would involve operational changes requiring significant resources and effort and expressed their belief that a single comprehensive final rule would allow regulated entities to make all of the required changes, including revisions to policies and procedures, development of new or revised workflows, electronic health record (EHR) updates, and technology enhancements.
Response: We appreciate the commenters' suggestion, but we do not believe that it is necessary to fully align the compliance dates for the 2024 Part 2 Rule and the 2024 Privacy Rule. By imposing separate compliance deadlines, we are able to act more quickly to protect the privacy of PHI.
However, consistent with 45 CFR 160.104 and as requested by public comment, we are applying the same compliance date for covered entities to revise their NPPs to address modifications made to 45 CFR 164.520 in response to and consistent with the CARES Act and to support reproductive health care privacy. The compliance date for the NPP provisions is February 16, 2026. Part 2 programs, including those that are covered entities, can choose to implement the changes to their NPPs that are required by the 2024 Part 2 Rule prior to the compliance date, but there is no requirement that they do so.
89 FR 12472 (Feb. 16, 2024).
II. Statutory and Regulatory Background
A. Statutory Authority and History
1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
In 1996, Congress enacted HIPAA to reform the health care delivery system to “improve portability and continuity of health insurance coverage in the group and individual markets.” To enable health care delivery system reform, Congress included in HIPAA requirements for standards to support the electronic exchange of health information. According to section 261, “[i]t is the purpose of this subtitle to improve [. . .] the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information [. . .].” Congress applied the Administrative Simplification provisions directly to three types of entities known as “covered entities”—health plans, health care clearinghouses, and health care providers who transmit information electronically in connection with a transaction for which HHS has adopted a standard.
Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996).
See H.R. Rep. No. 104-496, at 66-67 (1996).
42 U.S.C. 1320d note (Statutory Notes and Related Subsidiaries: Purpose). Subtitle F also amended related provisions of the SSA.
See section 262 of Public Law 104-191, adding section 1172 to the SSA (codified at 42 U.S.C. 1320d-1). See also section 13404 of the American Recovery and Reinvestment Act of 2009, Public Law 111-5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 17934) (applying privacy provisions and penalties to business associates of covered entities).
Section 262(a) of HIPAA required the Secretary to adopt uniform standards “to enable health information to be exchanged electronically.” Congress directed the Secretary to adopt standards for unique identifiers to identify individuals, employers, health plans, and health care providers across the nation and standards for, among other things, transactions and data elements relating to health information, the security of that information, and verification of electronic signatures.
42 U.S.C. 1320d2(a)(1).
42 U.S.C. 1320d-2(a), (c), and (f).
Congress recognized that the standardization of certain electronic health care transactions required by HIPAA posed risks to the privacy of confidential health information and viewed individual privacy, confidentiality, and data security as critical for orderly administrative simplification. Thus, as explained in the preamble to the 2023 Privacy Rule NPRM, Congress provided the Department with the authority to regulate the privacy of IIHI. According to one Member of Congress, privacy standards would create an additional layer of protection beyond the oath pledged by health care providers to keep information secure and, as described by another Member, would further protect information from being used in a “malicious or discriminatory manner.” Congress intended for the law to enhance individuals' trust in health care providers, which required that the law provide additional protection for the confidentiality of IIHI. As described by a Member of Congress: “The bill would also establish strict security standards for health information because Americans clearly want to make sure that their health care records can only be used by the medical professionals that treat them. Often, we assume that because doctors take an oath of confidentiality that in fact all who touch their records operate by the same standards. Clearly, they do not.” Moreover, Congress considered that health care reform required an approach that would not compromise privacy as health information became more accessible.
On a resolution waiving points of order against the Conference Report to H.R. 3103, members debated an “erosion of privacy” balanced against the administrative simplification provisions. Thus, from HIPAA's inception, privacy has been a central concern to be addressed as legislative changes eased disclosures of PHI. See 142 Cong. Rec. H9777 and H9780; see also H.R. Rep. No. 104-736, at 177 and 264 (1996); 142 Cong. Rec. H9780 (daily ed. Aug. 1, 1996) (statement of Rep. Sawyer); 142 Cong. Rec. H9792 (daily ed. Aug. 1, 1996) (statement of Rep. McDermott); and 142 Cong. Rec. S9515-16 (daily ed. Aug. 2, 1996) (statement of Sen. Simon).
88 FR 23506, 23511 (Apr. 17, 2023).
See statement of Rep. Sawyer, supra note 37. See also statement of Sen. Simon, supra note 37.
Statement of Rep. Sawyer, supra note 37.
See H.R. Rep. No. 104-496 Part 1, at 99-100 (Mar. 25, 1996).
Accordingly, section 264(a) directed the Secretary to submit to Congress detailed recommendations for Federal “standards with respect to the privacy of [IIHI]” nationwide within one year of HIPAA's enactment. The statute made clear that the Secretary had the authority to promulgate regulations if Congress did not enact legislation covering these matters within three years. Congress directed the Secretary to ensure that the regulations promulgated “address at least” the following three subjects: (1) the rights that an individual who is a subject of IIHI should have; (2) the procedures that should be established for the exercise of such rights; and (3) the uses and disclosures of such information that should be authorized or required.
42 U.S.C. 1320d-2 note.
Id.
Id.
Additionally, Congress provided a clear statement that HIPAA's provisions would “supersede any contrary provision of State law,” with certain limited exceptions. One exception to this general preemption authority is for “state privacy laws that are contrary to and more stringent than the corresponding federal standard, requirement, or implementation specification.” Thus, Congress intended for the Department to create privacy standards to safeguard health information while respecting the ability of states to provide individuals with additional health information privacy.
65 FR 82580 (the exception applies under section 1178(a)(2)(B) of the SSA and section 264(c)(2) of HIPAA).
Congress required the Secretary to consult with the NCVHS, thereby ensuring that the Secretary's decisions reflected public and expert involvement and advice in carrying out the requirements of section 264. NCVHS sent its initial recommendations to the Secretary in a letter to the Secretary on June 27, 1997. Importantly, NCVHS advised that “strong substantive and procedural protections” should be imposed if health information were to be disclosed to law enforcement, and, where identifiable health information would be made available for non-health purposes, individuals should be afforded assurances that their data would not be used against them. Additionally, NCVHS “unanimously” recommended that “[. . .] the Secretary and the Administration assign the highest priority to the development of a strong position on health privacy that provides the highest possible level of protection for the privacy rights of patients.” NCVHS further noted that failure to do so would “undermine public confidence in the health care system, expose patients to continuing invasions of privacy, subject record keepers to potentially significant legal liability, and interfere with the ability of health care providers and others to operate the health care delivery and payment system in an effective and efficient manner,” which would undermine what Congress intended.
NCVHS serves as the Secretary's statutory public advisory body for health data, statistics, privacy, and national health information policy and HIPAA. NCVHS also advises the Secretary, “reports regularly to Congress on HIPAA implementation, and serves as a forum for interaction between HHS and interested private sector groups on a range of health data issues.” Nat'l Comm. On Vital and Health Statistics, “About NCVHS,” https://ncvhs.hhs.gov/; see also “NCVHS 60th Anniversary Symposium and History,” U.S. Dep't of Health and Human Servs., at 28-29 (Feb. 2011), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/60_years_of_difference.pdf .
See section 264(a) and (d) of Public Law 104-191 (codified at 42 U.S.C. 1320d-2 note).
Letter from NCVHS Chair Don E. Detmer to HHS Sec'y Donna E. Shalala (June 27, 1997) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/.
Id. at Principal Findings and Recommendations.
Id.
NCVHS further recommended that “any rules regulating disclosures of identifiable health information be as clear and as narrow as possible. Each group of users must be required to justify their need for health information and must accept reasonable substantive and procedural limitations on access.” According to NCVHS, this would allow for the disclosures that society deemed necessary and appropriate while providing individuals with clear expectations regarding their health information privacy.
Id. at Third-Party Disclosures.
As we noted in the 2023 Privacy Rule NPRM, Congress contemplated that the Department's rulemaking authorities under HIPAA would not be static. Congress specifically built in a mechanism to adapt such regulations as technology and health care evolve, directing that the Secretary review and modify the Administrative Simplification standards as determined appropriate, but not more frequently than once every 12 months. That statutory directive complements the Secretary's general rulemaking authority to “make and publish such rules and regulations, not inconsistent with this chapter, as may be necessary to the efficient administration of the functions with which each is charged under this chapter.”
88 FR 23506, 23513 (Apr. 17, 2023).
See section 1174(b)(1) of Public Law 104-191 (codified at 42 U.S.C. 1320d-3).
Section 1102 of the SSA (codified at 42 U.S.C. 1302).
2. Health Information Technology for Economic and Clinical Health (HITECH) Act
On February 17, 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) to promote the widespread adoption and standardization of health information technology (health IT). The HITECH Act included additional HIPAA privacy and security requirements for covered entities and business associates and expanded certain rights of individuals with respect to their PHI.
Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law 111-5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 201 note).
Congress understood the importance of a relationship between a connected health IT landscape, “a necessary and vital component of health care reform,” and privacy and security standards when it enacted the HITECH Act. The Purpose statement of an accompanying House of Representatives report on the Energy and Commerce Recovery and Reinvestment Act recognizes that “[i]n addition to costs, concerns about the security and privacy of health information have also been regarded as an obstacle to the adoption of [health IT].” The Senate Report for S. 336 similarly acknowledges that “[i]nformation technology systems linked securely and with strong privacy protections can improve the quality and efficiency of health care while producing significant cost savings.” As the Department explained in the 2013 regulation referred to as the “Omnibus Rule” and discussed in greater detail below, the HITECH Act's additional HIPAA privacy and security requirements supported Congress' goal of promoting widespread adoption and interoperability of health IT by “strengthen[ing] the privacy and security protections for health information established by HIPAA.”
C. Stephen Redhead, Cong. Rsch. Serv., R40161, “The Health Information Technology for Economic and Clinical Health (HITECH) Act,” (2009), https://crsreports.congress.gov/product/pdf/R/R40161/9 (“[Health IT], which generally refers to the use of computer applications in medical practice, is widely viewed as a necessary and vital component of health care reform.”).
H.R. Rep. No. 111-7, at 74 (2009), accompanying H.R. 629, 111th Cong.
H.R. 629, Energy and Commerce Recovery and Reinvestment Act of 2009, introduced in the House on January 22, 2009, contained nearly identical provisions to subtitle D of the HITECH Act.
Congress enacted the American Recovery and Reinvestment Act of 2009, which included the HITECH Act, on February 17, 2009. While it was the House version of the bill, H.R. 1, that was enacted, the Senate version, S. 336, contained nearly identical provisions to subtitle D of the HITECH Act.
S. Rep. No. 111-3 accompanying S. 336, 111th Cong., at 59 (2009).
78 FR 5566 (Jan. 25, 2013).
Subtitle D of title XIII of the HITECH Act (codified at 42 U.S.C. 17921, 42 U.S.C. 17931-17941, and 42 U.S.C. 17951-17953).
78 FR 5566, 5568 (Jan. 25, 2013).
In passing the HITECH Act, Congress instructed the Department that any new health IT standards adopted under section 3004 of the Public Health Service Act (PHSA) must take into account the privacy and security requirements of the HIPAA Rules. Congress also affirmed that the existing HIPAA Rules were to remain in effect to the extent that they are consistent with the HITECH Act and directed the Secretary to revise the HIPAA Rules as necessary for consistency with the HITECH Act. Congress confirmed that the new law was not intended to have any effect on authorities already granted under HIPAA to the Department, including section 264 of that statute and the regulations issued under that provision. Congress thus affirmed the Secretary's ongoing rulemaking authority to modify the Privacy Rule's standards and implementation specifications as often as every 12 months when appropriate, including to strengthen privacy and security protections for IIHI.
Section 3009(a)(1)(B) of the PHSA, as added by section 13101 of the HITECH Act (codified at 42 U.S.C. 300jj-19(a)(1)).
Section 13421(b) of the HITECH Act (codified at 42 U.S.C. 17951).
Section 3009(a)(1)(A) of the PHSA, as added by section 13101 of the HITECH Act (codified at 42 U.S.C. 300jj-19(a)(1)).
B. Regulatory History
The Secretary has delegated the authority to administer the HIPAA Rules and to make decisions regarding their implementation, interpretation, and enforcement to the HHS Office for Civil Rights (OCR). Since the enactment of the HITECH Act, the Department has exercised its authority to modify the Privacy Rule several times—in 2013, 2014, and 2016.
See U.S. Dep't of Health and Hum. Servs., Off. of the Sec'y, Off. for Civil Rights; Statement of Delegation of Authority, 65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and Hum. Servs., Off. of the Sec'y, Off. for Civil Rights; Delegation of Authority, 74 FR 38630 (Aug. 4, 2009); U.S. Dep't of Health and Hum. Servs., Off. of the Sec'y, Statement of Organization, Functions and Delegations of Authority, 81 FR 95622 (Dec. 28, 2016).
See78 FR 5566 (Jan. 25, 2013); 79 FR 7290 (Feb. 6, 2014); 81 FR 382 (Jan. 6, 2016).
1. 2000 Privacy Rule
As directed by HIPAA, the Department provided a series of recommendations to Congress for a potential new law that would address the confidentiality of IIHI. Congress did not act within its three-year self-imposed deadline. Accordingly, the Department published a proposed rule on November 3, 1999, and issued the first final rule establishing “Standards for Privacy of Individually Identifiable Health Information” (“2000 Privacy Rule”) on December 28, 2000.
See U.S. Dep't of Health and Hum. Servs., Off. of the Assistant Sec'y for Plan. and Evaluation, “Recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996,” Section I.A. (Sept. 1997), https://aspe.hhs.gov/reports/confidentiality-individually-identifiable-health-information.
64 FR 59918 (Nov. 3, 1999).
65 FR 82462 (Dec. 28, 2000).
The primary goal of the Privacy Rule was to provide greater protection to individuals' privacy to engender a trusting relationship between individuals and health care providers. As announced, the final rule set standards to protect the privacy of IIHI to “begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding” health information. On the eve of that rule's issuance, the President issued an Executive Order recognizing the importance of protecting individual privacy, explaining that “[p]rotecting the privacy of patients' protected health information promotes trust in the health care system. It improves the quality of health care by fostering an environment in which patients can feel more comfortable in providing health care professionals with accurate and detailed information about their personal health.”
Id.
SeeExecutive Order 13181 (Dec. 20, 2000), 65 FR 81321.
Since its promulgation, the Privacy Rule has protected PHI by limiting the circumstances under which covered entities and their business associates (collectively, “regulated entities”) are permitted or required to use or disclose PHI and by requiring covered entities to have safeguards in place to protect the privacy of PHI. In adopting these regulations, the Department acknowledged the need to balance several competing factors, including existing legal expectations, individuals' privacy expectations, and societal expectations. The Department noted in the preamble that the large number of comments from individuals and groups representing individuals demonstrated the deep public concern about the need to protect the privacy of IIHI and constituted evidence of the importance of protecting privacy and the potential adverse consequences to individuals and their health if such protections are not extended. Through its policy choices in the 2000 Privacy Rule, the Department struck a balance between competing interests—the necessity of protecting privacy and the public interest in using identifiable health information for vital public and private purposes—in a way that was also workable for the varied stakeholders.
See65 FR 82462, 82471 (Dec. 28, 2000).
See id. at 82472.
See id.
In the 2000 Privacy Rule, the Department established “general rules” for uses and disclosures of PHI, codified at 45 CFR 164.502. The 2000 Privacy Rule also specified the circumstances in which a covered entity was required to obtain an individual's consent, authorization, or the opportunity for the individual to agree or object. Additionally, it established rules for when a covered entity is permitted to use or disclose PHI without an individual's consent, authorization, or opportunity to agree or object. In particular, the Privacy Rule permits certain uses and disclosures of PHI, without the individual's authorization, for identified activities that benefit the community, such as public health activities, judicial and administrative proceedings, law enforcement purposes, and research.
65 FR 82462 (Dec. 28, 2000).
45 CFR 164.506 was originally titled “Consent for uses or disclosures to carry out treatment, payment, or health care operations.”
See64 FR 59918, 59955 (Nov. 3, 1999).
The Privacy Rule also established the rights of individuals with respect to their PHI, including the right to receive adequate notice of a covered entity's privacy practices, the right to request restrictions of uses and disclosures, the right to access ( i.e., to inspect and obtain a copy of) their PHI, the right to request an amendment of their PHI, and the right to receive an accounting of disclosures.
See45 CFR 164.520, 164.522, 164.524, 164.526, and 164.528.
In the 2000 Privacy Rule, the Secretary exercised her statutory authority to adopt 45 CFR 160.104(a), which reserves the Secretary's ability to modify any standard or implementation specification adopted under the Administrative Simplification provisions. The Secretary first invoked this modification authority to amend the Privacy Rule in 2002 and made additional modifications in 2013, and 2016, as described below.
See65 FR 82462, 82800 (Dec. 28, 2000).
See67 FR 53182 (Aug. 14, 2002).
78 FR 5566 (Jan. 25, 2013).
81 FR 382 (Jan. 6, 2016).
2. 2002 Privacy Rule
After publication of the 2000 Privacy Rule, the Department received many inquiries and unsolicited comments about the Privacy Rule's effects and operation. As a result, the Department opened the 2000 Privacy Rule for further comment in February 2001, less than one month before the effective date and 25 months before the compliance date for most covered entities, and issued clarifying guidance on its implementation. NCVHS' Subcommittee on Privacy, Confidentiality and Security held public hearings about the 2000 Privacy Rule. From those hearings, the Department obtained additional information about concerns related to key provisions and their potential unintended consequences for health care quality and access. On March 27, 2002, the Department proposed modifications to the 2000 Privacy Rule to clarify the requirements and correct potential problems that could threaten access to, or quality of, health care.
66 FR 12738 (Feb. 28, 2001).
67 FR 53182, 53183 (Aug. 14, 2002).
67 FR 14775 (Mar. 27, 2002).
In response to comments on the proposed rule, the Department finalized modifications to the Privacy Rule on August 14, 2002 (“2002 Privacy Rule”). This final rule clarified HIPAA's requirements while maintaining strong protections for the privacy of IIHI. These modifications addressed certain workability issues, including but not limited to clarifying distinctions between health care operations and marketing; modifying the minimum necessary standard to exclude disclosures authorized by individuals and clarify its operation; eliminating the consent requirement for uses and disclosures of PHI for treatment, payment, or health care operations (TPO), and to otherwise clarify the role of consent in the Privacy Rule; and making other modifications and conforming amendments consistent with the proposed rule. The Department also included modifications to the provisions permitting the use or disclosure of PHI for public health activities and for research activities without consent, authorization, or an opportunity to agree or object.
67 FR 53182 (Aug. 14, 2002). See the final rule for changes in the entirety. The 2002 Privacy Rule was issued before the compliance date for the 2000 Privacy Rule. Thus, covered entities never implemented the 2000 Privacy Rule. Instead, they implemented the 2000 Privacy Rule as modified by the 2002 Privacy Rule.
See67 FR 53182 (Aug. 14, 2002).
3. 2013 Omnibus Rule
Following the enactment of the HITECH Act, the Department issued an NPRM, entitled “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health [HITECH] Act” (“2010 NPRM”), which proposed to implement certain HITECH Act requirements. In 2013, the Department issued the final rule, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health [HITECH] Act and the Genetic Information Nondiscrimination Act, and Other Modifications to the HIPAA Rules (“2013 Omnibus Rule”), which implemented many of the new HITECH Act requirements, including strengthening individuals' privacy rights related to their PHI.
75 FR 40868 (July 14, 2010).
78 FR 5566 (Jan. 25, 2013). In addition to finalizing requirements of the HITECH Act that were proposed in the 2010 NPRM, the Department adopted modifications to the Enforcement Rule not previously adopted in an earlier interim final rule, 74 FR 56123 (Oct. 30, 2009), and to the Breach Notification Rule not previously adopted in an interim final rule, 74 FR 42739 (Aug. 24, 2009). The Department also finalized previously proposed Privacy Rule modifications as required by GINA, 74 FR 51698 (Oct. 7, 2009).
The Department also finalized regulatory provisions that were not required by the HITECH Act, but were necessary to address the workability and effectiveness of the Privacy Rule and to increase flexibility for and decrease burden on regulated entities. In the 2010 NPRM, the Department noted that it had not amended the Privacy Rule since 2002. It further explained that information gleaned from contact with the public since that time, enforcement experience, and technical corrections needed to eliminate ambiguity provided the impetus for the Department's actions to make certain regulatory changes.
See78 FR 5566 (Jan. 25, 2013) (explaining that the Department was using its general authority under HIPAA to make a number of changes to the Privacy Rule that were intended to increase workability and flexibility, decrease burden, and better harmonize the requirements with those under other Departmental regulations). The Department's general authority to modify the Privacy Rule is codified in HIPAA section 264(c), and OCR conducts rulemaking under HIPAA based on authority granted by the Secretary.
75 FR 40868, 40871 (July 14, 2010).
For example, the Department modified its prior interpretation of the Privacy Rule requirement at 45 CFR 164.508(c)(1)(iv) that a description of a research purpose must be study specific. The Department explained that, under its new interpretation, the research purposes need only be described adequately such that it would be reasonable for an individual to expect that their PHI could be used or disclosed for such future research. In the 2013 Omnibus Rule, the Department explained that this change was based on the concerns expressed by covered entities, researchers, and other commenters on the 2010 NPRM that the former requirement did not represent current research practices. The Department provided a similar explanation for its modifications to the Privacy Rule that permit certain disclosures of student immunization records to schools without an authorization. Additionally, based on a recommendation made at an NCVHS meeting, the Department requested comment on and finalized proposed revisions to the definition of PHI to exclude information regarding an individual who has been deceased for more than 50 years. For the latter, the Department noted that it was balancing the privacy interests of decedents' living relatives and other affected individuals against the legitimate needs of public archivists to obtain records.
See78 FR 5566, 5611 (Jan. 25, 2013).
See id. at 5612.
Id. at 5616-17. See also45 CFR 164.512(b)(1).
78 FR 5566, 5614 (Jan. 25, 2013). See also45 CFR 164.502(f) and the definition of “Protected health information” at 45 CFR 160.103, excluding IIHI regarding a person who has been deceased for more than 50 years.
In addition to the rulemakings discussed here, the Department has modified the Privacy Rule for workability purposes and in response to changes in circumstances on two other occasions, and it issued another notice of proposed rulemaking in 2021 for the same reasons. See79 FR 7289 (Feb. 6, 2014), 81 FR 382 (Jan. 6, 2016), and 86 FR 6446 (Jan. 21, 2021).
None of the changes described in the paragraph above were required by the HITECH Act. Rather, the Department determined that it was necessary to promulgate these changes pursuant to its existing general rulemaking authority under HIPAA. NCVHS and the public also recommended other changes between the publication of the 2002 Privacy Rule and the 2013 Omnibus Rule, including the creation of specific categories of PHI, such as “Sexuality and Reproductive Health Information” that would allow for special protections of such PHI. The Department declined to propose specific protections for certain categories of PHI at that time because of concerns about the ability of regulated entities to segment PHI and the effects on care coordination. Many of those concerns are still present and so, the Department did not propose and determined not to establish a specific category of particularly sensitive PHI in this rulemaking. Instead, as discussed more fully below, the Department is finalizing a purpose-based prohibition against certain uses and disclosures.
See Letter from NCVHS Chair Simon P. Cohn to HHS Sec'y Michael O. Leavitt (June 22, 2006), https://ncvhs.hhs.gov/rrp/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/; Letter from NCVHS Chair Simon P. Cohn to HHS Sec'y Michael O. Leavitt (Feb. 20, 2008) (listing categories of health information that are commonly considered to contain sensitive information), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf; Letter from NCVHS Chair Justine M. Carr to HHS Sec'y Kathleen Sebelius (Nov. 10, 2010) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/101110lt.pdf.
4. 2024 Privacy Rule
On April 17, 2023, the Department issued an NPRM to modify the Privacy Rule for the purpose of prohibiting uses and disclosures of PHI for criminal, civil, or administrative investigations or proceedings against persons for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. To properly execute the HIPAA statutory mandate, and in accordance with the regulatory authority granted to it by Congress, the Department continually monitors and evaluates the evolving environment for health information privacy nationally, including the interaction of the Privacy Rule and state statutes and regulations governing the privacy of health information. In keeping with the Department's practice, this final rule accommodates state autonomy to the extent consistent with the need to maintain rules for health information privacy that serve HIPAA's objectives. The regulation thus preempts state law only to the extent necessary to achieve Congress' directive to establish a standard for the privacy of IIHI for the purpose of improving the effectiveness of the health care system. As discussed below, achieving that objective requires individuals to trust that their health care providers will maintain privacy of PHI about lawful reproductive health care. In addition, NCVHS held a virtual public meeting that included a discussion about the proposed rule on June 14, 2023, and provided recommendations to the Department based on this discussion, briefings at their July 2022 and December 2022 meetings, and the expertise of its members. The resultant public record and subsequent recommendations submitted to the Department by NCVHS, along with other public comments on the 2023 Privacy Rule NPRM, informed the development of these modifications.
See Meeting of NCVHS (June 14, 2023), https://ncvhs.hhs.gov/meetings/full-committee-meeting-13/.
See Meeting of NCVHS, Briefing on Legislative Developments in Data Privacy (July 21, 2022), https://ncvhs.hhs.gov/meetings/full-committee-meeting-11/.
See Meeting of NCVHS, Briefing by Cason Schmit (Dec. 7, 2022), https://ncvhs.hhs.gov/meetings/full-committee-meeting-12/.
Letter from NCVHS Chair Jacki Monson to HHS Sec'y Xavier Becerra (June 14, 2023) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/wp-content/uploads/2023/06/NCVHS-Comments-on-HIPAA-Reproduction-Health-NPRM-Final-508.pdf.
III. Justification for This Rulemaking
A. HIPAA Encourages Trust and Confidence by Carefully Balancing Individuals' Privacy Interests With Others' Interests in Using or Disclosing PHI
1. Privacy Protections Ensure That Individuals Have Access to, and Are Comfortable Accessing, High-Quality Health Care
The goal of a functioning health care system is to provide high-quality health care that results in the best possible outcomes for individuals. To achieve that goal, a functioning health care system depends in part on individuals trusting health care providers. Thus, trust between individuals and health care providers is essential to an individual's health and well-being. Protecting the privacy of an individual's health information is “a crucial element for honest health discussions.” The original Hippocratic Oath required physicians to pledge to maintain the confidentiality of health information they learn about individuals. Without confidence that private information will remain private, individuals—to their own detriment—are reluctant to share information with health care providers.
See Jennifer Richmond et al., “Development and Validation of the Trust in My Doctor, Trust in Doctors in General, and Trust in the Health Care Team Scales,” 298 Social Science & Medicine 114827 (2022), https://www.sciencedirect.com/science/article/abs/pii/S0277953622001332?via%3Dihub; see also Fallon E. Chipidza et al., “Impact of the Doctor-Patient Relationship,” The Primary Care Companion for CNS Disorders (Oct. 2015), https://www.psychiatrist.com/pcc/delivery/patient-physician-communication/impact-doctor-patient-relationship/. See Testimony (transcribed) of William G. Plested, III, M.D., Member, Board of Trustees, American Medical Association, Hearing on Confidentiality of Patient Medical Records before House of Representatives Committee on Ways and Means, Subcommittee on Health (Feb. 17, 2000), https://www.govinfo.gov/content/pkg/CHRG-106hhrg66897/html/CHRG-106hhrg66897.htm. (“Trust is the foundation of the patient/physician relationship.”)
See Am. Med. Ass'n, “Patient Perspectives Around Data Privacy,” (2022), https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf.
See John C. Moskop et al., “From Hippocrates to HIPAA: Privacy and Confidentiality in Emergency Medicine—Part I: Conceptual, Moral, and Legal Foundations,” 45 Ann Emerg. Med.1 (Jan. 2005) (quoting the Oath of Hippocrates, “What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself [. . .].”), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7132445/#bib1.
When proposing the 2000 Privacy Rule, the Department recognized that individuals may be deterred from seeking needed health care if they do not trust that their sensitive information will be kept private. The Department described its policy choices as stemming from a motivation to develop and maintain a relationship of trust between individuals and health care providers. The Department explained that a fundamental assumption of the 2000 Privacy Rule was that the greatest benefits of improved privacy protection would be realized in the future as individuals gain increasing trust in their health care provider's ability to maintain the confidentiality of their health information. As a result, the Privacy Rule strengthened protections for health information privacy, including the right of individuals to determine who has access to their health information.
See64 FR 59918, 60006 (Nov. 3, 1999) (In the 1999 Privacy Rule NPRM, the Department discussed confidentiality as an important component of trust between individuals and health care providers and cited a 1994 consumer privacy survey that indicated that a lack of privacy may deter patients from obtaining preventive care and treatment.). See id. at 60019.
See64 FR 59918, 60006 (Nov. 3, 1999).
Despite the Privacy Rule's rights and protections, individuals do not have confidence that their IIHI is being protected adequately. In a 2022 survey on patient privacy, the American Medical Association (AMA) found that, of 1,000 patients surveyed: (1) nearly 75% were concerned about protecting the privacy of their own health information; and (2) 59% of patients worried about health data being used by companies to discriminate against them or their loved ones. According to the AMA, a lack of health information privacy raises many questions about circumstances that could put individuals and health care providers in legal peril, and that the “primary purpose of increasing [health information] privacy is to build public trust, not inhibit data exchange.”
See “Patient Perspectives Around Data Privacy,” supra note 111.
Id. at 2.
The Federal Government also has a strong interest in ensuring that individuals have access to high-quality health care. This is true at both an individual and population level. In the 2000 Privacy Rule, the Department noted that high-quality health care depends on an individual being able to share sensitive information with their health care provider based on the trust that the information shared will be protected and kept confidential. An effective health care system requires an individual to share sensitive health information with their health care providers. They do so with the reasonable expectation that this information is going to be used to treat them. The prospect of the disclosure of highly sensitive PHI by regulated entities can result in medical mistrust and the deterioration of the confidential, safe environment that is necessary to provide high-quality health care, operate a functional health care system, and improve the public's health generally. High-quality health care cannot be attained without patient candor. Health care providers rely on an individual's health information to diagnose them and provide them with appropriate treatment options and may not be able to reach an accurate diagnosis or recommend the best course of action for the individual if the individual's medical records lack complete information about their health history. However, an individual may be unwilling to seek treatment or share highly sensitive PHI when they are concerned about the confidentiality and security of PHI provided to treating health care providers. The Department has long recognized that health care professionals who lose the trust of their patients cannot deliver high-quality care. Similarly, if a health care provider does not trust that the PHI they include in an individual's medical records will be kept private, the health care provider may leave gaps or include inaccuracies when preparing medical records, creating a risk that ongoing or future health care would be compromised. In contrast, heightened confidentiality and privacy protections enable a health care provider to feel confident maintaining full and complete medical records.
See Testimony (transcribed) of Peter R. Orszag, Director, Congressional Budget Office, Hearing on Comparative Clinical Effectiveness before House of Representatives Committee on Ways and Means, Subcommittee on Health, 2007 WL 1686358 (June 12, 2007) (“because federal health insurance programs play a large role in financing medical care and represent a significant expenditure, the federal government itself has an interest in evaluations of the effectiveness of different health care approaches”); Statement of Sen. Durenberger introducing S.1836, American Health Quality Act of 1991 and reading bill text, 137 Cong. Rec. S26720 (Oct. 17, 1991) (“[T]he Federal Government has a demonstrated interest in assessing the quality of care, access to care, and the costs of care through the evaluative activities of several Federal agencies.”).
See65 FR 82462, 82463 (Dec. 28, 2000).
See, e.g., Brooke Rockwern et al., Medical Informatics Committee and Ethics, Professionalism and Human Rights Committee of the American College of Physicians, “Health Information Privacy, Protection, and Use in the Expanding Digital Health Ecosystem: A Position Paper of the American College of Physicians,” 174 Ann Intern Med. 994 (Jul. 2021) (discussing the need for trust in the health care system as necessary to mitigate a global pandemic); Johanna Birkhäuer et. al, “Trust in the Health Care Professional and Health Outcome: A Meta-Analysis,” 12 PLoS One e0170988 (Feb. 7, 2017). See also Eric Boodman, “In a doctor's suspicion after a miscarriage, a glimpse of expanding medical mistrust,” STAT News (June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/ (Sarah Prager, professor of obstetrics and gynecology at the University of Washington, stating that it is a bad precedent if clinical spaces become unsafe for patients because, “[a health care provider's] ability to take care of patients relies on trust, and that will be impossible moving forward.”).
See “Development and Validation of the Trust in My Doctor, Trust in Doctors in General, and Trust in the Health Care Team Scales,” supra note 110; Bradley E. Iott et al., “Trust and Privacy: How Patient Trust in Providers is Related to Privacy Behaviors and Attitudes,” 2019 AMIA Annu Symp Proc 487 (Mar. 2020), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/; Pamela Sankar et al., “Patient Perspectives of Medical Confidentiality: a Review of the Literature,” 18 J. of Gen. Internal Med. 659 (Aug. 2003), https://pubmed.ncbi.nlm.nih.gov/12911650/.
See65 FR 82462, 82468 (Dec. 28, 2000).
Incomplete medical records and health care avoidance not only inhibit the quality of health care an individual receives; they are also detrimental to efforts to improve public health. The objective of public health is to prevent disease in and improve the health of populations. Barriers that undermine the willingness of individuals to seek health care in a timely manner or to provide complete and accurate health information to their health care providers undermine the overall objective of public health. For example, individuals who are not candid with their health care providers because of concerns about potential negative consequences of a loss of privacy may withhold information about a variety of health matters that have public health implications, such as communicable diseases or vaccinations. Experience also shows that medical mistrust—especially in communities of color and other communities that have been marginalized or negatively affected by historical and current health care disparities—can create damaging and chilling effects on individuals' willingness to seek appropriate and lawful health care for medical conditions that can worsen without treatment.
See Letter from NCVHS Chair Simon P. Cohn, supra note 104, at 2 (2006) (with forwarded NCVHS recommendations, “Individual trust in the privacy and confidentiality of their personal health information also promotes public health, because individuals with potentially contagious or communicable diseases are not inhibited from seeking treatment.”).
See Texas Dep't of State Health Servs., “Texas Maternal Mortality and Morbidity Review Committee and Department of State Health Services Joint Biennial Report 2022,” at 41 (Dec. 2022) https://www.dshs.texas.gov/sites/default/files/legislative/2022-Reports/2022-MMMRC-DSHS-Joint-Biennial-Report.pdf; Lynn M. Paltrow et al., “Arrests of and forced interventions on pregnant women in the United States, 1973-2005: implications for women's legal status and public health,” 38 J. Health Pol. Pol'y Law 299 (2013) (finding that hospital staff are most likely to report pregnant low-income and patients of color, especially Black women, to the authorities.); Terri-ann Monique Thompson et al., “Racism Runs Through It: Examining the Sexual and Reproductive Health Experience of Black Women in the South,” 41 Health Affairs 195 (Feb. 2022) (discussing how individual racism affects reproductive health care use by undermining the patient-doctor relationship), https://www.healthaffairs.org/doi/10.1377/hlthaff.2021.01422 ); Joli Hunt, “Maternal Mortality among Black Women in the United States,” Ballard Brief (July 2021), https://ballardbrief.byu.edu/issue-briefs/maternal-mortality-among-black-women-in-the-united-states/ (discussing the disproportionately high rate of Black maternal mortality and morbidity); Austin Frakt, “Bad Medicine: The Harm that Comes from Racism,” The New York Times (July 8, 2020), https://www.nytimes.com/2020/01/13/upshot/bad-medicine-the-harm-that-comes-from-racism.html.
2. The Department's Approach to the Privacy Rule Has Long Sought To Balance the Interests of Individuals and Society
While recognizing the importance of preserving individuals' trust, the Department has consistently taken the approach of balancing the interests of the individual in the privacy of their PHI with society's interests, including in the free flow of information that enables the provision of effective and efficient health care services. Such an approach derives from Congress's direction, in 1996, to improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system while taking into account the privacy of IIHI and the uses and disclosures of such information that should be authorized or required. In past rulemakings, the Department has made revisions to the Privacy Rule to balance an individual's privacy expectations with a covered entity's need for information for reimbursement and quality purposes. As the Department previously explained, “Patient privacy must be balanced against other public goods, such as research and the risk of compromising such research projects if researchers could not continue to use such data.” The 2000 Privacy Rule included permissions for regulated entities to disclose PHI under certain conditions, including for judicial and administrative proceedings and law enforcement purposes, because an individual's right to privacy in information about themselves is not absolute. For example, it does not prevent reporting of public health information on communicable diseases, nor does it prevent law enforcement from obtaining information when due process has been observed.
42 U.S.C. 1320d note and 1320d-2 note.
See67 FR 53182, 53216 (Aug. 14, 2002).
Id. at 53226.
65 FR 82462, 82464 (Dec. 28, 2000).
In more recent rulemakings revising the Privacy Rule, the Department has continued its efforts to build and maintain individuals' trust in the health care system while balancing the interests of individuals with those of others. For example, in explaining revisions made as part of the 2013 Omnibus Rule, the Department recognized that covered entities must balance protecting the privacy of health information with sharing health information with those responsible for ensuring public health and safety. The Privacy Rule was also revised in 2016 (“2016 Privacy Rule”) in accordance with an administration-wide effort to curb gun violence across the nation. The 2016 Privacy Rule was tailored to authorize the disclosure of a limited set of PHI for a narrow, specific purpose, that is, to permit only regulated entities that are state agencies or other entities designated by a state to collect and report information to the National Instant Criminal Background Check System (NICS) or a lawful authority making an adjudication or commitment as described by 18 U.S.C. 922(g)(4) to disclose to NICS the identities of individuals who are subject to a Federal “mental health prohibitor,” that disqualifies them from shipping, transporting, possessing, or receiving a firearm. As explained in the 2016 Privacy Rule, the Federal mental health prohibitor applies only to the extent that the individual is involuntarily committed or determined by a court or other lawful authority to be a danger to self or others, or is unable to manage their own affairs because of a mental illness or condition. Similar to this final rule, the 2016 Privacy Rule balanced public safety goals with individuals' privacy interests by clearly limiting permissible disclosures to those that are necessary to ensure that individuals are not discouraged from seeking lawful health care, in this case, voluntary treatment for mental health needs. In the 2013 Omnibus Rule and 2016 Privacy Rule, the Department ensured that the disclosures were necessary for the public good and were not for the purpose of harming the individual. This approach is consistent with the NCVHS recommendations to the Secretary relating to health information privacy: “The Committee strongly supports limiting use and disclosure of identifiable information to the minimum amount necessary to accomplish the purpose. The Committee also strongly believes that when identifiable health information is made available for non-health uses, patients deserve a strong assurance that the data will not be used to harm them.”
See78 FR 5566, 5616 (Jan. 25, 2013).
81 FR 382 (Jan. 6, 2016); see, e.g.,78 FR 4297 (Jan. 22, 2013) and 78 FR 4295 (Jan. 22, 2013); see also Colleen Curtis, “President Obama Announces New Measures to Prevent Gun Violence,” The White House President Barack Obama (Jan. 16, 2013), https://obamawhitehouse.archives.gov/blog/2013/01/16/president-obama-announces-new-measures-prevent-gun-violence.
This PHI includes limited demographic and certain other information needed for the purposes of reporting to NICS. 45 CFR 164.512(k)(7)(iii)(A). In preamble, the Department explained that generally the information described at 45 CFR 164.512(k)(7)(iii)(A) would be limited to the data elements required to create a NICS record and certain other elements to the extent that they are necessary to exclude false matches: Social Security number, State of residence, height, weight, place of birth, eye color, hair color, and race. 81 FR 382, 390 (Jan. 6, 2016).
81 FR 382, 386-388 (Jan. 6, 2016).
Id. The Department addressed concerns about the possible chilling effect on individuals seeking health care by explaining that (1) the permission is limited to only those covered entities that order the involuntary commitments or make the other adjudications that cause individuals to be subject to the Federal mental health prohibitor, or that serve as repositories of such information for NICS reporting purposes; (2) the specified regulated entities are permitted to disclose NICS data only to designated repositories or the NICS; (3) the information that may be disclosed is limited to certain demographic or other information that is necessary for NICS reporting; and (4) the rulemaking did not expand the permission to encompass State law prohibitor information.
Letter from NCVHS Chair Don E. Detmer to HHS Sec'y Donna E. Shalala (June 27, 1997) (forwarding NCVHS recommendations), https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/.
Consistent with Congress's directive to promulgate “standards with respect to the privacy of [IIHI]” that, among other things, address the “uses and disclosures of such information that should be authorized or required,” the Department recognizes a variety of interests with respect to health information. These include individuals' interests in the privacy of their health information, society's interests in ensuring the effectiveness of the health care system, and other interests of society in using IIHI for certain non-health care purposes. As part of balancing these interests, the Department has also recognized that it may be necessary to afford additional protection to certain types of health information because those types of information are particularly sensitive and often involve highly personal health care decisions. For example, the Department affords special privacy protections to psychotherapy notes. These protections are afforded in part because of the particularly sensitive information those notes contain and in part because of the unique function of these records, which are by definition maintained separately from an individual's medical record. As we previously explained, the primary value of psychotherapy notes is to the specific provider, and the promise of strict confidentiality helps to ensure that the patient will feel comfortable freely and completely disclosing very personal information essential to successful treatment. The Department elaborated that even the possibility of disclosure may impede development of the confidential relationship necessary for successful treatment because of the sensitive nature of the problems for which individuals consult psychotherapists and the potential embarrassment that may be engendered by the disclosure of confidential communications made during counseling sessions. Therefore, to support the development and maintenance of an individual's trust and protect the relationship between an individual and their therapist, the Privacy Rule permits the disclosure of psychotherapy notes without an individual's authorization only in limited circumstances, such as to avert a serious and imminent threat to health or safety. Those limited circumstances do not include judicial and administrative proceedings or law enforcement purposes unless the disclosure is “necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.”
42 U.S.C. 1320d-2 note.
See45 CFR 164.501 (definition of “Psychotherapy notes”).
See64 FR 59918, 59941 (Nov. 3, 1999).
See id.
Information about an individual's reproductive health and associated health care is also especially sensitive and has long been recognized as such. As stated in the AMA's Principles of Medical Ethics, the “decision to terminate a pregnancy should be made privately within the relationship of trust between patient and physician in keeping with the patient's unique values and needs and the physician's best professional judgment.” NCVHS first noted reproductive health information as an example of a category of health information commonly considered to contain sensitive information in 2006. Between 2005 and 2010, NCVHS held nine hearings that addressed questions about sensitive information in medical records and identified additional categories of sensitive information beyond those addressed in Federal and state law, including “sexuality and reproductive health information.” In several letters to the Secretary during that period, NCVHS recommended that the Department identify and define categories of sensitive information, including “reproductive health.” In a 2010 letter to the Secretary, NCVHS elaborated that, after extensive testimony on sensitive categories of health information, “reproductive health” should be expanded to “sexuality and reproductive health information,” because:
Council on Ethical and Judicial Affairs, “Ethics, Amendment to Opinion 4.2.7, Abortion H-140.823,” Am. Med. Ass'n (2022), https://policysearch.ama-assn.org/policyfinder/detail/%224.2.7%20Abortion%22?uri=%2FAMADoc%2FHOD.xml-H-140.823.xml.
See Letter from NCVHS Chair Simon P. Cohn (2006), supra note 104.
See Letter from NCVHS Chair Simon P. Cohn (2006), supra note 104; Letter from NCVHS Chair Simon P. Cohn (2008), supra note 104; Letter from NCVHS Chair Justine M. Carr (2010), supra note 104.
Information about sexuality and reproductive history is often very sensitive. Some reproductive issues may expose people to political controversy (such as protests from abortion proponents), and public knowledge of an individual's reproductive history may place [them] at risk of stigmatization.” Additionally, individuals may wish to have their reproductive history segmented so that it is not viewed by family members who otherwise have access to their records. Parents may wish to delay telling their offspring about adoption, gamete donation, or the use of other forms of assisted reproduction technology in their conception, and, thus, it may be important to have the capacity to segment these records.
See Letter from NCVHS Chair Justine M. Carr (2010), supra note 104.
The Department did not provide specific protections for certain categories of PHI upon receipt of the recommendation or as part of the 2013 Omnibus Rule because of concerns about the ability of regulated entities to segment PHI and the effects on care coordination. While we recognized the sensitive nature of reproductive health information before this rulemaking, the Department believed that the Supreme Court's recognition of a constitutional right to abortion coupled with the privacy protections afforded by the HIPAA Rules provided the necessary trust to promote access to and quality of health care. As a result of the changed legal landscape for reproductive health care broadly, including abortion, the range of circumstances in which PHI about legal reproductive health care could be sought and used in investigations or to impose liability expanded significantly. Now that states have much broader power to criminalize and regulate reproductive choices—and that some states have already exercised that power in a variety of ways —individuals legitimately have a far greater fear that especially sensitive information about lawful health care will not be kept private. This changed environment requires additional privacy protections to help restore the Privacy Rule's carefully-struck balance between individual and societal interests. Because the concerns regarding segmentation and the negative impact on care coordination remain, the Department did not propose and is not establishing a new category of particularly sensitive PHI in this final rule. Instead, as discussed more fully below, the Department is finalizing its proposed purpose-based prohibition against certain uses and disclosures.
See LePage v. Center for Reproductive Medicine, SC-2022-0515 (Feb. 16, 2024).
B. Developments in the Legal Environment Are Eroding Individuals' Trust in the Health Care System
The Supreme Court's decision in Dobbs overturned Roe v. Wade and Planned Parenthood of Southeastern Pennsylvania v. Casey, thereby enabling states to significantly restrict access to abortion. Following the Supreme Court's decision, the legal landscape has shifted as laws significantly restricting access to abortion have in fact become effective in some jurisdictions. This change has also led to questions about both the current and future lawfulness of other types of reproductive health care, and therefore, the ability of individuals to access such health care. Thus, this shift may interfere with the longstanding expectations of individuals, established by HIPAA and the Privacy Rule, with respect to the privacy of their PHI. For example, while the Privacy Rule currently permits, but does not require, uses and disclosures of PHI for certain purposes, including when another law requires a regulated entity to make the use or disclosure, regulated entities after Dobbs may feel compelled by other applicable law to use or disclose PHI to law enforcement or other persons who may use that health information against an individual, a regulated entity, or another person who has sought, obtained, provided, or facilitated reproductive health care, even when such health care is lawful in the circumstances in which the health care is obtained.
410 U.S. 113 (1973).
505 U.S. 833 (1992).
Dobbs, 597 U.S. 299-302.
See, e.g., Carmel Shachar et al., “Informational Privacy After Dobbs,” 75 Ala. L. Rev. 1 (2023), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4570500 and Andrzej Kulczycki, “Dobbs: Navigating the New Quagmire and Its Impacts on Abortion and Reproductive Health Care,” Health Education & Behavior (2022), https://doi.org/10.1177/10901981221125430.
See, e.g., Kayte Spector-Bagdady & Michelle M. Mello, “Protecting the Privacy of Reproductive Health Information After the Fall of Roe v. Wade,” 3 JAMA Network e222656 (June 30, 2022), https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032 ; Lisa G. Gill, “What does the overturn of Roe v. Wade mean for you?,” Consumer Reports (June 24, 2022), https://www.consumerreports.org/health-privacy/what-does-the-overturn-of-roe-v-wade-mean-for-you-a1957506408/.
45 CFR 164.502(a)(1).
See Laura J. Faherty et al. “Consensus Guidelines and State Policies: The Gap Between Principle and Practice at the Intersection of Substance Use and Pregnancy,” American Journal of Obstetrics & Gynecology Maternal-Fetal Medicine (Aug. 2020) (discussing a concern raised by multiple organizations that pregnant women will hesitate to seek prenatal care and addiction treatment during pregnancy because their concerns that disclosing substance use to health care providers will increase the likelihood that they will face legal penalties); see also “Informational Privacy After Dobbs,” supra note 147.
As a consequence of these developments in Federal and state law, an individual's expectation of privacy of their health information (irrespective of whether an individual is or was pregnant) is threatened by the potential use or disclosure of PHI to identify persons who seek, obtain, provide, or facilitate lawful reproductive health care. Thus, these developments have created an environment in which individuals are more likely to fear that their PHI will be requested from regulated entities for use against individuals, health care providers, and others, merely because such persons sought, obtained, provided, or facilitated lawful reproductive health care. The potential increased demand for PHI for these purposes is not limited to states in which providing or obtaining certain reproductive health care is no longer legal. Rather, the changes in the legal landscape have nationwide implications, not only because of their effects on the relationship between health care providers and individuals, but also because of the potential effects on the flow of health information across state lines. For example, an individual who travels out-of-state to obtain reproductive health care that is lawful under the circumstances in which it is provided may now be reluctant to have that information disclosed to a health care provider in their home state if they fear that it may then be used against them or a loved one in their home state. A health care provider may be unable to provide appropriate health care if they are unaware of the individual's recent health history, which could have significant negative health consequences. Individuals and health care providers may also be reluctant to disclose PHI to health plans with a multi-state presence because of concerns that one of those states will seek to obtain that PHI to investigate or impose liability on the individual or the health care provider, even if there is no nexus with that state other than the presence of the health plan in that state. Such reluctance may have significant ramifications for access to reproductive health care, given the cost associated with obtaining such health care, and health care generally.
See, e.g., Yvonne Lindgren et al., “Reclaiming Tort Law to Protect Reproductive Rights,” 75 Alabama L. Rev. 355 (2023), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4435834.
Additionally, PHI is more likely to be transmitted across state lines as the electronic exchange of PHI increases because it is easier and more efficient to send information electronically. For instance, the Trusted Exchange Framework and Common Agreement (TEFCA) initiative established under the 21st Century Cures Act and the Centers for Medicare & Medicaid Services (CMS) Interoperability and Prior Authorization Final Rule will spur greater use and disclosure of PHI by regulated entities and to health apps and others. Different components of a health information exchange/health information network (HIE/HIN) may be located in different states, meaning that the PHI may be transmitted across state lines, and thus affected by laws severely restricting access to reproductive health care, even where both the health care and the recipient of the PHI are located in states where access to such health care is not substantially restricted.
See section 3001(c) of the PHSA, as amended by section 4003(b) of the 21st Century Cures Act, Public Law 114-255, 130 Stat. 1165 (codified at 42 U.S.C. 300jj-11(c)). For more information, see Office of the Nat'l Coordinator for Health Info. Tech., “Trusted Exchange Framework and Common Agreement (TEFCA),” https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca; See also89 FR 8758 (Feb. 8, 2024); “CMS Interoperability and Prior Authorization Final Rule CMS-0057-F,” Centers for Medicare & Medicaid (Jan. 17, 2024), https://www.cms.gov/newsroom/fact-sheets/cms-interoperability-and-prior-authorization-final-rule-cms-0057-f.
According to commenters, individuals are increasingly concerned about the confidentiality of discussions with their health care providers. As a result, some individuals are not confiding fully in their health care providers, increasing the risk that their medical records will not be complete and accurate, leading to decreases in health care quality and safety. This lack of openness is also likely to affect the information and treatment recommendations health care providers provide to individuals because health care providers will not be sufficiently informed to provide thorough and accurate information and guidance.
See Eric Boodman, “In a doctor's suspicion after a miscarriage, a glimpse of expanding medical mistrust,” STAT News (June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/#:~:text=In%20a%20doctor's%20suspicion%20after,glimpse%20of%20expanding%20medical%20mistrust&text=The%20idea%20that%20she,used%20contraceptives%20and%20trusted%20them.
Individuals are not alone in their fears. Indeed, according to commenters, some health care providers are afraid to provide lawful health care because they are concerned that in doing so, they risk being subjected to investigation and possible liability. The Department is aware that some health care providers, such as clinicians and pharmacies, are hesitant to provide lawful health care or lawfully prescribe or fill prescriptions for medications that can result in pregnancy loss, even when the health care or those prescriptions are intended to treat individuals for other health matters, because of fear of law enforcement action. Some health care providers are also not providing individuals with information to address concerns about their reproductive health, even where their communications would be lawful, out of fear of criminal prosecution, civil suit, or loss of their clinical license. This may result in individuals making decisions about their health care with incomplete information, which could have serious implications for health outcomes. These fears also increase the risk that individual medical records will not be maintained with completeness and accuracy, which will in turn affect the quality of health care provided to individuals and their safety. Fears about potential prosecution, even when Federal law protects the actions of health care providers, are likely to negatively affect the accuracy of medical records maintained by health care providers and thereby harm individuals.
See also Melissa Suran, “As Laws Restricting Health Care Surge, Some US Physicians Choose Between Fight or Flight,” JAMA, 329(22):1899-1903 (May 17, 2023) (discussing a maternal-fetal medicine specialist who stated that she moved to another state because of legislation that restricts evidence-based health care and prevents her from fulfilling her ethical obligation to protect her patients' health.), https://pubmed.ncbi.nlm.nih.gov/37195699/.
See Off. for Civil Rights, “HHS Office for Civil Rights Resolves Complaints with CVS and Walgreens to Ensure Timely Access to Medications for Women and Support Persons with Disabilities,” U.S. Dep't of Health and Human Servs. (June 16, 2023), https://www.hhs.gov/civil-rights/for-providers/compliance-enforcement/agreements/cvs-walgreens/index.html. See also Kathryn Starzyk et al., “More than half of patients with a rheumatic disease or immunologic condition undergoing methotrexate treatment reside in states in which the overturning of Roe v. Wade can jeopardize access to medications with abortifacient potential,” 75 Arthritis Rheumatol 328 (Feb. 2023); see also Celine Castronuovo, “Many Female Arthritis Drug Users Face Restrictions After Dobbs,” Bloomberg Law (Nov. 14, 2022) (noting that 16 out of 524 patients responding to a survey indicated that they've had trouble getting methotrexate, their arthritis medication, since the Dobbs decision.) https://news.bloomberglaw.com/health-law-and-business/many-female-arthritis-drug-users-face-restrictions-after-dobbs; Interview with Donald Miller, PharmD, “Methotrexate access becomes challenging for some patients following Supreme Court decision on abortion,” Pharmacy Times (July 20, 2022), https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion; Jamie Ducharme, “Abortion restrictions may be making it harder for patients to get a cancer and arthritis drug,” Time (July 6, 2022), https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/; Katie Shepherd & Frances Stead Sellers, “Abortion bans complicate access to drugs for cancer, arthritis, even ulcers,” The Washington Post (Aug. 8, 2022), https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/.
See Michelle Oberman & Lisa Soleymani Lehmann, “Doctors' duty to provide abortion information,” J. of Law and Biosciences. (Sept. 1, 2023) https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10474560/; Whitney Arey et al., “Abortion Access and Medically Complex Pregnancies Before and After Texas Senate Bill 8,” 141 Obstet Gynecol. 995 (May 1, 2023) (concluding that “Abortion restrictions limit shared decision making, compromise patient care, and put pregnant people's health at risk.”); “1 Year Without Roe,” Center for American Progress (Jun. 23, 2023) (where a physician detailed her fear about speaking freely with her patients after Dobbs “worried a vigilante posing as a new patient would attempt to bait her into talking about abortion and attempt to sue her, and she sometimes skirts the topic of abortion when speaking with patients about their health care options.”)
As explained by commenters and supported by research, these impingements on the privacy of health information about reproductive health care are likely to have a disproportionately greater effect on women, individuals of reproductive age, and individuals from communities that have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage by virtue of their race, disability, social or economic status, geographic location, or environment. Historically underserved and marginalized individuals are also more likely to be the subjects of investigations and other activities to impose liability for seeking or obtaining reproductive health care, even where such health care is lawful under the circumstances in which it is provided. They are also less likely to have adequate access to legal counsel to defend themselves from such actions. These inequities may be exacerbated where individuals face multiple, intersecting disparities, such as having limited English proficiency and disability. Such individuals are thus especially likely to be concerned that information they share with their health care providers about their reproductive health care will not remain private. This is particularly true considering the historic lack of trust, negative experiences, and fear of discrimination that many members of historically underrepresented and marginalized communities and communities of color have in the health care system; such individuals are more likely to be deterred from seeking or obtaining health care—or from giving their health care providers full information.
See Christine Dehlendorf et al., “Disparities in Abortion Rates: A Public Health Approach,” Am. J. of Pub. Health (Oct. 2013), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/. See also Kiara Alfonseca, “Why Abortion Restrictions Disproportionately Impact People of Color,” ABC News (June 24, 2022), https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809; Dulce Gonzalez et al., Robert Wood Johnson Foundation, “Perceptions of Discrimination and Unfair Judgment While Seeking Health Care” (Mar. 31, 2021), https://www.rwjf.org/en/insights/our-research/2021/03/perceptions-of-discrimination-and-unfair-judgment-while-seeking-health-care.html; Susan A. Cohen, “Abortion and Women of Color: The Bigger Picture,” 11 Guttmacher Pol'y Rev. (Aug. 6, 2008), https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture; “The Disproportionate Harm of Abortion Bans: Spotlight on Dobbs v. Jackson Women's Health,” Center for Reproductive Rights (Nov. 29, 2021), https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/ (“Abuses such as forced sterilization of Black, Indigenous, and other people of color and individuals with disabilities specifically exacerbate medical mistrust within reproductive healthcare.”).
See Brief of Amici Curiae for Organizations Dedicated to the Fight for Reproductive Justice—Mississippi in Action, et al. at *35-36, Dobbs, 597 U.S. 215 (discussing the likelihood that individuals, particularly those from marginalized communities who terminate their pregnancies and anyone who assists them may be disproportionally likely to face criminal investigation or arrest, given the rates of incarceration of persons from such communities.); see also Elizabeth Yuko, “Women of Color Will Face More Criminalized Pregnancies in Post-` Roe' America,” Rolling Stone (Jul. 7, 2020) (“Historically, we've seen the criminalization of people of color, young people, and people with lower incomes who've had miscarriages and other types of pregnancy losses that the state deemed were their fault [. . .] These groups are the most likely to be reported to law enforcement and investigated”); see also Sentencing Project, State-by-State Data, https://www.sentencingproject.org/research/us-criminal-justice-data/ (last visited Feb. 16, 2024) (U.S. Total: Imprisonment rate per 100,000 residents—355; Black/White disparity—4.8:1; Latinx/White disparity—1.3:1); Racial Disparities in Incarceration, Vera Institute of Justice (Aug. 21, 2023), https://trends.vera.org/ (Prison population rate per 100,000 residents ages 15 to 64. U.S. total incarceration rate 2021 Q2—298, Asian American/Pacific Islander incarceration rate 2021 Q2—100, Black/African American incarceration rate 2021 Q2—1,310, Latinx incarceration rate 2021 Q2—671, Native American incarceration rate 2021 Q2—1,021, White incarceration rate 2021 Q2—281).
See Columbia Law Sch. Hum. Rts. Inst. & and Ne. Univ. Sch. of Law Program on Hum. Rts. and the Glob. Econ.,” Equal Access to Justice: Ensuring Meaningful Access to Counsel in Civil Cases, Including Immigration Proceedings” (July 2014), https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf. See also Lauren Hoffman et al., Ctr. For Am. Progress, “Report: State Abortion Bans Will Harm Women and Families' Economic Security Across the US” (Aug. 25, 2022), https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/.
See Myasar Ihmud, “Lost in Translation: Language Barriers to Accessing Justice in the American Court System,” UIC Law Review (2023) (discussing “access to justice for [limited English proficient (LEP)] individuals is hindered because they are unable to communicate with the court or understand the proceedings. Case law shows that, when unable to communicate with the court, LEP litigants are unable to defend themselves appropriately in criminal or immigration hearings, protect their homes, or keep custody of their children.”), https://repository.law.uic.edu/cgi/viewcontent.cgi?article=2908&context=lawreview; see also “Language Access & Cultural Sensitivity,” Legal Services Corporation (last visited Feb. 21, 2024) (describing how legal aid organizations should plan for providing meaningful access to language services. As of 2013, “close to 25 million people, about 8 percent of the population, has limited English proficiency.”), https://www.lsc.gov/i-am-grantee/model-practices-innovations/language-access-cultural-sensitivity.
See, e.g., Gautam Gulati et al., “The experience of law enforcement officers interfacing with suspects who have an intellectual disability—A systematic review,” International Journal of Law and Psychiatry (Sept.-Oct. 2020) (“It is not uncommon for people with [intellectual disability] to be suspects or accused persons when interfacing with Law Enforcement Officers (LEOs) and therefore face arrest, interview and/or custody.”), https://www.sciencedirect.com/science/article/pii/S016025272030073X.
See Leslie Read et al., The Deloitte Ctr. for Health Solutions, “Rebuilding Trust in Health Care: What Do Consumers Want—and Need—Organizations to Do?,” at 3 (Aug. 5, 2021) (With focus groups of 525 individuals in the United States who identify as Black, Hispanic, Asian, or Native American, “[f]ifty-five percent reported a negative experience where they lost trust in a health care provider.”), https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html; Liz Hamel et al., Kaiser Family Foundation, “The Undefeated Survey on Race and Health,” at 23 (Oct. 2020) (Percent who say they can trust the health care system to do what is right for them or their community almost all of the time or most of the time: Black adults: 44%; Hispanic adults: 50%; White adults: 55%), https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf; U.S. Dep't of Health and Hum. Servs., Assistant Sec'y for Pol. & Eval., Off. of Health Pol., “Issue Brief: Health Insurance Coverage and Access to Care for LGBTQ+ Individuals: Current Trends and Key Challenges,” at 9 (June 2021) (A 2021 survey found that 18 percent of LGBTQ+ individuals reported avoiding going to a doctor or seeking health care out of concern that they would face discrimination or poor treatment because of their sexual orientation or gender identity.), https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf; Abigail A. Sewell, “Disaggregating Ethnoracial Disparities in Physician Trust,” Soc. Science Rsch. (Nov. 2015), https://pubmed.ncbi.nlm.nih.gov/26463531/; Irena Stepanikova et al., “Patients' Race, Ethnicity, Language, and Trust in a Physician,” J. of Health and Soc. Behavior (Dec. 2006), https://pubmed.ncbi.nlm.nih.gov/17240927/.
Congress contemplated that the Department would need to modify standards adopted under HIPAA's Administrative Simplification provisions and directed the Secretary to review standards adopted under 42 U.S.C. 1320d-2 periodically. In accordance with this directive and based on the Department's expertise and analysis and the recent developments in the legal landscape, there is a compelling need to provide additional protections to PHI about lawful reproductive health care. Accordingly, consistent with Congress's directions to the Department, in HIPAA, as amended by Genetic Information Nondiscrimination Act (GINA) and the HITECH Act, to establish standards and requirements for the electronic transmission of certain health information, including the privacy thereof, for the development of a health information system, the Department is restricting certain uses and disclosures of PHI for particular non-health care purposes to provide such protections.
Congress' directions regarding the issuance of standards for the privacy of IIHI are codified at 42 U.S.C. 1320d-2 note. See also45 CFR 160.104(a).
C. To Protect the Trust Between Individuals and Health Care Providers, the Department Is Restricting Certain Uses and Disclosures of PHI for Particular Non-Health Care Purposes
As discussed above, Congress enacted HIPAA to improve the efficiency and effectiveness of the health care system, which includes ensuring that individuals have trust in the health care system. Congress also directed the Department to develop standards with respect to the privacy of IIHI as part of its decision to encourage the development of a health information system. To preserve such trust, and to encourage the development and use of a nationwide health information system, it is appropriate and necessary for Federal law and policy to protect the confidentiality of medical records, especially those that are highly sensitive. Accordingly, to protect the trust between individuals and health care providers, this rule restricts certain uses and disclosures of PHI for particular non-health care purposes, i.e., for using or disclosing PHI to conduct a criminal, civil, or administrative investigation into or to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person to initiate such activities.
Information about reproductive health care is particularly sensitive and requires heightened privacy protection. The Department's approach is consistent with efforts across the Federal Government. For example, the Department of Defense (DOD) has recognized such privacy concerns. In a memorandum to DOD leaders, the Secretary of Defense directed the DOD to “[e]stablish additional privacy protections for reproductive health care information” for service members and “[d]isseminate guidance that directs Department of Defense health care providers that they may not notify or disclose reproductive health information to commanders unless this presumption is overcome by specific exceptions set forth in policy.” The Federal Trade Commission (FTC) has also recognized that information about personal reproductive matters is “particularly sensitive” and has committed to using the full scope of its authorities to protect consumers' privacy, including the privacy of their health information and other sensitive data. In business guidance, the FTC explained that “[t]he exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms.”
Dep't of Defense, Memorandum Re: Ensuring Access to Reproductive Health Care, at 1 (Oct. 20, 2022) (removed emphasis on “not” in original), https://media.defense.gov/2022/Oct/20/2003099747/-1/-1/1/MEMORANDUM-ENSURING-ACCESS-TO-REPRODUCTIVE-HEALTH-CARE.PDF.
Kristin Cohen, “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data”, Federal Trade Commission Business Blog (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal (last accessed Nov. 15, 2022).
Id.
As discussed above, the Department has long provided special protections for psychotherapy notes because of the sensitivity around this information. However, unlike psychotherapy notes, which by their very nature are easily segregated, reproductive health information is not easily segregated. Additionally, regulated entities generally do not have the ability to segment certain PHI such that regulated entities could afford special protections for specific categories of PHI. Where such technology is available, it is generally cost prohibitive and burdensome to implement. Therefore, the Department did not propose, and is not finalizing, a newly defined subset of PHI. Creating such a subset would create barriers to disclosing PHI for care coordination because the PHI would need to be segregated from the remaining medical record. Instead, consistent with the Privacy Rule's longstanding overall approach, the Department is finalizing a purpose-based prohibition against certain uses and disclosures. This rule seeks to protect individuals' privacy interests in their PHI about reproductive health care and the interests of society in an effective health care system by enabling individuals and licensed health care professionals to make decisions about reproductive health care based on a complete medical record, while balancing those interests with other interests of society in obtaining PHI for certain non-health care purposes.
See Daniel M. Walker et al., “Interoperability in a Post- Roe Era Sustaining Progress While Protecting Reproductive Health Information,” JAMA (Nov. 1, 2022) (discussing that segregation of records for reproductive health care is more difficult than for SUD treatment records because “reproductive health services are often provided in the same settings as other primary and acute care and thus could be inferred or directly reflected in many parts of the record.”), https://jamanetwork-com.ezproxyhhs.nihlibrary.nih.gov/journals/jama/fullarticle/2797865; See, e.g., 87 FR 74216, 74221 (Dec. 2, 2022) (noting that 42 CFR part 2 previously resulted in the separation of SUD treatment records previous from other health records, which led to the creation of data “silos” that hampered the integration of SUD treatment records into covered entities' electronic record systems and billing processes. When considering amendments to the relevant statute, some lawmakers argued that the silos perpetuated negative stereotypes about persons with SUD and inhibited coordination of care during the opioid epidemic.). See also Health Info. Tech. Advisory Comm., “Health Information Technology Advisory Committee (HITAC) Annual Report for Fiscal Year 2019,” 2019 ONC Ann. Rep., at 37 (Feb. 19, 2020), https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf (“The new certification criteria that support the sharing of data via third-party apps will help advance the use of data segmentation, but adoption of this capability by the industry is not yet widespread.”).
See88 FR 23746, 23898 (Apr. 18, 2023) (explaining that while there are standards for security labels for document-based exchange that the Office of the National Coordinator for Health Information Technology (ONC) adopted in full in 2020 for the criteria in 45 CFR 170.315(b)(7) and (b)(8) to support the application of security labels at a granular level for sending in and receiving, standards to define the technical requirements for the actions described by the security label vocabularies do not yet exist. In the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule, published in 2020, ONC estimated a cost of the certification criteria and standards adopted for security labels in 45 CFR 170.315(b)(7) and (b)(8). The Department estimated the total cost to developers could range from $2,910,400 to $6,933,600 and that it would be a onetime cost. (85 FR 25926) The criteria do not include the ability for health IT to take the actions described by the security labels. Additionally, ONC did not require that health IT be certified to the criteria described above, making it essentially voluntary. Accordingly, the estimates for health IT developer and health care provider costs were likely significantly lower than they would have been if health IT were required to be certified to the criteria for participation. Thus, the total cost of implementing full segmentation capabilities is likely substantially higher than the per-product cost estimates provided by the Department in that rule). See also88 FR 23746, 23875 (Apr. 18, 2023) (discussing examples of challenges or technical limitations to electronic health information segmentation that have been described to ONC).
See64 FR 59918, at 59924, 59939, and 59955 (Nov. 3, 1999).
To assist in effectuating this prohibition, the Department is also requiring regulated entities to obtain an attestation in certain circumstances from the person requesting the use or disclosure stating that the use or disclosure is not for a prohibited purpose. A person (including a regulated entity or someone who requests PHI) who knowingly and in violation of the Administrative Simplification provisions obtains or discloses IIHI relating to another individual would be subject to potential criminal liability. Thus, a person who knowingly and in violation of HIPAA falsifies an attestation ( e.g., makes a material misrepresentation about the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual's IIHI could be subject to the criminal penalties provided by the statute. Additionally, a regulated entity is subject to potential civil penalties for violations of the HIPAA Rules, including a failure to obtain a valid attestation before disclosing PHI, where an attestation is required. The purpose-based prohibition, in concert with the attestation, will restrict the use and disclosure of PHI about lawful reproductive health care where the use or disclosure could harm HIPAA's overall goals of increasing trust in the health care system, improving health care quality, and protecting individual privacy. At the same time, it will allow uses and disclosures that either support those goals or do not substantially interfere with their achievement.
See42 U.S.C. 1320d-6(a).
See42 U.S.C. 1320d-6(b).
See42 U.S.C. 1320d-5. See also45 CFR part 160, subparts A, D, and E.
Consistent with the Privacy Rule's approach, the Department is clarifying that the purpose-based prohibition applies only in certain circumstances, recognizing the interests of both the Federal Government and states while also protecting the information privacy interests of persons who seek, obtain, provide, or facilitate lawful reproductive health care. Thus, the Department is finalizing a Rule of Applicability that balances the privacy interests of individuals and the interests of society in an effective health care system with those of society in the use of PHI for other non-health care purposes by limiting the new prohibition to certain circumstances.
The Department's experience administering the Privacy Rule, research cited below, our assessment of the needs of individuals and health care providers in light of recent developments to the legal landscape, public comments, and the Regulatory Impact Analysis, in Section VI below, all provide support for the changes finalized in this rulemaking. These changes will improve individuals' confidence in the confidentiality of their PHI and their trust in the health care system, creating myriad benefits for the health care system. Balancing the privacy interests of individuals and the use of PHI for other societal priorities will continue to support an effective health care system, as Congress intended. This final rule will deter the creation of inaccurate and incomplete medical records, which will help to support the provision of appropriate lawful health care. Health care providers base their treatment recommendations on PHI contained within existing medical records, as well as information shared with them directly by the individual. Thus, where individuals withhold information from their health care providers about lawful health care, health care providers may not be in possession of all of the necessary information to make an informed recommendation for an appropriate treatment plan, which may result in negative health outcomes at both the individual and population level. It will also improve the confidence of individuals, including among the Nation's most vulnerable communities, that they can securely seek or obtain or share that they sought or obtained lawful reproductive health care without that information being used or disclosed for the purpose of investigating or imposing liability on them for seeking or obtaining that lawful health care. By improving individuals' confidence and trust in their relationships with their health care providers, it will make individuals more likely to, for example, comply with preventative health screening recommendations, which will protect against a decline in individual and population health outcomes related to missed preventative health screenings. Additional intangible benefits from increased privacy protections in this area include enhanced support for survivors of rape, incest, and sex trafficking. The new attestation requirement discussed in greater detail below will help to assure regulated entities of their ability to operationalize these changes and avoid exposure to HIPAA liability for impermissible disclosures.
IV. General Discussion of Public Comments
The Department received more than 25,900 comments in response to its proposed rule. Overall, these comments represent the views of approximately 51,500 individuals and 350 organizations. Slightly more than half of the individuals and organizations who shared their views expressed general support for the 2023 Privacy Rule NPRM and its objectives. Less than one percent expressed mixed views. Organizational commenters included professional and trade associations, including those representing medical professionals, health plans, health care providers, health information management professionals, health information management system vendors, release-of-information vendors, employers, epidemiologists, and attorneys. The Department also received comments from advocacy organizations, including those representing patients, privacy advocates, faith-based organizations, and civil rights organizations. The NCVHS also provided comments, as did members of Congress, state, local, and Tribal government officials and public health authorities. Other commenters included health care systems, hospitals, and health care professionals.
A. General Comments in Support of the Proposed Rule
Comment: Many commenters expressed general support for the proposed rule and urged the Department to protect the privacy of individuals by limiting uses and disclosures of PHI for certain purposes where the use or disclosure of information is about reproductive health care that is lawful under the circumstances in which such health care is provided.
Many health care providers and individuals emphasized the importance of trusting relationships between individuals and their health care providers. According to individual commenters, a trusting relationship permits individuals to participate in sensitive and difficult conversations with their health care providers and enables health care providers to furnish high-quality and appropriate health care and to maintain accurate and complete medical records, including records that contain information about reproductive health care.
Many organizations also submitted comments that expressed agreement with the Department's position on the importance of the relationship between HIPAA and the HIPAA Rules and trust between individuals and health care providers. For example, an organization commented that privacy has long been a “hallmark” of medical care and agreed with the Department that Congress recognized this principle when it enacted HIPAA. Some organizations commented that the HIPAA framework of law and rules provides individuals with the necessary trust and confidence to seek reproductive health care without fear of being prosecuted or targeted by law enforcement, including in medical emergencies.
Other commenters stated that a trusting confidential relationship between an individual and a health care provider is an essential prerequisite to the delivery of high-quality health care. They also asserted that protective privacy laws, including HIPAA, help to ensure that individuals do not forgo health care.
Many individuals asserted that the proposed safeguards are urgently needed to provide individuals with the confidence to seek health care. According to the commenters, the proposal would increase the likelihood that pregnant individuals would receive essential health care, thus improving their overall well-being. One commenter expressed support for the proposal because they believe people should not be held liable or face punishment for seeking, obtaining, providing, or facilitating lawful health care. Another commenter expressed concerns that the increase in state legislation targeting reproductive health care has placed significant burdens on physicians and increased the risk of maternal morbidity and mortality for individuals.
A few commenters also expressed agreement with the Department's assertion that the proposed restrictions would clarify legal obligations of regulated entities with respect to the disclosure of PHI for certain non-health related purposes and would enable persons requesting PHI, including health plans, to better understand when such disclosures are permitted.
Response: The Department appreciates these comments and is finalizing the proposed rule with modification, as described in greater detail below. Consistent with HIPAA's goals, this final rule will support the development and maintenance of trust between individuals and their health care providers, encouraging individuals to be forthright with health care providers regarding their health history and providing valuable clarity to the regulated community and individuals concerning their privacy rights with respect to lawfully provided health care. In so doing, the Department helps to support access to health care by increasing individuals' confidence in the privacy of their PHI about lawfully provided reproductive health care. We are taking these actions as a result of our ongoing evaluation of the environment, including the legal landscape, and consistent with the Privacy Rule's longstanding balance of individual privacy and societal interests in PHI for non-health care purposes.
Comment: A wide cross-section of commenters, including individuals, health care providers, patient advocacy organizations, reproductive rights organizations, state law enforcement agencies, and others all agreed that individuals who frequently experience discrimination generally also experience it when seeking health care.
Many of these commenters urged the Department to recognize that there is a trust deficit in relationships between individuals and health care providers in communities that frequently experience discrimination. Many commenters cited scholarly journals and research articles showing that women of color especially suffer poorer medical outcomes, including higher maternal mortality and denial of medical interventions or treatments.
Commenters who answered the Department's request for comment about whether members of “historically underserved and minority communities” are more likely to be the subject of investigations into or proceedings against persons in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care unanimously responded in the affirmative. Some commenters expressed concern about the current legal environment's disproportionately negative effect on the privacy of women and members of marginalized and historically underserved communities and communities of color, such as immigrants who might avoid obtaining health care because of fears that their PHI could be shared with government officials. In general, commenters encouraged the Department to consider the likely negative implications of reduced health information privacy when combined with these disparities on health outcomes for members of marginalized and historically underserved communities and communities of color when crafting the final rule.
Some commenters expressed concern about the current legal environment's disproportionately negative effect on the privacy of members of marginalized and historically underserved communities and communities of color, such as women of color, immigrants and American Indians and Alaska Natives, who might withhold information from health care providers or avoid obtaining health care because of fears that their PHI could be shared with government officials or used to investigate or impose liability on them.
Among commenters that addressed this topic, many supported the Department's proposed purpose-based prohibition. Commenters stated that the proposed rule would help to mitigate medical mistrust of individuals in marginalized and historically underserved communities and communities of color and reduce the racial disparities that result from the increased criminalization of reproductive health care.
Several commenters also addressed the issue of the availability of legal counsel among these communities. A few commenters asserted that individuals who are members of marginalized and historically underserved communities and communities of color are less likely to have access to legal counsel, despite being more likely to be subjects of investigations into or proceedings against persons in connection with obtaining providing or facilitating lawful sexual and reproductive health care and cited to related studies.
Response: We appreciate these comments and thank commenters for sharing these important considerations. As we discussed in the 2023 Privacy Rule NPRM and again here, the experiences of individuals from communities that have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage by virtue of their race, disability, social or economic status, geographic location, or environment have significant negative effects on their relationships with health care providers and their willingness to seek necessary health care. We agree that the current legal landscape has exacerbated the health inequities that these individuals encounter when seeking reproductive health care services. The Department expects that the steps we have taken in this rule will meaningfully strengthen the privacy of PHI about lawful reproductive health care, and as a result, will help to mitigate the exacerbation of health disparities for members of marginalized and historically underserved communities and communities of color.
The Department is actively working to reduce health disparities. In recent months, we released a new plan to address language barriers and strengthen language access in health care, and issued three proposed rules to address health disparities: one to revise existing regulations to strengthen prohibitions against discrimination on the basis of a disability in health care and human services programs; another to issue new regulations to advance non-discrimination in health and human service programs for the LGBTQI+ community; and a third to revise existing regulations to prohibit discrimination on the basis of race, color, national origin, sex, age, and disability in a range of health programs. The Department will continue to work to address these concerns, ensure that individuals have access to and do not forgo necessary health care, and build individuals' trust that health care providers can and will protect the privacy of individuals' sensitive health information.
Press Release, “Breaking Language Barriers: Biden-Harris Administration Announces New Plan to Address Language Barriers and Strengthen Language Access,” U.S. Dep't of Health and Human Servs. (Nov. 15, 2023), https://www.hhs.gov/about/news/2023/11/15/breaking-language-barriers-biden-harris-administration-announces-new-plan-address-language-barriers-strengthen-language-access.html.
Press Release, “HHS Issues New Proposed Rule to Strengthen Prohibitions Against Discrimination on the Basis of a Disability in Health Care and Human Services Programs,” U.S. Dep't of Health and Human Servs. (Sept. 7, 2023), https://www.hhs.gov/about/news/2023/09/07/hhs-issues-new-proposed-rule-to-strengthen-prohibitions-against-discrimination-on-basis-of-disability-in-health-care-and-human-services-programs.html.
Press Release, “HHS Issues Proposed Rule to Advance Non-discrimination in Health and Human Service Programs for LGBTQI+ Community,” U.S. Dep't of Health and Human Servs. (July 11, 2023), https://www.hhs.gov/about/news/2023/07/11/hhs-issues-proposed-rule-advance-non-discrimination-health-human-service-programs-lgbtqi-community.html.
Press Release, “HHS Announces Proposed Rule to Strengthen Nondiscrimination in Health Care,” U.S. Dep't of Health and Human Servs. (July 25, 2022), https://www.hhs.gov/about/news/2022/07/25/hhs-announces-proposed-rule-to-strengthen-nondiscrimination-in-health-care.html.
Comment: A few commenters agreed with the Department's position that the proposed rule would appropriately protect individuals against growing threats to their privacy with respect to PHI about reproductive health care while permitting states to conduct law enforcement activities.
Response: The Privacy Rule always has and continues to balance privacy interests and other societal interests by permitting disclosures of PHI to support public policy goals, including disclosures to support certain criminal, civil, and administrative law enforcement activities; the operation of courts and tribunals; health oversight activities; the duties of coroners and medical examiners; and the reporting of child abuse, domestic violence, and neglect to appropriate authorities. We appreciate these comments that recognized the growing threat to the privacy of PHI and the need to strike an appropriate balance between ensuring health care privacy and conducting law enforcement activities. We are finalizing the proposed rule with modification as described in greater detail below.
B. General Comments in Opposition to the Proposed Rule
Comment: Several commenters generally opposed the proposed rule because of their opposition to certain types of reproductive health care. Many commenters opposed the proposed rule generally because they believed that it would harm women and children. Other commenters expressed concern that the proposals would increase administrative burdens and costs for health care providers; impede parental rights; prevent mandatory reporting of child abuse or abuse, domestic violence, and neglect; infringe upon states' rights; thwart law enforcement investigations; inhibit disclosures for public health activities; and protect those who engage in unlawful activities.
Response: The modifications to the Privacy Rule in this final rule directly advance Congress' directive in HIPAA to improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information, including a standard for the privacy of IIHI that, among other things, addresses the “uses and disclosures of such information that should be authorized or required.” As discussed in greater detail elsewhere in this final rule, a trusting relationship between individuals and health care providers is the foundation of effective health care. A primary goal of the Privacy Rule is to ensure the privacy of an individual's PHI while permitting necessary uses and disclosures of PHI that enable high-quality health care and protect the health and well-being of all individuals, including women and children, and the public.
See42 U.S.C. 1320d note.
See42 U.S.C. 1320d-2 note.
From the outset, the Department structured the Privacy Rule to ensure that individuals do not forgo lawful health care when needed—or withhold important information from their health care providers that may affect the quality of health care they receive out of a fear that their sensitive information would be revealed outside of their relationship with their health care provider. The Department has long been committed to protecting the privacy of PHI and providing the opportunity for an authentic, trusting relationship between individuals and health care providers. As we discussed in the 2023 Privacy Rule NPRM and again here, this final rule will help engender trust between individuals and health care providers and confidence in the health care system. We believe that this confidence will eliminate some of the burdens health care providers face in providing high-quality health care, encourage health care providers to accurately document PHI in an individual's medical record, and encourage individuals to provide health care providers with their complete and accurate health history, all of which will ultimately support better health outcomes. Nothing in this final rule sets forth a particular standard of care or affects the ability of health care providers to exercise their professional judgment.
This final rule protects the relationship between individuals and health care providers by protecting the privacy of PHI in circumstances where recent legal developments have increased concerns about that information being used and disclosed to harm persons who seek, obtain, provide, or facilitate reproductive health care under circumstances in which such health care is lawful, while continuing to permit uses and disclosures that confer other social benefits. It is narrowly tailored and respects the interests of both states and the Department. The final rule continues to permit regulated entities to use or disclose PHI to comply with certain mandatory reporting laws, for public health activities, and for law enforcement purposes when the uses and disclosures are compliant with the applicable provisions of the Privacy Rule.
Further, consistent with the longstanding operation of the Privacy Rule, this final rule requires that, in certain circumstances, regulated entities obtain information from persons requesting PHI, such as law enforcement, before the regulated entities may use or disclose the requested PHI. The Department recognizes that this final rule may increase the burden on those persons making requests for PHI, such as federal and state law enforcement officials, by requiring, in certain circumstances, that regulated entities obtain more information from such persons than previously required, and may, at times, prevent regulated entities from using or disclosing PHI that they previously would have been permitted to use or disclose. For example, the Department recognizes that situations may arise where a regulated entity reasonably determines that reproductive health care was lawfully provided, while at the same time, the person requesting the PHI ( e.g., law enforcement) reasonably believes otherwise. In such circumstances, where the regulated entity provided the reproductive health care, and upon receiving a request for the PHI for a purpose that implicates the prohibition, reasonably determines that the provision of reproductive health care was lawful, the final rule would prohibit the regulated entity from disclosing PHI for certain types of investigations into the provision of such health care. This constitutes a change from the current Privacy Rule, under which a regulated entity is permitted, but not required, to make a use or disclosure under 45 CFR 164.512(f) of information that is “relevant and material to a legitimate” law enforcement inquiry, provided that certain conditions are met; these conditions include, for example, that the request is specific and limited in scope to the extent reasonably practicable given the purpose for which the information is sought. Similarly, the Department acknowledges that, where the regulated entity did not provide the reproductive health care that is the subject of the investigation or imposition of liability, the Rule of Applicability and Presumption, discussed below, may require regulated entities to obtain additional information, that is, factual information that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided, from persons requesting PHI before using or disclosing the requested PHI.
See45 CFR 164.512(f)(1)(ii)(C).
Consistent with HIPAA and the Department's longstanding approach in the Privacy Rule, the Department is finalizing an approach that strikes an appropriate balance between the privacy interests of individuals and the interests of law enforcement, and private parties afforded legal rights of action, in obtaining PHI for certain non-health care purposes. While this approach may adversely affect particular interests of law enforcement, and private parties afforded legal rights of action, in some cases, the Department believes that the final rule best balances these competing interests by enhancing privacy protections without unduly interfering with legitimate law enforcement activities and does so in a manner that is consistent with the approach taken elsewhere in the Privacy Rule. As explained above, individual privacy interests are especially strong where individuals seek lawful reproductive health care. In particular, individuals may forgo lawful health care or avoid disclosing previous lawful health care to providers because they fear that their PHI will be disclosed. The Department believes these concerns are exacerbated by the prospect of state investigations into, and resulting intimidation and criminalization of, health care providers for providing lawful reproductive health care, as well as state laws encouraging state residents to sue persons who facilitate individuals' access to legal health care. The final rule addresses these interests by protecting privacy in situations where the reproductive health care at issue is especially likely to be lawful under the circumstances in which such health care was provided. Where a regulated entity receives a request for PHI about reproductive health care that the regulated entity provided, such health care is likely to be lawful where the regulated entity reasonably determines, based on all information in its possession, that such health care was lawful under the circumstances in which it was provided. Similarly, where a regulated entity receives a request for PHI about reproductive health care that the regulated entity did not provide, such health care is likely to be lawful where law enforcement is unable to provide factual information that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided.
The Department recognizes that, in some cases, the approach adopted in this final rule may inadvertently prohibit the disclosure of PHI about reproductive health care that was unlawfully provided, such as where a health care provider reasonably but incorrectly determines that the reproductive health care it provided was lawful under the circumstances in which such health care was provided. This is similar to how the Privacy Rule has always potentially prevented the use or disclosure of PHI that could be useful to law enforcement in certain circumstances because the request for PHI does not meet the conditions of the applicable permission. Nevertheless, given the importance of protecting individual privacy in this area, the Department has determined that the final rule adopts the appropriate balance between individual privacy and the interests of other persons, such as law enforcement. Specifically, the Department believes that the benefits to individual privacy of a broadly protective rule outweigh the benefits to societal interests in the use or disclosure of PHI from a narrower rule. While a narrower rule would more broadly permit disclosures related to PHI that might concern reproductive health care that is not lawful under the circumstances in which it is provided, such a rule would inadvertently permit more disclosures of PHI about lawful reproductive health care. Accordingly, the Department concludes that the final rule must be sufficiently broad to protect against such disclosures, given the paramount importance of individual privacy in this area.
Moreover, as explained above, individual privacy interests are paramount to promote free and open communication between individuals and their health care providers, thereby ensuring that individuals receive high-quality care based on their accurate medical history. Society has long recognized that information exchanged as part of a specific relationship for which trust is paramount should be entitled to heightened protection ( e.g., marital privilege, attorney-client privilege, doctor-patient privilege). Similarly, this final rule seeks to address situations where privacy interests are especially important, based both on the content of the information that is protected from disclosure (concerning lawful reproductive health care) and the context in which that information is shared (concerning a trust-based relationship between individuals and their health care providers).
In contrast, the potential adverse effects of this final rule on other interests, such as those of law enforcement, are limited by the narrow scope of this final rule. This final rule does not seek to prohibit disclosures of PHI where the request is for reasons other than investigating or imposing liability on persons for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided. For example, as explained in the NPRM and below, the final rule does not prohibit the use or disclosure of PHI for investigating alleged violations of the Federal False Claims Act or a state equivalent; conducting an audit by an Inspector General aimed at protecting the integrity of the Medicare or Medicaid program where the audit is not inconsistent with this final rule; investigating alleged violations of Federal nondiscrimination laws or abusive conduct, such as sexual assault, that occur in connection with reproductive health care; or determining whether a person or entity violated 18 U.S.C. 248 regarding freedom of access to clinic entrances. In each of these cases, the request is not made for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
Even when the request is for the purpose of investigating or imposing liability on the mere act of seeking, obtaining, providing, or facilitating reproductive health care, this final rule does not seek to prohibit disclosures of PHI about reproductive health care that is not lawful under the circumstances in which it was provided. Thus, in most situations involving reproductive health care that is not lawful under the circumstances in which it is provided, this final rule will not prevent the use or disclosure of PHI to investigate or impose liability on persons for such legal violations, provided such disclosures are otherwise permitted by the Privacy Rule. Moreover, where a regulated entity did not provide the reproductive health care at issue, this final rule prohibits the use or disclosure of PHI where the person making the request does not provide sufficient information to overcome the presumption of legality. In such cases, law enforcement agencies and other persons have a reduced interest in obtaining such PHI where the information does not demonstrate to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the circumstances in which such health care was provided.
This final rule does not prohibit the use or disclosure of PHI to investigate or impose liability on persons where reproductive health care is unlawful under the circumstances in which it is provided. Instead, the final rule prohibits the use or disclosure of PHI in narrowly tailored circumstances ( i.e., where the use or disclosure is to conduct an investigation or impose liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify a person for such activities). For example, once this final rule is in effect, a covered health care provider may still disclose PHI to a medical licensing board investigating a health care provider's actions related to their obligation to report suspected elder abuse, assuming the disclosure meets the conditions of an applicable Privacy Rule permission. This is because the final rule does not bar the use or disclosure of PHI for health oversight purposes, which is unrelated to the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
Additionally, even where the final rule prohibits the use or disclosure of PHI to investigate potentially unlawful reproductive health care ( i.e., where a regulated entity reasonably determines that the reproductive health care they provided was lawful, or where the presumption of legality is not overcome), law enforcement retains other ways of investigating reproductive health care that they suspect may have been unlawfully provided. For example, law enforcement retains the use of other traditional and otherwise lawful investigatory means for obtaining information, such as conducting witness interviews and accessing other sources of information not covered by HIPAA. The final rule is therefore tailored to protect the relationship between individuals and their health care providers specifically, while leaving unaffected law enforcement's ability to conduct investigations using information from other sources.
With respect to commenters' concerns about parental rights, this final rule also does not interfere with the ability of states to define the nature of the relationship between a minor and a parent or guardian.
Comment: A few commenters that expressed negative views asserted that the proposed rule exceeded the Department's statutory authority under HIPAA or was beyond the Department's rulemaking authority. Some commenters stated that the rulemaking was arbitrary and capricious and would make it difficult for law enforcement to investigate reproductive health care and engage in health oversight activities and would require health care providers to provide certain types of health care against which they have objections. Some commenters expressed concern about the balance of powers between the states and the federal government. Other commenters suggested that the proposals preempt state laws serving public health, safety, and welfare.
Response: As discussed above, Congress explicitly stated that the purpose of HIPAA's Administrative Simplification provisions was to improve the efficiency and effectiveness of the health care system. For the health care system to be effective, individuals must trust that information that they share with health care providers about lawful health care will remain private. Accordingly, since their inception, the HIPAA Rules have required that regulated entities narrowly tailor disclosures to law enforcement to protect an individual's privacy. While the Department is adopting an approach in this final rule that is more protective of privacy interests than the current Privacy Rule in certain circumstances, these changes are necessary to appropriately balance privacy interests and the interests of law enforcement, and private parties afforded legal rights of action, in light of the changing legal environment. This is discussed in detail above. In both the 2023 Privacy Rule NPRM and this final rule, the Department cited to multiple studies documenting the real-world harm to health and health care in the changing legal environment. As explained above, the Department acknowledges that this final rule may affect certain state interests in obtaining PHI to investigate potentially unlawful reproductive health care, but the Department has tailored the final rule to strike the appropriate balance between privacy interests and state interests. This final rule limits the potential harm to individuals, health care providers, and others resulting from the disclosure of PHI to investigate or punish individuals for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided. We emphasize that nothing in this rule or any of the HIPAA Rules requires a health care provider to provide any type of health care, including any type of reproductive health care.
See, e.g., 45 CFR 164.512(f) and 164.514(d)(3)(iii).
Comment: Several commenters asserted that the proposed rule would impede states' enforcement of their own laws, including those concerning sexual assault and sex trafficking. Many commenters opposed the proposed rule because they believed it would inhibit the ability of states to investigate or enforce laws prohibiting minors from obtaining certain types of health care and prevent the commenters from reporting minors who they believe are coerced into obtaining such health care to authorities.
Response: This rule does not prohibit the disclosure of PHI for investigating allegations of or imposing liability for sexual assault, sex trafficking, or coercing minors into obtaining reproductive health care. Rather, this final rule modifies the existing HIPAA Privacy Rule standards by prohibiting uses and disclosures of PHI to investigate or impose liability on individuals, regulated entities, or other persons for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such reproductive health care is provided, or to identify any person to investigate or impose liability on them for such purposes. Accordingly, requests for the disclosure of PHI to investigate such allegations of or impose liability for such crimes do not fall within the final rule's prohibition, and the presumption of lawfulness likewise would not be triggered because the prohibition would not apply. A regulated entity therefore would not be prohibited from disclosing an individual's PHI when subpoenaed by law enforcement for the purpose of investigating such allegations, assuming that law enforcement provided a valid attestation and met the other conditions of the applicable permission.
Moreover, as explained above, the final rule is tailored to prohibit disclosures related to lawful reproductive health care, thereby reducing the interference with law enforcement interests to create an appropriate balance with privacy interests.
Comment: Some states expressed concern that the proposed rule would intrude into areas where the HIPAA Rules have previously acknowledged state control, such as enforcement of state and local laws, regulation of the practice of health care, and reporting of abuse.
Response: This final rule balances the interests of individuals in the privacy of their PHI and of society in an effective health care system with those of society in obtaining PHI for certain non-health care purposes. The Privacy Rule always has and continues to permit disclosures of PHI to support public policy goals, including disclosures to support criminal, civil, and administrative law enforcement activities; the operation of courts and tribunals; health oversight activities; the duties of coroners and medical examiners; and the reporting of child abuse, domestic violence, and neglect to appropriate authorities. As explained above, while the final rule adopts an approach that is more protective of privacy interests in certain circumstances than the previous Privacy Rule, the final rule continues to balance the interests that HIPAA Rules have long sought to protect with those of society in PHI.
C. Other General Comments on the Proposed Rule
Comment: Commenters urged the Department to provide enhanced privacy protections for health information that is not covered by existing frameworks or specifically addressed in the proposed rule. A few professional associations expressed support for revising the Privacy Rule to provide stronger protection for the privacy of reproductive health care information and urged the Department to modify the Privacy Rule to provide even stronger protections than those proposed in the 2023 Privacy Rule NPRM.
Response: The Department's authority under HIPAA is limited to protecting the privacy of IIHI that is maintained or transmitted by covered entities and, in some cases, their business associates. Specific modifications to the Privacy Rule to protect the privacy of PHI are described in greater detail below. Consistent with the Department's longstanding approach with respect to the Privacy Rule, the modifications we are finalizing in this rule strike a balance between protecting an individual's right to health information privacy with the interests of society in permitting the disclosure of PHI to support the investigation or imposition of liability for unlawful conduct. In particular, the final rule does not prohibit the disclosure of PHI about reproductive health care that was unlawfully provided, because an individual's privacy interests in reproductive health care that is not lawful ( e.g., a particular type of reproductive health care that is provided by a nurse practitioner in a state that requires that type of reproductive health care to be provided by a physician) are comparatively lower than a state's interests in investigating and imposing liability on persons for unlawful reproductive health care. We will continue to monitor legal developments and their effects on individual privacy as we consider the need for future modifications to the Privacy Rule.
Comment: Several commenters questioned how the proposed rule would affect their current business associate and data exchange agreements.
Response: The modifications in this final rule may require regulated entities to revise existing business associate agreements where such agreements permit regulated entities to engage in activities that are no longer permitted under the revised Privacy Rule. Regulated entities must be in compliance with the provisions of this rule by December 23, 2024.
Comment: A few commenters requested clarification of whether minors and legal adults have the same protections under the Privacy Rule and whether this rule would alter existing protections.
Response: The final rule does not change how the Privacy Rule applies to adults and minors. Thus, all of the protections provided to PHI by this final rule apply equally to adults and minors. For example, under this final rule, a regulated entity is prohibited from using or disclosing a minor's PHI for the purposes prohibited under 45 CFR 164.502(a)(5)(iii). The Privacy Rule generally permits a parent to have access to the medical records about their child as their minor child's personal representative when such access is consistent with state or other law, with limited exceptions. Additional information about how the Privacy Rule applies to minors can be found at 45 CFR 164.502(g) and on the OCR website.
See45 CFR 164.502(g) (describing personal representatives) and 164.524(a)(3) (describing reviewable grounds for denial of access to PHI by a personal representative).
Off. for Civil Rights, “Health Information Privacy,” U.S. Dep't of Health and Human Servs., https://www.hhs.gov/hipaa/index.html.
Comment: Many commenters urged the Department to take an educational approach, rather than a punitive one, with respect to enforcement against regulated entities. In addition, many commenters addressed the need for resources and education for successful implementation of the proposed changes to the Privacy Rule. They called for the Department to collaborate with and educate regulated entities, individuals, and others affected by the proposed revisions, such as law enforcement, as well as for the Department to partner with other Federal agencies and state governments to conduct the education. Some suggested that educational resources should include multiple media formats and a centralized platform.
Response: The Department frequently issues non-binding guidance and conducts outreach to help regulated entities achieve compliance. We appreciate these recommendations and will consider these topics for future guidance. Regulated entities are expected to comply with the Privacy Rule as revised once the compliance date has passed.
V. Summary of Final Rule Provisions and Public Comments and Responses
The Department is modifying the Privacy Rule to strengthen privacy protections for individuals' PHI by adding a new category of prohibited uses and disclosures of PHI. This final rule prohibits a regulated entity from using or disclosing an individual's PHI for the purpose of conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided, meaning that it is either: (1) lawful under the circumstances in which such health care is provided and in the state in which it is provided; or (2) protected, required, or authorized by Federal law, including the United States Constitution, regardless of the state in which such health care is provided. In both of these circumstances, as explained above, the interests of the individual in the privacy of their PHI and of society in ensuring an effective health care system outweighs those of society in the use of PHI for non-health care purposes. To operationalize this modification, the Department is revising or clarifying certain definitions and terms that apply to the Privacy Rule, as well as other HIPAA Rules. This final rule also prohibits a regulated entity from using or disclosing an individual's PHI for the purpose of identifying an individual, health care provider, or other person for the purpose of initiating such an investigation or proceeding against the individual, a health care provider, or other person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.
To effectuate these proposals, the Department is finalizing conforming and clarifying changes to the HIPAA Rules. These changes include, but are not limited to, clarifying the definition of “person” to reflect longstanding statutory language defining the term; adopting new definitions of “public health” surveillance, investigation, or intervention, and “reproductive health care”; adding a new category of prohibited uses and disclosures; clarifying that a regulated entity may not decline to recognize a person as a personal representative for the purposes of the Privacy Rule because they provide or facilitate reproductive health care for an individual; imposing a new requirement that, in certain circumstances, regulated entities must first obtain an attestation that a requested use or disclosure is not for a prohibited purpose; and requiring modifications to covered entities' NPPs to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under this final rule.
The Department's section-by-section description of the final rule is below.
A. Section 160.103 Definitions
1. Clarifying the Definition of “Person”
HIPAA does not define the term “person.” The HIPAA Rules have long defined “person” to mean “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” This meaning was based on the definition of “person” adopted by Congress in the original SSA, as an “individual, a trust or estate, a partnership, or a corporation.”
See42 U.S.C. 1320d-1320d-8.
45 CFR 160.103.
See section 1101(3) of Public Law 74-271, 49 Stat. 620 (Aug. 14, 1935) (codified at 42 U.S.C. 1301(3)).
In 2002, Congress enacted 1 U.S.C. 8, which defines “person,” “human being,” “child,” and “individual.” The statute specifies that these definitions shall apply when “determining the meaning of any Act of Congress, or of any ruling, regulation, or interpretation of the various administrative bureaus and agencies of the United States.” The Department understands 1 U.S.C. 8 to provide definitions of “person,” “individual,” and “child” that do not include a fertilized egg, embryo, or fetus, and are consistent with the Department's understanding of those terms, as used in the SSA, HIPAA, and the HIPAA Rules.
1 U.S.C. 8(a). The Department is not opining on whether any state law confers a particular legal status upon a fertilized egg, embryo, or fetus. Rather, the Department cites to this statute to help define the scope of privacy protections that attach pursuant to HIPAA and its implementing regulations.
Id.
The Department proposed to clarify the term “natural person” in a manner consistent with 1 U.S.C. 8. Thus, the Department proposed to clarify that all terms subsumed within the definition of “natural person,” such as “individual,” are limited to the confines of the term “person.” As discussed in the 2023 Privacy Rule NPRM, the purpose of this proposal was to better explain to regulated entities and other stakeholders the parameters of an “individual” whose PHI is protected by the HIPAA Rules.
88 FR 23506, 23523 (Apr. 17, 2023).
45 CFR 160.103 (definition of “Individual”).
See Sharon T. Phelan, “The Prenatal Record and the Initial Prenatal Visit,” The Glob. Libr. of Women's Med. (last updated Jan. 2008) (PHI about the fetus is included in the mother's PHI), https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl.
Many individuals and organizations commented on the proposal to clarify the definition “person.” Organizational commenters, including professional associations representing health care providers, advocacy groups, and academic departments, generally supported the proposal. Several commenters applauded the proposed clarification because they believed it would limit disclosures of PHI in cases where no individual has been harmed.
Most opponents of the proposed clarification were individuals participating in form letter campaigns who expressed concern that the proposal might diminish access to prenatal care. Others asserted that the proposed clarification would contradict or conflict with existing laws, such as mandatory reporting laws and Federal statutes that rely upon a different definition of “person.”
The final rule adopts the proposed clarification of the definition of person, to mean a “natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” Therefore, an “individual,” “child,” or “victim” ( e.g., a victim of crime) under the HIPAA Rules must be a natural person. As we explained in the 2023 Privacy Rule NPRM, this clarification is consistent with the SSA, HIPAA, and 1 U.S.C. 8. This clarification applies only to regulations issued pursuant to the Administrative Simplification provisions of HIPAA.
See42 U.S.C. 1320d.
This clarification is consistent with the Privacy Rule's longstanding definitions of “person” and “individual,” as applied to Privacy Rule provisions permitting certain types of reports or other disclosures of PHI. For example, a regulated entity is permitted to disclose PHI about an individual who the regulated entity reasonably believes to be a victim of abuse, neglect, or domestic violence only where the individual is a “natural person.” In addition, because a “victim” necessarily is a natural person, the permission to disclose PHI to avert a serious threat to health or safety at 45 CFR 164.512(j)(i) does not permit disclosures when the perceived threat does not involve the health or safety of a natural person or the public, or when an individual has not caused serious physical harm to a natural person.
45 CFR 160.103 (definition of “Person”). The Department first defined the term “person” in the HIPAA Rules as part of the 2003 Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings Interim Final Rule (2003 Interim Final Rule) to distinguish a “natural person” who could testify in the context of administrative proceedings from an “entity” (defined therein as a “legal person”) on whose behalf a person would testify. See45 CFR 160.502 of the 2003 Interim Final Rule, 68 FR 18895, 18898 (Apr. 17, 2003) ( Person is defined to mean a natural person or a legal person).
45 CFR 160.103 (definition of “Individual”). The definition of “individual” in the HIPAA Rules was first adopted in the 2000 Privacy Rule.
See45 CFR 164.512(c)(1). This provision explicitly excludes reports of child abuse, which are addressed by 45 CFR 164.512(b)(1).
Comment: Many organizational commenters expressed support for the proposal to clarify the definition of “person.”
One commenter stated that this clarification should prevent law enforcement from attempting to avoid the proposed prohibition. According to another commenter, this proposed clarification is crucial as stakeholders adapt to the current reproductive health landscape.
Several commenters expressed support for the Department's proposal but requested additional clarifications. For example, one commenter recommended that the Department clarify whether the definition would preempt state laws.
Response: We take the opportunity to emphasize here that the clarification only applies to the HIPAA Rules and explains certain terms that apply to the permissions for uses and disclosures of PHI by regulated entities. We do not believe it is necessary to further clarify the final regulatory text because the current definition remains unchanged other than to incorporate the plain wording of 1 U.S.C. 8.
Comment: A few commenters expressed opposition to the Department's proposed clarification of “person” as tantamount to eliminating legal protections for and recognition of categories of human beings based on developmental stage. Some commenters maintained that the proposed clarification of “person” was inaccurate.
Several commenters opposed the proposed clarification of “person” because it would affect the provision of prenatal care.
A few commenters asserted that the proposed clarification would prevent the collection of medical information about reproductive health care for important purposes, such as public health and research.
Response: We are clarifying the definition of person consistent with applicable Federal law only for the purpose of applying HIPAA's Administrative Simplification provisions. This clarification will not affect how the term “person” is applied for purposes of other laws, affect any rights or protections provided by any other law, or affect standards of health care, including prenatal care.
This final rule does not affect the reporting of vital statistics, nor does it affect the ability of regulated entities to use and disclose PHI for research. The Privacy Rule's standards for uses and disclosures for public health surveillance, investigations, and interventions, or for health oversight activities, are discussed elsewhere.
Comment: Several commenters requested additional clarifications to the Department's proposed clarification of “person.” A few commenters asserted that the proposed clarification would be overly expansive. Most of these same commenters disagreed with the Department's interpretation of 1 U.S.C. 8. Commenters asserted that the clarification was inconsistent or conflicted with other laws.
Response: The clarified definition of person that we are finalizing in this rule does not change the Department's interpretation of the term or change definitions under other law, such as state law. It also is consistent with Federal law, including 1 U.S.C. 8, which specifically applies to Federal regulations, and other examples cited by commenters. For example, both GINA and the Privacy Rule protect the genetic information of a fetus carried by a pregnant individual as the PHI of the pregnant individual.
Public Law 110-233, 122 Stat. 881. See generally Off. for Civil Rights, “Health Information Privacy, Genetic Information,” U.S. Dep't of Health and Human Servs. (Content last reviewed June 16, 2017), https://www.hhs.gov/hipaa/for-professionals/special-topics/genetic-information/index.html#:~:text=The%20Genetic%20Information%20Nondiscrimination%20Act,into%20two%20sections%2C%20or%20Titles.
The other laws cited by commenters address policy concerns that are different from those health information privacy issues addressed under HIPAA and do not address personhood. Even if those statutes did adopt different understandings of who is a “person,” the Department has the authority to clarify or define terms that apply to the Administrative Simplification regulations issued pursuant to HIPAA. Additionally, the definition in the final rule of 1 U.S.C. 8 is appropriate because it is consistent with the Department's longstanding interpretation of the term in the context of HIPAA's Administrative Simplification provisions and associated regulations. Many Federal and state laws operate with differing definitions of common terms, to which existing legal standards that govern how such differences are to be interpreted would apply.
See45 CFR 164.524. See also William Baude & Stephen E. Sachs, “The Law of Interpretation,” 130 Harv. L. Rev. 1079 (2017).
Comment: A few commenters asserted that the proposal would expand minors' access to hormone therapy or surgeries without requiring parental consent.
Response: The final rule's clarification to define the term “person” does not affect the ability of a parent to make decisions related to health care for an individual who is an unemancipated minor, and nothing in this rule dictates a standard of care. The application of this definition is limited to the HIPAA Rules.
Comment: A few commenters asserted that the proposed clarification would help to prevent the misapplication of child abuse laws to individuals who engage in certain behaviors while pregnant ( e.g., use of an illicit substance or alcohol). Several other commenters expressed concern that this definition would limit the ability of a regulated entity to apply the Privacy Rule permission to use or disclose PHI to prevent a serious and imminent threat to a fertilized egg, embryo, or fetus.
Response: Under this final rule, a regulated entity would continue to be permitted to disclose PHI about an individual who the covered entity reasonably believes is a victim of child abuse or neglect, consistent with 45 CFR 164.512(b)(1)(ii), or a victim of abuse, neglect, or domestic violence, consistent with 45 CFR 164.512(c), to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence under the circumstances set forth under 45 CFR 164.512(c) where the individual meets the clarified definition of person. The Privacy Rule permission concerning serious and imminent threats applies to threats to a person, consistent with the definition as clarified by this final rule, or the public.
See45 CFR 164.512(j)(1)(i).
2. Interpreting Terms Used in Section 1178(b) of the Social Security Act Reporting of Disease or Injury, Birth, or Death
Section 1178(a) of the SSA provides that HIPAA generally preempts contrary state laws with certain limited exceptions, such as those described in section 1178(b). Specifically, section 1178(b) excepts from HIPAA's general preemption authority laws that provide for certain public health reporting, such as the reporting of disease or injury, birth, or death. HIPAA does not define the terms in section 1178(b) that govern the scope of this exception to HIPAA's general preemption authority, nor has the Department previously defined such terms through rulemaking.
The Department recognizes that such public health reporting activities are an important means of identifying threats to the health and safety of the public. Accordingly, when a public health authority has furnished documentation of its authority to collect or receive such information, the Privacy Rule permits a regulated entity, without an individual's authorization, to use or disclose PHI to specified persons for public health activities. These activities include all of the vital statistics reporting activities described in section 1178(b), including reporting of diseases and injuries, birth, or death.
45 CFR 164.501 (definition of “Public health authority”).
This is unchanged by this final rule.
See45 CFR 164.512(b). The Privacy Rule addresses its interactions with laws governing excepted public health activities in two sections: 45 CFR 164.512(a), Standard: Uses and disclosures required by law, and 45 CFR 164.512(b), Standard: Uses and disclosures for public health activities.
The Department proposed to interpret in preamble key terms used in section 1178(b) to clarify when HIPAA's general preemption authority applies. Specifically, the Department proposed an interpretation of section 1178(b) that would clarify that HIPAA's general preemption authority applies to laws that require regulated entities to use or disclose PHI for a purpose that would be prohibited under the proposed rule. Under this interpretation, the Privacy Rule permission to use or disclose PHI without an individual's authorization for the reporting of disease or injury, birth, or death would not permit the use or disclosure of PHI for a criminal, civil, or administrative investigation into or proceeding against a person in connection with seeking, obtaining, providing, or facilitating reproductive health care. The Department did not intend this clarification to prevent disclosures of PHI from regulated entities to public health authorities for public health purposes that have been and continue to be permitted under the Privacy Rule. Nor did the Department intend for this proposed clarification to prevent disclosures of PHI by regulated entities under other permissions in the Privacy Rule, such as for law enforcement purposes, when made consistent with the conditions of the relevant permission and where the purpose of the disclosure is not one for which a use or disclosure would have been prohibited under 45 CFR 164.502(a)(5)(iii) as proposed.
The Department did not propose to define “disease or injury,” “birth,” or “death,” because we believed that these terms, when read with the definition of “person” and in the broader context of HIPAA, would exclude information about reproductive health care without the need for further clarification. However, the Department invited public comment on whether it would be beneficial to make such clarification.
88 FR 23506, 23523 (Apr. 17, 2023).
Few commenters addressed interpretation of these terms. Some commenters expressed concern that the Department's interpretation would prevent beneficial public health reporting about certain types of reproductive health care, while others requested that the Department prohibit public health reporting about certain types of reproductive health care. Some commenters on this issue agreed with the Department's interpretation and clarification of the terms used in 1178(b). Several of these commenters requested that the Department define or clarify these terms because reporting standards are inconsistent across states.
The Department declines to add definitions for “disease or injury,” “birth,” or “death” to the Privacy Rule in this final rule. However, we offer the discussion below to provide additional context on our interpretation of these terms.
At the time of HIPAA's enactment, state laws provided for the reporting of disease or injury, birth, or death by covered health care providers and other persons. State public health reporting systems were well established and involved close collaboration between the state, local, or territorial jurisdiction and the Federal Government. Reports generally were made to public health authorities or, in some specific cases, law enforcement ( e.g., reporting of gunshot wounds). Similar public health reporting systems continue to exist today.
The 1996-98 Report of the NCVHS to the Secretary describes various types of activities considered to be public health during the era in which HIPAA was enacted, such as the collection of public health surveillance data on health status and health outcomes and vital statistics information. See Nat'l Comm. On Vital and Health Stats., Report of The National Committee on Vital and Health Statistics, 1996-98, (Dec. 1999), https://ncvhs.hhs.gov/wp-content/uploads/2018/03/90727nv-508.pdf.
Id.
Id.
Reporting of “disease or injury” commonly refers to diagnosable health conditions reported for limited purposes such as workers' compensation, tort claims, or communicable or other disease or injury tracking efforts. States, territories, and Tribal governments require health care providers ( e.g., physicians, laboratories) and some others ( e.g., medical examiners, coroners, veterinarians, local boards of health) to report cases of certain diseases or conditions that affect public health, such as coronavirus disease 2019 (COVID-19), malaria, and foodborne illnesses. Such reporting enables public health practitioners to study and explain diseases and their spread, along with determining appropriate actions to prevent and respond to outbreaks. States also require health care providers to report incidents of certain types of injuries, such as those caused by gunshots, knives, or burns. Various Federal statutes use the phrase “disease or injury” similarly to refer to events such as workplace injuries for purposes of compensation.
Richard N. Danila et al., “Legal Authority for Infectious Disease Reporting in the United States: Case Study of the 2009 H1N1 Influenza Pandemic,” 105 a.m. J. Public Health 13 (Jan. 2015).
See “Reportable Diseases,” MedlinePlus, https://medlineplus.gov/ency/article/001929.htm (accessed Oct. 19, 2022). See also Nat'l Notifiable Diseases Surveillance Sys., “What is Case Surveillance?,” Ctrs. for Disease Control and Prevention (July 20, 2022), https://www.cdc.gov/nndss/about/index.html.
See “Reportable Diseases,” supra note 215. Such reporting is a type of public health surveillance activity.
See Victims Rts. Law Ctr., “Mandatory Reporting of Non-Accidental Injuries: A State-by-State Guide” (May 2014), http://4e5ae7d17e.nxcli.net/wp-content/uploads/2021/01/Mandatory-Reporting-of-Non-Accidental-Injury-Statutes-by-State.pdf.
See, e.g., 38 U.S.C. 1110 (referring to an “injury suffered or disease contracted”); 10 U.S.C. 972 (discussing time lost as a result of “disease or injury”); 38 U.S.C. 3500 (providing education for certain children whose parent suffered “a disease or injury” incurred or aggravated in the Armed Forces); see also5 U.S.C. 8707 (insurance provision discussing compensation as a result of “disease or injury”); 33 U.S.C. 765 (discussing retirement for disability as a result of “disease or injury”); 15 U.S.C. 2607(c) (requiring chemical manufacturers to maintain records of “occupational disease or injury”).
The limited meaning given to the terms “disease” and “injury” for purposes of public health reporting is clear from HIPAA's broader context. For instance, interpreting “injury” reporting to include disclosures about all instances of suspected criminal abuse would render the specific permission to report “child abuse” superfluous. And interpreting “disease” reporting to include disclosures about any sort of disease for any purpose would both eviscerate HIPAA's general provisions protecting PHI and make superfluous the statutory requirement to not invalidate laws providing for public health surveillance, or public health investigation or intervention. For example, “disease management activities” constitute “health care” under the Privacy Rule. As such, a broad interpretation of “disease or injury” reporting could make potentially all the health records detailing a particular individual's treatment for any disease or injury disclosable to a public health authority or others unrelated to the health care. Consequently, the Department has long understood “disease or injury” to narrowly refer to diagnosable health conditions reported for limited purposes such as workers' compensation, tort claims or in compliance with Federal laws that require states to conduct surveillance of specific diseases and injuries related to public health or Federal funding.
See65 FR 82462, 82571 (Dec. 28, 2000) (recognizing that “disease management activities” often constitute “health care” under HIPAA); Id. at 82777 (discussing the importance of privacy for information about cancer, a “disease” that causes an “indisputable” “societal burden”); Id. at 82778 (discussing the importance of privacy for information about sexually transmitted diseases, including Human Immunodeficiency Virus/Acquired Immunodeficiency Syndrome (HIV/AIDS)); Id. at 82463-64 (noting that numerous states adopted laws protecting health information relating to certain health conditions such as communicable diseases, cancer, HIV/AIDS, and other stigmatized conditions.); Id. at 82731 (finding that there are no persuasive reasons to provide information contained within disease registries with special treatment as compared with other information that may be used to make decisions about an individual).
See, e.g.,65 FR 82462, 82517 (Dec. 28, 2000) (discussing tort litigation as information that could implicate IIHI); Id. at 82542 (discussing workers' compensation); Id. at 82527 (separately addressing disclosures about “abuse, neglect or domestic violence” and limiting such disclosures to only two circumstances, even if expressly authorized by state statute or regulation).
With respect to reporting of “births” and “deaths,” such vital statistics are reported by health care providers to the vital registration systems operated in various jurisdictions legally responsible for the registration of vital events. State laws require birth certificates to be completed for all births, and Federal law mandates the national collection and publication of births and other vital statistics data. Tracking and reporting death is a complex and decentralized process with a variety of systems used by more than 6,000 local vital registrars. When HIPAA was enacted, the Model State Vital Statistics Act and Regulations, which is followed by most states, included distinct categories for “live births,” “fetal deaths,” and “induced terminations of pregnancy,” with instructions that abortions “shall not be reported as fetal deaths.” In light of that common understanding at the time of HIPAA's enactment, it is clear that the reporting of abortions is not included in the category of reporting of deaths for the purposes of HIPAA and does not fall within the scope of state death reporting activities that Congress specifically designated as excepted from preemption by HIPAA.
See “Public Health Professionals Gateway, Public Health Systems & Best Practices, Health Department Governance,” Ctrs. for Disease Control and Prevention (Nov. 25, 2022), https://www.cdc.gov/publichealthgateway/sitesgovernance/index.html.
See the list of events included in vital events, Nat'l Ctr. for Health Stats., “About the National Vital Statistics System,” Ctrs. for Disease Control and Prevention (Jan. 4, 2016), https://www.cdc.gov/nchs/nvss/about_nvss.htm.
See Nat'l Ctr. for Health Stats., “Birth Data,” Ctrs. for Disease Control and Prevention (Dec. 6, 2022), https://www.cdc.gov/nchs/nvss/births.htm.
See Ctrs. For Disease Control and Surveillance, “How Tracking Deaths Protects Health,” (July 2018), https://www.cdc.gov/surveillance/pdfs/Tracking-Deaths-protects-healthh.pdf.
See Nat'l Ctr. for Health Stats., Ctrs. for Disease Control and Prevention, “State Definitions and Reporting Requirements: For Live Births, Fetal Deaths, and Induced Terminations of Pregnancy,” at 5 (1997), https://www.cdc.gov/nchs/data/misc/itop97.pdf.
Nat'l Ctr. for Health Stats., Ctrs. for Disease Control and Prevention, “Model State Vital Statistics Act and Regulations,” at 8 (1992), https://www.cdc.gov/nchs/data/misc/mvsact92b.pdf.
More generally, while Congress exempted certain “[p]ublic health” laws from preemption, Congress chose not to create a general exception for criminal laws or other laws that address the disclosure of information about similar types of activities outside of the public health context.
42 U.S.C. 1178(b) (codified in HIPAA at 42 U.S.C. 1320d-7).
For all these reasons, state laws requiring the use or disclosure of PHI for the purpose of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating health care, or identifying a person for such activities, are subject to HIPAA's general preemption provision. Similarly, the Privacy Rule's public health provisions that permit the disclosure of PHI for the reporting of disease or injury, birth, or death do not include permission to use or disclose PHI for the purpose of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating health care, or identifying a person for such activities. This general distinction between public health activities and investigation and enforcement activities is not limited to reproductive health care. Nevertheless, as discussed elsewhere in this final rule, the Department has chosen to strike a balance between privacy interests and other public policy interests. Consistent with the Department's longstanding approach that has allowed disclosures for law enforcement purposes in certain circumstances, the new prohibitions set forth in this rule apply only to lawful reproductive health care. State authorities cannot rely on the Privacy Rule's permissions for disclosures related to disease or injury, birth, or death to obtain PHI for the purpose of investigating or imposing liability for the provision of reproductive health care. However, as discussed above, state authorities may be able to invoke other permissions, such as the permission for disclosures for law enforcement purposes, to obtain such PHI where such disclosure is to investigate or impose liability on a person when the reproductive health care at issue is unlawful under the circumstances in which it is provided.
Comment: A few commenters expressed support for the Department's interpretation and clarification of the terms used in section 1178(b) of the SSA. A few commenters recommended that the Department define, rather than clarify, these terms. Some commenters requested that the Department further clarify the terms “disease or injury,” “birth,” and “death,” to explicitly exclude information about reproductive health care. Other commenters expressed opposition to the Department's clarifications.
Response: We decline to define “disease or injury,” “birth,” or “death” in this final rule. The Department's understanding of these terms is consistent with the Model State Vital Statistics Act and Regulations and its application in the context of the passage of HIPAA. We believe that the 2023 Privacy Rule NPRM preamble discussion is sufficient to clarify that such reporting does not include the use or disclosure of PHI for investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating health care, including reproductive health care, or to identify a person for such activities.
Defining “Public health,” as used in the terms “public health surveillance,” “public health investigation,” and “public health intervention.”
Section 1178(b) also excepts state laws providing for “public health surveillance, or public health investigation or intervention” from HIPAA's general preemption authority. Neither HIPAA nor the Privacy Rule currently defines “public health surveillance” or “public health investigation or intervention.” Consistent with the statute, the Privacy Rule expressly permits a regulated entity to use or disclose PHI for “public health” surveillance, investigation, or intervention. The Department proposed to define public health, as used in the terms “public health surveillance,” “public health investigations,” and “public health interventions,” to mean population-level activities to prevent disease and promote health of populations. In preamble to the 2023 Privacy Rule NPRM, the Department described public health surveillance as the ongoing, systematic collection, analysis, and interpretation of health-related data essential to planning, implementation, and evaluation of public health practice. The Department explained that public health investigations or interventions include monitoring real-time health status and identifying patterns to develop strategies to address chronic diseases and injuries, as well as using real-time data to identify and respond to acute outbreaks, emergencies, and other health hazards. Public health surveillance, investigations, or interventions safeguard the health of the community by addressing ongoing or prospective population-level issues such as the spread of communicable diseases, even where these activities involve individual-level investigations or interventions.
Section 1178(a) of HIPAA.
See45 CFR 164.512(b)(1)(i); Off. for Civil Rights, “Disclosures for Public Health Activities,” U.S. Dep't of Health and Human Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/index.html (accessed Oct. 19, 2022).
See “Introduction to Public Health Surveillance,” Ctrs. for Disease Control and Prevention (Nov. 15, 2018), https://www.cdc.gov/training/publichealth101/surveillance.html.
See “Public Health Professionals Gateway, Ten Essential Public Health Services,” Ctrs. for Disease Control and Prevention (Dec. 1, 2022), https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html.
The Department also proposed to expressly exclude certain activities from the definition of public health to distinguish between public health activities and certain criminal investigations. Specifically, the Department proposed to provide in regulatory text that the Privacy Rule's permissions to use and disclose PHI for the “public health” activities of surveillance, investigations, or interventions do not include criminal, civil, or administrative investigations into, or proceedings against, any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, nor do they include identifying any person for the purpose of initiating such investigations or proceedings. The Department stated that any such actions are not public health activities that would be subject to the exception to HIPAA's general preemption authority for state laws providing for “public health surveillance, or public health investigation or intervention.”
Section 1178(a) of SSA.
Commenters expressed mixed views on the proposal to define “public health” in the context of “public health surveillance,” “public health investigations” or “public health interventions.” Commenters expressing opposition to the proposal either disagreed with the Department's assertion that public health activities do not involve uses and disclosures that would be prohibited by the rule or asserted that the proposal would prevent public health reporting of reproductive health care. Some commenters generally supported the goal of the proposal but expressed concern that inclusion of the proposed language about “population-level” activities could prevent essential public health activities that involve specific persons, such as reporting data about specific health care services provided to specific persons that have a “population-level” effect and investigating the spread of communicable diseases.
Some commenters asserted that the proposal would frustrate states' ability to enforce their laws not related to public health, such as laws banning health care such as abortion. Supporters asserted that the proposal would help to prevent PHI from being disclosed for a purpose that would be prohibited under the proposed rule. Supportive commenters also expressed concern about states obtaining PHI based on an interpretation of “public health investigations” that includes the mandatory reporting of pregnant individuals who engage in certain activities, such as substance use. Other commenters asserted that disclosures of PHI to public health authorities should be limited because of the potential for PHI to be redisclosed for purposes that otherwise would be prohibited under the Privacy Rule.
The final rule adopts the proposed definition with some modifications. The final rule maintains the proposed rule's focus on activities aimed at preventing disease and improving the health of populations. This definition does not prevent disclosures of PHI by covered entities to public health authorities for public health activities that have long been permitted under the Privacy Rule. As discussed in the 2023 Privacy Rule NPRM, since the time of HIPAA's enactment, public health activities related to surveillance, investigation, or intervention have been widely understood to refer to activities aimed at improving the health of a population. For example, legal dictionaries define “public health” as “[t]he health of the community at large,” or “[t]he healthful or sanitary condition of the general body of people or the community en masse; esp., the methods of maintaining the health of the community, as by preventive medicine or organized care for the sick.” Stedman's Medical Dictionary defines “public health” as “the art and science of community health, concerned with statistics, epidemiology, hygiene, and the prevention and eradication of epidemic diseases; an effort organized by society to promote, protect, and restore the people's health; public health is a social institution, a service, and a practice.” The Centers for Disease Control and Prevention (CDC) and the Agency for Toxic Substances and Disease Registry have described “public health surveillance” as “the ongoing systematic collection, analysis and interpretation of outcome-specific data for use in the planning, implementation, and evaluation of public health practice.” And many states similarly define “public health” to mean activities to support population health. The Department likewise has used the term public health in this way since it first adopted the Privacy Rule.
“Health, Public Health,” Black's Law Dictionary (11th ed. 2019).
“Public Health,” Stedman's Medical Dictionary 394520.
Jonathan Weinstein, In Re Miguel M., 55 N.Y.L. Sch. L. Rev. 389, 390 (2010) (citing Stephen B. Thacker, “Historical Development,” in Principles and Practice of Public Health Surveillance 1 (Steven M. Teutsch & R. Elliott Churchill eds., 2d ed., 2000)), https://digitalcommons.nyls.edu/cgi/viewcontent.cgi?article=1599&context=nyls_law_review.
See, e.g., Richard A. Goodman et al., “Forensic Epidemiology: Law at the Intersection of Public Health and Criminal Investigations,” 31 J. of Law, Med. & Ethics 684, 689-90 (2003); La. Rev. Stat. Ann. Sec. 40:3.1 (2011) (defining threats to public health as nuisances “including but not limited to communicable, contagious, and infectious diseases, as well as illnesses, diseases, and genetic disorders or abnormalities”); N.C. Gen. Stat. sec. 130A-141.1(a) (2010) (defining public health investigations as the “surveillance of an illness, condition, or symptoms that may indicate the existence of a communicable disease or condition”).
See, e.g.,65 FR 82462, 82464 (Dec. 28, 2000) (noting that reporting of public health information on communicable diseases is not prevented by individuals' right to information privacy); Id. at 82467 (discussing the importance of accurate medical records in recognizing troubling public health trends and in assessing the effectiveness of public health efforts); Id. at 82473 (discussing disclosure to “a department of public health”); Id. at 82525 (recognizing that it may be necessary to disclose PHI about communicable diseases when conducting a public health intervention or investigation); Id. at 82526 (recognizing that an entity acts as a “public health authority” when, in its role as a component of the public health department, it conducts infectious disease surveillance); Stephen B. Thacker, Epidemiology Program Office, Ctrs. for Disease Control and Prevention, “HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services,” 52 MMWR 1 (Apr. 11, 2003), https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm (describing what traditionally are considered to be “public health activities” that require PHI).
Public health surveillance, public health investigations, and public health interventions are activities that address population health concerns and have generalized public benefit to the health of a population, including activities that involve specific persons. Examples of activities that prevent disease in and promote the health of populations include vaccination campaigns to eradicate communicable disease, surveillance of a community's use of emergency services after a natural disaster to improve allocation of resources to meet health needs, and investigation of the source of an outbreak of food poisoning. As explained in the preamble to the 2023 Privacy Rule NPRM, there is a widely recognized distinction between public health activities, which primarily focus on improving the health of populations, and criminal investigations, which primarily focus on identifying and imposing liability on persons who have violated the law. States and other local governing authorities maintain criminal codes that are distinct and separate from public health reporting laws, although some jurisdictions enforce required public health reporting through criminal statutes. Different governmental bodies are responsible for enforcing these separate codes, and public health officials do not typically investigate activities enforced under criminal statutes or laws. Federal laws also generally treat public health investigations as distinct from criminal investigations. Maintaining a clear distinction between public health investigations and criminal investigations serves HIPAA's broader purposes.
See Miguel M. v. Barron, 950 NE2d 107, at 111 (2011) (explaining “[t]he apparent purpose of the public health exception is to facilitate government activities that protect large numbers of people from epidemics, environmental hazards, and the like, or that advance public health by accumulating valuable statistical information.”).
88 FR 23510, 23525 (Apr. 17, 2023).
See Miguel M. v. Barron at 111, supra note 239 (concluding that “[t]o disclose private information about particular people, for the purpose of preventing those people from harming themselves or others, effects a very substantial invasion of privacy without the sort of generalized public benefit that would come from, for example, tracing the course of an infectious disease.”).
For example, traditional public health reporting laws grew from colonial requirements that physicians report disease. These requirements transitioned to state regulatory requirements imposed by public health departments on authority granted to them by states. See Ctrs. for Disease Control and Prevention, “Public Health Law 101, Disease Reporting and Public Health Surveillance,” at 12 and 14 (Jan. 16, 2009), https://www.cdc.gov/phlp/docs/phl101/PHL101-Unit-5-16Jan09-Secure.pdf. See also, e.g., Code of Georgia 31-12-2 (2021) (authority to require disease reporting).
See “ Public Health,” supra note 235 (“Many cities have a `public health department' or other agency responsible for maintaining the public health; Federal laws dealing with health are administered by the Department of Health and Human Services.”); see also “Forensic Epidemiology: Law at the Intersection of Public Health and Criminal Investigations,” supra note 237, at 689.
See Camara v. Municipal Ct. of City & Cty. of S.F., 387 U.S. 523, 535-37 (1967) (discussing administrative inspections under the Fourth Amendment, such as those aimed at addressing “conditions which are hazardous to public health and safety,” and not “aimed at the discovery of evidence of crime”); 42 U.S.C. 241(d)(D) (prohibiting disclosure of private information from research subjects in “criminal” and other proceedings); 42 U.S.C. 290dd-2(c) (prohibiting substance abuse records from being used in criminal proceedings).
See “ Forensic Epidemiology: Law at the Intersection of Public Health and Criminal Investigations,” supra note 237, at 687 (discussing reasons why “an association of public health with law enforcement” may be “to the detriment of routine public health practice”). See also45 CFR 164.512(b)(1)(i) (including “public health investigations” as an activity carried out by a public health authority that is authorized by law to carry out public health activities).
The Department concludes that neither section 1178(b) nor the Privacy Rule's permissions to use and disclose PHI for the “public health” activities of surveillance, investigation, or intervention include conducting criminal, civil, or administrative investigations into, or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care, including reproductive health care, nor do they include the identification of any person for such purposes. Such actions are not public health activities. As described above, this distinction between public health activities and other investigation and enforcement activities is not limited to reproductive health care. Public health surveillance, investigations, or interventions ensure the health of the community as a whole by addressing ongoing or prospective population-level issues such as the spread of communicable diseases, even where they involve interventions involving specific individuals. Such surveillance systems provide the necessary data to examine and potentially develop interventions to improve the public's health, such as providing education or resources to support individuals' access to health care and improve health outcomes and are not affected by this final rule. U.S. states, territories, and Tribal governments participate in bilateral agreements with the Federal Government to share data on conditions that affect public health. The CDC's Division of Reproductive Health collects reproductive health data in support of national and state-based population surveillance systems to assess maternal complications, mortality and pregnancy-related disparities, and the numbers and characteristics of individuals who obtain legal induced abortions. This final rule does not affect CDC's ability to collect this information now or in the future. Importantly, disclosures to public health authorities permitted by the Privacy Rule are limited to the “minimum necessary” to accomplish the public health purpose. In some cases, regulated entities need disclose only de-identified data to meet the public health purpose.
See “Improving the Role of Health Departments in Activities Related to Abortion,” Am. Pub. Health Ass'n (Oct. 26, 2021), https://www.apha.org/Policies-and-Advocacy/Public-Health-Policy-Statements/Policy-Database/2022/01/07/Improving-Health-Department-Role-in-Activities-Related-to-Abortion.
See “Reportable diseases,” supra note 215. See also “What is Case Surveillance?,” supra note 215.
See “Reproductive Health, About Us,” Ctrs. for Disease Control and Prevention (Apr. 20, 2022), https://www.cdc.gov/reproductivehealth/drh/about-us/index.htm; and “ Reproductive Health, CDCs Abortion Surveillance System FAQs,” Ctrs. for Disease Control and Prevention (Nov. 17, 2022), https://www.cdc.gov/reproductivehealth/data_stats/abortion.htm.
See45 CFR 164.502(b).
See45 CFR 164.514(a).
By contrast, efforts to conduct criminal, civil, and administrative investigations or impose criminal, civil, and administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care generally target specific persons for particular conduct; they are not designed to address population-level health concerns and are not limited to information authorized to be collected by a public health or similar government authority for a public health activity. Thus, the exceptions in section 1178(b) for “public health” investigations, interventions, or surveillance do not limit the Department's ability to prohibit uses or disclosures of PHI for other purposes, such as judicial and administrative proceedings or law enforcement purposes. While the Department has chosen as a policy matter to continue to permit uses or disclosures of PHI for law enforcement and other purposes in certain contexts, it is adopting a different balance where such uses or disclosures are about reproductive health care that is lawful under the circumstances in which it was provided.
While retaining the focus on activities to prevent disease and promote the health of populations, this final rule clarifies that population-level activities “include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of protected health information.” This clarification addresses commenters' concerns that regulated entities would no longer be able to report information that states need to conduct public health functions intended to protect against prospective or ongoing threats at the population level, even if at times they necessarily will focus on individuals while doing so (through contact tracing, quarantine or isolation, and the like). The Department does not intend this clarification to prevent disclosures of PHI from covered entities to public health authorities for public health activities that have long been and continue to be permitted under the Privacy Rule. These changes clarify that public health, as used in the specified terms, broadly includes activities to prevent disease in and promote the health of populations. The changes also confirm that the Department does not require a public health authority to supply an attestation to a covered entity to receive PHI of an individual where that disclosure is intended to prevent disease in or promote the health of populations.
The intended purpose of including “population-level” was to facilitate public health activities that protect large numbers of people from epidemics, environmental hazards, and the like. However, we believe that the language that clarifies that population-level activities “include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of protected health information,” sufficiently serves this purpose of addressing uses and disclosures of PHI that are necessary to accomplish the overarching goals of public health.
The last sentence of the proposed definition, which described what are not public health activities, is also revised in the final rule for consistency with the general distinction between activities of public health surveillance, investigation, and intervention and activities of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating health care, or identifying a person for such activities, as well as the standard the Department is adopting at 45 CFR 164.502(a)(5)(iii), which is discussed further in that section of this rule. Thus, while a state might assert that investigating or imposing liability on persons for the mere act of seeking, obtaining, providing, or facilitating health care satisfies the definition of “public health,” their interpretation would not supersede the definition of “public health” in the context of public health surveillance, investigations, or interventions that the Department is adopting under its own Federal statutory authority to administer the HIPAA Rules.
Comment: A few organizations expressed support for the proposed definition of “public health” without further elaboration. Several commenters expressed support for the proposed definition of “public health” because it would prevent PHI from being disclosed for a prohibited purpose. A few commenters expressed support for the proposal because they believed that information reported for public health purposes could be requested, re-identified (in the case of de-identified information), or further disclosed to law enforcement for purposes for which the Department proposed to prohibit uses and disclosures.
Several commenters expressed support for the proposed definition of “public health” and the existing standard that limits public health disclosures of PHI to the minimum necessary information to achieve the purpose.
Response: Consistent with the NPRM, the Department agrees with the commenters who stated that it is important to define “public health” in the context of public health surveillance, investigation, or intervention to ensure that PHI is not disclosed for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). Disclosures of PHI for public health purposes continue to be subject to the minimum necessary standard, which limits the use and disclosure of PHI to the minimum necessary to achieve the specified purpose; in some circumstances, de-identified information may suffice. However, many public health activities do require identifiable data, such as for interventions involving individuals, to protect against prospective or ongoing threats to health or safety at the population level, and the Privacy Rule does not prohibit such uses and disclosures.
When making disclosures to public officials that are permitted under 45 CFR 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose, regulated entities are permitted, but not required, to rely on that representation, if such reliance is reasonable under the circumstances. Such reliance may not be reasonable where the request appears to be overly broad when compared to the stated purpose of the request ( e.g., where a public health authority requests the disclosure of PHI of all individuals who received treatment for uterine bleeding when the stated purpose is to investigate infection control practices by an obstetrician/gynecologist in a state where law enforcement has publicly announced its intention to investigate individuals for traveling out of state to seek or obtain reproductive health care that is lawful under the circumstances in which it is provided).
45 CFR 164.514(d)(3)(iii)(A); see also45 CFR 164.514(h)(2)(ii) and (iii).
Comment: A few commenters asserted that law enforcement generally interprets public health investigations to include criminal investigations and prosecutions and the NPRM proposed definition would complicate such investigations by limiting the amount of PHI that could be disclosed to law enforcement.
Response: The Department has adopted a definition of “public health” in the context of public health surveillance, investigation, and intervention that sets clear parameters between such activities and law enforcement activities conducted to impose liability for the mere act of seeking, obtaining, providing, or facilitating health care. Public health surveillance, investigation, and intervention do not include efforts to attach liability to persons for specific acts of seeking, obtaining, providing, or facilitating health care.
This definition is consistent with the longstanding distinction made by the Department between public health activities and law enforcement activities as described above.
Comment: Several commenters expressed support for the Department's proposal generally but recommended further clarifications or revisions to it, especially regarding the limitation to “population-level” activities. A few commenters raised questions about the difference between the proposed definition of “public health” and the permission for public health activities under 45 CFR 164.512(b)(1)(i) and recommended that the Department clarify the definition to ensure that public health agencies are able to obtain health information for administrative or civil proceedings, such as quarantine or isolation in cases involving infectious diseases.
Response: The Department has modified the definition of “public health” in the context of public health surveillance, investigation, or intervention to clarify that such activities include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of PHI. This change addresses commenters' concerns that under the proposed definition, regulated entities would no longer be able to report PHI that is required to address population-level concerns.
Comment: Several commenters raised concerns that the proposed definition of “public health” would circumvent states' interests related to public health. A few commenters expressed opposition to the Department's clarification of public health because they believed that states should have the ability to conduct surveillance, investigations, or interventions concerning certain types of health care for public health purposes. Several commenters asserted that the proposal would frustrate the ability of states to enforce their laws prohibiting access to certain types of health care. Conversely, a commenter requested that the Department explicitly exclude reproductive health care from the proposed definition of “public health,” so it would not be reportable to public health agencies.
Response: We disagree with commenters' assertions that this final rule will prevent the reporting of vital statistics or other public health activities. A covered entity may continue to use or disclose PHI for all the public health activities and purposes listed in section 1178(b). We also decline to explicitly exclude reproductive health care from the definition of “public health” because doing so could hinder beneficial public health activities. Instead, this definition supports this final rule's prohibition against certain uses and disclosures of PHI by clarifying that public health surveillance, investigation, and intervention exclude conducting a criminal, civil, or administrative investigation into any person, or the imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care, or identifying any person for such activities. Such excluded activities include those with the purposes that are prohibited at 45 CFR 164.502(a)(5)(iii).
Comment: A few commenters believed that defining “investigation,” “intervention,” or “surveillance” was unnecessary or recommended against doing so and requested that the Department clarify that such terms do not encompass any prohibited purposes. One commenter requested that the Department define these terms to expressly exclude information related to reproductive health care.
Response: We are not defining the terms “investigation,” “intervention,” or “surveillance” in this rule. However, we are providing extensive interpretation in the preamble to clarify that such activities in the public health context do not encompass conducting a criminal, civil, or administrative investigation into any person, or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care, or identifying any person for such activities, including those for which use or disclosure of PHI is prohibited by 45 CFR 164.502(a)(5)(iii).
Reporting of Child Abuse
In accordance with section 1178(b) of HIPAA, the Privacy Rule permits a regulated entity to use or disclose PHI to report known or suspected child abuse or neglect if the report is made to a public health authority or other appropriate government authority that is authorized by law to receive such reports. The Privacy Rule limits disclosures of PHI made pursuant to this permission to the minimum necessary to make the report.
See45 CFR 164.512(b)(1)(ii).
See45 CFR 164.502(b) and 164.514(d).
As the Department explained in the 2023 Privacy Rule NPRM, at the time HIPAA was enacted, “most, if not all, states had laws that mandated reporting of child abuse or neglect to the appropriate authorities.” Additionally, when Congress enacted HIPAA, it had already addressed child abuse reporting in other laws, such as the Victims of Child Abuse Act of 1990 and the Child Abuse Prevention and Treatment Act. For example, 34 U.S.C. 20341(a)(1), a provision of the original Victims of Child Abuse Act of 1990 that is still in place today, requires certain professionals to report suspected abuse when working on Federal land or in a federally operated (or contracted) facility. As used in these statutes, the term “child abuse” does not include activities related to reproductive health care, such as abortion.
65 FR 82462, 82527 (Dec. 28, 2000).
Public Law 101-647, 104 Stat. 4789 (codified at 18 U.S.C. 3509).
Public Law 93-247, 88 Stat. (codified at 42 U.S.C. 5101 note).
See34 U.S.C. 20341(a)(1), originally enacted as part of the Victims of Child Abuse Act of 1990 and codified at 42 U.S.C. 13031, which was editorially reclassified as 34 U.S.C. 20341, Crime Control and Law Enforcement. For the purposes of such mandated reporting, see34 U.S.C. 20341(c)(1) for definition of “child abuse.”
In the 2023 Privacy Rule NPRM, the Department discussed that it has long interpreted “child abuse,” as used in the Privacy Rule and section 1178(b) of HIPAA, to exclude conduct based solely on a person seeking, obtaining, providing, or facilitating reproductive health care. This interpretation is consistent with the public health aims of improving access to health care for individuals, including reproductive health care, and with relevant statutes at the time HIPAA was enacted, as described above. The Department also stated that this interpretation prohibits a regulated entity from disclosing PHI in reliance on the permission for reporting “child abuse” where the alleged victim does not meet the definition of “person” or “child,” consistent with both 1 U.S.C. 8 and section 1178(b). Additionally, consistent with previous rulemaking under HIPAA, the Department clarified in the preamble that it did not intend for the interpretation to disrupt longstanding state or Federal child abuse reporting requirements that apply to regulated entities.
88 FR 23506, 23526 (Apr. 17, 2023).
65 FR 82462, 82527 (Dec. 28, 2000).
The Department also made several clarifications in preamble concerning our interpretation of section 1178(b) and the Privacy Rule's public health permission and how we distinguish between public health reporting and disclosures for law enforcement purposes or judicial and administrative proceedings.
Comment: Many commenters supported the Department's clarification and agreed that it would preserve trust between individuals and health care providers, but also requested additional clarification from the Department on its implementation. Few opposed the clarification; those who did expressed concerns about the potential for the clarification to prevent state-mandated reporting in certain circumstances. Many commenters expressed mixed views about the Department's interpretation.
Response: The Department is moving forward with its interpretation as described in the NPRM. As noted above, this final rule does not alter the Privacy Rule's reliance on other applicable law with respect to determining who has the authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, including lawful reproductive health care. The Privacy Rule does not permit a regulated entity to disclose PHI as part of a report of suspected child abuse based solely on the fact that a parent seeks reproductive health care ( e.g., treatment for a sexually transmitted infection) for a child. However, the regulated entity is permitted to make such disclosure where there is suspicion of sexual abuse that could be the basis of permitted reporting.
See45 CFR 164.502(g).
Congress defined the term “child” in 1 U.S.C. 8, and the term “child” in the Privacy Rule is consistent with that definition. As such, the Department believes that to the extent this clarification prohibits a regulated entity from disclosing PHI to report “child abuse” under this permission in the Privacy Rule where the alleged victim does not meet the definition of “person,” it is consistent with both 1 U.S.C. 8 and section 1178(b).
The Department also reaffirms its clarification that the Privacy Rule permission to report known or suspected child abuse or neglect permits a disclosure only for the purpose of making a report, and the PHI disclosed must be limited to the minimum necessary information for the purpose of making a report. These provisions do not permit the covered entity to disclose PHI in response to a request for the use or disclosure of PHI to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on a person based on suspected child abuse. Instead, as we explained in the 2023 Privacy Rule NPRM, any disclosure of PHI in response to this type of request from an investigator, must meet the applicable Privacy Rule conditions for disclosures for judicial and administrative proceedings or law enforcement purposes, as applicable. That is the case whether such disclosure is in follow up to the report made by the covered entity (other than to clarify the PHI provided on the report) or part of an investigation initiated based on an allegation or report made by a person other than the covered entity.
See45 CFR 164.502(b) and 164.514(d).
See45 CFR 164.512(e) and (f).
See45 CFR 164.512(e) and (f).
Moreover, this clarification does not affect the ability of state authorities to invoke other permissions for disclosure under the Privacy Rule, such as the permission for disclosures for law enforcement purposes, where they are seeking PHI related to unlawful reproductive health care. Thus, the Department's interpretation of “child abuse” continues to support the protection of children while also serving HIPAA's objectives of protecting the privacy of PHI to promote individuals' trust in the health care system and preserving the relationship between individuals and their health care providers.
65 FR 82462, 82527 (Dec. 28, 2000).
Comment: A few commenters recommended that the Department expand the clarification of child abuse to broadly address providing or facilitating all health care, rather than just reproductive health care.
Response: It is beyond the scope of this rule making to expand the clarification to include the provision or facilitation of all lawful health care. We appreciate the recommendations of commenters and will take them under advisement for potential future rulemaking.
3. Adding a Definition of “Reproductive Health Care”
Section 160.103 of the HIPAA Rules defines “health care” as “care, services, or supplies related to the health of an individual.” The definition clarifies that the term “includes but is not limited to” several identified types of care, services, and procedures and includes examples such as therapeutic, rehabilitative, or maintenance care, as well as sale or dispensing of drugs or devices.
45 CFR 160.103 (definition of “Health care”).
These groupings are (1) “[p]reventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body” and (2) “[the s]ale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.” It would also include supplies purchased over the counter or furnished to the individual by a person that does not meet the definition of a health care provider under the HIPAA Rules. 45 CFR 164.103 (definition of “Health care provider”).
The Department proposed to add and define a new term, “reproductive health care,” that would be a subset of the term “health care.” The Department proposed to define “reproductive health care” as “care, services, or supplies related to the reproductive health of the individual.” The Department noted in the NPRM preamble that the HIPAA Rules define “health care” broadly.
88 FR 23506, 23527-28 (Apr. 17, 2023).
88 FR 23506, 23527 (Apr. 17, 2023).
Consistent with the definition of “health care” in the HIPAA Rules, the proposed definition of “reproductive health care” would have applied broadly and included not only reproductive health care and services furnished by a health care provider and supplies furnished in accordance with a prescription, but also care, services, or supplies furnished by other persons and non-prescription supplies purchased in connection with an individual's reproductive health. The Department proposed to use the term “reproductive health care” rather than “reproductive health services” to ensure that the term was interpreted broadly to capture all health care that could be furnished to address reproductive health, including the provision of medications and devices, whether prescription or over-the-counter.
The Department discussed in preamble some of the types of care, services, and supplies that were included in the proposed term. In keeping with the Department's intention for “reproductive health care” to be inclusive of all types of health care related to an individual's reproductive system, the 2023 Privacy Rule NPRM preamble indicated that the term would include, but not be limited to: contraception, including emergency contraception; pregnancy-related health care; fertility or infertility-related health care; and other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system. We also provided a non-exhaustive list of examples of health care within each of these categories of reproductive health care.
Consistent with the definition of “health care” adopted in 2000 in the HIPAA Rules, the Department did not propose a specific definition of “reproductive health” but invited comment on whether including a particular definition of “reproductive health” would be beneficial.
Many commenters supported the proposal and agreed that it would provide the necessary protections for individuals and others. Some referenced existing definitions used by other legal authorities and recommended the Department consider adopting or incorporating them in some manner.
Some commenters opposed the proposal to provide an inclusive definition of reproductive health care. Some commenters asserted that the proposal lacked clarity and was too open-ended, making it difficult to operationalize. Other commenters expressed concern that the proposed definition would permit minors to consent to reproductive health care without parental consent.
The final rule adopts the new term “reproductive health care” and definition with three modifications. First, we replace “care, services, or supplies related to the reproductive health of the individual” with “health care” and add a citation to the HIPAA Rules' definition of that term to clarify that reproductive health care is a subset of “health care.”
Second, we specify that the term means health care “that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.” In keeping with the Department's intention for “reproductive health care” to be interpreted broadly and inclusive of all types of health care related to an individual's reproductive system, this additional language clarifies that the definition encompasses the full range of health care related to an individual's reproductive health.
Third, we add a statement reaffirming that the definition should not be construed to establish a standard of care for or regulate what constitutes clinically appropriate reproductive health care.
As discussed in the NPRM, this approach is consistent with the approach the Department took when it adopted the definition of “health care” in the HIPAA Rules. At that time, the Department explained that listing specific activities would create the risk that important activities would be left out and could also create confusion.
65 FR 82571 (Dec. 28, 2000).
By describing more fully the breadth of reproductive health care, the definition may decrease the perceived burden to regulated entities of complying with the rule by helping them determine whether a request for the use or disclosure of PHI includes PHI that is implicated by this final rule.
To further clarify what is included in reproductive health care for regulated entities, we provide a non-exclusive list of examples that fit within the definition: contraception, including emergency contraception; preconception screening and counseling; management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination; fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components ( e.g., in vitro fertilization (IVF)); diagnosis and treatment of conditions that affect the reproductive system ( e.g., perimenopause, menopause, endometriosis, adenomyosis); and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system ( e.g., mammography, pregnancy-related nutrition services, postpartum care products).
See “What is Assisted Reproductive Technology?” Centers for Disease Control and Prevention (Oct. 8, 2019), https://www.cdc.gov/art/whatis.html and “Fact Sheet: In Vitro Fertilization (IVF) Use Across the United States,” U.S. Dep't of Health and Human Servs. (Mar. 13, 2024), https://www.hhs.gov/about/news/2024/03/13/fact-sheet-in-vitro-fertilization-ivf-use-across-united-states.html.
Additionally, the language in the definition stating that the definition should not be construed to set forth a standard of care or regulate what constitutes clinically appropriate reproductive health care should not be read as limiting “reproductive health care” to only health care that is determined to be appropriate by a health care professional. Rather, it may be the individual who determines whether the health care they receive, such as over-the-counter contraceptives, is appropriate. Like the definition of “health care,” the definition of reproductive health care is intended to be broad. Finally, we clarify that meeting the definition is not sufficient for information about such health care to be protected under the HIPAA Rules or this final rule. Rather, the information about such health care still needs to meet the definition of PHI.
45 CFR 160.103 (definition of “Protected health information”).
Comment: Some commenters expressed support for the proposed definition of “reproductive health care.” Several commenters specifically expressed their support for a broad definition of the term for various reasons, including: ensuring that providers of reproductive health care can continue to serve vulnerable communities and reduce health care disparities; providing clarity; and mitigating the need for clinical expertise and interpretation for each request for reproductive health information. Other commenters expressed support for the term because it would improve access to care and better reflect the breadth of services that support an individual's reproductive health, enable health care providers to continue to maintain appropriate data safeguards, and enable individuals to feel comfortable disclosing their information without fear of incrimination.
Many other commenters expressed opposition to the proposed definition because it was too expansive and would encompass procedures that they did not consider to be reproductive health care. Many commenters explicitly requested that the definition exclude certain types of health care. A few commenters recommended that the Department narrow the proposed definition to apply only to records directly involving certain specified services and clarify that the final definition does not include other procedures or treatments related to pregnancy or contraception. Another commenter expressed opposition to the proposed definition of “reproductive health care” because they believe that reproductive health information is no more sensitive than other medical information and should not be treated differently.
One commenter opposed the proposed definition of “reproductive health care” because they thought it would prevent health care providers from disclosing PHI to other health care providers for treatment, which would erode individual trust.
Several commenters requested that the Department expand the proposed definition, be more specific in its meaning ( e.g., provide additional information about the types of care, services, or supplies included in the definition), or replace it with a more expansive term ( e.g., “sensitive personal health care” meaning “care, services, or supplies related to the health of the individual which could expose any person to civil or criminal liability for the mere act of seeking, obtaining, providing, or facilitating such health care”). A commenter urged the Department to define the term “sexual and reproductive health care” to ensure that individuals have reproductive health care privacy, regardless of their sexual orientation or gender identity.
Commenters offered several alternative definitions or terms, such as “including but not limited to services related to contraception, sterilization, preconception care, maternity care, abortion care, and counseling regarding reproductive health care”; the definition of “reproductive health care services” at 18 U.S.C. 248(e)(5); “reproductive and sexual health care services” as defined in California Health and Safety Code section 1367.31; and limiting the definition to capture only health care that is at risk of being investigated or prosecuted because of Dobbs. Other commenters requested additional precision or clarity in the definition. For example, a commenter recommended that the definition include the specific codes and data points that would constitute reproductive health care that would be prohibited from disclosure under the proposed rule ( e.g., International Classification of Diseases (ICD) codes related to reproductive health, ABO blood type and Rh factor).
Several commenters urged the Department to narrow the proposed definition because of operational concerns, including the redirection of resources to making or obtaining legal determinations about whether a particular type of care was reproductive health care. Some explained that health information management staff generally do not have the clinical expertise to determine what would constitute “reproductive health care,” while another stated that physicians would also have trouble discerning what health care would meet the proposed definition. Another commenter recommended that the Department include only PHI that is already reliably segregated in EHRs in the definition.
Many commenters requested that the Department further explain the proposed definition either in preamble or the regulatory text. One commenter suggested that in lieu of a definition of “reproductive health care,” the Department include an extensive discussion of examples in the preamble and provide entities flexibility to implement policies or procedures that may be affected by the definition of “reproductive health care” in accordance with their operational structures. A few commenters also recommended that the Department provide examples in preamble discussion, rather than regulatory text. One commenter recommended that the Department provide specific examples to illustrate its meaning where there could be ambiguity. Several commenters recommended that examples be included in the regulatory text and provided specific examples of the types of health care they thought should be included. Some commenters recommended the Department include examples but did not specify whether they should be in the preamble or in the regulatory text, while other commenters requested that the Department include a non-exhaustive list of examples of reproductive health care in both the regulation and preamble.
Response: After consideration, we have finalized a definition grounded in the Privacy Rule's long-established term “health care.” We provide a non-exhaustive list of examples in preamble above. We do not explicitly address all of the many types of health care suggested in comments to avoid creating the impression of a complete list. This is also consistent with our approach regarding the definition of “health care.” We emphasize that this definition does not set or affect standards of care, nor does it affect uses and disclosures of PHI for treatment purposes. Operational concerns expressed by some commenters are addressed in response to comments on the prohibition.
4. Whether the Department Should Define Any Additional Terms
The Department requested comments about whether it would be helpful for the Department to define “reproductive health” or any additional terms.
88 FR 23506, 23528 (Apr. 17, 2023).
Comment: Several commenters recommended that the Department define “reproductive health” because it would ensure that all covered entities would be required to implement changes, or that the PHI of individuals receiving certain types of health care would not be disclosed to states where individuals who receive such health care is being penalized.
Several commenters urged the Department to add the definition of reproductive health adopted by the United Nations and World Health Organization, while others recommended the adoption of the definition articulated by the International Conference on Population and Development in 1994. One commenter expressed opposition to adding a definition of reproductive health as unnecessary, and another instead recommended adoption of a precise definition of “reproductive health care.”
Another commenter recommended expanding the definition of PHI to include certain digital data of entities not regulated under HIPAA ( e.g., information from period tracking apps). One commenter recommended revising the definition of “health oversight agency” to exclude agencies that investigate or prosecute activities related to reproductive health care. Some commenters requested that the Department define additional terms or clarify existing terms.
Rather than define additional terms, one commenter recommended that the Department ensure that all the proposed definitions would be aligned with the Office of the National Coordinator for Health Information Technology (ONC) and CMS-mandated data elements for Certified Electronic Health Record Technology products and in the electronic clinical quality measures that health care providers are required to report to CMS.
Response: We appreciate the feedback from commenters, but upon further consideration, have concluded that defining any of the additional terms or clarifying additional existing ones is not necessary to support the implementation of this final rule. We also clarify that because HIPAA only authorizes the Department to protect IIHI used or disclosed by covered entities and their business associates, we are not able to regulate information that individuals themselves store and share using consumer health apps.
B. Section 164.502—Uses and Disclosures of Protected Health Information: General Rules
Section 164.502 of the Privacy Rule contains the general rules governing uses and disclosures of PHI. Paragraph (a)(1) of this section sets forth the list of permitted uses and disclosures.
1. Clarifying When PHI May Be Used or Disclosed by Regulated Entities
Section 164.502(a)(1)(iv) generally permits a regulated entity to use or disclose PHI pursuant to and in compliance with a valid authorization under 45 CFR 164.508, except for uses and disclosures of genetic information by a health plan for underwriting purposes prohibited under 45 CFR 164.502(a)(5)(i). Thus, an authorization that purports to allow a health plan to use or disclose PHI for that prohibited purpose is not valid under the Privacy Rule.
The Department proposed to modify 45 CFR 164.502(a)(1)(iv) to incorporate an additional limitation on the ability of a regulated entity to use and disclose PHI pursuant to an individual's authorization. Specifically, the Department's proposal would prohibit a regulated entity from using or disclosing PHI pursuant to an individual's authorization where the purpose of the disclosure is for a criminal, civil, or administrative investigation or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify any person for the purpose of initiating such activities. As explained in the 2023 Privacy Rule NPRM, the proposed modification was intended to prevent the misuse of the general permission for a regulated entity to use or disclose PHI pursuant to an individual's authorization to bypass the proposed prohibition against using and disclosing PHI for purposes that would be prohibited by proposed 45 CFR 164.502(a)(5)(iii).
88 FR 23506, 23528-29 (Apr. 17, 2023).
The Department explained in the proposed rule that this change to the authorization permission was necessary to protect individuals' privacy by precluding any possibility that a third party, such as a law enforcement official, could coerce or attempt to coerce an individual into signing an authorization, thereby enabling the third party to circumvent the prohibition proposed at 45 CFR 164.502(a)(5)(iii).
The Department also proposed to modify the general rules in 45 CFR 164.502(a)(1)(vi) to expressly condition certain uses and disclosures made under 45 CFR 164.512 on the receipt of an attestation pursuant to proposed 45 CFR 164.509, which is discussed below in greater detail. For clarity, the Department proposed to revise 45 CFR 164.502(a)(1)(vi) by replacing the sentence containing the conditions for certain permitted uses and disclosures with a lettered list.
Public comments about the use of authorization to use and disclose PHI for the purposes the Department proposed to prohibit in the 2023 Privacy Rule NPRM were generally divided between opposing views and supportive views, although only a few comments expressed full support for the proposal, as drafted. While many commenters shared the Department's concerns about the potential for individuals to be coerced into providing an authorization, some of these commenters nonetheless opposed the proposal because it could limit beneficial disclosures, cause uncertainty about the validity of an authorization, increase the burden on regulated entities, or seem to conflict with state laws that permit the disclosure of certain health information with the individual's explicit written consent.
The Department received no comments on its proposal to replace the sentence at 45 CFR 164.502(a)(1)(vi) with a lettered list. Comments on the Department's proposal to condition certain disclosures made under 45 CFR 164.512 on the receipt of an attestation as required by proposed 45 CFR 164.509 are discussed below in greater detail.
The Department is not finalizing its proposal to prohibit a regulated entity from using or disclosing an individual's PHI for the specified purposes pursuant to and in compliance with an individual's authorization. We agree with the majority of public comments discussed in detail below that generally expressed the view that the Privacy Rule's authorization requirements empower individuals to make decisions about who has access to their PHI. We acknowledge that maintaining the permission for regulated entities to obtain an individual's authorization to use and disclose PHI could leave an individual exposed to the potential for duress or coercion by a third party. It could also expose a health care provider or other person who provides or facilitates reproductive health care to liability in the event the authorization is used to affect a disclosure for a prohibited purpose in connection with lawful reproductive health care. However, we believe that continuing to permit uses and disclosures pursuant to an individual's authorization best preserves individual autonomy concerning uses and disclosures of their PHI. Consistent with our practice described above, the Department will monitor closely the interaction of the revised Privacy Rule and the evolving legal landscape to ensure an appropriate balance of protecting the privacy interests of individuals and permitting access to PHI for non-health care purposes.
As we discussed in the proposed rule, there is a relationship between the provision allowing an individual to authorize a regulated entity to use or disclose the individual's PHI to a third party and the HITECH Act requirement that a regulated entity comply with an individual's direction to transmit to another person an electronic copy of the individual's PHI in an EHR (“individual access right to direct”). Both enhance an individual's autonomy by providing them with the ability to determine who can access the individual's PHI as specified in the authorization or access request. Both also create an opportunity for coercion or attempted coercion of an individual by another person ( e.g., a law enforcement official could attempt to coerce an individual into providing the law enforcement official with access to the individual's PHI by offering the individual a reduced sentence for an alleged crime). And while we remain concerned about the potential for coercion or attempted coercion, even if the Department were to finalize the proposed limitation on uses and disclosures with an authorization, the individual would retain the individual access right to direct, which is enshrined in statute. We also believe it would be inconsistent with the spirit of individual access right to direct for the Department to limit the ability of an individual to authorize a regulated entity to disclose their PHI to another person.
For the foregoing reasons, we are not finalizing this proposal, and the language in 45 CFR 164.502(a)(1)(iv) remains unchanged.
Comment: While some commenters expressed concern about the potential for coercion described in the proposed rule, they did not all agree that it would be appropriate to address this concern by prohibiting such disclosures pursuant to an authorization. Some commenters asserted that coercion concerns would not be eliminated by curtailing the ability of individuals to authorize disclosures of their PHI in certain circumstances.
Some commenters explained that prohibiting individuals from requesting disclosures of their PHI pursuant to an authorization for prohibited purposes would create a significant burden for regulated entities, primarily because of the frequent failure of persons requesting the use or disclosure of PHI to provide sufficient detail regarding the purpose of the request to allow them to determine if it would be for a prohibited purpose.
A few commenters asserted that a HIPAA authorization is the safest approach to ensuring an individual is aware of and agrees to the use or disclosure of their PHI. One of those commenters recommended that the Department permit a regulated entity to disclose PHI pursuant to a valid authorization unless the covered entity has actual knowledge that an authorization was not voluntary. A commenter recommended adding a disclaimer or warning to the authorization to provide assurances that an individual was not coerced into disclosing their PHI to law enforcement or other third party that might seek to use the PHI for improper purposes. Still another commenter recommended that the Department require the authorization to indicate the types of sensitive information the individual intends to share. One commenter recommended that certain disclosures be accompanied by a notice of the individual's rights under the Privacy Rule.
Response: We appreciate comments concerning this proposal and the restriction of individuals' ability to maintain control over their PHI by prohibiting the use of written authorization. The Privacy Rule's written authorization requirements are the most objective means by which an individual can provide direction to a regulated entity about the use and disclosure of their PHI known to a regulated entity. The right of individuals to access their PHI and choose to disclose their PHI to another person is a cornerstone of HIPAA, and as such, we are not proceeding with this proposal. The Department will continue to monitor complaints we receive and the outcome of enforcement actions to identify potential coercion and the effect of permitting individuals to authorize the disclosure of PHI for purposes that are prohibited under 45 CFR 164.502(a)(5)(iii) on the relationship between health care providers and individuals.
We also appreciate the comments that asserted that restricting the ability of regulated entities to use an authorization to obtain PHI for the purposes prohibited in this rulemaking could create a burden for the regulated entities.
To the extent that individuals wish to authorize the use and disclosure of their PHI, particularly when a request is not clear, or when a request seeks only partial parts of a record, a written authorization provides the regulated entity with the opportunity to clarify, with both the individual and the person requesting the disclosure, the PHI that will be disclosed. State laws that require regulated entities to obtain an individual's written consent are generally considered more privacy protective, and thus are not preempted.
Comment: Several commenters expressed support for eliminating the ability of regulated entities to use or disclose PHI pursuant to an authorization in certain circumstances because of the potential for harm to individuals as proposed. One commenter described the potential negative effects of permitting uses and disclosures pursuant to an authorization in certain circumstances on individuals from historically marginalized communities. Another commenter asserted that individuals frequently do not read consent forms provided to them for signature for a variety of reasons, including proficiency. Some commenters expressed concerns that individuals who are the subject of a criminal investigation or prosecution would be placed in situations where it would not be possible to obtain a voluntary authorization ( e.g., a custodial situation), or that law enforcement could seek to persuade an individual to provide them with access to the individual's PHI through improper means.
Response: We continue to share the concern expressed by commenters about the potential for coercion or harassment of individuals, particularly those in marginalized or underserved communities, to provide authorization for the use or disclosure of their PHI. According to many reports and data cited by the Department and commenters, such individuals more often experience negative interactions with law enforcement or other prosecutorial authorities. We urge HIPAA regulated entities to be mindful of Privacy Rule requirements that could help mitigate the potential for harm resulting from coercion or difficulties individuals may experience in understanding an authorization. For example, 45 CFR 164.508(b)(2)(v) holds invalid authorizations that include “material information [. . .] known by the covered entity to be false”; 45 CFR 164.508(c)(1)(iv) requires that every authorization include a description of each purpose of the requested use or disclosure; and 45 CFR 164.508(c)(3), requires the authorization be written in plain language. The Department will continue to monitor complaints, questions, and enforcement outcomes for potential harm from disclosures resulting from authorizations.
In the preamble to the 2000 Privacy Rule, we explained that a covered entity could meet HIPAA plain language requirements by organizing material to serve the reader; writing short sentences in the active voice; using pronouns; using common, everyday language; and dividing material into short sections. 65 FR 82462, 82548 (Dec. 28, 2000).
Comment: A few commenters requested clarifications of how the proposal would affect other disclosures made pursuant to the Privacy Rule, including disclosures to the individual's attorney, and whether the Department intended it to apply to other consumer-initiated requests, such as part of an Application Programming Interface (API).
A commenter recommended that health care providers be permitted to refuse to release PHI to any consumer health app when the information could lead to civil or criminal repercussions for the health care provider unless the app developer signs a binding agreement that protects them.
Response: We are not finalizing the proposal, but state here that the Department did not intend to affect or disrupt the ability of covered entities to make other disclosures of PHI pursuant to a written authorization under the Privacy Rule. Additionally, as discussed above, individuals have the right to obtain a copy of their PHI and the individual access right to direct, which could involve releasing PHI to a consumer health app or an API. With respect to EHR and technology vendors and other third parties who facilitate the exchange of PHI on behalf of covered entities, we continue to stress that valid business associate agreements are required by the Privacy Rule and necessary to protect the privacy of the individuals who are the subject of the PHI. ONC also has made clear that it intends to advance technologies that support requirements already extant under the HIPAA Privacy Rule. Additionally, the Department continues to urge covered entities that have direct contact with individuals to educate such individuals on the risks of disclosing their PHI to persons that are not regulated by HIPAA. We will continue to ensure that regulated entities enter into business associate agreements as required by the Privacy Rule. We will continue to monitor complaints, questions, and enforcement outcomes.
89 FR 1192, 1302 (Jan. 9, 2024). See also Off. for Civil Rights, “Information Blocking Regulations Work In Concert with HIPAA Rules and Other Privacy Laws to Support Health Information Privacy,” U.S. Dep't of Health and Human Servs. (Apr. 12, 2023), https://www.healthit.gov/buzz-blog/information-blocking/information-blocking-regulations-work-in-concert-with-hipaa-rules-and-other-privacy-laws-to-support-health-information-privacy.
See, e.g., Off. for Civil Rights, “Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth,” U.S. Dep't of Health and Human Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/resource-health-care-providers-educating-patients/index.html.
See45 CFR 164.502(a)(3) and (e). See also45 CFR 164.504(e).
Comment: Many commenters addressed the relationship between the Department's proposal to eliminate the option for an individual to request disclosure of their information for the prohibited purposes pursuant to an authorization and the individual right of access, particularly, the right of an individual to direct a regulated entity to transmit to a third party an electronic copy of their PHI in an EHR. Several commenters recommended that the Department curtail the individual access right to direct. Some commenters expressed concern about the potential for individuals to be coerced into providing access to their PHI to third parties. A few commenters expressed concerns that some third parties sell PHI for purposes adverse to individuals' interests, including some of the purposes described in the 2023 Privacy Rule NPRM.
A few commenters provided recommendations for ways to educate individuals regarding their rights under the Privacy Rule.
Response: Although we appreciate the comments on this topic, any modifications to the individual access right to direct are beyond the scope of this rulemaking. We reiterate here that covered entities and their technology vendors that meet the definition of business associates must ensure that valid business associate agreements are in place, and we urge them to facilitate individuals' awareness of the risks of using third-party consumer apps that are not regulated by HIPAA. The Department continues to appreciate the identification of better education resources for individuals and health care providers and commits to providing educational resources through its website, regional offices, and webinars.
For information about what a business associate is and the requirements for business associate agreements, see Off. for Civil Rights, “Business Associate Contracts,” U.S. Dep't of Health and Human Servs. (Jan. 25, 2013), https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
Off. for Civil Rights, “Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet,” U.S. Dep't of Health and Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
2. Adding a New Category of Prohibited Uses and Disclosures
Generally, the Privacy Rule prohibits the use or disclosure of PHI except as permitted or required by the Privacy Rule. Paragraph (a)(5) of section 164.502 contains specific purposes for which the Privacy Rule explicitly prohibits the use and disclosure of PHI. Section 164.502(a)(5)(i) prohibits most health plans from using or disclosing PHI that is genetic information for underwriting purposes, while 45 CFR 164.502(a)(5)(ii) prohibits a regulated entity from selling PHI, except when they have obtained a valid authorization from the individual who is the subject of the PHI.
The Department proposed to add a new paragraph, 45 CFR 164.502(a)(5)(iii), to prohibit regulated entities from using or disclosing an individual's PHI for certain additional purposes, and to describe the scope, applicability, and limitations of the prohibition. Similar to most other prohibitions within the Privacy Rule, this prohibition would be purpose-based, rather than a blanket prohibition against uses and disclosures of certain types of PHI. The Department's rationale for this approach was four-fold: (1) to be consistent with the existing Privacy Rule permissible use and disclosure structure with which regulated entities are familiar, including the permission to disclose to law enforcement for certain purposes; (2) to avoid imposing a requirement on regulated entities that would necessitate the adoption and implementation of costly technology upgrades to enable data segmentation; (3) to recognize that PHI about an individual's reproductive health care may be used or disclosed for a wide variety of purposes, and permitting the use or disclosure of PHI for some of those purposes would erode individuals' ability to trust in the health care system; and (4) to avoid any misperception that the Department is setting a standard of care or substituting its judgment for that of individuals and licensed health care professionals.
88 FR 23506, 23529-33 (Apr. 17, 2023).
The Department does not oppose efforts to implement or employ technology that is capable of segmenting data. Rather, the Department's proposal was informed by the recognition that the technology deployed by most regulated entities today is not capable of doing so.
Proposed 45 CFR 164.502(a)(5)(iii)(A) would establish a new prohibition against the use or disclosure of PHI. Section (a)(5)(iii)(A)( 1) would prohibit the use or disclosure of PHI where the use or disclosure is for a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care. Section 164.502(a)(5)(iii)(A)( 2) would prohibit the use or disclosure of PHI to identify any person for the purpose of initiating a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care.
The Department proposed 45 CFR 164.502(a)(5)(iii)(B) to explain that “seeking, obtaining, providing, or facilitating” would include, but not be limited to, expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same. As the Department explained in the 2023 Privacy Rule NPRM, the proposed prohibition would apply to any request for PHI to facilitate a criminal, civil, or administrative investigation or proceeding against any person, or to identify any person to initiate an investigation or proceeding, where the basis for the investigation, proceeding, or identification is that the person sought, obtained, provided, or facilitated reproductive health care that is lawful under the circumstances in which such health care is provided. The Department further explained that, consistent with its HIPAA authority, the prohibition would preempt state or other laws requiring a regulated entity to use or disclose PHI in response to a court order or other type of legal process for a purpose prohibited under the proposed rule. Conversely, the prohibition would not preempt laws that require the use or disclosure of PHI for other purposes, such as: public health activities; investigations of sexual assault committed against an individual where such use or disclosure is conditioned upon the receipt of an attestation; or investigations into human and sex trafficking, child abuse, or professional misconduct or licensing inquiries.
See supra discussion of “Public health” for more information on what constitutes a “public health activity” under the Privacy Rule.
88 FR 23506, 23532 (Apr. 17, 2023).
The Department also proposed to subject this prohibition to a Rule of Applicability in 45 CFR 164.502(a)(5)(iii)(C). As the Department explained, the proposed prohibition in 45 CFR 164.502(a)(5)(iii) would prohibit a regulated entity from using or disclosing PHI for certain purposes against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is “lawful under the circumstances in which such health care is provided.” The Department further explained that it proposed a framework for regulated entities to determine whether the reproductive health care at issue was lawful under the circumstances in which such health care was provided. The proposed language of the Rule of Applicability under this rule would apply where one or more of three specified conditions exist.
Id. at 23510, 23522, and 23531.
The first condition, as proposed in 45 CFR 164.502(a)(5)(iii)(C)( 1), addressed reproductive health care provided outside of the state that authorized the investigation or proceeding where such health care is lawful in the state where it is provided. In the proposed rule, we also clarified that the proposal would apply the prohibition in a situation in which the health care is ongoing, has been completed, or has not yet been obtained, provided, or facilitated. The proposed prohibition would recognize that any interest of society in conducting an investigation or proceeding against a person would require balancing with, and generally be outweighed by, the interests of society in protecting the privacy interests of individuals when they access lawful health care. As discussed above, privacy interests are heightened with respect to reproductive health care that is lawful under the circumstances in which it is provided as compared to the interests of law enforcement, and private parties afforded legal rights of action, in investigating or imposing liability for actions related to lawful reproductive health care.
The second condition, proposed in 45 CFR 164.502(a)(5)(iii)(C)( 2 ), addressed reproductive health care protected, required, or authorized by Federal law, regardless of the state in which such health care is provided. It would apply the prohibition to reproductive health care that is lawful under the applicable Federal law and where the investigation or proceeding is against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care. It would apply, for example, where the underlying reproductive health care continues to be protected by the Constitution, such as contraception, or is expressly required or authorized under Federal law.
See Griswold v. Connecticut, 381 U.S. 479 (1965); Eisenstadt v. Baird, 405 U.S. 438 (1972); Dobbs, 597 U.S. 345 (Kavanaugh, J., concurring) ( Dobbs “does not threaten or cast doubt on” the precedents providing constitutional protection for contraception).
The third condition, proposed in 45 CFR 164.502(a)(5)(iii)(C)( 3), would apply the prohibition when the relevant criminal, civil, or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care that is provided in a state consistent with and permitted by the law of that same state.
The Department also proposed a Rule of Construction in 45 CFR 164.502(a)(5)(iii)(D) that provided that the proposed prohibition should not be construed to prohibit a use or disclosure of PHI otherwise permitted by the Privacy Rule unless such use or disclosure is primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. The Department proposed the Rule of Construction to avoid an erroneous interpretation of the prohibition standard, which otherwise could have been construed to prevent regulated entities from using or disclosing PHI for the purpose of defending themselves or others against allegations that they sought, obtained, provided, or facilitated reproductive health care that was not lawful under the circumstances in which it was provided.
See proposed 45 CFR 164.502(a)(5)(iii)(D). See also88 FR 23506, 23552-53 (Apr. 17, 2023).
Most of the comments addressing the proposed prohibition expressed support for the Department's purpose-based approach and the principle that the Privacy Rule should prohibit the use and disclosure of PHI for a criminal, civil, or administrative investigation into or proceeding against any person, or to identify any person to initiate a criminal, civil, or administrative investigation into or proceeding against any person, in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care. At the same time, the Department received many comments that expressed concern about the proposal's clarity and regulated entities' ability to operationalize the Rule of Applicability and Rule of Construction. For example, commenters asserted that to the extent the proposed rule would require regulated entities to determine whether the requested PHI was about reproductive health care that was lawful under the circumstances in which it was provided, making such a determination could be unduly burdensome when the request was about reproductive health care that was not provided by the regulated entity that received the request and could expose them to legal risk in the absence of additional guidance or a safe harbor. Other commenters expressed concern that applying the prohibition would undermine the ability of states to enforce their own health care laws.
Commenters who addressed the proposed Rule of Construction also expressed confusion about how the Department intended “primarily” or “primarily for the purpose of” to be interpreted. Many either requested examples of uses and disclosures that were “primarily” for the underlying prohibited purposes. In lieu of the proposal to avoid liability based on “the mere act of” seeking, obtaining, providing, or facilitating reproductive health care, a few commenters suggested expanding the proposed definition or modifying existing permissions to explicitly exclude conduct based solely on seeking, obtaining, providing, or facilitating certain types of health care.
The Department is finalizing the proposed prohibition that restricts the ability of regulated entities to use or disclose PHI for activities with the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it was provided, or to identify any person for such purposes, with modifications to improve clarity and ease implementation for regulated entities.
The Department is retaining its purpose-based approach in the final rule in light of concerns about the ability of regulated entities to segment certain types of data and in recognition that PHI about an individual's reproductive health may be reflected throughout an individual's longitudinal health record, in addition to being maintained by a wide variety of regulated entities.
As we discussed in the 2023 Privacy Rule NPRM, the Department recognizes that diseases and conditions that are not directly related to an individual's reproductive health may be affected by or have bearing on the individual's reproductive health and the reproductive health care they are eligible to receive, and vice versa. Thus, it may be necessary for all types of health care providers to maintain complete and accurate medical records to ensure that subsequent health care providers are adequately informed in making diagnoses or recommending courses of treatment. For example, an individual with a chronic cardiac or endocrine condition may become pregnant, placing additional strain on the individual's cardiovascular or endocrine system. In such cases, it is essential that their cardiologist or endocrinologist be informed of the pregnancy and consulted as necessary to ensure appropriate health care is provided to the individual because such conditions may have bearing on their pregnancy.
Additionally, the final rule revises the prohibition standard at 45 CFR 164.502(a)(5)(iii) by incorporating language from the proposed Rule of Construction to clarify the purposes for which the Department prohibits uses or disclosures of PHI. In 45 CFR 164.502(a)(5)(iii)(A)( 1) and ( 2 ), the Department incorporates the “mere act of” language of the proposed Rule of Construction to clarify that the prohibited uses and disclosures of PHI are tied to imposing criminal, civil, or administrative liability for the “mere act of” seeking, obtaining, providing, or facilitating reproductive care and not just “in connection to” such acts. Section 164.502(a)(5)(iii)(A)( 1) combines the criminal, civil, or administrative investigations language from the proposed prohibition standard with the proposed Rule of Construction to prohibit regulated entities from using or disclosing PHI for activities conducted for the purpose of a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. Section 164.502(a)(5)(iii)(A)( 2) separates and replaces the “or proceeding against” language from the first condition of the proposed prohibition standard with “to impose criminal, civil, or administrative liability on” and incorporates language from the proposed Rule of Construction to prohibit regulated entities from using or disclosing PHI for activities conducted for the purpose of imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. Similar to proposed 45 CFR 164.502(a)(5)(iii)(A)( 2), 45 CFR 164.502(a)(5)(iii)(A)( 3) now addresses the use or disclosure of PHI to identify any person for the activities described in the other conditions of the prohibition standard. To the extent the purpose in 45 CFR 164.502(a)(5)(iii)(A)( 1) relates to activities conducted for an investigation, the purpose in 45 CFR 164.502(a)(5)(iii)(A)( 2) relates to the activities to impose liability, including activities that would flow from that investigation, whether it be in the form of proceedings to consider censure, medical license revocation, the imposition of fines or other penalties, or detainment or imprisonment, or the actual imposition of such liability.
Section 164.502(a)(5)(iii)(A)( 3) incorporates the same language by reference to 45 CFR 164.502(a)(5)(iii)(A)( 1) and (A)( 2).
The prohibition against the uses and disclosures of PHI finalized in 45 CFR 164.502(a)(5)(iii)(A) is subject to the Rule of Applicability that the Department is finalizing in 45 CFR 164.502(a)(5)(iii)(B). As discussed in the proposed rule and finalized herein, the Rule of Applicability modifies the prohibition standard to make clear that the prohibition encompasses the use or disclosure of PHI for any activities conducted for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that the regulated entity that has received the request for PHI has reasonably determined is lawful under the circumstances in which such health care is provided. The prohibition's reference to the “mere act” of seeking, obtaining, providing, or facilitating lawful reproductive health care includes the reasons that the reproductive health care was sought or provided ( e.g., an investigation into whether a particular abortion was necessary to save a pregnant person's life would constitute an investigation into the “mere act” of seeking, obtaining, providing, or facilitating reproductive health care). The reference to “mere act” operates the same way with respect to activities conducted to identify any individual for the purposes described above. This includes but is not limited to law enforcement investigations, third party investigations in furtherance of civil proceedings, state licensure proceedings, criminal prosecutions, and family law proceedings. Examples of criminal, civil, or administrative investigations or activities to impose liability for which regulated entities would be prohibited from using or disclosing PHI would also include a civil suit brought by a person exercising a private right of action provided for under state law against an individual or health care provider who obtained, provided, or facilitated a lawful abortion, or a law enforcement investigation into a health care provider for lawfully providing or facilitating the disposal of an embryo at the direction of the individual.
The Department acknowledges that this final rule will not prohibit the use or disclosure of PHI in all instances in which persons request the use or disclosure of PHI for an investigation or to impose liability on a person for seeking, obtaining, providing, or facilitating reproductive health care. As discussed extensively in Section III of this rule, the Privacy Rule has long balanced the privacy interests of individuals with that of society in obtaining PHI for certain non-health care purposes. Accordingly, we acknowledge that in some circumstances, an individual's privacy interest in obtaining lawful care will outweigh law enforcement's interests in the PHI for certain non-health care purposes, while in others, law enforcement's interests in the PHI will outweigh the privacy interests of individuals. As we discussed above in Section III and in the proposed rule, recent developments in the legal landscape have made information about an individual's reproductive health more likely to be sought for punitive non-health care purposes, such as targeting individuals for seeking lawful reproductive health care outside of their home state, and therefore more likely to be subject to disclosure by regulated entities if the requested disclosure is permitted under the Privacy Rule. The Department's approach in this rulemaking limits the application of the prohibition to situations in which reproductive health care meets one of the conditions of the Rule of Applicability. Accordingly, the prohibition applies only where individuals' privacy interests outweigh the interests of law enforcement, and private parties afforded legal rights of action, in obtaining individuals' PHI for the non-health care purpose of investigating or imposing liability for reproductive health care that was not lawful under the circumstances in which it was provided.
We also acknowledge, as we did in the proposed rule, that in some circumstances, the Privacy Rule imposes greater restrictions on uses and disclosures of PHI than state privacy laws, and the prohibition may delay or hamper enforcement of certain other state laws ( e.g., laws governing access to reproductive health care). Such circumstances were contemplated by Congress when it enacted HIPAA. For example, a state law might require a covered entity to disclose PHI to law enforcement in furtherance of an investigation, while the final rule may prohibit such a disclosure. In such cases, the provisions of the Privacy Rule would preempt the application of contrary provisions of state law, and the regulated entity could not disclose the PHI. However, as discussed above in section III, we reiterate that not all methods to investigate the lawfulness of reproductive health care are foreclosed by this rule.
42 U.S.C. 1320d-7(a)(1) (providing the general rule that, with limited exceptions, a provision or requirement under HIPAA supersedes any contrary provision of state law); see also section 264(c)(2) of Public Law 104-191 (codified at 42 U.S.C. 1320d-2 note) and 45 CFR 160.203.
See final 45 CFR 164.509, and discussion below.
The Department emphasizes that the prohibition does not apply in circumstances that fall outside of its terms. Where a person requesting PHI identifies a legal basis for the request beyond the mere act of a person having sought, obtained, provided, or facilitated reproductive health care that was lawful under the circumstances in which it was provided, the prohibition at 45 CFR 164.502(a)(5)(iii) would not apply. Similarly, if a person obtains reproductive health care that was unlawful, such health care would not be lawful under the circumstances in which it was provided, and the prohibition would not apply. Where the prohibition does not apply, the Privacy Rule permits the requested PHI to be used or disclosed, provided that the use or disclosure is otherwise permitted by the Privacy Rule ( i.e., the request meets the requirements of an applicable permission and is accompanied by a valid attestation as described by 45 CFR 164.509, where required). The Department reminds the public that persons who request PHI under false pretenses may be subject to criminal penalties under HIPAA.
See42 U.S.C. 1320d-6.
The Rule of Applicability, as discussed below, vests the determination of whether the reproductive health care was lawful under the circumstances it was provided with the regulated entity that receives the request for PHI and requires that such determination be reasonable. The regulatory presumption, also discussed below, replaces the proposed requirement that a regulated entity make a determination regarding the lawfulness of the reproductive health care where someone other than the regulated entity that receives the request provided such health care. The new language requires that the reproductive health care at issue be presumed lawful under the circumstances in which such health care is provided when provided by a person other than the regulated entity receiving the request. This helps to ensure that the regulated entity is not required to make a determination about the lawfulness of such health care. The presumption may be overcome if certain conditions are met.
In the proposed rule, the Department provided examples that remain helpful in illustrating the operation of the clarified prohibition and how it continues to permit uses and disclosures for legitimate interests. For example, the prohibition does not restrict a regulated entity from using or disclosing PHI to a health oversight agency conducting health oversight activities, such as investigating whether reproductive health care was actually provided or appropriately billed in connection with a claim for such services, or investigating substandard medical care or patient abuse. However, as discussed above, investigating substandard medical care or patient abuse may not be used as a pretext for investigating reproductive health care for purposes that are otherwise prohibited by this final rule. In another example, the rule does not bar a regulated entity from using or disclosing PHI to investigate an alleged violation of the Federal False Claims Act or a state equivalent based on unusual prescribing or billing patterns for erectile dysfunction medication.
88 FR 23506, 23532-33 (Apr. 17, 2023).
See45 CFR 164.512(d)(1)(i) through (iv) for health oversight activities for which the Privacy Rule permits uses and disclosures of PHI. See also the National Association of Medicaid Fraud Control Units, described at https://www.naag.org/about-naag/namfcu/. All 53 federally certified Medicaid Fraud Control Units voluntarily subscribe to this organization. This final rule does not interfere with any State's ability to meet their statutory obligations to combat health care fraud related to Medicaid.
This final rule also does not prohibit the use or disclosure of PHI where the PHI is sought to investigate or impose liability on a person for submitting a false claim for reproductive health care for payment to the government. In such a case, the request is not made for the purpose of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. Instead, the purpose of the request for PHI is to investigate or impose liability on a person for an alleged violation of the Federal False Claims Act or a state equivalent. As another example, the revised prohibition standard generally does not prohibit the disclosure of PHI to an Inspector General where the PHI is sought to conduct an audit aimed at protecting the integrity of the Medicare or Medicaid Program where the audit is not inconsistent with this final rule. This is because the request is generally not being made for the purpose of investigating or imposing liability on a person for the mere act of providing the reproductive health care itself. The prohibition also makes clear that the use or disclosure of PHI is permitted where the purpose of the use or disclosure is to investigate alleged violations of Federal nondiscrimination laws or abusive conduct, such as sexual assault, that may occur in connection with reproductive health care. The prohibition likewise makes clear that the use or disclosure of PHI is permitted where the purpose of the use or disclosure is to penalize the provision of reproductive health care that is not lawful, as defined by the Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B), as long as a Privacy Rule permission applies.
Under the prohibition, a regulated entity could respond to a request for relevant records in a criminal or civil investigation pursuant to 18 U.S.C. 248 regarding freedom of access to clinic entrances. Investigations under this provision are conducted for the purpose of determining whether a person physically obstructed, intimidated, or interfered with persons providing “reproductive health services,” or attempted to do so. Thus, they do not involve investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that was reasonably determined to be lawful under the circumstances in which such health care was provided by the regulated entity that received the request for PHI.
18 U.S.C. 248(e)(5) (definition of “Reproductive health services”).
The final rule retains the proposal's prohibition against the use or disclosure of PHI for activities conducted for the purpose of investigating or imposing liability on “any person” for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, or for identifying “any person” for such activities. “Any person” means, based on the HIPAA Rules' definition of “person,” that the prohibition is not limited to use or disclosure of PHI for use against the individual; rather, the prohibition applies to the use or disclosure of PHI against a regulated entity, or any other person, including an individual or entity, who may have obtained, provided, or facilitated lawful reproductive health care.
45 CFR 160.103 (definition of “Person”).
Note that in Section V.A.1, the Department is clarifying the definition of “person,” although that clarification does not affect the analysis in this paragraph.
The Department has always and continues to recognize that there may be a public interest and benefit in disclosing PHI for limited non-health care purposes, including enforcing duly enacted laws. The Department has also always sought to balance competing interests in individual privacy and the use and disclosure of PHI for particular purposes in the Privacy Rule. We balance these competing interests by considering both the harm to individuals that results from the use or disclosure of PHI ( e.g., loss of trust in the health care system, potential for financial liability or detainment) and the countervailing interests in disclosure. As discussed above, the Department finds that the final rule reflects the appropriate balance between these interests by prohibiting the use and disclosure of PHI for activities conducted for the purpose of investigating or imposing liability on “any person” for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, or for identifying “any person” for such activities.
Accordingly, the final rule adopts, with modifications discussed below, the proposed Rule of Applicability and re-designates it as 45 CFR 164.502(a)(5)(iii)(B). The final rule text also adds the word “only” in 45 CFR 164.502(a)(5)(iii)(B) to make clear that the prohibition's application is limited to the use or disclosure of PHI “only” where one or more of the conditions set forth in the Rule of Applicability exists.
To address concerns from commenters about how to determine whether reproductive health care is “lawful,” the Department finalizes a revised Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B). Specifically, the Rule of Applicability, as finalized, requires that a regulated entity that receives a request for PHI make a reasonable determination about the lawfulness of the reproductive health care in the circumstances in which such health care was provided, where lawfulness is described by 45 CFR 164.502(a)(5)(iii)(B)( 1)-( 3). Thus, a regulated entity that receives the request for PHI must decide whether it would be reasonable for a similarly situated regulated entity to determine, as provided in the Rule of Applicability, that the reproductive health care is lawful under the circumstances in which such health care is provided.
To make the reasonableness determination, that is, to determine whether it would be reasonable for a similarly situated regulated entity to determine that one or more of the conditions of the Rule of Applicability applies, a regulated entity receiving the request for PHI must evaluate the facts and circumstances under which the reproductive health care was provided. Such facts and circumstances include but are not limited to the individual's diagnosis and prognosis, the time such health care was provided, the location where such health care was provided, and the particular health care provider who provided the health care. This approach is consistent with the current and longstanding practice under the Privacy Rule, whereby a covered entity is responsible for determining whether a requested use or disclosure is permitted under one or more of the permissions set forth in the Privacy Rule. For example, a regulated entity is permitted to make a use or disclosure of PHI where “required by law” pursuant to 45 CFR 164.512(a). To make a use or disclosure under that permission, the regulated entity cannot rely on assertions from the person making the request, but rather, must itself evaluate the relevant law to determine whether the use or disclosure is “required by law” and thus permitted under that permission. As discussed above, the Department recognizes that this approach may prevent uses or disclosures in support of some law enforcement investigations ( e.g., where a health care provider reasonably determines that its provision of reproductive health care was lawful, but where law enforcement reasonably disagrees or does not provide sufficient factual information for a regulated entity to determine that there is a substantial factual basis that the reproductive health care was not lawful under the circumstances in which such health care was provided). However, we believe that, in these narrow circumstances, the interests of law enforcement, and private parties afforded legal rights of action, are outweighed by privacy interests and that the current approach strikes the appropriate balance between these competing interests.
The Department is retaining the proposed framework for identifying the circumstances in which reproductive health care is lawful, and thus the prohibition applies. However, we are modifying the regulatory text of the Rule of Applicability to clarify its conditions. As revised, the regulatory text combines the first and third conditions of the Rule of Applicability into a revised 45 CFR 164.502(a)(5)(iii)(B)( 1) that focuses on whether the reproductive health care at issue is lawful under the circumstances in which such health care is provided. Under the revised condition, the circumstances in which the prohibition applies are determined by the law of the state in which the health care is provided.
As proposed in the 2023 Privacy Rule NPRM, the first and third conditions, when considered together, would have given the impression that the Department was drawing a distinction between reproductive health care provided in-state or out-of-state, although outcomes would have been the same. As the Department explained in the proposed rule, both the first and third conditions would have prohibited a regulated entity from using or disclosing PHI where the reproductive health care was permitted by the law of the state in which it was provided ( e.g., for pregnancy termination that occurs before a state-specific gestational limit or under a relevant exception in a state law restricting pregnancy termination such as when the pregnancy is the result of rape or incest or because the life of the pregnant individual is endangered, for reproductive health care that is generally permitted but must be provided by a specific type of health care professional or in a certain place of service). The outcome of the analysis remains the same under this final rule, which combines the first and third conditions of the Rule of Applicability into one condition. Thus, the revision improves the clarity of the Rule of Applicability by focusing solely on whether the reproductive health care was lawful under the circumstances in which it was provided.
Additionally, the final rule modifies the regulatory text in 45 CFR 164.502(a)(5)(iii)(B)( 2) to include an express reference to the U.S. Constitution as a source of Federal law for determining whether reproductive health care is lawful under the circumstances in which such health care is provided. The Department has always intended to include the U.S. Constitution as a source of Federal law, and the final regulatory text now explicitly reflects this. The regulatory text also makes clear that the U.S. Constitution is not the sole source of Federal law and that Federal statutes, regulations, and policies may be the relevant legal authority for determining whether the reproductive health care is protected, required, or authorized under Federal law. This final rule in no way supersedes applicable state law pertaining to the lawfulness of reproductive health care.
To address commenters' concerns about obligating regulated entities to determine whether reproductive health care that occurred outside of the regulated entity is lawful, the Department is adding a new presumption provision at 45 CFR 164.502(a)(5)(iii)(C). It presumes the reproductive health care at issue was lawful under the circumstances in which such health care was provided when it was provided by a person other than the regulated entity receiving the request. The presumption can be overcome where the regulated entity has either actual knowledge, or factual information supplied by the person requesting the use or disclosure, that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided. The first ground to overcome the presumption—concerning “actual knowledge”—accounts for situations where the regulated entity has actual knowledge that the reproductive health care was not lawful. The second ground to overcome the presumption—concerning “factual information”—accounts for situations where the person making the request has demonstrated to the regulated entity that there is a substantial factual basis that the reproductive health care was unlawful under the circumstances in which such health care was provided. To satisfy the second ground, the regulated entity must obtain from the person making the request sufficient threshold factual evidence that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the circumstances in which such health care was provided.
For example, an investigator requests information from a health plan about claims for coverage of certain reproductive health care provided by a particular health care provider. The health plan must presume that the reproductive health care was lawful unless the health plan has actual knowledge that the reproductive health care was not lawful or the investigator supplied information that demonstrates a substantial factual basis to believe that the reproductive health care was not lawful under these circumstances. The latter condition could be met where the investigator provides the regulated entity with various types of documentation. For example, persons requesting PHI could provide the regulated entity with affidavits supplied by complainants that contain the circumstances under which the reproductive health care was provided. In this example, the presumption would be overcome, and the health plan would be permitted to use or disclose the PHI, assuming that all applicable conditions of the Privacy Rule were otherwise met. In contrast, if the investigator requests the same information but only provides an anonymous report of a particular health care provider providing reproductive health care that is not lawful under the circumstances in which it is provided, the health plan would not have a substantial factual basis to believe that the reproductive health care was not lawful. Accordingly, this final rule would prohibit the health plan from disclosing the requested PHI unless the investigator provides sufficient information to overcome the presumption and the use or disclosure is otherwise permitted by the Privacy Rule. The conditions of making the use or disclosure would include, as described elsewhere in this final rule, obtaining a valid attestation if the relevant permission requires one.
The Department emphasizes that, as demonstrated by the numerous comments on this issue, this regulatory presumption is necessary for workability by the regulated entities subject to this final rule. We recognize that when a regulated entity did not provide the reproductive health care at issue, it may not have access to all of the relevant information, including medical records with the necessary information, to determine whether prior reproductive health care obtained by an individual was lawful. We clarify that regulated entities are not expected to conduct research or perform an analysis of an individual's PHI to determine whether prior reproductive health care was lawful under the circumstances in which it was provided when such health care was provided by someone other than the regulated entity that receives the request for the use or disclosure of PHI.
We also reiterate that this final rule is intended to support and clarify the privacy interests of individuals availing themselves of lawful reproductive health care, and not to thwart the interests of states in conducting lawful investigations or imposing liability on the provision of unlawful reproductive health care. While this new regulatory presumption may make it more difficult for a state to investigate whether reproductive health care was unlawful under the circumstances in which it was provided ( e.g., when other sources of information that is not PHI are unavailable), as discussed above, the Department has considered those interests and determined that the effects are justified by countervailing privacy benefits. Moreover, as also explained above, society's interest in obtaining PHI in such circumstances is reduced, particularly in light of its continued ability to obtain information from other sources. The Department also emphasizes that it is not applying a blanket presumption that all reproductive health care reflected in a regulated entity's records was lawful under the circumstances in which it was provided. Instead, the presumption applies only where the reproductive health care at issue is provided by someone other than the regulated entity that received the request for the use or disclosure of PHI, and it may be overcome in the circumstances identified above.
In contrast, where a request for PHI is made to the regulated entity that provided the relevant reproductive health care, the regulated entity is responsible for determining whether it provided reproductive health care that was lawful under the circumstances in which it was provided, including, as discussed above, a review of all available relevant evidence bearing on whether the reproductive health care was lawful under the circumstances in which it was provided. If the regulated entity reasonably determines that the health care was lawfully provided, the prohibition applies, and the regulated entity may not make the use or disclosure.
To illustrate how the presumption would apply, consider a hospital that has PHI about the provision of reproductive health care by a different facility. The hospital is not expected to conduct research or perform analysis into whether reproductive health care obtained at a different facility from another health care provider was lawful under the circumstances in which such health care was provided. Accordingly, the regulated entity, if they receive a request for PHI to which the prohibition at 45 CFR 164.502(a)(5)(iii) may apply, is not expected to review the individual's PHI to determine the lawfulness of the prior reproductive health care. In such situations, the regulated entity is also not expected to research other states' laws to determine whether the reproductive health care was lawful under the circumstances in which it was provided, nor are they expected to consult with an attorney to do the same. Rather, the presumption standard allows the regulated entity to limit their review to information supplied by the person making the request for the use or disclosure of PHI where the request addresses reproductive health care provided by someone other than the regulated entity receiving the request. Thus, a regulated entity that did not provide the reproductive health care must presume that the reproductive health care was lawful under the circumstances in which it was provided unless the conditions of rebutting the presumption are met.
Consider a different example in which a law enforcement official from State A issues a subpoena to a hospital in State A to request the PHI of an individual from State A who is suspected of obtaining reproductive health care in State B that would have been unlawful under the law of State A if provided there. The hospital did not provide the reproductive health care in question, nor did the individual provide information to the hospital about who may have provided such health care. At the time the law enforcement official issues the subpoena, the individual is no longer in the hospital, nor is the individual receiving treatment at the hospital. Additionally, the law enforcement official provided no information in the subpoena that would make it reasonable for the hospital to determine that the reproductive health care at issue was not lawful in the circumstances in which it was provided, that is, to determine that the reproductive health care was not lawful under the law of State B or was not protected, required, or authorized by Federal law. In this case, the hospital did not have actual knowledge that, nor did the information supplied to it by the law enforcement official making the request demonstrate to the hospital a substantial factual basis that, the individual had previously received unlawful reproductive health care; therefore, the reproductive health care is presumed to have been provided under circumstances in which it was lawful to provide such health care. Accordingly, this final rule would prohibit the hospital from disclosing the requested PHI unless the law enforcement official provides sufficient information to overcome the presumption and the use or disclosure is otherwise permitted by the Privacy Rule. This includes, as described elsewhere in this final rule, receipt of a valid attestation if the relevant permission requires one.
Conversely, if the hospital is provided with factual information that demonstrates a substantial factual basis that the reproductive health care at issue was not lawful under the specific circumstances in which such health care was provided, the presumption would be overcome. When a presumption is overcome or rebutted, the Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B) cannot be satisfied ( i.e., the regulated entity has actual knowledge, or has received factual information from the person requesting the PHI to determine that there is substantial factual basis to believe, that the reproductive health care was not lawful under the circumstances in which it was provided), and thus, the use or disclosure would not be prohibited under the final rule. As such, the Privacy Rule would permit, but would not require, the hospital to disclose the PHI in response to the subpoena where the use or disclosure meets the requirements of an applicable permission, including the receipt of a valid attestation where required.
In another example, a law enforcement agency presents a covered entity's business associate, such as a cloud service provider, with a subpoena for the PHI of an individual who received reproductive health care as part of its investigation into the health care provider who provided such health care for the provision of that health care. The PHI is encrypted, and the business associate does not have the key to decrypt it or is not permitted under the terms of its business associate agreement with the covered entity to decrypt the PHI. Thus, the business associate lacks a complete view of the individual's PHI and did not provide the underlying reproductive health care. Additionally, the business associate has no actual knowledge that the reproductive health care was unlawful, nor did the person requesting the PHI supply it with information that demonstrates to the business associate a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided. In such a case, the presumption that the reproductive health care at issue was lawful applies. If the law enforcement agency does not present more information to overcome the presumption, the Privacy Rule prohibits the business associate from disclosing the requested PHI in response to the subpoena, even if the law enforcement agency has provided an attestation; in this circumstance, the attestation would not be valid because the disclosure is for a purpose that is prohibited by 45 CFR 164.502(a)(5)(iii).
The presumption serves a different purpose than the attestation, which is required when there is a request for PHI potentially related to reproductive health care for certain permitted purposes under the Privacy Rule, as discussed further below. In contrast with the attestation, the presumption applies only where a request for PHI involves a purpose prohibited under 45 CFR 164.502(a)(5)(iii) and the reproductive health care at issue was provided by someone other than the regulated entity that received the request for PHI, so the regulated entity does not have first-hand knowledge of the circumstances in which the reproductive health care was provided. Because the situations in which the presumption applies involve purposes prohibited under 45 CFR 164.502(a)(5)(iii), it is not reasonable for a regulated entity to rely, without additional information, on a statement from the person requesting the use or disclosure, including the statement required in the attestation by 45 CFR 164.509(b)(1)(ii), that the request is not made for a prohibited purpose or that the underlying reproductive health care was unlawful. Thus, such statement alone does not satisfy 45 CFR 164.502(a)(5)(iii)(C)( 2). However, if a person requesting the use or disclosure of PHI provides the regulated entity with sufficient information, separate and distinct from the attestation itself, that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided, the presumption would be overcome; in this scenario, the Privacy Rule would permit, but would not require, the regulated entity to disclose the PHI in response to the subpoena. The presumption may also be overcome by, for example, a spontaneous statement from the individual about the circumstances under which they obtained reproductive health care.
As we explained above, this final rule, consistent with the Department's longstanding approach to the Privacy Rule, balances competing interests between the privacy expectations of individuals and society's interests in PHI for certain non-health care purposes. For example, since its inception, the Privacy Rule has permitted a covered entity to rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials that are permitted under 45 CFR 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s). Elsewhere in the Privacy Rule, covered entities are required to make a determination of whether it is “reasonable under the circumstances” to rely on documentation, statements, or representations from a person requesting PHI to verify the identity of the person requesting PHI and the authority of the person to access the PHI. In the case of public officials, we have previously explained that covered entities must verify the identity of the request by examination of reasonable evidence, such as written statement of identity on agency letterhead, an identification badge, or similar proof of official status. In addition, where explicit written evidence of legal process or other authority is required before disclosure may be made, a public official's proof of identity and oral statement that the request is authorized by law are not sufficient to constitute the required reasonable evidence of the legal process or authority. In both instances, the Privacy Rule permits regulated entities to rely on representations made by public officials where it is reasonable to do so but makes clear that in some instances, documentary or other evidentiary proof is needed.
See45 CFR 164.514(d)(3)(iii)(A) and 65 FR 82462, 82545, and 82547 (Dec. 28, 2000).
45 CFR 164.514(h)(2) and 65 FR 82462, 82546-47 (Dec. 28, 2000).
See45 CFR 164.514(h) and 65 FR 82462, 82546-47 (Dec. 28, 2000).
See65 FR 82462, 82545 (Dec. 28, 2000) (“[. . .] covered entities making disclosures to public officials that are permitted under § 164.512 may rely on the representations of a public official that the information requested is the minimum necessary.”); see also id. at 82547 (further discussing verification of identity and authority of persons requesting PHI in 45 CFR 164.514(h) and the requirements in 45 CFR 164.512 for the circumstances under which covered entities must make reasonable determinations about the sufficiency of proof of identify and authority based on documentary evidence, contrasted with a reasonable reliance on verbal representations when necessary to avert a pending emergency or imminent threat to the health or safety of a person or the public pursuant to 45 CFR 164.512(j)(1)(i)).
In this final rule, the Department has enshrined the requirement that a regulated entity make a reasonable determination of whether PHI should be disclosed in response to a request from law enforcement, or other official, in regulatory text and determined that is not reasonable to rely solely on representations of law enforcement or other officials without a written attestation. This approach is due to the high potential for harm to the individual who is the subject of the PHI or to persons who are subject to liability for the mere act of seeking, obtaining, providing or facilitating reproductive health care.
Further, as we discussed above, even in the scenario where a state official seeks PHI to investigate whether the underlying reproductive health care was unlawful, a regulated entity's reasonable determination that the conditions of the prohibition set forth in the Rule of Applicability are met means that the prohibition applies and the regulated entity is prohibited from using or disclosing the PHI. This does not foreclose the ability of state officials to investigate the circumstances surrounding the provision of the reproductive health care, including through the collection of information from sources that are not regulated under HIPAA, to determine whether a health care provider or other person may have acted unlawfully. Rather, this final rule prohibits the use or disclosure of PHI when it is being used to investigate or impose liability on a person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person to initiate such activities. Indeed, the individual's privacy interests are especially strong where individuals seek lawful reproductive health care and risk either avoiding such lawful health care or being less than truthful with their health care providers because they fear that their PHI will be disclosed.
The Department is re-designating proposed 45 CFR 164.502(a)(5)(iii)(B) as 45 CFR 164.502(a)(5)(iii)(D) and modifying it in response to the commenters who provided examples of situations where they could reasonably expect to receive a request for PHI that might relate to “seeking, obtaining, providing, or facilitating reproductive health care.” To address these concerns, the Department is revising the list of activities in 45 CFR 164.502(a)(5)(iii)(D) that explain the scope of actions taken by persons that the Department is protecting against impermissible requests for PHI. Specifically, the Department is adding the terms “administering,” “authorizing,” “providing coverage for,” “approving,” and “counseling about” to the current list of descriptive activities in the proposed rule and removing “inducing” from the list. We are removing “inducing” from the list in response to concerns from commenters that the prohibition might apply in circumstances where individuals are coerced to obtain reproductive health care. It was never the Department's intention for the prohibition on the use or disclosure of PHI to apply in such circumstances. Rather, we intended it to refer to situations in which a health care provider “induces” labor under circumstances in which such health care is lawful; however, we believe our intended meaning of “inducing” is encompassed in other terms in the list. The revised list better explains the type of activities in which a person may be engaged and about which the Department intends to prevent the use or disclosure of PHI.
The Department is not finalizing a separate Rule of Construction because the need is obviated by incorporating the key content into the prohibition itself at 45 CFR 164.502(a)(5)(iii). The Department proposed the Rule of Construction to clarify that 45 CFR 164.502(a)(5)(iii) should not be construed to prohibit a use or disclosure of PHI otherwise permitted by the Privacy Rule unless such use or disclosure is “primarily for the purpose of” investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. By incorporating the Rule of Construction into the main standard and removing the proposed “primarily for the purpose of” language, the Department now more clearly conveys its intent to prohibit the use and disclosure of PHI for the specified purposes only when it relates to the “mere act of” seeking, obtaining, providing, or facilitating reproductive health care. As discussed in greater detail below in our responses to comments, this change is designed to reduce confusion for regulated entities about how to reconcile and apply the Rule of Construction with the main prohibition standard and does not change the scope of the prohibition as proposed. The revisions and restructuring of regulatory text formerly included in the Rule of Construction improve readability and reduce redundancy. Likewise, the final rule incorporates other minor wording changes to improve readability and updates regulatory text references to other paragraphs to accurately reflect the organization of this section.
Comment: Many commenters expressed support for the Department's proposal to create a new category of prohibited uses and disclosures about reproductive health care. A few of these commenters explained the rationale for their support as based on the proposed approach's balance of preventing harm to individuals from certain uses and disclosures and permitting beneficial uses and disclosures, while providing regulated entities with clarity with respect to when uses and disclosures of PHI would be permitted.
A few commenters agreed with the Department's view that a purpose-based prohibition is preferable to other approaches to protecting the privacy of individuals that would require labeling or segmenting of PHI. Other commenters focused on how the proposal would better facilitate HIPAA's goals of providing high-quality health care and encouraging the flow of information to covered entities.
Response: The approach we are taking in this final rule preserves the ability of regulated entities to use and disclose PHI for permitted purposes while also enhancing protections for PHI, to strike the appropriate balance between privacy interests and other societal interests, including law enforcement. As discussed above, the Department's approach will lead to numerous benefits associated with enhanced privacy protections.
Comment: A few commenters asserted that the Department's proposal would provide a consistent standard for all states to follow.
Response: The Department believes this final rule will provide clear standards for regulated entities, especially health care providers, by incorporating the prohibition into the Privacy Rule. However, we stress that the prohibition attaches to only requests for uses and disclosures that are for a prohibited purpose where the reproductive health care is lawful under the circumstances in which such health care is provided. Different states and localities have promulgated different standards for the lawfulness of reproductive health care.
Comment: A few commenters expressed their appreciation that the proposal encompassed a broad range of reproductive health care and explained the importance of ensuring that a final rule protects any health information about reproductive health care.
Response: As the Department acknowledged in the 2023 Privacy Rule NPRM, many routine medical examinations and treatments could involve PHI about an individual's reproductive health or reproductive organs and systems. This final rule is not limited to PHI about abortion. The Department recognized the impracticability of attempting to parse out the types of reproductive health care that should be subject to the prohibition and those that should not be. For this reason, and in keeping with the existing scheme of the Privacy Rule, the Department proposed and is finalizing a purpose-based approach to prohibiting the use and disclosure of any PHI for use against any person for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided. A regulated entity that receives a request for PHI is charged with making a reasonable determination of whether the conditions of lawfulness set forth in the Rule of Applicability apply. To further assist regulated entities in understanding the broad scope of “reproductive health care,” we provide in the preamble a non-exclusive list of examples that fit within the definition.
Comment: Some commenters expressed opposition to this proposal, asserting that the proposed new category would interfere with the enforcement of state laws that restrict or regulate abortion or that the proposal would make it more difficult for regulated entities to determine whether a requested use or disclosure of PHI is permitted under the Privacy Rule because it lacked sufficient specificity.
Response: The Department is finalizing a narrowly tailored prohibition that will only apply when an individual's privacy interest in lawfully obtained reproductive health care outweighs society's interest in obtaining PHI for non-health care purposes. As discussed above, the Department has adopted an approach that strikes the appropriate balance between privacy interests and other interests, including law enforcement interests in accessing PHI to investigate or impose liability on persons for seeking, obtaining, providing, or facilitating reproductive health care that is unlawful under the circumstances in which such health care is provided. To help regulated entities operationalize the prohibition, the Department is finalizing an attestation requirement in 45 CFR 164.509 in which persons requesting PHI under a permission that is mostly likely to be used to request PHI for a purpose prohibited by 45 CFR 164.502(a)(5)(iii) must attest that the request is not subject to the prohibition. The Department acknowledges that requests for a purpose prohibited by 45 CFR 164.502(a)(5)(iii) may be made pursuant to another applicable permission and reminds regulated entities that they must evaluate all requests made by a third party for the use or disclosure of PHI to ensure that they are not for a prohibited purpose. Requests not subject to the prohibition would still be subject to the conditions of the relevant permissions in the Privacy Rule. When requests for PHI meet the conditions for permissions in the Privacy Rule, including conditions specified in 45 CFR 164.512, regulated entities are permitted to use and disclose PHI in accordance with such permissions.
Moreover, as we describe above, the Department is modifying the final rule to clarify that the prohibition restricts the use and disclosure of PHI for the enumerated purposes when connected to the “mere act of” seeking, obtaining, providing, or facilitating reproductive health care. Thus, the prohibition does not prevent the use or disclosure of the PHI about reproductive health care obtained by an individual in all circumstances. Rather, it prevents the use or disclosure of PHI when the purpose of the disclosure is to investigate or impose liability on a person because they sought, obtained, provided, or facilitated reproductive health care that was lawful under the circumstances in which such health care was provided, as determined by the regulated entity that received the request for PHI. For example, a regulated entity would not be prohibited from disclosing an individual's PHI when subpoenaed by law enforcement for the purpose of investigating allegations of sexual assault by or of the individual, assuming that law enforcement provided a valid attestation and met the other conditions of the permission under which the request was made.
Comment: A commenter expressed opposition to the proposal and asserted that it relied on the assumption that it would be readily apparent or ascertainable whether particular reproductive health care was lawfully provided. According to this commenter, persons who violate the law have an interest in concealing their activity, and the proposal would impede law enforcement investigations to determine whether lawbreaking has occurred. Additionally, the commenter expressed their concern that the proposal would represent a departure from the Privacy Rule's existing approach to law enforcement investigations and proceedings.
Response: The Department is finalizing a regulatory presumption to address the narrow circumstance of when lawfulness is not readily apparent to a regulated entity who is the recipient of a request for the use or disclosure PHI when the regulated entity did not provide the underlying reproductive health care. As we explained above, this final rule is intended to support and clarify the privacy interests of individuals availing themselves of lawful reproductive health care, and not to thwart the interests of states and the Federal government in conducting lawful investigations or imposing liability on the provision of unlawful reproductive health care. While this new regulatory presumption may make it more difficult for law enforcement officials to investigate whether reproductive health care was unlawful under the circumstances in which it was provided ( e.g., when other sources of information that is not PHI are unavailable), the Department has considered those interests and determined that the effects are justified by countervailing privacy benefits. We also reiterate here that the presumption is not a blanket presumption. It only applies where the reproductive health care at issue is provided by someone other than the regulated entity that received the request for the use or disclosure of PHI, and it may be overcome in the circumstances identified above.
We note that the Privacy Rule has always and continues to permit regulated entities to disclose PHI for law enforcement purposes, subject to certain conditions or limitations. In this final rule, the Department has found that changes in the legal landscape now necessitate codifying a prohibition against uses and disclosures for the purposes specified in 45 CFR 164.502(a)(5)(iii)(A), subject to the Rule of Applicability in 45 CFR 164.502(a)(5)(iii)(B). The Department is not otherwise changing the existing permissions in the Privacy Rule that permit regulated entities to use or disclose PHI for law enforcement purposes and other important non-health care purposes, except as discussed elsewhere in this rule. These purposes include when PHI is required by law to be disclosed for purposes other than those prohibited by this final rule, for public health and health oversight activities, for other law enforcement purposes not in conflict with this rulemaking, for reports of child abuse, about decedents when not prohibited by this final rule, and other purposes specified in the Privacy Rule.
In particular, in the 2023 Privacy Rule NPRM, the Department discussed the interaction of this rule with HIPAA's statutory preemption provisions and explained that it was necessary to preempt state laws that require the use and disclosure of PHI for the purposes prohibited by this rule to give effect to the prohibition consistent with HIPAA. As discussed above, to achieve the purpose for which HIPAA was enacted, to enable the electronic exchange of identifiable health information, we must protect the privacy of that information to further individuals' trust in the health care system. As finalized, the prohibition is limited only to circumstances in which the privacy interests of an individual and the interests of society in an effective health care system outweigh society's interest in obtaining PHI for non-health care purposes.
See88 FR 23506, 23530 (Apr. 17, 2023).
Comment: A commenter stated that, to the extent the ability of a state to determine whether to investigate or bring a proceeding is based on information in the possession of a regulated entity, the proposed rule did not adequately address a state's need to regulate the medical profession and health care facilities.
Response: As finalized, the prohibition prevents the use and disclosure of PHI for certain purposes where a person sought, obtained, provided, or facilitated reproductive health care that is lawful under the circumstances in which such health care is provided. As discussed above, the final rule strikes the appropriate balance between privacy interests and other interests. Public officials remain free to investigate the provision of health care by seeking information from non-covered entities. Moreover, the prohibition does not prevent a state from enforcing its laws. Instead, it protects the privacy of individuals' PHI in certain circumstances.
Comment: A few commenters expressed concern that the proposed prohibition may also affect the enforcement of Federal laws.
Response: The Department has consulted extensively with other Federal agencies and officials in the development of this rule, including the Attorney General, and does not believe that this rule will impede the enforcement of Federal laws. As discussed above, this rule carefully balances privacy and other interests, applying only in certain narrowly tailored situations.
Comment: Numerous commenters recommended that the Department expand the scope of the proposed prohibition to include other or all types of stigmatized health care. A few commenters recommended expanding the proposed prohibition to all health care or to provide individuals the ability to prevent the disclosure of their PHI through HIEs.
Generally, commenters supporting expansion of the proposal's scope expressed the belief that it was necessary for HIPAA to promote trust between individuals and health care providers and to improve health care quality and outcomes.
Several commenters explained that persons seeking, obtaining, providing, or facilitating other types of health care are facing the same challenges as described in the proposal with respect to reproductive health care, including health care obtained outside of the health care system, and provided examples of such challenges. Many commenters also made recommendations for how the Department should address those challenges.
Response: The Department is issuing this final rule to protect the privacy of PHI when it is sought for activities to investigate or impose liability on persons for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care. Lawfulness is based on a reasonable determination made by a regulated entity that has received a request for PHI for one of the purposes specified at 45 CFR 164.502(a)(5)(iii)(A) that at least one of the conditions in the Rule of Applicability applies. We are finalizing a prohibition that is not specific to certain procedures, laws, or types of providers. Rather, the prohibition we finalize here requires regulated entities to consider the purpose of the requested use or disclosure. To the extent that the specific types of health care referenced by commenters above meet the definition of reproductive health care, this final rule will prevent the disclosure of PHI where it is sought for activities with the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. In adopting a purpose-based prohibition, the Department has chosen an administrable standard that reflects the appropriate balance between protecting individuals' privacy interests and allowing the use or disclosure of PHI in support of other important societal interests. Additional privacy protections for information about SUD treatment may be afforded to PHI in Part 2 records under Part 2.
See42 CFR part 2 and the 2024 Part 2 Rule for more information about Part 2 and the protections afforded to Part 2 records.
Comment: In response to the Department's specific request about whether it should require a regulated entity to obtain an individual's authorization for any uses and disclosures of “highly sensitive PHI” or otherwise address such a defined category of PHI in the Privacy Rule, a few commenters urged the Department to expand the proposed prohibition to protect all people at risk of criminal or other investigation for use of essential health care or care, services, or supplies related to the health of the individual that could expose any person to civil or criminal liability. Several commenters recommended that the Department expand the scope of the proposed prohibition to, variously, all “highly sensitive health information,” “sensitive personal health care,” “highly sensitive PHI,” or “highly sensitive PHI and restricted health care service” because of the potential harms that could result if such health information were to be disclosed without stringent privacy safeguards.
Several commenters asserted that creating a category of or separate standard for “highly sensitive PHI” would cause significant confusion because it would be difficult to define in a commonly understood manner. According to these commenters, this would make compliance more challenging and costly and further decrease the individual's privacy. A few commenters expressed concern that creating a special category of highly sensitive PHI would further stigmatize certain types of health care.
Several commenters expressed concern that prohibiting or limiting uses or disclosures of highly sensitive PHI for certain purposes may negatively affect efforts to eliminate the need for data segmentation, such as efforts to align the Privacy Rule and Part 2; reduce or eliminate stigmatization of certain health conditions and diagnoses; and improve health care management and health care coordination.
Response: We appreciate these comments and generally agree with commenters who expressed concern that the Privacy Rule should address the shifting legal landscape to ensure that it continues to protect PHI, regardless of how the PHI is transmitted or maintained. We also agree that to the extent possible, the Privacy Rule should promote administrative efficiency and disincentivize adverse actions by health care providers grounded in fear of prosecution or legal risks borne from providing lawful health care to individuals, which may erode patients' trust and confidence in the health care system and deter them from seeking lawful health care. The Department's approach to promulgating a narrowly tailored prohibition focused on clarifying the use and disclosure of PHI for the purposes prohibited by this final rule accomplishes these goals. As we explained in the 2023 Privacy Rule NPRM and re-affirm in this final rule, recent developments in the legal environment have made information about lawful reproductive health care sought by or provided to an individual more likely to be of interest for punitive non-health care purposes, and thus more likely to be used or disclosed if sought for a purpose permitted under the Privacy Rule today. As explained, the Department has identified concerns that the use or disclosure of PHI for the prohibited purposes in this rule would erode individuals' trust in the privacy of legal reproductive health care. Such erosion would negatively affect relationships between individuals and their health care providers, result in individuals forgoing needed treatment, and make individuals less likely to share pertinent health concerns with their health care providers. Modifying the Privacy Rule to focus on and address this shifting landscape is the most efficient way to return to a regulatory landscape that is balanced and consistent with the goals of HIPAA.
We do not believe that it is necessary to modify the Privacy Rule to prohibit the use and disclosure of PHI for any criminal, civil, or administrative investigation or effort to impose criminal, civil, or administrative liability related to all health care, services, or supplies. Sections 164.512(e) and (f) already set forth the specified conditions under which regulated entities may disclose PHI for judicial and administrative proceedings and law enforcement purposes.
We decline to modify the prohibition to apply it to the use and disclosure of “highly sensitive PHI.” We are persuaded by commenters who voiced concern about the feasibility of defining the phrase such that regulated entities would be able to understand and operationalize it. We also find persuasive comments about the compliance burden that would result from implementing such a prohibition. While PHI about reproductive health care may be found throughout an individual's record and may be collected or maintained by multiple types of providers, the term “reproductive health care” is defined in a manner that is clearly connected to the reproductive system, its functions, and processes.
See the finalized definition of “Reproductive health care” at 45 CFR 160.103.
In contrast, applying the prohibition to all “highly sensitive PHI” or any use or disclosure of PHI that results in harm, stigma, or adverse result for an individual would be unworkable because of lack of consensus about how to define such categories and would likely create the issues with segmentation and care coordination discussed above. As discussed above, the purpose of this final rule and narrowly crafted prohibition is to adopt the appropriate balance in the Privacy Rule between protecting individuals' privacy and permitting PHI to be used and disclosed for other societal benefits. The commenters' objectives reflect a desire to protect individuals, but their discussion does not properly account for other societal interests that are supported by certain disclosures of PHI, interests that the Privacy Rule has balanced since its inception.
Comment: A commenter requested that the Department clarify that state laws may protect the privacy of health information when the Privacy Rule does not apply, such as when individuals' health information is in the possession of a person that is not a regulated entity, such as a friend or family member, or is stored on a personal cellular phone or tablet.
Response: HIPAA provides the Department with the authority to protect the privacy and security of IIHI that is maintained or transmitted by covered entities, and in some cases, their business associates. Other laws may apply where the HIPAA Rules do not. Guidance on protecting the privacy and security of health information when using a personal cell phone or tablet is available on OCR's website.
See Off. for Civil Rights, “Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet,” U.S. Dep't of Health and Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
Comment: Many commenters cited potential operational challenges with the proposed prohibition and confirmed that current health IT generally does not provide regulated entities with the ability to segment PHI into specific categories afforded special protections. A few commenters recommended that the Department work with EHR vendors to modernize health care data management platforms to better address data segmentation, while others recommended that the Department ensure interagency coordination of data segmentation policies and provide individuals with granular level of control over their PHI.
A few commenters requested that the Department address concerns about the interaction between the minimum necessary standard and this final rule.
A commenter asserted that privacy protections that do not account for individual privacy preferences would result in individuals withholding information from their health care providers, and some health care providers electing not to generate or document certain information from or about individuals.
Response: The prohibition, as finalized, should not implicate additional data segmentation concerns beyond those that already exist. We acknowledge the low adoption rate of data segmentation standards and challenges related to the technical and administrative feasibility of data segmentation ( e.g., costs), and as discussed above, are finalizing a purpose-based approach to address such concerns. The Department continues its active engagement, particularly through ONC, to identify robust data sharing standards that facilitate appropriate privacy controls.
With respect to concerns about the Privacy Rule minimum necessary standard, we do not anticipate that this final rule will affect the ability of regulated entities subject to the standard to comply. First, the prohibition is applicable only for the purposed uses and disclosures specified in 45 CFR 164.502(a)(5)(iii). Regulated entities must make reasonable efforts to limit the use or disclosure of PHI pursuant to 45 CFR 164.512, other than 45 CFR 164.512(a), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request. Regulated entities are required to have in place policies and procedures that outline how the entity complies with the standard.
See45 CFR 164.502(b). Uses and disclosures of PHI pursuant to 45 CFR 164.512(a) are limited to the relevant requirements of such law. 45 CFR 164.512(a)(1).
Comment: A few commenters requested that the Department clarify the roles and responsibilities of covered entities and business associates with respect to compliance with the proposed prohibition and attestation requirements and whether business associate agreements would need to be amended to reflect the requirements of the final rule.
Response: The prohibition standard finalized in 45 CFR 164.502(a)(5)(iii)(A) applies directly to all regulated entities; meaning, all HIPAA covered entities and business associates. We also note that the finalized presumption of lawfulness for the underlying health care, when applicable, directly applies to business associates, as does the attestation requirement in 45 CFR 164.509. As such, business associates of covered entities that hold PHI by virtue of their business associate relationship with the covered entity are subject to the express prohibition on using or disclosing PHI for the specified purposes, regardless of whether the prohibition is specified in the business associate agreement. The attestation requirement and its application to business associates are discussed in greater detail below.
Comment: A commenter expressed support for the application of the proposal to health care providers, but also recognized states' interest in ensuring that health care providers render health care in accordance with the standard of care in that state. Another commenter questioned the Department's authority under HIPAA to implement this provision.
Response: The Department is modifying the proposed definition of “Reproductive health care” to explicitly clarify that the definition does not set a standard of care for or determine what constitutes clinically appropriate reproductive health care. Additionally, as discussed above, the application of this rule is limited to reproductive health care that is lawful under the circumstances in which such health care is provided as described at 45 CFR 164.502(a)(5)(iii)(B). Lawfulness is determined by the regulated entity that receives the request for PHI, after a reasonable determination that at least one of the conditions in the Rule of Applicability apply. As explained above, the prohibition is carefully tailored to protect the privacy of individuals' health information in circumstances where the reproductive health care at issue was lawful under the circumstances such care was provided, reflecting the appropriate balance between privacy interests and other societal interests.
Comment: Many commenters recommended alternative or additional approaches to the purpose-based prohibition, such as eliminating or narrowing the permissions for use or disclosure of PHI without an individual's authorization or limiting disclosures to third parties subject to an individual's authorization.
A few commenters recommended that the Department revise specific Privacy Rule permissions to clarify the use and disclosure of PHI for certain administrative or law enforcement requests, instead of promulgating a new prohibition.
Response: The Department's approach to prohibit the uses and disclosures of PHI for the purposes described in this final rule is consistent with the Privacy Rule's longstanding balancing of individual privacy interests with society's interests in PHI for non-health care purposes. Adopting the correct balance is necessary to preserve and promote trust between individuals and health care providers. Instead of modifying specific permissions at 45 CFR 164.512, we are finalizing modifications that prohibit the use or disclosure of PHI to ensure the correct balance, instead of modifying specific permissions at 45 CFR 164.512. Recognizing that requests that fall under these permissions represent important public policy objectives ( e.g., health oversight, law enforcement, protection of individuals subject to abuse), the Department is imposing a new attestation requirement, as described in greater detail below, to protect against harm that may arise from the use or disclosure of PHI for a purpose prohibited under 45 CFR 164.502(a)(5)(iii), which is more likely to occur when a person requesting the use or disclosure of PHI relies on certain permissions. The new attestation condition will also provide a mechanism that will enable a regulated entity to better evaluate the request. The Department declines to make additional changes at this time and will consider these topics for future guidance. The Department also declines to finalize its proposal to prevent an individual from requesting that a regulated entity use or disclose PHI pursuant to a valid authorization.
Comment: A few commenters questioned the ability of regulated entities to use or disclose PHI in compliance with mandatory reporting laws, such as laws requiring the reporting of suspected child abuse or domestic violence.
A few of these commenters questioned whether mandatory reporting requirements would change a regulated entity's duty to apply the minimum necessary standard.
A few commenters asserted that mandatory reporting laws dissuade individuals from seeking health care, prevent the development of trust between individuals and health care providers, and generally are implemented in an inequitable fashion that disproportionately apply to individuals from marginalized or historically underserved communities or communities of color.
Response: The Department acknowledges that there may be some mandatory reporting laws that require a regulated entity to determine whether a request for PHI is for a purpose prohibited by this rule. However, whether in response to a mandatory reporting law or routine request, the final rule's operation remains the same, that is, it prohibits a regulated entity from using or disclosing PHI for a prohibited purpose when the reproductive health care under investigation or at the center of the activity to impose liability is lawful under the circumstances that it was provided.
To the extent mandatory reporting requirements apply to the reporting of PHI to public health authorities for public health purposes, including PHI about reproductive health care, this final rule does not prevent a regulated entity from complying with such mandate.
To aid stakeholders in understanding how the prohibition operates with respect to public health reporting, the Department is clarifying that the term “Public health,” as used in public health surveillance, investigation, and intervention, includes identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of PHI. In so doing, we are clarifying that public health surveillance, investigation, and intervention are outside of the scope of activities prohibited by 45 CFR 164.502(a)(5)(iii). These changes will offer additional protection to individuals who would otherwise be subject to having their PHI disclosed for a prohibited purpose because the underlying mandatory reporting requirement did not clearly specify its relationship to public health. This final rule does not change the minimum necessary standard or the circumstances in which the Privacy Rule requires a regulated entity to apply the minimum necessary standard.
Comment: Many commenters expressed concern that the purposes for which the Department proposed to prohibit uses or disclosures would interfere with the ability of law enforcement to conduct investigations, including into coercion, child abuse, and sex trafficking and assault, would prevent states from verifying state licensure requirements, and would hamper the ability of health care professionals to report illegal behavior by other health care professionals.
Response: As discussed above, the prohibition applies only to activities conducted for the purpose of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is provided under circumstances in which such health care is lawful. A regulated entity is permitted to disclose PHI to a person who requests PHI for other purposes if a permission applies and the underlying conditions of the relevant permission are met, including the attestation condition, if applicable.
Comment: A few commenters recommended that the Department establish a safe harbor for the use or disclosure of PHI by regulated entities for TPO.
Response: We appreciate the comment but do not believe such a safe harbor is necessary. The Privacy Rule permits the disclosure of an individual's PHI for TPO when the conditions set forth in the TPO provisions of the rule are met. The prohibited uses and disclosures codified in this rulemaking would rarely intersect with uses and disclosures that qualify as TPO activities. As explained above, to the extent a person requesting the use or disclosure of PHI reasonably articulates a basis for a request that is not related to the mere act of seeking, obtaining, providing, or facilitating reproductive health care, a regulated entity may use or disclose the PHI where otherwise permitted by the Privacy Rule.
See45 CFR 164.506.
Comment: A commenter recommended that the Department clarify that the prohibition applies to the activities of insurers and third-party administrators of self-funded plans by adding “administering, authorizing, covering, approving, or gathering or providing information about” to the explanation of “seeking, obtaining, providing, or facilitating.”
Response: The prohibition applies to all activities that a person could reasonably be expected to engage in with a regulated entity that could result in a use or disclosure of PHI that might be sought for prohibited purposes, including activities conducted or performed by or on behalf of a health plan, including a group health plan. Accordingly, the Department has modified the scope of activities initially proposed in the 2023 Privacy Rule NPRM to better explain what it meant by seeking, obtaining, providing, or facilitating reproductive health care. The modified text is finalized at 45 CFR 164.502(a)(5)(iii)(D), and adds administering, authorizing, providing coverage for, approving, counseling about to the non-exhaustive list of example activities.
See45 CFR 160.103 (definitions of “health plan” and “group health plan”).
In the 2023 Privacy Rule NPRM, we proposed the Scope of prohibition in 45 CFR 164.502(a)(5)(iii)(B).
Comment: Several commenters expressed support for the proposed Rule of Applicability. A few commenters expressed support for the proposed Rule of Applicability because it would reassure residents of the state in which the lawful health care is provided and individuals who travel to such states for lawful health care that their medical records will not be disclosed for prohibited purposes.
Response: We are finalizing a modified Rule of Applicability as described above.
Comment: Some comments expressed varying levels of support for the Department's references to “substantial interests” by states or superseding state laws. A few commenters disagreed with the Department's assertion that states lack a legitimate interest in conducting a criminal, civil, or administrative investigation or proceeding into lawful reproductive health care where the investigation is based on the mere fact that reproductive health care was or is being provided. Others asserted that the proposed rule would be unworkable and would assign health care providers and the Department the power to determine whether reproductive health care was provided lawfully, thereby affording them the authority to enforce certain state laws.
Response: As explained above, the Rule of Applicability reflects the Department's careful balancing of privacy interests and other societal interests. For the reasons explained above, the Department has determined that the privacy interest of an individual and the interest of society in an effective health care system outweigh the interests of society in seeking the use of PHI for non-health care purposes that could result in harm to the individual where a regulated entity that receives a request for PHI reasonably determines that at least one of the conditions in the Rule of Applicability applies. To help clarify this discussion further, the Department provides examples where the Rule of Applicability applies in this section of this final rule.
Comment: Several commenters recommended that the Department eliminate the distinction between health care that is lawful and health care that is not and that all forms of reproductive health care should be protected from criminalization and government investigation.
Several commenters stated that the term “lawful” would incorrectly suggest that receiving certain types of reproductive health care could be unlawful, even though most prohibitions on reproductive health care apply to providing or performing the health care, rather than receiving it. They also questioned whether the proposed Rule of Applicability would protect individuals who obtained reproductive health care in another state.
Response: We are finalizing a Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B) that ensures the privacy of PHI when it is sought to conduct an investigation into or impose liability on any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, consistent with applicable Federal or state law. A regulated entity that receives a request for PHI must make a reasonable determination that at least one of the conditions in the Rule of Applicability applies. As discussed above, this approach reflects a careful balance between privacy interests and other societal interests.
Comment: Some commenters asserted that medical records should not be used for purposes outside of the health care setting in ways that could harm the subject of the records, particularly for law enforcement or other governmental purposes. One commenter expressed concern that disclosures of PHI would not be limited for all purposes, and that the proposal would not prevent a state from pursuing actions where the health care is later found to be unlawful. Another commenter asserted that disclosing PHI to law enforcement in connection with an investigation into reproductive health care is a secondary use of PHI that would be directly at odds with the purpose for which the PHI was collected, while others stated that the proposal risks deterring individuals from seeking or obtaining necessary health care.
A few commenters expressed concerns that health care providers could be inhibited from providing necessary health care, fully educating individuals about their options, or documenting the health care provided.
Response: When the Department promulgated the 2000 Privacy Rule, we acknowledged that the rule balanced the privacy interests of individuals with the interests of the public in ensuring PHI was available for non-health purposes. As we explained in the 2023 Privacy Rule NPRM, “individuals' right to privacy in information about themselves is not absolute. It does not, for instance, prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed.” At the same time, in the 2023 Privacy Rule NPRM, the Department acknowledged that adverse consequences do result when individuals question the privacy of their health information and explained that the purpose of HIPAA is to protect the privacy of information and promote trust in the health care system to ensure that individuals do not forgo lawful health care when needed or withhold important information that may affect the quality of their health care.
88 FR 23506, 23509 (Apr. 17, 2023) ( citing65 FR 82464 (Dec. 28, 2000)).
Id.
Accordingly, the Privacy Rule provides a clear framework to operationalize these principles, and this final rule is intended to balance these interests. The Privacy Rule does not protect information received or maintained by entities other than those that are regulated under HIPAA, including information that is used for a purpose other than the purpose for which it was initially requested. This final rule provides heightened protection, as necessary, to the privacy of PHI where its use or disclosure may result in harm to a person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided. With respect to other disclosures to law enforcement or to other governmental interests, the Privacy Rule includes other carefully crafted permissions that specify the conditions under which such disclosures must be made to ensure a reasonable balance between privacy and the public policies that disclosure would serve.
Comment: Several commenters asserted that the proposed Rule of Applicability would not protect all PHI pertaining to lawful health care. For example, commenters suggested that the proposed Rule of Applicability would be unlikely to protect individuals who obtain care outside of the health care system and urged the Department to clarify the final rule to strengthen protections for individuals who receive care in this manner. As another example, a commenter expressed concern that the proposal would not protect PHI for individuals who obtain legal reproductive health care, but as a result of complications, subsequently access health care in a state where the same reproductive health care is illegal.
Response: The definition of “reproductive health care” is discussed in greater detail above. As noted above, this final rule does not establish a standard of care, nor does it regulate what constitutes clinically appropriate health care.
Commenters who point out that different results may arise in different states are correct, but this has been true since the inception of the Privacy Rule because it sets a national floor for privacy standards, rather than a universal rule. The prohibition applies, and therefore liability attaches, when the prohibition is violated, based on the “circumstances in which such health care is provided.” Thus, a regulated entity is not permitted to disclose PHI about reproductive health care that was provided in another state where such health care was provided under circumstances in which it was lawful to provide such health care, even where the individual subsequently accesses related health care in a state where it would have been unlawful to provide the underlying health care under the circumstances in which such health care was provided. HIPAA liability attaches in cases where attempts to circumvent the Privacy Rule result in impermissible or wrongful uses or disclosures.
See42 U.S.C. 1320d-5 and 6.
We remind regulated entities that the Privacy Rule permits the use or disclosure of PHI, without an individual's signed authorization, only as expressly permitted or required by the Privacy Rule. For example, where state or other applicable law prohibits certain reproductive health care but does not expressly require a regulated entity to report that an individual obtained the prohibited health care, the Privacy Rule would not permit a disclosure to law enforcement or other investigative body pursuant to the “required by law” permission (but could potentially allow it pursuant to other provisions).
See45 CFR 164.512(a).
Comment: One commenter recommended the Department add language to the proposed Rule of Applicability or elsewhere to ensure that there would be protections for PHI where a health care provider believes the health care is legal, even when the person requesting the use or disclosure of PHI disputes the legality. A few commenters asserted that the health care provider making the decision could be a party to the reproductive health care at issue, making it a conflict of interest for the health care provider to make the determination regarding the lawfulness of the reproductive health care.
Response: We do not believe additional language is necessary because, under the prohibition, the regulated entity—and not the person making the request—is responsible for reasonably determining whether health care was lawful before making a disclosure. As explained above, this framework is consistent with how the Privacy Rule's permissions are administered, whereby regulated entities must determine whether a use or disclosure is permitted under the relevant permission. For example, when evaluating whether a use or disclosure of PHI is permitted because the use or disclosure is required by law, the regulated entity must look to the relevant law to determine whether the use or disclosure falls within that permission. Furthermore, as with other use and disclosure provisions in the Privacy Rule, regulated entities remain subject to HIPAA liability for impermissible or wrongful disclosures. Neither the statute nor the Privacy Rule provides an exception to such liability for circumstances involving conflicts of interest.
See45 CFR 164.512(a).
Comment: Many commenters expressed concern regarding the burden imposed upon and resources that would be required for regulated entities to determine whether the reproductive health care at issue was lawful if they did not provide the health care at issue, particularly considering the evolving nature of state law in this area. Several commenters expressed concern that the proposal incorrectly assumes that regulated entities would know where the reproductive health care at issue occurred and inquired about specific scenarios, such as where requests for PHI are received by clinical laboratories that have no face-to-face interaction with individuals and that rely on information provided by other covered entities. A few commenters asserted that requiring regulated entities to make the required legal determinations would not be conducive to building a trusting relationship between individuals and health care providers.
Some commenters offered recommendations to the Department, such as providing guidance for health care providers regarding their rights and responsibilities under a final rule, revising the proposal to clarify that there would be a presumption that reproductive health care occurred under lawful circumstances, absent compelling evidence to the contrary, particularly when an individual travels for health care, and clarifying the Rule of Applicability by including examples in the regulatory text.
Some commenters asserted that regulated entities in different states or with different interpretations of certain state requirements could reach different determinations about whether the reproductive health care was provided lawfully, in part because of the lack of clarity or consistency in the interpretation in these laws. Yet another commenter recommended that the Department add an express directive that, in the event of any ambiguity or unsettled law, the scope of what is considered lawful should be interpreted consistently with the intent of the rule to protect the privacy of PHI to the maximum extent possible. A commenter recommended that where the regulated entity decides in good faith, it should not be subject to penalties or enforcement action if their determination is incorrect or if the Department disagrees with the determination. Another commenter recommended that the Department clarify that regulated entities may use a reasonableness standard when making the determination about whether state laws conflict with the Privacy Rule and are therefore preempted by HIPAA.
A few commenters expressed concern about the potential interpretation or application of the proposed Rule of Applicability, particularly when the laws at issue are ambiguous. Commenters recommended inclusion of language that PHI need not be disclosed to a government agency or law enforcement if the health care provider deems, in good faith, that the reproductive health care is lawful under the circumstances in which it is provided, and that the Department clarify the application of preemption or provide in preamble examples of each condition of the proposed Rule of Applicability.
Response: We appreciate the many comments the Department received in response to its inquiry asking whether the proposed Rule of Applicability would be sufficiently clear to individuals and covered entities, and whether the provision should be made more specific or otherwise modified. Considering the many comments expressing concern about the burden associated with, the difficulty of, or the liability that could attach when someone other than the person who provided the health care must determine whether the underlying reproductive health care is lawful, the Department is adding a regulatory presumption in the final rule.
As discussed above, the regulatory presumption in 45 CFR 164.502(a)(5)(iii)(C) will permit a regulated entity receiving a PHI request that may be subject to the prohibition to presume the reproductive health care at issue was lawful under the circumstances in which such health care was provided when provided by a person other than the regulated entity receiving the request. The presumption includes a knowledge requirement such that the regulated entity must not have actual knowledge that the reproductive health care was unlawful under the circumstances in which such health care was provided or factual information supplied by the person requesting the use or disclosure of PHI that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided.
Comment: A commenter asserted that the proposed rule would unlawfully thwart enforcement of Federal criminal laws on reproductive health care because the proposed rule would be limited to circumstances where reproductive health care is permitted by state law, thereby prohibiting disclosures for the purpose of enforcing Federal laws pertaining to reproductive health care when they conflict with state law. A few commenters expressed their support for the Department's proposal that the prohibition against the use or disclosure of PHI apply where certain Federal laws apply. A few commenters requested greater specificity with respect to the application of Federal and state laws on abortion.
Response: Federal laws that involve reproductive health care form the underlying basis for examining whether reproductive health care was protected, required, or authorized by Federal law under the circumstances in which it was provided, pursuant to the 45 CFR 164.502(a)(5)(iii)(B)( 2). Under this final rule, Federal and state authorities retain the ability to investigate or impose liability on persons where the investigation or imposition of liability is centered upon the provision of reproductive health care that is unlawful under the circumstances in which it is provided. As discussed above, this rule reflects a careful balance between privacy interests and other societal interests, and the prohibition is tailored to cover situations where the reproductive health care was lawfully provided, whether state or Federal law is at issue.
Comment: A few commenters provided examples of and expressed concerns about the electronic availability of PHI about health care lawfully provided in one state to health care providers in another state where such health care would not have been lawful.
A few commenters requested that the Department clarify that clinical laboratory testing involving a validated laboratory-developed test used within a single laboratory certified pursuant to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the implementing regulations, an in vitro diagnostic test cleared or approved by the Food and Drug Administration (FDA), or a validated laboratory-developed test that is an in vitro diagnostic test cleared or approved by the FDA and used within a single CLIA-certified laboratory would fall within the scope of reproductive health care that would be “authorized by Federal law” for the purposes of the Rule of Applicability. The commenters also recommended that a clinical laboratory test furnished under the authority of a state with legal requirements that are equal to or more stringent than CLIA's statutory and regulatory requirements, and is therefore exempt from CLIA requirements, also be considered “authorized by Federal law” for the purposes of the Rule of Applicability.
Public Law 100-578, 102 Stat. 2903 (Oct. 31, 1988) (codified at 42 U.S.C. 201 note).
Response: We interpret the language “authorized by Federal law” in the Rule of Applicability to include activities, including clinical laboratory activities, that are conducted as allowed under applicable Federal law, in circumstances where there is no conflicting state restriction on the Federally authorized activity or where applicable Federal law preempts a contrary state restriction. In such circumstances, these activities are lawfully conducted because there either is no relevant state restriction or Federal law preempts a contrary state restriction. This provision thus reflects the Department's careful balancing of privacy interests and other societal interests in disclosure. As explained above, in circumstances where reproductive health care is lawfully provided, privacy interests are heightened while other societal interests in disclosure are reduced. This final rule and the operation of HIPAA's general preemption authority do not supersede applicable state law pertaining to the lawfulness of reproductive health care.
Comment: One commenter expressed support for including the phrase “based primarily” to clarify that the proposed Rule of Construction would only address situations where the purpose of the disclosure is to investigate or impose liability because reproductive health care was provided, rather than for an issue related to, but not focused on the provision of such health care, such as the quality of the health care provided or whether claims for certain health care were submitted appropriately.
All other commenters recommended removing “primarily” to ensure that there is consistent implementation. In the alternative, the commenters recommended that the Department provide additional examples of scenarios in which a situation would and would not be considered “primarily for the purposes of” or “primarily based on” the provision of reproductive health care. One commenter asserted that the definition is uncertain and could be interpreted as permitting secondary or additional uses or disclosures. Another commenter explained that permitting a use or disclosure where conducting the investigation or imposing liability is only for a secondary or incidental purpose would create too much risk for individuals and health care providers and would undermine the intent of the proposed prohibition. And another stated it is foreseeable that a requesting entity could still use the PHI for one of the purposes for which the Department proposed to prohibit uses or disclosures of PHI once they have it if it was not the primary purpose of their request. A commenter expressed concern that the language could be exploited to manufacture a “primary” purpose that would be permissible to permit PHI to be used or disclosed for a prohibited purpose, particularly because the PHI would lose the protections of the Privacy Rule once it is disclosed to another person, unless that person is also a regulated entity. Another commenter asserted that the proposed rule did not define “primarily” or “mere act,” nor did it provide sufficient examples to provide regulated entities with sufficient information to understand the proposal.
A commenter explained that a request for PHI is often for multiple purposes and recommended that the Department revise the proposed Rule of Construction to allow the proposed prohibition to apply where at least one of the purposes for which PHI is sought is to use or disclose the information for a prohibited purpose. Similarly, this commenter recommended the proposed attestation requirement in 45 CFR 164.509(b)(1) be revised to state that “one of the uses or disclosures” is not prohibited by 45 CFR 164.502(a)(5)(iii).
Response: We agree with the commenter that explained that a request for PHI may be multi-purposed. We also agree with commenters that pointed out that as proposed, the regulatory Rule of Construction appeared to create a secondary standard to consider whether a regulated entity should be prohibited from using or disclosing PHI. As discussed above, the Department is not finalizing a separate Rule of Construction and is not incorporating the phrase “primarily for the purpose of” originally proposed in 45 CFR 164.502(a)(5)(iii)(D) into the final prohibition standard. The modified prohibition standard more clearly conveys that it only prohibits the use and disclosure of PHI for the specified purposes when it relates to the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care in certain circumstances.
Comment: Commenters also recommended that the proposed Rule of Construction prohibit health care providers from reporting individuals for the sole reason of having received health care in a state where it was not lawful. They described concerns about the effect of interoperability and data sharing rules that give health care providers ready access to individuals' full medical records and urged the Department to expand the proposed Rule of Construction to mitigate the risks created by the electronic exchange of PHI.
Response: The prohibition, as finalized, is narrowly tailored to operate in a manner that protects the interests of individuals and society in protecting the privacy of PHI while still allowing the use or disclosure of PHI for certain non-health care purposes. We remind regulated entities that they are generally prohibited from disclosing PHI unless there is a specific provision of the Privacy Rule that permits (or, in limited instances, requires) such disclosure. For example, the Privacy Rule permits but does not require regulated entities to disclose PHI about an individual, without the individual's authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law. The permission to disclose PHI as “required by law” is limited to a “mandate contained in law that compels an entity to use or disclose PHI and that is enforceable in a court of law.” Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law. Disclosures that do not meet the “required by law” definition of the HIPAA Rules, or that exceed what is required by such law,” are not permissible disclosures under the required by law permission. Accordingly, regulated entities are prohibited from proactively disclosing PHI under the required by law permission at 45 CFR 164.512(a) absent a law requiring mandatory reporting of such PHI.
See45 CFR 164.512(a)(1).
See45 CFR 164.103 (definition of “Required by law”). The definition provides additional explanation about what constitutes a mandate contained in law.
See45 CFR 164.512(a)(1).
See45 CFR 164.103 (definition of “Required by law”).
The Privacy Rule permits but does not require covered entities to disclose PHI in response to an order of a court or administrative tribunal. The Privacy Rule also permits but does not require covered entities to disclose PHI in response to a subpoena, discovery request, or other lawful process, but only when certain conditions are met. See45 CFR 164.512(e)(1). These provisions cannot be used to make disclosures to law enforcement officials that are restricted by 45 CFR 164.512(f). See45 CFR 164.512(e)(2).
Comment: A few commenters asserted that the Department should modify the regulatory text of the proposed prohibition to eliminate the need for the proposed Rule of Construction because it is confusing and appears to set forth two different standards.
Response: For the reasons discussed above, we agree and have incorporated the Rule of Construction into the prohibition standard as described above.
Comment: A commenter expressed concerns that beneficial uses or disclosures, such as for conducting investigations into health care fraud, would be too limited and would not address criminal, civil and administrative proceedings, which are not related to receiving, obtaining, facilitating, or providing reproductive health services where the receipt or provision of these services could serve as evidence of another crime.
Response: We disagree with concerns that beneficial uses or disclosures would be too limited under the changes. If PHI is requested for a purpose that is not prohibited and the request complies with the conditions of an applicable permission, including the requirements of the attestation condition are met, where applicable, the regulated entity is permitted to comply with the request.
Comment: Another commenter cited studies to assert that the proposed Rule of Construction would continue to permit health care providers to proactively report on individuals. The commenter also stated that the proposed rule would not clarify how it would interact with mandatory reporting laws that could expose individuals and health care providers to investigations based on the provision of reproductive health care.
Response: The Privacy Rule does not permit a regulated entity to disclose PHI for law enforcement purposes, proactively or otherwise, without an individual's authorization when the disclosure is not made pursuant to process or as otherwise required by law. This is true currently and remains true under this final rule.
As discussed above, HIPAA generally preempts state laws requiring the use or disclosure of PHI, except in limited circumstances. Where such mandatory reporting laws are not preempted by HIPAA, regulated entities are limited to disclosing the minimum amount of PHI necessary to comply with the mandatory reporting requirement or the relevant requirements of such law.
Whether the regulated entity is limited by the minimum necessary standard or the relevant requirements of the law that requires the reporting depends upon whether the regulated entity is making the disclosure pursuant to 45 CFR 164.512(a) or some other permission under 45 CFR 164.512. See45 CFR 164.502(b)(v).
Comment: Several commenters responded to the question about whether it would be beneficial for the Department to further clarify or provide examples of uses or disclosures of PHI that would be permitted under a final rule. All of these commenters agreed that it would be beneficial for the Department to do so. Of those, several commenters specified that the Department should provide such examples in the final regulatory text. A few commenters who requested examples be provided within the regulatory text also recommended that the language make clear that the examples are illustrative.
Response: The Department declines to include examples of uses or disclosures of PHI that would be permitted in this rule, in regulatory text. We have provided illustrative examples above.
3. Clarifying Personal Representative Status in the Context of Reproductive Health Care
Section 164.502(g) of the Privacy Rule contains the standard for personal representatives and generally requires a regulated entity to treat an individual's personal representative as the individual if that person has authority under applicable law ( e.g., state law, court order) to act on behalf of the individual in making decisions related to health care. For example, the Privacy Rule would treat a legal guardian of an individual who has been declared incompetent by a court as the personal representative of that individual, if consistent with applicable law. In this and certain other provisions, the Department seeks to maintain the longstanding balance HIPAA strikes between the interest of a state or other authorities to regulate health and safety and protect vulnerable individuals with the goal of maintaining the privacy protections established in the Privacy Rule.
See45 CFR 164.502(g).
See45 CFR 164.502(g)(3)(i). See also Off. for Civil Rights, “Personal Representatives,” U.S. Dep't of Health and Human Servs., https://www.hhs.gov/hipaa/for-individuals/personal-representatives/index.html.
See, e.g., 45 CFR 164.510(b)(3) and 164.512(j)(1)(i)(A).
See65 FR 82462, 82471 (Dec. 28, 2000).
In the 2023 Privacy Rule NPRM, the Department expressed concern that some regulated entities may interpret the Privacy Rule as providing them with the ability to refuse to recognize as an individual's personal representative a person who makes reproductive health care decisions, on behalf of the individual, with which the regulated entity disagrees. Under these circumstances, current section 45 CFR 164.502(g)(5) of the Privacy Rule could be interpreted to permit a regulated entity to assert that, by virtue of the personal representative's involvement in the reproductive health care of the individual, the regulated entity believes that the personal representative is subjecting the individual to abuse. Further, this regulated entity might exercise its professional judgment and decide that it is in the best interest of the individual to not recognize the personal representative's authority to make health care decisions for that individual.
88 FR 23506, 23533-34 (Apr. 17, 2023).
To protect the balance of interests struck by the Privacy Rule, the Department proposed to modify 45 CFR 164.502 by adding a new paragraph (g)(5)(iii). Proposed 45 CFR 164.502(g)(5)(iii) would ensure that a regulated entity could not deny personal representative status to a person where such status would otherwise be consistent with state and other applicable law primarily because that person provided or facilitated reproductive health care for an individual. The Department expressed its belief that this proposal was narrowly tailored and respected the interests of states and the Department by not unduly interfering with the ability of states to define the nature of the relationship between an individual and another person, including between a minor and a parent, upon whom the state deems it appropriate to bestow personal representative status. The proposal would, however, maintain the existing HIPAA standard by ensuring personal representative status, when otherwise consistent with state law, would not be affected by the type of underlying health care sought.
Several commenters supported the Department's proposal to clarify that the covered entity's reasonable basis for electing not to treat a person as a personal representative of an individual, despite state law or other requirements of the Privacy Rule, cannot be primarily because the person has provided or facilitated reproductive health care. Other commenters expressed concern about their ability to determine what constitutes reproductive health care, as would be required to ascertain whether the covered entity had a reasonable basis to elect not to treat a person as an individual's personal representative. These commenters requested that the Department provide additional clarity in regulatory text or through examples. Other commenters questioned how the Department's proposal would align with existing state law on parental rights.
As discussed throughout this final rule, reproductive health care is uniquely sensitive and must be treated accordingly. Thus, we are finalizing 45 CFR 164.502(g)(5) with additional modifications as follows. This final rule precludes the denial of personal representative status where the basis of the denial is that the person provided or facilitated reproductive health care instead of the proposed standard that would have precluded denial “primarily” based on these actions. This change clarifies that the covered entity does not have to determine whether the reproductive health care is the “primary” basis for denying a person personal representative status. Additionally, the final rule adds the term “reasonable” before “belief” to align with 45 CFR 164.502(g)(5)(i)(A), clarifying that the basis of the covered entity's belief must be reasonable in the circumstances. We are also renumbering paragraphs. Collectively, these changes clarify that it is not reasonable to elect not to treat a person as an individual's personal representative because the person provides or facilitates reproductive health care for and at the request of the individual. The Department is making these changes in response to comments received on the 2023 Privacy Rule NPRM, which are further discussed below.
Comment: Several commenters supported the Department's proposal to clarify that the covered entity's basis for electing not to treat a person as a personal representative of an individual, despite state law or other requirements of the Privacy Rule, cannot be primarily because the person has provided or facilitated reproductive health care.
Response: As explained throughout this final rule, reproductive health care is uniquely sensitive and must be treated as such. Accordingly, we are finalizing this proposal with modifications as described above.
Comment: A commenter expressed concerns that regulated entities would have difficulty determining whether the “primary” basis for the belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person, or that treating such person as the personal representative could endanger the individual related to the provision or facilitation of the reproductive health care, in some circumstances. The commenter requested that the Department provide additional clarity in the regulatory text or through examples.
Response: As discussed above, we have removed the term “primary” before “basis” and reorganized the provision. We believe this change clarifies that the covered entity does not have to determine whether the provision or facilitation of reproductive health care is the “primary” basis for believing that a person who is an individual's personal representative under applicable law has abused, neglected, or endangered the individual, or may do so in the future, such that the covered entity would be permitted to deny the person personal representative status.
Comment: A few commenters requested that the Department clarify that other existing provisions pertaining to personal representatives continue to apply, including the provision that a covered entity should not treat a parent or guardian as a personal representative where state law does not require a minor to obtain parental consent to lawfully obtain health care.
Response: As discussed above, the Privacy Rule generally requires a covered entity to treat a person who, under applicable law, has the authority to act on behalf of an individual in making decisions related to health care as the individual's personal representative with respect to PHI relevant to such personal representation, with limited exception. In this final rule, we are clarifying those limited exceptions apply to this general rule. We did not propose, nor are we making any additional changes to the Privacy Rule's provisions on personal representatives. Nothing in this final rule is intended to alter any other use or disclosure permissions for personal representatives, nor does it interfere with the ability of states to define the nature of the relationship between a minor and a parent or guardian.
See45 CFR 164.502(g).
See45 CFR 164.502(g)(3)(i).
Comment: A commenter asserted that the proposal could lead to situations in which someone pretending to be a personal representative of the individual would consent to reproductive health care for the individual. According to a few commenters, the proposal would make it easier for a person abusing an individual to obtain access to an individual's PHI because of the limits imposed on the reasonable belief provisions by the proposal. Another commenter asserted that the proposal would hinder state investigations into crimes that affect an individual's reproductive health where such crimes are committed by a person meeting a state's definition of a personal representative.
Response: The Department has no reason to believe, and commenters provided no evidence to suggest, that the final rule will lead to abuse or undermine parental consent. Rather, the final rule will protect sensitive PHI by clarifying that a regulated entity must treat a person as a personal representative of an individual with respect to PHI relevant to such personal representation if such person is, under applicable law, authorized to act on behalf of the individual in making decisions related to health care. This includes a court-appointed guardian, a person with a power of attorney, or other persons with legal authority to make health care decisions. Further, under 45 CFR 164.514(h), a covered entity must verify the identity of a person requesting PHI and the authority of any such person to have access to PHI, if the identity is not already known to the covered entity.
Additionally, the final rule allows a covered entity to elect not to treat a person as a personal representative of an individual if the covered entity, in the exercise of professional judgment, has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person, or that treating such person as the personal representative could endanger the individual. The final rule only clarifies that the reasonable basis cannot be the provision or facilitation of reproductive health care by the person authorized by applicable law.
Comment: A few commenters recommended that the Department define and interpret personal representative status in the context of reproductive health care consistent with its current interpretation.
Response: We appreciate the comments but decline to specifically define “personal representative” in the context of reproductive health care. We are reducing compliance burdens by eliminating the need for covered entities to determine whether the provision or facilitation of reproductive health care was the “primary” basis for their belief that an individual has been or may be subjected to domestic violence, abuse, or neglect, or may be endangered by a person authorized by applicable law to act as an individual's personal representative if the covered entity treats the person as such, with respect to PHI relevant to such personal representation.
Comment: A covered entity recommended that the Department set reasonable threshold standards that covered entities would be required to meet if they deny personal representative status to a person because of any legal, social, or professional liability that could attach based on such denials. The commenter further recommended that the Department set objective universal thresholds for denials that are clear, concise, and easily defined.
Response: We appreciate the comment but decline to set a reasonable threshold standard that covered entities would be required to meet if they deny personal representative status to a person. As discussed above, the Department gives covered entities discretion to elect not to treat a person as a personal representative of an individual if the covered entity has a reasonable belief that the individual has been subjected to domestic violence, abuse, or neglect by or would be in danger from a person seeking to act as the personal representative, except where the basis of the denial is that the person provided or facilitated reproductive health care.
Response: As discussed above, a personal representative, with authority under applicable law, stands in the shoes of the individual and has the ability to act for the individual and exercise the individual's rights. Thus, with very limited exceptions, covered entities must provide the personal representative access to the individual's PHI in accordance with 45 CFR 164.524 to the extent such information is relevant to such representation.
4. Request for Comments
The Department requested comment on whether to eliminate or narrow any existing permissions to use or disclose “highly sensitive PHI.” Most of the comments on this question are discussed in the context of the prohibition.
88 FR 23506, 23534 (Apr. 17, 2023).
C. Section 164.509—Uses and Disclosures for Which an Attestation Is Required
1. Current Provision
The Privacy Rule currently separates uses and disclosures into three categories: required, permitted, and prohibited. Permitted uses and disclosures are further subdivided into those to carry out TPO; those for which an individual's authorization is required; those requiring an opportunity for the individual to agree or object; and those for which an authorization or opportunity to agree or object is not required. For an individual's authorization to be valid, the Privacy Rule requires that it contain certain specific information to ensure that an individual authorizing a regulated entity to use or disclose their PHI to another person knows and understands to what it is they are agreeing.
2. Proposed Rule
As we described in the 2023 Privacy Rule NPRM, a regulated entity presented with a request for PHI would need to discern whether using or disclosing PHI in response to the request would be prohibited. To facilitate compliance with the proposed prohibition at 45 CFR 164.502(a)(5)(iii) while also providing a pathway for regulated entities to disclose PHI for certain permitted purposes, the Department proposed to require that a covered entity obtain an attestation from a person requesting the use or disclosure of PHI in certain circumstances.
88 FR 23506, 23534-37 (Apr. 17, 2023).
Specifically, the Department proposed to add a new section 45 CFR 164.509, “Uses and disclosures for which an attestation is required.” This proposed condition would require a regulated entity to obtain certain assurances from the person requesting PHI potentially related to reproductive health care before the PHI is used or disclosed, in the form of a signed and dated written statement attesting that the use or disclosure would not be for a purpose prohibited under 45 CFR 164.502(a)(5)(iii), where the person is making the request under the Privacy Rule permissions at 45 CFR 164.512(d) (disclosures for health oversight activities), (e) (disclosures for judicial and administrative proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) (disclosures about decedents to coroners and medical examiners).
The proposed new section included a description of the proposed attestation contents, including a statement that the use or disclosure is not for a purpose the Department proposed to prohibit as described at 45 CFR 164.502(a)(5)(iii). The 2023 Privacy Rule NPRM also included a discussion about how the Department anticipated the proposed attestation requirement would work in concert with Privacy Rule permissions. Additionally, the proposed attestation provision would also include the general requirements for a valid attestation, and defects of an invalid attestation. The Department also proposed to require that an attestation be written in plain language and to prohibit it from being “combined with” any other document. Further, the Department's proposal would explicitly permit the attestation to be in an electronic format, as well as electronically signed by the person requesting the disclosure. Under the proposal, the attestation would be facially valid when the document meets the required elements of the attestation proposal and includes an electronic signature that is valid under applicable Federal and state law.
Pursuant to 45 CFR 164.530(j), regulated entities would be required to maintain a written or electronic copy of the attestation.
The Federal plain language guidelines under the Plain Writing Act of 2010 only applies to Federal agencies, but it serves as a helpful resource. See5 U.S.C. 105 and “Federal plain language guidelines,” U.S. Gen. Servs. Admin., https://www.plainlanguage.gov/guidelines/.
Proposed 45 CFR 164.509(b)(1)(iv) and (c)(1)(iv).
While not explicitly stated in the Privacy Rule, the Department previously issued guidance clarifying that authorizations are permitted to be submitted and signed electronically. See Off. for Civil Rights, “Is a copy, facsimile, or electronically transmitted version of a signed authorization valid under the Privacy Rule?,” U.S. Dep't of Health and Human Servs., HIPAA FAQ #475 (Jan. 9, 2023), https://www.hhs.gov/hipaa/for-professionals/faq/475/is-a-copy-of-a-signed-authorization-valid/index.html and Off. for Civil Rights, “How do HIPAA authorizations apply to an electronic health information exchange environment?,” U.S. Dep't of Health and Human Servs., HIPAA FAQ #554 (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/index.html.
Additionally, the proposal specified that each use or disclosure request would require a new attestation.
The Department proposed that a regulated entity would be able to rely on the attestation provided that it is objectively reasonable under the circumstances for the regulated entity to believe the statement required by 45 CFR 164.509(c)(1)(iv) that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), rather than requiring a regulated entity to investigate the validity of an attestation. We explained that it would not be objectively reasonable for a regulated entity to rely on the representation of the person requesting PHI about whether the reproductive health care was provided under circumstances in which it was lawful to provide such health care. This is because we believed that the regulated entity, not the person requesting the disclosure of PHI, has the information about the provision of such health care that is necessary to make this determination. Therefore, we explained that this determination would need to be made by the regulated entity prior to using or disclosing PHI in response to a request for a use or disclosure of PHI that would require an attestation under the proposal.
This approach is consistent with 45 CFR 164.514(h), which requires a regulated entity to verify the identity and legal authority of a public official or a person acting on behalf of a public official, and describes the type of documentation upon which a regulated entity may rely, if such reliance is reasonable under the circumstances, to do so. See also45 CFR 164.514(d)(3)(iii)(A), which permits a covered entity to rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials that are permitted under 45 CFR 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s).
The attestation proposal also would require a regulated entity to cease use or disclosure of PHI if the regulated entity develops reason to believe, during the course of the use or disclosure, that the representations contained within the attestation were materially incorrect, leading to uses or disclosures for a prohibited purpose. Relatedly, the 2023 Privacy Rule NPRM included a discussion of the consequences of material misrepresentations that cause the impermissible use or disclosure of IIHI relating to another individual under HIPAA.
Proposed 45 CFR 164.509(d).
To reduce the burden on regulated entities implementing this proposed attestation, the Department requested comment on whether it should develop a model attestation that a regulated entity may use when developing its own attestation templates. The Department did not propose to require that regulated entities use the model attestation.
3. Overview of Public Comments
Most commenters expressed support for the proposal to require an attestation for certain uses and disclosures. Some commenters questioned why the Department did not extend the attestation requirement directly to business associates, consistent with the general prohibition and recommended that the attestation requirements be applied to business associates.
Some of those commenters that supported the proposal to require an attestation expressed concern or made additional recommendations about its components, content, and scope, and the consequences for covered entities that make inadvertent disclosures of PHI without an attestation. A small number of opposing commenters also expressed concerns about the effectiveness and administrative burden of the proposed attestation requirement.
About half of the commenters concerned about the administrative burden of the attestation expressed support for limiting the applicability of the proposed attestation to certain types of uses and disclosures of information, while the other half recommended expanding the scope of the proposed attestation requirement to mitigate burdens on covered entities or to increase privacy protections for individuals.
Many commenters expressed concern about the Department's statement in the 2023 Privacy Rule NPRM that it would not be objectively reasonable for a regulated entity to rely on the representation of a person requesting the use or disclosure of PHI about whether the PHI sought was related to lawful health care. Specifically, commenters asserted that regulated entities may have difficulties determining whether an attestation is “objectively reasonable” and were unlikely to possess the information necessary to determine the purpose of a person's request for the use or disclosure of PHI.
Most commenters urged the Department to expand the proposal beyond requests for PHI potentially related to reproductive health care to requests for any PHI because of the associated administrative burden of identifying and segmenting PHI about reproductive health care from other types of PHI. These commenters asserted that the burden would be significant because such PHI can be found throughout the medical record. Commenters also expressed concerns about the ability of EHRs to segment data.
Most commenters recommended that the Department add to or modify the content of the proposed attestation, including to add a statement that the recipient pledges not to redisclose PHI to another party for any of the prohibited purposes or that the request is for the minimum amount of information necessary. Many supported the inclusion of a signed declaration under penalty of perjury and a statement regarding the penalties for perjury to add a layer of accountability.
4. Final Rule
As we explained in the 2023 Privacy Rule NPRM, it may be difficult for regulated entities to distinguish between requests for the use and disclosure of PHI based on whether the request is for a permitted or prohibited purpose, which could lead regulated entities to deny use or disclosure requests for permitted purposes. Additionally, absent an enforcement mechanism, it is likely that persons requesting the use or disclosure of PHI could seek to use Privacy Rule permissions for purposes that are prohibited under the new 45 CFR 164.502(a)(5)(iii). Accordingly, the Department is finalizing the proposed attestation requirement, with modification, as described below. We intend to publish a model attestation prior to the compliance date for this final rule.
First, the Department is renumbering the attestation provision such that the requirement is now 45 CFR 164.509(a)(1) and modifying that requirement to hold business associates directly liable for compliance with the attestation requirement. This change was made to address concerns raised by commenters who questioned why the Department did not extend the attestation requirement directly to business associates, consistent with the general prohibition and with revisions made to the HIPAA Rules in the 2013 Omnibus Rule, as required by the HITECH Act. The Department has authority to take enforcement action against business associates only for requirements for which the business associate is directly liable. Thus, under the proposed attestation requirement, a business associate would only have been required to comply with the proposed 45 CFR 164.509 if such obligation was explicitly included within its business associate agreement.
Business associates became directly liable for compliance with certain requirements of the HIPAA Rules under the HITECH Act. Consistent with the HITECH Act, the 2013 Omnibus Rule identified the portions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable. Prior to the HITECH Act and the Omnibus Rule, these requirements applied to business associates and their subcontractors indirectly through the requirements under 45 CFR 164.504(e) and 164.314(a), which require that covered entities by contract require business associates to limit uses and disclosures and implement HIPAA Security Rule-like safeguards. See78 FR 5566 (Jan. 25, 2013). See also Off. for Civil Rights, “Direct Liability of Business Associates Fact Sheet,” U.S. Dep't of Health and Human Servs. (July 16, 2021), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.
45 CFR 164.504(e) and 164.314(a).
Both covered entities and business associates process requests for PHI. The Privacy Rule permits regulated entities to determine whether a business associate can respond to such requests or whether they are required to defer to the covered entity. As noted by commenters, while many PHI requests processed by a business associate pursuant to 45 CFR 164.512(d)-(g)(1) are processed on behalf of the covered entity, persons may elect to request PHI directly from the business associate. Thus, the Department has determined that it is appropriate to hold both covered entities and business associates directly liable for compliance with the attestation requirement. Expanding the attestation requirement to apply to business associates will ensure that the business associate is directly liable for compliance with it, regardless of whether compliance with 45 CFR 164.509 is explicitly included in a BAA.
The Department is also adopting the proposed attestation requirement that a regulated entity obtain an attestation only for PHI “potentially related to reproductive health care.” As discussed in the 2023 Privacy Rule NPRM, this will limit the number of requests that require an attestation, and therefore, the burden of the attestation requirement on regulated entities and persons requesting PHI. The Department reminds regulated entities that they are permitted, but not required, to respond to law enforcement requests for PHI where the purpose of the request is not one for which regulated entities are prohibited from disclosing PHI. By narrowing the scope of the attestation to PHI “potentially related to reproductive health care,” the attestation requirement will not unnecessarily interfere with or delay law enforcement investigations that do not involve PHI “potentially related to reproductive health care.” While in practice this scope may be wide, we believe the privacy interests of individuals who have obtained reproductive health care necessitates the inclusion of “potentially related” PHI. We are concerned that extending the attestation requirement to all PHI could unnecessarily delay law enforcement investigations that are not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). We acknowledge commenters' concerns about the ability of regulated entities to operationalize the attestation condition and note that the requirement to obtain an attestation applies where the request is for PHI “potentially related to reproductive health care,” as opposed to PHI “related to reproductive health care.” Consistent with the Department's instructions to regulated entities since the Privacy Rule's inception, we have taken a flexible approach to allow scalability based on a regulated entity's activities and size. All regulated entities must take appropriate steps to address privacy concerns. Regulated entities should weigh the costs and benefits of alternative approaches when determining the scope and extent of their compliance activities, including when developing policies and procedures to comply with the Privacy Rule. The Department will assess the progress of regulated entities' compliance with this requirement and promulgate guidance as appropriate. The Department also notes that with limited exceptions, the Privacy Rule generally permits but does not require the use or disclosure of PHI when the conditions set by the Privacy Rule for the specific use or disclosure of PHI are met.
65 FR 82462, 82471, and 82875 (Dec. 28, 2000).
The Department is adopting the proposed requirement that an attestation be obtained where a request is made under the Privacy Rule permissions at 45 CFR 164.512(d) (disclosures for health oversight activities), (e) (disclosures for judicial and administrative proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) (disclosures about decedents to coroners and medical examiners). This requirement will help ensure that these Privacy Rule permissions cannot be used to circumvent the new prohibition at 45 CFR 164.502(a)(5)(iii) and continue permitting essential disclosures, while also limiting the attestation's burden on regulated entities by providing a standard mechanism by which the regulated entity can ascertain whether a requested use or disclosure is prohibited under this final rule. The attestation requirement is intended to reduce the burden of determining whether the PHI request is for a purpose prohibited under 45 CFR 164.502(a)(5)(iii), but it does not absolve regulated entities of the responsibility of making this determination, nor does it absolve regulated entities of the responsibility for ensuring that such requests meet the other conditions of the relevant permission.
We are modifying the proposal by revising 45 CFR 164.509(a)(1) to clarify that a regulated entity may not use or disclose PHI where the use or disclosure does not meet all of the Privacy Rule's applicable conditions, including the attestation requirement. While this is consistent with the existing requirements of the Privacy Rule, we determined that it was necessary to reiterate this requirement here based on comments we received. Thus, when this final rule is read holistically, a regulated entity is not permitted to use or disclose PHI where such disclosure does not meet all of the Privacy Rule's applicable conditions, including the attestation requirement.
We are also modifying the proposal by adding 45 CFR 164.509(a)(2) to clarify that the use or disclosure of PHI based on a defective attestation does not meet the attestation requirement. For example, the attestation requirement would not be met if a regulated entity relies on an attestation where it is not reasonable to do so because the attestation would be defective under 45 CFR 164.509(b)(2)(v). Accordingly, it would be a violation of the Privacy Rule if the regulated entity makes a use or disclosure in response to a defective attestation.
The Department is modifying the proposal to prohibit inclusion in the attestation of any elements that are not specifically required by 45 CFR 164.509(c). This provision addresses concerns that regulated entities might require persons requesting PHI to provide information beyond that which is required under 45 CFR 164.509(c). Such additional requirements could make it burdensome for persons requesting PHI to submit a valid attestation when they make a request pursuant to 45 CFR 164.512(d), (e), (f), or (g)(1). Additionally, a person requesting PHI is not required to use the specific attestation form provided by a regulated entity, as long as the attestation provided by such person is compliant with the requirements of 45 CFR 164.509.
Additionally, the Department is modifying the proposed prohibition on compound attestations. Specifically, the final rule prohibits the attestation from being “combined with” any other document. The modification clarifies that while an attestation may not be combined with other “forms,” additional documentation to support the information provided in the attestation may be submitted. This additional documentation may not replace or substitute for any of the attestation's required elements. The attestation itself must be clearly labeled, distinct from any surrounding text, and completed in its entirety, but documentation to support the statement at 45 CFR 164.509(c)(1)(iv) or to overcome the presumption at 45 CFR 164.502(a)(5)(iii)(C) may be appended to the attestation. Thus, a regulated entity must ensure that the required elements of the attestation are met, and should review any additional documents provided by the person making the request when making the required determinations.
A regulated entity may use this information—the information on the attestation combined with any additional documentation provided by the person making the request for PHI—to make a reasonable determination that the attestation is true, consistent with 45 CFR 164.509(b)(2)(v). For example, an attestation would not be impermissibly “combined with” a subpoena if it is attached to it, provided that the attestation is clearly labeled as such. As another example, an electronic attestation would not be impermissibly “combined with” another document where the attestation is on the same screen as the other document, provided that the attestation is clearly and distinctly labeled as such.
The Department is finalizing the proposed content requirements with modifications as follows. Specifically, the Department is finalizing the proposal that an attestation must include that the person requesting the disclosure confirm the types of PHI that they are requesting; clearly identify the name of the individual whose PHI is being requested, if practicable, or if not practicable, the class of individuals whose PHI is being requested; and confirm, in writing, that the use or disclosure is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). For purposes of the “class of individuals” described in 45 CFR 164.509(c)(1)(i)(B), the Department clarifies that the requesting entity may describe such a class in general terms—for example, as all individuals who were treated by a certain health care provider or for whom a certain health care provider submitted claims, all individuals who received a certain procedure, or all individuals with given health insurance coverage.
As we proposed, we are finalizing a requirement that the attestation include a clear statement that the use or disclosure is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). This requirement may be satisfied with a series of checkboxes that identifies why the use or disclosure is not prohibited under 45 CFR 164.502(a)(5)(iii) ( i.e., the use or disclosure is not for a purpose specified in 45 CFR 164.502(a)(5)(iii)(A); or the use or disclosure is for a purpose that would be prohibited under 45 CFR 164.502(a)(5)(iii)(A), but the reproductive health care at issue was not lawful under the circumstances in which it was provided so the Rule of Applicability is not satisfied, and thus the prohibition does not apply).
The Department is adding another new required element, a statement that the attestation is signed with the understanding that a person who knowingly and in violation of HIPAA obtains or discloses IIHI relating to another individual, or discloses IIHI to another person, may be subject to criminal liability. We believe that adding this language satisfies the intent that led us to consider including a penalty of perjury requirement and with applicable law. The statement does not impose new liability on persons who sign an attestation; instead, including the statement in the attestation ensures that persons who request the use or disclosure of PHI for which an attestation is required are on notice of and acknowledge the consequences of making such requests under false pretenses.
See42 U.S.C. 1320d-6(a).
The Department is also finalizing the proposed requirement that the attestation must be written in plain language. Additionally, the Department is finalizing its proposal to permit the attestation to be in electronic format and for it to be electronically signed by the person requesting the disclosure where such electronic signature is valid under applicable law. The Department declines to mandate a specific electronic format for the attestation.
45 CFR 164.509(b)(1)(iii) and (c)(1)(vi).
As we proposed, an attestation will be limited to the specific use or disclosure. Accordingly, each use or disclosure request for PHI will require a new attestation.
There is no exception to the minimum necessary standard for uses and disclosures made pursuant to an attestation under 45 CFR 164.509. Thus, a regulated entity will have to limit a use or disclosure to the minimum necessary when provided in response to a request that would be subject to the proposed attestation requirement, unless one of the specified exceptions to the minimum necessary standard in 45 CFR 164.502(b)(2) applies. Where the person requesting the PHI is also a regulated entity, that person will also need to make reasonable efforts to limit their request to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
45 CFR 164.502(b). The minimum necessary standard of the Privacy Rule applies to all uses and disclosures where a request does not meet one of the specified exceptions in paragraph (b)(2).
The Department is not requiring a regulated entity to investigate the validity of an attestation provided by a person requesting a use or disclosure of PHI. Rather, a regulated entity is generally permitted to rely on the attestation if, under the circumstances, a regulated entity reasonably determines that the request is not for investigating or imposing liability for the mere act of seeking, obtaining, providing, or facilitating allegedly unlawful reproductive health care. In addition, a regulated entity is generally permitted to rely on the attestation and any accompanying material if, under the circumstances, a regulated entity reasonably could conclude ( e.g., upon examination of adequate supporting documentation provided by the person making the request) that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), consistent with the approach taken in the Privacy Rule and elsewhere in this final rule. If such reliance is not reasonable, then the regulated entity may not rely on the attestation. This is a change from the proposed language, which permitted reliance based on an “objectively reasonable” standard. The proposed standard was modified because a reasonable person standard is inherently objective. Thus, including “objectively” in the description of the standard was redundant.
This approach is consistent with 45 CFR 164.514(h), which requires a covered entity to verify the identity and legal authority of a public official or a person acting on behalf of the public official and describes the type of documentation upon which regulated entities can rely, if such reliance is reasonable under the circumstances, to do so. See also45 CFR 164.514(d)(3)(iii)(A), which permits a covered entity to rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials that are permitted under 45 CFR 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s).
E.g., Restatement (Second) Torts § 283, comment b (Am. L. Inst. 1965).
For requests involving allegedly unlawful reproductive health care, the extent to which a regulated entity may reasonably rely on an attestation depends in part on whether the regulated entity provided the reproductive health care at issue. Under the final rule, it would not be reasonable for a regulated entity to rely on the representation made by a person requesting the use or disclosure of PHI that the reproductive health care was unlawful under the circumstances in which it was provided unless such representation meets the conditions set forth in the presumption at 45 CFR 164.502(a)(5)(iii)(C). As discussed above, under the presumption, reproductive health care is presumed to be lawful under the circumstances in which such health care is provided unless a regulated entity has actual knowledge, or information from the person making the request that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided. Where the reproductive health care at issue was provided by a person other than the regulated entity receiving the request for the use or disclosure of PHI and the presumption is overcome, the regulated entity is permitted to use or disclose PHI in response to the request upon receipt of an attestation where it is reasonable to rely on the representations made in the attestation. It is not reasonable for the regulated entity to rely solely on a statement of the person requesting the use or disclosure of PHI that the reproductive health care was unlawful under the circumstances in which such health care was provided. Instead, the person requesting the use or disclosure of PHI must provide the regulated entity with information such that it would constitute actual knowledge or that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided. A regulated entity that receives a request for PHI involving reproductive health care provided by that regulated entity should review the relevant PHI in its possession and other related information ( e.g., license of health care provider that provided the health care, operating license for the facility in which such health care was provided) to determine whether the reproductive health care was lawful under the circumstances in which it was provided prior to using or disclosing PHI in response to a request for PHI that requires an attestation. Where the request is about reproductive health care that is provided by the regulated entity receiving the request, it would not be reasonable for a regulated entity to automatically rely on a representation made by a person requesting the use or disclosure of PHI about whether the reproductive health care was provided under the circumstances in which it was lawful to provide such health care. Rather, the regulated entity must review the individual's PHI to consider the circumstances under which it provided the reproductive health care to determine whether such reliance is reasonable. Therefore, where the request involves the use or disclosure of PHI potentially related to reproductive health care that was provided by the recipient of the request, the regulated entity must make the determination about whether it provided the health care lawfully prior to using or disclosing PHI in response to a request that requires an attestation.
For example, if a law enforcement official requested PHI potentially related to reproductive health care to investigate a person for the mere act of seeking, obtaining, providing or facilitating allegedly unlawful reproductive health care, it would not be reasonable for a regulated entity that receives such a request to rely solely on a signed attestation that states that the reproductive health care was not lawful under the circumstances in which it was provided, as set forth in 45 CFR 164.502(a)(5)(iii)(B), and therefore, that the requested disclosure is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii)(A). This is regardless of whether the regulated entity receiving the request for PHI provided the reproductive health care at issue. Assuming that the attestation is not facially deficient, a regulated entity must consider the totality of the circumstances surrounding the attestation and whether it is reasonable to rely on the attestation in those circumstances. To determine whether it is reasonable to rely on the attestation, a regulated entity should consider, among other things: who is requesting the use or disclosure of PHI; the permission upon which the person making the request is relying; the information provided to satisfy other conditions of the relevant permission; the PHI requested and its relationship to the stated purpose of the request; and, where the reproductive health care was supplied by another person, whether the regulated entity has: (1) actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided; or (2) factual information supplied by the person requesting the use or disclosure of PHI that would demonstrate to a reasonable regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided.
For example, a regulated entity receives an attestation from a Federal law enforcement official, along with a court ordered warrant demanding PHI potentially related to reproductive health care. The law enforcement official represents that the request is about reproductive health care that was not lawful under the circumstances in which such health care was provided, but the official will not divulge more information because they allege that doing so would jeopardize an ongoing criminal investigation. In this example, if the regulated entity itself provided the reproductive health care and, based on the information in its possession, reasonably determines that such health care was lawful under the circumstances in which it was provided, the regulated entity may not disclose the requested PHI.
If the regulated entity did not provide the reproductive health care, it may not disclose the requested PHI absent additional factual information because the official requesting the PHI has not provided sufficient information to overcome the presumption at 45 CFR 164.502(a)(5)(iii)(C). Further, it also would not be reasonable under the circumstances for the regulated entity to rely on the attestation that the information would not be used for a purpose prohibited by 45 CFR 164.502(a)(5)(iii) because of the presumption that the reproductive health care was lawfully provided.
However, in cases where the presumption of lawfulness applies, the regulated entity would be permitted to make the disclosure, for example, where the law enforcement official provides additional factual information for the regulated entity to determine that there is a substantial factual basis that the reproductive health care was not lawful under the circumstances in which such health care was provided. As another example, a regulated entity could rebut the presumption of lawfulness by relying on a sworn statement by a law enforcement official that the PHI is necessary for an investigation into violations of specific criminal codes unrelated to the provision of reproductive health care ( e.g., billing fraud) or an affidavit from an individual that the individual obtained unlawful reproductive health care from a different health care provider and the requested PHI is relevant to that investigation. Similarly, if a regulated entity receives an attestation from a Federal law enforcement official, along with a court-ordered warrant demanding PHI potentially related to reproductive health care, that both specify that the purpose of the request is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), the regulated entity may rely on the attestation and warrant, subject to the requirements of 45 CFR 164.512(f)(1)(ii)(A).
Lastly, this final rule requires a regulated entity to cease use or disclosure of PHI if the regulated entity, during the course of the use or disclosure, discovers information reasonably showing that the representations contained within the attestation are materially incorrect, leading to uses or disclosures for a prohibited purpose. As we explained in the 2023 Privacy Rule NPRM, pursuant to HIPAA, a person who knowingly and in violation of the Administrative Simplification provisions obtains or discloses IIHI relating to another individual or discloses IIHI to another person would be subject to criminal liability. Thus, a person who knowingly and in violation of HIPAA falsifies an attestation ( e.g., makes material misrepresentations about the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual's IIHI could be subject to criminal penalties as outlined in the statute. Additionally, a disclosure made based on an attestation that contains material misrepresentations after the regulated entity becomes aware of such misrepresentations constitutes an impermissible disclosure, which requires notifications of a breach to the individual, the Secretary, and in some cases, the media.
45 CFR 164.509(d).
See42 U.S.C. 1320d-6(a).
A person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9(b)(3) of this title) and the individual obtained or disclosed such information without authorization. Id.
See42 U.S.C. 1320d-6(b).
45 CFR 164.400 et seq. The HIPAA Breach Notification Rule, 45 CFR 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.
The attestation requirement does not replace the conditions of the Privacy Rule's permissions for a regulated entity to disclose PHI, including in response to a subpoena, discovery request, or other lawful process, or administrative request. Instead, the attestation is designed to work with the permissions and their requirements. If PHI is disclosed pursuant to 45 CFR 164.512(e)(1)(ii) or (f)(1)(ii)(C), a regulated entity will need to verify that the requirements of each provision are met, in addition to satisfying the requirements of the new attestation provision under 45 CFR 164.509. Furthermore, the requirements of 45 CFR 164.528, the right to an accounting of disclosures of PHI made by a covered entity, are not affected by the attestation requirement. Thus, disclosures made pursuant to a permission under 45 CFR 164.512(d), (e), (f), or (g) must be included in the accounting, including when they are made pursuant to an attestation.
5. Responses to Public Comments
Comment: Most commenters supported the proposal to require an attestation for certain uses and disclosures. A few commenters recognized the benefits of the attestation requirement, despite the potential increase in administrative burden for regulated entities.
Many commenters opposed the proposal for what they described as administrative burden, questionable effectiveness, and lack of clarity. A few commenters stated that the requirements imposed an inappropriate compliance burden on covered entities that would need to determine whether a PHI request was “potentially related” to sensitive personal health care, and, along with a health care provider who otherwise supported the attestation, they recommended instead that the Department impose requirements on the person requesting the use or disclosure of PHI. Many commenters expressed concerns about the ability of covered entities to operationalize the proposed requirement with the limitation to PHI potentially related to reproductive health care because it would require the ability to segment PHI, which the Department previously acknowledged is generally unavailable. A few commenters questioned the effectiveness of the proposed attestation requirement, as compared to its potential burden, enforceability, and effects on access to maternal and specialty health care.
Response: We agree with commenters that the attestation requirement will bolster the privacy of PHI and acknowledge that implementation of this important safeguard requires additional administrative activities by regulated entities. The Department considered removing the limitation on the application of the attestation condition to PHI “potentially related to reproductive health care,” but we are concerned that expanding it to apply to all requests for PHI made for specified purposes would impose even more burden on regulated entities. The requirement is to determine whether the requested PHI is “potentially related to reproductive health care,” not whether it is “related to reproductive health care.” Thus, regulated entities are not required to make an affirmative determination that the requested PHI is in fact related to reproductive health care before requiring a person requesting PHI to provide an attestation. We note that the focus of the attestation requirement has been limited to PHI potentially related to reproductive health care because the changes to the legal landscape have heighted privacy concerns about reproductive health care that is lawful under the circumstances in which such health care is provided. We also note that the provision of an attestation itself is not determinant of whether the request is for a prohibited purpose. Rather, regulated entities must consider whether a request for PHI is for a prohibited purpose, regardless of whether the request is made for a purpose for which the Privacy Rule requires an attestation.
The Department is limited to applying the HIPAA Rules to those entities covered by HIPAA ( i.e., health plans, health care clearinghouses, and health care providers that conduct covered transactions) and to business associates, as provided under the HITECH Act. Accordingly, the Department is limited to imposing obligations on persons requesting the use or disclosure of PHI to those who are also regulated entities.
The attestation condition has been drafted to promote the privacy of information about lawful reproductive health care, including maternal and specialty health care, while still permitting certain uses of PHI. Regulated entities, including covered entities that specialize in providing reproductive health care may determine, based on their assessment of what PHI is potentially related to reproductive health care, that an attestation must accompany all requests they receive for the use or disclosure of any PHI made pursuant to and in compliance with 45 CFR 164.512(d)-(g)(1). Further, the attestation requirement only applies to the specified requests for PHI and should not affect any intake of new patients or provision of maternal health care.
The Department is not requiring a regulated entity to investigate the veracity of the information provided in support of an attestation because doing so would impose a significant administrative burden on regulated entities and persons requesting the use or disclosure of PHI without proportional benefit. Additionally, requiring such an investigation by the regulated entity may cause unnecessary delays to law enforcement activities. Rather, the Department is finalizing a regulated entity's ability to rely on the attestation provided that it is reasonable under the circumstances for the regulated entity to believe the statement required by 45 CFR 164.509(c)(1)(iv) that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii). If such reliance is not reasonable, then the regulated entity may not rely on the attestation.
A regulated entity that receives a request for PHI potentially related to reproductive health care for purposes specified in 45 CFR 164.512(d), (e), (f), or (g)(1) may accept information, in addition to the attestation, from the person requesting the PHI to support its ability to make the determinations required by 45 CFR 164.502(a)(5)(iii) and 45 CFR 164.509(b)(v).
For example, it likely would not be reasonable for a regulated entity to rely on an attestation from a public official who represents that their request is for a purpose that is not prohibited, if the request for PHI is overly broad for its purported purpose and the public official has publicly stated that they will be investigating health care providers for providing reproductive health care. In such cases, regulated entities should consider the circumstances surrounding an attestation to determine whether they can reasonably rely on the attestation. Although we have modified the regulatory text by removing “objectively,” the standard remains unchanged in practice because a reasonableness standard is an objective standard. As we also discussed above, it is not reasonable for a regulated entity that provided the reproductive health care at issue to rely on a representation made by a person requesting the use or disclosure of PHI that the reproductive health care at issue was unlawful under the circumstance in which such health care was provided. A regulated entity that makes a disclosure where it was not reasonable to rely on the representation made by the person requesting the use or disclosure may be subject to enforcement action by OCR.
Additionally, as discussed in greater detail above, a person who knowingly and in violation of the Administrative Simplification provisions obtains or discloses IIHI relating to another individual or discloses IIHI to another person would be subject to criminal liability. We believe that this provision serves as a deterrent for those who otherwise might request PHI in violation of this final rule. It also will continue to permit essential disclosures while ensuring that Privacy Rule permissions cannot be used to circumvent the new prohibition, thereby enhancing the privacy of individuals' PHI and protecting other important interests.
See42 U.S.C. 1320d-6(a).
Comment: Several commenters opposed the attestation proposal because they believed that the proposal would make it more difficult for law enforcement to request PHI and for entities to respond to such requests, potentially putting them in situations where they need to choose between complying with a court order and impermissibly disclosing PHI. A few individuals stated that the proposal would have a chilling effect on the ability of a state to conduct investigations or proceedings for which the use or disclosure of PHI could be beneficial, particularly in cases involving rape, incest, sex trafficking, domestic violence, abuse, and neglect.
Response: We acknowledge that the attestation provision may require regulated entities to obtain additional information from persons requesting PHI in certain circumstances. As discussed above, this condition is consistent with the operation of the Privacy Rule since its inception, which has always required regulated entities to obtain additional information from persons requesting PHI in certain circumstances, such as where the use or disclosure is one for which an authorization or opportunity to agree or object is not required. However, as also discussed above, any burden the attestation may impose on persons requesting PHI is outweighed by the privacy interests that this final rule is designed to protect.
See45 CFR 164.512.
A person requesting PHI pursuant to 45 CFR 164.512(d)-(g)(1) may elect to provide an attestation with their request, even if a determination has not yet been made concerning whether such request is for PHI potentially related to reproductive health care. Similarly, the Privacy Rule does not require a regulated entity to respond to requests for PHI.
Comment: Some commenters were concerned about the effect of the attestation requirement on the electronic exchange of PHI and recommended approaches for incorporating attestations into a HIE environment. A commenter expressed concern that the requirement for an attestation would delay or prevent automated data exchange using Fast Healthcare Interoperability Resources® (FHIR®) APIs and might impede innovation. They requested guidance on how to implement the attestation condition in an HIE environment without impeding regulated exchanges or industry innovations using extensive data exchange via FHIR APIs. Commenters also recommended that the Department issue guidance on implementing attestation policies in circumstances not required by this rule that would not constitute information blocking. A commenter encouraged the Department to implement processes that limit the liability of health care providers for the actions of third parties. For example, the commenter requested that the Department clarify that a refusal to disclose PHI absent an attestation is protected from a finding of information blocking.
Response: We do not believe that this final rule prevents the disclosure of PHI via a HIE. We disagree that this requirement prevents the exchange of data using FHIR APIs under these permissions or for automated health data exchange more broadly. PHI can be disclosed as requested if the regulated entity obtains a valid attestation and the request meets the conditions of an applicable permission. The attestation requirement does not affect any requests via FHIR API that fall outside of the 45 CFR 164.512(d)-(g)(1) permissions. For example, a disclosure of PHI from a covered health care provider to another health care provider for care coordination purposes would not require an attestation because the disclosure would not be for a purpose addressed by 45 CFR 164.512(d)-(g)(1). The importance of ensuring the protection of an individual's interests in the privacy of their PHI and society in improving the effectiveness of the health care system far outweigh any potential administrative burdens or delays in the electronic exchange of PHI for non-health care purposes. Further, compliance with applicable law does not constitute information blocking. Thus, we do not believe additional regulatory language is necessary at this time. OCR regularly collaborates with other Federal agencies, including ONC, to develop guidance on compliance with Federal standards and to address questions that arise about the ability of regulated entities to comply with applicable laws.
See42 U.S.C. 300jj-52(a)(1) (excluding from the definition of “information blocking” practices that are likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information if they are “required by law”; 85 FR 25642, 25794 (May 1, 2020) (explaining that “required by law” specifically refers to interferences that are explicitly required by state or Federal law). See also89 FR 1192, 1351 (Jan. 9, 2024) (affirming that where applicable law prohibits access, exchange, or use of information, practices in compliance with such law are not considered to be information blocking and citing to compliance with the Privacy Rule as an example of an applicable law).
The permissions for which the Department is requiring that a regulated entity obtain an attestation prior to using or disclosing PHI are already conditioned upon meeting certain requirements, which generally require manual review. The Department acknowledges that certain persons may need to adjust their workflows to account for the attestation requirement. While there may be some delays until new processes are implemented, any disruptions will decrease over time. Thus, we do not anticipate that this final rule will contribute to additional delays in the disclosure of PHI.
The Department is finalizing a new regulatory presumption that permits a regulated entity to presume reproductive health care provided by another person was lawful unless the regulated entity has actual knowledge or factual information supplied by the person requesting the use or disclosure of PHI that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided. This presumption will facilitate the determination by the regulated entity about whether a request for the use or disclosure of PHI would be subject to the prohibition, and thus will reduce the risk of an impermissible use or disclosure of the requested PHI, thereby reducing the liability of regulated entities that receive requests for PHI to which the prohibition may apply, but where they did not provide the reproductive health care at issue.
Comment: Many commenters questioned the Department's rationale for not extending the attestation requirement directly to business associates, consistent with the general prohibition. Some commenters recommended that the attestation requirement be applied to business associates because persons requesting the use or disclosure of PHI may directly approach a business associate for this PHI (and the business associate agreement may permit such disclosures or be silent regarding whether the business associate may respond to them). Commenters also requested clarification of the responsibilities of business associates with respect to attestations and questioned whether the proposal would require amendment of their business associate agreements.
Response: As discussed above, we agree with the commenters that the attestation requirement should apply directly to business associates because they receive direct requests for PHI and are subject to the general prohibition in the same manner as covered entities. Therefore, we are modifying 45 CFR 164.509 to ensure that it expressly applies to both covered entities and their business associates.
Comment: Although a few commenters expressed support for limiting the attestation condition to requests regarding “PHI potentially related to reproductive health care,” many commenters recommended that the proposed requirement to obtain an attestation be broadly applied to requests for any PHI. Many stated that it would be easier and more efficient for regulated entities if all requests related to a prohibited purpose required the attestation, regardless of the PHI being requested. According to these commenters, this would allow the regulated entity to avoid making any determinations regarding the PHI. A few explained that expanding the requirement to all PHI would appropriately place the burden of demonstrating that the requested disclosure was permissible on the person making request.
Several commenters asserted that information related to reproductive health care is potentially found in every department, record, and system, including those that may not have a readily apparent relationship to reproductive health care. As a result, according to these commenters, it would be onerous and costly to separate different types of health information in a medical record. According to other commenters, the volume of records requests received by health systems would render any requirement on a health care provider to redact PHI from an individual's medical record in the absence of an attestation overly burdensome and increase the risk of unauthorized disclosure. Some commenters explained that staff managing health information generally do not have the legal or medical training to determine whether a PHI request may be for PHI potentially related to reproductive health care, particularly given the breadth of most requests ( e.g., for all medical records of an entity, of a particular health care provider or a particular individual). These commenters also raised concerns that the lack of legal or medical training could lead to inconsistent application of the rule, the inadvertent disclosure of PHI potentially related to reproductive health care, or delay the use or disclosure of PHI, even when the individual has not sought or obtained reproductive health care. Many commenters asserted that determining whether a request for the use or disclosure of PHI includes PHI potentially related to reproductive health care is difficult and a significant burden on health information professionals, particularly where the covered entity did not provide or facilitate the health care. According to some commenters, some business associates, such as cloud services providers, may not have the ability to determine whether the PHI that they maintain includes PHI potentially related to reproductive health care.
Some commenters posited that the result of this requirement would be that health care providers would refuse to provide any PHI in response to a request for the use or disclosure PHI on any matter that could possibly be construed as potentially related to reproductive health care. They and others stated that limiting the proposed prohibition to one category of PHI would require regulated entities to label or segment certain PHI within medical records, which would be impractical and costly because EHRs are unable to reliably segregate or flag PHI retrospectively.
Response: We acknowledge the comments from regulated entities that expressed concerns about the effects of the limitation of the attestation requirement to PHI potentially related to reproductive health care. However, the Department is concerned that extending the attestation requirement to all PHI could result in unintended consequences, such as the potential delay of law enforcement investigations that do not require PHI potentially related to reproductive health care. By contrast, an attestation requirement is necessary for PHI potentially related to reproductive health care because of recent changes to the legal landscape that make it more likely that PHI will be sought for punitive non-health care purposes, and thus more likely to be subject to disclosure by regulated entities if the requested disclosure is permissible under the Privacy Rule, thereby harming the interests that HIPAA seeks to protect. Accordingly, the Department is not modifying the attestation requirement that a regulated entity obtain an attestation only for PHI potentially related to reproductive health care.
The Department acknowledges that the attestation requirement may increase the burden on regulated entities, but we disagree that regulated entities are unable to make the required assessments of attestations. Regulated entities currently conduct similar assessments when determining whether PHI may be disclosed to a personal representative, when making disclosures that are required by law or for public health purposes, and for various other permitted purposes. Regulated entities also regularly review medical records to comply with minimum necessary requirements. The Department is cognizant that an expanded attestation requirement could significantly increase burden if it were to expand this requirement to all disclosures in the absence of the sensitivities described in this final rule.
Comment: Many commenters supported the proposal to limit the requirement to obtain an attestation with a request for uses and disclosures for certain permissions, namely that have the greatest potential to be connected with a purpose for which the Department proposed to prohibit the use and disclosure of PHI. Some commenters expressed their belief that the Department had identified the appropriate permissions for which the attestation would provide additional safeguards.
Many commenters suggested modifications, primarily expansions or clarifications of the types of permitted uses and disclosures that would be subject to the attestation. Generally, commenters explained their belief that their recommended modifications would either mitigate the burden of the requirement to ascertain the purposes of the requested disclosure or increase privacy protections for individuals.
Commenters recommended multiple ways to expand the attestation requirement, such as extending it to all permissions in 45 CFR 164.512; disclosures required by law, for public health activities, and to avert a serious threat to health or safety; disclosures for treatment purposes to a person not regulated by HIPAA or disclosures to any person who might use the PHI for a prohibited purpose; and any disclosure at the discretion of the covered entity.
Response: The Department declines to expand the permissions for which an attestation is required at this time. The Department specifically chose to limit the attestation condition to the permissions at 45 CFR 164.512(d)-(g)(1) because these permissions have the greatest potential to result in the use or disclosure of an individual's PHI for a purpose prohibited at 45 CFR 164.502(a)(5)(iii). In the context of other permissions, where the risk of improper use or disclosure is less, the benefits of an attestation condition would be outweighed by the administrative burden of compliance. Accordingly, any disclosures made pursuant to 45 CFR 164.512(b), which includes disclosures for public health surveillance, investigations, or interventions, do not require an attestation. However, we note that requests made pursuant to other permissions of the rule remain subject to and must be evaluated for compliance with the prohibition at 45 CFR 164.502(a)(5)(iii).
Comment: A commenter stated that no attestation should be needed for judicial and administrative proceedings because current requirements are adequate. Instead, the commenter requested that the Department consider expanding procedural protections.
Response: We are finalizing the requirement that regulated entities obtain an attestation as a condition of a use or disclosure of PHI for judicial and administrative proceedings. As previously discussed, the attestation requirement ensures that certain Privacy Rule permissions are not used to circumvent the prohibition. The attestation requirement also reduces the burden on regulated entities because it is specifically designed to facilitate compliance with the prohibition under 45 CFR 164.502(a)(5)(iii) by helping regulated entities determine whether the use or disclosure of the requested PHI is permitted. Although a court order, qualified protective order, satisfactory assurance, or subpoena may have a restriction that prevents information requested from being further disclosed, it protects PHI only after it has been used or disclosed. Thus, the regulated entity's use or disclosure of PHI could still violate the prohibition at 45 CFR 164.502(a)(5)(iii), even if that disclosure is made in response to a court order, qualified protective order, satisfactory assurance, or subpoena. The attestation requirement helps to mitigate the risk of violations in these circumstances.
Comment: A few commenters expressed concerns about their ability to implement the attestation requirement in circumstances where the use or disclosure is triggered by a mandatory reporting law or verbal request and recommended that no attestation should be required in any case where disclosure of PHI is required by law. According to the commenters, an attestation requirement could require a significant change to operational workflows for permitted disclosures and significantly impede operations for state and local agencies that conduct death investigations and perform public health studies and initiatives.
Response: The Privacy Rule at 45 CFR 164.512(a) permits certain uses and disclosures of PHI that are required by law, including notification of certain deaths by a covered health care provider to a medical examiner, when those uses and disclosures are limited to the requirements of such law. The attestation condition does not apply to the mandatory disclosures made pursuant to 45 CFR 164.512(a). Other mandatory reporting that is subject to 45 CFR 164.512(a)(2) has always been subject to the additional requirements of 45 CFR 164.512(c), (e), or (f). Further, mandatory reporting for public health activities pursuant to 45 CFR 164.512(b) do not require an attestation.
The attestation condition applies if the regulated entity is making a use or disclosure to a coroner or medical examiner pursuant to 45 CFR 164.512(g)(1). We understand that this may require regulated entities to adjust their workflows to comply with this requirement. For example, regulated entities could consider having an electronic attestation form readily available for persons that request the use or disclosure of PHI potentially related to reproductive health care because doing so may reduce delays in the regulated entity's response time related to the attestation condition. Thus, this condition will not significantly impede operations for persons who request information because the interruptions will decrease as they adjust their workflows to accommodate the new condition.
We remind regulated entities that the prohibition in 45 CFR 164.502(a)(5)(iii) applies, regardless of whether the request for PHI is made pursuant to a permission for which an attestation is required or another permission.
Comment: Many commenters urged the Department to implement a reasonable, good faith standard or a safe harbor for situations in which a regulated entity discloses PHI and the person requesting the PHI either uses or rediscloses it for a purpose that would be prohibited under the proposed rule. Some commenters were concerned that a covered entity will be liable for inadvertent disclosures of PHI and sought the benefit of the affirmative defense afforded at 45 CFR 160.410(b)(2).
Response: The Department declines to add a “good faith” standard or safe harbor to this final rule. As discussed above, the Department is not finalizing a separate Rule of Construction and is not incorporating the phrase “primarily for the purpose of” into the final prohibition standard.
As we explained in the 2023 Privacy Rule NPRM, 45 CFR 164.509 requires a new attestation for each use or disclosure request; a single attestation would not be sufficient to permit multiple uses or disclosures. This requirement is unlike the authorization, where generally, when a regulated entity receives a valid authorization, they may continue to use or disclose PHI to the person requesting the use or disclosure of PHI pursuant to that authorization after the initial disclosure, provided that such subsequent uses and disclosures are valid and related to that authorization. We understand that this may constitute an additional administrative burden for both the regulated entity and the person or entity requesting the information; however, requiring an attestation for each use or disclosure is necessary to ensure that certain Privacy Rule permissions are not used to circumvent the new prohibition at 45 CFR 164.502(a)(5)(iii), and to permit essential disclosures.
Comment: Some commenters expressed support for permitting a regulated entity to rely on an attestation if “it appears objectively reasonable” or “when objectively reasonable” and not requiring covered entities to investigate the accuracy of an attestation, thereby mitigating liability to the regulated entity, if not fully protecting an individual. Many commenters expressed concern that it would not be objectively reasonable for a regulated entity to rely on a representation made by the person requesting the use or disclosure of PHI that the PHI sought was related to unlawful health care. The commenters requested a guarantee that a health care provider's reliance on a “facially valid” attestation would be objectively reasonable without requiring the entity to investigate the intentions of the person requesting the use or disclosure of PHI and the validity of their attestation. A commenter recommended that the final rule direct regulated entities to take attestations at face value and hold harmless regulated entities in the event of a false attestation.
Commenters offered several reasons for these recommendations, including the burden on covered entities where they are required to determine: (1) the veracity of every attestation; (2) whether an attestation is required; and (3) whether the statement that the request for the use or disclosure is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii) is objectively reasonable.
Response: To assist in effectuating the prohibition, this Final Rule requires an attestation in some circumstances. We recognize the potential burden on regulated entities to investigate the validity of every attestation and do not require that they conduct a full investigation in each instance. However, as discussed above, if an attestation, on its face, meets the requirements at 45 CFR 164.509(c), a regulated entity must consider the totality of the circumstances surrounding the attestation and whether it is reasonable to rely on the attestation in those circumstances. To determine whether it is reasonable to rely on the attestation, a regulated entity should consider, among other things: who is requesting the use or disclosure of PHI; the permission upon which the person making the request is relying; the information provided to satisfy other conditions of the relevant permission; the PHI requested and its relationship to the purpose of the request ( i.e., does the request meet the minimum necessary standard in relation to the purpose of the request); and, where the presumption at 45 CFR 164.502(a)(5)(iii)(C) applies, information provided by the person requesting the use or disclosure of PHI to overcome that presumption.
For example, as discussed above, it may not be reasonable for a regulated entity to rely on an attestation filed by a public official that a request for PHI potentially related to reproductive health care is not for a prohibited purpose when that public official has publicly stated their interest in investigating or imposing liability on those who seek, obtain, provide, or facilitate certain types of lawful reproductive health care. If a regulated entity concludes that it would not reasonable to rely on the attestation in this instance, the regulated entity would be prohibited from disclosing the requested PHI unless and until the public official provided additional information that enables the regulated entity to assess the veracity of its attestation. In contrast, it may be reasonable to rely on the representation of a public official that a request for PHI potentially related to reproductive health care is not for a prohibited purpose if the stated purpose for the request is to investigate insurance fraud and the public official making the request is expressly authorized by law to conduct insurance fraud investigations as part of their legal mandate. Therefore, as discussed above, the Department is balancing these considerations by finalizing language that generally permits a regulated entity to rely on the attestation if it is reasonable for the regulated entity to believe the statement that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii). To further assist regulated entities in determining whether it is reasonable to rely on the attestation, the requirement that the attestation include a clear statement that the use or disclosure is not for a prohibited purpose under 45 CFR 164.502(a)(5)(iii) may be satisfied with a statement that identifies why the use or disclosure is not prohibited, which could be checkboxes that indicate that the use or disclosure is not for a purpose described in 45 CFR 164.502(a)(5)(iii)(A), or that the reproductive health care does not satisfy the Rule of Applicability at 45 CFR 164.502(a)(5)(iii)(B).
This approach is consistent with 45 CFR 164.514(h), which requires a regulated entity to verify the identity and legal authority of a public official or a person acting on behalf of the public official and describes the type of documentation upon which the regulated entity can rely, if such reliance is reasonable under the circumstances, to do so. See also45 CFR 164.514(d)(3)(iii)(A), which permits a covered entity to rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials that are permitted under 45 CFR 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s).
Where the request for the use or disclosure of PHI is made of the regulated entity that provided the reproductive health care at issue, the regulated entity should ensure that the reproductive health care was not lawful under the circumstances in which such health care was provided before using or disclosing the requested PHI. If the reproductive health care at issue was provided under circumstances in which such health care was lawful, the regulated entity must obtain an attestation and determine whether it is reasonable to rely on the attestation that the use or disclosure is not being requested to conduct an investigation into or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating such reproductive health care. If the reproductive health care at issue was provided under circumstances in which such health care was unlawful, the regulated entity is permitted, but not required, to disclose the PHI if the disclosure is meets the conditions of an applicable Privacy Rule permission, which may include an attestation.
Regulated entities will not generally be held liable for disclosing PHI to a person who signed the attestation under false pretenses, provided that the requirements of 45 CFR 164.509 are met, and it is reasonable under the circumstances for the regulated entity to believe the statement that the requested disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii).
Comment: A commenter recommended that the rule clarify the relationship between the attestation and 45 CFR 164.514(h) regarding verification requirements. They requested that the Department consider making explicit in the Final Rule that reliance on legal process would not be appropriate in the absence of an attestation.
Response: The verification requirement under 45 CFR 164.514(h) is separate from the attestation requirement, and a regulated entity must still comply with 45 CFR 164.514(h) when processing an attestation. The final rule makes clear that the attestation requirement will apply if the request for PHI potentially related to reproductive health care is made pursuant to permissions under 45 CFR 164.512(d)-(g)(1), which may include disclosing PHI pursuant to a legal process.
45 CFR 164.514(h)(1) requires a regulated entity to verify both the identity of the person requesting PHI and the authority of any such person to have access to PHI, if the identity or authority of such person is not known to the regulated entity. 45 CFR 164.514(h)(2)(ii) describes the information upon which a regulated entity may rely, if such reliance is reasonable under the circumstances, to verify the identity of a public official requesting PHI or a person acting on behalf of a public official, while 45 CFR 164.514(h)(2)(iii) describes the information upon which a regulated entity may rely, if such reliance is reasonable under the circumstances, to verify the authority of the public official requesting PHI or a person acting on behalf of a public official.
Comment: Some commenters stated that it is difficult to determine the purpose of a request for the use or disclosure of PHI because many requests include only a general purpose. A commenter asserted that staff would need to screen all incoming requests, a task that may require legal or clinical expertise. Further, some commenters stated that regulated entities may experience conflict with persons requesting the use or disclosure of PHI about signing the form.
Response: This final rule prohibits the use and disclosure of PHI for certain purposes and conditions disclosures for certain purposes upon the receipt of an attestation. Thus, it is incumbent upon the regulated entity receiving the request to determine whether disclosure is in compliance with the Privacy Rule. To help the regulated entity make such a determination, the Department is adding to the required elements of the attestation a description of the purpose of the request that is sufficient for the regulated entity to determine whether the prohibition at 45 CFR164.502(a)(5)(iii) may apply to the request. Requests for the use or disclosure of PHI for the specified purposes are likely subject to heightened scrutiny by the regulated entity currently because of other conditions imposed upon such disclosures by the Privacy Rule, so additional expertise will not always be required when processing a request for the use or disclosure of PHI and the accompanying attestation. For example, under the Privacy Rule, a regulated entity must determine whether a request for the use or disclosure of PHI for a judicial or administrative proceeding made using a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal contains “satisfactory assurances” that reasonable efforts have been made by the person making the request either: (1) to ensure that the individual who is the subject of the PHI that has been requested has been given notice of the request; or (2) to secure a qualified protective order that meets certain requirements specified in the Privacy Rule. The Privacy Rule further details how regulated entities are to determine whether they have received “satisfactory assurances” for both options described above. Such requirements ensure that a regulated entity must already carefully review requests for such purposes, such that the attestation condition likely poses minimal additional burden for such requests. In any event, the Department believes that these administrative burdens are outweighed by the privacy interests that this final rule seeks to protect.
45 CFR 164.512(e)(1)(iii) and (iv).
Comment: Many commenters asserted that it would be reasonable to require affirmative verification under penalty of perjury that the request for the use or disclosure of PHI is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii) because it would signal an intent to penalize requests made to contravene the prohibition; would incentivize persons requesting the use or disclosure of PHI to consider whether their request is for a purpose prohibited under 45 CFR 164.502(a)(5)(iii); deter unlawful “fishing expeditions” or conceal improper intent; and add a layer of accountability. Another commenter stated this heightened standard would enable the covered entity to reasonably rely in good faith on the substance of the attestation without further investigation, delay, cost, burden, or dispute. According to the commenter, a person making a request for the use or disclosure of PHI in good faith should have minimal to no concern when providing a statement signed under penalty of perjury. Another commenter supported a requirement that a person requesting the use or disclosure of PHI provide an affirmative verification made under penalty of perjury that the use or disclosure is not for purpose prohibited under 45 CFR 164.502(a)(5)(iii) because it would suggest that evidence obtained falsely would not be admissible in a legal proceeding. A commenter asserted that it is important to ensure that the proposed attestations would be as effective as possible, and including a signed declaration made under penalty of perjury is critical to ensuring their effectiveness in the current legal environment. A commenter endorsed adding a statement regarding perjury to the proposed attestation because it would place the person requesting the use or disclosure of PHI on notice of the criminal penalties if the person were to violate the proposed requirement.
A commenter asserted that the penalty of perjury requirement is a common signature standard for legal and administrative proceedings and expressed support for expanding it to other proceedings. The commenter also expressed support for considering other options because of concerns that the application and consequences of making a statement under a penalty of perjury may lack clarity outside of certain proceedings.
Response: We appreciate commenters' suggestions; however, the Department ultimately decided that the addition of a penalty of perjury would be unnecessary in light of the statutory criminal and civil penalties under HIPAA. 42 U.S.C. 1320d-6 provides that any person who knowingly and in violation of the Administrative Simplification provisions obtains IIHI relating to another individual or discloses IIHI to another person is subject to criminal liability. A regulated entity is also subject to civil penalties for violations of requirements of the HIPAA Rules. Thus, a person that requests PHI who knowingly falsifies an attestation ( e.g., makes material misrepresentations as to the intended uses of the PHI requested) to obtain PHI or cause PHI to be disclosed would be in violation of HIPAA and could be subject to criminal penalties.
See42 U.S.C. 1320d-6(a).
See42 U.S.C. 1320d-5. See also45 CFR part 160, subparts A, D, and E.
See42 U.S.C. 1320d-6(b).
Comment: Some commenters expressed support for requiring that the attestation include a statement that a person signing an attestation is doing so under penalty of perjury, but they also questioned its ability to prevent a person from requesting the use or disclosure of PHI for a purpose prohibited under 45 CFR 164.502(a)(5)(iii) and recommended additional requirements or alternatives. One commenter expressed concern that there would be no disincentive for the recipient to submit an attestation signed under false pretenses in the absence of enforceable penalties. A different commenter questioned the efficacy of a penalty of perjury requirement because the person requesting the use or disclosure may not be the person that uses the PHI for a purpose prohibited under 45 CFR 164.502(a)(5)(iii); it might be another person who uses the information for a purpose prohibited under that provision. According to the commenter, no criminal or other penalty would attach because that other person did not sign the attestation. The commenter also expressed concern that an attestation signed on behalf of an entity may not be enforceable because the person who signed the attestation did not have authority to bind the entity.
Commenters variously recommended that the Department include language that the person requesting the use or disclosure of PHI would not further use or disclose the PHI for a purpose prohibited under 45 CFR 164.502(a)(5)(iii) and that the requested information is the minimum necessary, or require a search warrant or data use agreement instead of an attestation. A commenter recommended that the Department provide individuals with an actionable remedy, such as the right to receive a portion of any civil money penalty assessed to the regulated entity or the right to “claw back” the disclosure from the receiving entity if the party that signed the attestation later violates its terms.
Response: The Department understands and shares commenters' concerns about redisclosures that would be prohibited by this rule if the disclosure was made by a regulated entity. However, HIPAA limits the Department's authority to regulating PHI maintained or transmitted by a regulated entity, that is a covered entity or their business associate. Accordingly, a person that is not a regulated entity generally may use or disclose such information without further limitation by the HIPAA Rules.
Requiring search warrants or data use agreements as a condition of the use or disclosure of PHI is beyond the scope of this final rule.
With respect to the commenter's concern about situations in which a person who does not have the appropriate authority requests PHI on behalf of a public official, the Privacy Rule generally requires that a regulated entity verify the identity and legal authority of persons requesting PHI prior to making the disclosure. Where a disclosure of PHI is to a public official or person acting on behalf of a public official who has the authority to request the information, a regulated entity may verify the authority of that public official by relying on, if reliance is reasonable under the circumstances, either a written statement of legal authority under which the information is requested (or an oral statement, if the written statement is impracticable). Alternatively, a regulated entity may presume the public official's legal authority if a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or judicial administrative tribunal. We remind regulated entities that a determination that a public official has the authority to make a request for the use or disclosure does not mean that the Privacy Rule permits them to obtain any and all information that the official requests. In such circumstances, the regulated entity should carefully review the conditions of the applicable permission to ensure that they are met. Where the condition involves a warrant, subpoena, or similar instrument, the regulated entity must also review the scope of the authority granted by the warrant, subpoena, or order to determine the extent of the PHI that it is permitted to disclose. Further, a regulated entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure by a public official as the minimum necessary if the public official represents that the requested PHI is the minimum necessary for the stated purpose.
See45 CFR 164.514(h); see also65 FR 82462, 82541, and 82547 (Dec. 28, 2000).
HIPAA specifies the remedies available to the Federal Government where persons violate the statute's Administrative Simplification provisions: civil monetary penalties and criminal fines and imprisonment. HIPAA does not include a private right of action.
Comment: One commenter asked the Department to clarify that anyone providing a false attestation would be held accountable for false statements with appropriate or significant civil fines or criminal penalties for the material misrepresentation. Another commenter specifically recommended that the Department consider it a material misrepresentation for a person to sign an attestation without an objectively reasonable basis to suspect that the reproductive health care of interest was unlawful under the circumstances in which such health care was provided. The commenter asserted that the attestation should include specific language that any person who is requesting the use or disclosure of PHI because they believe the reproductive health care was not lawful under the circumstances in which such health care was provided must have a reasonable basis for that belief ( e.g., a statement from a witness) and that the absence of an articulable, fact-based reasonable suspicion would constitute a material misrepresentation. According to the commenter, such a requirement would prevent fishing expeditions because persons requesting the use or disclosure of PHI would be required to have an actual, objective reason for believing that a person provided health care in violation of state or Federal law.
Response: The Department agrees that it would be a material misrepresentation if a person who signs an attestation does not have an objectively reasonable basis to suspect that the reproductive health care was provided under circumstances in which it was unlawful, and that an objectively reasonable basis of suspicion requires specific and articulable facts associated with the individual whose PHI is requested and the health care they received. We decline to include a statement of this position on the attestation because it is encompassed in the language that requires persons making a request for PHI to attest that they are not making the request for a prohibited purpose and the language ensuring that persons making such requests are aware of the potential liability for knowingly and in violation of HIPAA obtaining IIHI relating to an individual or disclosing IIHI to another person.
Comment: Some commenters urged the Department to include additional provisions to monitor and enforce the attestation condition, including requiring that a court order, written attestation, or valid authorization accompany requests for the use or disclosure of PHI for legal or administrative proceedings or law enforcement investigations.
Response: The attestation condition does not replace the conditions of the Privacy Rule's permissions for a regulated entity to disclose PHI in response to a subpoena, discovery request, or other lawful process, or administrative request. Instead, it is designed to work with these permissions and associated condition. For PHI to be disclosed pursuant to 45 CFR 164.512(e)(1)(ii) and (f)(1)(ii)(C), a regulated entity must verify that the relevant conditions are met and also satisfy the attestation condition at 45 CFR 164.509. We do not believe it is necessary to include additional requirements to monitor and enforce implementation of the attestation condition because a person who knowingly and in violation of the Administrative Simplification provisions obtains or discloses IIHI relating to another individual or discloses IIHI to another person would be subject to criminal liability.
45 CFR 165.512(e)(1)(ii).
See42 U.S.C. 1320d-6(a).
Comment: Almost all commenters responding to the Department's request for comment expressed support for a Department-developed model attestation or sample language that could be used by regulated entities to reduce the implementation burden of the attestation condition. A large health care provider expressed appreciation for options that would simplify the process for reviewing requests for the use or disclosure of PHI made pursuant to 45 CFR 164.512(d)-(g)(1). Other commenters asserted that a standard form would reduce unnecessary variation, support a consistent approach, decrease implementation costs, and make it easier for a regulated entity to identify requests for the use or disclosure of PHI for purposes prohibited under 45 CFR 164.502(a)(5)(iii).
Several commenters suggested that a universal or standardized attestation form would reduce the burden of the attestation requirement, especially for smaller health care providers, and reduce delays in the disclosure of PHI resulting from the need for legal review or unfamiliarity with the format of an attestation provided by a person requesting the use or disclosure of PHI. One of these commenters stated this would also support electronic data exchange by standardizing attestation fields and the format. Most commenters expressed opposition to a Department-required format and recommended that the Department permit covered entities to modify the language of the attestation.
Some commenters requested that the model attestation include a plain language explanation and a tip sheet or guidance for completion. They also requested that the model be an electronic, fillable form with a clear heading and that the editing capabilities be limited to the specific required fields. Some commenters recommended that the model attestation contain an outline of penalties for misuse of PHI.
A commenter requested that the Department guarantee that a health care provider's good faith reliance on a model attestation form would be objectively reasonable.
Response: We appreciate these recommendations and intend to publish model attestation language before the compliance date of this final rule. As discussed above, if an attestation, on its face, meets the requirements at 45 CFR 164.509(c), a regulated entity must consider the totality of the circumstances surrounding the attestation and whether it is reasonable to rely on the attestation in those circumstances.
Comment: In response to the Department's request for comment on how the proposed attestation would affect a regulated entity's process for responding to regular or routine requests from certain persons, a few commenters explained their current workflows and the resource requirements for managing these requests.
Some commenters suggested that an attestation requirement might require changes to workflows and discussed the changes that might be made.
Response: The Department appreciates these insights into how regulated entities currently respond to certain requests for the use or disclosure of PHI. We confirm that a person requesting the use or disclosure of PHI pursuant to 45 CFR 164.512(d), (e), (f), or (g)(1) must provide the regulated entity a signed and truthful attestation where the request is for PHI potentially related to reproductive health care before the regulated entity is permitted to use or disclose the requested PHI. The Department will consider developing guidance and technical assistance as needed on these topics in the future as necessary to ensure compliance with the Privacy Rule, including both the prohibition at 45 CFR 164.502(a)(5)(iii) and 164.509. It may benefit a regulated entity to require such documentation where the requested use or disclosure is for TPO or in response to a valid authorization or individual right of access request.
Comment: A few commenters recommended imposing obligations to limit redisclosures of PHI for certain purposes.
A few commenters stated that a person requesting the use or disclosure of PHI could seek a court order or provide a written attestation to permit the regulated entity to make the disclosure in question in the event they were unable to obtain an authorization.
Response: While we understand commenters' concerns regarding the uses and disclosures of health information by entities not covered by the Privacy Rule, the Department is limited to applying the HIPAA Rules to those entities covered by HIPAA ( i.e., health plans, health care clearinghouses, and health care providers that conduct covered transactions) and to business associates, as provided under the HITECH Act.
In the 2023 Privacy Rule NPRM, the Department considered permitting regulated entities to make uses or disclosures of PHI only after obtaining a valid authorization. However, the Department rejected the approach because requiring an authorization in all circumstances would not reflect the appropriate balance between individual privacy interests and other societal interests in disclosure. In particular, individuals may decline to authorize disclosure of PHI even in circumstances where their privacy interests are reduced and societal interests in disclosure are heightened, such as where the reproductive health care was unlawful under the circumstances in which it was provided.
Comment: Some commenters requested that the Department provide educational resources for regulated entities to implement the attestation. A commenter encouraged the Department to strongly enforce the attestation provision.
Response: We appreciate these recommendations and commit to providing additional resources to assist regulated entities with implementation of this rule.
Comment: In response to the Department's request for comment on alternative documentation that could assist regulated entities in complying with the proposed limitations on the use and disclosure of PHI, some commenters recommended that an attestation always be required, even if additional documentation is mandated, because the attestation would place the person requesting the use or disclosure of PHI on notice of the prohibition and to hold them accountable if they use the PHI for a purpose prohibited by 45 CFR 164.502(a)(5)(iii), in addition to helping a covered entity to determine whether the PHI is being requested for a legitimate or prohibited purpose. Others agreed because of the risk of coercion when authorizations are sought from individuals for certain purposes.
Some commenters suggested that the Department require that a court order, written attestation, or valid authorization accompany a request for the use or disclosure of any PHI for legal or administrative proceedings or law enforcement investigations because there are circumstances under which it would be unlikely for a person to obtain an authorization. Some commenters recommended that the Department not require an attestation when the disclosure of PHI is required by law, or when so ordered by a court of competent jurisdiction. A commenter proposed that the Department permit regulated entities to make the specified uses and disclosures with a written attestation, a HIPAA authorization, or alternative documentation described by the Department, including a court order, to minimize the administrative burden.
Response: The Department appreciates the approaches recommended by commenters to ensure that PHI requested is not for a prohibited purpose. We also believe that the attestation will place the person requesting the use or disclosure of PHI on notice of the prohibition and serve to hold them accountable if they use the PHI for a purpose prohibited by 45 CFR 164.502(a)(5)(iii). However, we have limited the attestation requirement to requests for PHI that is potentially related to reproductive health care. In addition, as discussed above, because the Privacy Rule's authorization requirements empower individuals to make decisions about who has access to their PHI, we are not adopting the proposed exception to the permission to use or disclose PHI pursuant to a valid authorization, nor are we adopting the other recommendations made by commenters. The Department is not finalizing its proposal to prohibit the disclosure of PHI for a purpose prohibited by 45 CFR 164.502(a)(5)(iii) pursuant to an authorization. Accordingly, the final rule permits the disclosure of an individual's PHI to another person pursuant to a valid authorization, even if the disclosure would otherwise be prohibited under this rule. Therefore, a regulated entity may disclose PHI for a purpose that otherwise would be prohibited under 45 CFR 164.502(a)(5)(iii) by obtaining a valid authorization or pursuant to the individual right of access. We reiterate that in all cases, the conditions of the underlying permission must be met before a regulated entity is permitted to use or disclose the requested PHI.
D. Section 164.512—Uses and Disclosures for Which an Authorization or Opportunity To Agree or Object Is Not Required
1. Applying the Prohibition and Attestation Condition to Certain Permitted Uses and Disclosures
Section 164.512 of the Privacy Rule contains the standards for uses and disclosures for which an authorization or opportunity to agree or object is not required. Many of the uses and disclosures addressed by 45 CFR 164.512 relate to government or administrative functions and are described in the 2000 Privacy Rule preamble as “national priority purposes.” These permissions for uses and disclosures were not required by HIPAA; instead they represented the Secretary's previous balancing of the privacy interests and expectations of individuals and the interests of communities in making certain information available for community purposes, such as for certain public health, health care oversight, and research purposes. As discussed previously, the Department, in its implementation of HIPAA, has sought to ensure that individuals do not forgo health care when needed—or withhold important information from their health care providers that may affect the quality of health care they receive—out of a fear that their sensitive information would be revealed outside of their relationships with their health care providers.
65 FR 82462, 82524 (Dec. 28, 2000).
See id. at 82471.
To clarify that the proposal at 45 CFR 164.502(a)(5)(iii) would prohibit the use and disclosure of PHI in some circumstances where such uses or disclosures are currently permitted, the Department proposed to cite the proposed prohibition at the beginning of the introductory text of 45 CFR 164.512 and condition certain disclosures on the receipt of the attestation proposed at 45 CFR 164.509. The proposed modification would add the clause, “Except as provided by 45 CFR 164.502(a)(5)(iii), [. . .]” and add “and 45 CFR 164.509” to “subject to the applicable requirements of this section.” This would create a new requirement to obtain an attestation from the person requesting the use and disclosure of PHI as a condition of making certain types of permitted uses and disclosures of PHI. Thus, under the proposal and subject to the Department finalizing the prohibition at paragraph (a)(5)(iii) of 45 CFR 164.502, uses and disclosures of PHI for certain purposes would be prohibited unless a regulated entity first obtained an attestation from the person requesting the use and disclosure under proposed 45 CFR 164.509.
88 FR 23506, 23537-38 (Apr. 17, 2023).
The Department also proposed to replace “orally” with “verbally” at the end of the introductory paragraph for clarity.
Overview of Public Comments
While many commenters addressed the proposals to add a prohibition on the use and disclosure of PHI and to require an attestation in certain circumstances, few commenters addressed the proposal to modify the introductory paragraph to 45 CFR 164.512. Such commenters either expressed support for it or requested additional guidance on the Department's intention or the proposal's operation.
The Department is adopting its proposal without modification. As discussed above, this change creates a new requirement for a regulated entity to obtain an attestation from a person requesting the use or disclosure of PHI as a condition of making certain types of permitted uses and disclosures of PHI. For example, the Privacy Rule currently permits uses and disclosures for health care oversight, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners and medical examiners, provided specified conditions are met. When read in conjunction with the new prohibition at 45 CFR 164.502(a)(5)(iii), uses and disclosures of PHI for these purposes will be subject to an additional condition that the regulated entity first obtain an attestation from the person requesting the use and disclosure under the new attestation requirement at 45 CFR 164.509.
The Department assumes that there will be instances in which state or other law requires a regulated entity to use or disclose PHI for health care oversight, judicial and administrative proceedings, law enforcement purposes, or about decedents to coroners and medical examiners for a purpose not related to one of the prohibited purposes in 45 CFR 164.502(a)(5)(iii). The Department believes that a regulated entity will be able to comply with such laws and the attestation requirement. For example, a regulated entity may continue to disclose PHI without an individual's authorization to a state medical board, a prosecutor, or a coroner, in accordance with the Privacy Rule, when the request is accompanied by the required attestation. As a result, a regulated entity generally may continue to assist the state in carrying out its health care oversight, judicial and administrative functions, law enforcement, and coroner duties with the use or disclosure of PHI once a facially valid attestation has been provided to the regulated entity from whom PHI is sought. However, where an attestation is required but not obtained, a state seeking information about an individual's reproductive health or reproductive health care would need to obtain such information from an entity not regulated under the Privacy Rule or demonstrate that the regulated entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which such health care was provided, thereby reversing the presumption described at 45 CFR 164.502(a)(5)(iii)(C).
The Privacy Rule only applies to PHI, which is IIHI that is maintained or transmitted by, for, or on behalf of a covered entity. Thus, it does not apply to individuals' health information when it is in the possession of a person that is not a regulated entity, such as a friend, family member, or is stored on a personal cellular telephone or tablet. See Off. for Civil Rights, “Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet,” U.S. Dep't of Health and Human Servs. (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
Additionally, we are replacing “orally” with “verbally” for clarity. No substantive change is intended.
Comment: One commenter expressed support for the Department's proposed revision to 45 CFR 164.512, while another commenter requested additional examples or detail in preamble about what the Department intends by this revision.
Response: The Department intends that the uses and disclosures of PHI made in accordance with 45 CFR 164.512 would be subject to both the 45 CFR 164.502(a)(5)(iii) prohibition and the 45 CFR 164.509 attestation, when applicable, specifically uses or disclosures made for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners and medical examiners. For example, a regulated entity may disclose PHI for law enforcement purposes, subject to the conditions of the permission at 45 CFR 164.512(f), where the purpose of the request for the use or disclosure is to investigate a sexual assault and the person requesting the PHI provides the regulated entity with a valid attestation signifying that the purpose of the request is not for a prohibited purpose. Similarly, where a request meets the requirements of 45 CFR 164.502(a)(5)(iii), a regulated entity may disclose PHI for law enforcement purposes, subject to the conditions of the permission at 45 CFR 164.512(f), where the purpose of the request for the use or disclosure is to investigate the unlawful provision of reproductive health care with a valid attestation signifying that the purpose of the request is not one that is prohibited ( i.e., that the purpose of the use or disclosure is not to investigate or impose liability on any person for the lawful provision of reproductive health care). As another example, a regulated entity may disclose PHI to a state Medicaid agency in accordance with 45 CFR 164.512(d) where the purpose of the request is to ensure that the regulated entity is providing the reproductive health care for which the regulated entity has submitted claims for payment to Medicaid after obtaining an attestation that meets the requirements of 45 CFR 164.509 from the state Medicaid agency.
Comment: One commenter requested clarification regarding the intersection between the Department's proposed Rule of Construction at 45 CFR 164.502(a)(5)(iii)(D) and its proposal at 45 CFR 164.512.
Response: The Department is not adopting the proposed Rule of Construction. Rather, the language of the proposal has been integrated into the prohibition standard at 45 CFR 164.502(a)(5)(iii)(A). The finalized prohibition standard requires a regulated entity to ensure that they obtain a valid attestation from a person requesting the use or disclosure of PHI for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or about decedents to coroners or medical examiners, assuring the regulated entity that the purpose of the request is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii).
2. Making a Technical Correction to the Heading of 45 CFR 164.512(c) and Clarifying That Providing or Facilitating Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence
Paragraph (c) of 45 CFR 164.512 permits a regulated entity to disclose PHI, under specified conditions, to an authorized government agency where the regulated entity reasonably believes the individual is a victim of abuse, neglect, or domestic violence. The regulatory text includes a serial comma, which clearly indicates that the provision addresses victims of three different types of crimes, but the heading of this standard does not include the serial comma.
For grammatical clarity, the Department proposed to add the serial comma after the word “neglect” in the heading of the standard contained at 45 CFR 164.512(c).
88 FR 23506, 23538 (Apr. 17, 2023).
The Department also proposed to add a new paragraph (c)(3) to 45 CFR 164.512(c), with the heading “Rule of construction,” to clarify that the permission to use or disclose PHI in reports of abuse, neglect, or domestic violence does not permit uses or disclosures based primarily on the provision or facilitation of reproductive health care to the individual. The Department intended the proposed provision to safeguard the privacy of individuals' PHI against claims that uses and disclosures of that PHI are warranted because the provision or facilitation of reproductive health care, in and of itself, may constitute abuse, neglect, or domestic violence.
Id.
A few commenters supported the proposal because it would clarify that providing or facilitating access to health care is not itself abuse, neglect, or violence, while others expressed opposition to the proposal because they believed it would prevent health care providers from reporting abuse based on the provision of reproductive health care, including potentially coerced reproductive health care. Commenters both supported and opposed the inclusion of the phrase “based primarily.”
The Department is finalizing the proposal to add the serial comma after the word “neglect” in the heading of the standard contained at 45 CFR 164.512(c).
As we explained in the 2023 Privacy Rule NPRM, the Department is concerned that recent state actions may lead regulated entities to believe that they are permitted to make disclosures of PHI when they believe that persons who provide or facilitate access to reproductive health care are perpetrators of a crime simply because they provide or facilitate access to reproductive health care. Thus, the Department is clarifying that providing or facilitating access to lawful reproductive health care itself is not abuse, neglect, or domestic violence for purposes of the Privacy Rule. This is consistent with the Department's understanding that the provision or facilitation of lawful health care is not itself abuse, neglect, or domestic violence. Such clarification has not previously been required, but recent developments in the legal landscape have made it necessary for us to codify this interpretation in the context of reproductive health care.
Accordingly, the Department is finalizing the proposed Rule of Construction at 45 CFR 164.512(c)(3), with modification as follows. The modification clarifies the circumstances under which regulated entities that are mandatory reporters of abuse, neglect, or domestic violence are permitted to make such reports. Specifically, we are replacing “based primarily on” with language specifying that the prohibition at 45 CFR 164.502(a)(5)(iii) cannot be circumvented by the permission to use or disclose PHI to report abuse, neglect, or domestic violence where the “sole basis of” the report is the provision or facilitation of reproductive health care. Thus, the Department makes clear that it may be reasonable for a covered entity that is a mandatory reporter to believe that an individual is the victim of abuse, neglect, or domestic violence and to make such report to the government authority authorized by law to receive such reports in circumstances where the provision of reproductive health care to the individual is but one factor prompting the suspicion. For example, it would not be reasonable for a covered entity to believe that an individual is the victim of domestic violence solely because the individual's spouse facilitated the covered entity's provision of reproductive health care to the individual.
Comment: A few commenters supported the Department's proposal. One commenter asserted that providing or facilitating access to any type of health care is not in and of itself abuse, neglect, or domestic violence and urged the Department to expand the scope of this language, particularly if the prohibition is similarly expanded in the final rule.
Response: The Department appreciates the comments about the modifications to 45 CFR 164.512(c). As discussed above, the scope of the prohibition is limited to reproductive health care. The proposed and final regulations are narrowly tailored and limited in scope to not increase regulatory burden beyond appropriate public policy objectives. Thus, we decline to expand the scope of this provision, as well.
Comment: A large coalition expressed concerns about mandatory domestic violence and sexual assault reporting laws. According to the coalition, mandatory reporting laws reduce the willingness of domestic violence survivors to seek help, including health care, and that the reports themselves worsen the situation for most survivors. The coalition asserted that permitting the disclosure of PHI to law enforcement and other agencies for reports of abuse, neglect, or domestic violence isolates survivors of such abuse and puts them at risk of losing their children. These commenters recommended that the Department prevent such disclosures.
Some commenters expressed opposition to the proposal because they believe it would put victims of domestic abuse at risk because it would prevent health care providers from reporting abuse, including child abuse, based on the provision or facilitation of reproductive health care. A commenter asserted that the proposal would circumvent the exception prohibiting disclosures to abusive persons at 45 CFR 164.512(b)(1)(ii). According to another commenter, the change would chill the willingness of covered entities to cooperate with investigations and judicial proceedings concerning individuals who may have used reproductive health care, regardless of the matter being adjudicated.
According to another commenter, the proposal is aimed at undermining state laws and shielding persons who provide or facilitate reproductive health care. Commenters expressed concern that the proposal would prohibit reports of abuse, neglect, or domestic violence because such reports are made for the purpose of investigating or prosecuting a person for providing or facilitating unlawful reproductive health care, and for committing sexual assault.
Response: The Department appreciates the concerns raised by the commenters. Since publication of the final Privacy Rule in 2000, the Department has acknowledged that covered entities, including covered health care providers, may have legal obligations to report PHI in certain circumstances, including about suspected victims of abuse, neglect, or domestic violence. The Department did not propose to modify the Privacy Rule's permission to disclose PHI at 45 CFR 164.512(c). The Department declines to expand its proposal to eliminate the permission for covered entities to disclose PHI to public health authorities, law enforcement, and other government authority authorized by law to receive reports of abuse, neglect, or domestic violence.
Additionally, the Department does not agree that covered entities will be prevented from reporting PHI about victims of abuse, neglect, or domestic violence. The new language at 45 CFR 164.512(c)(3) is narrowly tailored to reduce the conflation between lawfully provided reproductive health care and the view that such lawful health care, on its own, is abuse. Readers are referred to the preamble discussion of 45 CFR 164.502(a)(5)(iii) that describes the scope of disclosure changes which are being made applicable to 45 CFR 164.512(c).
The Department does not agree that the modifications circumvent the exception prohibiting disclosures to abusive persons at 45 CFR 164.512(b)(1)(ii). The new language at 45 CFR 164.512(c)(3) does not modify or change the current Privacy Rule provision for disclosures to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect. We believe the commenter is referring to 45 CFR 164.512(c)(2), which requires a covered entity to inform an individual that a report has been or will be made, and 45 CFR 164.512(c)(2)(ii), which removes the requirement to inform the individual when the covered entity would be informing a personal representative and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment. Because the new language at 45 CFR 164.512(c)(3) operates as a limitation on disclosure, it is not possible for the new provision to permit disclosures in more circumstances than previously permitted, and therefore does not circumvent the existing provision.
Comment: A commenter recommended that the Department clarify that the proposed Rule of Applicability would not prohibit disclosure and use of such records when they are sought for a defensive purpose by revising the proposed Rule of Construction at 45 CFR 164.512(c)(3) to more explicitly state that it permits such use or disclosure.
Response: The adopted Rule of Construction at 45 CFR 164.512(c)(3) applies to disclosures permitted by 45 CFR 164.512(c), which are explicitly to a government authority, including a social service or protective services agency, authorized by law to receive reports of abuse, neglect, or domestic violence. The Department is not aware of a disclosure that otherwise meets the requirements specified at 45 CFR 164.512(c)(1) that would constitute a disclosure for defensive purposes. Rather, disclosures of PHI for defensive purposes, such as a disclosure to defend against a prosecution for criminal prosecution for allegations of providing unlawful health care, are permitted by 45 CFR 164.512(f), as well as for health care operations when obtaining legal services. To the extent that a disclosure for a defensive purpose meets the applicable requirements and is permitted, the Department confirms that the final rule language generally would not prohibit a disclosure.
Comment: A few commenters requested clarification of the standard for determining what would constitute a report of abuse, neglect, or domestic violence that is based primarily on the provision of reproductive health care. Commenters also requested clarification about the interaction between the proposed prohibition and the permission at 45 CFR 164.512(c).
Response: The Privacy Rule permits but does not require the reporting of abuse, neglect, or domestic violence under certain conditions. Under the final rule, the Department is clarifying that this permission does not apply where the sole basis of the report is the provision or facilitation of reproductive health care. With this modification, the Department makes clear that it may be reasonable for a covered entity that is a mandatory reporter to believe that an individual is the victim of abuse, neglect, or domestic violence and to make such report to the government authority authorized by law to receive such reports in circumstances where the provision or facilitation of reproductive health care is but one factor prompting the suspicion. We also note, as discussed above with respect to 45 CFR 164.512(b)(1)(i), this permission allows a covered entity to report known or suspected abuse, neglect, or domestic violence only for the purpose of making a report. The PHI disclosed must be limited to the minimum necessary information for the purpose of making a report. These provisions do not permit the covered entity to disclose PHI in response to a request for the use or disclosure of PHI to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on a person based on suspected abuse, neglect, or domestic violence. Thus, any disclosure of PHI in response to a request from an investigator, whether in follow up to the report made by the covered entity (other than to clarify the PHI provided on the report) or as part of an investigation initiated based on an allegation or report made by a person other than the covered entity, must meet the conditions of disclosures for law enforcement purposes or judicial and administrative proceedings.
See45 CFR 164.502(b) and 164.514(d).
See45 CFR 164.512(e) and (f).
3. Clarifying the Permission for Disclosures Based on Administrative Processes
Under 45 CFR 164.512(f)(1), a regulated entity may disclose PHI pursuant to an administrative request, provided that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) de-identified information could not reasonably be used. Examples of administrative requests include administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law. The examples of administrative requests provided in the regulatory text include only requests that are enforceable in a court of law, and the catchall “or similar process authorized by law” similarly is intended to include only requests that, by law, require a response. This interpretation is consistent with the Privacy Rule's definition of “required by law,” which enumerates these and other examples of administrative requests that constitute “a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law.”
As we explained in the 2023 Privacy Rule NPRM, the Department has become aware that some regulated entities may be interpreting 45 CFR 164.512(f)(1) in a manner that is inconsistent with the Department's intent. Therefore, the Department proposed to clarify the types of administrative processes that this provision was intended to address.
88 FR 23506, 23538-39 (Apr. 17, 2023).
Specifically, the Department proposed to insert language to clarify that the administrative processes that give rise to a permitted disclosure include only requests that, by law, require a regulated entity to respond. Accordingly, the proposal would specify that PHI may be disclosed pursuant to an administrative request “for which a response is required by law.” The Department does not consider this to be a substantive change because the proposal was consistent with express language of the preamble discussion on this topic in the 2000 Privacy Rule. The Department intends that the express inclusion of this language will ensure that regulated entities more fully appreciate the permitted uses and disclosures pursuant to 45 CFR 164.512(f)(1)(ii)(C).
See65 FR 82462, 82531 (Dec. 28, 2000).
The Department received few comments on the proposal to clarify the permission at 45 CFR 164.512(f)(1)(ii)(C). Comments were mixed, with some support, some opposition, and some requesting additional modifications or additional examples or guidance.
While the Department received few comments on this clarification, the Department is aware of reports that covered entities are misinterpreting the intention of the requirements of 45 CFR 164.512(f)(1)(ii)(C) that disclosures of PHI to law enforcement be necessary and limited in scope. For example, a congressional inquiry recently highlighted concerns about disclosures of PHI to law enforcement from retail pharmacy chains. The inquiry found that some pharmacy staff are providing PHI directly to law enforcement without advice from their legal departments in part because their staff “face extreme pressure to immediately respond to law enforcement demands.” Based on this inquiry, these disclosures often are made without a warrant or subpoena issued by a court.
See U.S. Senate Committee on Finance News Release (Dec. 12, 2023), https://www.finance.senate.gov/chairmans-news/wyden-jayapal-and-jacobs-inquiry-finds-pharmacies-fail-to-protect-the-privacy-of-americans-medical-records-hhs-must-update-health-privacy-rules (describing legislative inquiry into pharmacy chains and release of health information in response to law enforcement). See also Letter from Sen. Wyden and Reps. Jayapal and Jacobs to HHS Sec'y Xavier Becerra (Dec. 12, 2023), https://www.finance.senate.gov/imo/media/doc/hhs_pharmacy_surveillance_letter_signed.pdf (describing findings from Congressional oversight, including survey of chain pharmacies about their processes for responding to law enforcement requests for PHI).
See U.S. Senate Committee on Finance News Release, supra note 399 and Letter from Sen. Wyden and Reps. Jayapal and Jacobs, supra note 399; see also Remy Tumin, “Pharmacies Shared Patient Records Without a Warrant, an Inquiry Finds,” The New York Times (Dec. 13, 2023), https://www.nytimes.com/2023/12/13/us/pharmacy-records-abortion-privacy.html.
The Department is adopting the clarification as proposed because regulated entities are misinterpreting the requirements of 45 CFR 164.512(f)(1)(ii)(C) that ensure that disclosures of PHI to law enforcement are necessary and limited in scope. Accordingly, the Department is adding to 45 CFR 164.512(f)(1)(ii)(C) language that specifies that PHI may be disclosed pursuant to an administrative request “for which a response is required by law.” Thus, the regulatory text now clearly states that the administrative processes for which a disclosure is permitted are limited to only requests that, by law, require a regulated entity to respond, consistent with preamble discussion on this topic in the 2000 Privacy Rule.
See65 FR 82462, 82531 (Dec. 28, 2000).
Comment: A few commenters supported the Department's proposed clarification of 45 CFR 164.512(f)(1)(ii)(C). A commenter recommended that the Department revise the language to refer to an administrative subpoena or summons, a civil or other “expressly” authorized demand, or other similar process. The commenter recommended that, at a minimum, the Department prohibit disclosures in response to oral requests, require all informal administrative requests be in writing, and require qualifying administrative requests to obtain express supervisory approval.
A commenter asserted, without providing examples, that there are many disclosures currently made under Federal agencies' interpretations of the Privacy Act of 1974 that would not be permitted under the NPRM proposal.
Public Law 93-579, 88 Stat. 1896 (Dec. 31, 1974) (codified at 5 U.S.C. 552a).
Response: The Department appreciates the comments on this clarification. The Department understands the commenter's request to add language identifying specific processes but declines to make the suggested modification at this time. The Department is concerned that references to specific items or actions could be understood to not apply to similarly situated administrative requests understood by different names. In guidance for law enforcement, the Department has provided its interpretation that administrative requests must be accompanied by a written statement.
Off. for Civil Rights, “Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule: A Guide for Law Enforcement,” https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf.
In addition, the Department does not control whether a verbal or other non-written request is sufficient to meet the standards of various jurisdictions for an administrative process that would require a responding covered entity to be legally required to respond. The Department understands that valid, justiciable reasons for responding to a verbal or other non-written request may exist, such as an emergent situation that requires an immediate response to avoid an adverse outcome. The Department believes the additional text sufficiently clarifies the misunderstandings of some regulated entities about what constitutes administrative process for the purposes of this permission.
4. Request for Information on Current Processes for Receiving and Addressing Requests Pursuant to 164.512(d) Through (g)(1)
The Department requested information and comments on certain considerations to help inform development of the final rule. In particular, the Department asked how regulated entities currently receive and address requests for PHI when requested pursuant to the Privacy Rule permissions at 45 CFR 164.512(d), (e), (f), or (g)(1), and what effect expanding the scope of the proposed prohibition to include any health care would have on the proposed attestation requirement and the ability of regulated entities to implement it. Comments submitted in response to the question about the effects of expanding the scope of the proposed prohibition have been included in prior discussions of the specific policy issues elsewhere, as applicable.
88 FR 23506, 23539 (Apr. 17, 2023).
Comment: Several commenters responded to this request for information concerning current processes for receiving certain requests pursuant to 45 CFR 164.512 by providing specific information about how they receive such requests. Some requests for PHI are received in hard copy, either by mail or hand delivery, while others are received via email. Still others are received through the regulated entities online portal or facsimile. In emergency circumstances, such requests may be received verbally. Commenters generally receive assurances through hard copy, email, their patient portal, and fax. A few commenters seek assurances for every subsequent related request, while another commenter stated that it does not require or obtain assurances for every subsequent related request if the subsequent request is related to the initial request for which the initial assurance was received.
A commenter asserted that the privacy interests at stake outweigh potential administrative burdens and provided examples of state laws that are more privacy protective than the Privacy Rule. The commenter explained that the privacy landscape is constantly evolving, as do the HIPAA Rules, and as such, regulated entities must adapt in response.
Response: The Department appreciates the information provided by commenters explaining the processes by which regulated entities currently receive requests for the use or disclosure of PHI for certain purposes and the workflows of regulated entities to ensure that such requests comply with the conditions of the applicable Privacy Rule permissions. We reviewed and considered this information when evaluating the burden of the proposed modifications to the Privacy Rule during the development of this final rule.
E. Section 164.520—Notice of Privacy Practices for Protected Health Information
1. Current Provision
The Privacy Rule generally requires that a covered entity provide individuals with an NPP to ensure that they understand how a covered entity may use and disclose their PHI, as well as their rights and the covered entity's legal duties with respect to PHI. Section 164.520(b)(1)(ii) of the Privacy Rule describes the required contents of the NPP, including descriptions of the types of permitted uses and disclosures of their PHI. More specifically, the NPP must describe the ways in which the covered entity may use and disclose PHI for TPO, as well as each of the other purposes for which the covered entity is permitted or required to use or disclose PHI without the individual's written authorization. Additionally, the NPP must state the covered entity's duties to protect privacy, provide a copy of the NPP, and abide by the terms of the current notice. The NPP must also describe individuals' rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated, as well as other statements if the covered entity uses PHI for certain activities, such as fundraising. The Privacy Rule does not, however, currently require a covered entity to provide information about specific prohibited uses and disclosures of PHI.
45 CFR 164.520. Unlike many provisions of the Privacy Rule, 45 CFR 164.520 applies only to covered entities, as opposed to both covered entities and their business associates.
2. CARES Act
Section 3221(i) of the CARES Act directs the Secretary to modify the NPP provisions at 45 CFR 164.520 to include new requirements for covered entities that create or maintain PHI that is also a record of SUD treatment provided by a Part 2 program ( i.e., covered entities that are Part 2 programs and covered entities that receive Part 2 records from a Part 2 program). The CARES Act amended 42 U.S.C. 290dd-2 to require the Department to revise Part 2 to more closely align with the Privacy Rule.
3. Proposals in 2022 Part 2 NPRM and 2023 Privacy Rule NPRM
The Department proposed in December 2022 to modify both the Patient Notice requirements at 42 CFR 2.22 and the NPP requirements at 45 CFR 164.520 to provide consistent notice requirements for all Part 2 records. Revisions to the Patient Notice requirements were addressed and finalized in the 2024 Part 2 Rule, while modifications to the NPP provisions proposed in the 2022 Part 2 NPRM were deferred to a future rulemaking. The Department also separately proposed to modify the NPP provisions to support reproductive health care privacy as part of the 2023 Privacy Rule NPRM.
As part of the 2022 Part 2 NPRM, the Department proposed several changes to the NPP provisions. We proposed in a new paragraph (2) to 45 CFR 164.520(a) that individuals with Part 2 records that are created or maintained by covered entities would have a right to adequate notice of uses and disclosures, their rights, and the responsibilities of covered entities with respect to such records. The Department also proposed to remove 45 CFR 164.520(a)(3), the exception for providing inmates a copy of the NPP, which would require covered entities that serve correctional facilities to provide inmates with a copy of the NPP. Additionally, the Department proposed revising 45 CFR 164.520(b)(1) to specifically clarify that covered entities that maintain or receive Part 2 records would need to provide an NPP that is written in plain language and contains the notice's required elements. We also proposed to modify 45 CFR 164.520(b)(1)(i) to replace “medical” with “health” information.
The Department also proposed in the 2022 Part 2 NPRM to incorporate changes proposed to the NPP requirements in the 2021 Privacy Rule NPRM, such as adding a requirement to include the email address for a designated person who would be available to answer questions about the covered entity's privacy practices; adding a permission for a covered entity to provide information in its NPP concerning the individual access right to direct copies of PHI to third parties when the PHI is not in an EHR and the ability to request the transmission using an authorization; and removing the requirement for a covered entity to obtain a written acknowledgment of receipt of the NPP. The Department is finalizing certain changes proposed in the 2022 Part 2 NPRM and the 2023 Privacy Rule NPRM that directly support the two final rules.
86 FR 6446 (Jan. 21, 2021).
In both the 2022 Part 2 NPRM and 2023 Privacy Rule NPRM, the Department proposed to modify 45 CFR 164.520(b)(1)(ii), which requires covered entities to describe for individuals the purposes for which a covered entity is permitted to use and disclose PHI. Consistent with the CARES Act, we proposed in the 2022 Part 2 NPRM to modify paragraph (C) to clarify that where uses and disclosures are prohibited or materially limited by other applicable law, “other applicable law” would include Part 2, while the Department proposed to clarify at paragraph (D) that the requirement for a covered entity to include in the NPP sufficient detail to place an individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule and other applicable laws, including Part 2.
The Department further proposed to require in 45 CFR 164.520(b)(1)(iii), which requires covered entities to include descriptions of certain activities in which the covered entity intends to engage, in a new paragraph (D) the inclusion of a statement that Part 2 records created or maintained by the covered entity will not be used in certain proceedings against the individual without the individual's written consent or a court order consistent with 42 CFR part 2. Additionally, we proposed to require in a new paragraph (E) that covered entities that intend to use Part 2 records for fundraising include a statement that such records may be used or disclosed for fundraising purposes only if the individual grants written consent as provided in 42 CFR 2.31.
In 45 CFR 164.520(b)(1)(v)(C), which addresses a covered entity's right to change the terms of its notice, we also proposed to simplify and modify the regulatory text to clarify that this right is limited to circumstances where such changes are not material or contrary to law. The Department also proposed to add a new paragraph (4) to 45 CFR 164.520(d) to prohibit construing permissions for covered entities participating in organized health care arrangements (OHCAs) to disclose PHI between participants as negating obligations relating to Part 2 records.
45 CFR 160.103 (definition of “Organized health care arrangement”).
The 2023 Privacy Rule NPRM also proposed modifications to the NPP requirements. Specifically, the Department proposed to modify 45 CFR 164.520(b)(1)(ii) by adding a new paragraph (F) to require a covered entity to describe and provide an example of the types of uses or disclosures prohibited by 45 CFR 164.502(a)(5)(iii), and to do so in sufficient detail for an individual to understand the prohibition. We also proposed adding a new paragraph (G) to 45 CFR 164.502(b)(1)(ii) to describe each type of use and disclosure for which an attestation is required under 45 CFR 164.509, with an example. Additionally, the Department requested comment on whether it would benefit individuals for the Department to require that covered entities include a statement in the NPP that would explain that the recipient of the PHI would not be bound by the proposed prohibition because the Privacy Rule would no longer apply after PHI is disclosed for a permitted purpose to an entity other than a regulated entity ( e.g., disclosed to a non-covered health care provider for treatment purposes).
88 FR 23506, 23539 (Apr. 17, 2023).
4. Overview of Public Comments
We received many comments on the proposed NPP changes in both the 2022 Part 2 NPRM and the 2023 Privacy Rule NPRM. Some of the comments on the 2022 Part 2 NPRM addressed both the NPP and the Patient Notice. Comments concerning the Patient Notice are discussed in the 2024 Part 2 Rule. Commenters on the NPP proposals in the 2022 Part 2 NPRM urged the Department to coordinate revisions to the NPP provisions across its proposed and final rules. Commenters also requested guidance about their ability to use a single form to satisfy both the NPP and Patient Notice requirements. Commenters generally expressed support for the Department's proposals to modify 45 CFR 164.520(a) and 164.520(b)(1) to apply the NPP requirements to certain entities, in coordination with changes required by the CARES Act and consistent with Part 2.
89 FR 12472 (Feb. 16, 2024).
Commenters to the 2022 Part 2 NPRM generally did not express opposition to the Department's proposed changes to paragraph (b)(iii) of 45 CFR 164.520, although some did request additional guidance. We received no comments on our proposed modifications to add a new paragraph concerning OHCAs to 45 CFR 164.520(d).
Most commenters expressed support for the Department's 2023 Privacy Rule NPRM proposals to revise the NPP requirements. Many also recommended additional modifications to the NPP requirements or clarifications to the requirements. Most also recommended that the Department add a requirement that NPPs include a statement that would explain that the recipient of PHI would not be bound by the proposed prohibition because the Privacy Rule would no longer apply after PHI is disclosed for a permitted purpose to an entity other than a regulated entity ( e.g., disclosed to a non-covered health care provider for treatment purposes).
5. Final Rule
The Department published the 2024 Part 2 Rule on February 16, 2024. It included modifications to the Patient Notice in 42 CFR 2.22 and reserved modifications to the HIPAA NPP for a forthcoming HIPAA rule. We address the modifications proposed in the 2022 Part 2 NPRM here, in concert with the modifications proposed in the 2023 Privacy Rule NPRM.
As required by the CARES Act and in alignment with the Privacy Rule, we are modifying the NPP provisions in multiple ways. First, we are requiring in 45 CFR 164.520(a)(2) that covered entities that create or maintain Part 2 records provide notice to individuals of the ways in which those covered entities may use and disclose such records, and of the individual's rights and the covered entities' responsibilities with respect to such records. Second, we are revising 45 CFR 164.520(b)(1) to clarify that a covered entity that receives or maintains records subject to Part 2 must provide an NPP that is written in plain language and that contains the elements required. For clarity, we have reordered wording within this paragraph to refer to “receiving or maintaining” records, rather than “maintaining or receiving” records as initially proposed.
Third, the Department is modifying 45 CFR 164.520(b)(1)(ii) to revise paragraphs (C) and (D), and to add paragraphs (F), (G), and (H) to clarify certain statements and add new statements that must be included in an NPP. Consistent with the CARES Act, we are modifying paragraph (C) to clarify that where NPP's descriptions of uses or disclosures that are permitted for TPO or without an authorization must reflect “other applicable law” that is more stringent than the Privacy Rule, other applicable law includes Part 2. Likewise, we are modifying paragraph (D) to clarify that Part 2 is specifically included in the “other applicable law” referenced in the requirement to describe uses and disclosures that are permitted for TPO or without an authorization sufficiently to place an individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule and other applicable law.
New paragraphs (F) and (G) provide individuals with additional information about how their PHI may or may not be disclosed for purposes addressed in this rule, furthering trust in the relationship between regulated entities and individuals by ensuring that individuals are aware that certain uses and disclosures of PHI are prohibited. Specifically, paragraph (F) requires that the NPP contain a description, including at least one example, of the types of uses and disclosures prohibited under 45 CFR 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition, while paragraph (G) requires that the NPP contain a description, including at least one example, of the types of uses and disclosures for which an attestation is required under new 45 CFR 164.509.
Additionally, based on feedback from commenters, we are requiring in a new paragraph (H) that covered entities include a statement explaining to individuals that PHI disclosed pursuant to the Privacy Rule may be subject to redisclosure and no longer protected by the Privacy Rule.This will help individuals to make informed decisions about to whom they provide access to or authorize the disclosure of their PHI.
Under new paragraph (D) of 45 CFR 164.520(b)(1)(iii), the Department is requiring that covered entities provide notice to individuals that a Part 2 record, or testimony relaying the content of such record, may not be used or disclosed in a civil, criminal, administrative, or legislative proceeding against the individual absent written consent from the individual or a court order, consistent with the requirements of 42 CFR part 2.
The Department is also finalizing a requirement at 45 CFR 164.520(b)(1)(iii)(E) that a covered entity must provide individuals with a clear and conspicuous opportunity to elect not to receive any fundraising communications before using Part 2 records for fundraising purposes for the benefit of the covered entity.
Lastly, we are finalizing our proposal to add a new paragraph (4) in 45 CFR 164.520(d) regarding joint notice by separate covered entities. This modification clarifies that Part 2 requirements continue to apply to Part 2 records maintained by covered entities that are part of OHCAs.
We are not finalizing in this rule the proposal to remove the exception to the NPP requirements for inmates of correctional facilities in this rule because it would be better addressed within the context of care coordination.
6. Responses to Public Comments
Comment: Commenters on both the 2022 Part 2 NPRM and the 2023 Privacy Rule NPRM urged the Department to coordinate any changes made to the NPP provisions based on proposals made in the separate rulemakings. According to the commenters, coordinating the changes to the NPP requirements would help to ensure consistency, reduce the administrative burden on covered entities, and ensure individual understanding of the permitted uses and disclosures of their PHI, including PHI that is also a Part 2 record. A few commenters on the 2022 Part 2 NPRM explained the different concerns that updates to the NPP pose to covered entities of differing sizes, based on resource constraints directly related to their size. Several commenters on the 2023 Privacy Rule NPRM requested that the Department provide sample language and examples or provide an updated model NPP.
Response: As part of this rulemaking, the Department is finalizing modifications to certain NPP requirements that were proposed in the 2022 Part 2 NPRM and the 2023 Privacy Rule NPRM. Thus, these changes serve to implement certain requirements of the CARES Act and to support reproductive health care privacy. The Department appreciates the recommendations and will consider them for future guidance.
Comment: A few commenters on the 2022 Part 2 NPRM requested that the Department clarify whether they would be permitted to use a single document or form when providing notice statements to individuals to ensure compliance by regulated entities and understanding of the notices by individuals. A few commenters agreed that a single NPP would reduce the administrative burden on regulated entities or be the most effective way to convey privacy information to individuals and asked for confirmation that this was permitted. A commenter requested that the Department update the Patient Notice in a manner such that the NPP header may be used in the combined notice if they are permitted to use a combined NPP/Patient Notice.
Response: As we have provided previously in guidance on the Privacy Rule and Part 2, notices issued by covered entities for different purposes may be separate or combined, as long as all of the required elements for both are included. Thus, it is acceptable under both the Privacy Rule and Part 2 to meet the notice requirements of the Privacy Rule, Part 2, and state law by either providing separate notices or combining the required notices into a single notice, as long as all of the required elements are included.
See also82 FR 6052, 6082-83 (Jan. 18, 2017); Off. for Civil Rights, “Notice of Privacy Practices for Protected Health Information,” U.S. Dep't of Health and Human Servs. (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html.
Comment: A few commenters on the 2022 Part 2 NPRM and most of the commenters on the 2023 Privacy Rule NPRM suggested the proposed approach to modifying both the Patient Notice and NPP would bolster transparency and the public's understanding of how their health information is used or disclosed and collected. Many commenters on the 2023 Privacy Rule NPRM provided recommendations for ways in which the Department could improve the NPP, including requiring that the NPP be in plain language.
Response: The Department appreciates the comments on its proposal to modify the NPP to align with changes made in the Patient Notice and in support of reproductive health care privacy. The modifications will bolster transparency and public understanding of how information is used, disclosed, and protected. Covered entities have long been required under 45 CFR 164.520(b)(1) to provide an NPP that is written in plain language. Discussion of this requirement can be found in the preamble to the 2000 Privacy Rule. The Department's model NPP forms, available in both English and Spanish, provide one example of how the plain language requirement may be met. As discussed above, we are modifying 45 CFR 164.520 to clarify that this requirement applies to covered entities that use and disclose Part 2 records. Additional resources on writing in plain language can be found at https://plainlanguage.gov. Additionally, covered entities are required to comply with all Federal nondiscrimination laws, including laws that address language access requirements. Information about such requirements is available at www.hhs.gov/hipaa.
65 FR 82462, 82548-49 (Dec. 28, 2000).
Off. for Civil Rights, “Model Notices of Privacy Practices,” U.S. Dep't of Health and Human Servs. (Apr. 8, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html.
Comment: Commenters expressed concerns about the interplay of the Part 2 Patient Notice requirements with the NPP, the burden on covered entities to modify the NPP, and including the attestation requirement in the NPP.
Response: We have sought to align the requirements for the Patient Notice as closely as possible with the NPP requirements and to modify the NPP requirements to allow for a combined Patient Notice and NPP. The changes the Department is making to the NPP empower the individual and improve health outcomes by improving the likelihood that health care providers will make accurate diagnoses and informed treatment recommendations to individuals. These changes to the NPP provide the individual with clear information and reassurance about their privacy rights and their ability to discuss their reproductive health and related health care because they inform an individual that their PHI may not be used or disclosed for certain purposes prohibited by new 45 CFR 164.502(a)(5)(iii). As such, the qualitative benefits of providing individuals with information about how their PHI may be used and disclosed under the Privacy Rule outweigh the quantitative burdens for covered entities to revise their NPPs. Accordingly, we are finalizing the modifications proposed to the NPP as part of the 2023 Privacy Rule NPRM.
Comment: A majority of the commenters on the 2023 Privacy Rule NPRM who expressed support for revising the NPP also recommended that the Department require that the NPP include an explanation that the prohibition or Privacy Rule generally would no longer apply to PHI that has been disclosed for a permitted purpose to a person that is not a regulated entity. A few commenters opposed the addition as unnecessary or expressed concern about the potential length of the NPP. A few of the commenters opposed adding such a statement because they believed it could deter individuals from seeking reproductive health care, increase individuals' mistrust of health care providers, or not add to individuals' understanding of their rights and protections under the Privacy Rule.
Response: In response to comments and in support of transparency for individuals, the Department is finalizing a new requirement to include in the NPP a statement adequate to put the individual on notice of the potential for information disclosed pursuant to the Privacy Rule to be subject to redisclosure by the recipient and no longer protected by the Privacy Rule. This change will provide additional clarity to individuals directly and assist covered entities in explaining the limitations of the Privacy Rule to individuals. We believe that any concerns about the negative effects of these modifications on length are outweighed by their benefits to the individual.
Comment: Several commenters to the 2023 Privacy Rule NPRM requested the Department provide additional time for compliance with the new NPP requirements and exercise enforcement discretion for a period of time after the compliance date.
Response: As noted above, we are finalizing certain modifications to the NPP provisions that were proposed in the 2022 Part 2 NPRM rule and other modifications to the same provisions that were proposed in the 2023 Privacy Rule NPRM. To ease the burden on covered entities and in compliance with 45 CFR 160.104, the Department is finalizing a compliance date of February 16, 2026, for the NPP provisions. The rationale for this compliance date is discussed in greater detail in the discussion of Effective and Compliance Dates.
F. Section 164.535—Severability
In the NPRM, the Department included a discussion of severability that explained how we believed the proposed rule should be interpreted if any provision was held to be invalid or facially unenforceable. We are finalizing a new 45 CFR 164.535 to codify this interpretation. The Department intends that, if a specific regulatory provision in this rule is found to be invalid or unenforceable, the remaining provisions of the rule will remain in effect because they would still function sensibly.
For example, the changes this final rule makes to the NPP requirements in 45 CFR 164.520 (including the changes finalizing proposals from the 2022 Part 2 NPRM) shall remain in full force and effect to the extent that they are not directly related to a provision in this rulemaking that is held to be invalid or unenforceable such that notice of that provision is no longer necessary. Conversely, if the NPP requirements are held to be invalid or unenforceable, the other modifications shall remain in full force and effect to the extent that they are not directly related to the NPP requirements.
As another example, we also intend that the revision in 45 CFR 160.103 to the definition of “person” shall remain in full force and effect if any other provision is held to be invalid or unenforceable because the new modified definition is not solely related to supporting reproductive health care privacy and is consistent with the Department's longstanding interpretation of the term and with regulated entities' current understanding and practices.
Similarly, we are finalizing technical corrections to the heading at 45 CFR 164.512(c) and a clarifying revision at 45 CFR 164.512(f) regarding the permission for disclosures based on administrative processes. Those changes are intended to remain in full force and effect even if other parts of this final rule are held to be invalid or unenforceable.
As another example, we also intend, if the addition in 45 CFR 160.103 of the definition of “public health,” as used in the terms “public health surveillance,” “public health investigation,” and “public health intervention” is held to be invalid and unenforceable, the other modifications to the rules shall remain in full force and effect to the extent that they are not directly related to the definition of public health.
We further intend that if the rule is held to be invalid and unenforceable with respect to its application to some types of health care, it should be upheld with respect to other types ( e.g., pregnancy or abortion-related care).
We also intend that any provisions of the Privacy Rule that are unchanged by this final rule shall remain in full force and effect if any provision of this final rule is held to be invalid or unenforceable.
These examples are illustrative and not exhaustive.
We received no comments on the language addressing severability in the 2023 Privacy Rule NPRM.
G. Comments on Other Provisions of the HIPAA Rules
Comment: A few commenters expressed concerns that the Department may grant exceptions to preemption and recommended that the Department clarify the standards for which exceptions to preemption would be made and consider strengthening these standards wherever possible or remove the potential for exceptions entirely.
One commenter expressed concern that the proposed rule could dissuade regulated entities from providing de-identified data for research, while another commenter recommended that the Department prohibit the sharing of de-identified reproductive health care data except in limited circumstances to prevent the re-identification of reproductive health data by third parties, such as law enforcement or data brokers
Response: The process for requesting exceptions to preemption and the standards for granting such requests are at 45 CFR 160.201 et seq. We did not propose any modifications to these provisions as part of the 2023 Privacy Rule NPRM, and as such, do not finalize modifications in this final rule.
The Department does not believe that this final rule will dissuade regulated entities from providing de-identified data for research or other purposes. Under the Privacy Rule, health information that meets the standard and implementation specifications for de-identification under 45 CFR 164.514 is considered not to be IIHI. HIPAA confers on the Department the authority to set standards for the privacy of IIHI, including for de-identification. We did not propose to modify the de-identification standard as part of the 2023 Privacy Rule NPRM, and as such, do not finalize modifications in this final rule.
Comment: A commenter posited that the proposed rule's preemption of contrary state laws was not sufficiently clear and recommended that the Department reinforce the preemption provision in the final rule.
Response: The Department did not propose changes to the preemption provisions of the HIPAA Rules, which are based in statute, and believes that the provisions, in combination with our discussion of preemption in the preamble, are sufficient.
See45 CFR part 160, subpart B—Preemption of State Law.
58 FR 51735 (Oct. 4, 1993).
VI. Regulatory Impact Analysis
A. Executive Order 12866 and Related Executive Orders on Regulatory Review
The Department of Health and Human Services (HHS or “Department”) has examined the effects of this final rule under Executive Order (E.O.) 12866, Regulatory Planning and Review, as amended by E.O. 14094, E.O. 13563, Improving Regulation and Regulatory Review, the Regulatory Flexibility Act (RFA), and the Unfunded Mandates Reform Act of 1995 (UMRA). E.O.s 12866 and 13563 direct the Department to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety, and other advantages; distributive effects; and equity). This final rule is significant under section 3(f)(1) of E.O. 12866, as amended.
88 FR 21879 (Apr. 11, 2023).
76 FR 3821 (Jan. 21, 2011).
Public Law 96-354, 94 Stat. 1164 (codified at 5 U.S.C. 601-612).
Public Law 104-4, 109 Stat. 48 (codified at 2 U.S.C. 1501).
The RFA requires us to analyze regulatory options that would minimize any significant effect of a rule on small entities. As discussed in greater detail below, this analysis concludes, and the Secretary certifies, that the rule will not result in a significant economic effect on a substantial number of small entities.
The UMRA (section 202(a)) generally requires us to prepare a written statement, which includes an assessment of anticipated costs and benefits, before proposing “any rule that includes any Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any 1 year.” The current threshold after adjustment for inflation is $177 million, using the most current (2023) Implicit Price Deflator for the Gross Domestic Product. UMRA does not address the total cost of a rule. Rather, it focuses on certain categories of cost, mainly Federal mandate costs resulting from imposing enforceable duties on state, local, or Tribal governments or the private sector; or increasing the stringency of conditions in, or decreasing the funding of, state, local, or Tribal governments under entitlement programs. This final rule imposes mandates that would result in the expenditure by state, local, and Tribal governments, in the aggregate, or by the private sector, of more than $177 million in any one year. The impact analysis in this final rule addresses such effects both qualitatively and quantitatively. In general, each regulated entity, including government entities that meet the definition of covered entity ( e.g., state Medicaid agencies), is required to adopt new policies and procedures for responding to requests for the use or disclosure of protected health information (PHI) for which an attestation is required and to train its workforce members on the new requirements. Additionally, although the Department has not quantified the costs, state, local, and Tribal law enforcement agencies must analyze requests that they initiate for the use or disclosure of PHI and provide regulated entities with an attestation that the request is not for a prohibited purpose in instances where the request is made for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or about decedents to coroners and medical examiners, and is for PHI potentially related to reproductive health care. One-time costs for all regulated entities to change their policies will increase costs above the UMRA threshold in one year. The Department initially estimated that ongoing expenses for the new attestation condition would not increase significantly, but we sought additional data to inform our estimates. Although Medicaid makes Federal matching funds available for states for certain administrative costs, these are limited to costs specific to operating the Medicaid program. There are no Federal funds directed at Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance activities.
Id. at sec. 202 (codified at 2 U.S.C. 1532(a)).
Pursuant to Subtitle E of the Small Business Regulatory Enforcement Fairness Act of 1996, the Office of Management and Budget's (OMB's) Office of Information and Regulatory Affairs has determined that this final rule meets the criteria set forth in 5 U.S.C. 804(2) because it is projected to have an annualized effect on the economy of more than $100,000,000. Because of the large number of covered entities that are subject to this final rule and the large number of individuals with health plan coverage, any rule modifying the HIPAA Privacy Rule that requires updating policies and procedures and the Notice of Privacy Practices (NPP) and distributing the NPP to a percentage of individuals is likely to meet the threshold in 5 U.S.C. 804(2).
Also referred to as the Congressional Review Act, 5 U.S.C. 801 et seq.
The Justification for this Rulemaking and Summary of Final Rule Provisions section at the beginning of this preamble contain a summary of this rule and describe the reasons it is needed. The Department presents a detailed analysis below.
1. Summary of Costs and Benefits
The Department identified six general categories of quantifiable costs arising from these proposals: (1) responding to requests for the use or disclosure of PHI for which an attestation is required; (2) revising business associate agreements; (3) updating the NPP and posting it online; (4) developing new or modified policies and procedures; (5) revising training programs for workforce members; and (6) requesting an exception from HIPAA's general preemption authority. The first five categories apply primarily to covered entities, while the sixth category applies to states and other interested persons.
The Department estimates that the first-year costs attributable to this final rule total approximately $595.0 million. These costs are associated with covered entities responding to requests for the use or disclosure of PHI that are conditioned upon an attestation; revising business associate agreements; revising policies and procedures; updating, posting, and mailing the NPP; and revising training programs for workforce members, and with states or other persons requesting exceptions from preemption. These costs also include increased estimates for wages, postage, and the number of NPPs distributed by health plans as compared to the baseline of existing annual cost and burden estimates for these activities in the approved HIPAA information collection. For years two through five, estimated annual costs of approximately $20.9 million are attributable to ongoing costs related to the attestation requirement. Table 1 reports the present value and annualized estimates of the costs of this final rule covering a 5-year time horizon. Using a 7% discount rate, the Department estimates this final rule will result in annualized costs of $151.8 million; and using a 3% discount rate, these annualized costs are $142.6 million.
Table 1—Accounting Table, Costs of the Rule
[$ Millions]
Costs | Primary estimate | Year dollars | Discount rate (%) | Period covered |
---|---|---|---|---|
Present Value | $678.6 | 2022 | Undiscounted | 2024-2028 |
Present Value | 622.3 | 2022 | 7 | 2024-2028 |
Present Value | 653.1 | 2022 | 3 | 2024-2028 |
Annualized | 151.8 | 2022 | 7 | 2024-2028 |
Annualized | 142.6 | 2022 | 3 | 2024-2028 |
The changes to the Privacy Rule will likely result in important benefits and some costs that the Department is unable to fully quantify at this time. As explained further below, unquantified benefits include improved trust and confidence between individuals and health care providers; enhanced privacy and improved access to reproductive health care and information, which may prevent increases in maternal mortality and morbidity; increased accuracy and completeness in patient medical records, which may prevent poor health outcomes; enhanced support for survivors of rape, incest, and sex trafficking; and maintenance of family economic stability by allowing families to determine the timing and spacing of whether or when to be pregnant. Additionally, allowing regulated entities to accept an attestation for requests for the use or disclosure of PHI potentially related to reproductive health care, and to presume that reproductive health care provided by another person was lawful under the circumstances it was provided, will reduce potential liability for regulated entities by providing some assurance with respect to whether the requested disclosure is prohibited.
Table 2—Potential Non-Quantified Benefits for Covered Entities and Individuals
Benefits |
---|
Improve access to complete information about lawful reproductive health care options, including for individuals who are pregnant or considering a pregnancy ( i.e., improve health literacy), by reducing concerns about disclosure of PHI. |
Maintain or reduce levels of maternal mortality and morbidity by ensuring that individuals and their clinicians can freely communicate and have access to complete information needed for quality lawful health care, including coordination of care. |
Decrease barriers to accessing prenatal health care by maintaining privacy for individuals who seek a complete range of lawful reproductive health care options. |
Enhance mental health and emotional well-being of pregnant individuals by reducing fear of potential disclosures of their PHI to investigate or impose liability on a person for the mere act of seeking, obtaining, providing, or facilitating lawful health care. |
Improve or maintain trust between individuals and health care providers by reducing the potential for health care providers to report PHI in a manner that could harm the individuals' interests. |
Prevent or reduce re-victimization of pregnant individuals who have survived rape or incest by protecting their PHI from undue scrutiny. |
Improve or maintain families' economic well-being by not exposing individuals or their family members to costly investigations or activities to impose liability for seeking, obtaining or facilitating lawful reproductive health care. |
Maintain the economic well-being of regulated entities by not exposing regulated entities or workforce members to costly investigations or activities to impose liability on them for engaging in lawful activities. |
Ensure individuals' ability to obtain full and complete information and make lawful decisions concerning fertility- or infertility-related health care that may include selection or disposal of embryos without risk of PHI disclosure for criminal, civil, or administrative investigations or activities to impose liability for engaging in lawful activities. |
The Department also recognizes that there may be some costs that are not readily quantifiable, notably, the potential burden on persons requesting PHI to investigate or impose liability on persons for seeking, obtaining, providing, or facilitating reproductive health care that is not lawful under the circumstances in which such health care is provided. As discussed elsewhere in this final rule, we acknowledge that, in certain limited circumstances, the final rule may, prevent persons from obtaining an individual's PHI, such as where the request is directed to the health care provider that provided the reproductive health care and that health care provider reasonably determines that such health care was provided lawfully. However, the existing permission for disclosures for law enforcement does not create a mandate for disclosure to law enforcement agencies. Rather, it establishes the conditions under which a regulated entity may disclose PHI if it so chooses. Accordingly, consistent with how the Privacy Rule has operated since its inception, persons whose requests for PHI are declined by regulated entities may incur additional costs if they choose to pursue their investigations through other methods and obtain evidence from non-covered entities. We have not previously quantified the costs to such persons for obtaining an individual's PHI, such as where a law enforcement official is required to prepare a formal administrative request or obtain a qualified protective order and we do not do so here. We do not view the attestation requirement as changing this calculus and have designed the attestation to impose a minimal burden on requests for PHI related to lawful conduct by health care providers by offering a model attestation form. Despite the minimal formality of providing a signed attestation, some state law enforcement agencies may experience the requirement as a burden, and we acknowledge that potential as a non-quantifiable cost.
2. Baseline Conditions
The Privacy Rule, in conjunction with the Security and Breach Notification Rules, protects the privacy and security of individuals' PHI, that is, individually identifiable health information (IIHI) transmitted by or maintained in electronic media or any other form or medium, with certain exceptions. It limits the circumstances under which regulated entities are permitted or required to use or disclose PHI and requires covered entities to have safeguards in place to protect the privacy of PHI. The Privacy Rule also establishes certain rights for individuals with respect to their PHI and sets limits and conditions on the uses and disclosures that may be made of such information without an individual's authorization.
As explained in the preamble, the Department has the authority under HIPAA to modify the Privacy Rule to prohibit the use or disclosure of PHI for activities to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it was provided, as well as to identify any person for the purpose of initiating such activities. The Privacy Rule has been modified several times since it was first issued in 2000 to address statutory requirements, changed circumstances, and concerns and issues raised by stakeholders regarding the effects of the Privacy Rule on regulated entities, individuals, and others. Recently, as the preamble discusses, changed circumstances resulting from new inconsistencies in the regulation of reproductive health care nationwide and the negative effects on individuals' expectations for privacy and their relationships with their health care providers, as well as the additional burdens imposed on regulated entities, require the modifications made by this final rule.
For purposes of this Regulatory Impact Analysis (RIA), this final rule adopts the list of covered entities and cost assumptions identified in the Department's 2023 Information Collection Request (ICR). The Department also relies on certain estimates and assumptions from the 1999 Privacy Rule NPRM that remain relevant, and the 2013 Omnibus Rule, as referenced in the analysis that follows.
88 FR 3997 (Jan. 23, 2023).
64 FR 59918 (Nov. 3, 1999).
78 FR 5566 (Jan. 25, 2013).
The Department quantitatively analyzes and monetizes the effect that this final rule may have on regulated entities' actions to: revise business associate agreements between covered entities and their business associates, including release-of-information contractors; create new forms; respond to certain types of requests for PHI; update their NPPs; adopt policies and procedures to implement the requirements of this final rule; and train their employees on the updated policies and procedures. The Department analyzes the remaining benefits and burdens qualitatively because of the uncertainty inherent in predicting other concrete actions that such a diverse scope of regulated entities might take in response to this rule.
Analytic Assumptions
The Department bases its assumptions for calculating estimated costs and benefits on several publicly available datasets, including data from the U.S. Census, the U.S. Department of Labor, Bureau of Labor Statistics, Centers for Medicare & Medicaid Services, and the Agency for Healthcare Research and Quality. For the purposes of this analysis, the Department assumes that benefits plus indirect costs equal approximately 100 percent of pre-tax wages and adjusts the hourly wage rates by multiplying by two, for a fully loaded hourly wage rate. The Department adopts this as the estimate of the hourly value of time for changes in time use for on-the-job activities.
Implementing the regulatory changes likely will require covered entities to engage workforce members or consultants for certain activities. The Department assumes that a lawyer will draft or review the new attestation form, revisions to business associate agreements, revisions to the NPP, and required changes to HIPAA policies and procedures. The Department expects that a training specialist will revise the necessary HIPAA training and that a web designer will post the updated NPP. The Department further anticipates that a workforce member at the pay level of medical records specialist will confirm receipt of required attestations. To the extent that these assumptions affect the Department's estimate of costs, the Department solicited comment on its assumptions, particularly assumptions in which the Department identifies the level of workforce member ( e.g., clerical staff, professional) that will be engaged in activities and the amount of time that particular types of workforce members spend conducting activities related to this RIA as further described below. Table 3 also lists pay rates for occupations referenced in the explanation of estimated information collection burdens in Section F of this RIA and related tables.
The Department received several comments about the occupations engaged in certain activities and the time burden associated with them. We reviewed these submissions and used the provided information to revise the estimate for the cost of processing requests for the use or disclosure of PHI that require an attestation. For more details, please see the sections discussing the costs of the rule below.
The Department received no comment on the hourly value of time; therefore, we retain all relevant assumptions laid out in the 2023 Privacy Rule NPRM, as described above (see Table 3 for a list of occupations and corresponding wages).
For each occupation performing activities as a result of the final rule, the Department identifies a pre-tax hourly wage using a database maintained by the Bureau of Labor Statistics. See U.S. Dep't of Labor, “Occupational Employment and Wages” (May 2022), https://www.bls.gov/oes/current/oes_nat.htm.
Table 3—Occupational Pay Rates
Occupation code and title | Mean hourly wage | Fully loaded hourly wage |
---|---|---|
00-0000 All Occupations | $29.76 | $59.52 |
43-3021 Billing and Posting Clerks | 21.54 | 43.08 |
29-0000 Healthcare Practitioners and Technical Occupations | 46.52 | 93.04 |
29-9021 Health Information Technologists and Medical Registrars | 31.38 | 62.76 |
29-9099 Healthcare Practitioners and Technical Workers, All Other | 32.78 | 65.56 |
15-1212 Information Security Analysts | 57.63 | 115.26 |
23-1011 Lawyers | 78.74 | 157.48 |
13-1111 Management Analysts | 50.32 | 100.64 |
11-9111 Medical and Health Services Manager | 61.53 | 123.06 |
29-2072 Medical Records Specialist | 24.56 | 49.12 |
43-0000 Office and Administrative Support Occupations | 21.90 | 43.80 |
11-2030 Public Relations and Fundraising Managers | 68.56 | 137.12 |
13-1151 Training and Development Specialist | 33.59 | 67.18 |
43-4171 Receptionists and Information Clerks | 16.64 | 33.28 |
15-1255 Web and Digital Interface Designers | 48.91 | 97.82 |
The Department assumes that most covered entities will be able to incorporate changes to their workforce training into existing HIPAA training programs rather than conduct a separate training because the total time frame for compliance from date of finalization would be 240 days.
This includes 60 days from publication of a final rule to the effective date and an additional 180 days until the compliance date.
Covered Entities Affected
The Department received no substantive comments on the number or type of HIPAA covered entities affected by this rule; therefore, we retain the methodology and entity estimates as described in the 2023 Privacy Rule NPRM and the baseline conditions section above.
To the extent that covered entities engage business associates to perform activities under the rule, the Department assumes that any additional costs will be borne by the covered entities through their contractual agreements with business associates. The Department's estimate that each revised business associate agreement will require no more than 1 hour of a lawyer's labor assumes that the hourly burden could be split between the covered entity and the business associate. Thus, the Department calculated estimated costs based on the potential number of business associate agreements that will be revised rather than the number of covered entities or business associates with revised business associate agreements.
The Department requested data on the number of business associates (which may include health care clearinghouses acting in their role as business associates of other covered entities) that would be affected by the rule and the extent to which they may experience costs or other burdens not already accounted for in the estimates of burdens for revising business associate agreements. The Department also requested comment on the number of business associate agreements that would need to be revised, if any. We did not receive any actionable comments on the number of affected business associates, the number of business associate agreements, or any specific costs that business associates might bear. For more details, see the section on business associate agreements below.
The Department requested public comment on these estimates, including estimates for third party administrators and pharmacies where the Department has provided additional explanation. The Department additionally requested detailed comment on any situations, other than those identified here, in which covered entities would be affected by this rulemaking. We did not receive any substantive comments related to these issues.
Table 4—Estimated Number and Type of Covered Entities
Individuals Affected
The Department believes that the population of individuals potentially affected by the rule is approximately 76 million overall, representing nearly one-fourth of the U.S. population, including approximately 6 million pregnant individuals annually and an unknown number of individuals facing a potential pregnancy or pregnancy risk due to sexual activity, contraceptive avoidance or failure, rape (including statutory rape), and incest. According to Federal data, 78 percent of sexually active females received reproductive health care in 2015-2017.
See U.S. Census Bureau, American Community Survey S0101, AGE AND SEX 2022: ACS 5-Year Estimates Subject Tables (females aged 10-44), https://data.census.gov/table/ACSST1Y2022.S0101 . The U.S. Census Bureau uses the term “sex” to equate to an individual's biological sex. “Sex—Definition,” U.S. Census Bureau (accessed Mar. 20, 2024), https://www.census.gov/glossary/?term=Sex.
See “Reproductive and Sexual Health,” Sexually active females who received reproductive health services (FP-7.1), Healthypeople.gov, https://wayback.archive-it.org/5774/20220415172039/https:/www.healthypeople.gov/2020/leading-health-indicators/2020-lhi-topics/Reproductive-and-Sexual-Health/data.
The Department received comments related to the number of individuals affected by the rule, some of which are summarized below. One commenter asserted that the Department had overestimated the number of affected individuals and urged reducing the estimate to 78 percent of sexually active females (52.72 million). The same commenter also argued that even this revised number might be an overestimate, and that the number of individuals directly affected by the rule would be closer to 50,400 a year. Another commenter suggested that the number of individuals potentially affected by the proposed rule is much larger than the estimate and that the estimate should include any individual who was ever capable of bearing children and their family members.
Another commenter asserted that the Department was underestimating the number of individuals that would be affected by the proposed rule but did not include an estimate of their own.
After reviewing the comments, the Department is finalizing the estimates of the number of individuals that will be affected by this final rule as described above, which includes updates for 2022 data. The Department considers a key category of individuals affected by this final rule those who have the potential to become pregnant because pregnancies may occur and result in a need for reproductive health care nationwide. Pregnancy, concern about potential pregnancy, and the need for reproductive health care do not recognize state boundaries or regulatory timelines.
Commenters recommended data points above and below the Department's proposed estimate of 74 million affected individuals. We believe that the number of affected individuals is far greater than the total who are survivors of sexual assault or sex trafficking (as recommended by a commenter), yet less than the number of all individuals who have ever been of childbearing age and their family members (as recommended by another commenter). We recognize that the age range for the proposed estimate of females, 10-44, imperfectly reflects the number of females of childbearing age; however, the number of females over age 44 who could become pregnant may be offset by the number of females aged 10-13 who are not yet capable of childbearing. We use the number of females of potentially childbearing age as a proxy for the number of individuals affected by the final rule as shown in Table 5 below.
Table 5—Estimated Number of Individuals Affected
See American Community Survey S0101, AGE AND SEX 2022: ACS 5-Year Estimates Subject Tables (females aged 10-44), supra note 427.
3. Costs of the Rule
Below, the Department provides the basis for its estimated quantifiable costs resulting from the changes to specific provisions of the Privacy Rule. Many of the estimates are based on assumptions formed through the Office for Civil Rights' (OCR's) experience with its compliance and enforcement program and accounts from stakeholders received at outreach events. The Department has quantified recurring burdens for this final rule for obtaining an attestation from a person requesting the use or disclosure of PHI potentially related to reproductive health care for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners or medical examiners.
The Department requested information or data points from commenters to further refine its estimates and assumptions. We examine the most substantive comments received in the cost section below. Additionally, we received comments that are also discussed below on topics that are not directly addressed in the cost section.
A commenter asserted that the Department did not account for the additional costs associated with major depressive disorders that would arise from the increase in abortions due to the rule. The Department does not believe that is a valid benchmark for the effects of this final rule, in part because we reject the premise, which is not backed by medical evidence or data, that this final rule will result in an increase in pregnancy terminations or depression. Further, researchers have raised numerous concerns about the methodology of the 2011 study cited in the comment. Accordingly, we are not including the costs associated with treatment of depression in the cost section.
See M. Antonia Biggs et al., “Women's Mental Health and Well-being 5 Years After Receiving or Being Denied an Abortion: A Prospective, Longitudinal Cohort Study,” 74(2) JAMA Psychiatry 169, 177 (2017), https://jamanetwork.com/journals/jamapsychiatry/fullarticle/2592320. See also Julia R. Steinberg et al., “The association between first abortion and first-time non-fatal suicide attempt: a longitudinal cohort study of Danish population registries,” 6(12) The Lancet Psychiatry 1031-1038 (Dec. 2019).
See Julia R. Steinberg et al., “Fatal flaws in a recent meta-analysis on abortion and mental health,” 86(5) Contraception 430-7 (Nov. 2012), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3646711/ (discussing errors and significant shortcomings of the studies included in the 2011 meta-analysis that render its conclusions invalid).
a. Costs Associated With Requests for Exception From Preemption
The Department anticipates that states with laws that restrict access to reproductive health care are likely to seek an exception to the requirements of this final rule that preempt state law. Given the pace at which state laws governing access to reproductive health care are changing, the Department is finalizing its proposed estimate that a potential increase of 26 states will incur costs to develop a request to except a provision of state law from HIPAA's general preemption authority to submit to the Secretary. Based on existing burden estimates for this activity, the Department is finalizing its estimate that each exception request will require approximately 16 hours of labor at the rate of a general health care practitioner and that approximately 26 states will make such requests. Thus, the Department estimates that states will spend a total of 416 hours requesting exception from preemption and monetize this as a one-time cost of $38,705 [= 16 × 26 × $93.04].
See Lawrence O. Gostin et al., “One Year After Dobbs —Vast Changes to the Abortion Legal Landscape,” 4(8) JAMA Health Forum (2023), https://jamanetwork.com/journals/jama-health-forum/fullarticle/2808205 (counting 21 states with post- Dobbs limits that are more restrictive than Roe v. Wade allowed) and Laura Deal, “State Laws Restricting or Prohibiting Abortion,” Congressional Research Service (Jan. 22, 2024), https://crsreports.congress.gov/product/pdf/R/R47595 . Because of the pace of change in this area, the Department relies on a higher number than JAMA's 2023 figure as a basis for its cost estimates.
See45 CFR 160.201 et seq. for information about exceptions to HIPAA's general preemption authority and the process for requesting such an exception and the criteria for granting it.
“Information Collection: Process for Requesting Exception Determinations (states or persons),” U.S. Gen. Servs. Admin. & Off. of Mgmt. and Budget, https://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=201909-0945-001&icID=10428.
b. Estimated Costs From Adding a Requirement for an Attestation for Disclosures for Certain Purposes
Multiple commenters asserted that the projected attestation cost in the proposed rule was incorrect and underestimated the true cost of implementing the proposed requirement. One commenter asserted that the proposed rule underestimated the time to review medical records for PHI about reproductive health care and recommended that it be increased significantly. The same commenter also suggested that the Department adopt a requirement to obtain an individual's authorization, instead of an attestation, because it would reduce costs. Other commenters asserted that the proposed cost estimates for the attestation requirement did not account for associated administrative burdens, urged the Department to require an attestation for every request for PHI to decrease overall costs by establishing a procedural norm, or requested that the Department provide grants and trainings to regulated entities to offset the costs of the attestation provision. Finally, another commenter requested that the Department release a model attestation form to decrease the cost burden for covered entities.
A few commenters asserted that the Department mis-identified the types of staff that would performing specific components of the attestation requirement. One posited that both a lawyer and a medical professional would need to review medical records for the use or disclosure of PHI in response to the proposed revisions to the Privacy Rule. Another asserted that the person reviewing PHI in response to a request for the use or disclosure of PHI would be a medical records clerk.
The Department has modified the attestation requirement in response to public comments. As discussed above, this final rule requires regulated entities to obtain an attestation that the request for the use or disclosure of PHI is not for a purpose prohibited by 45 CFR 164.502(a)(5)(iii) when the request is for certain purposes (health oversight activities, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners and medical examiners) and is for PHI potentially related to reproductive health care. Where the request is for a purpose that implicates 45 CFR 164.502(a)(5)(iii) and the reproductive health care was provided by someone other than the regulated entity that received the request, such health care is presumed lawful under the circumstances in which it was provided unless the conditions of 45 CFR 164.502(a)(5)(iii)(C) are met. We expect the presumption of lawfulness to lower the burden for regulated entities to process requests for the use or disclosure of PHI for which an attestation is required; however, we also acknowledge that the proposed estimate did not fully represent the number of likely requests for the use or disclosure of PHI. The Department declines to require a valid authorization for these requests, as opposed to an attestation, and no grants to offset costs will be needed because of the lower estimated burden per request. The revised cost estimates include review of each request for the use or disclosure of PHI for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners and medical examiners, to determine if an attestation has been provided and administrative burdens associated with obtaining the attestation.
This final rule necessitates that regulated entities establish a process for responding to requests for the use or disclosure of PHI for which an attestation is required, such as reviewing and screening requests that are not accompanied by a valid authorization and are not a right of access request. We anticipate that across all regulated entities, this final rule will result in approximately 2,794,201 requests that regulated entities need to review in connection with the permissions under 45 CFR 164.512(d)-(g)(1). The Department estimates 5 minutes of average processing time per attestation based on the average wage of a mix of several occupations: medical and health services managers, medical records specialists, and health practitioners. For example, a medical records specialist may forward certain requests for the use or disclosure of PHI (for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners and medical examiners) to a manager to review whether the request pertains to the lawfulness of reproductive health care. A health practitioner may review a number of records subject to a request for whether they contain PHI potentially related to reproductive health care. We calculate the annual cost for initial processing of the estimated 2,794,201 requests requiring attestations to total $20,585,500 [2,794,201 × (5/60) × $88.41]. For almost all of these requests, we believe that a brief review will be sufficient for a regulated entity to make a final disclosure determination.
See supra, Table 3 of this RIA.
For a small number of these requests, approximately 1,300, we assume that the brief review will not be sufficient; we assume that these requests will require legal review. This figure is an estimate of the number of requests that are generated to investigate or impose liability on a person for the mere act of seeking or obtaining lawful reproductive health care, including from a health care provider in a state other than the state where the regulated entity is located. The Department's estimate assumes that approximately 26 states may seek to restrict access to out-of-state reproductive health care, including reproductive health care that is lawful under the circumstances in which it provided, and will initiate an average of 50 such requests annually. The Department estimates on average 1 hour of review for such requests based on the wage of a lawyer. We calculate the annual legal review cost for the estimated 1,300 requests totals $204,724 [1,300 × 1 × $157.48]. This additional review increases the cost of processing attestations to $20,790,224.
Id.
We anticipate that approximately one-quarter of requests that result in legal reviews, approximately 325, will require additional managerial review by the regulated entity before making a disclosure decision. The Department estimates on average 3 hours of additional review for each of these requests based on the wage of medical and health insurance managers. We calculate a total cost for additional actions for these requests of $119,984 [325 × 3 × $123.06]. The total annual estimated cost of processing attestations, including all additional legal and managerial reviews, is $20,910,207.
Id.
Upon consideration of the estimated cost for regulated entities to create a new attestation form, the Department is planning to develop a model form to be available prior to the compliance date of this final rule. This will save an estimated total of $60,970,823 [= 774,331 × (30/60) × $157.48], based on 30 minutes of labor by a lawyer.
c. Costs Arising From Revised Business Associate Agreements
The Department anticipates that a certain percentage of business associate agreements will likely need to be updated to reflect a determination made by parties about their respective responsibilities when either party receives requests for disclosures of PHI under 45 CFR 164.512(d), (e), (f), or (g)(1). For example, each of the parties to the business associate agreement may need to notify the other party when they have knowledge that a request is for an unlawful purpose and allocate their respective responsibilities for handling these less frequent requests. The Department is finalizing its proposed estimate that each new or significantly modified contract between a business associate and its subcontractors will require, on average, one hour of labor by a lawyer at the wage reported in Table 3. We believe that approximately 35 percent of 1 million business associates, or 350,000 entities, will decide to create or significantly modify subcontracts, resulting in total costs of $55,118,000 [= 350,000 × $157.48].
A few commenters asserted that the Department's estimates for business associates' costs were incorrect and that it should consider additional costs. A commenter recommended that the Department adopt a non-enforcement period to allow business associates to achieve compliance and limit legal costs. Another commenter stated that the Department did not adequately identify the costs that would be associated with increased legal scrutiny of business associates as a result of the proposed rule. And another commenter urged the Department to consider the additional costs for renegotiated contracts as a result of the proposed rule. Lastly, a commenter requested that the Department apply the attestation requirement to business associates because it would reduce the costs of the rule.
The Department has reviewed the comments and is adopting the 2023 Privacy Rule NPRM cost analysis in this final rule. Business associate costs are adequately captured by the estimate for revising agreements. Applying costs directly to business associates (as opposed to covered entities) is distributional and will not alter the total impact of the rule. The Department declines to create an additional non-enforcement period for this provision of the final rule beyond the 180 days from the date of publication for the final rule to the compliance date. The estimated cost for responding to requests for PHI for which an attestation is required accounts for increased scrutiny of a small number of requests for PHI, and the estimated costs for updating business associate agreements accounts for renegotiation of an average of one release of information vendor contract for nearly half of all covered entities.
This includes 60 days from the date of publication to the effective date, plus 120 days from the effective date to the compliance date.
d. Costs Arising From Changes to the Notice of Privacy Practices
The final rule modifies the NPP to notify individuals that covered entities cannot use or disclose PHI for certain purposes and that in certain circumstances, covered entities must obtain an attestation from a person requesting the PHI that affirms that the use or disclosure is not for a purpose prohibited under 45 CFR 164.502(a)(5)(iii). The final rule also modifies the NPP to align with changes proposed in the 2022 Part 2 NPRM. This includes requiring covered entities that create or maintain Part 2 records to provide a notice that: addresses such records; references Part 2 as “other applicable law” that is more stringent than the Privacy Rule; explains that covered entities may not use or disclose a Part 2 record in a civil, criminal, administrative, or legislative proceeding against the individual absent written consent from the individual or a court order; and clarifies the applicability of Part 2 for organized health care arrangements that hold Part 2 records. Additionally, the final rule further modifies language for fundraising by covered entities that use or disclose Part 2 records to require a clear and conspicuous opt-out opportunity for patients. Finally, the modifications require the NPP to explain that PHI disclosed to a person other than a regulated entity is no longer subject to the requirements of the Privacy Rule.
The Department believes the burden associated with revising the NPP consists of costs related to developing and drafting the revised NPP for covered entities. The Department estimates that the updating and revising the language in the NPP will require 50 minutes of professional legal services at the wage reported in Table 3. Across all covered entities, the Department estimates a cost of $101,618,038 [= 774,331 × (50/60) × $157.48]. The Department does not anticipate any new costs for health care providers associated with distribution of the revised notice other than posting it on the entity's website (if it has one) because health care providers have an ongoing obligation to provide the notice to first-time patients that is already accounted for in cost estimates for the HIPAA Rules. Health plans that post their NPP online will incur minimal costs by posting the updated notice and then including the updated NPP in the next annual mailing to subscribers. Health plans that do not provide an annual mailing will potentially incur an additional $12,743,700 in capital expenses for mailing the revised NPP to an estimated 10 percent of the 150,000,000 health plan subscribers who receive a mailed, paper copy of the notice, as well as the labor expense for an administrative support staff member at the rate shown in Table 3 to complete the mailing, for approximately $2,737,500 [= 62,500 hours × $43.80]. The Department further estimates the cost of posting the revised NPP on the covered entity's website will be 15 minutes of a web designer's time at the wage reported in Table 3. Across all covered entities, the Department estimates a cost of online posting as $18,936,265 [= 774,331 × (15/60) × $97.82].
A commenter expressed concern that the Department was underestimating the cost of mailing updates associated with changes to NPP policies.
The Department is already accounting for the cost of mailing updated NPPs within the estimated capital costs, which include printing copies of NPPs that are provided in person and those that are mailed, and postage for health plans that will need to conduct a mailing that is off-cycle from its regular schedule. We estimate that half of NPPs will need to be mailed and that health plans may include the updated NPP with their next regular mailing to individuals.
e. Estimated Costs for Developing New or Modified Policies and Procedures
The Department anticipates that covered entities will need to develop new or modified policies and procedures for the new requirements for attestations, the new category of prohibited uses and disclosures, modifications to certain uses and disclosures permitted under 45 CFR 164.512, and clarification of personal representative qualifications. The Department is finalizing its proposed estimate that the costs associated with developing such policies and procedures will be the labor of a lawyer for 2.5 hours and that this expense represents the largest area of cost for compliance with this final rule, for a total of $304,854,115 [= 774,331 × 2.5 × $157.48].
A few commenters stated that the estimate for covered entities to draft new policies was incorrect and provided additional information or alternatives to reduce costs. A commenter stated that the time burden for drafting new policies was insufficient and did not accurately represent the amount of time it would take a covered entity to draft a policy that complied with the proposed rule. Another commenter urged the Department to include the costs for organizations to update their privacy policies because of the proposed rule. A few commenters requested that the Department provide organizations with additional time to develop new policies that comply with the final rule.
The Department considered the concerns raised by commenters about the burdens of the requirements to revise the Privacy Rule and made several additional modifications in this final rule to reduce burdens on regulated entities. For example, regulated entities are not required to develop policies to routinely evaluate whether reproductive health care that was provided by someone else was lawful. Instead, regulated entities will need to develop policies to ensure that regulated entities identify requests for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and about decedents to coroners or medical examiners and procedures for obtaining the required attestation if it is not provided with the request for the use or disclosure of PHI. Additional policies will be required to address requests for the above purposes that could result in a prohibited use or disclosure, such as requests from law enforcement for the use or disclosure of PHI that assert, without any other information, that reproductive health care was provided unlawfully. The updating of privacy policies is included in the overall cost of updating policies and the estimate for updating the NPP. Because of changes in the final rule that simplify compliance with the new requirements, the Department is not adjusting the time burden for revising or creating new policies and procedures.
f. Costs Associated With Training Workforce Members
The Department anticipates that covered entities will be able to incorporate new content into existing HIPAA training requirements and that the costs associated with doing so will be attributed to the labor of a training specialist for an estimated 90 minutes for a total of $78,029,335 [= 774,331 × (90/60) × $67.18].
A few commenters addressed training costs within the proposed rule, including one who asserted that such costs could be reduced by ensuring that the effective date for all of the provisions of the rule is the same. Another commenter stated that covered entities would incur both a one time and yearly training cost, with the yearly training cost accounting for most of the total training cost in year 1.
The Department is finalizing the cost estimate for training workforce members as proposed, which includes the cost of a training a specialist to update the covered entity's HIPAA training program with new content to include in training for workforce members within the first year. Any further recurring component is likely to be implemented into regularly scheduled employee training and will thus not be directly attributable to this rule.
g. Total Quantifiable Costs
The Department summarizes in Table 6 the estimated nonrecurring costs that covered entities and states will experience in the first year of implementing the regulatory changes. The Department anticipates that these costs will be for requesting exceptions from preemption of contrary state law, implementing the attestation requirement, revising business associate agreements, revising the NPP, mailing and posting it online, revising policies and procedures, and updating HIPAA training programs.
Table 6—New Nonrecurring Costs of Compliance With the Final Rule
Table 7 summarizes the recurring costs that the Department anticipates covered entities will incur annually as a result of the regulatory changes. These new costs are based on responding to requests for uses and disclosures of PHI that are conditioned upon an attestation.
Table 7—Recurring Annual Costs of Compliance With the Final Rule
Costs Borne by the Department
The covered entities that are operated by the Department will be affected by the changes in a similar manner to other covered entities, and such costs have been factored into the estimates above.
The Department expects that it will incur costs related to drafting and disseminating a model attestation form and information about the regulatory changes to covered entities, including health care providers and health plans. In addition, the Department anticipates that it may incur a 26-fold increase in the number of requests for exceptions from preemption of contrary state law in the first year after a final rule becomes effective, at an estimated total cost of approximately $146,319 to analyze and develop responses for an average cost of $7,410 per request. This increase is based on the number of states that have enacted or are likely to enact laws restricting access to reproductive health care and may seek to obtain individuals' PHI to enforce those laws. This estimate assumes that the Department receives and reviews exception requests from the 26 states, that half require a more complex analysis, and that all requests result in a written response within one year of the final rule's publication.
See “One Year After Dobbs —Vast Changes to the Abortion Legal Landscape,” supra note 432 (counting 21 states with post- Dobbs limits that are more restrictive than Roe v. Wade allowed) and “State Laws Restricting or Prohibiting Abortion,” supra note 432. Because of the pace of change in this area, the Department relies on a higher number than JAMA's 2023 figure as a basis for its cost estimates.
Benefits of the Final Rule
The benefits of this final rule to individuals and families are likely substantial, and yet are not fully quantifiable because the area of health care this final rule addresses is among the most sensitive and life-altering if privacy is violated. Additionally, the value of privacy, which cannot be recovered once lost, and trust that privacy will be protected by others, is difficult to quantify fully. Health privacy has many significant benefits, such as promoting effective communication between individuals and health care providers, preventing discrimination, enhancing autonomy, supporting medical research, and protecting the individual from unwanted exposure of sensitive health information.
See “Trust and Privacy: How Patient Trust in Providers is Related to Privacy Behaviors and Attitudes,” supra note 120; Paige Nong et al., “Discrimination, trust, and withholding information from providers: Implications for missing data and inequity,” SSM—Population Health (Apr. 7, 2022), https://www.sciencedirect.com/science/article/pii/S2352827322000714 ; See also S.J. Nass et al., “Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research,” Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule (2009), https://www.ncbi.nlm.nih.gov/books/NBK9579/.
Notably, reproductive health care may include circumstances resulting in a pregnancy, considerations concerning maternal and fetal health, family genetic conditions, information concerning sexually transmitted infections, and the relationship between prospective parents (including victimization due to rape, incest, or sex trafficking). Involuntary or poorly-timed disclosures can irreparably harm relationships and reputations, and even result in job loss or other negative consequences in the workplace, as well as investigation, civil litigation or proceedings, and prosecution for lawful activities. Additionally, fear of potential penalties or liability that may result from disclosing information to a health care provider about accessing reproductive health care may cast a long shadow, decreasing trust between individuals and health care providers, discouraging and deterring access to other valuable and necessary health care, or compromising ongoing or subsequent care if an individual's medical records are not accurate or complete. This final rule will prevent or reduce the harms discussed here, resulting in non-quantifiable benefits to individuals and their families, friends, and health care providers. In particular, the role of trust in the health care system and its importance to the provision of high-quality health care is discussed extensively in Section III of this preamble.
See Danielle Keats Citron & Daniel J. Solove, “Privacy Harms,” GWU Legal Studies Research Paper No. 2021-11, GWU Law School Public Law Research Paper No. 2021-11, 102 B.U. L. Rev. 793, 830-861 (Feb. 9, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3782222.
See “Reclaiming Tort Law to Protect Reproductive Rights,” supra note 152.
See Div. of Reproductive Health, Nat'l Ctr. for Chronic Disease Prevention and Health Promotion, “Women With Chronic Conditions Struggle to Find Medications After Abortion Laws Limit Access,” Ctrs. for Disease Control and Prevention (Jan. 4, 2023), https://www.cdc.gov/teenpregnancy/health-care-providers/index.htm; see also Brittni Frederiksen et al., “Abortion Bans May Limit Essential Medications for Women with Chronic Conditions,” Kaiser Family Foundation (Nov. 17, 2022), https://www.kff.org/womens-health-policy/issue-brief/abortion-bans-may-limit-essential-medications-for-women-with-chronic-conditions/.
The Department anticipates that this final rule will increase health literacy by improving access to complete information about health care options for individuals. For example, the prohibition on the use and disclosure of PHI for purposes of investigating or imposing liability on an individual, a person assisting them, or their health care provider for lawful health care will increase individuals' access to complete information about their health care options because they will have increased confidence to share information about their life, including their health, with health care providers. In turn, the receipt of more complete information from patients will enable health care providers to provide more accurate and relevant medical information about lawful reproductive health care, and the new prohibition will enable them to do so without fear of serious and costly professional repercussions.
See Lynn M. Yee et al., “Association of Health Literacy Among Nulliparous Individuals and Maternal and Neonatal Outcomes,” JAMA Network Open (Sept. 1, 2021), https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2783674.
This final rule will also contribute to increased access to prenatal health care at the critical early stages of pregnancy by affording individuals the assurance that they may obtain lawful reproductive health care without fearing that records related to that care would be subject to disclosure. For example, if a sexually active individual fears they or their health care providers could be subject to prosecution as a result of disclosure of their PHI, the individual may avoid informing health care providers about symptoms or asking questions of medical experts and may consequently fail to receive necessary support and health care for a pregnancy diagnosis. Similarly, this final rule will likely contribute to a decreased rate of maternal mortality and morbidity by improving access to information about health services.
See “Texas Maternal Mortality and Morbidity Review Committee and Department of State Health Services Joint Biennial Report 2022,” supra note 123.
See Helen Levy & Alex Janke, “Health Literacy and Access to Care,” J. of Health Commc'n (2016), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4924568/; see also Brief for Zurawski, Zurawski v. State of Texas (No. D-1-GN-23-000968) (W.D. Tex. 2023), https://reproductiverights.org/wp-content/uploads/2023/03/Zurawski-v-State-of-Texas-Complaint.pdf.
Additionally, this final rule will enhance the mental health and emotional well-being of individuals seeking or obtaining lawful reproductive health care by reducing fear that their PHI will be disclosed to investigate or impose liability on the individual, their health care provider, or any persons facilitating the individual's access to lawful reproductive health care. This is especially important for individuals who need access to reproductive health care because they are survivors of rape, incest, or sex trafficking. For at least some such individuals, certain types of reproductive health care, including abortion, often remain legal even if pregnancy termination is not available to the broader population under state law. The Department expects that this final rule will help to prevent or reduce re-victimization of pregnant individuals who have been subject to rape, incest, or sex trafficking by protecting their PHI from disclosure.
Activities conducted to investigate and impose liability that rely on that information may be costly to defend against and thus are financially draining for the target of those activities and for persons who are not the target of the activity but whose information may be used as evidence against others. Witnesses or targets of such activities may lose time from work and incur steep legal bills that create unmanageable debt or otherwise harm the economic stability of the individual, their family, and their health care provider. In the absence of this final rule, much of the costs may be for defending against the unwanted use or disclosure of PHI. Thus, the Department expects that this final rule will contribute to families' economic well-being by reducing the risk of exposure to costly activities to investigate or impose liability on persons for lawful activities as a result of disclosures of PHI.
This final rule will also contribute to improved continuity of care and ongoing and subsequent health care for individuals, thereby improving health outcomes. If a health care provider believes that PHI is likely to be disclosed without the individual's or the health care provider's knowledge or consent, possibly to initiate or be used in criminal or civil proceedings against the individual, their health care provider, or others, the health care provider is more likely to omit information about an individual's medical history or condition, leave gaps, or include inaccuracies when preparing the individual's medical records. And if an individual's medical records lack complete information about the individual's health history, a subsequent health care provider may not be able to conduct an appropriate health assessment to reach a sound diagnosis and recommend the best course of action for the individual. Alternatively, health care providers may withhold from the individual full and complete information about their treatment options because of liability concerns stemming from fears about the privacy of an individual's PHI. Heightened confidentiality and privacy protections enable a health care provider to feel confident maintaining full and complete patient records. Without complete patient records, an individual is less likely to receive appropriate ongoing or future health care, including correct diagnoses, and will be impeded in making informed treatment decisions.
See Brief for Zurawski, at 10, supra note 447.
Comparison of Benefits and Costs
A few commenters stated that the 2023 Privacy Rule NPRM reflected the staffing costs of covered entities in full. One posited that covered entities will receive more requests for PHI because of changes in the legal environment after Dobbs, which will require some regulated entities that may not typically get such requests to adjust according to the changes in the law and how it is enforced. Another commenter stated that the proposed rule did not account for higher staffing costs from more highly qualified employees. The commenters did not provide any relevant data or discussion of methodology for how these costs should be quantified. Therefore, the Department did not include any additional labor costs in the economic analysis based on this comment.
A few additional commenters expressed general concerns related to electronic health record (EHR) systems and data storage. One urged the Department to include costs associated with updating EHR systems to ensure compliance and to allow for data segmentation. Another asserted that the current classifications for different types of PHI are not clear enough for effective data segmentation, contributing to increased costs. As a result, they recommended that the Department provide clearer guidelines on the different types of PHI. The Department did not attempt to estimate additional data maintenance or EHR-related costs because any adjustments will be part of the regular cost of business for regulated entities.
A commenter stated that the Department did not quantify the costs associated with violations of the rule by regulated entities, such as incurring a monetary penalty after impermissibly responding to a court order. The Department does not quantify the costs of noncompliance as part of its analysis. Whether a violation will result in a monetary penalty is dependent on numerous factors and the aim of the Department's enforcement is to bring regulated entities into compliance.
A few commenters asserted that the proposed rule would make it more difficult for law enforcement to investigate criminals for crimes related to sex and recommended that the Department quantify this cost. The Department acknowledges that the final rule may result in some changes to procedures for handling law enforcement requests for PHI; however, the burden on regulated entities is calculated in its cost estimates. The Department is unable to quantify the burdens to law enforcement resulting from this final rule. However, to address concerns about victims' ability to disclose their PHI related to reproductive health care, the final rule permits individuals to authorize disclosures for any purpose, including law enforcement investigations. Therefore, the Department is not including costs to law enforcement in the quantified costs and benefits analysis. The Department expects the totality of the benefits of this final rule to outweigh the costs, particularly in light of the privacy benefits for individuals who could become pregnant (nearly one-fourth of the U.S. population in any given year) and seek access to lawful health care without the risk of their PHI being used or disclosed in furtherance of activities to conduct criminal, civil, or administrative investigations or impose liability without their authorization. The Department expects covered entities and individuals to benefit from covered entities' increased confidence to be able to provide lawful health care according to professional standards.
The Department's qualitative benefit-cost analysis asserts that the regulatory changes in this final rule will support an individual's privacy with respect to lawful health care, enhance the relationship between health care providers and individuals, strengthen maternal well-being and family stability, and support victims of rape, incest, and sex trafficking. The regulatory changes will also aid health care providers in developing and maintaining a high level of trust with individuals and maintaining complete and accurate medical records to aid ongoing and subsequent health care. Greater levels of trust will further enable individuals to develop and maintain relationships with health care providers, which would enhance continuity of health care for all individuals receiving care from the health care provider, not only individuals in need of reproductive health care.
The financial costs of this final rule will accrue primarily to covered entities, particularly health care providers and health plans in the first year after implementation of a final rule, with recurring costs accruing annually at a lower rate.
B. Regulatory Alternatives to the Final Rule
In addition to regulatory proposals in the 2023 Privacy Rule NPRM that are not adopted here, the Department considered several alternatives to the policies finalized in this rule.
Define Public Health in the Context of Public Health Surveillance, Intervention, or Investigation
The Department considered alternatives to the proposed definition of “public health” in the context of public health surveillance, investigation, and intervention, particularly the reference to population-level activities. Specifically, the Department considered whether to add “individual-level” to further distinguish public health surveillance, investigation, and intervention from other activities but did not adopt this approach because it would add a new undefined term that would generate more complexity without adding clarity. The Department also considered removing “population-level” from the definition in this final rule, but we are not adopting that approach because it might lead people to believe that the focus of public health is not on activities benefiting the population as a whole. Additionally, the Department considered defining “public health” surveillance, investigation, or intervention only in the negative—that is, by listing activities that are excluded—but decided not to adopt this approach to ensure that stakeholders understand what public health surveillance, investigation, or intervention means.
Modify Prohibition To Presume That Reproductive Health Care Is Lawful Absent Actual Knowledge
The Department considered adding a provision that would allow regulated entities to presume that certain requests for PHI are about reproductive health care that was lawful under the circumstances in which such health care was provided where it was provided by someone other than the regulated entity receiving the PHI request, unless the regulated entity had actual knowledge that such health care was not lawful under the circumstances in which it was provided. However, in consultation with Federal partners, the Department decided to finalize a second exception to the presumption to permit uses or disclosures of PHI where privacy interests are reduced, as compared to the societal interest in the PHI for certain non-health care purposes. This exception is available where factual information supplied by the person requesting the use or disclosure of PHI demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided.
Administrative Requests by Law Enforcement
The Department received reports that not all regulated entities are interpreting the administrative request provision correctly and proposed a clarification to 45 CFR 164.512(f)(1)(ii)(C). To address concerns that disclosures currently made under Federal agencies' interpretations of the Privacy Act of 1974 would not be permitted under the NPRM proposal, the Department considered adding qualifying language to paragraph 45 CFR 164.512(f)(1)(ii)(C) to state that PHI may be disclosed by a Federal agency in response to an administrative request from law enforcement where the Federal agency is authorized, but not required, to disclose under applicable law ( see, e.g., the Privacy Act and OMB 1975 Guidelines ). However, the Department determined that the contemplated change was not necessary because the intent of the Privacy Rule was adequately captured in the clarification proposed in the NPRM and finalized in this rule at 45 CFR 164.512(f)(1)(ii)(C). As finalized, this provision permits disclosures to law enforcement in response to “an administrative request for which response is required by law, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law.”
Public Law 93-579, 88 Stat. 1896 (Dec. 31, 1974) (codified at 5 U.S.C. 552a).
40 FR 28948, 28955 (July 9, 1975).
Scope of Prohibited Conduct
In response to public comments on the 2023 Privacy Rule NPRM, the Department considered several approaches to outlining prohibited conduct. One approach was creating a category of “highly sensitive PHI” and prohibiting its use and disclosure in certain proceedings based on the mere act of, for example, obtaining, providing, or aiding that category of health care. The Department did not adopt this category based on many concerns expressed in public comments. For example, distinguishing between the sensitivity of different types of PHI would require complicated subjective determinations, and prohibiting or limiting uses or disclosures of highly sensitive PHI for certain purposes could negatively affect efforts to eliminate data segmentation and further stigmatize the types of health care included in the “highly sensitive” category.
Another approach the Department considered was to require an attestation for all requested uses and discloses of PHI under 45 CFR 164.512(d)-(g)(1), rather than limiting the requirement to only requested uses and disclosures of PHI potentially related to reproductive health care under such provisions. This would have reduced the burden on regulated entities to screen requested PHI for whether it contained information potentially related to reproductive health care and increased the burden on persons requesting PHI to evaluate and attest to all requests for use and disclosure of PHI under 45 CFR 164.512(d)-(g)(1). However, in recognition of the importance of oversight and law enforcement entities' ability to obtain PHI for legitimate inquiries, the Department decided not to require an attestation for all requests under these provisions.
Requiring an Attestation Under Penalty of Perjury
The Department requested comments about the possibility of adding a required penalty of perjury statement to strengthen the attestation requirement but did not propose this statement in the 2023 Privacy Rule NPRM. After reviewing public comments on this topic, the Department considered adding a requirement that the attestation be signed by the person requesting the use or disclosure of PHI under penalty of perjury but did not adopt such a requirement in the final rule. As discussed in greater detail above, a person who knowingly and in violation of the Administrative Simplification provisions of HIPAA obtains or discloses IIHI relating to another individual or discloses IIHI to another person is subject to criminal liability. Thus, a person who knowingly and in violation of HIPAA falsifies an attestation ( e.g., makes material misrepresentations about the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual's IIHI could be subject to criminal penalties as outlined in the statute. The Department believes such penalties are sufficient to hold persons who knowingly submit false attestations accountable for their actions and deter such submissions entirely.
A person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9(b)(3) of this title) and the individual obtained or disclosed such information without authorization. Id.
Right To Request Restrictions
In the 2023 Privacy Rule NPRM, the Department requested comments regarding the right of individuals to request restrictions of uses and disclosures of their PHI. We did not propose any changes to this provision in the 2023 Privacy Rule NPRM, nor are we proposing or finalizing any modifications to it at this time. We appreciate the comments we received regarding expanding the rights to request disclosures and will take them under advisement when we consider future modifications to the Privacy Rule.
C. Regulatory Flexibility Act—Small Entity Analysis
The Department has examined the economic implications of this final rule as required by the RFA. If a rule has a significant economic impact on a substantial number of small entities, the RFA requires agencies to analyze regulatory options that would reduce the economic effect of the rule on small entities.
For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. The Act defines “small entities” as (1) a proprietary firm meeting the size standards of the Small Business Administration (SBA), (2) a nonprofit organization that is not dominant in its field, and (3) a small government jurisdiction of less than 50,000 population. A few commenters raised concerns about the effects of the proposed rule on small or rural providers and requested additional analysis, guidance, or technical assistance from the Department to aid these entities. The Department did not receive any public comments on the small business analysis assumptions used in the NPRM. Accordingly, we are not changing the baseline assumptions for this final rule. We have updated our analysis of small entities for consistency with revisions to the RIA for the costs and savings for covered entities. The Department has determined that roughly 90 percent or more of all health care providers meet the SBA size standard for a small business or are a nonprofit organization. Therefore, the Department estimates that there are 696,898 small entities affected by the final rule. The SBA size standard for health care providers ranges between a maximum of $16 million and $47 million in annual receipts, depending upon the type of entity.
696,898 = 774,331 × .90.
See U.S. Small Business Administration, Table of Small Business Size Standards (Mar. 17, 2023), https://www.sba.gov/sites/sbagov/files/2023-06/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%282%29.pdf.
With respect to health insurers, the SBA size standard is a maximum of $47 million in annual receipts, and for third party administrators it is $45.5 million. While some insurers are classified as nonprofit, it is possible they are dominant in their market. For example, a number of Blue Cross/Blue Shield insurers are organized as nonprofit entities; yet they dominate the health insurance market in the states where they are licensed.
Id.
Kaiser Family Foundation, “Market Share and Enrollment of Largest Three Insurers—Large Group Market” (2019), https://www.kff.org/other/state-indicator/market-share-and-enrollment-of-largest-three-insurers-large-group-market/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D.
For the reasons stated below, we do not expect that the cost of compliance will be significant for small entities. Nor do we expect that the cost of compliance will fall disproportionately on small entities. Although many of the covered entities affected by this final rule are small entities, they will not bear a disproportionate cost burden compared to the other entities subject to the rule. The projected total costs are discussed in detail in the RIA. The Department does not view this as a substantial burden because the result of the changes will be annualized costs per covered entity of approximately $184 [= $142.6 million /774,331 covered entities]. In the context of the RFA, HHS generally considers an economic impact exceeding 3 percent of annual revenue to be significant, and 5 percent or more of the affected small entities within an identified industry to represent a substantial number. The quantified impact of $184 per covered entity would only apply to covered entities whose annual revenue is $6,133 or less. We believe almost all, if not all covered entities have annual revenues that exceed this amount. Accordingly, the Department has determined that this final rule is unlikely to affect a substantial number of small entities that meet the RFA threshold. Thus, this analysis concludes, and the Secretary certifies, that the rule will not result in a significant economic effect on a substantial number of small entities.
This figure represents annualized costs discounted at a 3% rate.
D. Executive Order 13132—Federalism
As required by E.O. 13132 on Federalism, the Department has examined the provisions in both the proposed and final regulation for their effects on the relationship between the Federal Government and the states. In the Department's view, the final regulation may have federalism implications because it may have direct effects on the states, the relationship between the Federal Government and states, and on the distribution of power and responsibilities among various levels of government relating to the disclosure of PHI.
The changes from this final rule flow from and are consistent with the underlying statute, which authorizes the Secretary to issue regulations that govern the privacy of PHI. The statute provides that, with limited exceptions, such regulations supersede contrary provisions of state law unless the provision of state law imposes more stringent privacy protections than the Federal law.
Section 3(b) of E.O. 13132 recognizes that national action limiting the policymaking discretion of states will be imposed only where there is constitutional and statutory authority for the action and the national activity is appropriate when considering a problem of national significance. The privacy of PHI is of national concern by virtue of the scope of interstate health commerce. As described in the preamble to the proposed rule and this final rule, recent state actions affecting reproductive health care have undermined the longstanding expectation among individuals in all states that their highly sensitive reproductive health information will remain private and not be used against them for seeking or obtaining legal health care. These state actions thus directly threaten the trust that is essential to ensuring access to, and quality of, lawful health care. HIPAA's provisions reflect this position by authorizing the Secretary to promulgate regulations to implement the Privacy Rule.
Section 4(a) of E.O. 13132 expressly contemplates preemption when there is a conflict between exercising state and Federal authority under a Federal statute. Section 4(b) of the E.O. authorizes preemption of state law in the Federal rulemaking context when “the exercise of State authority directly conflicts with the exercise of Federal authority under the Federal statute.” The approach in this regulation is consistent with the standards in the E.O. because it supersedes state authority only when such authority is inconsistent with standards established pursuant to the grant of Federal authority under the statute.
State and local laws that impinge on the privacy protections for PHI of individuals who obtain lawful reproductive health care undermine Congress' directive to develop a health information system for the purpose of improving the effectiveness of the health care system, which requires that all individuals who receive health care legally are assured a minimum level of privacy for their PHI. Congress established specific, narrow exceptions to preemption that did not include the use or disclosure of an individual's medical records for law enforcement purposes generally. Nor did Congress include a specific exception to preemption that would permit states to use PHI against that individual, health care providers, or third parties merely for seeking, obtaining, providing, or facilitating lawful health care. Both the personal and public interest is served by protecting PHI so as not to undermine an individual's access to and quality of lawful health care services and their trust in the health care system.
The Department anticipates that the most significant direct costs on state and local governments would be the cost for state and local government-operated covered entities to revise business associate agreements, revise policies and procedures, update the NPP, update training programs, and process requests for disclosures for which an attestation is required. These costs would be similar in kind to those borne by non-government operated covered entities. In addition, the Department anticipates that approximately half of the states may choose to file a request for an exception to preemption. The longstanding regulatory provisions that govern preemption exception requests under the HIPAA Rules would remain undisturbed by this rule. However, based on the legal developments in some states that are described elsewhere in this preamble, the Department anticipates that in the first year of implementation of a final rule, more states will submit requests for exceptions from preemption than have done so in the past. The RIA above addresses these costs in detail.
45 CFR 160.201 through 160.205.
Pursuant to the requirements set forth in section 8(a) of E.O. 13132, and by the signature affixed to the final rule, the Department certifies that it has complied with the requirements of E.O. 13132, including review and consideration of comments from state and local government officials and the public about the interaction of this rule with state activity, for the final rule in a meaningful and timely manner.
E. Assessment of Federal Regulation and Policies on Families
Section 654 of the Treasury and General Government Appropriations Act of 1999 requires Federal departments and agencies to determine whether a proposed policy or regulation could affect family well-being. If the determination is affirmative, then the Department or agency must prepare an impact assessment to address criteria specified in the law. This final rule is expected to strengthen the stability of the family and marital commitment because it protects individual privacy in the context of sensitive decisions about family planning. The rule may be carried out only by the Federal Government because it would modify Federal health privacy law, ensuring that American families have confidence in the privacy of their information about lawful reproductive health care, regardless of the state where they are located when health care is provided. Such health care privacy is vital for individuals who may become pregnant or who are capable of becoming pregnant.
Public Law 105-277, 112 Stat. 2681 (Oct. 21, 1998).
F. Paperwork Reduction Act of 1995
Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to submit to OMB for review and approval any reporting or record-keeping requirements inherent in a proposed or final rule and are required to publish such proposed requirements for public comment. To fairly evaluate whether an information collection should be approved by the OMB, section 3506(c)(2)(A) of the PRA requires that the Department solicit comment on the following issues:
Public Law 104-13, 109 Stat. 163 (May 22, 1995).
1. Whether the information collection is necessary and useful to carry out the proper functions of the agency;
2. The accuracy of the agency's estimate of the information collection burden;
3. The quality, utility, and clarity of the information to be collected; and
4. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.
The PRA requires consideration of the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section. The Department considered public comments on its assumptions and burden estimates in the 2023 Privacy Rule NPRM and addresses those comments above in the discussion of benefits and costs of this final rule.
In this RIA, the Department is revising certain information collection requirements associated with this final rule and, as such, is revising the information collection last prepared in 2023 and approved under OMB control #0945-0003. The revised information collection describes all new and adjusted information collection requirements for covered entities pursuant to the implementing regulation for HIPAA at 45 CFR parts 160 and 164, the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”).
The estimated annual labor burden presented by the regulatory modifications in the first year of implementation, including nonrecurring and recurring burdens, is 4,584,224 burden hours at a cost of $582,242,165 and $20,910,207 of estimated annual labor costs in years two through five. The overall total burden for respondents to comply with the information collection requirements of all of the HIPAA Privacy, Security, and Breach Notification Rules, including nonrecurring and recurring burdens presented by program changes, is 953,982,236 burden hours at a cost of $107,336,705,941, plus $197,364,010 in capital costs for a total estimated annual burden of $107,534,069,951 in the first year following the effective date of the final rule. Details describing the burden analysis for the proposals associated with this RIA are presented below and explained further in the ICR associated with this final rule.
This includes an increase of 416 burden hours and $36,442 in costs added to the existing information collection for requesting exemption determinations under 45 CFR 160.204.
Explanation of Estimated Annualized Burden Hours
Below is a summary of the significant program changes and adjustments made since the approved 2023 ICR; because the ICR addresses regulatory burdens associated with the full suite of HIPAA Rules, the changes and adjustments include updated data and estimates for some provisions of the HIPAA Rules that are not affected by this final rule. These program changes and adjustments form the bases for the burden estimates presented in the ICR associated with this RIA.
Adjusted Estimated Annual Burdens of Compliance
(1) Increasing the number of covered entities from 700,000 to 774,331 based on program change.
(2) Increasing the number of respondents requesting exceptions to state law preemption from 1 to 27 based on an expected reaction by states that have enacted restrictions on reproductive health care access.
(3) Increasing the burden hours by a factor of two for responding to individuals' requests for restrictions on disclosures of their PHI under 45 CFR 164.522 to represent a doubling of the expected requests.
(4) Updating the number of breaches for which notification is required to reflect data in OCR's 2022 Report to Congress and related burdens.
See Off. for Civil Rights, “Annual Report to Congress on Breaches of Unsecured Protected Health Information,” U.S. Dep't of Health and Human Servs. (2022), https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html.
(5) Increasing the number of estimated uses and disclosures for research purposes.
(6) Increasing the total number of NPPs distributed by health plans by 50% to total 300,000,000 due to the increase in number of Americans with health coverage.
New Burdens Resulting from Program Changes
In addition to these changes, the Department added new annual burdens as a result of program changes in the final rule:
(1) A nonrecurring burden of 1 hour for each of 350,000 business associate agreements that is likely to be revised as a result of the changes to handling requests for PHI under 45 CFR 164.512(d), (e), (f), and (g)(1), to allocate responsibilities between covered entities and their release-of-information contractors.
(2) A recurring burden of 5 minutes per request for staff to determine whether an attestation is required for disclosure under 45 CFR 164.509.
(3) A recurring burden of 1 hour per request for legal review of whether certain requests identified by staff as potentially requiring an attestation pertain to the lawfulness of reproductive health care.
(4) A recurring burden of 3 hours per request for a percentage of requests requiring legal review that might require additional manager review to determine whether the requirements at 45 CFR 164.509 are met.
(5) A nonrecurring burden of 50 minutes per covered entity to update the required content of its NPP.
(6) A nonrecurring burden of 15 minutes per covered entity for posting an updated NPP online.
(7) A nonrecurring burden of 2.5 hours for each covered entity to update its policies and procedures.
(8) A nonrecurring burden of 90 minutes for each covered entity to update the content of its HIPAA training program.
List of Subjects
45 CFR Part 160
- Health care
- Health records
- Preemption
- Privacy
- Public health
- Reproductive health care
45 CFR Part 164
- Health care
- Health records
- Privacy
- Public health
- Reporting and recordkeeping requirements
- Reproductive health care
For the reasons stated in the preamble, the Department of Health and Human Services amends 45 CFR subtitle A, subchapter C, parts 160 and 164 as set forth below:
PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 160 continues to read as follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); 5 U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279; and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.
2. Amend § 160.103 by:
a. Revising the definition of “Person”; and
b. Adding in alphabetical order the definitions of “Public health” and “Reproductive health care”.
The revision and additions read as follows:
Person means a natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.
Public health, as used in the terms “public health surveillance,” “public health investigation,” and “public health intervention,” means population-level activities to prevent disease in and promote the health of populations. Such activities include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of protected health information. But such activities do not include those with any of the following purposes:
(1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care.
(2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care.
(3) To identify any person for any of the activities described at paragraphs (1) or (2) of this definition.
Reproductive health care means health care, as defined in this section, that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care.
PART 164—SECURITY AND PRIVACY
3. The authority citation for part 164 continues to read as follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)); and secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.
4. Amend § 164.502 by
a. Revising paragraph (a)(1)(vi);
b. Adding paragraph (a)(5)(iii); and
c. Revising paragraph (g)(5).
The addition and revisions read as follows:
(a) * * *
(1) * * *
(vi) As permitted by and in compliance with any of the following:
(A) This section.
(B) Section 164.512 and, where applicable, § 164.509.
(C) Section 164.514(e), (f), or (g).
(5) * * *
(iii) Reproductive health care —(A) Prohibition. Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities:
( 1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
( 2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
( 3) To identify any person for any purpose described in paragraphs (a)(5)(iii)(A)( 1) or ( 2) of this section.
(B) Rule of applicability. The prohibition at paragraph (a)(5)(iii)(A) of this section applies only where the relevant activity is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care, and the covered entity or business associate that received the request for protected health information has reasonably determined that one or more of the following conditions exists:
( 1) The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
( 2) The reproductive health care is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided.
( 3) The presumption at paragraph (a)(5)(iii)(C) of this section applies.
(C) Presumption. The reproductive health care provided by another person is presumed lawful under paragraph (a)(5)(iii)(B)( 1) or ( 2) of this section unless the covered entity or business associate has any of the following:
( 1) Actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
( 2) Factual information supplied by the person requesting the use or disclosure of protected health information that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.
(D) Scope. For the purposes of this subpart, seeking, obtaining, providing, or facilitating reproductive health care includes, but is not limited to, any of the following: expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.
(g) * * *
(5) Implementation specification: Abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative, provided that the conditions at paragraphs (g)(5)(i) and (ii) of this section are met:
(i) Paragraphs (g)(5)(i)(A) and (B) of this section both apply.
(A) The covered entity has a reasonable belief that any of the following is true:
( 1) The individual has been or may be subjected to domestic violence, abuse, or neglect by such person.
( 2) Treating such person as the personal representative could endanger the individual.
(B) The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.
(ii) The covered entity does not have a reasonable belief under paragraph (g)(5)(i)(A) of this section if the basis for their belief is the provision or facilitation of reproductive health care by such person for and at the request of the individual.
5. Add § 164.509 to read as follows:
(a) Standard: Attestations for certain uses and disclosures of protected health information to persons other than covered entities or business associates. (1) A covered entity or business associate may not use or disclose protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), without obtaining an attestation that is valid under paragraph (b)(1) of this section from the person requesting the use or disclosure and complying with all applicable conditions of this part.
(2) A covered entity or business associate that uses or discloses protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), in reliance on an attestation that is defective under paragraph (b)(2) of this section, is not in compliance with this section.
(b) Implementation specifications: General requirements— (1) Valid attestations. (i) A valid attestation is a document that meets the requirements of paragraph (c)(1) of this section.
(ii) A valid attestation verifies that the use or disclosure is not otherwise prohibited by § 164.502(a)(5)(iii).
(iii) A valid attestation may be electronic, provided that it meets the requirements in paragraph (c)(1) of this section, as applicable.
(2) Defective attestations. An attestation is not valid if the document submitted has any of the following defects:
(i) The attestation lacks an element or statement required by paragraph (c) of this section.
(ii) The attestation contains an element or statement not required by paragraph (c) of this section
(iii) The attestation violates paragraph (b)(3) of this section.
(iv) The covered entity or business associate has actual knowledge that material information in the attestation is false.
(v) A reasonable covered entity or business associate in the same position would not believe that the attestation is true with respect to the requirement at paragraph (c)(1)(iv) of this section.
(3) Compound attestation. An attestation may not be combined with any other document except where such other document is needed to satisfy the requirements at paragraph (c)(iv) of this section or at § 164.502(a)(5)(iii)(C), as applicable.
(c) Implementation specifications: Content requirements and other obligations— (1) Required elements. A valid attestation under this section must contain the following elements:
(i) A description of the information requested that identifies the information in a specific fashion, including one of the following:
(A) The name of any individual(s) whose protected health information is sought, if practicable.
(B) If including the name(s) of any individual(s) whose protected health information is sought is not practicable, a description of the class of individuals whose protected health information is sought.
(ii) The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity is to make the requested use or disclosure.
(iv) A clear statement that the use or disclosure is not for a purpose prohibited under § 164.502(a)(5)(iii).
(v) A statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person.
(vi) Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative's authority to act for the person must also be provided.
(2) Plain language requirement. The attestation must be written in plain language.
(d) Material misrepresentations. If, during the course of using or disclosing protected health information in reasonable reliance on a facially valid attestation, a covered entity or business associate discovers information reasonably showing that any representation made in the attestation was materially false, leading to a use or disclosure for a purpose prohibited under § 164.502(a)(5)(iii), the covered entity or business associate must cease such use or disclosure.
6. Amend § 164.512 by:
a. Revising the introductory text and the paragraph (c) paragraph heading;
b. Adding paragraph (c)(3); and
c. Revising paragraph (f)(1)(ii)(C) introductory text.
The revisions and addition read as follows:
Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally.
(c) Standard: Disclosures about victims of abuse, neglect, or domestic violence —* * *
(3) Rule of construction. Nothing in this section shall be construed to permit disclosures prohibited by § 164.502(a)(5)(iii) when the sole basis of the report of abuse, neglect, or domestic violence is the provision or facilitation of reproductive health care.
(f) * * *
(1) * * *
(ii) * * *
(C) An administrative request for which response is required by law, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
7. Amend § 164.520 by:
a. Revising and republish paragraphs (a) and (b); and
b. Adding paragraph (d)(4).
The revisions and additions read as follows:
(a) Standard: Notice of privacy practices —(1) Right to notice. Except as provided by paragraph (a)(3) or (4) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information.
(2) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records.
(3) Exception for group health plans. (i) An individual enrolled in a group health plan has a right to notice:
(A) From the group health plan, if, and to the extent that, such an individual does not receive health benefits under the group health plan through an insurance contract with a health insurance issuer or HMO; or
(B) From the health insurance issuer or HMO with respect to the group health plan through which such individuals receive their health benefits under the group health plan.
(ii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in § 164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must:
(A) Maintain a notice under this section; and
(B) Provide such notice upon request to any person. The provisions of paragraph (c)(1) of this section do not apply to such group health plan.
(iii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and does not create or receive protected health information other than summary health information as defined in § 164.504(a) or information on whether an individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, is not required to maintain or provide a notice under this section.
(4) Exception for inmates. An inmate does not have a right to notice under this section, and the requirements of this section do not apply to a correctional institution that is a covered entity.
(b) Implementation specifications: Content of notice —(1) Required elements. The covered entity, including any covered entity receiving or maintaining records subject to 42 U.S.C. 290dd-2, must provide a notice that is written in plain language and that contains the elements required by this paragraph.
(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed:
“THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
(ii) Uses and disclosures. The notice must contain:
(A) A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for each of the following purposes: treatment, payment, and health care operations.
(B) A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual's written authorization.
(C) If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, such as 42 CFR part 2, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202 of this subchapter.
(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law, such as 42 CFR part 2.
(E) A description of the types of uses and disclosures that require an authorization under § 164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by § 164.508(b)(5).
(F) A description, including at least one example, of the types of uses and disclosures prohibited under § 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition.
(G) A description, including at least one example, of the types of uses and disclosures for which an attestation is required under § 164.509.
(H) A statement adequate to put the individual on notice of the potential for information disclosed pursuant to this subpart to be subject to redisclosure by the recipient and no longer protected by this subpart
(iii) Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable:
(A) In accordance with § 164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications;
(B) In accordance with § 164.504(f), the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan;
(C) If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes;
(D) Substance use disorder treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed; or
(E) If a covered entity that creates or maintains records subject to 42 CFR part 2 intends to use or disclose such records for fundraising for the benefit of the covered entity, the individual must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications.
(iv) Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows:
(A) The right to request restrictions on certain uses and disclosures of protected health information as provided by § 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under § 164.522(a)(1)(vi);
(B) The right to receive confidential communications of protected health information as provided by § 164.522(b), as applicable;
(C) The right to inspect and copy protected health information as provided by § 164.524;
(D) The right to amend protected health information as provided by § 164.526;
(E) The right to receive an accounting of disclosures of protected health information as provided by § 164.528; and
(F) The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request.
(v) Covered entity's duties. The notice must contain:
(A) A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices, and to notify affected individuals following a breach of unsecured protected health information;
(B) A statement that the covered entity is required to abide by the terms of the notice currently in effect; and
(C) For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.
(vi) Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.
(vii) Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by § 164.530(a)(1)(ii).
(viii) Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
(2) Optional elements. (i) In addition to the information required by paragraph (b)(1) of this section, if a covered entity elects to limit the uses or disclosures that it is permitted to make under this subpart, the covered entity may describe its more limited uses or disclosures in its notice, provided that the covered entity may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted by § 164.512(j)(1)(i).
(ii) For the covered entity to apply a change in its more limited uses and disclosures to protected health information created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), the notice must include the statements required by paragraph (b)(1)(v)(C) of this section.
(3) Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.
(d) * * *
(4) The permission in paragraph (d) of this section for covered entities that participate in an organized health care arrangement to issue a joint notice may not be construed to remove any obligations or duties of entities creating or maintaining records subject to 42 U.S.C. 290dd-2, or to remove any rights of patients who are the subjects of such records.
8. Add § 164.535 to read as follows:
If any provision of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy is held to be invalid or unenforceable facially, or as applied to any person, plaintiff, or circumstance, it shall be construed to give maximum effect to the provision permitted by law, unless such holding shall be one of utter invalidity or unenforceability, in which case the provision shall be severable from this part and shall not affect the remainder thereof or the application of the provision to other persons not similarly situated or to other dissimilar circumstances.
Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2024-08503 Filed 4-22-24; 4:15 pm]
BILLING CODE 4153-01-P