Proposed Rule 2023-07517

HIPAA Privacy Rule To Support Reproductive Health Care Privacy

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
April 17, 2023

Issuing agencies

Health and Human Services Department

Abstract

The Department of Health and Human Services (HHS or "Department") is issuing this notice of proposed rulemaking (NPRM) to solicit comment on its proposal to modify the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The proposal would modify existing standards permitting uses and disclosures of protected health information (PHI) by limiting uses and disclosures of PHI for certain purposes where the use or disclosure of information is about reproductive health care that is lawful under the circumstances in which such health care is provided. The proposal would modify existing standards by prohibiting uses and disclosures of PHI for criminal, civil, or administrative investigations or proceedings against individuals, covered entities or their business associates (collectively, "regulated entities"), or other persons for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 73 (Monday, April 17, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 73 (Monday, April 17, 2023)]
[Proposed Rules]
[Pages 23506-23553]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-07517]



[[Page 23505]]

Vol. 88, No. 73

Monday, April 17, 2023

Part II

Department of Health and Human Services

-----------------------------------------------------------------------

45 CFR Parts 160 and 164

HIPAA Privacy Rule To Support Reproductive Health Care Privacy; 
Proposed Rule

Federal Register / Vol. 88, No. 73 / Monday, April 17, 2023 / 
Proposed Rules

[[Page 23506]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0945-AA20


HIPAA Privacy Rule To Support Reproductive Health Care Privacy

AGENCY: Office for Civil Rights (OCR), Office of the Secretary, 
Department of Health and Human Services.

ACTION: Notice of proposed rulemaking; notice of Tribal consultation.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS or 
``Department'') is issuing this notice of proposed rulemaking (NPRM) to 
solicit comment on its proposal to modify the Standards for Privacy of 
Individually Identifiable Health Information (``Privacy Rule'') under 
the Health Insurance Portability and Accountability Act of 1996 (HIPAA) 
and the Health Information Technology for Economic and Clinical Health 
Act of 2009 (HITECH Act). The proposal would modify existing standards 
permitting uses and disclosures of protected health information (PHI) 
by limiting uses and disclosures of PHI for certain purposes where the 
use or disclosure of information is about reproductive health care that 
is lawful under the circumstances in which such health care is 
provided. The proposal would modify existing standards by prohibiting 
uses and disclosures of PHI for criminal, civil, or administrative 
investigations or proceedings against individuals, covered entities or 
their business associates (collectively, ``regulated entities''), or 
other persons for seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which it is provided.

DATES: 
    Comments: Submit comments on or before June 16, 2023.
    Meeting: Pursuant to Executive Order 13175, Consultation and 
Coordination with Indian Tribal Governments, the Department of Health 
and Human Services' Tribal Consultation Policy, and the Department's 
Plan for Implementing Executive Order 13175, the Office for Civil 
Rights solicits input from Tribal officials as the Department develops 
the modifications to the HIPAA Privacy Rule at 45 CFR parts 160 and 
164, subparts A and E. The Tribal consultation meeting will be held on 
May 17, 2023, from 2 p.m. to 3:30 p.m. EDT.

ADDRESSES: You may submit comments, identified by RIN Number 0945-AA20, 
by any of the following methods. Please do not submit duplicate 
comments.
    To participate in the Tribal consultation meeting, you must 
register in advance at <a href="https://www.zoomgov.com/meeting/register/vJItf-2hqD8jHfdtmYaUoWidy9odBZMYQ4Q">https://www.zoomgov.com/meeting/register/vJItf-2hqD8jHfdtmYaUoWidy9odBZMYQ4Q</a>.
    • Federal eRulemaking Portal: You may submit electronic 
comments at <a href="http://www.regulations.gov">http://www.regulations.gov</a> by searching for the Docket ID 
number HHS-OCR-0945-AA20. Follow the instructions at <a href="http://www.regulations.gov">http://www.regulations.gov</a> for submitting electronic comments. Attachments 
should be in Microsoft Word or Portable Document Format (PDF).
    • Regular, Express, or Overnight Mail: You may mail written 
comments to the following address only: U.S. Department of Health and 
Human Services, Office for Civil Rights, Attention: HIPAA and 
Reproductive Health Care Privacy NPRM, Hubert H. Humphrey Building, 
Room 509F, 200 Independence Avenue SW, Washington, DC 20201. Please 
allow sufficient time for mailed comments to be timely received in the 
event of delivery or security delays.
    Please note that comments submitted by fax or email and those 
submitted after the comment period will not be accepted.
    Inspection of Public Comments: All comments received by the 
accepted methods and due date specified above may be posted without 
change to content to <a href="https://www.regulations.gov">https://www.regulations.gov</a>, which may include 
personal information provided about the commenter, and such posting may 
occur after the closing of the comment period. However, the Department 
may redact certain non-substantive content from comments or attachments 
to comments before posting, including: threats, hate speech, profanity, 
sensitive health information, graphic images, promotional materials, 
copyrighted materials, or individually identifiable information about a 
third-party individual other than the commenter. In addition, comments 
or material designated as confidential or not to be disclosed to the 
public will not be accepted. Comments may be redacted or rejected as 
described above without notice to the commenter, and the Department 
will not consider in rulemaking any redacted or rejected content that 
would not be made available to the public as part of the administrative 
record.
    Docket: For complete access to background documents or posted 
comments, go to <a href="https://www.regulations.gov">https://www.regulations.gov</a> and search for Docket ID 
number HHS-OCR-0945-AA20.

FOR FURTHER INFORMATION CONTACT: Lester Coffer at (202) 240-3110 or 
(800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: The discussion below includes an Executive 
Summary, a description of relevant statutory and regulatory authority 
and history, the justification for this proposed regulation, a section-
by-section description of the proposed modifications, and a regulatory 
impact analysis and other required regulatory analyses. The Department 
solicits public comment on all aspects of the proposed rule. The 
Department requests that persons commenting on the provisions of the 
proposed rule label their discussion of any particular provision or 
topic with a citation to the section of the proposed rule being 
addressed and identify the particular request for comment being 
addressed, if applicable.

I. Executive Summary
    A. Overview
    B. Applicability
    C. Table of Abbreviations/Commonly Used Acronyms in This 
Document
II. Statutory Authority and Regulatory History
    A. Statutory Authority and History
    1. Health Insurance Portability and Accountability Act of 1996 
(HIPAA)
    2. The Health Information Technology for Economic and Clinical 
Health (HITECH) Act
    B. Rulemaking Authority and Regulatory History
    1. The Department's Rulemaking Authority Under HIPAA
    2. Regulatory History
III. Justification for This Proposed Rulemaking
    A. HIPAA Encourages Trust by Carefully Balancing Individuals' 
Privacy Interests With Others' Interests in Using or Disclosing PHI
    B. Developments in the Legal Environment are Eroding 
Individuals' Trust in the Health Care System
    C. To Protect the Trust Between Individuals and Health Care 
Providers, the Department Proposes To Restrict Certain Uses and 
Disclosures of PHI for Non-Health Care Purposes
IV. Section-by-Section Description of Proposed Amendments to the 
Privacy Rule
    A. Section 160.103--Definitions
    1. Clarifying the Definition of ``Person''
    2. Interpreting Terms Used in Section 1178(b) of the Social 
Security Act
    3. Adding a Definition of ``Reproductive Health Care''
    4. Request for Comment
    B. Section 164.502--Uses and Disclosures of Protected Health 
Information: General Rules
    1. Clarifying When PHI May Be Used or Disclosed by Regulated 
Entities
    2. Adding a New Category of Prohibited Uses and Disclosures
    3. Clarifying Personal Representative Status in the Context of 
Reproductive Health Care
    4. Request for Comment
    C. Section 164.509--Uses and Disclosures for Which an 
Attestation Is Required (Proposed Heading)
    1. Current Provision and Issues To Address
    2. Proposal
    3. Request for Comment
    D. Section 164.512--Uses and Disclosures for Which an 
Authorization or Opportunity To Agree or Object Is Not Required
    1. Applying the Proposed Prohibition and Attestation Requirement 
to Certain Permitted Uses and Disclosures
    2. Making a Technical Correction to the Heading of 45 CFR 
164.512(c) and Clarifying That Providing or Facilitating 
Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence
    3. Clarifying the Permission for Disclosures Based on 
Administrative Processes
    4. Request for Comment
    E. Section 164.520--Notice of Privacy Practices for Protected 
Health Information
    1. Current Provision and Issues To Address
    2. Proposal
    3. Request for Comment
V. Executive Order 12866 and Related Executive Orders on Regulatory 
Review
    A. Regulatory Impact Analysis
    1. Summary of Costs and Benefits
    2. Baseline Conditions
    3. Costs of the Proposed Rule
    4. Request for Comment
    B. Regulatory Alternatives to the Proposed Rule
    C. Regulatory Flexibility Act--Small Entity Analysis
    D. Executive Order 13132--Federalism
    E. Assessment of Federal Regulation and Policies on Families
    F. Paperwork Reduction Act of 1995
    1. Explanation of Estimated Annualized Burden Hours
VI. Request for Comment
VII. Public Participation

I. Executive Summary

A. Overview

    In this notice of proposed rulemaking (NPRM), the Department of 
Health and Human Services (HHS or ``Department'') proposes 
modifications to the Standards for Privacy of Individually Identifiable 
Health Information (``Privacy Rule''), issued pursuant to section 264 
of the Administrative Simplification provisions of title II, subtitle 
F, of the Health Insurance Portability and Accountability Act of 1996 
(HIPAA).\1\ The Privacy Rule \2\ is one of several rules, collectively 
known as the HIPAA Rules,\3\ that protect the privacy and security of 
individuals' protected health information \4\ (PHI), which is 
individually identifiable health information \5\ (IIHI) transmitted by 
or maintained in electronic media or any other form or medium, with 
certain exceptions.\6\
---------------------------------------------------------------------------

    \1\ Subtitle F of title II of HIPAA (Pub. L. 104-191, 110 Stat. 
1936 (Aug. 21, 1996)) added a new part C to title XI of the Social 
Security Act (SSA), Public Law 74-271, 49 Stat. 620 (Aug. 14, 1935), 
(see sections 1171-1179 of the SSA (codified at 42 U.S.C. 1320d-
1320d-8)), as well as promulgating section 264 of HIPAA (codified at 
42 U.S.C. 1320d-2 note), which authorizes the Secretary to 
promulgate regulations with respect to the privacy of individually 
identifiable health information. The Privacy Rule has subsequently 
been amended pursuant to the Genetic Information Nondiscrimination 
Act of 2008 (GINA), title I, section 105, Public Law 110-233, 122 
Stat. 881 (May 21, 2008) (codified at 42 U.S.C. 2000ff), and the 
Health Information Technology for Economic and Clinical Health 
(HITECH) Act of 2009, Public Law 111-5, 123 Stat. 226 (Feb. 17, 
2009) (codified at 42 U.S.C. 139w-4(0)(2)).
    \2\ 45 CFR parts 160 and 164, subparts A and E. For a history of 
the Privacy Rule, see Section II.B.2., ``Regulatory History,'' 
below.
    \3\ See also the HIPAA Security Rule, 45 CFR parts 160 and 164, 
subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part 
164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160, 
subparts C, D, and E.
    \4\ 45 CFR 160.103 (definition of ``Protected health 
information'').
    \5\ 42 U.S.C. 1320d. See also 45 CFR 160.103 (definition of 
``Individually identifiable health information'').
    \6\ At times throughout this NPRM, the Department uses the terms 
``health information'' or ``individuals' health information'' to 
refer generically to health information pertaining to an individual 
or individuals. In contrast, the Department's use of the term 
``IIHI'' refers to a category of health information defined in 
HIPAA, and ``PHI'' is used to refer specifically to a category of 
IIHI that is defined by and subject to the privacy and security 
standards promulgated in the HIPAA Rules.
---------------------------------------------------------------------------

    Under its statutory authority to administer and enforce the HIPAA 
Rules, the Department modifies the HIPAA Rules as needed, but not more 
than once every 12 months.\7\ The Department makes the determination 
that such modifications may be needed using information it receives on 
an ongoing basis--from the public, regulated entities, media reports, 
and its own analysis of the state of privacy for IIHI. Based on 
information the Department has received in recent months, we believe it 
may be necessary to modify the Privacy Rule to avoid the circumstance 
where an existing provision of the Privacy Rule is used to request the 
use or disclosure of an individual's PHI as a pretext for obtaining PHI 
related to reproductive health care for a non-health care purpose where 
such use or disclosure would be detrimental to any person. The 
proposals in this NPRM would amend provisions of the Privacy Rule to 
strengthen privacy protections for individuals' PHI related to 
reproductive health care.
---------------------------------------------------------------------------

    \7\ 45 CFR 160.104.
---------------------------------------------------------------------------

    The Supreme Court's decision in Dobbs v. Jackson Women's Health 
Organization \8\ (Dobbs) makes it more likely than before that 
individuals' PHI may be disclosed in ways that cause harm to the 
interests that HIPAA seeks to protect but that are not adequately 
addressed in this context,\9\ such as criminal, civil, or 
administrative investigations or proceedings that chill access to 
lawful health care and full communication between individuals and 
health care providers. These developments in the legal environment 
increase the potential for uses or disclosures about an individual's 
reproductive health to undermine access to and the quality of health 
care generally. Some states have already imposed criminal, civil, or 
administrative liability for, or created private rights of action 
against, individuals who obtain certain reproductive health care, 
including pregnancy termination; the health care providers who furnish 
such reproductive health care; or other persons who facilitate the 
furnishing or receipt of certain reproductive health care.\10\ Other 
states may follow suit in the future. And in yet other states, law 
enforcement agencies may attempt to use general criminal laws to 
prosecute individuals for seeking or obtaining such reproductive health 
care.\11\
---------------------------------------------------------------------------

    \8\ 597 U.S. __, 142 S. Ct. 2228 (2022) (No. 19-1392) (June 24, 
2022).
    \9\ See National Committee on Vital and Health Statistics (NCVHS 
or ``Committee'') discussion below, section II.A.1., expressing 
concern for harm caused by disclosing identifiable health 
information for non-health care purposes.
    \10\ See, e.g., S.C. Code Ann. sec. 44-41-80(b), NRS 200.220, 
Tex. Health & Safety Code Ann. sec. 171.208 (2021); 63 OK Stat sec. 
1-745.34-35 (2022). See also Abortion Policy Tracker, Kaiser Family 
Foundation (Jan. 20, 2023), <a href="https://www.kff.org/other/state-indicator/abortion-policy-tracker/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D">https://www.kff.org/other/state-indicator/abortion-policy-tracker/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D</a>.
    \11\ See Laura Huss, Farah Diaz-Tello, Goleen Samari, ``Self-
Care, Criminalized: August 2022 Preliminary Findings,*'' If/When/
How: Lawyering for Reproductive Justice (2022), <a href="https://www.ifwhenhow.org/resources/self-care-criminalized-preliminary-findings/">https://www.ifwhenhow.org/resources/self-care-criminalized-preliminary-findings/</a>; Caroline Kitchener and Ellen Francis, ``Talk of 
prosecuting women for abortion pills roils antiabortion movement,'' 
The Washington Post (Jan. 11, 2023), <a href="https://www.washingtonpost.com/nation/2023/01/11/alabama-abortion-pills-prosecution/">https://www.washingtonpost.com/nation/2023/01/11/alabama-abortion-pills-prosecution/</a>.
---------------------------------------------------------------------------

    After Dobbs, the Department has heard concerns that civil, 
criminal, or administrative investigations or proceedings have been 
instituted or threatened on the basis of reproductive health care that 
is lawful under the circumstances in which it is provided. The threat 
that PHI will be obtained and used in such an investigation or 
proceeding is likely to chill individuals' willingness to seek lawful 
treatment or to provide full information to their health care providers 
when obtaining that treatment.
    A positive, trusting relationship between individuals and their 
health care providers is essential to an individual's health and well-
being.\12\ The prospect of releasing highly sensitive PHI can result in 
medical mistrust and the deterioration of the confidential, safe 
environment that is necessary to quality health care, a functional 
health care system, and the public's health generally.\13\ That is even 
more true in the context of reproductive health care, given the 
potential for stigmatization and other adverse consequences to 
individuals resulting from disclosures they do not want or expect.\14\
---------------------------------------------------------------------------

    \12\ See Fallon E. Chipidza, Rachel S. Wallwork, Theodore A. 
Stern, ``Impact of the Doctor-Patient Relationship,'' The Primary 
Care Companion for CNS Disorders (Oct. 2015), <a href="https://www.psychiatrist.com/pcc/delivery/patient-physician-communication/impact-doctor-patient-relationship/">https://www.psychiatrist.com/pcc/delivery/patient-physician-communication/impact-doctor-patient-relationship/</a>.
    \13\ See, e.g., Kim Bellware, ``Doctor says she shouldn't have 
to turn over patients' abortion records,'' The Washington Post (Nov. 
19, 2022), <a href="https://www.washingtonpost.com/politics/2022/11/19/caitlin-bernard-rokita-lawsuit/">https://www.washingtonpost.com/politics/2022/11/19/caitlin-bernard-rokita-lawsuit/</a> (citing the testimony of pediatric 
bioethics expert Kyle Brothers about the potential negative effects 
requests for this type of sensitive medical record could have on 
individuals: ``This kind of disclosure, especially for a minor, is 
just heartbreaking.''). See also Eric Boodman, ``In a doctor's 
suspicion after a miscarriage, a glimpse of expanding medical 
mistrust,'' STAT News (June 29, 2022), <a href="https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/">https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/</a> (Sarah Prager, professor of obstetrics and 
gynecology at the University of Washington said that it's a bad 
precedent if clinical spaces become unsafe for patients because, 
``[a health care provider's] ability to take care of patients relies 
on trust, and that will be impossible moving forward.'').
    \14\ See Letter from NCVHS Chair Simon P. Cohn to HHS Secretary 
Michael O. Leavitt (Feb. 20, 2008) (listing categories of health 
information that are commonly considered to contain sensitive 
information), p. 5, <a href="https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf</a>.
---------------------------------------------------------------------------

    Experience shows that medical mistrust--especially in vulnerable 
communities that have been negatively affected by historical and 
current health care disparities \15\--can create damaging and chilling 
effects on individuals' willingness to seek appropriate and lawful care 
for medical conditions that can worsen without treatment.\16\ If 
individuals believe that their PHI may be disclosed without their 
knowledge or consent to initiate criminal, civil, or administrative 
investigations or proceedings against them or others based primarily 
upon their receipt of lawful reproductive health care, they are likely 
to be less open, honest, or forthcoming about their symptoms and 
medical history. As a result, individuals may refrain from sharing 
critical information with their health care providers, regardless of 
whether they are seeking reproductive health care that is lawful under 
the circumstances in which it is provided. For instance, an individual 
who has obtained a lawful abortion in one state may fear receiving 
emergency care in a state where abortion is unlawful because providing 
information to a health care provider in such a state could place them 
into legal jeopardy, even if that information is relevant to the 
immediate health emergency. If an individual believes they cannot be 
honest about their health history, the health care provider cannot 
conduct an appropriate health assessment to reach a sound diagnosis and 
recommend the best course of action for that individual. Heightened 
confidentiality and privacy protections enable an individual to develop 
a trust-based relationship with their health care provider and to be 
open and honest with their health care provider. That health care 
provider is then more likely to provide a correct diagnosis and aid the 
individual in making informed treatment decisions.
---------------------------------------------------------------------------

    \15\ See Lisa P. Oakley, Marie Harvey, Daniel F. Lopez-Cevallos, 
``Racial and Ethnic Discrimination, Medical Mistrust, and 
Satisfaction with Birth Control Services among Young Adult 
Latinas,'' Women's Health Issues (July-August 2018), p. 313, <a href="https://www.sciencedirect.com/science/article/abs/pii/S1049386717305443">https://www.sciencedirect.com/science/article/abs/pii/S1049386717305443</a>; 
and Cynthia Prather, Taleria R. Fuller, Khiya J. Marshall, et al., 
``The Impact of Racism on the Sexual and Reproductive Health of 
African American Women,'' Journal of Women's Health (July 2016), p. 
664, <a href="https://www.liebertpub.com/doi/abs/10.1089/jwh.2015.5637">https://www.liebertpub.com/doi/abs/10.1089/jwh.2015.5637</a>.
    \16\ See Texas Maternal Mortality and Morbidity Review Committee 
and Department of State Health Services Joint Biennial Report 2022, 
Texas Department of State Health Services (Dec. 2022), p. 41, 
<a href="https://www.dshs.texas.gov/sites/default/files/legislative/2022-Reports/Joint-Biennial-MMMRC-Report-2022.pdf">https://www.dshs.texas.gov/sites/default/files/legislative/2022-Reports/Joint-Biennial-MMMRC-Report-2022.pdf</a>.
---------------------------------------------------------------------------

    Similarly, if a health care provider believes that an individual's 
highly sensitive PHI is likely to be disclosed without the individual's 
or the health care provider's knowledge or consent in connection with a 
criminal, civil, or administrative investigation or proceeding against 
the individual, their health care provider, or others primarily because 
of the type of health care the individual received or sought, the 
health care provider is more likely to omit information about an 
individual's medical history or condition, leave gaps, or include 
inaccuracies when preparing the individual's medical records. And if an 
individual's medical records lack complete information about the 
individual's health history, a subsequent health care provider may not 
be able to conduct an appropriate health assessment to reach a sound 
diagnosis and recommend the best course of action for the individual. 
Alternatively, a health care provider may even withhold from an 
individual full and complete information about their treatment options 
because of liability fears stemming from concerns about the level of 
privacy afforded to PHI.\17\ Heightened confidentiality and privacy 
protections enable a health care provider to feel confident maintaining 
full and complete medical records. With complete medical records, an 
individual is more likely to receive appropriate ongoing or future 
health care, including correct diagnoses, and obtain appropriate 
guidance, empowering the individual in making informed treatment 
decisions. This further enables the individual to access lawful health 
care--and health care providers to practice medicine--in an environment 
that promotes social, environmental, mental, and physical wellness.
---------------------------------------------------------------------------

    \17\ See Brief for Zurawski at p. 10, Zurawski v. State of Texas 
(No. D-1-GN-23-000968) (W.D. Tex. 2023) (stating that ``[i]n every 
interaction with their medical team in Texas, Lauren M. and her 
husband felt confused and frustrated and could not get direct 
answers,'' and that ``[i]t was apparent that their doctors, nurses, 
and counselors were all fearful of speaking directly and openly 
about abortion for fear of liability under Texas's abortion 
bans.'').
---------------------------------------------------------------------------

    Furthermore, an individual's lack of trust in their health care 
provider to maintain the confidentiality of the individual's most 
sensitive medical information, and a lack of trust in the medical system 
generally, may have significant repercussions for the public's 
health. Individuals who are not candid with their health 
care providers about their reproductive health care may also withhold 
information about other matters that have public health implications, 
such as sexually transmitted infections or vaccinations.\18\
---------------------------------------------------------------------------

    \18\ See Letter from NCVHS Chair Simon P. Cohn to HHS Secretary 
Michael O. Leavitt (June 22, 2006), p. 2 (with forwarded NCVHS 
recommendations, ``Individual trust in the privacy and 
confidentiality of their personal health information also promotes 
public health, because individuals with potentially contagious or 
communicable diseases are not inhibited from seeking treatment.''), 
<a href="https://ncvhs.hhs.gov/rrp/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/">https://ncvhs.hhs.gov/rrp/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/</a>.
---------------------------------------------------------------------------

    When proposing the initial Privacy Rule, the Department described 
its policy choices as being motivated to develop and maintain a 
relationship of trust between individuals and health care providers. 
``A fundamental assumption of this regulation is that the greatest 
benefits of improved privacy protection will be realized in the future 
as patients gain increasing trust in health care practitioner's ability 
to maintain the confidentiality of their health information.'' \19\ The 
Department also described the benefits of increasing individuals' 
access to their own health care information in the development and 
maintenance of that trust. Providing individuals with ``[o]pen access 
to [their] health information can benefit both the individuals and the 
covered entities. [ . . . ] It can increase communication, thereby 
enhancing individuals' trust in their health care providers and 
increasing compliance with the providers' instructions.'' \20\ The 
Department reiterated this need for trust between individuals and 
health care providers in the 2000 Privacy Rule, noting that ``[t]he 
provision of high-quality health care requires the exchange of 
personal, often-sensitive information between an individual and a 
skilled practitioner. Vital to that interaction is the patient's 
ability to trust that the information shared will be protected and kept 
confidential.'' \21\ As the Department also stated, ``[h]ealth care 
professionals who lose the trust of their patients cannot deliver high-
quality care.'' \22\
---------------------------------------------------------------------------

    \19\ See 64 FR 59918, 60006 (Nov. 3, 1999).
    \20\ See 64 FR 59980.
    \21\ See 65 FR 82462, 82463 (Dec. 28, 2000).
    \22\ See 65 FR 82468.
---------------------------------------------------------------------------

    However, the Department also noted that the policy choices it made 
when issuing the 2000 Privacy Rule were a result of balancing the 
interests of the individual in the privacy of their PHI with the 
interests of society in disclosures of PHI for non-health care 
purposes. Thus, the 2000 Privacy Rule included permissions for 
regulated entities to disclose PHI under certain conditions for 
judicial and administrative proceedings and law enforcement purposes. 
As the Department explained at that time, ``Individuals' right to 
privacy in information about themselves is not absolute. It does not, 
for instance, prevent reporting of public health information on 
communicable diseases or stop law enforcement from getting information 
when due process has been observed.'' \23\
---------------------------------------------------------------------------

    \23\ 65 FR 82464.
---------------------------------------------------------------------------

    The proposed modifications to the Privacy Rule in this NPRM 
directly advance the purposes of HIPAA. From their inception, the 
Department's regulations implementing the statute have sought to ensure 
that individuals do not forgo lawful health care when needed--or 
withhold important information from their health care providers that 
may affect the quality of health care they receive--out of a fear that 
their sensitive information would be revealed outside of their 
relationships with their health care providers. In the past, the 
Department generally has applied the same privacy standards to nearly 
all PHI, regardless of the type of health care at issue. But the 
Department has also recognized that some forms of PHI may be 
particularly sensitive and thus may warrant heightened protections. For 
example, the Department has accorded ``special protections'' to 
psychotherapy notes under the Privacy Rule, owing in part to the 
``particularly sensitive information'' those notes contain.\24\
---------------------------------------------------------------------------

    \24\ The special protections for psychotherapy notes and the 
Department's rationale for them are discussed at greater length in 
section III of this preamble.
---------------------------------------------------------------------------

    Many individuals regard information about their reproductive health 
as highly private and personal. That information is likely to come up 
in a wide variety of encounters between individuals and their health 
care providers, including routine physicals, gynecological 
examinations, and a range of other encounters that do not involve an 
individual's effort to obtain health care, such as an abortion, that is 
illegal under some post-Dobbs state laws. However, if individuals do 
not trust that their health care providers will keep their sensitive 
information private, they may withhold important health information 
from their health care providers, leading to incomplete and inaccurate 
medical records and potentially substandard health care. Some 
individuals may refrain from or defer obtaining necessary health care, 
which could lead to worse health outcomes and exacerbate health 
disparities.\25\ Others may withhold aspects of their medical history 
from their health care providers, which could impede the ability of 
health care professionals to make fully informed medical judgments and 
provide full and complete information about treatment options. 
Similarly, health care providers may omit information about an 
individual's medical history or condition, or leave gaps or include 
inaccuracies, when preparing medical records, out of fear that the 
individual's PHI is likely to be disclosed without the individual's or 
the health care provider's knowledge or consent for use in criminal or 
civil proceedings against the individual, their health care provider, 
or others. In so doing, they increase the risk that the individual will 
receive substandard ongoing or future health care. Regardless of how it 
occurs, the result is substandard health care and worse health 
outcomes.
---------------------------------------------------------------------------

    \25\ See Jessica Winter, ``The Dobbs Decision Has Unleashed 
Legal Chaos for Doctors and Patients,'' The New Yorker (July 2, 
2022) (Chloe Akers, a criminal defense attorney in Tennessee, 
discussing agencies authorized to investigate offenses related to 
abortion ``[t]hat leads to a serious concern about privacy at ob-gyn 
offices and for other health-care providers.''), <a href="https://www.newyorker.com/news/news-desk/the-dobbs-decision-has-unleashed-legal-chaos-for-doctors-and-patients">https://www.newyorker.com/news/news-desk/the-dobbs-decision-has-unleashed-legal-chaos-for-doctors-and-patients</a>.
---------------------------------------------------------------------------

    Such deferrals or avoidance of lawful health care are not only 
problematic for individuals' health, but they are also problematic for 
public health. As discussed in greater detail below, the objective of 
public health is to protect and improve the health of people and their 
communities. Barriers that undermine the willingness of individuals to 
seek lawful health care in a timely manner or to provide complete and 
accurate health information to their health care providers undermine 
the overall objective of public health. Thus, based on the longstanding 
purposes of HIPAA, there is a compelling need to provide additional 
protections to this especially sensitive category of information.
    Following the Dobbs decision in 2022, laws enacted or effective in 
a number of states \26\ raised the prospect that highly sensitive PHI 
would be disclosed under circumstances that did not exist before the 
Supreme Court's decision, generating significant confusion for 
individuals, health care providers, family, friends, and caregivers 
regarding their ability to privately seek, obtain, provide, or 
facilitate health care. The Department has received questions from 
regulated entities, Members of Congress, and others about the state of 
privacy protections, particularly for information about an individual's 
reproductive health or about reproductive health care an individual may 
have received. While the Department has already taken steps to address 
some of the confusion,\27\ we have received additional inquiries and 
reports that indicate further clarification is needed to resolve this 
confusion and strengthen privacy protections. In light of this 
confusion, the Department believes that there is a need to reaffirm and 
clarify that maintaining the privacy of an individual's PHI is 
important to providing high-quality health care. To do so, the 
Department believes it is

[[Page 23510]]

necessary to provide heightened protections for another especially 
sensitive category of health information--PHI sought for the purposes 
of conducting a criminal, civil, or administrative investigation into 
or proceeding against any person in connection with seeking, obtaining, 
providing, or facilitating reproductive health care that is lawful 
under the circumstances in which it is provided. These proposed 
modifications would provide heightened protections for individuals' 
health information privacy under the defined circumstances; foster an 
open and honest exchange of information between the individual and 
health care provider, who--with that information--could employ 
evidence-based clinical practice guidelines; and increase access to 
high-quality, lawful health care.
---------------------------------------------------------------------------

    \26\ See ``After Roe Fell: Abortion Laws by State,'' Center for 
Reproductive Rights (updated in real time) (describing actions taken 
by states, including that ``some states and territories never 
repealed their pre-Roe abortion bans'' that have now gone into 
effect.), <a href="https://reproductiverights.org/maps/abortion-laws-by-state/">https://reproductiverights.org/maps/abortion-laws-by-state/</a>.
    \27\ See Press Release, ``HHS Issues Guidance to Protect Patient 
Privacy in Wake of Supreme Court Decision on Roe,'' U.S. Dep't of 
Health and Human Servs. (June 29, 2022), <a href="https://www.hhs.gov/about/news/2022/06/29/hhs-issues-guidance-to-protect-patient-privacy-in-wake-of-supreme-court-decision-on-roe.html">https://www.hhs.gov/about/news/2022/06/29/hhs-issues-guidance-to-protect-patient-privacy-in-wake-of-supreme-court-decision-on-roe.html</a>.
---------------------------------------------------------------------------

    The Department has determined, in accordance with other Federal 
agencies, that information about reproductive health care is 
particularly sensitive and requires heightened protections. For example, 
the Federal Trade Commission (FTC) has recognized that information 
related to personal reproductive matters is ``particularly sensitive.'' 
\28\ In business guidance, FTC staff explained that ``[t]he exposure of 
health information and medical conditions, especially data related to 
sexual activity or reproductive health, may subject people to 
discrimination, stigma, mental anguish, or other serious harms.'' \29\ 
As a result, the FTC has committed to using the full scope of its 
authorities to protect consumers' privacy, including the privacy of 
their health information and other sensitive data.\30\
---------------------------------------------------------------------------

    \28\ Kristin Cohen, ``Location, health, and other sensitive 
information: FTC committed to fully enforcing the law against 
illegal use and sharing of highly sensitive data,'' Federal Trade 
Commission Business Blog (July 11, 2022), <a href="https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal">https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal</a> (last 
accessed Nov. 15, 2022).
    \29\ Id.
    \30\ Id.
---------------------------------------------------------------------------

    The Department of Defense (DOD) has also recognized such privacy 
concerns. In a memorandum to DOD leaders, the Secretary of Defense 
directed the DOD to ``[e]stablish additional privacy protections for 
reproductive health care information'' for service members and 
``[d]isseminate guidance that directs Department of Defense health care 
providers that they may not notify or disclose reproductive health 
information to commanders unless this presumption is overcome by 
specific exceptions set forth in policy.'' \31\ The guidance repeatedly 
emphasizes not only the importance of privacy for such highly sensitive 
information but also the importance of privacy in making highly 
sensitive reproductive health care decisions.\32\
---------------------------------------------------------------------------

    \31\ Memorandum Re: Ensuring Access to Reproductive Health Care, 
Dep't of Defense (Oct. 20, 2022), p. 1, (emphasis in original), 
<a href="https://media.defense.gov/2022/Oct/20/2003099747/-1/-1/1/MEMORANDUM-ENSURING-ACCESS-TO-REPRODUCTIVE-HEALTH-CARE.PDF">https://media.defense.gov/2022/Oct/20/2003099747/-1/-1/1/MEMORANDUM-ENSURING-ACCESS-TO-REPRODUCTIVE-HEALTH-CARE.PDF</a>.
    \32\ Id.
---------------------------------------------------------------------------

    The Department recognizes that the need for heightened protections 
for highly sensitive PHI is now more acute than it was before, given 
the actions taken by states to regulate, and even criminalize, 
reproductive health care.\33\ Before the Supreme Court's decision, the 
range of circumstances in which persons attempted to seek or use highly 
sensitive PHI in criminal, civil, and administrative investigations or 
proceedings in connection with the provision of reproductive health 
care was much narrower. The general HIPAA privacy protections provided 
the necessary trust to promote access to and receipt of high-quality 
and lawful health care in that environment. As states take steps to 
more broadly regulate reproductive health care, some individuals and 
their health care providers are at greater risk and have increased fear 
that especially sensitive PHI detailing the individual's need for, or 
receipt of, lawful reproductive health care will be used or disclosed 
without their knowledge or consent.\34\
---------------------------------------------------------------------------

    \33\ See ``Talk of prosecuting women for abortion pills roils 
antiabortion movement,'' supra note 11.
    \34\ Id.
---------------------------------------------------------------------------

    The Department carefully analyzed state prohibitions or 
restrictions on an individual's ability to obtain health care and the 
effects on health information privacy, access to high-quality health 
care, and the relationships between individuals and their health care 
providers after Dobbs; and conducted a thorough review of the history 
and text of HIPAA and the Privacy Rule. The Department has also engaged 
in extensive discussions with HHS agencies and other Federal 
departments, including the Department of Justice; examined media 
reports on state activity affecting privacy protections for 
reproductive health information; held listening sessions with and 
reviewed correspondence from stakeholders, including covered entities, 
requesting technical assistance from the Department and urging the 
Department to clarify and strengthen privacy protections for PHI; and 
reviewed correspondence to HHS from Members of Congress who have urged 
the same. The proposals contained within this NPRM are the result of 
this work.

B. Applicability

    The effective date of a final rule would be 60 days after 
publication.\35\ Regulated entities would have until the ``compliance 
date'' to establish and implement policies and practices to achieve 
compliance with any new or modified standards. Except as otherwise 
provided, 45 CFR 160.105 provides that regulated entities must comply 
with the applicable new or modified standards or implementation 
specifications no later than 180 days from the effective date of any 
such change. The Department has previously noted that the 180-day 
general compliance period for new or modified standards would not apply 
where a different compliance period is provided in the regulation for 
one or more provisions.\36\ However, the compliance period cannot be 
less than the statutory minimum of 180 days.\37\
---------------------------------------------------------------------------

    \35\ See Office of the Federal Register, A Guide to the 
Rulemaking Process (2011), p. 8, <a href="https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf">https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf</a>.
    \36\ See 78 FR 5566, 5569 (Jan. 25, 2013).
    \37\ See 42 U.S.C. 1320d-4(b)(2).
---------------------------------------------------------------------------

    The Department does not believe that the proposed rule would pose 
unique implementation challenges that would justify an extended 
compliance period (i.e., a period longer than the standard 180 days 
provided in 45 CFR 160.105). Further, the Department believes that 
adherence to the standard compliance period is necessary to timely 
address the circumstances described in this NPRM. Thus, the Department 
proposes to apply the standard compliance date of 180 days after the 
effective date of a final rule.\38\ The Department seeks comment on 
this time frame for compliance.
---------------------------------------------------------------------------

    \38\ See 45 CFR 160.104(c)(1), which requires the Secretary to 
provide at least a 180-day period for covered entities to comply 
with modifications to standards and implementation specifications in 
the HIPAA Rules.
---------------------------------------------------------------------------

    If any provision in this rulemaking is held to be invalid or 
unenforceable facially, or as applied to any person, plaintiff, or 
circumstance, the provision shall be severable from the remainder of 
this rulemaking, and shall not affect the remainder thereof, and the 
invalidation of any specific application of a provision shall not 
affect the application of the provision to other persons or 
circumstances.

C. Table of Abbreviations/Commonly Used Acronyms in This Document

    As used in this preamble, the following terms and abbreviations 
have the meanings noted below.

[[Page 23511]]



------------------------------------------------------------------------
                  Term                               Meaning
------------------------------------------------------------------------
AMA....................................  American Medical Association.
BLS....................................  Bureau of Labor Statistics.
CDC....................................  Centers for Disease Control and
                                          Prevention.
DOD....................................  Department of Defense.
HHS or Department......................  U.S. Department of Health and
                                          Human Services.
EHR....................................  Electronic Health Record.
E.O....................................  Executive Order.
FTC....................................  Federal Trade Commission.
GINA...................................  Genetic Information
                                          Nondiscrimination Act of 2008.
Health IT..............................  Health Information Technology.
HITECH Act.............................  Health Information Technology
                                          for Economic and Clinical
                                          Health Act of 2009.
HIPAA..................................  Health Insurance Portability
                                          and Accountability Act of
                                          1996.
ICR....................................  Information Collection Request.
IIHI...................................  Individually Identifiable
                                          Health Information.
NCVHS or Committee.....................  National Committee on Vital and
                                          Health Statistics.
NPP....................................  Notice of Privacy Practices.
NPRM...................................  Notice of Proposed Rulemaking.
OCR....................................  Office for Civil Rights.
OMB....................................  Office of Management and
                                          Budget.
PDF....................................  Portable Document Format.
PHI....................................  Protected Health Information.
PRA....................................  Paperwork Reduction Act of
                                          1995.
PSAO...................................  Pharmacy Services
                                          Administration Organization.
RFA....................................  Regulatory Flexibility Act.
RIA....................................  Regulatory Impact Analysis.
SBA....................................  Small Business Administration.
SSA....................................  Social Security Act of 1935.
UMRA...................................  Unfunded Mandates Reform Act of
                                          1995.
VA.....................................  Department of Veterans Affairs.
------------------------------------------------------------------------

II. Statutory Authority and Regulatory History

A. Statutory Authority and History

1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    In 1996, Congress enacted HIPAA \39\ to reform the health care 
delivery system. In so doing, Congress intended to make health 
insurance more portable and accessible for consumers, to improve its 
quality, and to simplify its administration.\40\ As noted by a leading 
proponent of the bill during final debate leading up to passage of the 
law, ``[o]ur objective, then, is to initiate fundamental reforms in 
access to health care without doing irreversible harm to quality, 
research and technology.'' \41\
---------------------------------------------------------------------------

    \39\ See HIPAA, supra note 1.
    \40\ See H. Rept. 104-736, 104th Cong. (1996) at 177. See also 
142 Cong. Rec. H3038 (daily ed. Mar. 28, 1996), (statement of Rep. 
McDermott) (speaking about how privacy protection is essential to 
improving health care quality, one of the purposes of the H.R. 3103, 
Health Coverage Availability and Affordability Act of 1996, the 
precursor to HIPAA); 142 Cong. Rec. H9568 (daily ed. Aug. 1, 1996) 
(statement of Rep. Ganske).
    \41\ See 142 Cong. Rec. S9505 (daily ed. Aug. 2, 1996) 
(statement of Sen. Roth).
---------------------------------------------------------------------------

    At the time, the health care system was moving from paper-based to 
electronic medical records. Congress recognized the need to reduce the 
burden of the transition on health care providers, encourage health 
care provider adoption of technology by addressing concerns for 
potential liability for use of new systems, and ensure patient 
confidentiality of electronic data to foster trust in health care 
providers and support patient access to health care.\42\ Congressional 
statements leading up to HIPAA's enactment demonstrate Congress' desire 
that the law enhance individuals' trust in health care providers: ``The 
bill would also establish strict security standards for health 
information because Americans clearly want to make sure that their 
health care records can only be used by the medical professionals that 
treat them. Often we assume that because doctors take an oath of 
confidentiality that in fact all who touch their records operate by the 
same standards. Clearly they do not.'' \43\
---------------------------------------------------------------------------

    \42\ See H.Rept. 104-736 at 177 and 264, supra note 40. See also 
142 Cong. Rec. H9780 (daily ed., No. 116 Part II, Aug. 1, 1996) 
(statement of Rep. Sawyer); 142 Cong. Rec. H9792 (daily ed. Aug. 1, 
1996) (statement of Rep. McDermott); and 142 Cong. Rec. S9515-16 
(daily ed. Aug. 2, 1996) (statement of Sen. Simon).
    \43\ 142 Cong. Rec. H9780 (statement of Rep. Sawyer), supra note 
42.
---------------------------------------------------------------------------

    To address these needs, Congress enacted HIPAA's Administrative 
Simplification provisions \44\ in subtitle F, sections 261 through 264, 
which contained requirements for standards to support the electronic 
exchange of health information. Section 261 states, in part, that 
``[i]t is the purpose of this subtitle to improve [ . . . ] the 
efficiency and effectiveness of the health care system, by encouraging 
the development of a health information system through the 
establishment of standards and requirements for the electronic 
transmission of certain health information [ . . . ].'' \45\
---------------------------------------------------------------------------

    \44\ See HIPAA, supra note 1.
    \45\ 42 U.S.C. 1320d note (Statutory Notes and Related 
Subsidiaries: Purpose). Subtitle F also amended related provisions 
of the SSA.
---------------------------------------------------------------------------

    HIPAA protects individuals' health information in various ways. 
Congress prohibited, among other things, the disclosure of 
``individually identifiable health information to another person'' \46\ 
and provided for severe penalties for violations, including prison 
sentences of up to 10 years and monetary fines of up to $250,000.\47\ 
Congress also put in place numerous protections for the privacy of 
individuals' health information and directed HHS to promulgate rules, 
recognizing the importance of standards for security and privacy in the 
developing electronic environment, when Congress did not enact detailed 
privacy requirements within a specified period.\48\
---------------------------------------------------------------------------

    \46\ 42 U.S.C. 1320d-6(a).
    \47\ 42 U.S.C. 1320d-6(b).
    \48\ See, e.g., 42 U.S.C. 1320a-7c(a)(3)(B)(ii) (creating a 
fraud and abuse control program with measures to protect, among 
other things, the confidentiality of the information and the privacy 
of individuals receiving health care services and items.); H.Rept. 
104-736 at 242, supra note 40 (explaining that such program ``would 
ensure the confidentiality of information [ . . . ] as well as the 
privacy of individuals receiving health care services''); 42 U.S.C. 
1320a-7e(b)(3) (creating a health care fraud and abuse data 
collection program with procedures to assure the protection of the 
privacy of individuals receiving health care services.); H.Rept. 
104-736 at 252, supra note 40 (explaining that such program would 
``protect the privacy of individuals receiving health care 
services''); section 264(a) of Public Law 104-191, (codified at 42 
U.S.C. 1320d-2 note) (requiring the Secretary of HHS to submit 
recommendations on privacy standards for individually identifiable 
health information); section 264(c) of Public Law 104-191, (codified 
at 42 U.S.C. 1320d-2 note) (requiring the Secretary to issue 
regulations containing such privacy standards if Congress does not); 
H.Rept. 104-736 at 265, supra note 40 (recognizing that ``certain 
uses of individually identifiable information are appropriate, and 
do not compromise the privacy of an individual[,]'' such as ``the 
transfer of information when making referrals from primary care to 
specialty care'').
---------------------------------------------------------------------------

    HIPAA's preemption provisions reflect Congress' intent to protect 
individuals' health care privacy. The statute provides a ``[g]eneral 
rule'' that, with certain exceptions, HIPAA's provisions ``supersede 
any contrary provision of State law.'' \49\ One exception to HIPAA's 
preemption provisions is for ``state privacy laws that are contrary to 
and more stringent than the corresponding federal standard, 
requirement, or implementation specification.'' \50\ ``The effect of 
these provisions is to let the law that is most protective of privacy 
control.'' \51\ Thus, HIPAA created privacy standards that safeguard 
the health information of all Americans, while respecting the ability

[[Page 23512]]

of states to provide individuals with additional privacy protection.
---------------------------------------------------------------------------

    \49\ 42 U.S.C. 1320d-7(a)(1) (providing the general rule that, 
with limited exceptions, a provision or requirement under HIPAA 
supersedes any contrary provision of state law.) See also section 
264(c)(2) of Public Law 104-191 (codified at 42 U.S.C. 1320d-2 
note).
    \50\ 65 FR 82580 (the exception applies under section 
1178(a)(2)(B) of the SSA and section 264(c)(2) of HIPAA).
    \51\ Id.
---------------------------------------------------------------------------

    The Conference Report resolving differences in House and Senate 
bill language provides further evidence that Congress gave great weight 
to the need for privacy standards that adequately protect individual 
health information privacy at a Federal level but allow for greater 
health information privacy protection by states. Congressional 
references to ``rapidly'' progressing technological innovation \52\ and 
the need to balance the privacy interests of individuals and the 
benefits of sharing data in certain circumstances (e.g., sharing IIHI 
for treatment or aggregated data for research \53\) demonstrate that 
Congress considered that health care reform would require a carefully 
calibrated and appropriate method for exchanging data. Similarly, 
congressional deliberations demonstrate that Congress viewed individual 
privacy, confidentiality, and data security as critical for orderly 
administrative simplification.\54\ As noted by one Member of Congress, 
privacy standards would add an additional layer of protection beyond 
the oath pledged by health care providers to keep information secure 
and, as described by another Member, would further protect information 
from being used in a ``malicious or discriminatory manner.'' \55\
---------------------------------------------------------------------------

    \52\ See H.Rept. 104-736 at 270, supra note 40. See also South 
Carolina Med. Ass'n v. Thompson, 327 F.3d 346, 354 (4th Cir. 2003) 
(``Recognizing the importance of protecting the privacy of health 
information in the midst of the rapid evolution of health 
information systems, Congress passed HIPAA in August 1996.''), cert. 
denied, 540 U.S. 981 (2003).
    \53\ See H.Rept. 104-736 at 265, supra note 40.
    \54\ On a resolution waiving points of order against the 
Conference Report to H.R. 3103, members debated an ``erosion of 
privacy'' balanced against the administrative simplification 
provisions. See 142 Cong. Rec. H9777 and H9780, supra note 42.
    \55\ See comment from Rep. Sawyer, supra note 42. See also 
statement of Sen. Simon, supra note 42.
---------------------------------------------------------------------------

    Congress applied the Administrative Simplification provisions 
directly to three types of entities known as ``covered entities''--
health plans, health care clearinghouses, and health care providers who 
transmit information electronically in connection with a transaction 
for which HHS has adopted a standard.\56\ Congress also required the 
Secretary, no later than 12 months from the date of enactment, to 
identify ``detailed'' recommendations for Federal standards to protect 
the privacy and security of IIHI nationwide addressing, at least, (1) 
the rights that an individual who is a subject of IIHI should have; (2) 
the procedures that should be established for the exercise of such 
rights; and (3) the uses and disclosures of such information that 
should be authorized or required. Congress further directed the 
Secretary to promulgate standards to govern the privacy of information 
no later than 42 months after HIPAA's enactment if Congress itself had 
not done so via additional legislation.\57\
---------------------------------------------------------------------------

    \56\ See section 262 of Public Law 104-191, adding section 1172 
to the SSA (codified at 42 U.S.C. 1320d-1). See also section 13404 
of the American Recovery and Reinvestment Act of 2009, Public Law 
111-5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 17934) 
(applying privacy provisions and penalties to business associates of 
covered entities).
    \57\ See section 264 of Public Law 104-191 (codified at 42 
U.S.C. 1320d-2 note). Although the original regulations were enacted 
in 2001, more than 42 months from HIPAA's enactment, ``HHS's delay 
in promulgating the final Privacy Rule did not deprive the agency of 
the power to act.'' Ass'n of Am. Physicians & Surgeons, Inc. v. HHS, 
224 F. Supp. 2d 1115, 1127 (S.D. Tex. 2002), aff'd, 67 F. App'x 253 
(5th Cir. 2003) (noting that HHS's delay, ``particularly in the face 
of huge administrative burdens . . . do[es] not result in the 
invalidation of HHS's authority to promulgate the Privacy Rule'') 
(citing Regions Hospital v. Shalala, 522 U.S. 448, 459 n.2 (1998); 
Brock v. Pierce Cnty., 476 U.S. 253, 260 (1986)).
---------------------------------------------------------------------------

    HIPAA section 264(d) required the Secretary to consult with the 
Department's National Committee on Vital and Health Statistics (NCVHS) 
\58\ in carrying out the requirements of section 264.\59\ Like 
Congress, NCVHS considered the appropriateness of permitting 
identifiable health information to be used for certain purposes and not 
others and requiring ``substantive and procedural barriers'' for still 
others. For example, NCVHS recommended that ``strong substantive and 
procedural protections'' be imposed if health information were to be 
disclosed to law enforcement, and, where identifiable health 
information would be made available for non-health purposes, 
individuals should be afforded assurances that their data would not be 
used against them.\60\ Ultimately, NCVHS ``unanimously'' believed, ``[ 
. . . ] the Secretary and the Administration [should] assign the 
highest priority to the development of a strong position on health 
privacy that provides the highest possible level of protection for the 
privacy rights of patients.'' \61\ NCVHS further noted that failure to 
do so would ``undermine public confidence in the health care system, 
expose patients to continuing invasions of privacy, subject record 
keepers to potentially significant legal liability, and interfere with 
the ability of health care providers and others to operate the health 
care delivery and payment system in an effective and efficient 
manner,'' which would undermine what Congress intended when it enacted 
HIPAA.\62\
---------------------------------------------------------------------------

    \58\ See section 264(a) and (d) of Public Law 104-191 (codified 
at 42 U.S.C. 1320d-2 note). The law also required the Secretary to 
consult with the U.S. Attorney General.
    \59\ 42 U.S.C. 242k(k) established the NCVHS as an 18-member 
committee within the Office of the Secretary. The statute requires 
the committee to include persons with expertise in the following 
fields: health statistics, electronic interchange of health care 
information, privacy and security of electronic information, 
population-based public health, purchasing or financing health care 
services, integrated computerized health information systems, health 
services research, consumer interests in health information, health 
data standards, epidemiology, and the provision of health services. 
NCVHS committee members are appointed to serve four-year terms. 
NCVHS serves as the statutory public advisory body to the Secretary 
``for health data, statistics, privacy, and national health 
information policy and the Health Insurance Portability and 
Accountability Act.'' In addition, the Committee advises the 
Secretary, ``reports regularly to Congress on HIPAA implementation, 
and serves as a forum for interaction between HHS and interested 
private sector groups on a range of health data issues.'' National 
Comm. on Vital and Health Statistics, About NCVHS, <a href="https://ncvhs.hhs.gov/">https://ncvhs.hhs.gov/</a>.
    \60\ Letter from NCVHS Chair Don E. Detmer to HHS Secretary 
Donna E. Shalala (June 27, 1997) (forwarding NCVHS recommendations), 
<a href="https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/">https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/</a>.
    \61\ Id. at Principal Findings and Recommendations.
    \62\ Id.
---------------------------------------------------------------------------

    The NCVHS explicitly stated that:

    The Committee strongly supports limiting use and disclosure of 
identifiable information to the minimum amount necessary to 
accomplish the purpose. The Committee also strongly believes that 
when identifiable health information is made available for non-
health uses, patients deserve a strong assurance that the data will 
not be used to harm them.\63\
---------------------------------------------------------------------------

    \63\ Id. at Executive Summary.

    NCVHS acknowledged that secondary uses of individuals' health 
information could provide benefits to society but recognized that these 
uses posed the potential for harm to individuals in certain 
circumstances. As NCVHS described it, ``[a] restriction prohibiting 
secondary use against the record subject is an essential part of the 
`bargain' that allows use of the data for socially beneficial purposes 
while protecting individual patients.'' \64\ Thus, NCVHS strongly 
recommended restrictions of the ability of third parties to use 
information against the individual for purposes unrelated to health, 
particularly for law enforcement and other governmental purposes.
---------------------------------------------------------------------------

    \64\ Id. at E.
---------------------------------------------------------------------------

    In its recommendations, NCVHS acknowledged that there might be 
difficulty in distinguishing between categories of users, but it also 
recognized the importance of doing so.\65\ NCVHS recommended that ``any 
rules

[[Page 23513]]

regulating disclosures of identifiable health information be as clear 
and as narrow as possible. Each group of users must be required to 
justify their need for health information and must accept reasonable 
substantive and procedural limitations on access.'' \66\ This would 
allow for the disclosures that society deemed necessary and appropriate 
while providing individuals with clear expectations regarding their 
health information privacy.
---------------------------------------------------------------------------

    \65\ Id. at F.
    \66\ Id.
---------------------------------------------------------------------------

2. The Health Information Technology for Economic and Clinical Health 
(HITECH) Act
    On February 17, 2009, Congress enacted the Health Information 
Technology for Economic and Clinical Health Act of 2009 (HITECH Act) 
\67\ to promote the widespread adoption and standardization of health 
information technology (health IT). In passing the law, Congress 
instructed that any new health IT standards take into account the 
privacy and security requirements of the HIPAA Rules.\68\
---------------------------------------------------------------------------

    \67\ Title XIII of Division A and Title IV of Division B of the 
American Recovery and Reinvestment Act of 2009, Public Law 111-5, 
123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 201 note).
    \68\ Section 3009(a)(1)(B) of the HITECH Act (codified at 42 
U.S.C. 300jj-19(a)(1)) requires that the health IT standards and 
implementation specifications adopted under section 3004 take into 
account the requirements of HIPAA privacy and security law.
---------------------------------------------------------------------------

    Within the HITECH Act, Congress enacted new HIPAA privacy and 
security requirements for covered entities and business associates and 
expanded certain rights of individuals with respect to their PHI. The 
HITECH Act affirmed that ``[t]he standards governing the privacy and 
security of individually identifiable health information promulgated by 
the Secretary under sections 262(a) and 264'' of HIPAA ``shall remain 
in effect to the extent that they are consistent with this subtitle'' 
and directed the Secretary to ``amend such Federal regulations as 
required to make such regulations consistent with this subtitle.'' \69\ 
The HITECH Act further provided that ``[t]his title may not be 
construed as having any effect on the authorities of the Secretary 
under HIPAA privacy and security law,'' defined to include ``section 
264 of the [HIPAA]'' and ``regulations under [that] provision[ ].'' 
\70\
---------------------------------------------------------------------------

    \69\ Section 13421(b) of the HITECH Act (codified at 42 U.S.C. 
17951).
    \70\ Section 3009(a) of the HITECH Act (codified at 42 U.S.C. 
300jj-19(a)), which, as stated above, preserves the Secretary's 
authority to modify the privacy regulations under 45 CFR 160.104(a).
---------------------------------------------------------------------------

    Congress understood the relationship between a connected health IT 
landscape, a necessary and vital component of health care reform,\71\ 
and privacy and security standards when it enacted the HITECH Act. The 
Purpose statement of an accompanying House of Representatives report 
\72\ on the Energy and Commerce Recovery and Reinvestment Act \73\ 
recognizes that ``[i]n addition to costs, concerns about the security 
and privacy of health information have also been regarded as an 
obstacle to the adoption of [health IT].'' The Senate Report for S. 336 
\74\ similarly acknowledges that ``[i]nformation technology systems 
linked securely and with strong privacy protections can improve the 
quality and efficiency of health care while producing significant cost 
savings.'' \75\ As the Department explained in the 2013 regulation 
referred to as the ``Omnibus Rule'' \76\ and discussed in greater 
detail below, the HITECH Act's new HIPAA privacy and security 
requirements \77\ supported Congress' goal to promote widespread 
adoption and interoperability of health IT by ``strengthen[ing] the 
privacy and security protections for health information established by 
HIPAA.'' \78\
---------------------------------------------------------------------------

    \71\ C. Stephen Redhead, ``The Health Information Technology for 
Economic and Clinical Health (HITECH) Act,'' Congressional Research 
Service (updated Apr. 27, 2009), <a href="https://crsreports.congress.gov/product/pdf/R/R40161/9">https://crsreports.congress.gov/product/pdf/R/R40161/9</a> (``[Health IT], which generally refers to the 
use of computer applications in medical practice, is widely viewed 
as a necessary and vital component of health care reform.'').
    \72\ H.Rept. 111-7, accompanying H.R. 629, 111th Cong., at 74 
(2009).
    \73\ H.R. 629, Energy and Commerce Recovery and Reinvestment Act 
of 2009, introduced in the House on January 22, 2009, contained 
nearly identical provisions to subtitle D of the HITECH Act.
    \74\ Congress enacted the American Recovery and Reinvestment Act 
of 2009, which included the HITECH Act, on February 17, 2009. While 
it was the House version of the bill, H.R. 1, that was enacted, the 
Senate version, S. 336, contained nearly identical provisions to 
subtitle D of the HITECH Act.
    \75\ S.Rept. 111-3, 111th Cong. accompanying S. 336, 111th 
Cong., at 59 (2009).
    \76\ 78 FR 5566.
    \77\ Subtitle D of title XIII of the HITECH Act (codified at 42 
U.S.C. 17921, 42 U.S.C. 17931-17941, and 42 U.S.C. 17951-17953).
    \78\ 78 FR 5568.
---------------------------------------------------------------------------

B. Rulemaking Authority and Regulatory History

1. The Department's Rulemaking Authority Under HIPAA
    In passing HIPAA, Congress recognized the importance of privacy for 
IIHI by requiring the Secretary to issue regulations on privacy in the 
event that Congress itself did not enact specific privacy 
legislation.\79\ That statutory directive complemented the Secretary's 
general rulemaking authority to ``make and publish such rules and 
regulations, not inconsistent with this chapter, as may be necessary to 
the efficient administration of the functions with which each is 
charged under this chapter.'' \80\
---------------------------------------------------------------------------

    \79\ See Section 264(c)(1) of Public Law 104-191 (codified at 42 
U.S.C. 1320d-2 note).
    \80\ Section 1102 of the SSA (codified at 42 U.S.C. 1302).
---------------------------------------------------------------------------

    Congress further contemplated that related rulemaking authorities 
would not be static. Indeed, in a closely analogous section of the 
HIPAA Administrative Simplification provisions--related to enabling the 
electronic exchange of health information--Congress built in a 
mechanism to adapt such regulations as technology and health care 
evolve, directing that the Secretary review and modify the 
Administrative Simplification standards as determined appropriate, but 
not more frequently than once every 12 months.\81\ The Department 
recognized how intertwined these particular Administrative 
Simplification standards would be with the standards for the privacy of 
individually identifiable health information, and thus promulgated a 
regulatory standard that limits modifications to all of the rules 
promulgated under the Administrative Simplification provisions to no 
more frequently than once every 12 months.\82\
---------------------------------------------------------------------------

    \81\ See Section 1174(b)(1) of Public Law 104-191 (codified at 
42 U.S.C. 1320d-3).
    \82\ 45 CFR 160.104.
---------------------------------------------------------------------------

    The Secretary exercised each of these rulemaking authorities in 
2000 to adopt 45 CFR 160.104(a), which reserves the Secretary's power 
to modify any ``standard or implementation specification adopted under 
this subchapter'' of these regulations, including the Administrative 
Simplification provisions. The Secretary invoked this modification 
authority to amend the Privacy Rule in 2002.\83\
---------------------------------------------------------------------------

    \83\ See 67 FR 53182 (Aug. 14, 2002).
---------------------------------------------------------------------------

    Subsequently, as discussed above, Congress affirmed that the HIPAA 
Rules--including 45 CFR 160.104(a)--are to remain in effect to the 
extent that they are consistent with the HITECH Act and directed the 
Secretary to revise the HIPAA Rules as necessary for consistency with 
the HITECH Act.\84\ At the same time, Congress also confirmed that the 
new law was not intended to have any effect on authorities already 
granted under HIPAA to the Department, including section 264 of that 
statute and the regulations issued under that provision. Congress' 
affirmation of the Secretary's rulemaking power, including the

[[Page 23514]]

authority to modify the Secretary's own regulations, thus confirms that 
the Secretary retains the authority to modify the Privacy Rule as often 
as every 12 months when appropriate, including to strengthen privacy 
and security protections for IIHI. In fact, after the enactment of the 
HITECH Act, the Secretary exercised this authority to modify the 
Privacy Rule again in 2013.\85\
---------------------------------------------------------------------------

    \84\ Section 13421(b) of the HITECH Act (codified at 42 U.S.C. 
17951).
    \85\ See 78 FR 5566.
---------------------------------------------------------------------------

    To properly execute the HIPAA statutory mandate, and in accordance 
with the regulatory authority granted to it by Congress, the Department 
regularly evaluates the interaction of the Privacy Rule and state 
statutes and regulations governing the privacy of health information. 
In keeping with the Department's practice, this NPRM attempts to 
accommodate state autonomy to the extent consistent with the need to 
maintain rules for health information privacy that serve HIPAA's 
objectives. The proposed regulation, if finalized, would thus preempt 
state law only to the extent necessary to achieve the national 
objectives of HIPAA.
    The Secretary has delegated authority to administer the HIPAA Rules 
and to make decisions regarding their implementation, interpretation, 
and enforcement to the HHS Office for Civil Rights (OCR).\86\
---------------------------------------------------------------------------

    \86\ See U.S. Dep't of Health and Human Servs., Office of the 
Secretary, Office for Civil Rights; Statement of Delegation of 
Authority, 65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and 
Human Servs., Office of the Secretary, Office for Civil Rights; 
Delegation of Authority, 74 FR 38630 (Aug. 4, 2009); U.S. Dep't of 
Health and Human Servs., Office of the Secretary, Statement of 
Organization, Functions and Delegations of Authority, 81 FR 95622 
(Dec. 28, 2016).
---------------------------------------------------------------------------

2. Regulatory History
The 2000 Privacy Rule
    As directed by HIPAA, the Department provided a series of 
recommendations to Congress for a potential new law that would address 
the confidentiality of individually identifiable health 
information.\87\ Congress did not act within its three-year self-
imposed deadline. As a result, the Department published a proposed rule 
setting forth the required standards on November 3, 1999,\88\ and 
issued the first final rule establishing ``Standards for Privacy of 
Individually Identifiable Health Information'' (``2000 Privacy Rule'') 
on December 28, 2000.\89\
---------------------------------------------------------------------------

    \87\ See Confidentiality of Individually Identifiable Health 
Information, U.S. Dep't of Health and Human Servs., Section I.A. 
(Sept. 1997), <a href="https://aspe.hhs.gov/reports/confidentiality-individually-identifiable-health-information">https://aspe.hhs.gov/reports/confidentiality-individually-identifiable-health-information</a>.
    \88\ 64 FR 59918.
    \89\ 65 FR 82462.
---------------------------------------------------------------------------

    The final rule announced ``standards to protect the privacy of 
individually identifiable health information'' to ``begin to address 
growing public concerns that advances in electronic technology and 
evolution in the health care industry are resulting, or may result, in 
a substantial erosion of the privacy surrounding'' health 
information.\90\ On the eve of that rule's issuance, the President 
issued an Executive order recognizing the importance of protecting 
patient privacy, explaining that ``[p]rotecting the privacy of 
patients' protected health information promotes trust in the health 
care system. It improves the quality of health care by fostering an 
environment in which patients can feel more comfortable in providing 
health care professionals with accurate and detailed information about 
their personal health.'' \91\ Thus, the primary goal of the Privacy 
Rule was to provide greater protections to individuals' privacy and to 
engender a trusting relationship between individuals and health care 
providers.\92\
---------------------------------------------------------------------------

    \90\ 65 FR 82462.
    \91\ Executive Order 13181 (Dec. 20, 2000), 65 FR 81321.
    \92\ Id.
---------------------------------------------------------------------------

    Since promulgation, the Privacy Rule has protected PHI \94\ by 
limiting the circumstances under which covered entities and their 
business associates (collectively, ``regulated entities'') are 
permitted or required to use or disclose PHI and by requiring covered 
entities to have safeguards in place to protect the privacy of PHI. In 
adopting these regulations, the Department acknowledged the need to 
balance several competing factors, including existing legal 
expectations, individuals' privacy expectations, and societal 
expectations.\95\ The Department noted ``the large number of comments 
from individuals and groups representing individuals demonstrate the 
deep public concern about the need to protect the privacy of 
individually identifiable health information'' and ``evidence about the 
importance of protecting privacy and the potential adverse consequences 
to individuals and their health if such protections are not extended.'' 
\96\ The Department struck a balance between the ``competing 
interests--the necessity of protecting privacy and the public interest 
in using identifiable health information for vital public and private 
purposes--in a way that is also workable for the varied 
stakeholders[.]'' \97\
---------------------------------------------------------------------------

    \94\ PHI includes individuals' IIHI transmitted by or maintained 
in electronic media or any other form or medium, with certain 
exceptions. See 45 CFR 160.103 (definition of ``Protected health 
information'').
    \95\ See 65 FR 82471.
    \96\ 65 FR 82472.
    \97\ Id.
---------------------------------------------------------------------------

    The Department established ``general rules'' for uses and 
disclosures of PHI, codified at 45 CFR 164.502, in the 2000 Privacy 
Rule.\98\ The 2000 Privacy Rule also specified the circumstances in 
which a covered entity was required to obtain an individual's 
consent,\99\ authorization,\100\ or the opportunity for the individual 
to agree or object.\101\ Additionally, it established rules for when a 
covered entity is permitted to use or disclose PHI without an 
individual's consent, authorization, or opportunity to agree or 
object.\102\ In particular, the Privacy Rule permits certain uses and 
disclosures of PHI, without the individual's authorization, for 
identified activities that benefit the community, such as public health 
activities, law enforcement purposes, judicial and administrative 
proceedings, and research.
---------------------------------------------------------------------------

    \98\ 65 FR 82462.
    \99\ 45 CFR 164.506 was originally titled ``Consent for uses or 
disclosures to carry out treatment, payment, or health care 
operations.''
    \100\ 45 CFR 164.508.
    \101\ 45 CFR 164.510.
    \102\ 45 CFR 164.512.
---------------------------------------------------------------------------

    The Privacy Rule also established the rights of individuals with 
respect to their PHI, including the right to receive adequate notice of 
a covered entity's privacy practices, the right to request restrictions 
of uses and disclosures, the right to access (i.e., to inspect and 
obtain a copy of) their PHI, the right to request an amendment of their 
PHI, and the right to receive an accounting of disclosures.\103\
---------------------------------------------------------------------------

    \103\ See 45 CFR 164.520, 164.522, 164.524, 164.526, and 
164.528.
---------------------------------------------------------------------------

    As part of the final rule, the Department provided that covered 
entities were to comply with the 2000 Privacy Rule no later than 24 
months following its effective date.\104\
---------------------------------------------------------------------------

    \104\ The effective date of the Privacy Rule was updated to 
April 14, 2001. A covered entity meeting the definition of a small 
health plan was given 36 months to comply with the Privacy Rule. The 
compliance date for most covered entities was April 14, 2003. See 66 
FR 12434 (Feb. 26, 2001).
---------------------------------------------------------------------------

The 2002 Privacy Rule
    After publication of the 2000 Privacy Rule, the Department received 
many

[[Page 23515]]

inquiries and unsolicited comments about the Rule's impact and 
operation. As a result, the Department opened the 2000 Privacy Rule for 
further comment in March 2001, less than one month before the effective 
date and 25 months before the compliance date for most covered 
entities, and issued clarifying guidance on the Rule's 
implementation.\105\ NCVHS' Subcommittee on Privacy, Confidentiality 
and Security held public hearings about the 2000 Privacy Rule. From 
those hearings, the Department learned more about concerns related to 
key provisions and their potential unintended consequences on health 
care quality and access.\106\ In March 2002, the Department proposed 
modifications to the 2000 Privacy Rule to clarify the requirements and 
correct potential problems that could threaten access to, or quality 
of, health care.\107\
---------------------------------------------------------------------------

    \105\ 66 FR 12738 (Feb. 28, 2001).
    \106\ 67 FR 53183.
    \107\ 67 FR 14775 (Mar. 27, 2002).
---------------------------------------------------------------------------

    In response to the comments on the proposed rule, the Department 
finalized modifications on August 14, 2002 (``2002 Privacy 
Rule'').\108\ This final rule clarified HIPAA's requirements while 
``maintain[ing] strong protections for the privacy of individually 
identifiable health information.'' \109\ These modifications addressed 
certain workability issues, including but not limited to clarifying 
distinctions between health care operations and marketing; modifying 
the minimum necessary standard to exclude disclosures authorized by 
individuals and clarify its operation; clarifying that consent is not 
required for treatment, payment, or health care operations, and to 
otherwise clarify the role of consent in the Privacy Rule; and making 
other modifications and conforming amendments consistent with the 
proposed rule. The Department also included modifications to the 
provisions permitting the use or disclosure of PHI for public health 
activities and for research activities without consent, authorization, 
or an opportunity to agree or object.
---------------------------------------------------------------------------

    \108\ 67 FR 53182. See the final rule for changes in the 
entirety. The 2002 Privacy Rule was issued before the compliance 
date for the 2000 Privacy Rule. Thus, covered entities never 
implemented the 2000 Privacy Rule. Instead, they implemented the 
2000 Privacy Rule as modified by the 2002 Privacy Rule.
    \109\ 67 FR 53182.
---------------------------------------------------------------------------

2013 Omnibus Final Rule
    Following the enactment of the HITECH Act, the Department issued an 
NPRM, entitled ``Modifications to the HIPAA Privacy, Security, and 
Enforcement Rules Under the Health Information Technology for Economic 
and Clinical Health [HITECH] Act'' (``2010 NPRM''),\110\ to propose 
implementation of certain HITECH Act requirements. In 2013, the 
Department issued the Modifications to the HIPAA Privacy, Security, 
Enforcement, and Breach Notification Rules Under the Health Information 
Technology for Economic and Clinical Health [HITECH] Act and the 
Genetic Information Nondiscrimination Act, and Other Modifications to 
the HIPAA Rules--Final Rule (``2013 Omnibus Rule''),\111\ which 
implemented many of the new HITECH Act requirements, including 
strengthening individuals' privacy rights as related to their PHI.
---------------------------------------------------------------------------

    \110\ 75 FR 40867 (July 14, 2010).
    \111\ 78 FR 5565. In addition to finalizing requirements of the 
HITECH Act that were proposed in the NPRM, the Department adopted 
modifications to the Enforcement Rule not previously adopted in an 
earlier interim final rule, 74 FR 56123 (Oct. 30, 2009), and to the 
Breach Notification Rule not previously adopted in an interim final 
rule, 74 FR 42739 (Aug. 24, 2009). The Department also finalized 
previously proposed Privacy Rule modifications as required by GINA, 
74 FR 51698 (Oct. 7, 2009).
---------------------------------------------------------------------------

    The Department also finalized regulatory provisions not required by 
the HITECH Act, but necessary to address the ``workability and 
effectiveness'' of the HIPAA Rules and ``to increase flexibility for 
and decrease burden on regulated entities.'' \112\ In the 2010 NPRM, 
the Department noted that it had not amended the HIPAA Privacy and 
Security Rules since 2002 and 2003, respectively, other than to amend 
the Enforcement Rule through a 2009 interim final rule.\113\ It further 
explained that information gleaned from contact with the public since 
that time, enforcement experience, and technical corrections required 
to eliminate ambiguity provided the impetus for the Department's 
actions to make certain regulatory changes.\114\
---------------------------------------------------------------------------

    \112\ 78 FR 5566. The Department's general rulemaking authority 
is codified in HIPAA section 264(c), and OCR conducts rulemaking 
under HIPAA based on authority granted by the Secretary.
    \113\ See 75 FR 40871. See also 74 FR 56123. The Department 
issued an interim final rule on October 30, 2009, to implement 
HITECH Act statutory changes to the HIPAA Enforcement Rule.
    \114\ 75 FR 40871.
---------------------------------------------------------------------------

    For example, the Department modified its prior interpretation of 
the Privacy Rule requirement at 45 CFR 164.508(c)(1)(iv) that a 
description of a research purpose must be ``study specific.'' The 
Department explained that, under its new interpretation, the research 
purposes need only be described adequately so that it would be 
``reasonable for the individual to expect that his or her protected 
health information could be used or disclosed for such future 
research.'' \115\ The Department attributed its changed interpretation 
to the expressed concerns from covered entities, researchers, and other 
commenters to the 2010 NPRM that the former requirement did not 
represent current research practices. The Department expressed a 
similar rationale for the Privacy Rule modifications permitting certain 
disclosures of student immunization records to schools without an 
authorization,\116\ and another provision redefining the definition of 
PHI to exclude information regarding an individual who has been 
deceased for more than 50 years.\117\ For the latter, the Department 
noted that it was balancing the privacy interests of decedents' living 
relatives and other affected individuals against the legitimate needs 
of public archivists to obtain records.
---------------------------------------------------------------------------

    \115\ 78 FR 5612.
    \116\ Id. at 5616-17. See also 45 CFR 164.512(b)(1).
    \117\ 78 FR 5614. See also 45 CFR 164.502(f) and the definition 
of ``Protected health information'' at 45 CFR 160.103, excluding 
IIHI regarding a person who has been deceased for more than 50 
years.
---------------------------------------------------------------------------

    None of the above-described changes were expressly required by the 
HITECH Act. Rather, the Department determined them to be necessary 
pursuant to its ongoing general rulemaking authority.\118\
---------------------------------------------------------------------------

    \118\ In addition to the rulemakings discussed here, the 
Department has modified the HIPAA Privacy Rule for workability 
purposes and in response to changes in circumstances on two other 
occasions, and it issued another notice of proposed rulemaking in 
2021 for the same reasons. See 79 FR 7289 (Feb. 6, 2014), 81 FR 382 
(Jan. 6, 2016), and 86 FR 6446 (Jan. 21, 2021).
---------------------------------------------------------------------------

III. Justification for This Proposed Rulemaking

    HIPAA and the HIPAA Rules promote access to health care by 
establishing standards for the privacy of PHI in order to protect the 
confidentiality of individuals' health information. These protections 
promote the development and maintenance of confidence and trust between 
individuals and their health care providers and health plans, and help 
improve the completeness and accuracy of patient records.\119\ The 
Privacy Rule, as it has been amended over time, carefully balances the 
interests of individuals and society in identifiable health information 
by establishing conditions for when and how such information may be 
used and

[[Page 23516]]

disclosed--with and without the individual's permission.
---------------------------------------------------------------------------

    \119\ See 65 FR 82463. See also H. Rept. 104-736 at 177 and 264, 
supra note 40. See also 142 Cong. Rec. H9780 (statement of Rep. 
Sawyer), supra note 42; 142 Cong. Rec. H9792 (statement of Rep. 
McDermott), supra note 42; and 142 Cong. Rec. S9515-16 (statement of 
Sen. Simon), supra note 42.
---------------------------------------------------------------------------

    The Privacy Rule is balanced to protect an individual's privacy 
while allowing the use or disclosure of PHI for certain non-health care 
purposes, including in certain criminal, civil, and administrative 
investigations and proceedings. The Privacy Rule permits, but does not 
require, covered entities to disclose PHI to law enforcement officials, 
without the individual's written authorization, under specific 
circumstances.\120\ For example, a covered entity is permitted to 
disclose PHI to law enforcement in compliance with, and as limited by, 
the relevant requirements of a court order. A covered entity is also 
permitted to disclose certain limited types of PHI in response to a law 
enforcement official's request for such information for the limited 
purpose of identifying or locating a suspect, fugitive, material 
witness, or missing person. Such disclosures are also currently 
permitted, under certain circumstances, for health oversight 
purposes,\121\ judicial and administrative proceedings,\122\ or to 
coroners and medical examiners.\123\ Except when required by law, the 
disclosures summarized above are subject to a minimum necessary 
determination by the covered entity.\124\ When reasonable to do so, the 
covered entity may rely upon the representations of the public health 
authority, law enforcement official, or other public official as to 
what information is the minimum necessary for their lawful 
purpose.\125\ Moreover, if the law enforcement official making the 
request for information is not known to the covered entity, the covered 
entity must verify the identity and authority of such person prior to 
disclosing the information.\126\
---------------------------------------------------------------------------

    \120\ See 45 CFR 164.512(f).
    \121\ 45 CFR 164.512(d).
    \122\ 45 CFR 164.512(e).
    \123\ 45 CFR 164.512(g)(1).
    \124\ 45 CFR 164.502(b) and 164.514(d).
    \125\ 45 CFR 164.514(d)(3)(iii)(A).
    \126\ 45 CFR 164.514(h).
---------------------------------------------------------------------------

    However, the Department believes that developments in the legal 
environment have disrupted the balance. On one hand, there is the 
individual's interest in the privacy of their health information and 
that of society in fostering trust between individuals and health care 
providers to promote public health. On the other hand, there is the 
interest of others in using or disclosing that information to achieve 
certain public policy goals, in this case, for purposes of criminal, 
civil, and administrative investigations or proceedings. Those 
developments have made information related to reproductive health care, 
which has long been considered highly sensitive,\127\ more likely to be 
of interest for punitive non-health care purposes, and thus more likely 
to be disclosed if sought for a purpose permitted under the Privacy 
Rule today. The interest in this sensitive health information is likely 
to remain high, even where the reproductive health care has been 
provided under circumstances in which it was lawful to do so. The 
Department believes PHI will be increasingly targeted by those seeking 
evidence for criminal, civil, or administrative investigations into or 
proceedings against persons in connection with seeking, obtaining, 
providing, or facilitating reproductive health care--or identifying 
persons for such purposes, thereby jeopardizing the relationships 
between individuals and their health care providers, even when such 
health care is lawfully obtained.
---------------------------------------------------------------------------

    \127\ See Letter from NCVHS, supra note 14.
---------------------------------------------------------------------------

    To address these developments, the Department is proposing to 
protect this sensitive PHI and preserve that balance by establishing a 
new purpose for which disclosures are prohibited in certain 
circumstances--that is, the use or disclosure of PHI for the criminal, 
civil, or administrative investigation of or proceeding against an 
individual, regulated entity, or other person for seeking, obtaining, 
providing, or facilitating reproductive health care, as well as the 
identification of any person for the purpose of initiating such an 
investigation or proceeding. Such disclosures of PHI would be 
prohibited when the reproductive health care: (1) is provided outside 
of the state where the investigation or proceeding is authorized and 
where such health care is lawfully provided; (2) is protected, 
required, or authorized by Federal law, regardless of the state in 
which such health care is provided; or (3) is provided in the state in 
which the investigation or proceeding is authorized and that is 
permitted by the law of that state. In these circumstances, the state 
lacks any substantial interest in seeking the disclosure. Protecting 
against disclosures of PHI in these circumstances thus directly 
advances the long-understood purpose of the HIPAA privacy protections 
without unduly interfering with legitimate state prerogatives.
    To assist in effectuating this prohibition, the Department proposes 
to require covered entities in certain circumstances to obtain an 
attestation from the person requesting the use or disclosure that the 
use or disclosure is not for a prohibited purpose. Additionally, the 
Department proposes to clarify the definition of ``person'' and certain 
other terms that distinguish between state laws that are contrary to 
the Privacy Rule and are therefore preempted by it and those that are 
excepted from preemption. The Department also discusses its view of 
``child abuse'' for the purposes of the Privacy Rule and which persons 
a covered entity may decline to recognize as an individual's personal 
representative under particular circumstances. This NPRM contains 
proposals for minor technical corrections that reflect the Department's 
long-standing interpretation of the Privacy Rule. Lastly, the 
Department proposes to require modifications to the Notice of Privacy 
Practices (NPP) to ensure that individuals are aware of and understand 
the proposed prohibition.

A. HIPAA Encourages Trust by Carefully Balancing Individuals' Privacy 
Interests With Others' Interests in Using or Disclosing PHI

    It is well established that a functioning health care system 
depends in part on patients trusting their health care providers and 
health care systems.\128\ According to the American Medical Association 
(AMA), a key element of patient trust is privacy protection, ``a 
crucial element for honest health discussions.'' \129\ Privacy is the 
core foundation of the relationship between individuals and their 
health care providers.\130\ The original Hippocratic Oath required 
physicians to pledge to maintain the confidentiality of information 
they learn about their patients.\131\ Individuals' health privacy 
concerns affect their trust in health care providers, and thus, their 
willingness to provide complete and accurate information to health care 
providers.\132\

[[Page 23517]]

Individuals must disclose sensitive information to their health care 
providers to obtain appropriate health care.\133\ If individuals do not 
trust that the sensitive information they disclose to their health care 
providers will be kept private, they may be deterred from seeking or 
obtaining needed health care or withhold information from their health 
care providers, compromising the quality of the health care they 
receive.\134\ Similarly, if a health care provider does not trust that 
the information they include in an individual's medical records will 
be kept private, the health care provider might leave gaps or include 
inaccuracies when preparing medical records, creating a risk that 
ongoing or future health care would be compromised. Thus, the 
Privacy Rule promotes access to higher quality health care by 
protecting the privacy of individuals' health information in order to 
engender trust between individuals and health care providers and to 
help improve the completeness and accuracy of individuals' medical 
records. The Federal Government has a strong interest in ensuring that 
individuals have access to high-quality health care,\135\ and from its 
inception, the Privacy Rule has recognized the importance of trust to 
health care quality.
---------------------------------------------------------------------------

    \128\ See Jennifer Richmond, Marcella H. Boynton, Sachiko Ozawa, 
et al., ``Development and Validation of the Trust in My Doctor, 
Trust in Doctors in General, and Trust in the Health Care Team 
Scales,'' Social Science & Medicine (Apr. 2022), <a href="https://www.sciencedirect.com/science/article/abs/pii/S0277953622001332?via%3Dihub">https://www.sciencedirect.com/science/article/abs/pii/S0277953622001332?via%3Dihub</a>.
    \129\ See ``Patient Perspectives Around Data Privacy,'' American 
Medical Association (2022), <a href="https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf">https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf</a>.
    \130\ Id.
    \131\ Warren T. Reich, ed., ``Oath of Hippocrates,'' Encyclopedia 
of Bioethics, Vol. 5, p. 2632 (Macmillan; New York, NY: 1995).
    \132\ See ``Development and Validation of the Trust in My 
Doctor, Trust in Doctors in General, and Trust in the Health Care 
Team Scales,'' supra note 128; Bradley E. Iott, Celeste Campos-
Castillo, Denise L. Anthony, ``Trust and Privacy: How Patient Trust 
in Providers is Related to Privacy Behaviors and Attitudes,'' AMIA 
Annual Symposium Proceedings (Mar. 2020), <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/">https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/</a>; Pamela Sankar, Susan 
Mora, Jon F. Merz, et al., ``Patient perspectives of medical 
confidentiality: a review of the literature,'' Journal of General 
Internal Medicine (Aug. 2003), p. 659-69, <a href="https://pubmed.ncbi.nlm.nih.gov/12911650/">https://pubmed.ncbi.nlm.nih.gov/12911650/</a>.
    \133\ See ``Recommendations on Privacy and Confidentiality, 
2006-2008,'' Nat'l Comm. on Vital and Health Stats. (May 2009), p. 
4, <a href="https://ncvhs.hhs.gov/wp-content/uploads/2014/05/privacyreport0608.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2014/05/privacyreport0608.pdf</a>; See also Letter from NCVHS (forwarding NCVHS 
recommendations) (``As a practical matter, it is often essential for 
individuals to disclose sensitive, even potentially embarrassing, 
information to a health care provider to obtain appropriate care''), 
supra note 18.
    \134\ See 64 FR 60019 (In the 1999 Privacy Rule NPRM, the 
Department discussed confidentiality as an important component of 
trust between individuals and health care providers and cited a 1994 
consumer privacy survey that indicated that a lack of privacy may 
deter patients from obtaining preventive care and treatment.); 
``Trust and Privacy: How Patient Trust in Providers is Related to 
Privacy Behaviors and Attitudes,'' supra note 132.
    \135\ See Testimony (transcribed) of Peter R. Orszag, Director, 
Congressional Budget Office, Hearing on Comparative Clinical 
Effectiveness before House of Representatives Committee on Ways and 
Means, Subcommittee on Health, 2007 WL 1686358 (June 12, 2007) 
(``because federal health insurance programs play a large role in 
financing medical care and represent a significant expenditure, the 
federal government itself has an interest in evaluations of the 
effectiveness of different health care approaches''); Statement of 
Sen. Durenberger introducing S.1836, American Health Quality Act of 
1991 and reading bill text, 137 Cong. Rec. S26720 (Oct. 17, 1991) 
(``[T]he Federal Government has a demonstrated interest in assessing 
the quality of care, access to care, and the costs of care through 
the evaluative activities of several Federal agencies.'').
---------------------------------------------------------------------------

    Of course, health information--and PHI in particular--can be useful 
for purposes other than an individual's own health care. Indeed, 
society also benefits when individuals trust their health care 
providers to keep highly sensitive information private for the same 
reasons that individuals benefit. After all, it is to society's benefit 
that individuals seek out necessary medical care, and that when they 
do, they receive high-quality health care based on information that is 
more likely to be complete and accurate when individuals trust their 
health care providers. Individuals' lack of trust in health care 
providers and the health care system can have serious consequences for 
society.\136\
---------------------------------------------------------------------------

    \136\ See Letter from NCVHS, supra note 18.
---------------------------------------------------------------------------

    There is also significant interest in using PHI to address non-
health care concerns, such as for research, law enforcement purposes, 
judicial and administrative proceedings, health oversight activities, 
and others. As the Department explained in the 1999 Privacy Rule NPRM, 
``The information may be sought well before a trial or hearing, to 
permit the party to discover the existence or nature of testimony or 
physical evidence, or in conjunction with the trial or hearing, in 
order to obtain the presentation of testimony or other evidence. These 
uses of health information are clearly necessary to allow the smooth 
functioning of the legal system.'' \137\ For example, in the absence of 
a permission to use or disclose PHI for judicial and administrative 
proceedings, a regulated entity would be dependent upon an individual's 
authorization to use or disclose PHI to defend itself against a medical 
malpractice claim brought by the individual, rendering the regulated 
entity dependent upon the very person bringing the claim against them. 
The Department believes that there is societal benefit to permitting 
such uses and disclosures where such uses and disclosures do not 
undermine the public policy goals set by Congress when it passed 
HIPAA--that is, where they do not undermine the trust of individuals in 
the health care system and the ability of individuals to receive high-
quality health care.\138\ The Department has long permitted uses and 
disclosures of PHI for non-health care purposes in such circumstances, 
subject to certain limitations because of the potential harm they could 
cause to individuals.
---------------------------------------------------------------------------

    \137\ 64 FR 59959.
    \138\ See Letter from NCVHS, at Executive Summary, supra note 60 
(with forwarded NCVHS recommendations, ``The importance of trust in 
the provider-patient relationship must be preserved. Health records 
are used to improve the quality of health care [ . . . ] protect the 
public health, and assure public accountability of the health care 
system.'').
---------------------------------------------------------------------------

    As discussed in section II of this preamble, the Privacy Rule 
represents the Department's careful balancing of individuals' interests 
and the interests of others in a way that engenders individuals' trust 
and enables high-quality health care, while also allowing others to use 
individuals' PHI for certain public policy purposes. The Department 
recognized the need for trust between patients and health care 
providers in the 2000 Privacy Rule, noting that ``[t]he provision of 
high-quality health care requires the exchange of personal, often-
sensitive information between an individual and a skilled practitioner. 
Vital to that interaction is the patient's ability to trust that the 
information shared will be protected and kept confidential.'' \139\ 
Further, if individuals do not trust that the sensitive information 
they give their health care providers will be kept private, they may be 
deterred from seeking needed health care.\140\ And when individuals do 
seek health care, they may be reluctant to be completely forthcoming 
with their health care providers, thus compromising the quality of the 
health care they receive. As the Department also stated, ``[h]ealth 
care professionals who lose the trust of their patients cannot deliver 
high-quality care.'' \141\ And when the trust of individuals is lost, 
the public's health as a whole is jeopardized.
---------------------------------------------------------------------------

    \139\ 65 FR 82463.
    \140\ See 64 FR 60019 (In the 1999 Privacy Rule NPRM, the 
Department discussed confidentiality as an important component of 
trust between individuals and health care providers and cited a 1994 
consumer privacy survey that indicated that a lack of privacy may 
deter patients from obtaining preventive care and treatment.).
    \141\ 65 FR 82468.
---------------------------------------------------------------------------

    Throughout the preamble to the 2000 Privacy Rule and the preambles 
to the rules revising the Privacy Rule, the Department described and 
explained its efforts to balance those interests. In the 2002 Privacy 
Rule, the Department discussed its re-evaluation of the balance 
established by the 2000 Privacy Rule and revised certain provisions 
because of concerns that arose as regulated entities prepared to 
implement its requirements. The Department made certain revisions to 
protect the privacy interests of individuals by strengthening the 
requirements for covered entities to inform individuals of their 
privacy practices through an NPP. These revisions afforded individuals 
the opportunity to engage in discussions

[[Page 23518]]

regarding the use and disclosure of their PHI, while protecting the 
interests of covered entities by allowing activities that are essential 
to the provision of high-quality health care to occur unimpeded, 
reducing the burden on such entities.\142\ The Department made other 
revisions to ``balance an individual's privacy expectations with a 
covered entity's need for information for reimbursement and quality 
purposes.'' \143\ In that same rulemaking, in addressing comments on 
still other revisions, the Department clearly stated, ``Patient privacy 
must be balanced against other public goods, such as research and the 
risk of compromising such research projects if researchers could not 
continue to use such data.'' \144\
---------------------------------------------------------------------------

    \142\ 67 FR 53209.
    \143\ 67 FR 53216.
    \144\ 67 FR 53226.
---------------------------------------------------------------------------

    In more recent rulemakings, the Department has continued its 
efforts to build and maintain individuals' trust in the health care 
system by balancing the interests of individuals with those of others 
as it further revised the Privacy Rule. For example, in explaining 
revisions made as part of the 2013 Omnibus Rule, the Department stated, 
``The Privacy Rule, at Sec.  164.512(b), recognizes that covered 
entities must balance protecting the privacy of health information with 
sharing health information with those responsible for ensuring public 
health and safety.'' \145\ As another example from that same rule, the 
Department revised the requirements for the distribution of the NPP 
because ``[w]e believe these distribution requirements best balance the 
right of individuals to be informed of their privacy rights with the 
burden on health plans to provide the revised [Notice of Privacy 
Practices].'' \146\ In the 2014 CLIA Program and HIPAA Privacy Rule; 
Patients' Access to Test Reports Final Rule, the Department further 
balanced the interests of individuals and those of others by providing 
individuals (or their personal representatives) with the right to 
access test reports directly from laboratories subject to HIPAA.\147\ 
This rulemaking afforded the Department with the opportunity to 
demonstrate the supremacy of the individual's right of access over the 
potential burden imposed on others, in this case, the laboratory. And 
still more recently, the primary focus of the 2016 HIPAA Privacy Rule 
and the National Instant Criminal Background Check System (NICS) Final 
Rule was to issue a narrowly tailored rule that appropriately balanced 
public safety goals with individuals' privacy interests to ensure that 
individuals are not discouraged from seeking voluntary treatment for 
mental health needs.\148\
---------------------------------------------------------------------------

    \145\ 78 FR 5616.
    \146\ 78 FR 5625.
    \147\ 79 FR 7290 (Feb. 6, 2014).
    \148\ 81 FR 382, 386 (Jan. 6, 2016).
---------------------------------------------------------------------------

    As part of balancing individuals' interests with those of society, 
the Department has recognized that it may be necessary to provide 
certain types of health information with special protection because 
they are particularly sensitive. For example, while the Department 
usually applies the same privacy standards to all PHI regardless of the 
type of health care at issue, it affords ``special protections'' to 
psychotherapy notes. These protections are afforded in part because of 
the ``particularly sensitive information'' those notes contain and in 
part because of the unique function of these records, which are by 
definition maintained separately from an individual's medical 
record.\149\ As the Department explained when it proposed these 
protections, ``[p]sychotherapy notes are of primary value to the 
specific provider and the promise of strict confidentiality helps to 
ensure that the patient will feel comfortable freely and completely 
disclosing very personal information essential to successful 
treatment.'' \150\ The Department elaborated that, ``[b]ecause of the 
sensitive nature of the problems for which individuals consult 
psychotherapists,'' and the ``embarrassment or disgrace'' engendered by 
``disclosure of confidential communications made during counseling 
sessions,'' even ``the mere possibility of disclosure may impede 
development of the confidential relationship necessary for successful 
treatment.'' \151\ To support the development and maintenance of an 
individual's trust and protect the relationship between an individual 
and their therapist, psychotherapy notes may be disclosed without an 
individual's authorization only in limited circumstances, such as to 
avert a serious and imminent threat to health or safety. Those limited 
circumstances do not include judicial and administrative proceedings or 
law enforcement purposes unless the disclosure is ``necessary to 
prevent or lessen a serious and imminent threat to the health or safety 
of a person or the public.'' \152\
---------------------------------------------------------------------------

    \149\ See 45 CFR 164.501 (definition of ``Psychotherapy notes'') 
(explicitly providing that psychotherapy notes are separated from 
the individual's medical record).
    \150\ 64 FR 59941.
    \151\ Id.
    \152\ 45 CFR 164.508(a)(2).
---------------------------------------------------------------------------

    Information related to an individual's reproductive health and 
associated health care is also especially sensitive and has long been 
recognized as such. As stated in the AMA's Principles of Medical 
Ethics, the ``decision to terminate a pregnancy should be made 
privately within the relationship of trust between patient and 
physician in keeping with the patient's unique values and needs and the 
physician's best professional judgment.'' \153\ NCVHS first noted 
reproductive health information as an example of a category of health 
information commonly considered to contain sensitive information in 
2008.\154\ From 2005-2010, NCVHS held 
nine hearings that addressed questions about sensitive information in 
medical records and identified additional categories of sensitive 
information beyond those addressed in Federal and state law, including 
``sexuality and reproductive health information,'' which NCVHS 
elaborated on in a 2010 letter to the Secretary:
---------------------------------------------------------------------------

    \153\ Amendment to Opinion 4.2.7, Abortion H-140.823, American 
Medical Association (2022), <a href="https://policysearch.ama-assn.org/policyfinder/detail/%224.2.7%20Abortion%22?uri=%2FAMADoc%2FHOD.xml-H-140.823.xml">https://policysearch.ama-assn.org/policyfinder/detail/%224.2.7%20Abortion%22?uri=%2FAMADoc%2FHOD.xml-H-140.823.xml</a>.
    \154\ See Letter from NCVHS, supra note 14.

    Some reproductive issues may expose people to political 
controversy [ . . . ], and public knowledge of an individual's 
reproductive history may place [them] at risk of stigmatization. 
Additionally, individuals may wish to have their reproductive 
history segmented so that it is not viewed by family members who 
otherwise have access to their records. Parents may wish to delay 
telling their offspring about adoption, gamete donation, or the use 
of other forms of assisted reproduction technology in their 
conception, and, thus, it may be important to have the capacity to 
segment these records.\155\
---------------------------------------------------------------------------

    \155\ See Letter from NCVHS Chair Justine M. Carr to HHS 
Secretary Kathleen Sebelius (Nov. 10, 2010) (forwarding NCVHS 
recommendations).

    At that time, the general privacy standards promulgated under HIPAA 
adequately protected information related to reproductive health care. 
Based on settled Federal constitutional law in 2000, the Department did 
not see a need to treat uses or disclosures of PHI related to 
reproductive health care, such as information about a pregnancy 
termination, differently from other uses or disclosures of PHI related 
to other categories of health care when establishing the Federal 
standards for privacy as mandated by HIPAA.\156\ HHS knew that 
individuals generally could legally access reproductive health care 
nationwide. And because such health care generally was legal and 
constitutionally protected, HHS was confident that law enforcement or 
other

[[Page 23519]]

third parties typically would not seek individuals' health information 
for purposes of investigating violations of criminal or civil laws 
related to highly sensitive types of health care, such as the provision 
of or access to reproductive health care, except in certain limited 
circumstances aimed at ensuring the quality and safety of such health 
care. Therefore, until states' recent efforts to regulate and 
criminalize the provision of or access to reproductive health care, 
effectuating the purposes of HIPAA did not require regulatory 
provisions that restricted uses and disclosures of PHI related to those 
activities.
---------------------------------------------------------------------------

    \156\ See 65 FR 82464-70.
---------------------------------------------------------------------------

B. Developments in the Legal Environment Are Eroding Individuals' Trust 
in the Health Care System

    The Supreme Court's decision in Dobbs on June 24, 2022, created new 
concerns about the privacy of PHI related to reproductive health care. 
In that decision, the Court overruled Roe v. Wade \157\ and Planned 
Parenthood of Southeastern Pennsylvania v. Casey \158\ and held that 
constitutional challenges to state abortion regulations are subject to 
rational-basis review.\159\ But the Court's decision did not disturb 
other longstanding constitutional principles, such as those protecting 
the right of interstate travel or the right to use contraception.\160\ 
Nor did it displace Federal statutes, such as Emergency Medical 
Treatment and Active Labor Act \161\ (EMTALA), that protect access to 
reproductive health care in particular circumstances.
---------------------------------------------------------------------------

    \157\ 410 U.S. 113 (1973).
    \158\ 505 U.S. 833 (1992).
    \159\ Dobbs, 142 S. Ct. at 2283-2284.
    \160\ See id. at 2309 (Kavanaugh, J., concurring).
    \161\ Public Law 99-272, 100 Stat. 164 (Apr. 7, 1986) (codified 
at 42 U.S.C. 1395dd). For further discussion of a health care 
provider's obligations under the EMTALA statute, see <a href="https://www.hhs.gov/sites/default/files/emergency-medical-care-letter-to-health-care-providers.pdf">https://www.hhs.gov/sites/default/files/emergency-medical-care-letter-to-health-care-providers.pdf</a>.
---------------------------------------------------------------------------

    Following the Supreme Court's decision, states have taken actions, 
some tacitly and some explicitly, that could interfere with 
individuals' longstanding expectations created by HIPAA and the Privacy 
Rule with respect to the privacy of their PHI.\162\ The Department is 
aware of reports that persons or authorities have reached or intend to 
reach beyond their own states' borders to investigate reproductive 
health care that has been performed in other states where that health 
care is legal.\163\ These actions present new concerns nationwide for 
the protection of health information privacy mandated by HIPAA. Because 
the Privacy Rule currently permits uses and disclosures of PHI for 
certain purposes,\164\ including when another law requires a regulated 
entity to make the use or disclosure,\165\ regulated entities after 
Dobbs might be compelled to use or disclose PHI to law enforcement or 
other persons who may use that health information against an 
individual, a regulated entity, or another person who has sought, 
obtained, provided, or facilitated reproductive health care, even when 
such health care is lawful in the circumstances in which the health 
care is obtained.\166\
---------------------------------------------------------------------------

    \162\ See, e.g., Kayte Spector-Bagdady, Michelle M. Mello, 
``Protecting the Privacy of Reproductive Health Information After 
the Fall of Roe v Wade,'' JAMA Network (June 30, 2022), <a href="https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032">https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032</a>; Lisa 
G. Gill, ``What does the overturn of Roe v. Wade mean for you?,'' 
Consumer Reports (June 24, 2022), <a href="https://www.consumerreports.org/health-privacy/what-does-the-overturn-of-roe-v-wade-mean-for-you-a1957506408/">https://www.consumerreports.org/health-privacy/what-does-the-overturn-of-roe-v-wade-mean-for-you-a1957506408/</a>.
    \163\ See, e.g., Giulia Carbonaro, ``Texas bill targeting 
internet abortion access `attacks individual liberty','' Newsweek 
(Mar. 3, 2023), <a href="https://www.newsweek.com/texas-bill-targeting-internet-abortion-access-attacks-individual-liberty-1785254">https://www.newsweek.com/texas-bill-targeting-internet-abortion-access-attacks-individual-liberty-1785254</a>; Alice 
Miranda Ollstein and Megan Messerly, ``Missouri wants to stop out-
of-state abortions. Other states could follow,'' Politico (Mar. 19, 
2022), <a href="https://www.politico.com/news/2022/03/19/travel-abortion-law-missouri-00018539">https://www.politico.com/news/2022/03/19/travel-abortion-law-missouri-00018539</a>. For pending bills that would impose limitations 
on the ability of individuals to travel to obtain reproductive 
health care, see, e.g., H.B. 2012, Missouri 101st General Assembly 
(2022) (would have permitted a private citizen to sue a person who 
provides or facilitates an abortion for a Missouri resident, 
including an out-of-state physician or person who transports an 
individual across state lines to a health care provider); H.B. No. 
787, Texas State Legislature (2023) (prohibiting the receipt of tax 
incentives by a business entity that assists an employee in 
obtaining an abortion, including through funding out-of-state travel 
for the procedure); and H.B. 90 and S.B. 600, Tennessee General 
Assembly (2023) (prohibiting local governments from spending money 
to assist ``a person in obtaining an abortion,'' including through 
funding out-of-state travel for the procedure).
    \164\ 45 CFR 164.502(a)(1).
    \165\ 45 CFR 164.512(a).
    \166\ See Eleanor Klibanoff, ``Lawyers preparing for abortion 
prosecutions warn about health care, data privacy,'' The Texas 
Tribune (July 25, 2022), <a href="https://www.texastribune.org/2022/07/25/abortion-prosecution-data-health-care/">https://www.texastribune.org/2022/07/25/abortion-prosecution-data-health-care/</a> (discussing the fact that the 
most common way PHI is obtained by law enforcement is through health 
care provider disclosures).
---------------------------------------------------------------------------

    One significant consequence of the developments in Federal and 
state law is the erosion of individuals' trust in health care providers 
to protect their health information privacy, creating barriers or 
disincentives for individuals to obtain health care, including legal 
reproductive health care, and increasing the potential for health care 
providers to possess incomplete or inaccurate medical records. A 2023 
qualitative study of individuals who obtained abortions after the 
passage of a law significantly restricting abortion access in Texas 
highlighted the concerns of such individuals with respect to the 
privacy of PHI related to reproductive health care they received.\167\ 
In fact, a recently filed complaint details the decision made by the 
plaintiff's out-of-state health care provider to describe the 
plaintiff's condition as something other than an abortion, even though 
the abortion was lawful in the state in which it was provided, because 
the health care provider was concerned about the ramifications of 
documenting the health care provided as an abortion.\168\ Another 
significant consequence is the risk that individual medical records 
will not be maintained with completeness and accuracy, including as 
they relate to legal reproductive health care. The developments 
discussed above have increased uncertainty nationwide for individuals, 
regulated entities, and other persons about the privacy of an 
individual's PHI. Recent state actions now place individuals and health 
care providers in potential civil or criminal jeopardy when PHI related 
to an individual's reproductive health is used and disclosed, 
regardless of whether the health care services are obtained or 
performed legally.
---------------------------------------------------------------------------

    \167\ Courtney C. Baker, Emma Smith, Mitchell D. Creinin, et 
al., ``Texas Senate Bill 8 and Abortion Experiences in Patients with 
Fetal Diagnoses: A Qualitative Analysis,'' Obstetrics & Gynecology 
(Mar. 2023), <a href="https://pubmed.ncbi.nlm.nih.gov/36735418">https://pubmed.ncbi.nlm.nih.gov/36735418</a> (citing a 
representative statement made by a study participant, `` `I would 
joke around and say, well don't sue me, but halfway mean it.' '').
    \168\ See Brief for Zurawski at p. 2 (One plaintiff had to 
travel out of state for an abortion to save the life of one of her 
twins, and afterwards, fearful of documenting her abortion, her 
health care provider instead described her condition as ``vanishing 
twin syndrome.'').
---------------------------------------------------------------------------

    In the past, some law enforcement officials exercised their 
authority under general criminal statutes to obtain PHI for use against 
pregnant individuals on the basis of their pregnancy status or 
pregnancy outcomes.\169\ But more recent developments in law have 
created an environment in which law enforcement and others are 
increasingly likely to request PHI from regulated entities for use 
against individuals,\170\ health care

[[Page 23520]]

providers, and others, solely because such persons sought, obtained, 
provided, or facilitated lawful reproductive health care.\171\ This 
environment of increased demand for PHI for these purposes is not 
limited to states in which those legal developments have occurred. 
Rather, these legal developments have nationwide implications because 
of the overall effects on the relationship between health care 
providers and individuals and the flow of health information across 
state lines. Examples of such cross-state health information flows 
include disclosures from health care providers to health plans with a 
multi-state presence or between health care providers in different 
states to treat individuals as they travel across the country.
---------------------------------------------------------------------------

    \169\ See ``Self-Care, Criminalized: August 2022 Preliminary 
Findings,*'' supra note 11; ``Confronting Pregnancy Criminalization: 
A Practical Guide for Healthcare Providers, Lawyers, Medical 
Examiners, Child Welfare Workers, and Policymakers,'' Pregnancy 
Justice (June 2022), <a href="https://www.pregnancyjusticeus.org/confronting-pregnancy-criminalization/">https://www.pregnancyjusticeus.org/confronting-pregnancy-criminalization/</a>.
    \170\ See, e.g., S.C. Code Ann. sec. 44-41-80(b) and NRS 
200.220. See also ``Self-Care, Criminalized: August 2022 Preliminary 
Findings,*'' supra note 11, p. 2-3 (From 2000 to 2020, out of 54 
cases, 74% of the adult cases involved the criminalization of the 
person for self-managing their own abortion, and 39% of the cases 
reported to law enforcement were by health care providers.); ``Talk 
of prosecuting women for abortion pills roils antiabortion 
movement,'' supra note 11.
    \171\ The Department believes that those investigating or 
bringing proceedings against individuals, health care providers, or 
other persons for seeking, obtaining, providing, or facilitating 
reproductive health care will increasingly seek to access PHI as 
part of their investigation or proceeding. See, e.g., Karen Brooks 
Harper, ``Texas abortion foes use legal threats and propose more 
laws to increase pressure on providers and their allies,'' The Texas 
Tribune (July 18, 2022), <a href="https://www.texastribune.org/2022/07/18/texas-abortion-laws-pressure-campaign/">https://www.texastribune.org/2022/07/18/texas-abortion-laws-pressure-campaign/</a>; Timothy Bella, ``Doctor in 
10-year-old rape victim's abortion faces AG inquiry, threats,'' The 
Washington Post (July 27, 2022), <a href="https://www.washingtonpost.com/politics/2022/07/27/abortion-doctor-girl-rape-caitlin-bernard-investigation/">https://www.washingtonpost.com/politics/2022/07/27/abortion-doctor-girl-rape-caitlin-bernard-investigation/</a>; ``Doctor says she shouldn't have to turn over 
patients' abortion records,'' supra note 13.
---------------------------------------------------------------------------

    This reality is in tension with many individuals' expectation that 
they have or should have the right to health information privacy, 
including the right to determine who has access to that information. In 
fact, in its most recent annual survey on patient privacy, the AMA 
found that, of 1,000 patients surveyed: (1) nearly 75% are concerned 
about protecting the privacy of their own health information; and (2) 
59% of patients worry about health data being used by companies to 
discriminate against them or their loved ones.\172\ In its report on 
the survey, the AMA opines that a lack of health information privacy 
raises many questions about circumstances that could put patients and 
physicians in legal peril, and that the ``primary purpose of increasing 
[health information] privacy is to build public trust, not inhibit data 
exchange.'' \173\ The mismatch between privacy expectations and current 
legal protections for health information privacy undermines trust 
between individuals and health care providers nationwide, thereby 
decreasing access to, and effectiveness of, health care for 
individuals.
---------------------------------------------------------------------------

    \172\ See ``Patient Perspectives Around Data Privacy,'' supra 
note 129.
    \173\ Id. at 2.
---------------------------------------------------------------------------

    The present situation also has resulted in ambiguity and confusion 
for individuals and health care providers, many of whom are uncertain 
about when health information is protected under the HIPAA Rules given 
recent legal developments.\174\ This confusion undermines access to 
health care and individual privacy--including for individuals seeking 
or obtaining health care that is lawful nationwide. For example, the 
Department is aware that some health care providers, both clinicians 
and pharmacies, are hesitant to prescribe or fill prescriptions for 
medications that can result in pregnancy loss, even when those 
prescriptions are intended to treat individuals for other health 
matters, because of fear of law enforcement action.\175\ As a result, 
these health care providers are either denying access to prescriptions 
that affect an individual's quality of life or requiring additional PHI 
to justify an individual's need for such prescriptions for purposes 
that are permissible under state law.\176\ Although most health care 
providers, including pharmacies, are subject to the HIPAA Rules, and 
thus, limited in the purposes for which they are permitted to use or 
disclose such PHI, an individual's privacy is necessarily reduced as an 
increasing number of persons have access to an increasing amount of 
their PHI. Additionally, individuals face an increasing risk to the 
security of their PHI as the number of information technology systems 
in which the PHI is stored increases. As the number of persons and 
information technology systems with access to this PHI increases, this 
expands the number and types of regulated entities from which law 
enforcement and others may try to seek disclosure of this highly 
sensitive information. Individual trust in regulated entities is eroded 
when individuals' access to health care is questioned and their PHI is 
subject to disclosures that previously were unnecessary.
---------------------------------------------------------------------------

    \174\ See Press Release, American Medical Association, American 
Pharmacists Association, American Society of Health-System 
Pharmacists, and National Community Pharmacists Association, 
``Statement on state laws impacting patient access to necessary 
medicine'' (Sept. 8, 2022), <a href="https://www.ama-assn.org/press-center/press-releases/statement-state-laws-impacting-patient-access-necessary-medicine">https://www.ama-assn.org/press-center/press-releases/statement-state-laws-impacting-patient-access-necessary-medicine</a>. See also Abigail Higgins, ``Abortion rights 
advocates fear access to birth control could be curtailed,'' The 
Washington Post (June 24, 2022), <a href="https://www.washingtonpost.com/nation/2022/06/24/birth-control-access-supreme-court-abortion-ruling/">https://www.washingtonpost.com/nation/2022/06/24/birth-control-access-supreme-court-abortion-ruling/</a>.
    \175\ See Interview with Donald Miller, PharmD, ``Methotrexate 
access becomes challenging for some patients following Supreme Court 
decision on abortion,'' Pharmacy Times (July 20, 2022), <a href="https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion">https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion</a>; Jamie 
Ducharme, ``Abortion restrictions may be making it harder for 
patients to get a cancer and arthritis drug,'' Time (July 6, 2022), 
<a href="https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/">https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/</a>; Katie Shepherd and Frances Stead Sellers, ``Abortion 
bans complicate access to drugs for cancer, arthritis, even 
ulcers,'' The Washington Post (Aug. 8, 2022), <a href="https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/">https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/</a>.
    \176\ See, e.g., Jen Christensen, ``Women with chronic 
conditions struggle to find medications after abortion laws limit 
access,'' CNN Health (July 22, 2022), <a href="https://www.cnn.com/2022/07/22/health/abortion-law-medications-methotrexate/index.html">https://www.cnn.com/2022/07/22/health/abortion-law-medications-methotrexate/index.html</a>; Brittni 
Frederiksen, Matthew Rae, Tatyana Roberts, et al., ``Abortion Bans 
May Limit Essential Medications for Women with Chronic Conditions,'' 
Kaiser Family Foundation (Nov. 17, 2022), <a href="https://www.kff.org/womens-health-policy/issue-brief/abortion-bans-may-limit-essential-medications-for-women-with-chronic-conditions/">https://www.kff.org/womens-health-policy/issue-brief/abortion-bans-may-limit-essential-medications-for-women-with-chronic-conditions/</a>.
---------------------------------------------------------------------------

    Impingements on health information privacy related to reproductive 
health care are likely to have a disproportionately greater effect on 
women, individuals of reproductive age, and individuals from 
communities that have been historically underserved, marginalized, or 
subject to discrimination or systemic disadvantage by virtue of their 
race, disability, social or economic status, geographic location, or 
environment.\177\ Historically underserved and marginalized individuals 
are also more likely to be the subjects of investigations and 
proceedings about any suspected interest in, or obtaining of, 
reproductive health care, even where such health care is lawful under 
the circumstances in which it is provided.\178\ They are also less 
likely to have adequate access to legal counsel to defend themselves 
from

[[Page 23521]]

such actions.\179\ Such individuals are thus especially likely to be 
concerned that information they give to their health care providers 
regarding their reproductive health care will not remain private. This 
is particularly true in light of the historic lack of trust that 
members of marginalized communities have for the health care system; 
\180\ such individuals are more likely to be deterred from seeking or 
obtaining health care--or from giving their health care providers full 
information when they do obtain it.
---------------------------------------------------------------------------

    \177\ See Christine Dehlendorf, Lisa H. Harris, Tracy A. Weitz, 
``Disparities in Abortion Rates: A Public Health Approach,'' 
American Journal of Public Health. (Oct. 2013), <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/">https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/</a>. See also Kiara 
Alfonseca, ``Why Abortion Restrictions Disproportionately Impact 
People of Color,'' ABC News (June 24, 2022), <a href="https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809">https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809</a>; Susan A. Cohen, ``Abortion and Women of Color: 
The Bigger Picture,'' Guttmacher Institute (Aug. 6, 2008), <a href="https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture">https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture</a>; ``The Disproportionate Harm of Abortion Bans: Spotlight on 
Dobbs v. Jackson Women's Health,'' Center for Reproductive Rights 
(Nov. 29, 2021), <a href="https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/">https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/</a>.
    \178\ See Brief of Amici Curiae for Organizations Dedicated to 
the Fight for Reproductive Justice--Mississippi in Action, et al. at 
*59-60, Dobbs, 142 S. Ct. (discussing the likelihood that those who 
terminate their pregnancies and anyone who assists them may face 
criminal investigation or arrest, exacerbating the mass 
incarceration of marginalized people in Mississippi and Louisiana, 
particularly in light of the states' disproportionate rates of 
incarceration for people of color).
    \179\ See ``Equal access to justice: ensuring meaningful access 
to counsel in civil cases, including immigration proceedings,'' 
Columbia Law School Human Rights Institute and Northeastern 
University School of Law Program on Human Rights and the Global 
Economy (July 2014), <a href="https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf">https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf</a>. 
See also ``Report: State Abortion Bans Will Harm Women and Families' 
Economic Security Across the U.S.'' (Aug. 25, 2022), <a href="https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/">https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/</a>.
    \180\ See Leslie Read, Heather Nelson, Leslie Korenda, The 
Deloitte Ctr. for Health Solutions, ``Rebuilding Trust in Health 
Care: What Do Consumers Want--and Need--Organizations to Do?'' (Aug. 
5, 2021), p. 3 (With focus groups of 525 individuals in the United 
States who identify as Black, Hispanic, Asian, or Native American, 
``Fifty-five percent reported a negative experience where they lost 
trust in a health care provider.''), <a href="https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html">https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html</a>; 
Liz Hamel, Lunna Lopes, Cailey Muñana, et al., Kaiser Family 
Foundation, The Undefeated Survey on Race and Health (Oct. 2020), p. 
23, (Percent who say they can trust the health care system to do 
what is right for them or their community almost all of the time or 
most of the time: Black adults: 44%; Hispanic adults: 50%; White 
adults: 55%), <a href="https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf">https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf</a>; 
``Issue Brief: Health Insurance Coverage and Access to Care for 
LGBTQ+ Individuals: Current Trends and Key Challenges,'' U.S. Dep't 
of Health and Human Servs., Assistant Sec'y for Policy & Evaluation, 
Office of Health Policy (June 2021), p. 9 (``According to a recent 
survey, 18 percent of LGBTQ+ individuals reported avoiding going to 
a doctor or seeking healthcare out of concern that they would face 
discrimination or be treated poorly because of their sexual 
orientation or gender identity.''), <a href="https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf">https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf</a>; Abigail A. Sewell, 
``Disaggregating Ethnoracial Disparities in Physician Trust,'' 
Social Science Research. (Nov. 2015), <a href="https://pubmed.ncbi.nlm.nih.gov/26463531/">https://pubmed.ncbi.nlm.nih.gov/26463531/</a>; Irena Stepanikova, Stefanie 
Mollborn, Karen S. Cook, et al., ``Patients' Race, Ethnicity, 
Language, and Trust in a Physician,'' Journal of Health and Social 
Behavior (Dec. 2006), <a href="https://pubmed.ncbi.nlm.nih.gov/17240927/">https://pubmed.ncbi.nlm.nih.gov/17240927/</a>.
---------------------------------------------------------------------------

    The recent legal landscape that increases the potential for 
disclosures of PHI to impose liability for seeking, obtaining, 
providing, or facilitating reproductive health care risks eroding 
health information privacy and trust in health care providers that has 
long been supported and advanced by the Privacy Rule. The Department 
issued guidance in 2022 to clarify its longstanding interpretation of 
the Privacy Rule's law enforcement provisions.\181\ In the guidance, 
the Department explained that disclosures for non-health care purposes, 
such as disclosures to law enforcement officials, are permitted only in 
narrow circumstances tailored to protect the individual's privacy and 
support their access to health care, including abortion care. The 
guidance specifically reminded regulated entities that they can use and 
disclose PHI, without an individual's signed authorization, only as 
expressly permitted or required by the Privacy Rule. Additionally, the 
guidance explained the Privacy Rule's restrictions on disclosures of 
PHI when required by law, for law enforcement purposes, and to avert a 
serious threat to health or safety. For example, where state law does 
not expressly require reporting of suspicions of self-managed 
reproductive health care, the Privacy Rule would not permit a 
disclosure by a hospital workforce member of such suspicions to law 
enforcement under the ``required by law'' permission.
---------------------------------------------------------------------------

    \181\ See ``HIPAA Privacy Rule and Disclosures of Information 
Relating to Reproductive Health Care,'' U.S. Dep't of Health and 
Human Servs. (June 29, 2022), <a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html">https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html</a>.
---------------------------------------------------------------------------

    However, many questions remain with respect to the potential for 
this sensitive PHI to be disclosed and the effects of such disclosure 
on the individual. Thus, it is incumbent upon the Department to 
consider whether it should revise the Privacy Rule to ensure the 
privacy of health information related to an individual's use of lawful 
reproductive health care, consistent with Congress' intent to create 
standards for the privacy of IIHI that promote trust and support access 
to high-quality health care.\182\
---------------------------------------------------------------------------

    \182\ See FCC v. Fox Television Stations, Inc., 556 U.S. 502, 
515 (2009) (holding ``[ . . . ] the agency must show that there are 
good reasons for the new policy. [ . . . ][I]t suffices that the new 
policy is permissible under the statute, that there are good reasons 
for it, and that the agency believes it to be better, which the 
conscious change of course adequately indicates.'' (emphasis in 
original)).
---------------------------------------------------------------------------

C. To Protect the Trust Between Individuals and Health Care Providers, 
the Department Proposes To Restrict Certain Uses and Disclosures of PHI 
for Non-Health Care Purposes

    The Federal Government seeks to ensure that individuals have access 
to high-quality health care.\183\ This proposed rule would further that 
goal by restricting the use and disclosure of certain PHI for non-
health care purposes.
---------------------------------------------------------------------------

    \183\ See Testimony (transcribed) of Peter R. Orszag and 
statement of Sen. Durenberger, supra note 135.
---------------------------------------------------------------------------

    The Department acknowledges that the Privacy Rule has not 
previously conditioned uses and disclosures for certain purposes on the 
specific type of health care about which the disclosure relates, as it 
does herein with reproductive health care. However, the primary reasons 
behind this rulemaking are the risks to privacy, patient trust, and 
health care quality that occur when it is the very act of obtaining 
health care that subjects an individual to an investigation or 
proceeding, potentially disincentivizing the individual from obtaining 
medically necessary health care.
    As discussed above, the Department has long provided special 
protections for psychotherapy notes when they are not included as part 
of the medical record because of the sensitivity around this 
information. Given the particularly sensitive nature of information 
related to an individual's reproductive health, the Department is 
proposing to create new, special safeguards for this information. 
However, unlike psychotherapy notes, which by their very nature are 
easily defined and segregated, reproductive health information is not 
easily defined or segregated. This is in part because many types of PHI 
may not initially appear to be related to an individual's reproductive 
health but may in fact reveal information about an individual's 
reproductive health or reproductive health care an individual has 
received. For example, in a pregnant individual, a high blood pressure 
reading may be a sign of preeclampsia, and glucose found in a urine 
test may indicate gestational diabetes. Additionally, it is the 
Department's understanding that today's clinical documentation and 
health IT do not provide regulated entities with the ability to segment 
certain PHI such that regulated entities could afford specific 
categories of PHI special protections, or at least do so in a manner 
that is not overly burdensome and cost prohibitive.\184\ Instead, as is 
consistent

[[Page 23522]]

with the Privacy Rule's overall approach,\185\ the Department proposes 
a purpose-based prohibition on certain uses and disclosures to protect 
individuals' privacy interests in their PHI. The Department believes 
that this proposed purpose-based prohibition, in concert with the 
proposed attestation, will restrict the use and disclosure of PHI that 
could harm HIPAA's overall goals of increasing trust in the health care 
system, improving health care quality, and protecting individual 
privacy, while continuing to allow PHI uses and disclosures that either 
provide support for those goals or do not interfere with their 
achievement.
---------------------------------------------------------------------------

    \184\ See, e.g., 87 FR 74216, 74221 (Dec. 2, 2022) (noting that 
42 CFR part 2 previously resulted in the separation of substance use 
disorder (SUD) treatment records from other health records, 
which led to the creation of data ``silos'' that hampered the 
integration of SUD treatment records into covered entities' 
electronic record systems and billing processes. When considering 
amendments to the relevant statute, some lawmakers argued that the 
silos perpetuated negative stereotypes about persons with SUD and 
inhibited coordination of care during the opioid epidemic. See also 
``Health Information Technology Advisory Committee (HITAC) Annual 
Report for Fiscal Year 2019,'' Health Information Technology 
Advisory Committee (Feb. 19, 2020), p. 37, <a href="https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf">https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf</a> (``The new 
certification criteria that support the sharing of data via third-
party apps will help advance the use of data segmentation, but 
adoption of this capability by the industry is not yet 
widespread.'').
    \185\ See 64 FR 59924, 59939, and 59955.
---------------------------------------------------------------------------

    Also, consistent with the Privacy Rule's approach, the Department 
proposes a Rule of Applicability for the purpose-based prohibition that 
recognizes the interests of the Federal Government and states in 
protecting the privacy of persons who seek, obtain, provide, or 
facilitate lawful reproductive health care. This Rule of Applicability 
would limit the new prohibition to certain categories of instances in 
which the state lacks any substantial interest in seeking the 
disclosure. The Department believes that the proposals described in 
greater detail later in this NPRM could benefit health care providers 
and individuals. Although many benefits are not quantifiable, the 
Department believes the proposals would increase the likelihood that 
individuals would seek lawful health care by improving their confidence 
in the confidentiality of their PHI; improve access to high quality and 
continuous health care by increasing the accuracy and completeness of 
individuals' medical records; improve population health by encouraging 
individuals to receive disease screenings; safeguard the mental health 
of pregnant individuals; prevent increases in maternal mortality and 
morbidity; enhance support for victims of rape, incest, and sex 
trafficking; and maintain family economic stability. Similarly, the 
proposals are expected to increase certainty for, and therefore reduce 
the burden on, regulated entities implementing the Privacy Rule.
    The Department's proposed modifications are consistent with its 
existing authority to modify the Privacy Rule. As discussed above, 
Congress expressly authorized the Department to develop standards for 
the privacy of IIHI. The Department has consistently exercised its 
rulemaking authority to establish, implement, and modify the HIPAA 
Rules pursuant to this statutory authority, including when necessary to 
maintain their effectiveness, address workability issues for regulated 
entities including clarifying amendments, and respond to changed 
circumstances.\186\ The proposed changes would effectuate HIPAA's goals 
of setting standards with respect to the privacy of IIHI, thereby 
increasing the quality of and access to health care by fostering trust 
in the health care system and buttressing continuity of health 
care.\187\ Moreover, Congress expressly provided in HIPAA that the 
Department's regulations in this area ``shall supersede any contrary 
provision of State law,'' absent an explicit exception.\188\ As 
discussed below, various state laws that might conflict with the rules 
proposed herein, such as those that require disclosure of PHI for 
purposes of criminal, civil, or administrative investigations or 
proceedings based on seeking, obtaining, providing, or facilitating 
lawful reproductive health care, are not excepted from this general 
rule of preemption.
---------------------------------------------------------------------------

    \186\ See, e.g., 67 FR 53182 (modifying the 2000 Privacy Rule in 
response to stakeholder implementation concerns and to clarify key 
provisions), 78 FR 5566 (modifying the HIPAA Rules to address HITECH 
requirements and improve workability and flexibility for covered 
entities), 79 FR 7289 (modifying the Privacy Rule to address 
requirements in the Clinical Laboratory Improvement Amendments of 
1988 and to improve patient access), and 81 FR 382 (modifying the 
Privacy Rule to permit certain disclosures to the National Instant 
Criminal Background Check System).
    \187\ See section III of this rulemaking for a full discussion 
of HIPAA and congressional intent.
    \188\ 42 U.S.C. 1320d-7 and section 264(c)(2) of Public Law 104-
191 (codified at 42 U.S.C. 1320d-2 note).
---------------------------------------------------------------------------

    In accordance with section 264(d) of HIPAA, the Department has 
consulted with the Attorney General in the formulation of this proposed 
rule and intends to continue to engage in these consultations before 
finalizing the rule. The Department invites NCVHS to review this 
proposed rule and to provide comments to the Department.

IV. Section-by-Section Description of Proposed Amendments to the 
Privacy Rule

    The Department proposes to modify the Privacy Rule to strengthen 
privacy protections for individuals' PHI by adding a new category of 
prohibited uses and disclosures. This modification would prohibit a 
regulated entity from using or disclosing an individual's PHI for the 
purpose of conducting a criminal, civil, or administrative 
investigation into or proceeding against the individual, a health care 
provider, or other person in connection with seeking, obtaining, 
providing, or facilitating reproductive health care that: (1) is 
provided outside of the state where the investigation or proceeding is 
authorized and such health care is lawful in the state in which it is 
provided; (2) is protected, required, or authorized by Federal law, 
regardless of the state in which such health care is provided; or (3) 
is provided in the state in which the investigation or proceeding is 
authorized and that is permitted by the law of that state. In these 
three circumstances, the state lacks any substantial interest in 
seeking the disclosure. To operationalize this proposed modification, 
the Department also proposes to revise or clarify certain definitions 
and terms that apply to the Privacy Rule, as well as other HIPAA Rules. 
The NPRM would also prohibit a regulated entity from using or 
disclosing an individual's PHI for the purpose of identifying \189\ an 
individual, health care provider, or other person for the purpose of 
initiating such an investigation or proceeding against the individual, 
a health care provider, or other person in connection with seeking, 
obtaining, providing, or facilitating reproductive health care that is 
lawful under the circumstances in which it is provided.
---------------------------------------------------------------------------

    \189\ Section 164.514(h) of 45 CFR requires a covered entity, in 
most cases, to take reasonable steps to verify the identity and 
authority of a person requesting PHI before disclosing the PHI, 
including in the case of public officials. The proposed restriction 
against using or disclosing PHI in connection with the proposals in 
this NPRM would not modify 45 CFR 164.514(h) but would address only 
those circumstances in which a regulated entity would use or 
disclose PHI to identify an individual for a purpose that would be 
restricted herein. Further, the Department believes the attestation 
requirement proposed in this NPRM would provide a regulated entity 
the assurance it needs to make disclosures for identity purposes 
that are consistent with the Privacy Rule.
---------------------------------------------------------------------------

    To effectuate these proposals, the Department proposes conforming 
and clarifying changes to the HIPAA Rules. These proposed changes 
include, but are not limited to, clarifying the definition of 
``person'' to reflect long-standing statutory language defining the 
term; adopting new definitions of ``public health'' surveillance, 
investigation, or intervention, and ``reproductive health care''; 
clarifying that a regulated entity may not decline to recognize a 
person as a personal representative for the purposes of the Privacy 
Rule solely because they provide or facilitate reproductive health care 
for an individual; a new requirement that, in certain

[[Page 23523]]

circumstances, regulated entities must first obtain an attestation that 
a requested use or disclosure is not for a prohibited purpose; and 
modifications to the NPP for PHI to inform individuals that their PHI 
may not be used or disclosed for a prohibited purpose.
    The Department's proposals are discussed in greater detail below.

A. Section 160.103--Definitions

1. Clarifying the Definition of ``Person''
Current Provision and Issues To Address
    HIPAA does not define the term ``person.'' \190\ By regulation, the 
Department has long defined ``person'' for purposes of the HIPAA Rules 
to mean ``a natural person, trust or estate, partnership, corporation, 
professional association or corporation, or other entity, public or 
private.'' \191\ This definition was based on the meaning of ``person'' 
that Congress adopted in the original Social Security Act of 1935 
(SSA), defined as an ``individual, a trust or estate, a partnership, or 
a corporation.'' \192\
---------------------------------------------------------------------------

    \190\ See 42 U.S.C. 1320d-1320d-8.
    \191\ 45 CFR 160.103.
    \192\ See section 1101(3) of Public Law 74-271, 49 Stat. 620 
(Aug. 14, 1935) (codified at 42 U.S.C. 1301(3)).
---------------------------------------------------------------------------

    In 2002, Congress enacted 1 U.S.C. 8, which defines ``person,'' 
``human being,'' ``child,'' and ``individual.'' \193\ The statute 
specifies that this definition shall apply when ``determining the 
meaning of any Act of Congress, or of any ruling, regulation, or 
interpretation of the various administrative bureaus and agencies of 
the United States.'' \194\ The Department understands 1 U.S.C. 8 to 
provide a definition of ``person'' and ``child'' that is consistent 
with the Department's understanding of that term, as it is used in the 
SSA, HIPAA, and the HIPAA Rules and does not include a fertilized egg, 
embryo, or fetus.
---------------------------------------------------------------------------

    \193\ 1 U.S.C. 8(a). The Department is not opining on whether 
any state law confers a particular legal status upon a fetus. The 
Department instead cites to this statute to define the scope of the 
right of privacy that attaches pursuant to HIPAA.
    \194\ Id.
---------------------------------------------------------------------------

Proposal
    Thus, the Department proposes to clarify the definition of 
``natural person'' in a manner consistent with 1 U.S.C. 8. In so doing, 
the Department would make clear that all terms subsumed within the 
definition of ``natural person,'' such as ``individual,'' \195\ which 
refers to a ``person'' who is the subject of PHI under the HIPAA Rules, 
are limited to the confines of the term ``person.'' \196\ The Department 
would also make clear that ``natural person,'' as used in the 
definition of ``person'' under the HIPAA Rules, is limited to the 
definition at 1 U.S.C. 8.
---------------------------------------------------------------------------

    \195\ 45 CFR 160.103 (definition of ``Individual'').
    \196\ See The Prenatal Record and the Initial Prenatal Visit, 
The Global Library of Women's Medicine (last updated Jan. 2008) (PHI 
about the fetus is included in the mother's PHI), <a href="https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl">https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl</a>.
---------------------------------------------------------------------------

    The Department believes it would be beneficial to clarify the 
definition of ``person'' to ensure that there is an understanding among 
stakeholders as to its meaning for Privacy Rule purposes. As such, the 
Department believes the proposed clarification of the definition of 
person better explains to regulated entities and other stakeholders the 
parameters of who is an ``individual'' whose PHI is protected by the 
HIPAA Rules.
2. Interpreting Terms Used in Section 1178(b) of the Social Security 
Act \197\
---------------------------------------------------------------------------

    \197\ 42 U.S.C. 1320d-7(b).
---------------------------------------------------------------------------

    HIPAA includes a rule of construction for certain laws generally 
concerning ``[p]ublic health.'' \198\ Specifically, section 1178(b) of 
the SSA provides that nothing in HIPAA ``shall be construed to 
invalidate or limit'' laws ``providing for the reporting of disease or 
injury, child abuse, birth, or death, public health surveillance, or 
public health investigation or intervention.'' \199\ Accordingly, the 
Privacy Rule permits a regulated entity to use and disclose PHI for 
certain public health purposes, treating the uses and disclosures 
covered by section 1178(b) as permitted uses and disclosures to public 
health authorities or other appropriate government authorities for the 
listed activities.\200\
---------------------------------------------------------------------------

    \198\ Id.
    \199\ Id. The Department incorporated this limitation on Federal 
preemption of state laws in the HIPAA Rules at 45 CFR 160.203(c).
    \200\ 45 CFR 164.512(b). The Privacy Rule addresses its 
interactions with laws governing excepted public health activities 
in two sections: 45 CFR 164.512(a), Standard: Uses and disclosures 
required by law, and 45 CFR 164.512(b), Standard: Uses and 
disclosures for public health activities.
---------------------------------------------------------------------------

    A regulated entity may use or disclose PHI to public health 
authorities for the full range of activities described above, including 
reporting of diseases and injuries, reporting of birth and death to 
vital statistics agencies, and activities covered by the terms public 
health surveillance, public health investigation, and public health 
intervention. A ``public health authority'' means an agency or 
authority of the United States, a State, a territory, a political 
subdivision of a State or territory, or an Indian tribe, or a person or 
entity acting under a grant of authority from, or contract with, such 
public agency, including the employees or agents of such public agency 
or its contractors or persons or entities to whom it has granted 
authority, that is responsible for public health matters as part of its 
official mandate.\201\
---------------------------------------------------------------------------

    \201\ See 45 CFR 164.501 (definition of ``Public health 
authority'').
---------------------------------------------------------------------------

    HIPAA does not define the terms in section 1178(b) that govern the 
scope of the ``public health'' exceptions to preemption and the 
Department declines to do so here. The Department believes it necessary 
to define only ``public health'' surveillance, investigation, or 
intervention and to make clear the Department's interpretation of key 
terms used in section 1178(b) to clarify when HIPAA preempts contrary 
state laws. The Department believes that state laws that require the 
use or disclosure of highly sensitive PHI for non-public health 
purposes, such as criminal, civil, or administrative investigations or 
proceedings based on whether a person sought, obtained, provided, or 
facilitated reproductive health care, are not exempt from HIPAA's 
general rule of preemption.
Reporting of Disease or Injury, Birth, or Death
    The Privacy Rule permits regulated entities to use or disclose PHI 
without authorization for the public health purposes of reporting 
``disease or injury,'' ``birth,'' or ``death.'' \202\ Similarly, 
section 1178(b) exempts state laws requiring such reporting from 
HIPAA's general preemption provision. The Department recognizes that 
such public health reporting activities are an important means of 
identifying threats to the health and safety of the public. The 
Department does not propose to define ``disease or injury,'' ``birth,'' 
or ``death,'' because the Department believes that these terms, when 
read with the definition of ``person'' as discussed above and in the 
broader context of HIPAA as discussed in greater detail below, exclude 
information about abortion or other reproductive health care. But the 
Department invites comment on whether it would be beneficial to clarify 
that these terms exclude information about reproductive health care.
---------------------------------------------------------------------------

    \202\ See U.S. Dep't of Health and Human Servs., Office for 
Civil Rights, Public Health (Dec. 18, 2020), <a href="https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html">https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html</a>.

---------------------------------------------------------------------------

[[Page 23524]]

    At the time of HIPAA's enactment, state laws provided for the 
reporting of disease or injury, birth, or death by covered health care 
providers and other persons.\203\ These state public health reporting 
systems were well established and involved close collaboration between 
the state, local, or territorial jurisdiction and the Federal 
Government.\204\ Reports generally were made to public health 
authorities or, in some specific cases, law enforcement (e.g., 
reporting of gunshot wounds).\205\ Similar public health reporting 
systems continue to exist today.
---------------------------------------------------------------------------

    \203\ The 1996-98 Report of the NCVHS to the Secretary describes 
various types of activities considered to be public health during 
the era in which HIPAA was enacted, such as the collection of public 
health surveillance data on health status and health outcomes and 
vital statistics information. See Report of ``The National Committee 
on Vital and Health Statistics, 1996-98,'' Nat'l Comm. on Vital and 
Health Stats. (Dec. 1999), <a href="https://ncvhs.hhs.gov/wp-content/uploads/2018/03/90727nv-508.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2018/03/90727nv-508.pdf</a>.
    \204\ Id.
    \205\ Id.
---------------------------------------------------------------------------

    Reporting of ``disease or injury'' commonly refers to diagnosable 
health conditions reported for limited purposes such as workers' 
compensation, tort claims, or health tracking efforts. All states, 
territories, and Tribal governments require covered health care 
providers (e.g., physicians and laboratories) and others to report 
cases of certain diseases or conditions that affect public health, such 
as coronavirus disease 2019 (COVID-19), malaria, and foodborne 
illnesses.\206\ Such reporting enables public health practitioners to 
study and explain diseases and their spread, along with determining 
appropriate actions to prevent and respond to outbreaks.\207\ States 
also require health care providers to report incidents of certain types 
of injuries, such as those caused by gunshots, knives, or burns.\208\ 
Various Federal statutes use the phrase ``disease or injury'' similarly 
to refer to events such as workplace injuries for purposes of 
compensation.\209\
---------------------------------------------------------------------------

    \206\ See ``Reportable diseases,'' in National Institutes of 
Health, National Library of Medicine, MedlinePlus, <a href="https://medlineplus.gov/ency/article/001929.htm">https://medlineplus.gov/ency/article/001929.htm</a> (accessed Oct. 19, 2022). 
See also ``What is Case Surveillance?'' Centers for Disease Control 
and Prevention, National Notifiable Diseases Surveillance Sys. (July 
20, 2022), <a href="https://www.cdc.gov/nndss/about/index.html">https://www.cdc.gov/nndss/about/index.html</a>.
    \207\ See ``Reportable diseases,'' supra note 206. Such 
reporting is a type of public health surveillance activity.
    \208\ See Victims Rights Law Center, ``Mandatory Reporting of 
Non-Accidental Injuries: A State-by-State Guide'' (May 2014), <a href="http://4e5ae7d17e.nxcli.net/wp-content/uploads/2021/01/Mandatory-Reporting-of-Non-Accidental-Injury-Statutes-by-State.pdf">http://4e5ae7d17e.nxcli.net/wp-content/uploads/2021/01/Mandatory-Reporting-of-Non-Accidental-Injury-Statutes-by-State.pdf</a>.
    \209\ See, e.g., 38 U.S.C. 1110 (referring to an ``injury 
suffered or disease contracted''); 10 U.S.C. 972 (discussing time 
lost as a result of ``disease or injury''); 38 U.S.C. 3500 
(providing education for certain children whose parent suffered ``a 
disease or injury'' incurred or aggravated in the Armed Forces); see 
also 5 U.S.C. 8707 (insurance provision discussing compensation as a 
result of ``disease or injury''); 33 U.S.C. 765 (discussing 
retirement for disability as a result of ``disease or injury''); 15 
U.S.C. 2607(c) (requiring chemical manufacturers to maintain records 
of ``occupational disease or injury'').
---------------------------------------------------------------------------

    The limited meaning given to the terms ``disease'' and ``injury'' 
is clear from HIPAA's broader context. For instance, interpreting 
``injury'' to include reporting of any criminal abuse would render the 
specific exception for ``child abuse'' superfluous. And interpreting 
``disease'' to include reporting of any disease for any purpose would 
eviscerate HIPAA's general provisions protecting PHI. ``[D]isease 
management activities'' constitute ``health care'' under the Privacy 
Rule, and a broad interpretation of ``disease or injury'' would make 
even information about cancer treatment disclosable.\210\ Consequently, 
the Department has long understood ``disease or injury'' to narrowly 
refer to diagnosable health conditions reported for limited purposes 
such as workers' compensation, tort claims, or health tracking 
efforts.\211\
---------------------------------------------------------------------------

    \210\ See 65 FR 82571 (recognizing that ``disease management 
activities'' often constitute ``health care'' under HIPAA); 65 FR 
82777 (discussing the importance of privacy for information about 
cancer, a ``disease'' that causes an ``indisputable'' ``societal 
burden''); 65 FR 82778 (discussing the importance of privacy for 
information about sexually transmitted diseases, including Human 
Immunodeficiency Virus/Acquired Immunodeficiency Syndrome (HIV/
AIDS)); 65 FR 82463-64 (noting that numerous states adopted laws 
protecting health information relating to certain health conditions 
such as communicable diseases, cancer, HIV/AIDS, and other 
stigmatized conditions); 65 FR 82731 (finding that there are no 
persuasive reasons to provide information contained within disease 
registries with special treatment as compared with other information 
that may be used to make decisions about an individual).
    \211\ See, e.g., 65 FR 82517 (discussing tort litigation as 
information that could implicate IIHI); 65 FR 82542 (discussing 
workers' compensation); 65 FR 82527 (separately addressing 
disclosures about ``abuse, neglect or domestic violence'' and 
limiting such disclosures to only two circumstances, even if 
expressly authorized by state statute or regulation).
---------------------------------------------------------------------------

    With respect to reporting of ``births'' and ``deaths,'' such vital 
statistics are reported by covered health care providers to the vital 
registration systems operated in various jurisdictions \212\ legally 
responsible for the registration of vital events.\213\ State laws 
require birth certificates to be completed for all births, and Federal 
law mandates the national collection and publication of births and 
other vital statistics data.\214\ Tracking and reporting death is a 
complex and decentralized process with a variety of systems used by 
more than 6,000 local vital registrars.\215\ When HIPAA was enacted, 
the Model State Vital Statistics Act and Regulations, which is followed 
by most states,\216\ included distinct categories for ``live births,'' 
``fetal deaths,'' and ``induced terminations of pregnancy,'' with 
instructions that abortions ``shall not be reported as fetal deaths.'' 
\217\ In light of that common understanding at the time of HIPAA's 
enactment, it is clear that the reporting of abortions is not included 
in the category of reporting of deaths for the purposes of HIPAA and 
does not fall within the scope of state activities Congress 
specifically designated as excepted from preemption by HIPAA.
---------------------------------------------------------------------------

    \212\ See ``Health Department Governance,'' Centers for Disease 
Control and Prevention, Public Health Professionals Gateway (Nov. 
25, 2022), <a href="https://www.cdc.gov/publichealthgateway/sitesgovernance/index.html">https://www.cdc.gov/publichealthgateway/sitesgovernance/index.html</a>.
    \213\ See the list of events included in ``vital 
events--births, deaths, marriages, divorces, and fetal deaths,'' 
National Center for Health Statistics, Centers for Disease Control 
and Prevention, About the National Vital Statistics System (Jan. 4, 
2016), <a href="https://www.cdc.gov/nchs/nvss/about_nvss.htm">https://www.cdc.gov/nchs/nvss/about_nvss.htm</a>.
    \214\ See ``Birth Data,'' National Center for Health Statistics, 
Centers for Disease Control and Prevention, National Vital 
Statistics (Dec. 6, 2022), <a href="https://www.cdc.gov/nchs/nvss/births.htm">https://www.cdc.gov/nchs/nvss/births.htm</a>.
    \215\ See ``How Tracking Deaths Protects Health,'' Centers for 
Disease Control and Prevention, Public Health and Surveillance Data 
(July 2018), <a href="https://www.cdc.gov/surveillance/pdfs/Tracking-Deaths-protects-healthh.pdf">https://www.cdc.gov/surveillance/pdfs/Tracking-Deaths-protects-healthh.pdf</a>.
    \216\ See ``State Definitions and Reporting Requirements: For 
Live Births, Fetal Deaths, and Induced Terminations of Pregnancy,'' 
Centers for Disease Control and Prevention, National Center for 
Health Statistics (1997), p. 5, <a href="https://www.cdc.gov/nchs/data/misc/itop97.pdf">https://www.cdc.gov/nchs/data/misc/itop97.pdf</a>.
    \217\ ``Model State Vital Statistics Act and Regulations,'' 
Centers for Disease Control and Prevention, National Center for 
Health Statistics (1992), p. 8, <a href="https://www.cdc.gov/nchs/data/misc/mvsact92b.pdf">https://www.cdc.gov/nchs/data/misc/mvsact92b.pdf</a>.
---------------------------------------------------------------------------

    More generally, while Congress exempted certain ``[p]ublic health'' 
laws from preemption,\218\ Congress chose not to create a general 
exception for criminal laws or other laws that address the disclosure 
of information about similar types of activities outside of the public 
health context. Thus, the Privacy Rule's exceptions for reporting of 
disease or injury, birth, or death do not allow the use or disclosure 
of PHI for investigating or punishing a person for seeking, obtaining, 
providing, or facilitating reproductive health care. Similarly, state 
laws requiring disclosure for such purposes are not exempt under 
section 1178(b) from HIPAA's general preemption provision.
---------------------------------------------------------------------------

    \218\ 42 U.S.C. 1178(b) (codified in HIPAA at 42 U.S.C. 1320d-
7).

---------------------------------------------------------------------------

[[Page 23525]]

Public Health Surveillance, Investigation, or Intervention
    The Privacy Rule also permits a regulated entity to use or disclose 
PHI to conduct ``public health'' surveillance, investigation, or 
intervention.\219\ Section 1178(b) similarly exempts state laws 
providing for ``public health'' surveillance, investigation, or 
intervention from HIPAA's general preemption rule. Neither HIPAA nor 
the Privacy Rule currently defines these terms. To clarify their 
meaning, the Department proposes to define public health \220\ 
surveillance, investigation, or intervention to mean population-based 
activities to prevent disease and promote health of populations.\221\ 
The Department also proposes to clarify that such public health 
activities do not include uses and disclosures for the criminal, civil, 
or administrative investigation into or proceeding against any person 
in connection with seeking, obtaining, providing, or facilitating 
reproductive health care, or to identify any person for the purpose of 
initiating such an investigation or proceeding.\222\
---------------------------------------------------------------------------

    \219\ See 45 CFR 164.512(b)(1)(i); U.S. Dep't of Health and 
Human Servs., Office for Civil Rights, Disclosures for Public Health 
Activities, (accessed Oct. 19, 2022), <a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/index.html">https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/index.html</a>.
    \220\ See ``Ten Essential Public Health Services,'' Centers for 
Disease Control and Prevention, Public Health Professionals Gateway 
(Dec. 1, 2022), <a href="https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html">https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html</a> and ``What is 
Public Health?'' in CDC Foundation, Public Health in Action (2023), 
<a href="https://www.cdcfoundation.org/what-public-health?gclid=Cj0KCQjw_viWBhD8ARIsAH1mCd7ME0r94gapt8Qh48LjdQO3Sto101snekpI94auuahRs7LizEkh7OwaAiKxEALw_wcB">https://www.cdcfoundation.org/what-public-health?gclid=Cj0KCQjw_viWBhD8ARIsAH1mCd7ME0r94gapt8Qh48LjdQO3Sto101snekpI94auuahRs7LizEkh7OwaAiKxEALw_wcB</a>. See also ``HIPAA Privacy Rule 
and Public Health,'' Centers for Disease Control and Prevention, 
MMWR (Apr. 11, 2003), <a href="https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm">https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm</a>.
    \221\ See Report of ``The National Committee on Vital and Health 
Statistics, 1996-98,'' supra note 203. These activities are 
consistent with the definition proposed herein.
    \222\ See Report of ``The National Committee on Vital and Health 
Statistics, 1996-98,'' supra note 203, for descriptions of public 
health activities in 1996-98.
---------------------------------------------------------------------------

    Since the time of HIPAA's enactment, public health activities 
related to surveillance, investigation, or intervention have been 
widely understood to refer to activities aimed at improving the health 
of a population. For example, legal dictionaries define ``public 
health'' as ``[t]he health of the community at large,'' or ``[t]he 
healthful or sanitary condition of the general body of people or the 
community en masse; esp., the methods of maintaining the health of the 
community, as by preventive medicine or organized care for the sick.'' 
\223\ Stedman's Medical Dictionary defines ``public health'' as ``the 
art and science of community health, concerned with statistics, 
epidemiology, hygiene, and the prevention and eradication of epidemic 
diseases; an effort organized by society to promote, protect, and 
restore the people's health; public health is a social institution, a 
service, and a practice.'' \224\ The Centers for Disease Control and 
Prevention's (CDC) Agency for Toxic Substances and Disease Registry 
commonly defines ``public health surveillance'' as ``the ongoing 
systematic collection, analysis and interpretation of outcome-specific 
data for use in the planning, implementation, and evaluation of public 
health practice.'' \225\ And many states similarly define ``public 
health'' to mean population-level activities.\226\ The Department 
likewise has used public health in this way since it first adopted the 
Privacy Rule.\227\
---------------------------------------------------------------------------

    \223\ ``Health,'' ``public health,'' Black's Law Dictionary 
(11th ed. 2019).
    \224\ ``Public health,'' Stedman's Medical Dictionary 394520.
    \225\ Jonathan Weinstein, ``In Re Miguel M.,'' 55 N.Y.L. Sch. L. 
Rev. 389, 390 (2010) (citing Stephen B. Thacker, ``Historical 
Development,'' in Principles and Practice of Public Health 
Surveillance 1 (Steven M. Teutsch & R. Elliott Churchill eds., 2d 
ed., 2000)), <a href="https://digitalcommons.nyls.edu/cgi/viewcontent.cgi?article=1599&context=nyls_law_review">https://digitalcommons.nyls.edu/cgi/viewcontent.cgi?article=1599&context=nyls_law_review</a>.
    \226\ See, e.g., Richard A. Goodman, Judith W. Munson, Kim 
Dammers, et al., ``Forensic Epidemiology: Law at the Intersection of 
Public Health and Criminal Investigations,'' 31 The Journal of Law, 
Medicine & Ethics 684, 689-90 (2003); La. Rev. Stat. Ann. sec. 
40:3.1 (2011) (defining threats to public health as nuisances 
``including but not limited to communicable, contagious, and 
infectious diseases, as well as illnesses, diseases, and genetic 
disorders or abnormalities''); N.C. Gen. Stat. sec. 130A-141.1(a) 
(2010) (defining public health investigations as the ``surveillance 
of an illness, condition, or symptoms that may indicate the 
existence of a communicable disease or condition'').
    \227\ See, e.g., 65 FR 82464 (noting that reporting of public 
health information on communicable diseases is not prevented by 
individuals' right to information privacy); id. at 82467 (discussing 
the importance of accurate medical records in recognizing troubling 
public health trends and in assessing the effectiveness of public 
health efforts); id. at 82473 (discussing disclosure to ``a 
department of public health''); id. at 82525 (recognizing that it 
may be necessary to disclose PHI about communicable diseases when 
conducting a public health intervention or investigation); id. at 
82526 (recognizing that an entity acts as a ``public health 
authority'' when, in its role as a component of the public health 
department, it conducts infectious disease surveillance); ``HIPAA 
Privacy Rule and Public Health,'' supra note 220 (describing what 
traditionally are considered to be ``public health activities'' that 
require PHI).
---------------------------------------------------------------------------

    There is also a widely recognized distinction between public health 
activities, which primarily focus on improving the health of 
populations, and criminal investigations, which primarily focus on 
identifying and imposing liability on persons who have violated the 
law. States and other local governing authorities maintain criminal 
codes that are distinct and separate from public health reporting 
laws,\228\ although some jurisdictions enforce required reporting 
through criminal statutes. Different governmental bodies are 
responsible for enforcing these separate codes, and public health 
officials do not typically investigate criminal activity.\229\ When 
states intend for public health information to be shared with law 
enforcement for criminal investigation purposes, they typically pass 
specific laws to permit that sharing.\230\ Other Federal laws also 
treat public health investigations as distinct from criminal 
investigations.\231\ Maintaining a clear distinction between public 
health investigations and criminal investigations serves HIPAA's 
broader purposes, as well, by safeguarding privacy to ensure quality 
health care.\232\
---------------------------------------------------------------------------

    \228\ For example, traditional public health reporting laws grew 
from colonial requirements that physicians report disease. These 
requirements transitioned to state regulatory requirements imposed 
by public health departments on authority granted to them by states. 
See Public Health Law 101, Disease Reporting and Public Health 
Surveillance, Centers for Disease Control and Prevention, p. 12 and 
14, <a href="https://www.cdc.gov/phlp/docs/phl101/PHL101-Unit-5-16Jan09-Secure.pdf">https://www.cdc.gov/phlp/docs/phl101/PHL101-Unit-5-16Jan09-Secure.pdf</a>. See also, e.g., Code of Georgia 31-12-2 (2021), 
authority to require disease reporting.
    \229\ See ``Public Health,'' supra note 223 (``Many cities have 
a `public health department' or other agency responsible for 
maintaining the public health; Federal laws dealing with health are 
administered by the Department of Health and Human Services.''); See 
also ``Forensic Epidemiology: Law at the Intersection of Public 
Health and Criminal Investigations,'' supra note 226, at 689.
    \230\ See ``Forensic Epidemiology: Law at the Intersection of 
Public Health and Criminal Investigations,'' supra note 226, at 687 
(discussing South Dakota Statutes sec. 22-18-31, a law allowing HIV 
test results to be released to a prosecutor for criminal 
investigation purposes); id. at 693 (discussing North Carolina 
General Statute (N.C.G.S.) sec. 130A-476, a law allowing 
confidential medical information to be shared with law enforcement 
in certain circumstances related to communicable diseases or 
terrorism).
    \231\ See Camara v. Municipal Ct. of City & Cty. of S.F., 387 
U.S. 523, 535-37 (1967) (discussing administrative inspections under 
the Fourth Amendment, such as those aimed at addressing ``conditions 
which are hazardous to public health and safety,'' and not ``aimed 
at the discovery of evidence of crime''); 42 U.S.C. 241(d)(D) 
(prohibiting disclosure of private information from research 
subjects in ``criminal'' and other proceedings); 42 U.S.C. 290dd-
2(c) (prohibiting substance abuse records from being used in 
criminal proceedings).
    \232\ See ``Forensic Epidemiology: Law at the Intersection of 
Public Health and Criminal Investigations,'' supra note 226, at 687 
(discussing reasons why ``an association of public health with law 
enforcement'' may be ``to the detriment of routine public health 
practice''). See also 45 CFR 164.512(b)(1)(i) (including ``public 
health investigations'' as an activity carried out by a public 
health authority that is authorized by law to carry out public 
health activities).

---------------------------------------------------------------------------

[[Page 23526]]

    The Department concludes that the Privacy Rule's permissions to use 
and disclose PHI for the ``public health'' activities of surveillance, 
investigation, or intervention do not include criminal, civil, or 
administrative investigations into, or proceedings against, any person 
in connection with seeking, obtaining, providing, or facilitating 
reproductive health care, nor do they include identifying any person 
for the purpose of initiating such investigations or proceedings. Such 
actions are not public health activities. Public health surveillance, 
investigations, or interventions ensure the health of the community as 
a whole by addressing population-level issues such as the spread of 
communicable diseases, even where they involve individual-level 
interventions. Such surveillance systems provide data necessary to 
examine and potentially develop interventions to improve the public's 
health, such as providing education or resources to support 
individuals' access to health care and improve health outcomes.\233\ 
U.S. states, territories, and Tribal governments participate in 
bilateral agreements with the Federal Government to share data on 
conditions that affect public health.\234\ The CDC's Division of 
Reproductive Health presently collects reproductive health data in 
support of national and state-based population surveillance systems to 
assess maternal complications, mortality and pregnancy-related 
disparities, and the numbers and characteristics of individuals who 
obtain legal induced abortions.\235\ Importantly, disclosures to public 
health authorities permitted by the Privacy Rule are limited to the 
``minimum necessary'' to accomplish the public health purpose.\236\ In 
many cases, regulated entities need disclose only de-identified data 
\237\ to meet the public health purpose. By contrast, criminal, civil, 
and administrative investigations and proceedings generally target 
specific persons; they are not designed to address population-level 
health concerns and are not limited to information authorized to be 
collected by a public health or similar government authority for a 
public health activity. Thus, the exceptions in section 1178(b) for 
``public health'' investigations, interventions, or surveillance do not 
limit the Department's ability to prohibit uses or disclosures of PHI 
for other purposes, such as judicial and administrative proceedings or 
law enforcement purposes. While the Department has chosen as a policy 
matter to permit uses or disclosures of PHI for law enforcement and 
other purposes in other contexts, it believes, as discussed above, that 
a different balance is appropriate in the context of highly sensitive 
information related to reproductive health care.
---------------------------------------------------------------------------

    \233\ See ``Improving the Role of Health Departments in 
Activities Related to Abortion,'' American Public Health Association 
(Oct. 26, 2021), <a href="https://www.apha.org/Policies-and-Advocacy/Public-Health-Policy-Statements/Policy-Database/2022/01/07/Improving-Health-Department-Role-in-Activities-Related-to-Abortion">https://www.apha.org/Policies-and-Advocacy/Public-Health-Policy-Statements/Policy-Database/2022/01/07/Improving-Health-Department-Role-in-Activities-Related-to-Abortion</a>.
    \234\ See ``Reportable diseases,'' supra note 206. See also 
``What is Case Surveillance?'' supra note 206.
    \235\ See ``Reproductive Health,'' Centers for Disease Control 
and Prevention (Apr. 20, 2022), <a href="https://www.cdc.gov/reproductivehealth/drh/about-us/index.htm">https://www.cdc.gov/reproductivehealth/drh/about-us/index.htm</a>; and ``Reproductive 
Health--CDCs Abortion Surveillance System FAQs,'' Centers for 
Disease Control and Prevention, Reproductive Health (Nov. 17, 2022), 
<a href="https://www.cdc.gov/reproductivehealth/data_stats/abortion.htm">https://www.cdc.gov/reproductivehealth/data_stats/abortion.htm</a>.
    \236\ See 45 CFR 164.502(b).
    \237\ See 45 CFR 164.514(a).
---------------------------------------------------------------------------

    In light of the proposed definition of ``public health'' in this 
context, the Department does not propose to additionally define the 
terms ``investigation,'' ``intervention,'' or ``surveillance,'' because 
it believes these terms are commonly understood. Specifically, the 
Department believes public health investigation or intervention 
includes monitoring real-time health status and identifying patterns to 
develop strategies to address chronic diseases and injuries, as well as 
using real-time data to identify and respond to acute outbreaks, 
emergencies, and other health hazards.\238\ The Department also 
believes public health surveillance refers to the ongoing, systematic 
collection, analysis, and interpretation of health-related data 
essential to planning, implementation, and evaluation of public health 
practice.\239\ Nevertheless, the Department invites comment on whether 
it would be beneficial to specifically define these terms.
---------------------------------------------------------------------------

    \238\ See ``Ten Essential Public Health Services,'' supra note 
220.
    \239\ See ``Introduction to Public Health Surveillance,'' 
Centers for Disease Control and Prevention (Nov. 15, 2018), <a href="https://www.cdc.gov/training/publichealth101/surveillance.html">https://www.cdc.gov/training/publichealth101/surveillance.html</a>.
---------------------------------------------------------------------------

Child Abuse Reporting
    In accordance with section 1178(b) of HIPAA, the Privacy Rule 
permits a regulated entity to use or disclose PHI to report known or 
suspected child abuse or neglect if the report is made to a public 
health authority or other appropriate government authority that is 
authorized by law to receive such reports,\240\ which primarily are 
state or local child protective services agencies.\241\ This Privacy 
Rule provision does not include permission for the covered entity to 
disclose PHI in response to a request for PHI for a criminal, civil, or 
administrative investigation into or proceeding against a person based 
on suspected child abuse. Rather, the Privacy Rule only permits the 
disclosure of information for the purpose of making a report. We also 
note that the permission limits such disclosures to the minimum 
necessary to make the report.\242\ Any disclosure of PHI in response to 
a request from an investigator, whether in follow-up to the report made 
by the covered entity (other than to clarify the PHI provided on the 
report) or as part of an investigation initiated based on an allegation 
or report made by a person other than the covered entity, would be 
required to meet the conditions of disclosures to law enforcement or 
for other investigations or legal proceedings.\243\
---------------------------------------------------------------------------

    \240\ See 45 CFR 164.512(b)(1)(ii).
    \241\ State laws require certain persons, such as health care 
providers, to report known or suspected child abuse or neglect; such 
persons are often called ``mandatory reporters.'' See ``Mandatory 
Reporters of Child Abuse and Neglect,'' U.S. Dep't of Health and 
Human Servs., Administration for Children and Families, Children's 
Bureau, Child Welfare Information Gateway (Apr. 2019), <a href="https://www.childwelfare.gov/pubPDFs/manda.pdf">https://www.childwelfare.gov/pubPDFs/manda.pdf</a>. See also ``Factsheet: How 
the Child Welfare System Works,'' U.S. Dep't of Health and Human 
Servs., Administration for Children and Families, Children's Bureau, 
Child Welfare Information Gateway (Oct. 2020), <a href="https://www.childwelfare.gov/pubPDFs/cpswork.pdf">https://www.childwelfare.gov/pubPDFs/cpswork.pdf</a>.
    \242\ See 45 CFR 164.502(b) and 164.514(d).
    \243\ See 45 CFR 164.512(e) and (f).
---------------------------------------------------------------------------

    As discussed above, the Department understands the term ``person'' 
as it is used in the SSA, HIPAA, and the HIPAA Rules to be consistent 
with 1 U.S.C. 8. Congress also defined the term ``child'' in 1 U.S.C. 
8, and the Department similarly understands the term ``child'' in the 
Privacy Rule to be consistent with that definition. Further, at the 
time HIPAA was enacted, ``most, if not all, states had laws that 
mandated reporting of child abuse or neglect to the appropriate 
authorities.'' \244\ As such, the Department believes that to the 
ex

[…truncated; see source link]
Indexed from Federal Register on April 17, 2023.
