Rule 2024-08503

HIPAA Privacy Rule To Support Reproductive Health Care Privacy

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published: April 26, 2024
Effective: June 25, 2024

Issuing agencies

Health and Human Services Department

Abstract

The Department of Health and Human Services (HHS or "Department") is issuing this final rule to modify the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The Department is issuing this final rule after careful consideration of all public comments received in response to the notice of proposed rulemaking (NPRM) for the HIPAA Privacy Rule to Support Reproductive Health Care Privacy ("2023 Privacy Rule NPRM") and public comments received on proposals to revise provisions of the HIPAA Privacy Rule in the NPRM for the Confidentiality of Substance Use Disorder (SUD) Patient Records ("2022 Part 2 NPRM").

Full Text

<html>
<head>
<title>Federal Register, Volume 89 Issue 82 (Friday, April 26, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 82 (Friday, April 26, 2024)]
[Rules and Regulations]
[Pages 32976-33066]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-08503]



Vol. 89, No. 82
Friday, April 26, 2024

Part V

Department of Health and Human Services

45 CFR Parts 160 and 164

HIPAA Privacy Rule To Support Reproductive Health Care Privacy; Final 
Rule

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0945-AA20


HIPAA Privacy Rule To Support Reproductive Health Care Privacy

AGENCY: Office for Civil Rights (OCR), Office of the Secretary, 
Department of Health and Human Services.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS or 
``Department'') is issuing this final rule to modify the Standards for 
Privacy of Individually Identifiable Health Information (``Privacy 
Rule'') under the Health Insurance Portability and Accountability Act 
of 1996 (HIPAA) and the Health Information Technology for Economic and 
Clinical Health Act of 2009 (HITECH Act). The Department is issuing 
this final rule after careful consideration of all public comments 
received in response to the notice of proposed rulemaking (NPRM) for 
the HIPAA Privacy Rule to Support Reproductive Health Care Privacy 
(``2023 Privacy Rule NPRM'') and public comments received on proposals 
to revise provisions of the HIPAA Privacy Rule in the NPRM for the 
Confidentiality of Substance Use Disorder (SUD) Patient Records (``2022 
Part 2 NPRM'').

DATES: 
    Effective date: This final rule is effective on June 25, 2024.
    Compliance date: Persons subject to this regulation must comply 
with the applicable requirements of this final rule by December 23, 
2024, except for the applicable requirements of 45 CFR 164.520 in this 
final rule. Persons subject to this regulation must comply with the 
applicable requirements of 45 CFR 164.520 in this final rule by 
February 16, 2026.

FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 240-3110 
or (800) 537-7697 (TDD), or by email at [email protected].

SUPPLEMENTARY INFORMATION: 

Table of Contents

I. Executive Summary
    A. Overview
    B. Effective and Compliance Dates
    1. 2023 Privacy Rule NPRM
    2. Overview of Comments
    3. Final Rule
    4. Response to Public Comments
II. Statutory and Regulatory Background
    A. Statutory Authority and History
    1. Health Insurance Portability and Accountability Act of 1996 
(HIPAA)
    2. Health Information Technology for Economic and Clinical 
Health (HITECH) Act
    B. Regulatory History
    1. 2000 Privacy Rule
    2. 2002 Privacy Rule
    3. 2013 Omnibus Rule
    4. 2024 Privacy Rule
III. Justification for This Rulemaking
    A. HIPAA Encourages Trust and Confidence by Carefully Balancing 
Individuals' Privacy Interests With Others' Interests in Using or 
Disclosing PHI
    1. Privacy Protections Ensure That Individuals Have Access to, 
and Are Comfortable Accessing, High-Quality Health Care
    2. The Department's Approach to the Privacy Rule Has Long Sought 
To Balance the Interests of Individuals and Society
    B. Developments in the Legal Environment Are Eroding 
Individuals' Trust in the Health Care System
    C. To Protect the Trust Between Individuals and Health Care 
Providers, the Department Is Restricting Certain Uses and 
Disclosures of PHI for Particular Non-Health Care Purposes
IV. General Discussion of Public Comments
    A. General Comments in Support of the Proposed Rule
    B. General Comments in Opposition to the Proposed Rule
    C. Other General Comments on the Proposed Rule
V. Summary of Final Rule Provisions and Public Comments and 
Responses
    A. Section 160.103 Definitions
    1. Clarifying the Definition of ``Person''
    2. Interpreting Terms Used in Section 1178(b) of the Social 
Security Act
    3. Adding a Definition of ``Reproductive Health Care''
    4. Whether the Department Should Define Any Additional Terms
    B. Section 164.502--Uses and Disclosures of Protected Health 
Information: General Rules
    1. Clarifying When PHI May Be Used or Disclosed by Regulated 
Entities
    2. Adding a New Category of Prohibited Uses and Disclosures
    3. Clarifying Personal Representative Status in the Context of 
Reproductive Health Care
    4. Request for Comments
    C. Section 164.509--Uses and Disclosures for Which an 
Attestation is Required
    1. Current Provision
    2. Proposed Rule
    3. Overview of Public Comments
    4. Final Rule
    5. Responses to Public Comments
    D. Section 164.512--Uses and Disclosures for Which an 
Authorization or Opportunity To Agree or Object Is Not Required
    1. Applying the Prohibition and Attestation Condition to Certain 
Permitted Uses and Disclosures
    2. Making a Technical Correction to the Heading of 45 CFR 
164.512(c) and Clarifying That Providing or Facilitating 
Reproductive Health Care Is Not Abuse, Neglect, or Domestic Violence
    3. Clarifying the Permission for Disclosures Based on 
Administrative Processes
    4. Request for Information on Current Processes for Receiving 
and Addressing Requests Pursuant to 164.512(d) Through (g)(1)
    E. Section 164.520--Notice of Privacy Practices for Protected 
Health Information
    1. Current Provision
    2. CARES Act
    3. Proposals in 2022 Part 2 NPRM and 2023 Privacy Rule NPRM
    4. Overview of Public Comments
    5. Final Rule
    6. Responses to Public Comments
    F. Section 164.535--Severability
    G. Comments on Other Provisions of the HIPAA Rules
VI. Regulatory Impact Analysis
    A. Executive Order 12866 and Related Executive Orders on 
Regulatory Review
    1. Summary of Costs and Benefits
    2. Baseline Conditions
    3. Costs of the Rule
    B. Regulatory Alternatives to the Final Rule
    C. Regulatory Flexibility Act--Small Entity Analysis
    D. Executive Order 13132--Federalism
    E. Assessment of Federal Regulation and Policies on Families
    F. Paperwork Reduction Act of 1995
Explanation of Estimated Annualized Burden Hours

                            Table of Acronyms
------------------------------------------------------------------------
            Term                                Meaning
------------------------------------------------------------------------
AMA.........................  American Medical Association.
API.........................  Application Programming Interface.
CARES Act...................  Coronavirus Aid, Relief, and Economic
                               Security Act.
CDC.........................  Centers for Disease Control and
                               Prevention.
CLIA........................  Clinical Laboratory Improvement Amendments
                               of 1988.
CMS.........................  Centers for Medicare & Medicaid Services.
DOD.........................  Department of Defense.
Department or HHS...........  Department of Health and Human Services.
EHR.........................  Electronic Health Record.
E.O.........................  Executive Order.
FDA.........................  Food and Drug Administration.
FHIR®.......................  Fast Healthcare Interoperability
                               Resources®.
FTC.........................  Federal Trade Commission.
GINA........................  Genetic Information Nondiscrimination Act
                               of 2008.
Health IT...................  Health Information Technology.
HIE.........................  Health Information Exchange.
HIPAA.......................  Health Insurance Portability and
                               Accountability Act of 1996.
HITECH Act..................  Health Information Technology for Economic
                               and Clinical Health Act of 2009.
ICR.........................  Information Collection Request.
IIHI........................  Individually Identifiable Health
                               Information.
NCVHS.......................  National Committee on Vital and Health
                               Statistics.
NICS........................  National Instant Criminal Background Check
                               System.
NPP.........................  Notice of Privacy Practices.
NPRM........................  Notice of Proposed Rulemaking.
OCR.........................  Office for Civil Rights.
OHCA........................  Organized Health Care Arrangement.
OMB.........................  Office of Management and Budget.
ONC.........................  Office of the National Coordinator for
                               Health Information Technology.
PHI.........................  Protected Health Information.
PRA.........................  Paperwork Reduction Act of 1995.
RFA.........................  Regulatory Flexibility Act.
RIA.........................  Regulatory Impact Analysis.
SBA.........................  Small Business Administration.
SSA.........................  Social Security Act of 1935.
TPO.........................  Treatment, Payment, or Health Care
                               Operations.
UMRA........................  Unfunded Mandates Reform Act of 1995.
------------------------------------------------------------------------

I. Executive Summary

A. Overview

    In this final rule, the Department of Health and Human Services 
(HHS or ``Department'') modifies certain provisions of the Standards 
for Privacy of Individually Identifiable Health Information (``Privacy 
Rule''), issued pursuant to section 264 of the Administrative 
Simplification provisions of title II, subtitle F, of the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA).\1\ The 
Privacy Rule \2\ is one of several rules, collectively known as the 
HIPAA Rules,\3\ that protect the privacy and security of individuals' 
protected health information \4\ (PHI), which is individually 
identifiable health information \5\ (IIHI) transmitted by or maintained 
in electronic media or any other form or medium, with certain 
exceptions.\6\
---------------------------------------------------------------------------

    \1\ Subtitle F of title II of HIPAA (Pub. L. 104-191, 110 Stat. 
1936 (Aug. 21, 1996)) added a new part C to title XI of the Social 
Security Act of 1935 (SSA), Public Law 74-271, 49 Stat. 620 (Aug. 
14, 1935), (see sections 1171-1179 of the SSA (codified at 42 U.S.C. 
1320d-1320d-8)), as well as promulgating section 264 of HIPAA 
(codified at 42 U.S.C. 1320d-2 note), which authorizes the Secretary 
to promulgate regulations with respect to the privacy of 
individually identifiable health information. The Privacy Rule has 
subsequently been amended pursuant to the Genetic Information 
Nondiscrimination Act of 2008 (GINA), title I, section 105, Public 
Law 110-233, 122 Stat. 881 (May 21, 2008) (codified at 42 U.S.C. 
2000ff), and the Health Information Technology for Economic and 
Clinical Health (HITECH) Act of 2009, Public Law 111-5, 123 Stat. 
226 (Feb. 17, 2009) (codified at 42 U.S.C. 1390w-4(O)(2)).
    \2\ 45 CFR parts 160 and 164, subparts A and E. For a history of 
the Privacy Rule, see infra Section II.B., ``Regulatory History.''
    \3\ See also the HIPAA Security Rule, 45 CFR parts 160 and 164, 
subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part 
164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160, 
subparts C, D, and E.
    \4\ 45 CFR 160.103 (definition of ``Protected health 
information'').
    \5\ 42 U.S.C. 1320d. See also 45 CFR 160.103 (definition of 
``Individually identifiable health information'').
    \6\ At times throughout this final rule, the Department uses the 
terms ``health information'' or ``individuals' health information'' 
to refer generically to health information pertaining to an 
individual or individuals. In contrast, the Department's use of the 
term ``IIHI'' refers to a category of health information defined in 
HIPAA, and ``PHI'' is used to refer specifically to a category of 
IIHI that is defined by and subject to the privacy and security 
standards promulgated in the HIPAA Rules.
---------------------------------------------------------------------------

    The Privacy Rule requires the disclosure of PHI only in the 
following circumstances: when required by the Secretary to investigate 
a regulated entity's compliance with the Privacy Rule and to the 
individual pursuant to the individual's right of access and the 
individual's right to an accounting of disclosures.\7\ Any other uses 
or disclosures described in the Privacy Rule are either permitted or 
prohibited, as specified in the Privacy Rule. For example, the Privacy 
Rule permits, but does not require, a regulated entity to disclose PHI 
to conduct quality improvement activities when applicable conditions 
are met, and it prohibits a regulated entity from selling PHI except 
pursuant to and in compliance with 45 CFR 164.508(a)(4).\8\
---------------------------------------------------------------------------

    \7\ See 45 CFR 164.502(2) and (4).
    \8\ See 45 CFR 164.512(i) and 164.502(a)(5)(ii).
---------------------------------------------------------------------------

    In accordance with its statutory mandate, the Department 
promulgated the Privacy Rule and continues to administer and enforce it 
to ensure that individuals are not afraid to seek health care from, or 
share important information with, their health care providers because 
of a concern that their sensitive information will be disclosed outside 
of their relationship with their health care provider. Protecting 
privacy promotes trust between health care providers and individuals, 
advancing access to and improving the quality of health care. To 
achieve this goal, the Department generally has applied the same 
privacy standards to nearly all PHI, regardless of the type of health 
care at issue. Notably, special protections were given to psychotherapy 
notes, owing in part to the particularly sensitive information those 
notes contain.\9\
---------------------------------------------------------------------------

    \9\ See 45 CFR 164.501 and 164.508(a)(2).
---------------------------------------------------------------------------

    Under its statutory authority to administer and enforce the HIPAA 
Rules, the Department may modify the HIPAA Rules as needed.\10\ The 
Supreme Court decision in Dobbs v. Jackson Women's Health Organization 
\11\ (Dobbs) overturned precedent that protected a constitutional right 
to abortion and altered the legal and health care landscape. This 
decision has far-reaching implications for reproductive health care 
beyond its effects on access to abortion.\12\ This changing legal 
landscape increases the likelihood that an individual's PHI may be 
disclosed in ways that cause harm to the interests that HIPAA seeks to 
protect, including the trust of individuals in health care providers 
and the health care system.\13\ The threat that PHI will be disclosed 
and used to conduct such an investigation against, or to impose 
liability upon, an individual or another person is likely to chill an 
individual's willingness to seek lawful health care treatment or to 
provide full information to their health care providers when obtaining 
that treatment, and on the willingness of health care providers to 
provide such care.\14\ These developments in the legal environment 
increase the potential that use and disclosure of PHI about an 
individual's reproductive health will undermine access to and the 
quality of health care generally.
---------------------------------------------------------------------------

    \10\ Section 1174(b)(1) of Public Law 104-191 (codified at 42 
U.S.C. 1320d-3).
    \11\ 597 U.S. 215 (2022).
    \12\ See Melissa Suran, ``Treating Cancer in Pregnant Patients 
After Roe v Wade Overturned,'' JAMA (Sept. 29, 2022), <a href="https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2797062?resultClick=1">https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2797062?resultClick=1</a> and Rita Rubin, ``How Abortion Bans Could 
Affect Care for Miscarriage and Infertility,'' JAMA (June 28, 2022), 
<a href="https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2793921?resultClick=1">https://jamanetwork-com.hhsnih.idm.oclc.org/journals/jama/fullarticle/2793921?resultClick=1</a>.
    \13\ See infra National Committee on Vital and Health Statistics 
(NCVHS) discussion, Section II.A.1., expressing concern for harm 
caused by disclosing identifiable health information for non-health 
care purposes.
    \14\ See Whitney S. Rice et al. `` `Post-Roe' Abortion Policy 
Context Heightens Imperative for Multilevel, Comprehensive, 
Integrated Health Education,'' (Sept. 29, 2022), <a href="https://journals.sagepub.com/doi/full/10.1177/10901981221125399">https://journals.sagepub.com/doi/full/10.1177/10901981221125399</a> (``New 
ethical and legal complexities around patient counseling are 
emerging, particularly in states limiting or eliminating abortion 
access, due to more extreme abortion restrictions. Clinicians in 
such contexts may be forced to adhere to legal requirements of 
states which run counter to well-being and desires of patients, 
violating the medical principles of beneficence and respect for 
patient autonomy'').
---------------------------------------------------------------------------

    In order to continue to protect privacy in a manner that promotes 
trust between individuals and health care providers and advances access 
to, and improves the quality of, health care, we have determined that 
the Privacy Rule must be modified to limit the circumstances in which 
provisions of the Privacy Rule permit the use or disclosure of an 
individual's PHI about reproductive health care for certain non-health 
care purposes, where such use or disclosure could be detrimental to 
privacy of the individual or another person or the individual's trust 
in their health care providers. This determination was informed by our 
expertise in administering the Privacy Rule, questions we have received 
from members of the public and Congress, comments we received on the 
2023 HIPAA Privacy Rule to Support Reproductive Health Care Privacy 
notice of proposed rulemaking (NPRM) (``2023 Privacy Rule NPRM''),\15\ 
and our analysis of the state of privacy for IIHI.
---------------------------------------------------------------------------

    \15\ 88 FR 23506 (Apr. 17, 2023).
---------------------------------------------------------------------------

    This final rule (``2024 Privacy Rule'') amends provisions of the 
Privacy Rule to strengthen privacy protections for highly sensitive PHI 
about the reproductive health care of an individual, and directly 
advances the purposes of HIPAA by setting minimum protections for PHI 
and providing peace of mind that is essential to individuals' ability 
to obtain lawful reproductive health care. This final rule balances the 
interests of society in obtaining PHI for non-health care purposes with 
the interests of the individual, the Federal Government, and society in 
protecting individual privacy, thereby improving the effectiveness of 
the health care system by ensuring that persons are not deterred from 
seeking, obtaining, providing, or facilitating reproductive health care 
that is lawful under the circumstances in which such health care is 
provided.
    The Department carefully analyzed state prohibitions and 
restrictions on an individual's ability to obtain high-quality health 
care and their effects on health information privacy and the 
relationships between individuals and their health care providers after 
Dobbs; assessed trends in state legislative activity with respect to 
the privacy of PHI; and conducted a thorough review of the text, 
history, and purposes of HIPAA and the Privacy Rule. The Department 
also engaged in extensive discussions with HHS agencies and other 
Federal departments, including the Department of Justice; consulted 
with the National Committee on Vital and Health Statistics (NCVHS) and 
the Attorney General as required by section 264(d) of HIPAA, and with 
Indian Tribes as required by Executive Order 13175; \16\ held listening 
sessions with and reviewed correspondence from stakeholders, including 
covered entities, states, individuals, and patient advocates; and 
reviewed correspondence to HHS from Members of Congress.\17\ The 
modifications made to the Privacy Rule by this final rule are the 
result of this work.
---------------------------------------------------------------------------

    \16\ See 65 FR 67249 (Nov. 11, 2000). See also Presidential 
Memorandum on Tribal Consultation and Strengthening Nation-to-Nation 
Relationships (Jan. 26, 2021), <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/01/26/memorandum-on-tribal-consultation-and-strengthening-nation-to-nation-relationships/">https://www.whitehouse.gov/briefing-room/presidential-actions/2021/01/26/memorandum-on-tribal-consultation-and-strengthening-nation-to-nation-relationships/</a> and 
Dep't of Health and Human Servs., Tribal Consultation Policy, 
<a href="https://www.hhs.gov/sites/default/files/iea/tribal/tribalconsultation/hhs-consultation-policy.pdf">https://www.hhs.gov/sites/default/files/iea/tribal/tribalconsultation/hhs-consultation-policy.pdf</a>. See also 88 FR 23506 
(Apr. 17, 2023) (notice of Tribal consultation). The Department 
consulted with representatives of Tribal Nations on May 17, 2023. 
During the consultation, the representatives raised issues of health 
inequities and privacy of health information, specifically among 
American Indians and Alaskan Natives after Dobbs.
    \17\ Letter from U.S. Senator Tammy Baldwin et al. to HHS Sec'y 
Xavier Becerra (Mar. 7, 2023) (addressing HIPAA privacy regulations 
and Dobbs v. Jackson Women's Health Organization). Letter from U.S. 
Senator Patty Murray et al. to HHS Sec'y Xavier Becerra (Sept. 13, 
2022) (addressing HIPAA privacy regulations and Dobbs v. Jackson 
Women's Health Organization). Letter from U.S. Representative Earl 
Blumenauer et al. to HHS Sec'y Xavier Becerra (Aug. 30, 2022) 
(addressing HIPAA privacy regulations and Dobbs v. Jackson Women's 
Health Organization). Letter from U.S. Senator Michael F. Bennet et 
al. to HHS Sec'y Xavier Becerra (July 1, 2022) (addressing HIPAA 
privacy regulations and Dobbs v. Jackson Women's Health 
Organization).
---------------------------------------------------------------------------

B. Effective and Compliance Dates

1. 2023 Privacy Rule NPRM
    In the 2023 Privacy Rule NPRM, the Department proposed an effective 
date for a final rule that would occur 60 days after publication, and a 
compliance date that would occur 180 days after the effective date.\18\ 
Taken together, the two dates would give entities 240 days after 
publication to implement compliance measures. In the preamble to the 
proposed rule, the Department stated that it did not believe that the 
proposed rule would pose unique implementation challenges that would 
justify an extended compliance period (i.e., a period longer than the 
standard 180 days provided in 45 CFR 160.105).\19\ The Department also 
asserted that adherence to the standard compliance period is necessary 
to timely address the circumstances described in the 2023 Privacy Rule 
NPRM.
---------------------------------------------------------------------------

    \18\ See 88 FR 23506, 23510 (Apr. 17, 2023).
    \19\ See id.
---------------------------------------------------------------------------

2. Overview of Comments
    A commenter urged the Department to move quickly to issue the final 
rule and to provide a 180-day compliance period as proposed. Some 
commenters requested that the Department provide 
additional time for regulated entities to comply with the proposed 
modifications to the Privacy Rule. Several commenters requested that 
the Department coordinate compliance deadlines across its rulemakings, 
while a few commenters specifically encouraged the Department to 
provide additional time for compliance with the modifications to the 
Notice of Privacy Practices (NPP) requirements proposed in the 2023 
Privacy Rule NPRM.
3. Final Rule
    This final rule is effective on June 25, 2024. Covered entities and 
business associates of all sizes will have 180 days beyond the 
effective date of the final rule to comply with the final rule's 
provisions, with the exception of the NPP provisions, which we address 
separately below. We understand that some covered entities and business 
associates remain concerned that a 180-day period may not provide 
sufficient time to come into compliance with the modified requirements. 
However, we believe that providing a 180-day compliance period best 
comports with section 1175(b)(2) of the Social Security Act of 1935 
(SSA), 42 U.S.C. 1320d-4, and our implementing provision at 45 CFR 
160.104(c)(1), which require the Secretary to provide at least a 180-
day period for covered entities to comply with modifications to 
standards and implementation specifications in the HIPAA Rules, and 
also that providing a 180-day compliance period best protects the 
privacy and security of individuals' PHI in a timely manner that 
reflects the urgency of addressing the changes in the legal landscape 
and their effects on individuals, regulated entities, and other 
persons, while balancing the burden imposed upon regulated entities of 
implementing this final rule.
    Section 160.104(a) permits the Department to adopt a modification 
to a standard or implementation specification adopted under the Privacy 
Rule no more frequently than once every 12 months.\20\ As discussed 
above, we are required to provide a minimum of a 180-day compliance 
period when adopting a modification, but we are permitted to provide a 
longer compliance period based on the extent of the modification and 
the time needed to comply with the modification in determining the 
compliance date for the modification.\21\ The Department makes every 
effort to consider the burden and cost of implementation for regulated 
entities when determining an appropriate compliance date.
---------------------------------------------------------------------------

    \20\ 45 CFR 160.104(a).
    \21\ 45 CFR 160.104(c)(2).
---------------------------------------------------------------------------

    While we recognize that regulated entities will need to revise and 
implement changes to their policies and procedures in response to the 
modifications in this final rule, we do not believe that these changes 
are so significant as to require more than a 180-day compliance period. 
This final rule narrowly tailors the application of its changes to 
certain limited circumstances involving lawful reproductive health care 
and clarifies that regulated entities are not expected to know or be 
aware of laws other than those with which they are required to comply. 
While it adds a condition to certain requests for uses and disclosures, 
the affected requests already require careful review by regulated 
entities for compliance with previously imposed conditions. Thus, we do 
not believe it will be difficult for regulated entities to adjust their 
policies and procedures to accommodate this new requirement. The other 
modifications finalized in this rule are in service of implementing the 
two changes above and impose minimal burden on regulated entities. 
Additionally, the Department believes, based on its evaluation of the 
evolving privacy landscape, that the changes made by this final rule 
are of particular urgency. Accordingly, we believe that a 180-day 
compliance period, combined with a 60-day effective date, is sufficient 
for regulated entities to make the changes required by most of the 
modifications in this final rule, with the exception of the NPP 
provisions.
    We separately consider the question of the compliance date for the 
modifications to the NPP provisions. In the 2022 Confidentiality of 
Substance Use Disorder (SUD) Patient Records NPRM (``2022 Part 2 
NPRM''),\22\ the Department proposed, among other things, to revise 45 
CFR 164.520 as required by section 3221 of the Coronavirus Aid, Relief, 
and Economic Security (CARES) Act.\23\ The Department proposed to 
provide the same compliance date for both the proposed modifications to 
45 CFR 164.520 and the more extensive modifications to 42 CFR part 2 
(``Part 2'').\24\ The 2024 Confidentiality of Substance Use Disorder 
(SUD) Patient Records Final Rule (``2024 Part 2 Rule'') explicitly 
noted that the Department was not finalizing the proposed modifications 
to the NPP provisions at that time, but that we planned to do so in a 
future HIPAA final rule.\25\ The Department also acknowledged that some 
covered entities might have NPPs that would not reflect updated changes 
to policies and procedures addressing how Part 2 records are used and 
disclosed. Rather than requiring covered entities to revise their NPPs 
twice in a short period of time, the Department announced in the 2024 
Part 2 Rule that it would exercise enforcement discretion related to 
the requirement that covered entities update their NPPs whenever 
material changes are made to privacy practices until the compliance 
date established by a future HIPAA final rule.\26\ The Department is 
finalizing the modifications to the NPP required by section 3221 of the 
CARES Act in this rule and aligning the effective and compliance dates 
for all of the modified NPP requirements with those of the 2024 Part 2 
Rule.
---------------------------------------------------------------------------

    \22\ 87 FR 74216 (Dec. 2, 2022).
    \23\ Public Law 116-136, 134 Stat. 281 (Mar. 27, 2020).
    \24\ 89 FR 12472 (Feb. 16, 2024).
    \25\ Id. at 12482, 12528, and 12530.
    \26\ Id. at 12482, 12528, and 12530.
---------------------------------------------------------------------------

    The compliance date of the 2024 Part 2 Rule is February 16, 2026, 
substantially later than the compliance date for most of this final 
rule, because of the significant changes required for compliance with 
the 2024 Part 2 Rule. Accordingly, in compliance with 45 CFR 160.104 
and consistent with the NPP proposals included in the 2022 Part 2 NPRM 
and public comment, we are aligning the compliance date for the NPP 
changes required by this final rule with the compliance date for the 
2024 Part 2 Rule so that covered entities regulated under both rules 
can implement all changes to their NPPs at the same time. Covered 
entities are expected to be in compliance with the modifications to 45 
CFR 164.520 on February 16, 2026.
4. Response to Public Comments
    Comment: One commenter expressed support for the proposal in the 
2023 Privacy Rule NPRM to establish a 180-day compliance date and urged 
the Department to issue a final rule quickly. Some commenters sought an 
extension of the compliance date for twelve to eighteen months, 
explaining that extensive policy and legal work, process and software 
changes, documentation and training would be required to implement the 
2023 Privacy Rule NPRM.
    One commenter suggested phasing in the attestation requirement so 
that ``downstream'' regulated entities, such as business associates and 
managed care organizations, would have a later compliance date than 
health care providers.
    Response: We appreciate the commenters' suggestions, but as 
discussed above, based on our assessment, we do not believe the 
modifications required by this final rule will require longer to 
implement.
    Comment: Some commenters requested that the Department coordinate 
compliance deadlines of final rules that revise the Privacy Rule or 
publish one final rule addressing the proposals in the NPRMs to enable 
regulated entities to leverage the resources required to implement the 
changes to achieve compliance with all of the new requirements at one 
time.
    One commenter explained that each NPRM would involve operational 
changes requiring significant resources and effort and expressed their 
belief that a single comprehensive final rule would allow regulated 
entities to make all of the required changes, including revisions to 
policies and procedures, development of new or revised workflows, 
electronic health record (EHR) updates, and technology enhancements.
    Response: We appreciate the commenters' suggestion, but we do not 
believe that it is necessary to fully align the compliance dates for 
the 2024 Part 2 Rule and the 2024 Privacy Rule. By imposing separate 
compliance deadlines, we are able to act more quickly to protect the 
privacy of PHI.
    However, consistent with 45 CFR 160.104 and as requested by public 
comment, we are applying the same compliance date for covered entities 
to revise their NPPs to address modifications made to 45 CFR 164.520 in 
response to and consistent with the CARES Act and to support 
reproductive health care privacy. The compliance date for the NPP 
provisions is February 16, 2026.\27\ Part 2 programs, including those 
that are covered entities, can choose to implement the changes to their 
NPPs that are required by the 2024 Part 2 Rule prior to the compliance 
date, but there is no requirement that they do so.
---------------------------------------------------------------------------

    \27\ 89 FR 12472 (Feb. 16, 2024).
---------------------------------------------------------------------------

II. Statutory and Regulatory Background

A. Statutory Authority and History

1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    In 1996, Congress enacted HIPAA \28\ to reform the health care 
delivery system to ``improve portability and continuity of health 
insurance coverage in the group and individual markets.'' \29\ To 
enable health care delivery system reform, Congress included in HIPAA 
requirements for standards to support the electronic exchange of health 
information. According to section 261, ``[i]t is the purpose of this 
subtitle to improve [. . .] the efficiency and effectiveness of the 
health care system, by encouraging the development of a health 
information system through the establishment of standards and 
requirements for the electronic transmission of certain health 
information [. . .].'' \30\ Congress applied the Administrative 
Simplification provisions directly to three types of entities known as 
``covered entities''--health plans, health care clearinghouses, and 
health care providers who transmit information electronically in 
connection with a transaction for which HHS has adopted a standard.\31\
---------------------------------------------------------------------------

    \28\ Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996).
    \29\ See H.R. Rep. No. 104-496, at 66-67 (1996).
    \30\ 42 U.S.C. 1320d note (Statutory Notes and Related 
Subsidiaries: Purpose). Subtitle F also amended related provisions 
of the SSA.
    \31\ See section 262 of Public Law 104-191, adding section 1172 
to the SSA (codified at 42 U.S.C. 1320d-1). See also section 13404 
of the American Recovery and Reinvestment Act of 2009, Public Law 
111-5, 123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 17934) 
(applying privacy provisions and penalties to business associates of 
covered entities).
---------------------------------------------------------------------------

    Section 262(a) of HIPAA required the Secretary to adopt uniform 
standards ``to enable health information to be exchanged 
electronically.'' \32\ Congress directed the Secretary to adopt 
standards for unique identifiers to identify individuals, employers, 
health plans, and health care providers across the nation \33\ and 
standards for, among other things, transactions and data elements 
relating to health information,\34\ the security of that 
information,\35\ and verification of electronic signatures.\36\
---------------------------------------------------------------------------

    \32\ 42 U.S.C. 1320d-2(a)(1).
    \33\ 42 U.S.C. 1320d-2(b)(1).
    \34\ 42 U.S.C. 1320d-2(a), (c), and (f).
    \35\ 42 U.S.C. 1320d-2(d).
    \36\ 42 U.S.C. 1320d-2(e).
---------------------------------------------------------------------------

    Congress recognized that the standardization of certain electronic 
health care transactions required by HIPAA posed risks to the privacy 
of confidential health information and viewed individual privacy, 
confidentiality, and data security as critical for orderly 
administrative simplification.\37\ Thus, as explained in the preamble 
to the 2023 Privacy Rule NPRM,\38\ Congress provided the Department 
with the authority to regulate the privacy of IIHI. According to one 
Member of Congress, privacy standards would create an additional layer 
of protection beyond the oath pledged by health care providers to keep 
information secure and, as described by another Member, would further 
protect information from being used in a ``malicious or discriminatory 
manner.'' \39\ Congress intended for the law to enhance individuals' 
trust in health care providers, which required that the law provide 
additional protection for the confidentiality of IIHI. As described by 
a Member of Congress: ``The bill would also establish strict security 
standards for health information because Americans clearly want to make 
sure that their health care records can only be used by the medical 
professionals that treat them. Often, we assume that because doctors 
take an oath of confidentiality that in fact all who touch their 
records operate by the same standards. Clearly, they do not.'' \40\ 
Moreover, Congress considered that health care reform required an 
approach that would not compromise privacy as health information became 
more accessible.\41\
---------------------------------------------------------------------------

    \37\ On a resolution waiving points of order against the 
Conference Report to H.R. 3103, members debated an ``erosion of 
privacy'' balanced against the administrative simplification 
provisions. Thus, from HIPAA's inception, privacy has been a central 
concern to be addressed as legislative changes eased disclosures of 
PHI. See 142 Cong. Rec. H9777 and H9780; see also H.R. Rep. No. 104-
736, at 177 and 264 (1996); 142 Cong. Rec. H9780 (daily ed. Aug. 1, 
1996) (statement of Rep. Sawyer); 142 Cong. Rec. H9792 (daily ed. 
Aug. 1, 1996) (statement of Rep. McDermott); and 142 Cong. Rec. 
S9515-16 (daily ed. Aug. 2, 1996) (statement of Sen. Simon).
    \38\ 88 FR 23506, 23511 (Apr. 17, 2023).
    \39\ See statement of Rep. Sawyer, supra note 37. See also 
statement of Sen. Simon, supra note 37.
    \40\ Statement of Rep. Sawyer, supra note 37.
    \41\ See H.R. Rep. No. 104-496 Part 1, at 99-100 (Mar. 25, 
1996).
---------------------------------------------------------------------------

    Accordingly, section 264(a) directed the Secretary to submit to 
Congress detailed recommendations for Federal ``standards with respect 
to the privacy of [IIHI]'' nationwide within one year of HIPAA's 
enactment.\42\ The statute made clear that the Secretary had the 
authority to promulgate regulations if Congress did not enact 
legislation covering these matters within three years.\43\ Congress 
directed the Secretary to ensure that the regulations promulgated 
``address at least'' the following three subjects: (1) the rights that 
an individual who is a subject of IIHI should have; (2) the procedures 
that should be established for the exercise of such rights; and (3) the 
uses and disclosures of such information that should be authorized or 
required.\44\
---------------------------------------------------------------------------

    \42\ 42 U.S.C. 1320d-2 note.
    \43\ Id.
    \44\ Id.
---------------------------------------------------------------------------

    Additionally, Congress provided a clear statement that HIPAA's 
provisions would ``supersede any contrary
provision of State law,'' with certain limited exceptions.\45\ One 
exception to this general preemption authority is for ``state privacy 
laws that are contrary to and more stringent than the corresponding 
federal standard, requirement, or implementation specification.'' \46\ 
Thus, Congress intended for the Department to create privacy standards 
to safeguard health information while respecting the ability of states 
to provide individuals with additional health information privacy.
---------------------------------------------------------------------------

    \45\ 42 U.S.C. 1320d-7.
    \46\ 65 FR 82580 (the exception applies under section 
1178(a)(2)(B) of the SSA and section 264(c)(2) of HIPAA).
---------------------------------------------------------------------------

    Congress required the Secretary to consult with the NCVHS,\47\ 
thereby ensuring that the Secretary's decisions reflected public and 
expert involvement and advice in carrying out the requirements of 
section 264.\48\ NCVHS sent its initial recommendations to the 
Secretary in a letter on June 27, 1997. Importantly, 
NCVHS advised that ``strong substantive and procedural protections'' 
should be imposed if health information were to be disclosed to law 
enforcement, and, where identifiable health information would be made 
available for non-health purposes, individuals should be afforded 
assurances that their data would not be used against them.\49\ 
Additionally, NCVHS ``unanimously'' recommended that ``[. . .] the 
Secretary and the Administration assign the highest priority to the 
development of a strong position on health privacy that provides the 
highest possible level of protection for the privacy rights of 
patients.'' \50\ NCVHS further noted that failure to do so would 
``undermine public confidence in the health care system, expose 
patients to continuing invasions of privacy, subject record keepers to 
potentially significant legal liability, and interfere with the ability 
of health care providers and others to operate the health care delivery 
and payment system in an effective and efficient manner,'' which would 
undermine what Congress intended.\51\
---------------------------------------------------------------------------

    \47\ NCVHS serves as the Secretary's statutory public advisory 
body for health data, statistics, privacy, and national health 
information policy and HIPAA. NCVHS also advises the Secretary, 
``reports regularly to Congress on HIPAA implementation, and serves 
as a forum for interaction between HHS and interested private sector 
groups on a range of health data issues.'' Nat'l Comm. On Vital and 
Health Statistics, ``About NCVHS,'' <a href="https://ncvhs.hhs.gov/">https://ncvhs.hhs.gov/</a>; see also 
``NCVHS 60th Anniversary Symposium and History,'' U.S. Dep't of 
Health and Human Servs., at 28-29 (Feb. 2011), <a href="https://ncvhs.hhs.gov/wp-content/uploads/2014/05/60_years_of_difference.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2014/05/60_years_of_difference.pdf</a>.
    \48\ See section 264(a) and (d) of Public Law 104-191 (codified 
at 42 U.S.C. 1320d-2 note).
    \49\ Letter from NCVHS Chair Don E. Detmer to HHS Sec'y Donna E. 
Shalala (June 27, 1997) (forwarding NCVHS recommendations), <a href="https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/">https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/</a>.
    \50\ Id. at Principal Findings and Recommendations.
    \51\ Id.
---------------------------------------------------------------------------

    NCVHS further recommended that ``any rules regulating disclosures 
of identifiable health information be as clear and as narrow as 
possible. Each group of users must be required to justify their need 
for health information and must accept reasonable substantive and 
procedural limitations on access.'' \52\ According to NCVHS, this would 
allow for the disclosures that society deemed necessary and appropriate 
while providing individuals with clear expectations regarding their 
health information privacy.
---------------------------------------------------------------------------

    \52\ Id. at Third-Party Disclosures.
---------------------------------------------------------------------------

    As we noted in the 2023 Privacy Rule NPRM,\53\ Congress 
contemplated that the Department's rulemaking authorities under HIPAA 
would not be static. Congress specifically built in a mechanism to 
adapt such regulations as technology and health care evolve, directing 
that the Secretary review and modify the Administrative Simplification 
standards as determined appropriate, but not more frequently than once 
every 12 months.\54\ That statutory directive complements the 
Secretary's general rulemaking authority to ``make and publish such 
rules and regulations, not inconsistent with this chapter, as may be 
necessary to the efficient administration of the functions with which 
each is charged under this chapter.'' \55\
---------------------------------------------------------------------------

    \53\ 88 FR 23506, 23513 (Apr. 17, 2023).
    \54\ See section 1174(b)(1) of Public Law 104-191 (codified at 
42 U.S.C. 1320d-3).
    \55\ Section 1102 of the SSA (codified at 42 U.S.C. 1302).
---------------------------------------------------------------------------

2. Health Information Technology for Economic and Clinical Health 
(HITECH) Act
    On February 17, 2009, Congress enacted the Health Information 
Technology for Economic and Clinical Health Act of 2009 (HITECH Act) 
\56\ to promote the widespread adoption and standardization of health 
information technology (health IT). The HITECH Act included additional 
HIPAA privacy and security requirements for covered entities and 
business associates and expanded certain rights of individuals with 
respect to their PHI.
---------------------------------------------------------------------------

    \56\ Title XIII of Division A and Title IV of Division B of the 
American Recovery and Reinvestment Act of 2009, Public Law 111-5, 
123 Stat. 115 (Feb. 17, 2009) (codified at 42 U.S.C. 201 note).
---------------------------------------------------------------------------

    Congress understood the importance of a relationship between a 
connected health IT landscape, ``a necessary and vital component of 
health care reform,'' \57\ and privacy and security standards when it 
enacted the HITECH Act. The Purpose statement of an accompanying House 
of Representatives report \58\ on the Energy and Commerce Recovery and 
Reinvestment Act \59\ recognizes that ``[i]n addition to costs, 
concerns about the security and privacy of health information have also 
been regarded as an obstacle to the adoption of [health IT].'' The 
Senate Report for S. 336 \60\ similarly acknowledges that 
``[i]nformation technology systems linked securely and with strong 
privacy protections can improve the quality and efficiency of health 
care while producing significant cost savings.'' \61\ As the Department 
explained in the 2013 regulation referred to as the ``Omnibus Rule'' 
\62\ and discussed in greater detail below, the HITECH Act's additional 
HIPAA privacy and security requirements \63\ supported Congress' goal 
of promoting widespread adoption and interoperability of health IT by 
``strengthen[ing] the privacy and security protections for health 
information established by HIPAA.'' \64\
---------------------------------------------------------------------------

    \57\ C. Stephen Redhead, Cong. Rsch. Serv., R40161, ``The Health 
Information Technology for Economic and Clinical Health (HITECH) 
Act,'' (2009), <a href="https://crsreports.congress.gov/product/pdf/R/R40161/9">https://crsreports.congress.gov/product/pdf/R/R40161/9</a> (``[Health IT], which generally refers to the use of computer 
applications in medical practice, is widely viewed as a necessary 
and vital component of health care reform.'').
    \58\ H.R. Rep. No. 111-7, at 74 (2009), accompanying H.R. 629, 
111th Cong.
    \59\ H.R. 629, Energy and Commerce Recovery and Reinvestment Act 
of 2009, introduced in the House on January 22, 2009, contained 
nearly identical provisions to subtitle D of the HITECH Act.
    \60\ Congress enacted the American Recovery and Reinvestment Act 
of 2009, which included the HITECH Act, on February 17, 2009. While 
it was the House version of the bill, H.R. 1, that was enacted, the 
Senate version, S. 336, contained nearly identical provisions to 
subtitle D of the HITECH Act.
    \61\ S. Rep. No. 111-3 accompanying S. 336, 111th Cong., at 59 
(2009).
    \62\ 78 FR 5566 (Jan. 25, 2013).
    \63\ Subtitle D of title XIII of the HITECH Act (codified at 42 
U.S.C. 17921, 42 U.S.C. 17931-17941, and 42 U.S.C. 17951-17953).
    \64\ 78 FR 5566, 5568 (Jan. 25, 2013).
---------------------------------------------------------------------------

    In passing the HITECH Act, Congress instructed the Department that 
any new health IT standards adopted under section 3004 of the Public 
Health Service Act (PHSA) must take into account the privacy and 
security requirements of the HIPAA Rules.\65\ Congress also affirmed 
that the existing HIPAA Rules were to remain in effect to the extent 
that they are consistent with the HITECH Act and directed the Secretary 
to revise the HIPAA Rules as necessary for consistency with the
HITECH Act.\66\ Congress confirmed that the new law was not intended to 
have any effect on authorities already granted under HIPAA to the 
Department, including section 264 of that statute and the regulations 
issued under that provision.\67\ Congress thus affirmed the Secretary's 
ongoing rulemaking authority to modify the Privacy Rule's standards and 
implementation specifications as often as every 12 months when 
appropriate, including to strengthen privacy and security protections 
for IIHI.
---------------------------------------------------------------------------

    \65\ Section 3009(a)(1)(B) of the PHSA, as added by section 
13101 of the HITECH Act (codified at 42 U.S.C. 300jj-19(a)(1)).
    \66\ Section 13421(b) of the HITECH Act (codified at 42 U.S.C. 
17951).
    \67\ Section 3009(a)(1)(A) of the PHSA, as added by section 
13101 of the HITECH Act (codified at 42 U.S.C. 300jj-19(a)(1)).
---------------------------------------------------------------------------

B. Regulatory History

    The Secretary has delegated the authority to administer the HIPAA 
Rules and to make decisions regarding their implementation, 
interpretation, and enforcement to the HHS Office for Civil Rights 
(OCR).\68\ Since the enactment of the HITECH Act, the Department has 
exercised its authority to modify the Privacy Rule several times--in 
2013, 2014, and 2016.\69\
---------------------------------------------------------------------------

    \68\ See U.S. Dep't of Health and Hum. Servs., Off. of the 
Sec'y, Off. for Civil Rights; Statement of Delegation of Authority, 
65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and Hum. Servs., 
Off. of the Sec'y, Off. for Civil Rights; Delegation of Authority, 
74 FR 38630 (Aug. 4, 2009); U.S. Dep't of Health and Hum. Servs., 
Off. of the Sec'y, Statement of Organization, Functions and 
Delegations of Authority, 81 FR 95622 (Dec. 28, 2016).
    \69\ See 78 FR 5566 (Jan. 25, 2013); 79 FR 7290 (Feb. 6, 2014); 
81 FR 382 (Jan. 6, 2016).
---------------------------------------------------------------------------

1. 2000 Privacy Rule
    As directed by HIPAA, the Department provided a series of 
recommendations to Congress for a potential new law that would address 
the confidentiality of IIHI.\70\ Congress did not act within its 
three-year self-imposed deadline. Accordingly, the Department published a 
proposed rule on November 3, 1999,\71\ and issued the first final rule 
establishing ``Standards for Privacy of Individually Identifiable 
Health Information'' (``2000 Privacy Rule'') on December 28, 2000.\72\
---------------------------------------------------------------------------

    \70\ See U.S. Dep't of Health and Hum. Servs., Off. of the 
Assistant Sec'y for Plan. and Evaluation, ``Recommendations of the 
Secretary of Health and Human Services, pursuant to section 264 of 
the Health Insurance Portability and Accountability Act of 1996,'' 
Section I.A. (Sept. 1997), <a href="https://aspe.hhs.gov/reports/confidentiality-individually-identifiable-health-information">https://aspe.hhs.gov/reports/confidentiality-individually-identifiable-health-information</a>.
    \71\ 64 FR 59918 (Nov. 3, 1999).
    \72\ 65 FR 82462 (Dec. 28, 2000).
---------------------------------------------------------------------------

    The primary goal of the Privacy Rule was to provide greater 
protection to individuals' privacy to engender a trusting relationship 
between individuals and health care providers. As announced, the final 
rule set standards to protect the privacy of IIHI to ``begin to address 
growing public concerns that advances in electronic technology and 
evolution in the health care industry are resulting, or may result, in 
a substantial erosion of the privacy surrounding'' health 
information.\73\ On the eve of that rule's issuance, the President 
issued an Executive Order recognizing the importance of protecting 
individual privacy, explaining that ``[p]rotecting the privacy of 
patients' protected health information promotes trust in the health 
care system. It improves the quality of health care by fostering an 
environment in which patients can feel more comfortable in providing 
health care professionals with accurate and detailed information about 
their personal health.'' \74\
---------------------------------------------------------------------------

    \73\ Id.
    \74\ See Executive Order 13181 (Dec. 20, 2000), 65 FR 81321.
---------------------------------------------------------------------------

    Since its promulgation, the Privacy Rule has protected PHI by 
limiting the circumstances under which covered entities and their 
business associates (collectively, ``regulated entities'') are 
permitted or required to use or disclose PHI and by requiring covered 
entities to have safeguards in place to protect the privacy of PHI. In 
adopting these regulations, the Department acknowledged the need to 
balance several competing factors, including existing legal 
expectations, individuals' privacy expectations, and societal 
expectations.\75\ The Department noted in the preamble that the large 
number of comments from individuals and groups representing individuals 
demonstrated the deep public concern about the need to protect the 
privacy of IIHI and constituted evidence of the importance of 
protecting privacy and the potential adverse consequences to 
individuals and their health if such protections are not extended.\76\ 
Through its policy choices in the 2000 Privacy Rule, the Department 
struck a balance between competing interests--the necessity of 
protecting privacy and the public interest in using identifiable health 
information for vital public and private purposes--in a way that was 
also workable for the varied stakeholders.\77\
---------------------------------------------------------------------------

    \75\ See 65 FR 82462, 82471 (Dec. 28, 2000).
    \76\ See id. at 82472.
    \77\ See id.
---------------------------------------------------------------------------

    In the 2000 Privacy Rule, the Department established ``general 
rules'' for uses and disclosures of PHI, codified at 45 CFR 
164.502.\78\ The 2000 Privacy Rule also specified the circumstances in 
which a covered entity was required to obtain an individual's 
consent,\79\ authorization,\80\ or the opportunity for the individual 
to agree or object.\81\ Additionally, it established rules for when a 
covered entity is permitted to use or disclose PHI without an 
individual's consent, authorization, or opportunity to agree or 
object.\82\ In particular, the Privacy Rule permits certain uses and 
disclosures of PHI, without the individual's authorization, for 
identified activities that benefit the community, such as public health 
activities, judicial and administrative proceedings, law enforcement 
purposes, and research.\83\
---------------------------------------------------------------------------

    \78\ 65 FR 82462 (Dec. 28, 2000).
    \79\ 45 CFR 164.506 was originally titled ``Consent for uses or 
disclosures to carry out treatment, payment, or health care 
operations.''
    \80\ 45 CFR 164.508.
    \81\ 45 CFR 164.510.
    \82\ 45 CFR 164.512.
    \83\ See 64 FR 59918, 59955 (Nov. 3, 1999).
---------------------------------------------------------------------------

    The Privacy Rule also established the rights of individuals with 
respect to their PHI, including the right to receive adequate notice of 
a covered entity's privacy practices, the right to request restrictions 
of uses and disclosures, the right to access (i.e., to inspect and 
obtain a copy of) their PHI, the right to request an amendment of their 
PHI, and the right to receive an accounting of disclosures.\84\
---------------------------------------------------------------------------

    \84\ See 45 CFR 164.520, 164.522, 164.524, 164.526, and 164.528.
---------------------------------------------------------------------------

    In the 2000 Privacy Rule, the Secretary exercised her statutory 
authority to adopt 45 CFR 160.104(a), which reserves the Secretary's 
ability to modify any standard or implementation specification adopted 
under the Administrative Simplification provisions.\85\ The Secretary 
first invoked this modification authority to amend the Privacy Rule in 
2002 \86\ and made additional modifications in 2013 \87\ and 2016,\88\ 
as described below.
---------------------------------------------------------------------------

    \85\ See 65 FR 82462, 82800 (Dec. 28, 2000).
    \86\ See 67 FR 53182 (Aug. 14, 2002).
    \87\ 78 FR 5566 (Jan. 25, 2013).
    \88\ 81 FR 382 (Jan. 6, 2016).
---------------------------------------------------------------------------

2. 2002 Privacy Rule
    After publication of the 2000 Privacy Rule, the Department received 
many inquiries and unsolicited comments about the Privacy Rule's 
effects and operation. As a result, the Department opened the 2000 
Privacy Rule for further comment in February 2001, less than one month 
before the effective date and 25 months before the compliance date for 
most covered entities, and issued clarifying guidance on its 
implementation.\89\ NCVHS' Subcommittee on Privacy, Confidentiality and 
Security held public
hearings about the 2000 Privacy Rule. From those hearings, the 
Department obtained additional information about concerns related to 
key provisions and their potential unintended consequences for health 
care quality and access.\90\ On March 27, 2002, the Department proposed 
modifications to the 2000 Privacy Rule to clarify the requirements and 
correct potential problems that could threaten access to, or quality 
of, health care.\91\
---------------------------------------------------------------------------

    \89\ 66 FR 12738 (Feb. 28, 2001).
    \90\ 67 FR 53182, 53183 (Aug. 14, 2002).
    \91\ 67 FR 14775 (Mar. 27, 2002).
---------------------------------------------------------------------------

    In response to comments on the proposed rule, the Department 
finalized modifications to the Privacy Rule on August 14, 2002 (``2002 
Privacy Rule'').\92\ This final rule clarified HIPAA's requirements 
while maintaining strong protections for the privacy of IIHI.\93\ These 
modifications addressed certain workability issues, including but not 
limited to clarifying distinctions between health care operations and 
marketing; modifying the minimum necessary standard to exclude 
disclosures authorized by individuals and clarify its operation; 
eliminating the consent requirement for uses and disclosures of PHI for 
treatment, payment, or health care operations (TPO), and to otherwise 
clarify the role of consent in the Privacy Rule; and making other 
modifications and conforming amendments consistent with the proposed 
rule. The Department also included modifications to the provisions 
permitting the use or disclosure of PHI for public health activities 
and for research activities without consent, authorization, or an 
opportunity to agree or object.
---------------------------------------------------------------------------

    \92\ 67 FR 53182 (Aug. 14, 2002). See the final rule for changes 
in their entirety. The 2002 Privacy Rule was issued before the 
compliance date for the 2000 Privacy Rule. Thus, covered entities 
never implemented the 2000 Privacy Rule. Instead, they implemented 
the 2000 Privacy Rule as modified by the 2002 Privacy Rule.
    \93\ See 67 FR 53182 (Aug. 14, 2002).
---------------------------------------------------------------------------

3. 2013 Omnibus Rule
    Following the enactment of the HITECH Act, the Department issued an 
NPRM, entitled ``Modifications to the HIPAA Privacy, Security, and 
Enforcement Rules Under the Health Information Technology for Economic 
and Clinical Health [HITECH] Act'' (``2010 NPRM''),\94\ which proposed 
to implement certain HITECH Act requirements. In 2013, the Department 
issued the final rule, Modifications to the HIPAA Privacy, Security, 
Enforcement, and Breach Notification Rules Under the Health Information 
Technology for Economic and Clinical Health [HITECH] Act and the 
Genetic Information Nondiscrimination Act, and Other Modifications to 
the HIPAA Rules (``2013 Omnibus Rule''),\95\ which implemented many of 
the new HITECH Act requirements, including strengthening individuals' 
privacy rights related to their PHI.
---------------------------------------------------------------------------

    \94\ 75 FR 40868 (July 14, 2010).
    \95\ 78 FR 5566 (Jan. 25, 2013). In addition to finalizing 
requirements of the HITECH Act that were proposed in the 2010 NPRM, 
the Department adopted modifications to the Enforcement Rule not 
previously adopted in an earlier interim final rule, 74 FR 56123 
(Oct. 30, 2009), and to the Breach Notification Rule not previously 
adopted in an interim final rule, 74 FR 42739 (Aug. 24, 2009). The 
Department also finalized previously proposed Privacy Rule 
modifications as required by GINA, 74 FR 51698 (Oct. 7, 2009).
---------------------------------------------------------------------------

    The Department also finalized regulatory provisions that were not 
required by the HITECH Act, but were necessary to address the 
workability and effectiveness of the Privacy Rule and to increase 
flexibility for and decrease burden on regulated entities.\96\ In the 
2010 NPRM, the Department noted that it had not amended the Privacy 
Rule since 2002.\97\ It further explained that information gleaned from 
contact with the public since that time, enforcement experience, and 
technical corrections needed to eliminate ambiguity provided the 
impetus for the Department's actions to make certain regulatory 
changes.\98\
---------------------------------------------------------------------------

    \96\ See 78 FR 5566 (Jan. 25, 2013) (explaining that the 
Department was using its general authority under HIPAA to make a 
number of changes to the Privacy Rule that were intended to increase 
workability and flexibility, decrease burden, and better harmonize 
the requirements with those under other Departmental regulations). 
The Department's general authority to modify the Privacy Rule is 
codified in HIPAA section 264(c), and OCR conducts rulemaking under 
HIPAA based on authority granted by the Secretary.
    \97\ See 75 FR 40868, 40871 (July 14, 2010).
    \98\ 75 FR 40868, 40871 (July 14, 2010).
---------------------------------------------------------------------------

    For example, the Department modified its prior interpretation of 
the Privacy Rule requirement at 45 CFR 164.508(c)(1)(iv) that a 
description of a research purpose must be study specific.\99\ The 
Department explained that, under its new interpretation, the research 
purposes need only be described adequately such that it would be 
reasonable for an individual to expect that their PHI could be used or 
disclosed for such future research.\100\ In the 2013 Omnibus Rule, the 
Department explained that this change was based on the concerns 
expressed by covered entities, researchers, and other commenters on the 
2010 NPRM that the former requirement did not represent current 
research practices. The Department provided a similar explanation for 
its modifications to the Privacy Rule that permit certain disclosures 
of student immunization records to schools without an 
authorization.\101\ Additionally, based on a recommendation made at an 
NCVHS meeting, the Department requested comment on and finalized 
proposed revisions to the definition of PHI to exclude information 
regarding an individual who has been deceased for more than 50 
years.\102\ For the latter, the Department noted that it was balancing 
the privacy interests of decedents' living relatives and other affected 
individuals against the legitimate needs of public archivists to obtain 
records.\103\
---------------------------------------------------------------------------

    \99\ See 78 FR 5566, 5611 (Jan. 25, 2013).
    \100\ See id. at 5612.
    \101\ Id. at 5616-17. See also 45 CFR 164.512(b)(1).
    \102\ 78 FR 5566, 5614 (Jan. 25, 2013). See also 45 CFR 
164.502(f) and the definition of ``Protected health information'' at 
45 CFR 160.103, excluding IIHI regarding a person who has been 
deceased for more than 50 years.
    \103\ In addition to the rulemakings discussed here, the 
Department has modified the Privacy Rule for workability purposes 
and in response to changes in circumstances on two other occasions, 
and it issued another notice of proposed rulemaking in 2021 for the 
same reasons. See 79 FR 7289 (Feb. 6, 2014), 81 FR 382 (Jan. 6, 
2016), and 86 FR 6446 (Jan. 21, 2021).
---------------------------------------------------------------------------

    None of the changes described in the paragraph above were required 
by the HITECH Act. Rather, the Department determined that it was 
necessary to promulgate these changes pursuant to its existing general 
rulemaking authority under HIPAA. NCVHS and the public also recommended 
other changes between the publication of the 2002 Privacy Rule and the 
2013 Omnibus Rule, including the creation of specific categories of 
PHI, such as ``Sexuality and Reproductive Health Information'' that 
would allow for special protections of such PHI.\104\ The Department 
declined to propose specific protections for certain categories of PHI 
at that time because of concerns about the ability of regulated 
entities to segment PHI and the effects on care coordination. Many of 
those concerns are still present, and so the Department did not propose 
and determined not to establish a specific category of particularly 
sensitive PHI in this rulemaking. Instead, as discussed more fully 
below, the Department is finalizing a purpose-based prohibition against 
certain uses and disclosures.
---------------------------------------------------------------------------

    \104\ See Letter from NCVHS Chair Simon P. Cohn to HHS Sec'y 
Michael O. Leavitt (June 22, 2006), <a href="https://ncvhs.hhs.gov/rrp/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/">https://ncvhs.hhs.gov/rrp/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/</a>; 
Letter from NCVHS Chair Simon P. Cohn to HHS Sec'y Michael O. 
Leavitt (Feb. 20, 2008) (listing categories of health information 
that are commonly considered to contain sensitive information), 
<a href="https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf</a>; 
Letter from NCVHS Chair Justine M. Carr to HHS Sec'y Kathleen 
Sebelius (Nov. 10, 2010) (forwarding NCVHS recommendations), <a href="https://ncvhs.hhs.gov/wp-content/uploads/2014/05/101110lt.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2014/05/101110lt.pdf</a>.

---------------------------------------------------------------------------

[[Page 32984]]

4. 2024 Privacy Rule
    On April 17, 2023, the Department issued an NPRM \105\ to modify 
the Privacy Rule for the purpose of prohibiting uses and disclosures of 
PHI for criminal, civil, or administrative investigations or 
proceedings against persons for seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which it is provided. To properly execute the HIPAA 
statutory mandate, and in accordance with the regulatory authority 
granted to it by Congress, the Department continually monitors and 
evaluates the evolving environment for health information privacy 
nationally, including the interaction of the Privacy Rule and state 
statutes and regulations governing the privacy of health information. 
In keeping with the Department's practice, this final rule accommodates 
state autonomy to the extent consistent with the need to maintain rules 
for health information privacy that serve HIPAA's objectives. The 
regulation thus preempts state law only to the extent necessary to 
achieve Congress' directive to establish a standard for the privacy of 
IIHI for the purpose of improving the effectiveness of the health care 
system. As discussed below, achieving that objective requires 
individuals to trust that their health care providers will maintain 
privacy of PHI about lawful reproductive health care. In addition, 
NCVHS held a virtual public meeting that included a discussion about 
the proposed rule on June 14, 2023,\106\ and provided recommendations 
to the Department based on this discussion, briefings at their July 
2022 \107\ and December 2022 \108\ meetings, and the expertise of its 
members.\109\ The resultant public record and subsequent 
recommendations submitted to the Department by NCVHS, along with other 
public comments on the 2023 Privacy Rule NPRM, informed the development 
of these modifications.
---------------------------------------------------------------------------

    \105\ 88 FR 23506.
    \106\ See Meeting of NCVHS (June 14, 2023), <a href="https://ncvhs.hhs.gov/meetings/full-committee-meeting-13/">https://ncvhs.hhs.gov/meetings/full-committee-meeting-13/</a>.
    \107\ See Meeting of NCVHS, Briefing on Legislative Developments 
in Data Privacy (July 21, 2022), <a href="https://ncvhs.hhs.gov/meetings/full-committee-meeting-11/">https://ncvhs.hhs.gov/meetings/full-committee-meeting-11/</a>.
    \108\ See Meeting of NCVHS, Briefing by Cason Schmit (Dec. 7, 
2022), <a href="https://ncvhs.hhs.gov/meetings/full-committee-meeting-12/">https://ncvhs.hhs.gov/meetings/full-committee-meeting-12/</a>.
    \109\ Letter from NCVHS Chair Jacki Monson to HHS Sec'y Xavier 
Becerra (June 14, 2023) (forwarding NCVHS recommendations), <a href="https://ncvhs.hhs.gov/wp-content/uploads/2023/06/NCVHS-Comments-on-HIPAA-Reproduction-Health-NPRM-Final-508.pdf">https://ncvhs.hhs.gov/wp-content/uploads/2023/06/NCVHS-Comments-on-HIPAA-Reproduction-Health-NPRM-Final-508.pdf</a>.
---------------------------------------------------------------------------

III. Justification for This Rulemaking

A. HIPAA Encourages Trust and Confidence by Carefully Balancing 
Individuals' Privacy Interests With Others' Interests in Using or 
Disclosing PHI

1. Privacy Protections Ensure That Individuals Have Access to, and Are 
Comfortable Accessing, High-Quality Health Care
    The goal of a functioning health care system is to provide high-
quality health care that results in the best possible outcomes for 
individuals. To achieve that goal, a functioning health care system 
depends in part on individuals trusting health care providers. Thus, 
trust between individuals and health care providers is essential to an 
individual's health and well-being.\110\ Protecting the privacy of an 
individual's health information is ``a crucial element for honest 
health discussions.'' \111\ The original Hippocratic Oath required 
physicians to pledge to maintain the confidentiality of health 
information they learn about individuals.\112\ Without confidence that 
private information will remain private, individuals--to their own 
detriment--are reluctant to share information with health care 
providers.
---------------------------------------------------------------------------

    \110\ See Jennifer Richmond et al., ``Development and Validation 
of the Trust in My Doctor, Trust in Doctors in General, and Trust in 
the Health Care Team Scales,'' 298 Social Science & Medicine 114827 
(2022), <a href="https://www.sciencedirect.com/science/article/abs/pii/S0277953622001332?via%3Dihub">https://www.sciencedirect.com/science/article/abs/pii/S0277953622001332?via%3Dihub</a>; see also Fallon E. Chipidza et al., 
``Impact of the Doctor-Patient Relationship,'' The Primary Care 
Companion for CNS Disorders (Oct. 2015), <a href="https://www.psychiatrist.com/pcc/delivery/patient-physician-communication/impact-doctor-patient-relationship/">https://www.psychiatrist.com/pcc/delivery/patient-physician-communication/impact-doctor-patient-relationship/</a>. See Testimony (transcribed) of 
William G. Plested, III, M.D., Member, Board of Trustees, American 
Medical Association, Hearing on Confidentiality of Patient Medical 
Records before House of Representatives Committee on Ways and Means, 
Subcommittee on Health (Feb. 17, 2000), <a href="https://www.govinfo.gov/content/pkg/CHRG-106hhrg66897/html/CHRG-106hhrg66897.htm">https://www.govinfo.gov/content/pkg/CHRG-106hhrg66897/html/CHRG-106hhrg66897.htm</a>. (``Trust 
is the foundation of the patient/physician relationship.'')
    \111\ See Am. Med. Ass'n, ``Patient Perspectives Around Data 
Privacy,'' (2022), <a href="https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf">https://www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf</a>.
    \112\ See John C. Moskop et al., ``From Hippocrates to HIPAA: 
Privacy and Confidentiality in Emergency Medicine--Part I: 
Conceptual, Moral, and Legal Foundations,'' 45 Ann Emerg. Med. 1 
(Jan. 2005) (quoting the Oath of Hippocrates, ``What I may see or 
hear in the course of the treatment or even outside of the treatment 
in regard to the life of men, which on no account one must spread 
abroad, I will keep to myself [. . .].''), <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7132445/#bib1">https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7132445/#bib1</a>.
---------------------------------------------------------------------------

    When proposing the 2000 Privacy Rule, the Department recognized 
that individuals may be deterred from seeking needed health care if 
they do not trust that their sensitive information will be kept 
private.\113\ The Department described its policy choices as stemming 
from a motivation to develop and maintain a relationship of trust 
between individuals and health care providers. The Department explained 
that a fundamental assumption of the 2000 Privacy Rule was that the 
greatest benefits of improved privacy protection would be realized in 
the future as individuals gain increasing trust in their health care 
provider's ability to maintain the confidentiality of their health 
information.\114\ As a result, the Privacy Rule strengthened 
protections for health information privacy, including the right of 
individuals to determine who has access to their health information.
---------------------------------------------------------------------------

    \113\ See 64 FR 59918, 60006 (Nov. 3, 1999) (In the 1999 Privacy 
Rule NPRM, the Department discussed confidentiality as an important 
component of trust between individuals and health care providers and 
cited a 1994 consumer privacy survey that indicated that a lack of 
privacy may deter patients from obtaining preventive care and 
treatment.). See id. at 60019.
    \114\ See 64 FR 59918, 60006 (Nov. 3, 1999).
---------------------------------------------------------------------------

    Despite the Privacy Rule's rights and protections, individuals do 
not have confidence that their IIHI is being protected adequately. In a 
2022 survey on patient privacy, the American Medical Association (AMA) 
found that, of 1,000 patients surveyed: (1) nearly 75% were concerned 
about protecting the privacy of their own health information; and (2) 
59% of patients worried about health data being used by companies to 
discriminate against them or their loved ones.\115\ According to the 
AMA, a lack of health information privacy raises many questions about 
circumstances that could put individuals and health care providers in 
legal peril, and the ``primary purpose of increasing [health 
information] privacy is to build public trust, not inhibit data 
exchange.'' \116\
---------------------------------------------------------------------------

    \115\ See ``Patient Perspectives Around Data Privacy,'' supra 
note 111.
    \116\ Id. at 2.
---------------------------------------------------------------------------

    The Federal Government also has a strong interest in ensuring that 
individuals have access to high-quality health care.\117\ This is true 
at both an

[[Page 32985]]

individual and population level. In the 2000 Privacy Rule, the 
Department noted that high-quality health care depends on an individual 
being able to share sensitive information with their health care 
provider based on the trust that the information shared will be 
protected and kept confidential.\118\ An effective health care system 
requires an individual to share sensitive health information with their 
health care providers. They do so with the reasonable expectation that 
this information is going to be used to treat them. The prospect of the 
disclosure of highly sensitive PHI by regulated entities can result in 
medical mistrust and the deterioration of the confidential, safe 
environment that is necessary to provide high-quality health care, 
operate a functional health care system, and improve the public's 
health generally.\119\ High-quality health care cannot be attained 
without patient candor. Health care providers rely on an individual's 
health information to diagnose them and provide them with appropriate 
treatment options and may not be able to reach an accurate diagnosis or 
recommend the best course of action for the individual if the 
individual's medical records lack complete information about their 
health history. However, an individual may be unwilling to seek 
treatment or share highly sensitive PHI when they are concerned about 
the confidentiality and security of PHI provided to treating health 
care providers.\120\ The Department has long recognized that health 
care professionals who lose the trust of their patients cannot deliver 
high-quality care.\121\ Similarly, if a health care provider does not 
trust that the PHI they include in an individual's medical records will 
be kept private, the health care provider may leave gaps or include 
inaccuracies when preparing medical records, creating a risk that 
ongoing or future health care would be compromised. In contrast, 
heightened confidentiality and privacy protections enable a health care 
provider to feel confident maintaining full and complete medical 
records.
---------------------------------------------------------------------------

    \117\ See Testimony (transcribed) of Peter R. Orszag, Director, 
Congressional Budget Office, Hearing on Comparative Clinical 
Effectiveness before House of Representatives Committee on Ways and 
Means, Subcommittee on Health, 2007 WL 1686358 (June 12, 2007) 
(``because federal health insurance programs play a large role in 
financing medical care and represent a significant expenditure, the 
federal government itself has an interest in evaluations of the 
effectiveness of different health care approaches''); Statement of 
Sen. Durenberger introducing S.1836, American Health Quality Act of 
1991 and reading bill text, 137 Cong. Rec. S26720 (Oct. 17, 1991) 
(``[T]he Federal Government has a demonstrated interest in assessing 
the quality of care, access to care, and the costs of care through 
the evaluative activities of several Federal agencies.'').
    \118\ See 65 FR 82462, 82463 (Dec. 28, 2000).
    \119\ See, e.g., Brooke Rockwern et al., Medical Informatics 
Committee and Ethics, Professionalism and Human Rights Committee of 
the American College of Physicians, ``Health Information Privacy, 
Protection, and Use in the Expanding Digital Health Ecosystem: A 
Position Paper of the American College of Physicians,'' 174 Ann 
Intern Med. 994 (Jul. 2021) (discussing the need for trust in the 
health care system as necessary to mitigate a global pandemic); 
Johanna Birkhäuer et al., ``Trust in the Health Care 
Professional and Health Outcome: A Meta-Analysis,'' 12 PLoS One 
e0170988 (Feb. 7, 2017). See also Eric Boodman, ``In a doctor's 
suspicion after a miscarriage, a glimpse of expanding medical 
mistrust,'' STAT News (June 29, 2022), <a href="https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/">https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/</a> (Sarah Prager, professor of obstetrics and 
gynecology at the University of Washington, stating that it is a bad 
precedent if clinical spaces become unsafe for patients because, 
``[a health care provider's] ability to take care of patients relies 
on trust, and that will be impossible moving forward.'').
    \120\ See ``Development and Validation of the Trust in My 
Doctor, Trust in Doctors in General, and Trust in the Health Care 
Team Scales,'' supra note 110; Bradley E. Iott et al., ``Trust and 
Privacy: How Patient Trust in Providers is Related to Privacy 
Behaviors and Attitudes,'' 2019 AMIA Annu Symp Proc 487 (Mar. 2020), 
<a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/">https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153104/</a>; Pamela Sankar 
et al., ``Patient Perspectives of Medical Confidentiality: a Review 
of the Literature,'' 18 J. of Gen. Internal Med. 659 (Aug. 2003), 
<a href="https://pubmed.ncbi.nlm.nih.gov/12911650/">https://pubmed.ncbi.nlm.nih.gov/12911650/</a>.
    \121\ See 65 FR 82462, 82468 (Dec. 28, 2000).
---------------------------------------------------------------------------

    Incomplete medical records and health care avoidance not only 
inhibit the quality of health care an individual receives; they are 
also detrimental to efforts to improve public health. The objective of 
public health is to prevent disease in and improve the health of 
populations. Barriers that undermine the willingness of individuals to 
seek health care in a timely manner or to provide complete and accurate 
health information to their health care providers undermine the overall 
objective of public health. For example, individuals who are not candid 
with their health care providers because of concerns about potential 
negative consequences of a loss of privacy may withhold information 
about a variety of health matters that have public health implications, 
such as communicable diseases or vaccinations.\122\ Experience also 
shows that medical mistrust--especially in communities of color and 
other communities that have been marginalized or negatively affected by 
historical and current health care disparities--can create damaging and 
chilling effects on individuals' willingness to seek appropriate and 
lawful health care for medical conditions that can worsen without 
treatment.\123\
---------------------------------------------------------------------------

    \122\ See Letter from NCVHS Chair Simon P. Cohn, supra note 104, 
at 2 (2006) (with forwarded NCVHS recommendations, ``Individual 
trust in the privacy and confidentiality of their personal health 
information also promotes public health, because individuals with 
potentially contagious or communicable diseases are not inhibited 
from seeking treatment.'').
    \123\ See Texas Dep't of State Health Servs., ``Texas Maternal 
Mortality and Morbidity Review Committee and Department of State 
Health Services Joint Biennial Report 2022,'' at 41 (Dec. 2022) 
<a href="https://www.dshs.texas.gov/sites/default/files/legislative/2022-Reports/2022-MMMRC-DSHS-Joint-Biennial-Report.pdf">https://www.dshs.texas.gov/sites/default/files/legislative/2022-Reports/2022-MMMRC-DSHS-Joint-Biennial-Report.pdf</a>; Lynn M. Paltrow 
et al., ``Arrests of and forced interventions on pregnant women in 
the United States, 1973-2005: implications for women's legal status 
and public health,'' 38 J. Health Pol. Pol'y Law 299 (2013) (finding 
that hospital staff are most likely to report pregnant low-income 
patients and patients of color, especially Black women, to the authorities); 
Terri-ann Monique Thompson et al., ``Racism Runs Through It: 
Examining the Sexual and Reproductive Health Experience of Black 
Women in the South,'' 41 Health Affairs 195 (Feb. 2022) (discussing 
how individual racism affects reproductive health care use by 
undermining the patient-doctor relationship), <a href="https://www.healthaffairs.org/doi/10.1377/hlthaff.2021.01422">https://www.healthaffairs.org/doi/10.1377/hlthaff.2021.01422</a>; Joli Hunt, 
``Maternal Mortality among Black Women in the United States,'' 
Ballard Brief (July 2021), <a href="https://ballardbrief.byu.edu/issue-briefs/maternal-mortality-among-black-women-in-the-united-states/">https://ballardbrief.byu.edu/issue-briefs/maternal-mortality-among-black-women-in-the-united-states/</a> 
(discussing the disproportionately high rate of Black maternal 
mortality and morbidity); Austin Frakt, ``Bad Medicine: The Harm 
that Comes from Racism,'' The New York Times (July 8, 2020), <a href="https://www.nytimes.com/2020/01/13/upshot/bad-medicine-the-harm-that-comes-from-racism.html">https://www.nytimes.com/2020/01/13/upshot/bad-medicine-the-harm-that-comes-from-racism.html</a>.
---------------------------------------------------------------------------

2. The Department's Approach to the Privacy Rule Has Long Sought To 
Balance the Interests of Individuals and Society
    While recognizing the importance of preserving individuals' trust, 
the Department has consistently taken the approach of balancing the 
interests of the individual in the privacy of their PHI with society's 
interests, including in the free flow of information that enables the 
provision of effective and efficient health care services. Such an 
approach derives from Congress's direction, in 1996, to improve the 
efficiency and effectiveness of the health care system by encouraging 
the development of a health information system while taking into 
account the privacy of IIHI and the uses and disclosures of such 
information that should be authorized or required.\124\ In past 
rulemakings, the Department has made revisions to the Privacy Rule to 
balance an individual's privacy expectations with a covered entity's 
need for information for reimbursement and quality purposes.\125\ As 
the Department previously explained, ``Patient privacy must be balanced 
against other public goods, such as research and the risk of 
compromising such research projects if researchers could not continue 
to use such data.'' \126\ The 2000 Privacy Rule included permissions 
for regulated entities to disclose PHI under certain conditions, 
including for judicial and administrative proceedings and law 
enforcement purposes, because an individual's right to privacy in 
information about themselves is not absolute. For example, it does not 
prevent reporting of public health information on communicable 
diseases, nor does it prevent law enforcement

[[Page 32986]]

from obtaining information when due process has been observed.\127\
---------------------------------------------------------------------------

    \124\ 42 U.S.C. 1320d note and 1320d-2 note.
    \125\ See 67 FR 53182, 53216 (Aug. 14, 2002).
    \126\ Id. at 53226.
    \127\ 65 FR 82462, 82464 (Dec. 28, 2000).
---------------------------------------------------------------------------

    In more recent rulemakings revising the Privacy Rule, the 
Department has continued its efforts to build and maintain individuals' 
trust in the health care system while balancing the interests of 
individuals with those of others. For example, in explaining revisions 
made as part of the 2013 Omnibus Rule, the Department recognized that 
covered entities must balance protecting the privacy of health 
information with sharing health information with those responsible for 
ensuring public health and safety.\128\ The Privacy Rule was also 
revised in 2016 (``2016 Privacy Rule'') in accordance with an 
administration-wide effort to curb gun violence across the nation.\129\ 
The 2016 Privacy Rule was tailored to authorize the disclosure of a 
limited set of PHI \130\ for a narrow, specific purpose, that is, to 
permit only regulated entities that are state agencies or other 
entities designated by a state to collect and report information to the 
National Instant Criminal Background Check System (NICS) or a lawful 
authority making an adjudication or commitment as described by 18 
U.S.C. 922(g)(4) to disclose to NICS the identities of individuals who 
are subject to a Federal ``mental health prohibitor,'' that 
disqualifies them from shipping, transporting, possessing, or receiving 
a firearm. As explained in the 2016 Privacy Rule, the Federal mental 
health prohibitor applies only to the extent that the individual is 
involuntarily committed or determined by a court or other lawful 
authority to be a danger to self or others, or is unable to manage 
their own affairs because of a mental illness or condition.\131\ 
Similar to this final rule, the 2016 Privacy Rule balanced public 
safety goals with individuals' privacy interests by clearly limiting 
permissible disclosures to those that are necessary to ensure that 
individuals are not discouraged from seeking lawful health care, in 
this case, voluntary treatment for mental health needs.\132\ In the 
2013 Omnibus Rule and 2016 Privacy Rule, the Department ensured that 
the disclosures were necessary for the public good and were not for the 
purpose of harming the individual. This approach is consistent with the 
NCVHS recommendations to the Secretary relating to health information 
privacy: ``The Committee strongly supports limiting use and disclosure 
of identifiable information to the minimum amount necessary to 
accomplish the purpose. The Committee also strongly believes that when 
identifiable health information is made available for non-health uses, 
patients deserve a strong assurance that the data will not be used to 
harm them.'' \133\
---------------------------------------------------------------------------

    \128\ See 78 FR 5566, 5616 (Jan. 25, 2013).
    \129\ 81 FR 382 (Jan. 6, 2016); see, e.g., 78 FR 4297 (Jan. 22, 
2013) and 78 FR 4295 (Jan. 22, 2013); see also Colleen Curtis, 
``President Obama Announces New Measures to Prevent Gun Violence,'' 
The White House President Barack Obama (Jan. 16, 2013), <a href="https://obamawhitehouse.archives.gov/blog/2013/01/16/president-obama-announces-new-measures-prevent-gun-violence">https://obamawhitehouse.archives.gov/blog/2013/01/16/president-obama-announces-new-measures-prevent-gun-violence</a>.
    \130\ This PHI includes limited demographic and certain other 
information needed for the purposes of reporting to NICS. 45 CFR 
164.512(k)(7)(iii)(A). In preamble, the Department explained that 
generally the information described at 45 CFR 164.512(k)(7)(iii)(A) 
would be limited to the data elements required to create a NICS 
record and certain other elements to the extent that they are 
necessary to exclude false matches: Social Security number, State of 
residence, height, weight, place of birth, eye color, hair color, 
and race. 81 FR 382, 390 (Jan. 6, 2016).
    \131\ 81 FR 382, 386-388 (Jan. 6, 2016).
    \132\ Id. The Department addressed concerns about the possible 
chilling effect on individuals seeking health care by explaining 
that (1) the permission is limited to only those covered entities 
that order the involuntary commitments or make the other 
adjudications that cause individuals to be subject to the Federal 
mental health prohibitor, or that serve as repositories of such 
information for NICS reporting purposes; (2) the specified regulated 
entities are permitted to disclose NICS data only to designated 
repositories or the NICS; (3) the information that may be disclosed 
is limited to certain demographic or other information that is 
necessary for NICS reporting; and (4) the rulemaking did not expand 
the permission to encompass State law prohibitor information.
    \133\ Letter from NCVHS Chair Don E. Detmer to HHS Sec'y Donna 
E. Shalala (June 27, 1997) (forwarding NCVHS recommendations), 
<a href="https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/">https://ncvhs.hhs.gov/rrp/june-27-1997-letter-to-the-secretary-with-recommendations-on-health-privacy-and-confidentiality/</a>.
---------------------------------------------------------------------------

    Consistent with Congress's directive to promulgate ``standards with 
respect to the privacy of [IIHI]'' that, among other things, address 
the ``uses and disclosures of such information that should be 
authorized or required,'' \134\ the Department recognizes a variety of 
interests with respect to health information. These include 
individuals' interests in the privacy of their health information, 
society's interests in ensuring the effectiveness of the health care 
system, and other interests of society in using IIHI for certain non-
health care purposes. As part of balancing these interests, the 
Department has also recognized that it may be necessary to afford 
additional protection to certain types of health information because 
those types of information are particularly sensitive and often involve 
highly personal health care decisions. For example, the Department 
affords special privacy protections to psychotherapy notes. These 
protections are afforded in part because of the particularly sensitive 
information those notes contain and in part because of the unique 
function of these records, which are by definition maintained 
separately from an individual's medical record.\135\ As we previously 
explained, the primary value of psychotherapy notes is to the specific 
provider, and the promise of strict confidentiality helps to ensure 
that the patient will feel comfortable freely and completely disclosing 
very personal information essential to successful treatment.\136\ The 
Department elaborated that even the possibility of disclosure may 
impede development of the confidential relationship necessary for 
successful treatment because of the sensitive nature of the problems 
for which individuals consult psychotherapists and the potential 
embarrassment that may be engendered by the disclosure of confidential 
communications made during counseling sessions.\137\ Therefore, to 
support the development and maintenance of an individual's trust and 
protect the relationship between an individual and their therapist, the 
Privacy Rule permits the disclosure of psychotherapy notes without an 
individual's authorization only in limited circumstances, such as to 
avert a serious and imminent threat to health or safety. Those limited 
circumstances do not include judicial and administrative proceedings or 
law enforcement purposes unless the disclosure is ``necessary to 
prevent or lessen a serious and imminent threat to the health or safety 
of a person or the public.'' \138\
---------------------------------------------------------------------------

    \134\ 42 U.S.C. 1320d-2 note.
    \135\ See 45 CFR 164.501 (definition of ``Psychotherapy 
notes'').
    \136\ See 64 FR 59918, 59941 (Nov. 3, 1999).
    \137\ See id.
    \138\ 45 CFR 164.508(a)(2).
---------------------------------------------------------------------------

    Information about an individual's reproductive health and 
associated health care is also especially sensitive and has long been 
recognized as such. As stated in the AMA's Principles of Medical 
Ethics, the ``decision to terminate a pregnancy should be made 
privately within the relationship of trust between patient and 
physician in keeping with the patient's unique values and needs and the 
physician's best professional judgment.'' \139\ NCVHS first noted 
reproductive health information as an example of a category of health 
information commonly considered to contain sensitive information in

[[Page 32987]]

2006.\140\ Between 2005 and 2010, NCVHS held nine hearings that 
addressed questions about sensitive information in medical records and 
identified additional categories of sensitive information beyond those 
addressed in Federal and state law, including ``sexuality and 
reproductive health information.'' In several letters to the Secretary 
during that period, NCVHS recommended that the Department identify and 
define categories of sensitive information, including ``reproductive 
health.'' \141\ In a 2010 letter to the Secretary, NCVHS elaborated 
that, after extensive testimony on sensitive categories of health 
information, ``reproductive health'' should be expanded to ``sexuality 
and reproductive health information,'' because:
---------------------------------------------------------------------------

    \139\ Council on Ethical and Judicial Affairs, ``Ethics, 
Amendment to Opinion 4.2.7, Abortion H-140.823,'' Am. Med. Ass'n 
(2022), <a href="https://policysearch.ama-assn.org/policyfinder/detail/%224.2.7%20Abortion%22?uri=%2FAMADoc%2FHOD.xml-H-140.823.xml">https://policysearch.ama-assn.org/policyfinder/detail/%224.2.7%20Abortion%22?uri=%2FAMADoc%2FHOD.xml-H-140.823.xml</a>.
    \140\ See Letter from NCVHS Chair Simon P. Cohn (2006), supra 
note 104.
    \141\ See Letter from NCVHS Chair Simon P. Cohn (2006), supra 
note 104; Letter from NCVHS Chair Simon P. Cohn (2008), supra note 
104; Letter from NCVHS Chair Justine M. Carr (2010), supra note 104.

    Information about sexuality and reproductive history is often 
very sensitive. Some reproductive issues may expose people to 
political controversy (such as protests from abortion proponents), 
and public knowledge of an individual's reproductive history may 
place [them] at risk of stigmatization. Additionally, individuals 
may wish to have their reproductive history segmented so that it is 
not viewed by family members who otherwise have access to their 
records. Parents may wish to delay telling their offspring about 
adoption, gamete donation, or the use of other forms of assisted 
reproduction technology in their conception, and, thus, it may be 
important to have the capacity to segment these records.\142\
---------------------------------------------------------------------------

    \142\ See Letter from NCVHS Chair Justine M. Carr (2010), supra 
note 104.

    The Department did not provide specific protections for certain 
categories of PHI upon receipt of the recommendation or as part of the 
2013 Omnibus Rule because of concerns about the ability of regulated 
entities to segment PHI and the effects on care coordination. While we 
recognized the sensitive nature of reproductive health information 
before this rulemaking, the Department believed that the Supreme 
Court's recognition of a constitutional right to abortion coupled with 
the privacy protections afforded by the HIPAA Rules provided the 
necessary trust to promote access to and quality of health care. As a 
result of the changed legal landscape for reproductive health care 
broadly, including abortion, the range of circumstances in which PHI 
about legal reproductive health care could be sought and used in 
investigations or to impose liability expanded significantly. Now that 
states have much broader power to criminalize and regulate reproductive 
choices--and that some states have already exercised that power in a 
variety of ways \143\--individuals legitimately have a far greater fear 
that especially sensitive information about lawful health care will not 
be kept private. This changed environment requires additional privacy 
protections to help restore the Privacy Rule's carefully-struck balance 
between individual and societal interests. Because the concerns 
regarding segmentation and the negative impact on care coordination 
remain, the Department did not propose and is not establishing a new 
category of particularly sensitive PHI in this final rule. Instead, as 
discussed more fully below, the Department is finalizing its proposed 
purpose-based prohibition against certain uses and disclosures.
---------------------------------------------------------------------------

    \143\ See LePage v. Center for Reproductive Medicine, SC-2022-
0515 (Feb. 16, 2024).
---------------------------------------------------------------------------

B. Developments in the Legal Environment Are Eroding Individuals' Trust 
in the Health Care System

    The Supreme Court's decision in Dobbs overturned Roe v. Wade \144\ 
and Planned Parenthood of Southeastern Pennsylvania v. Casey,\145\ 
thereby enabling states to significantly restrict access to 
abortion.\146\ Following the Supreme Court's decision, the legal 
landscape has shifted as laws significantly restricting access to 
abortion have in fact become effective in some jurisdictions. This 
change has also led to questions about both the current and future 
lawfulness of other types of reproductive health care, and therefore, 
the ability of individuals to access such health care.\147\ Thus, this 
shift may interfere with the longstanding expectations of individuals, 
established by HIPAA and the Privacy Rule, with respect to the privacy 
of their PHI.\148\ For example, while the Privacy Rule currently 
permits, but does not require, uses and disclosures of PHI for certain 
purposes,\149\ including when another law requires a regulated entity 
to make the use or disclosure,\150\ regulated entities after Dobbs may 
feel compelled by other applicable law to use or disclose PHI to law 
enforcement or other persons who may use that health information 
against an individual, a regulated entity, or another person who has 
sought, obtained, provided, or facilitated reproductive health care, 
even when such health care is lawful in the circumstances in which the 
health care is obtained.\151\
---------------------------------------------------------------------------

    \144\ 410 U.S. 113 (1973).
    \145\ 505 U.S. 833 (1992).
    \146\ Dobbs, 597 U.S. 299-302.
    \147\ See, e.g., Carmel Shachar et al., ``Informational Privacy 
After Dobbs,'' 75 Ala. L. Rev. 1 (2023), <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4570500">https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4570500</a> and Andrzej Kulczycki, ``Dobbs: 
Navigating the New Quagmire and Its Impacts on Abortion and 
Reproductive Health Care,'' Health Education & Behavior (2022), 
<a href="https://doi.org/10.1177/10901981221125430">https://doi.org/10.1177/10901981221125430</a>.
    \148\ See, e.g., Kayte Spector-Bagdady & Michelle M. Mello, 
``Protecting the Privacy of Reproductive Health Information After 
the Fall of Roe v. Wade,'' 3 JAMA Network e222656 (June 30, 2022), 
<a href="https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032">https://jamanetwork.com/journals/jama-health-forum/fullarticle/2794032</a>; Lisa G. Gill, ``What does the overturn of Roe v. Wade mean 
for you?,'' Consumer Reports (June 24, 2022), <a href="https://www.consumerreports.org/health-privacy/what-does-the-overturn-of-roe-v-wade-mean-for-you-a1957506408/">https://www.consumerreports.org/health-privacy/what-does-the-overturn-of-roe-v-wade-mean-for-you-a1957506408/</a>.
    \149\ 45 CFR 164.502(a)(1).
    \150\ 45 CFR 164.512(a).
    \151\ See Laura J. Faherty et al., ``Consensus Guidelines and 
State Policies: The Gap Between Principle and Practice at the 
Intersection of Substance Use and Pregnancy,'' American Journal of 
Obstetrics & Gynecology Maternal-Fetal Medicine (Aug. 2020) 
(discussing a concern raised by multiple organizations that pregnant 
women will hesitate to seek prenatal care and addiction treatment 
during pregnancy because of their concerns that disclosing substance 
use to health care providers will increase the likelihood that they 
will face legal penalties); see also ``Informational Privacy After 
Dobbs,'' supra note 147.
---------------------------------------------------------------------------

    As a consequence of these developments in Federal and state law, an 
individual's expectation of privacy of their health information 
(irrespective of whether an individual is or was pregnant) is 
threatened by the potential use or disclosure of PHI to identify 
persons who seek, obtain, provide, or facilitate lawful reproductive 
health care. Thus, these developments have created an environment in 
which individuals are more likely to fear that their PHI will be 
requested from regulated entities for use against individuals, health 
care providers, and others, merely because such persons sought, 
obtained, provided, or facilitated lawful reproductive health 
care.\152\ The potential increased demand for PHI for these purposes is 
not limited to states in which providing or obtaining certain 
reproductive health care is no longer legal. Rather, the changes in the 
legal landscape have nationwide implications, not only because of their 
effects on the relationship between health care providers and 
individuals, but also because of the potential effects on the flow of 
health information across state lines. For example, an individual who 
travels out-of-state to obtain reproductive health care that is lawful 
under the circumstances in which it is provided may now be reluctant to 
have that information disclosed to a health care provider in their home 
state if they

[[Page 32988]]

fear that it may then be used against them or a loved one in their home 
state. A health care provider may be unable to provide appropriate 
health care if they are unaware of the individual's recent health 
history, which could have significant negative health consequences. 
Individuals and health care providers may also be reluctant to disclose 
PHI to health plans with a multi-state presence because of concerns 
that one of those states will seek to obtain that PHI to investigate or 
impose liability on the individual or the health care provider, even if 
there is no nexus with that state other than the presence of the health 
plan in that state. Such reluctance may have significant ramifications 
for access to reproductive health care, given the cost associated with 
obtaining such health care, and health care generally.
---------------------------------------------------------------------------

    \152\ See, e.g., Yvonne Lindgren et al., ``Reclaiming Tort Law 
to Protect Reproductive Rights,'' 75 Alabama L. Rev. 355 (2023), 
<a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4435834">https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4435834</a>.
---------------------------------------------------------------------------

    Additionally, PHI is more likely to be transmitted across state 
lines as the electronic exchange of PHI increases because it is easier 
and more efficient to send information electronically. For instance, 
the Trusted Exchange Framework and Common Agreement (TEFCA) initiative 
established under the 21st Century Cures Act and the Centers for 
Medicare & Medicaid Services (CMS) Interoperability and Prior 
Authorization Final Rule will spur greater use and disclosure of PHI by 
regulated entities and to health apps and others.\153\ Different 
components of a health information exchange/health information network 
(HIE/HIN) may be located in different states, meaning that the PHI may 
be transmitted across state lines, and thus affected by laws severely 
restricting access to reproductive health care, even where both the 
health care and the recipient of the PHI are located in states where 
access to such health care is not substantially restricted.
---------------------------------------------------------------------------

    \153\ See section 3001(c) of the PHSA, as amended by section 
4003(b) of the 21st Century Cures Act, Public Law 114-255, 130 Stat. 
1165 (codified at 42 U.S.C. 300jj-11(c)). For more information, see 
Office of the Nat'l Coordinator for Health Info. Tech., ``Trusted 
Exchange Framework and Common Agreement (TEFCA),'' <a href="https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca">https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca</a>; see also 89 FR 8758 (Feb. 8, 
2024); ``CMS Interoperability and Prior Authorization Final Rule 
CMS-0057-F,'' Centers for Medicare & Medicaid (Jan. 17, 2024), 
<a href="https://www.cms.gov/newsroom/fact-sheets/cms-interoperability-and-prior-authorization-final-rule-cms-0057-f">https://www.cms.gov/newsroom/fact-sheets/cms-interoperability-and-prior-authorization-final-rule-cms-0057-f</a>.
---------------------------------------------------------------------------

    According to commenters, individuals are increasingly concerned 
about the confidentiality of discussions with their health care 
providers. As a result, some individuals are not confiding fully in 
their health care providers, increasing the risk that their medical 
records will not be complete and accurate, leading to decreases in 
health care quality and safety. This lack of openness is also likely to 
affect the information and treatment recommendations health care 
providers provide to individuals because health care providers will not 
be sufficiently informed to provide thorough and accurate information 
and guidance.\154\
---------------------------------------------------------------------------

    \154\ See Eric Boodman, ``In a doctor's suspicion after a 
miscarriage, a glimpse of expanding medical mistrust,'' STAT News 
(June 29, 2022), https://www.statnews.com/2022/06/29/doctor-suspicion-after-miscarriage-glimpse-of-expanding-medical-mistrust/#:~:text=In%20a%20doctor's%20suspicion%20after,glimpse%20of%20expanding%20medical%20mistrust&text=The%20idea%20that%20she,used%20contraceptives%20and%20trusted%20them.
---------------------------------------------------------------------------

    Individuals are not alone in their fears. Indeed, according to 
commenters, some health care providers are afraid to provide lawful 
health care because they are concerned that in doing so, they risk 
being subjected to investigation and possible liability.\155\ The 
Department is aware that some health care providers, such as clinicians 
and pharmacies, are hesitant to provide lawful health care or lawfully 
prescribe or fill prescriptions for medications that can result in 
pregnancy loss, even when the health care or those prescriptions are 
intended to treat individuals for other health matters, because of fear 
of law enforcement action.\156\ Some health care providers are also not 
providing individuals with information to address concerns about their 
reproductive health, even where their communications would be lawful, 
out of fear of criminal prosecution, civil suit, or loss of their 
clinical license.\157\ This may result in individuals making decisions 
about their health care with incomplete information, which could have 
serious implications for health outcomes. These fears also increase the 
risk that individual medical records will not be maintained with 
completeness and accuracy, which will in turn affect the quality of 
health care provided to individuals and their safety. Fears about 
potential prosecution, even when Federal law protects the actions of 
health care providers, are likely to negatively affect the accuracy of 
medical records maintained by health care providers and thereby harm 
individuals.
---------------------------------------------------------------------------

    \155\ See also Melissa Suran, ``As Laws Restricting Health Care 
Surge, Some US Physicians Choose Between Fight or Flight,'' JAMA, 
329(22):1899-1903 (May 17, 2023) (discussing a maternal-fetal 
medicine specialist who stated that she moved to another state 
because of legislation that restricts evidence-based health care and 
prevents her from fulfilling her ethical obligation to protect her 
patients' health.), <a href="https://pubmed.ncbi.nlm.nih.gov/37195699/">https://pubmed.ncbi.nlm.nih.gov/37195699/</a>.
    \156\ See Off. for Civil Rights, ``HHS Office for Civil Rights 
Resolves Complaints with CVS and Walgreens to Ensure Timely Access 
to Medications for Women and Support Persons with Disabilities,'' 
U.S. Dep't of Health and Human Servs. (June 16, 2023), <a href="https://www.hhs.gov/civil-rights/for-providers/compliance-enforcement/agreements/cvs-walgreens/index.html">https://www.hhs.gov/civil-rights/for-providers/compliance-enforcement/agreements/cvs-walgreens/index.html</a>. See also Kathryn Starzyk et 
al., ``More than half of patients with a rheumatic disease or 
immunologic condition undergoing methotrexate treatment reside in 
states in which the overturning of Roe v. Wade can jeopardize access 
to medications with abortifacient potential,'' 75 Arthritis 
Rheumatol 328 (Feb. 2023); see also Celine Castronuovo, ``Many 
Female Arthritis Drug Users Face Restrictions After Dobbs,'' 
Bloomberg Law (Nov. 14, 2022) (noting that 16 out of 524 patients 
responding to a survey indicated that they've had trouble getting 
methotrexate, their arthritis medication, since the Dobbs decision.) 
<a href="https://news.bloomberglaw.com/health-law-and-business/many-female-arthritis-drug-users-face-restrictions-after-dobbs">https://news.bloomberglaw.com/health-law-and-business/many-female-arthritis-drug-users-face-restrictions-after-dobbs</a>; Interview with 
Donald Miller, PharmD, ``Methotrexate access becomes challenging for 
some patients following Supreme Court decision on abortion,'' 
Pharmacy Times (July 20, 2022), <a href="https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion">https://www.pharmacytimes.com/view/methotrexate-access-becomes-challenging-for-patients-following-supreme-court-decision-on-abortion</a>; Jamie Ducharme, ``Abortion 
restrictions may be making it harder for patients to get a cancer 
and arthritis drug,'' Time (July 6, 2022), <a href="https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/">https://time.com/6194179/abortion-restrictions-methotrexate-cancer-arthritis/</a>; Katie Shepherd 
& Frances Stead Sellers, ``Abortion bans complicate access to drugs 
for cancer, arthritis, even ulcers,'' The Washington Post (Aug. 8, 
2022), <a href="https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/">https://www.washingtonpost.com/health/2022/08/08/abortion-bans-methotrexate-mifepristone-rheumatoid-arthritis/</a>.
    \157\ See Michelle Oberman & Lisa Soleymani Lehmann, ``Doctors' 
duty to provide abortion information,'' J. of Law and Biosciences 
(Sept. 1, 2023), <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10474560/">https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10474560/</a>; Whitney Arey et al., ``Abortion Access and Medically 
Complex Pregnancies Before and After Texas Senate Bill 8,'' 141 
Obstet Gynecol. 995 (May 1, 2023) (concluding that ``Abortion 
restrictions limit shared decision making, compromise patient care, 
and put pregnant people's health at risk.''); ``1 Year Without 
Roe,'' Center for American Progress (Jun. 23, 2023) (where a 
physician detailed her fear about speaking freely with her patients 
after Dobbs ``worried a vigilante posing as a new patient would 
attempt to bait her into talking about abortion and attempt to sue 
her, and she sometimes skirts the topic of abortion when speaking 
with patients about their health care options.'')
---------------------------------------------------------------------------

    As explained by commenters and supported by research, these 
impingements on the privacy of health information about reproductive 
health care are likely to have a disproportionately greater effect on 
women, individuals of reproductive age, and individuals from 
communities that have been historically underserved, marginalized, or 
subject to discrimination or systemic disadvantage by virtue of their 
race, disability, social or economic status, geographic location, or 
environment.\158\ Historically

[[Page 32989]]

underserved and marginalized individuals are also more likely to be the 
subjects of investigations and other activities to impose liability for 
seeking or obtaining reproductive health care, even where such health 
care is lawful under the circumstances in which it is provided.\159\ 
They are also less likely to have adequate access to legal counsel to 
defend themselves from such actions.\160\ These inequities may be 
exacerbated where individuals face multiple, intersecting disparities, 
such as having limited English proficiency \161\ and disability.\162\ 
Such individuals are thus especially likely to be concerned that 
information they share with their health care providers about their 
reproductive health care will not remain private. This is particularly 
true considering the historic lack of trust, negative experiences, and 
fear of discrimination that many members of historically 
underrepresented and marginalized communities and communities of color 
have in the health care system; \163\ such individuals are more likely 
to be deterred from seeking or obtaining health care--or from giving 
their health care providers full information.
---------------------------------------------------------------------------

    \158\ See Christine Dehlendorf et al., ``Disparities in Abortion 
Rates: A Public Health Approach,'' Am. J. of Pub. Health (Oct. 
2013), <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/">https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3780732/</a>. See 
also Kiara Alfonseca, ``Why Abortion Restrictions Disproportionately 
Impact People of Color,'' ABC News (June 24, 2022), <a href="https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809">https://abcnews.go.com/Health/abortion-restrictions-disproportionately-impact-people-color/story?id=84467809</a>; Dulce Gonzalez et al., Robert 
Wood Johnson Foundation, ``Perceptions of Discrimination and Unfair 
Judgment While Seeking Health Care'' (Mar. 31, 2021), <a href="https://www.rwjf.org/en/insights/our-research/2021/03/perceptions-of-discrimination-and-unfair-judgment-while-seeking-health-care.html">https://www.rwjf.org/en/insights/our-research/2021/03/perceptions-of-discrimination-and-unfair-judgment-while-seeking-health-care.html</a>; 
Susan A. Cohen, ``Abortion and Women of Color: The Bigger Picture,'' 
11 Guttmacher Pol'y Rev. (Aug. 6, 2008), <a href="https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture">https://www.guttmacher.org/gpr/2008/08/abortion-and-women-color-bigger-picture</a>; ``The 
Disproportionate Harm of Abortion Bans: Spotlight on Dobbs v. 
Jackson Women's Health,'' Center for Reproductive Rights (Nov. 29, 
2021), <a href="https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/">https://reproductiverights.org/supreme-court-case-mississippi-abortion-ban-disproportionate-harm/</a> (``Abuses such as 
forced sterilization of Black, Indigenous, and other people of color 
and individuals with disabilities specifically exacerbate medical 
mistrust within reproductive healthcare.'').
    \159\ See Brief of Amici Curiae for Organizations Dedicated to 
the Fight for Reproductive Justice--Mississippi in Action, et al. at 
*35-36, Dobbs, 597 U.S. 215 (discussing the likelihood that 
individuals, particularly those from marginalized communities who 
terminate their pregnancies and anyone who assists them may be 
disproportionally likely to face criminal investigation or arrest, 
given the rates of incarceration of persons from such communities.); 
see also Elizabeth Yuko, ``Women of Color Will Face More 
Criminalized Pregnancies in Post-`Roe' America,'' Rolling Stone 
(Jul. 7, 2020) (``Historically, we've seen the criminalization of 
people of color, young people, and people with lower incomes who've 
had miscarriages and other types of pregnancy losses that the state 
deemed were their fault [. . .] These groups are the most likely to 
be reported to law enforcement and investigated''); see also 
Sentencing Project, State-by-State Data, <a href="https://www.sentencingproject.org/research/us-criminal-justice-data/">https://www.sentencingproject.org/research/us-criminal-justice-data/</a> (last 
visited Feb. 16, 2024) (U.S. Total: Imprisonment rate per 100,000 
residents--355; Black/White disparity--4.8:1; Latinx/White 
disparity--1.3:1); Racial Disparities in Incarceration, Vera 
Institute of Justice (Aug. 21, 2023), <a href="https://trends.vera.org/">https://trends.vera.org/</a> 
(Prison population rate per 100,000 residents ages 15 to 64. U.S. 
total incarceration rate 2021 Q2--298, Asian American/Pacific 
Islander incarceration rate 2021 Q2--100, Black/African American 
incarceration rate 2021 Q2--1,310, Latinx incarceration rate 2021 
Q2--671, Native American incarceration rate 2021 Q2--1,021, White 
incarceration rate 2021 Q2--281).
    \160\ See Columbia Law Sch. Hum. Rts. Inst. & Ne. Univ. Sch. 
of Law Program on Hum. Rts. and the Glob. Econ., ``Equal Access to 
Justice: Ensuring Meaningful Access to Counsel in Civil Cases, 
Including Immigration Proceedings'' (July 2014), <a href="https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf">https://hri.law.columbia.edu/sites/default/files/publications/equal_access_to_justice_-_cerd_shadow_report.pdf</a>. See also Lauren 
Hoffman et al., Ctr. For Am. Progress, ``Report: State Abortion Bans 
Will Harm Women and Families' Economic Security Across the US'' 
(Aug. 25, 2022), <a href="https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/">https://www.americanprogress.org/article/state-abortion-bans-will-harm-women-and-families-economic-security-across-the-us/</a>.
    \161\ See Myasar Ihmud, ``Lost in Translation: Language Barriers 
to Accessing Justice in the American Court System,'' UIC Law Review 
(2023) (discussing ``access to justice for [limited English 
proficient (LEP)] individuals is hindered because they are unable to 
communicate with the court or understand the proceedings. Case law 
shows that, when unable to communicate with the court, LEP litigants 
are unable to defend themselves appropriately in criminal or 
immigration hearings, protect their homes, or keep custody of their 
children.''), <a href="https://repository.law.uic.edu/cgi/viewcontent.cgi?article=2908&context=lawreview">https://repository.law.uic.edu/cgi/viewcontent.cgi?article=2908&context=lawreview</a>; see also ``Language 
Access & Cultural Sensitivity,'' Legal Services Corporation (last 
visited Feb. 21, 2024) (describing how legal aid organizations 
should plan for providing meaningful access to language services. As 
of 2013, ``close to 25 million people, about 8 percent of the 
population, has limited English proficiency.''), <a href="https://www.lsc.gov/i-am-grantee/model-practices-innovations/language-access-cultural-sensitivity">https://www.lsc.gov/i-am-grantee/model-practices-innovations/language-access-cultural-sensitivity</a>.
    \162\ See, e.g., Gautam Gulati et al., ``The experience of law 
enforcement officers interfacing with suspects who have an 
intellectual disability--A systematic review,'' International 
Journal of Law and Psychiatry (Sept.-Oct. 2020) (``It is not 
uncommon for people with [intellectual disability] to be suspects or 
accused persons when interfacing with Law Enforcement Officers 
(LEOs) and therefore face arrest, interview and/or custody.''), 
<a href="https://www.sciencedirect.com/science/article/pii/S016025272030073X">https://www.sciencedirect.com/science/article/pii/S016025272030073X</a>.
    \163\ See Leslie Read et al., The Deloitte Ctr. for Health 
Solutions, ``Rebuilding Trust in Health Care: What Do Consumers 
Want--and Need--Organizations to Do?,'' at 3 (Aug. 5, 2021) (With 
focus groups of 525 individuals in the United States who identify as 
Black, Hispanic, Asian, or Native American, ``[f]ifty-five percent 
reported a negative experience where they lost trust in a health 
care provider.''), <a href="https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html">https://www2.deloitte.com/us/en/insights/industry/health-care/trust-in-health-care-system.html</a>; Liz Hamel et 
al., Kaiser Family Foundation, ``The Undefeated Survey on Race and 
Health,'' at 23 (Oct. 2020) (Percent who say they can trust the 
health care system to do what is right for them or their community 
almost all of the time or most of the time: Black adults: 44%; 
Hispanic adults: 50%; White adults: 55%), <a href="https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf">https://files.kff.org/attachment/Report-Race-Health-and-COVID-19-The-Views-and-Experiences-of-Black-Americans.pdf</a>; U.S. Dep't of Health and Hum. 
Servs., Assistant Sec'y for Pol. & Eval., Off. of Health Pol., 
``Issue Brief: Health Insurance Coverage and Access to Care for 
LGBTQ+ Individuals: Current Trends and Key Challenges,'' at 9 (June 
2021) (A 2021 survey found that 18 percent of LGBTQ+ individuals 
reported avoiding going to a doctor or seeking health care out of 
concern that they would face discrimination or poor treatment 
because of their sexual orientation or gender identity.), <a href="https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf">https://aspe.hhs.gov/sites/default/files/2021-07/lgbt-health-ib.pdf</a>; Abigail 
A. Sewell, ``Disaggregating Ethnoracial Disparities in Physician 
Trust,'' Soc. Science Rsch. (Nov. 2015), <a href="https://pubmed.ncbi.nlm.nih.gov/26463531/">https://pubmed.ncbi.nlm.nih.gov/26463531/</a>; Irena Stepanikova et al., 
``Patients' Race, Ethnicity, Language, and Trust in a Physician,'' 
J. of Health and Soc. Behavior (Dec. 2006), <a href="https://pubmed.ncbi.nlm.nih.gov/17240927/">https://pubmed.ncbi.nlm.nih.gov/17240927/</a>.
---------------------------------------------------------------------------

    Congress contemplated that the Department would need to modify 
standards adopted under HIPAA's Administrative Simplification 
provisions and directed the Secretary to review standards adopted under 
42 U.S.C. 1320d-2 periodically.\164\ In accordance with this directive 
and based on the Department's expertise and analysis and the recent 
developments in the legal landscape, there is a compelling need to 
provide additional protections to PHI about lawful reproductive health 
care. Accordingly, consistent with Congress's directions to the 
Department, in HIPAA, as amended by the Genetic Information 
Nondiscrimination Act (GINA) and the HITECH Act, to establish standards 
and requirements for the electronic transmission of certain health 
information, including the privacy thereof, for the development of a 
health information system, the Department is restricting certain uses 
and disclosures of PHI for particular non-health care purposes to 
provide such protections.
---------------------------------------------------------------------------

    \164\ Congress' directions regarding the issuance of standards 
for the privacy of IIHI are codified at 42 U.S.C. 1320d-2 note. See 
also 45 CFR 160.104(a).
---------------------------------------------------------------------------

C. To Protect the Trust Between Individuals and Health Care Providers, 
the Department Is Restricting Certain Uses and Disclosures of PHI for 
Particular Non-Health Care Purposes

    As discussed above, Congress enacted HIPAA to improve the 
efficiency and effectiveness of the health care system, which includes 
ensuring that individuals have trust in the health care system. 
Congress also directed the Department to develop standards with respect 
to the privacy of IIHI as part of its decision to encourage the 
development of a health information system. To preserve such trust, and 
to encourage the development and use of a nationwide health information 
system, it is appropriate and necessary for Federal law and policy to 
protect the confidentiality of medical records, especially those that 
are highly sensitive. Accordingly, to protect the trust between 
individuals and health care providers, this rule restricts certain uses 
and disclosures of PHI for particular non-health care purposes, i.e., 
for using or disclosing PHI to conduct a criminal, civil, or 
administrative investigation into or to impose criminal, civil, or 
administrative liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating

[[Page 32990]]

lawful reproductive health care, or to identify any person to initiate 
such activities.
    Information about reproductive health care is particularly 
sensitive and requires heightened privacy protection. The Department's 
approach is consistent with efforts across the Federal Government. For 
example, the Department of Defense (DOD) has recognized such privacy 
concerns. In a memorandum to DOD leaders, the Secretary of Defense 
directed the DOD to ``[e]stablish additional privacy protections for 
reproductive health care information'' for service members and 
``[d]isseminate guidance that directs Department of Defense health care 
providers that they may not notify or disclose reproductive health 
information to commanders unless this presumption is overcome by 
specific exceptions set forth in policy.'' \165\ The Federal Trade 
Commission (FTC) has also recognized that information about personal 
reproductive matters is ``particularly sensitive'' and has committed to 
using the full scope of its authorities to protect consumers' privacy, 
including the privacy of their health information and other sensitive 
data.\166\ In business guidance, the FTC explained that ``[t]he 
exposure of health information and medical conditions, especially data 
related to sexual activity or reproductive health, may subject people 
to discrimination, stigma, mental anguish, or other serious harms.'' 
\167\
---------------------------------------------------------------------------

    \165\ Dep't of Defense, Memorandum Re: Ensuring Access to 
Reproductive Health Care, at 1 (Oct. 20, 2022) (removed emphasis on 
``not'' in original), <a href="https://media.defense.gov/2022/Oct/20/2003099747/-1/-1/1/MEMORANDUM-ENSURING-ACCESS-TO-REPRODUCTIVE-HEALTH-CARE.PDF">https://media.defense.gov/2022/Oct/20/2003099747/-1/-1/1/MEMORANDUM-ENSURING-ACCESS-TO-REPRODUCTIVE-HEALTH-CARE.PDF</a>.
    \166\ Kristin Cohen, ``Location, health, and other sensitive 
information: FTC committed to fully enforcing the law against 
illegal use and sharing of highly sensitive data'', Federal Trade 
Commission Business Blog (July 11, 2022), <a href="https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal">https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal</a> (last 
accessed Nov. 15, 2022).
    \167\ Id.
---------------------------------------------------------------------------

    As discussed above, the Department has long provided special 
protections for psychotherapy notes because of the sensitivity around 
this information. However, unlike psychotherapy notes, which by their 
very nature are easily segregated, reproductive health information is 
not easily segregated. Additionally, regulated entities generally do 
not have the ability to segment certain PHI such that regulated 
entities could afford special protections for specific categories of 
PHI.\168\ Where such technology is available, it is generally cost 
prohibitive and burdensome to implement.\169\ Therefore, the Department 
did not propose, and is not finalizing, a newly defined subset of PHI. 
Creating such a subset would create barriers to disclosing PHI for care 
coordination because the PHI would need to be segregated from the 
remaining medical record. Instead, consistent with the Privacy Rule's 
longstanding overall approach,\170\ the Department is finalizing a 
purpose-based prohibition against certain uses and disclosures. This 
rule seeks to protect individuals' privacy interests in their PHI about 
reproductive health care and the interests of society in an effective 
health care system by enabling individuals and licensed health care 
professionals to make decisions about reproductive health care based on 
a complete medical record, while balancing those interests with other 
interests of society in obtaining PHI for certain non-health care 
purposes.
---------------------------------------------------------------------------

    \168\ See Daniel M. Walker et al., ``Interoperability in a Post-
Roe Era Sustaining Progress While Protecting Reproductive Health 
Information,'' JAMA (Nov. 1, 2022) (discussing that segregation of 
records for reproductive health care is more difficult than for SUD 
treatment records because ``reproductive health services are often 
provided in the same settings as other primary and acute care and 
thus could be inferred or directly reflected in many parts of the 
record.''), <a href="https://jamanetwork-com.ezproxyhhs.nihlibrary.nih.gov/journals/jama/fullarticle/2797865">https://jamanetwork-com.ezproxyhhs.nihlibrary.nih.gov/journals/jama/fullarticle/2797865</a>; see, e.g., 87 FR 74216, 74221 
(Dec. 2, 2022) (noting that 42 CFR part 2 previously resulted in the 
separation of SUD treatment records from other health 
records, which led to the creation of data ``silos'' that hampered 
the integration of SUD treatment records into covered entities' 
electronic record systems and billing processes. When considering 
amendments to the relevant statute, some lawmakers argued that the 
silos perpetuated negative stereotypes about persons with SUD and 
inhibited coordination of care during the opioid epidemic.). See 
also Health Info. Tech. Advisory Comm., ``Health Information 
Technology Advisory Committee (HITAC) Annual Report for Fiscal Year 
2019,'' 2019 ONC Ann. Rep., at 37 (Feb. 19, 2020), <a href="https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf">https://www.healthit.gov/sites/default/files/page/2020-03/HITAC%20Annual%20Report%20for%20FY19_508.pdf</a> (``The new 
certification criteria that support the sharing of data via third-
party apps will help advance the use of data segmentation, but 
adoption of this capability by the industry is not yet 
widespread.'').
    \169\ See 88 FR 23746, 23898 (Apr. 18, 2023) (explaining that 
while there are standards for security labels for document-based 
exchange that the Office of the National Coordinator for Health 
Information Technology (ONC) adopted in full in 2020 for the 
criteria in 45 CFR 170.315(b)(7) and (b)(8) to support the 
application of security labels at a granular level for sending in 
and receiving, standards to define the technical requirements for 
the actions described by the security label vocabularies do not yet 
exist. In the 21st Century Cures Act: Interoperability, Information 
Blocking, and the ONC Health IT Certification Program Final Rule, 
published in 2020, ONC estimated a cost of the certification 
criteria and standards adopted for security labels in 45 CFR 
170.315(b)(7) and (b)(8). The Department estimated the total cost to 
developers could range from $2,910,400 to $6,933,600 and that it 
would be a onetime cost. (85 FR 25926) The criteria do not include 
the ability for health IT to take the actions described by the 
security labels. Additionally, ONC did not require that health IT be 
certified to the criteria described above, making it essentially 
voluntary. Accordingly, the estimates for health IT developer and 
health care provider costs were likely significantly lower than they 
would have been if health IT were required to be certified to the 
criteria for participation. Thus, the total cost of implementing 
full segmentation capabilities is likely substantially higher than 
the per-product cost estimates provided by the Department in that 
rule). See also 88 FR 23746, 23875 (Apr. 18, 2023) (discussing 
examples of challenges or technical limitations to electronic health 
information segmentation that have been described to ONC).
    \170\ See 64 FR 59918, at 59924, 59939, and 59955 (Nov. 3, 
1999).
---------------------------------------------------------------------------

    To assist in effectuating this prohibition, the Department is also 
requiring regulated entities to obtain an attestation in certain 
circumstances from the person requesting the use or disclosure stating 
that the use or disclosure is not for a prohibited purpose. A person 
(including a regulated entity or someone who requests PHI) who 
knowingly and in violation of the Administrative Simplification 
provisions obtains or discloses IIHI relating to another individual 
would be subject to potential criminal liability.\171\ Thus, a person 
who knowingly and in violation of HIPAA falsifies an attestation (e.g., 
makes a material misrepresentation about the intended uses of the PHI 
requested) to obtain (or cause to be disclosed) an individual's IIHI 
could be subject to the criminal penalties provided by the 
statute.\172\ Additionally, a regulated entity is subject to potential 
civil penalties for violations of the HIPAA Rules, including a failure 
to obtain a valid attestation before disclosing PHI, where an 
attestation is required.\173\ The purpose-based prohibition, in concert 
with the attestation, will restrict the use and disclosure of PHI about 
lawful reproductive health care where the use or disclosure could harm 
HIPAA's overall goals of increasing trust in the health care system, 
improving health care quality, and protecting individual privacy. At 
the same time, it will allow uses and disclosures that either support 
those goals or do not substantially interfere with their achievement.
---------------------------------------------------------------------------

    \171\ See 42 U.S.C. 1320d-6(a).
    \172\ See 42 U.S.C. 1320d-6(b).
    \173\ See 42 U.S.C. 1320d-5. See also 45 CFR part 160, subparts 
A, D, and E.
---------------------------------------------------------------------------

    Consistent with the Privacy Rule's approach, the Department is 
clarifying that the purpose-based prohibition applies only in certain 
circumstances, recognizing the interests of both the Federal Government 
and states while also protecting the information privacy interests of 
persons who seek, obtain, provide, or facilitate lawful reproductive 
health care. Thus, the Department is finalizing a Rule of

[[Page 32991]]

Applicability that balances the privacy interests of individuals and 
the interests of society in an effective health care system with those 
of society in the use of PHI for other non-health care purposes by 
limiting the new prohibition to certain circumstances.
    The Department's experience administering the Privacy Rule, 
research cited below, our assessment of the needs of individuals and 
health care providers in light of recent developments to the legal 
landscape, public comments, and the Regulatory Impact Analysis, in 
Section VI below, all provide support for the changes finalized in this 
rulemaking. These changes will improve individuals' confidence in the 
confidentiality of their PHI and their trust in the health care system, 
creating myriad benefits for the health care system. Balancing the 
privacy interests of individuals and the use of PHI for other societal 
priorities will continue to support an effective health care system, as 
Congress intended. This final rule will deter the creation of 
inaccurate and incomplete medical records, which will help to support 
the provision of appropriate lawful health care. Health care providers 
base their treatment recommendations on PHI contained within existing 
medical records, as well as information shared with them directly by 
the individual. Thus, where individuals withhold information from their 
health care providers about lawful health care, health care providers 
may not be in possession of all of the necessary information to make an 
informed recommendation for an appropriate treatment plan, which may 
result in negative health outcomes at both the individual and 
population level. It will also improve the confidence of individuals, 
including among the Nation's most vulnerable communities, that they can 
securely seek or obtain or share that they sought or obtained lawful 
reproductive health care without that information being used or 
disclosed for the purpose of investigating or imposing liability on 
them for seeking or obtaining that lawful health care. By improving 
individuals' confidence and trust in their relationships with their 
health care providers, it will make individuals more likely to, for 
example, comply with preventative health screening recommendations, 
which will protect against a decline in individual and population 
health outcomes related to missed preventative health screenings. 
Additional intangible benefits from increased privacy protections in 
this area include enhanced support for survivors of rape, incest, and 
sex trafficking. The new attestation requirement discussed in greater 
detail below will help to assure regulated entities of their ability to 
operationalize these changes and avoid exposure to HIPAA liability for 
impermissible disclosures.

IV. General Discussion of Public Comments

    The Department received more than 25,900 comments in response to 
its proposed rule. Overall, these comments represent the views of 
approximately 51,500 individuals and 350 organizations. Slightly more 
than half of the individuals and organizations who shared their views 
expressed general support for the 2023 Privacy Rule NPRM and its 
objectives. Less than one percent expressed mixed views. Organizational 
commenters included professional and trade associations, including 
those representing medical professionals, health plans, health care 
providers, health information management professionals, health 
information management system vendors, release-of-information vendors, 
employers, epidemiologists, and attorneys. The Department also received 
comments from advocacy organizations, including those representing 
patients, privacy advocates, faith-based organizations, and civil 
rights organizations. The NCVHS also provided comments, as did members 
of Congress, state, local, and Tribal government officials and public 
health authorities. Other commenters included health care systems, 
hospitals, and health care professionals.

A. General Comments in Support of the Proposed Rule

    Comment: Many commenters expressed general support for the proposed 
rule and urged the Department to protect the privacy of individuals by 
limiting uses and disclosures of PHI for certain purposes where the use 
or disclosure of information is about reproductive health care that is 
lawful under the circumstances in which such health care is provided.
    Many health care providers and individuals emphasized the 
importance of trusting relationships between individuals and their 
health care providers. According to individual commenters, a trusting 
relationship permits individuals to participate in sensitive and 
difficult conversations with their health care providers and enables 
health care providers to furnish high-quality and appropriate health 
care and to maintain accurate and complete medical records, including 
records that contain information about reproductive health care.
    Many organizations also submitted comments that expressed agreement 
with the Department's position on the importance of the relationship 
between HIPAA and the HIPAA Rules and trust between individuals and 
health care providers. For example, an organization commented that 
privacy has long been a ``hallmark'' of medical care and agreed with 
the Department that Congress recognized this principle when it enacted 
HIPAA. Some organizations commented that the HIPAA framework of law and 
rules provides individuals with the necessary trust and confidence to 
seek reproductive health care without fear of being prosecuted or 
targeted by law enforcement, including in medical emergencies.
    Other commenters stated that a trusting confidential relationship 
between an individual and a health care provider is an essential 
prerequisite to the delivery of high-quality health care. They also 
asserted that protective privacy laws, including HIPAA, help to ensure 
that individuals do not forgo health care.
    Many individuals asserted that the proposed safeguards are urgently 
needed to provide individuals with the confidence to seek health care. 
According to the commenters, the proposal would increase the likelihood 
that pregnant individuals would receive essential health care, thus 
improving their overall well-being. One commenter expressed support for 
the proposal because they believe people should not be held liable or 
face punishment for seeking, obtaining, providing, or facilitating 
lawful health care. Another commenter expressed concerns that the 
increase in state legislation targeting reproductive health care has 
placed significant burdens on physicians and increased the risk of 
maternal morbidity and mortality for individuals.
    A few commenters also expressed agreement with the Department's 
assertion that the proposed restrictions would clarify legal 
obligations of regulated entities with respect to the disclosure of PHI 
for certain non-health related purposes and would enable persons 
requesting PHI, including health plans, to better understand when such 
disclosures are permitted.
    Response: The Department appreciates these comments and is 
finalizing the proposed rule with modification, as described in greater 
detail below. Consistent with HIPAA's goals, this final rule will 
support the development and maintenance of trust between individuals 
and their health care providers, encouraging individuals

[[Page 32992]]

to be forthright with health care providers regarding their health 
history and providing valuable clarity to the regulated community and 
individuals concerning their privacy rights with respect to lawfully 
provided health care. In so doing, the Department helps to support 
access to health care by increasing individuals' confidence in the 
privacy of their PHI about lawfully provided reproductive health care. 
We are taking these actions as a result of our ongoing evaluation of 
the environment, including the legal landscape, and consistent with the 
Privacy Rule's longstanding balance of individual privacy and societal 
interests in PHI for non-health care purposes.
    Comment: A wide cross-section of commenters, including individuals, 
health care providers, patient advocacy organizations, reproductive 
rights organizations, state law enforcement agencies, and others all 
agreed that individuals who frequently experience discrimination 
generally also experience it when seeking health care.
    Many of these commenters urged the Department to recognize that 
there is a trust deficit in relationships between individuals and 
health care providers in communities that frequently experience 
discrimination. Many commenters cited scholarly journals and research 
articles showing that women of color especially suffer poorer medical 
outcomes, including higher maternal mortality and denial of medical 
interventions or treatments.
    Commenters who answered the Department's request for comment about 
whether members of ``historically underserved and minority 
communities'' are more likely to be the subject of investigations into 
or proceedings against persons in connection with seeking, obtaining, 
providing, or facilitating lawful reproductive health care unanimously 
responded in the affirmative. Some commenters expressed concern about 
the current legal environment's disproportionately negative effect on 
the privacy of women and members of marginalized and historically 
underserved communities and communities of color, such as immigrants 
who might avoid obtaining health care because of fears that their PHI 
could be shared with government officials. In general, commenters 
encouraged the Department to consider the likely negative implications 
of reduced health information privacy when combined with these 
disparities on health outcomes for members of marginalized and 
historically underserved communities and communities of color when 
crafting the final rule.
    Some commenters expressed concern about the current legal 
environment's disproportionately negative effect on the privacy of 
members of marginalized and historically underserved communities and 
communities of color, such as women of color, immigrants and American 
Indians and Alaska Natives, who might withhold information from health 
care providers or avoid obtaining health care because of fears that 
their PHI could be shared with government officials or used to 
investigate or impose liability on them.
    Among commenters that addressed this topic, many supported the 
Department's proposed purpose-based prohibition. Commenters stated that 
the proposed rule would help to mitigate medical mistrust of 
individuals in marginalized and historically underserved communities 
and communities of color and reduce the racial disparities that result 
from the increased criminalization of reproductive health care.
    Several commenters also addressed the issue of the availability of 
legal counsel among these communities. A few commenters asserted that 
individuals who are members of marginalized and historically 
underserved communities and communities of color are less likely to 
have access to legal counsel, despite being more likely to be subjects 
of investigations into or proceedings against persons in connection 
with obtaining, providing, or facilitating lawful sexual and reproductive 
health care and cited to related studies.
    Response: We appreciate these comments and thank commenters for 
sharing these important considerations. As we discussed in the 2023 
Privacy Rule NPRM and again here, the experiences of individuals from 
communities that have been historically underserved, marginalized, or 
subject to discrimination or systemic disadvantage by virtue of their 
race, disability, social or economic status, geographic location, or 
environment have significant negative effects on their relationships 
with health care providers and their willingness to seek necessary 
health care. We agree that the current legal landscape has exacerbated 
the health inequities that these individuals encounter when seeking 
reproductive health care services. The Department expects that the 
steps we have taken in this rule will meaningfully strengthen the 
privacy of PHI about lawful reproductive health care, and as a result, 
will help to mitigate the exacerbation of health disparities for 
members of marginalized and historically underserved communities and 
communities of color.
    The Department is actively working to reduce health disparities. In 
recent months, we released a new plan to address language barriers and 
strengthen language access in health care,\174\ and issued three 
proposed rules to address health disparities: one to revise existing 
regulations to strengthen prohibitions against discrimination on the 
basis of a disability in health care and human services programs; \175\ 
another to issue new regulations to advance non-discrimination in 
health and human service programs for the LGBTQI+ community; \176\ and 
a third to revise existing regulations to prohibit discrimination on 
the basis of race, color, national origin, sex, age, and disability in 
a range of health programs.\177\ The Department will continue to work 
to address these concerns, ensure that individuals have access to and 
do not forgo necessary health care, and build individuals' trust that 
health care providers can and will protect the privacy of individuals' 
sensitive health information.
---------------------------------------------------------------------------

    \174\ Press Release, ``Breaking Language Barriers: Biden-Harris 
Administration Announces New Plan to Address Language Barriers and 
Strengthen Language Access,'' U.S. Dep't of Health and Human Servs. 
(Nov. 15, 2023), <a href="https://www.hhs.gov/about/news/2023/11/15/breaking-language-barriers-biden-harris-administration-announces-new-plan-address-language-barriers-strengthen-language-access.html">https://www.hhs.gov/about/news/2023/11/15/breaking-language-barriers-biden-harris-administration-announces-new-plan-address-language-barriers-strengthen-language-access.html</a>.
    \175\ Press Release, ``HHS Issues New Proposed Rule to 
Strengthen Prohibitions Against Discrimination on the Basis of a 
Disability in Health Care and Human Services Programs,'' U.S. Dep't 
of Health and Human Servs. (Sept. 7, 2023), <a href="https://www.hhs.gov/about/news/2023/09/07/hhs-issues-new-proposed-rule-to-strengthen-prohibitions-against-discrimination-on-basis-of-disability-in-health-care-and-human-services-programs.html">https://www.hhs.gov/about/news/2023/09/07/hhs-issues-new-proposed-rule-to-strengthen-prohibitions-against-discrimination-on-basis-of-disability-in-health-care-and-human-services-programs.html</a>.
    \176\ Press Release, ``HHS Issues Proposed Rule to Advance Non-
discrimination in Health and Human Service Programs for LGBTQI+ 
Community,'' U.S. Dep't of Health and Human Servs. (July 11, 2023), 
<a href="https://www.hhs.gov/about/news/2023/07/11/hhs-issues-proposed-rule-advance-non-discrimination-health-human-service-programs-lgbtqi-community.html">https://www.hhs.gov/about/news/2023/07/11/hhs-issues-proposed-rule-advance-non-discrimination-health-human-service-programs-lgbtqi-community.html</a>.
    \177\ Press Release, ``HHS Announces Proposed Rule to Strengthen 
Nondiscrimination in Health Care,'' U.S. Dep't of Health and Human 
Servs. (July 25, 2022), <a href="https://www.hhs.gov/about/news/2022/07/25/hhs-announces-proposed-rule-to-strengthen-nondiscrimination-in-health-care.html">https://www.hhs.gov/about/news/2022/07/25/hhs-announces-proposed-rule-to-strengthen-nondiscrimination-in-health-care.html</a>.
---------------------------------------------------------------------------

    Comment: A few commenters agreed with the Department's position 
that the proposed rule would appropriately protect individuals against 
growing threats to their privacy with respect to PHI about reproductive 
health care while permitting states to conduct law enforcement 
activities.
    Response: The Privacy Rule always has balanced and continues to balance 
privacy interests and other societal interests by permitting 
disclosures of PHI to support

[[Page 32993]]

public policy goals, including disclosures to support certain criminal, 
civil, and administrative law enforcement activities; the operation of 
courts and tribunals; health oversight activities; the duties of 
coroners and medical examiners; and the reporting of child abuse, 
domestic violence, and neglect to appropriate authorities. We 
appreciate these comments that recognized the growing threat to the 
privacy of PHI and the need to strike an appropriate balance between 
ensuring health care privacy and conducting law enforcement activities. 
We are finalizing the proposed rule with modification as described in 
greater detail below.

B. General Comments in Opposition to the Proposed Rule

    Comment: Several commenters generally opposed the proposed rule 
because of their opposition to certain types of reproductive health 
care. Many commenters opposed the proposed rule generally because they 
believed that it would harm women and children. Other commenters 
expressed concern that the proposals would increase administrative 
burdens and costs for health care providers; impede parental rights; 
prevent mandatory reporting of child abuse or abuse, domestic violence, 
and neglect; infringe upon states' rights; thwart law enforcement 
investigations; inhibit disclosures for public health activities; and 
protect those who engage in unlawful activities.
    Response: The modifications to the Privacy Rule in this final rule 
directly advance Congress' directive in HIPAA to improve the efficiency 
and effectiveness of the health care system by encouraging the 
development of a health information system through the establishment of 
standards and requirements for the electronic transmission of certain 
health information,\178\ including a standard for the privacy of IIHI 
that, among other things, addresses the ``uses and disclosures of such 
information that should be authorized or required.'' \179\ As discussed 
in greater detail elsewhere in this final rule, a trusting relationship 
between individuals and health care providers is the foundation of 
effective health care. A primary goal of the Privacy Rule is to ensure 
the privacy of an individual's PHI while permitting necessary uses and 
disclosures of PHI that enable high-quality health care and protect the 
health and well-being of all individuals, including women and children, 
and the public.
---------------------------------------------------------------------------

    \178\ See 42 U.S.C. 1320d note.
    \179\ See 42 U.S.C. 1320d-2 note.
---------------------------------------------------------------------------

    From the outset, the Department structured the Privacy Rule to 
ensure that individuals do not forgo lawful health care when needed--or 
withhold important information from their health care providers that 
may affect the quality of health care they receive out of a fear that 
their sensitive information would be revealed outside of their 
relationship with their health care provider. The Department has long 
been committed to protecting the privacy of PHI and providing the 
opportunity for an authentic, trusting relationship between individuals 
and health care providers. As we discussed in the 2023 Privacy Rule 
NPRM and again here, this final rule will help engender trust between 
individuals and health care providers and confidence in the health care 
system. We believe that this confidence will eliminate some of the 
burdens health care providers face in providing high-quality health 
care, encourage health care providers to accurately document PHI in an 
individual's medical record, and encourage individuals to provide 
health care providers with their complete and accurate health history, 
all of which will ultimately support better health outcomes. Nothing in 
this final rule sets forth a particular standard of care or affects the 
ability of health care providers to exercise their professional 
judgment.
    This final rule protects the relationship between individuals and 
health care providers by protecting the privacy of PHI in circumstances 
where recent legal developments have increased concerns about that 
information being used and disclosed to harm persons who seek, obtain, 
provide, or facilitate reproductive health care under circumstances in 
which such health care is lawful, while continuing to permit uses and 
disclosures that confer other social benefits. It is narrowly tailored 
and respects the interests of both states and the Department. The final 
rule continues to permit regulated entities to use or disclose PHI to 
comply with certain mandatory reporting laws, for public health 
activities, and for law enforcement purposes when the uses and 
disclosures are compliant with the applicable provisions of the Privacy 
Rule.
    Further, consistent with the longstanding operation of the Privacy 
Rule, this final rule requires that, in certain circumstances, 
regulated entities obtain information from persons requesting PHI, such 
as law enforcement, before the regulated entities may use or disclose 
the requested PHI. The Department recognizes that this final rule may 
increase the burden on those persons making requests for PHI, such as 
federal and state law enforcement officials, by requiring, in certain 
circumstances, that regulated entities obtain more information from 
such persons than previously required, and may, at times, prevent 
regulated entities from using or disclosing PHI that they previously 
would have been permitted to use or disclose. For example, the 
Department recognizes that situations may arise where a regulated 
entity reasonably determines that reproductive health care was lawfully 
provided, while at the same time, the person requesting the PHI (e.g., 
law enforcement) reasonably believes otherwise. In such circumstances, 
where the regulated entity provided the reproductive health care, and 
upon receiving a request for the PHI for a purpose that implicates the 
prohibition, reasonably determines that the provision of reproductive 
health care was lawful, the final rule would prohibit the regulated 
entity from disclosing PHI for certain types of investigations into the 
provision of such health care. This constitutes a change from the 
current Privacy Rule, under which a regulated entity is permitted, but 
not required, to make a use or disclosure under 45 CFR 164.512(f) of 
information that is ``relevant and material to a legitimate'' law 
enforcement inquiry, provided that certain conditions are met; these 
conditions include, for example, that the request is specific and 
limited in scope to the extent reasonably practicable given the purpose 
for which the information is sought.\180\ Similarly, the Department 
acknowledges that, where the regulated entity did not provide the 
reproductive health care that is the subject of the investigation or 
imposition of liability, the Rule of Applicability and Presumption, 
discussed below, may require regulated entities to obtain additional 
information, that is, factual information that demonstrates to the 
regulated entity a substantial factual basis that the reproductive 
health care was not lawful under the specific circumstances in which it 
was provided, from persons requesting PHI before using or disclosing 
the requested PHI.
---------------------------------------------------------------------------

    \180\ See 45 CFR 164.512(f)(1)(ii)(C).
---------------------------------------------------------------------------

    Consistent with HIPAA and the Department's longstanding approach in 
the Privacy Rule, the Department is finalizing an approach that strikes 
an appropriate balance between the privacy interests of individuals and 
the interests of law enforcement, and private parties afforded legal 
rights of action, in

[[Page 32994]]

obtaining PHI for certain non-health care purposes. While this approach 
may adversely affect particular interests of law enforcement, and 
private parties afforded legal rights of action, in some cases, the 
Department believes that the final rule best balances these competing 
interests by enhancing privacy protections without unduly interfering 
with legitimate law enforcement activities and does so in a manner that 
is consistent with the approach taken elsewhere in the Privacy Rule. As 
explained above, individual privacy interests are especially strong 
where individuals seek lawful reproductive health care. In particular, 
individuals may forgo lawful health care or avoid disclosing previous 
lawful health care to providers because they fear that their PHI will 
be disclosed. The Department believes these concerns are exacerbated by 
the prospect of state investigations into, and resulting intimidation 
and criminalization of, health care providers for providing lawful 
reproductive health care, as well as state laws encouraging state 
residents to sue persons who facilitate individuals' access to legal 
health care. The final rule addresses these interests by protecting 
privacy in situations where the reproductive health care at issue is 
especially likely to be lawful under the circumstances in which such 
health care was provided. Where a regulated entity receives a request 
for PHI about reproductive health care that the regulated entity 
provided, such health care is likely to be lawful where the regulated 
entity reasonably determines, based on all information in its 
possession, that such health care was lawful under the circumstances in 
which it was provided. Similarly, where a regulated entity receives a 
request for PHI about reproductive health care that the regulated 
entity did not provide, such health care is likely to be lawful where 
law enforcement is unable to provide factual information that 
demonstrates to the regulated entity a substantial factual basis that 
the reproductive health care was not lawful under the specific 
circumstances in which such health care was provided.
    The Department recognizes that, in some cases, the approach adopted 
in this final rule may inadvertently prohibit the disclosure of PHI 
about reproductive health care that was unlawfully provided, such as 
where a health care provider reasonably but incorrectly determines that 
the reproductive health care it provided was lawful under the 
circumstances in which such health care was provided. This is similar 
to how the Privacy Rule has always potentially prevented the use or 
disclosure of PHI that could be useful to law enforcement in certain 
circumstances because the request for PHI does not meet the conditions 
of the applicable permission. Nevertheless, given the importance of 
protecting individual privacy in this area, the Department has 
determined that the final rule adopts the appropriate balance between 
individual privacy and the interests of other persons, such as law 
enforcement. Specifically, the Department believes that the benefits to 
individual privacy of a broadly protective rule outweigh the benefits 
to societal interests in the use or disclosure of PHI from a narrower 
rule. While a narrower rule would more broadly permit disclosures 
related to PHI that might concern reproductive health care that is not 
lawful under the circumstances in which it is provided, such a rule 
would inadvertently permit more disclosures of PHI about lawful 
reproductive health care. Accordingly, the Department concludes that 
the final rule must be sufficiently broad to protect against such 
disclosures, given the paramount importance of individual privacy in 
this area.
    Moreover, as explained above, individual privacy interests are 
paramount to promote free and open communication between individuals 
and their health care providers, thereby ensuring that individuals 
receive high-quality care based on their accurate medical history. 
Society has long recognized that information exchanged as part of a 
specific relationship for which trust is paramount should be entitled 
to heightened protection (e.g., marital privilege, attorney-client 
privilege, doctor-patient privilege). Similarly, this final rule seeks 
to address situations where privacy interests are especially important, 
based both on the content of the information that is protected from 
disclosure (concerning lawful reproductive health care) and the context 
in which that information is shared (concerning a trust-based 
relationship between individuals and their health care providers).
    In contrast, the potential adverse effects of this final rule on 
other interests, such as those of law enforcement, are limited by the 
narrow scope of this final rule. This final rule does not seek to 
prohibit disclosures of PHI where the request is for reasons other than 
investigating or imposing liability on persons for the mere act of 
seeking, obtaining, providing, or facilitating reproductive health care 
that is lawful under the circumstances in which such health care is 
provided. For example, as explained in the NPRM and below, the final 
rule does not prohibit the use or disclosure of PHI for investigating 
alleged violations of the Federal False Claims Act or a state 
equivalent; conducting an audit by an Inspector General aimed at 
protecting the integrity of the Medicare or Medicaid program where the 
audit is not inconsistent with this final rule; investigating alleged 
violations of Federal nondiscrimination laws or abusive conduct, such 
as sexual assault, that occur in connection with reproductive health 
care; or determining whether a person or entity violated 18 U.S.C. 248 
regarding freedom of access to clinic entrances. In each of these 
cases, the request is not made for the purpose of investigating or 
imposing liability on any person for the mere act of seeking, 
obtaining, providing, or facilitating reproductive health care.
    Even when the request is for the purpose of investigating or 
imposing liability on the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care, this final rule does not seek to 
prohibit disclosures of PHI about reproductive health care that is not 
lawful under the circumstances in which it was provided. Thus, in most 
situations involving reproductive health care that is not lawful under 
the circumstances in which it is provided, this final rule will not 
prevent the use or disclosure of PHI to investigate or impose liability 
on persons for such legal violations, provided such disclosures are 
otherwise permitted by the Privacy Rule. Moreover, where a regulated 
entity did not provide the reproductive health care at issue, this 
final rule prohibits the use or disclosure of PHI where the person 
making the request does not provide sufficient information to overcome 
the presumption of legality. In such cases, law enforcement agencies 
and other persons have a reduced interest in obtaining such PHI where 
the information does not demonstrate to the regulated entity a 
substantial factual basis that the reproductive health care was not 
lawful under the circumstances in which such health care was provided.
    This final rule does not prohibit the use or disclosure of PHI to 
investigate or impose liability on persons where reproductive health 
care is unlawful under the circumstances in which it is provided. 
Instead, the final rule prohibits the use or disclosure of PHI in 
narrowly tailored circumstances (i.e., where the use or disclosure is 
to conduct an investigation or impose liability on a person for the 
mere act of seeking, obtaining, providing, or facilitating reproductive 
health care that

[[Page 32995]]

is lawful under the circumstances in which such health care is 
provided, or to identify a person for such activities). For example, 
once this final rule is in effect, a covered health care provider may 
still disclose PHI to a medical licensing board investigating a health 
care provider's actions related to their obligation to report suspected 
elder abuse, assuming the disclosure meets the conditions of an 
applicable Privacy Rule permission. This is because the final rule does 
not bar the use or disclosure of PHI for health oversight purposes, 
which is unrelated to the mere act of seeking, obtaining, providing, or 
facilitating reproductive health care.
    Additionally, even where the final rule prohibits the use or 
disclosure of PHI to investigate potentially unlawful reproductive 
health care (i.e., where a regulated entity reasonably determines that 
the reproductive health care they provided was lawful, or where the 
presumption of legality is not overcome), law enforcement retains other 
ways of investigating reproductive health care that they suspect may 
have been unlawfully provided. For example, law enforcement retains the 
use of other traditional and otherwise lawful investigatory means for 
obtaining information, such as conducting witness interviews and 
accessing other sources of information not covered by HIPAA. The final 
rule is therefore tailored to protect the relationship between 
individuals and their health care providers specifically, while leaving 
unaffected law enforcement's ability to conduct investigations using 
information from other sources.
    With respect to commenters' concerns about parental rights, this 
final rule also does not interfere with the ability of states to define 
the nature of the relationship between a minor and a parent or 
guardian.
    Comment: A few commenters that expressed negative views asserted 
that the proposed rule exceeded the Department's statutory authority 
under HIPAA or was beyond the Department's rulemaking authority. Some 
commenters stated that the rulemaking was arbitrary and capricious and 
would make it difficult for law enforcement to investigate reproductive 
health care and engage in health oversight activities and would require 
health care providers to provide certain types of health care against 
which they have objections. Some commenters expressed concern about the 
balance of powers between the states and the federal government. Other 
commenters suggested that the proposals preempt state laws serving 
public health, safety, and welfare.
    Response: As discussed above, Congress explicitly stated that the 
purpose of HIPAA's Administrative Simplification provisions was to 
improve the efficiency and effectiveness of the health care system. For 
the health care system to be effective, individuals must trust that 
information that they share with health care providers about lawful 
health care will remain private. Accordingly, since their inception, 
the HIPAA Rules have required that regulated entities narrowly tailor 
disclosures to law enforcement to protect an individual's privacy.\181\ 
While the Department is adopting an approach in this final rule that is 
more protective of privacy interests than the current Privacy Rule in 
certain circumstances, these changes are necessary to appropriately 
balance privacy interests and the interests of law enforcement, and 
private parties afforded legal rights of action, in light of the 
changing legal environment. This is discussed in detail above. In both 
the 2023 Privacy Rule NPRM and this final rule, the Department cited to 
multiple studies documenting the real-world harm to health and health 
care in the changing legal environment. As explained above, the 
Department acknowledges that this final rule may affect certain state 
interests in obtaining PHI to investigate potentially unlawful 
reproductive health care, but the Department has tailored the final 
rule to strike the appropriate balance between privacy interests and 
state interests. This final rule limits the potential harm to 
individuals, health care providers, and others resulting from the 
disclosure of PHI to investigate or punish individuals for the mere act 
of seeking, obtaining, providing, or facilitating reproductive health 
care that is lawful under the circumstances in which such health care 
is provided. We emphasize that nothing in this rule or any of the HIPAA 
Rules requires a health care provider to provide any type of health 
care, including any type of reproductive health care.
---------------------------------------------------------------------------

    \181\ See, e.g., 45 CFR 164.512(f) and 164.514(d)(3)(iii).
---------------------------------------------------------------------------

    Comment: Several commenters asserted that the proposed rule would 
impede states' enforcement of their own laws, including those 
concerning sexual assault and sex trafficking. Many commenters opposed 
the proposed rule because they believed it would inhibit the ability of 
states to investigate or enforce laws prohibiting minors from obtaining 
certain types of health care and prevent the commenters from reporting 
minors who they believe are coerced into obtaining such health care to 
authorities.
    Response: This rule does not prohibit the disclosure of PHI for 
investigating allegations of or imposing liability for sexual assault, 
sex trafficking, or coercing minors into obtaining reproductive health 
care. Rather, this final rule modifies the existing HIPAA Privacy Rule 
standards by prohibiting uses and disclosures of PHI to investigate or 
impose liability on individuals, regulated entities, or other persons 
for the mere act of seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which such reproductive health care is provided, or to identify any 
person to investigate or impose liability on them for such purposes. 
Accordingly, requests for the disclosure of PHI to investigate such 
allegations of or impose liability for such crimes do not fall within 
the final rule's prohibition, and the presumption of lawfulness 
likewise would not be triggered because the prohibition would not 
apply. A regulated entity therefore would not be prohibited from 
disclosing an individual's PHI when subpoenaed by law enforcement for 
the purpose of investigating such allegations, assuming that law 
enforcement provided a valid attestation and met the other conditions 
of the applicable permission.
    Moreover, as explained above, the final rule is tailored to 
prohibit disclosures related to lawful reproductive health care, 
thereby reducing the interference with law enforcement interests to 
create an appropriate balance with privacy interests.
    Comment: Some states expressed concern that the proposed rule would 
intrude into areas where the HIPAA Rules have previously acknowledged 
state control, such as enforcement of state and local laws, regulation 
of the practice of health care, and reporting of abuse.
    Response: This final rule balances the interests of individuals in 
the privacy of their PHI and of society in an effective health care 
system with those of society in obtaining PHI for certain non-health 
care purposes. The Privacy Rule always has permitted and continues to permit 
disclosures of PHI to support public policy goals, including 
disclosures to support criminal, civil, and administrative law 
enforcement activities; the operation of courts and tribunals; health 
oversight activities; the duties of coroners and medical examiners; and 
the reporting of child abuse, domestic violence, and neglect to 
appropriate authorities. As explained above, while the final rule 
adopts an approach that is more

[[Page 32996]]

protective of privacy interests in certain circumstances than the 
previous Privacy Rule, the final rule continues to balance the 
interests that HIPAA Rules have long sought to protect with those of 
society in PHI.

C. Other General Comments on the Proposed Rule

    Comment: Commenters urged the Department to provide enhanced 
privacy protections for health information that is not covered by 
existing frameworks or specifically addressed in the proposed rule. A 
few professional associations expressed support for revising the 
Privacy Rule to provide stronger protection for the privacy of 
reproductive health care information and urged the Department to modify 
the Privacy Rule to provide even stronger protections than those 
proposed in the 2023 Privacy Rule NPRM.
    Response: The Department's authority under HIPAA is limited to 
protecting the privacy of IIHI that is maintained or transmitted by 
covered entities and, in some cases, their business associates. 
Specific modifications to the Privacy Rule to protect the privacy of 
PHI are described in greater detail below. Consistent with the 
Department's longstanding approach with respect to the Privacy Rule, 
the modifications we are finalizing in this rule strike a balance 
between protecting an individual's right to health information privacy 
and the interests of society in permitting the disclosure of PHI to 
support the investigation or imposition of liability for unlawful 
conduct. In particular, the final rule does not prohibit the disclosure 
of PHI about reproductive health care that was unlawfully provided, 
because an individual's privacy interests in reproductive health care 
that is not lawful (e.g., a particular type of reproductive health care 
that is provided by a nurse practitioner in a state that requires that 
type of reproductive health care to be provided by a physician) are 
comparatively lower than a state's interests in investigating and 
imposing liability on persons for unlawful reproductive health care. We 
will continue to monitor legal developments and their effects on 
individual privacy as we consider the need for future modifications to 
the Privacy Rule.
    Comment: Several commenters questioned how the proposed rule would 
affect their current business associate and data exchange agreements.
    Response: The modifications in this final rule may require 
regulated entities to revise existing business associate agreements 
where such agreements permit regulated entities to engage in activities 
that are no longer permitted under the revised Privacy Rule. Regulated 
entities must be in compliance with the provisions of this rule by 
December 23, 2024.
    Comment: A few commenters requested clarification of whether minors 
and legal adults have the same protections under the Privacy Rule and 
whether this rule would alter existing protections.
    Response: The final rule does not change how the Privacy Rule 
applies to adults and minors. Thus, all of the protections provided to 
PHI by this final rule apply equally to adults and minors. For example, 
under this final rule, a regulated entity is prohibited from using or 
disclosing a minor's PHI for the purposes prohibited under 45 CFR 
164.502(a)(5)(iii). The Privacy Rule generally permits a parent to have 
access to the medical records about their child as their minor child's 
personal representative when such access is consistent with state or 
other law, with limited exceptions.\182\ Additional information about 
how the Privacy Rule applies to minors can be found at 45 CFR 
164.502(g) and on the OCR website.\183\
---------------------------------------------------------------------------

    \182\ See 45 CFR 164.502(g) (describing personal 
representatives) and 164.524(a)(3) (describing reviewable grounds 
for denial of access to PHI by a personal representative).
    \183\ Off. for Civil Rights, ``Health Information Privacy,'' 
U.S. Dep't of Health and Human Servs., <a href="https://www.hhs.gov/hipaa/index.html">https://www.hhs.gov/hipaa/index.html</a>.
---------------------------------------------------------------------------

    Comment: Many commenters urged the Department to take an 
educational approach, rather than a punitive one, with respect to 
enforcement against regulated entities. In addition, many commenters 
addressed the need for resources and education for successful 
implementation of the proposed changes to the Privacy Rule. They called 
for the Department to collaborate with and educate regulated entities, 
individuals, and others affected by the proposed revisions, such as law 
enforcement, as well as for the Department to partner with other 
Federal agencies and state governments to conduct the education. Some 
suggested that educational resources should include multiple media 
formats and a centralized platform.
    Response: The Department frequently issues non-binding guidance and 
conducts outreach to help regulated entities achieve compliance. We 
appreciate these recommendations and will consider these topics for 
future guidance. Regulated entities are expected to comply with the 
Privacy Rule as revised once the compliance date has passed.

V. Summary of Final Rule Provisions and Public Comments and Responses

    The Department is modifying the Privacy Rule to strengthen privacy 
protections for individuals' PHI by adding a new category of prohibited 
uses and disclosures of PHI. This final rule prohibits a regulated 
entity from using or disclosing an individual's PHI for the purpose of 
conducting a criminal, civil, or administrative investigation into or 
imposing criminal, civil, or administrative liability on any person for 
the mere act of seeking, obtaining, providing, or facilitating 
reproductive health care that is lawful under the circumstances in 
which it is provided, meaning that it is either: (1) lawful under the 
circumstances in which such health care is provided and in the state in 
which it is provided; or (2) protected, required, or authorized by 
Federal law, including the United States Constitution, regardless of 
the state in which such health care is provided. In both of these 
circumstances, as explained above, the interests of the individual in 
the privacy of their PHI and of society in ensuring an effective health 
care system outweigh those of society in the use of PHI for non-health 
care purposes. To operationalize this modification, the Department is 
revising or clarifying certain definitions and terms that apply to the 
Privacy Rule, as well as other HIPAA Rules. This final rule also 
prohibits a regulated entity from using or disclosing an individual's 
PHI for the purpose of identifying an individual, health care provider, 
or other person for the purpose of initiating such an investigation or 
proceeding against the individual, a health care provider, or other 
person in connection with seeking, obtaining, providing, or 
facilitating reproductive health care that is lawful under the 
circumstances in which it is provided.
    To effectuate these proposals, the Department is finalizing 
conforming and clarifying changes to the HIPAA Rules. These changes 
include, but are not limited to, clarifying the definition of 
``person'' to reflect longstanding statutory language defining the 
term; adopting new definitions of ``public health'' surveillance, 
investigation, or intervention, and ``reproductive health care''; 
adding a new category of prohibited uses and disclosures; clarifying 
that a regulated entity may not decline to recognize a person as a 
personal representative for the purposes of the Privacy Rule because 
they provide or facilitate reproductive health care for an individual; 
imposing a new

[[Page 32997]]

requirement that, in certain circumstances, regulated entities must 
first obtain an attestation that a requested use or disclosure is not 
for a prohibited purpose; and requiring modifications to covered 
entities' NPPs to inform individuals that their PHI may not be used or 
disclosed for a purpose prohibited under this final rule.
    The Department's section-by-section description of the final rule 
is below.

A. Section 160.103 Definitions

1. Clarifying the Definition of ``Person''
    HIPAA does not define the term ``person.'' \184\ The HIPAA Rules 
have long defined ``person'' to mean ``a natural person, trust or 
estate, partnership, corporation, professional association or 
corporation, or other entity, public or private.'' \185\ This meaning 
was based on the definition of ``person'' adopted by Congress in the 
original SSA, as an ``individual, a trust or estate, a partnership, or 
a corporation.'' \186\
---------------------------------------------------------------------------

    \184\ See 42 U.S.C. 1320d-1320d-8.
    \185\ 45 CFR 160.103.
    \186\ See section 1101(3) of Public Law 74-271, 49 Stat. 620 
(Aug. 14, 1935) (codified at 42 U.S.C. 1301(3)).
---------------------------------------------------------------------------

    In 2002, Congress enacted 1 U.S.C. 8, which defines ``person,'' 
``human being,'' ``child,'' and ``individual.'' \187\ The statute 
specifies that these definitions shall apply when ``determining the 
meaning of any Act of Congress, or of any ruling, regulation, or 
interpretation of the various administrative bureaus and agencies of 
the United States.'' \188\ The Department understands 1 U.S.C. 8 to 
provide definitions of ``person,'' ``individual,'' and ``child'' that 
do not include a fertilized egg, embryo, or fetus, and are consistent 
with the Department's understanding of those terms, as used in the SSA, 
HIPAA, and the HIPAA Rules.
---------------------------------------------------------------------------

    \187\ 1 U.S.C. 8(a). The Department is not opining on whether 
any state law confers a particular legal status upon a fertilized 
egg, embryo, or fetus. Rather, the Department cites to this statute 
to help define the scope of privacy protections that attach pursuant 
to HIPAA and its implementing regulations.
    \188\ Id.
---------------------------------------------------------------------------

    The Department proposed to clarify the term ``natural person'' in a 
manner consistent with 1 U.S.C. 8.\189\ Thus, the Department proposed 
to clarify that all terms subsumed within the definition of ``natural 
person,'' such as ``individual,'' \190\ are limited to the confines of 
the term ``person.'' \191\ As discussed in the 2023 Privacy Rule NPRM, 
the purpose of this proposal was to better explain to regulated 
entities and other stakeholders the parameters of an ``individual'' 
whose PHI is protected by the HIPAA Rules.
---------------------------------------------------------------------------

    \189\ 88 FR 23506, 23523 (Apr. 17, 2023).
    \190\ 45 CFR 160.103 (definition of ``Individual'').
    \191\ See Sharon T. Phelan, ``The Prenatal Record and the 
Initial Prenatal Visit,'' The Glob. Libr. of Women's Med. (last 
updated Jan. 2008) (PHI about the fetus is included in the mother's 
PHI), <a href="https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl">https://www.glowm.com/section-view/heading/The%20Prenatal%20Record%20and%20the%20Initial%20Prenatal%20Visit/item/107#.Y7WRKofMKUl</a>.
---------------------------------------------------------------------------

    Many individuals and organizations commented on the proposal to 
clarify the definition of ``person.'' Organizational commenters, including 
professional associations representing health care providers, advocacy 
groups, and academic departments, generally supported the proposal. 
Several commenters applauded the proposed clarification because they 
believed it would limit disclosures of PHI in cases where no individual 
has been harmed.
    Most opponents of the proposed clarification were individuals 
participating in form letter campaigns who expressed concern that the 
proposal might diminish access to prenatal care. Others asserted that 
the proposed clarification would contradict or conflict with existing 
laws, such as mandatory reporting laws and Federal statutes that rely 
upon a different definition of ``person.''
    The final rule adopts the proposed clarification of the definition 
of person, to mean a ``natural person (meaning a human being who is 
born alive), trust or estate, partnership, corporation, professional 
association or corporation, or other entity, public or private.'' 
Therefore, an ``individual,'' ``child,'' or ``victim'' (e.g., a victim 
of crime) under the HIPAA Rules must be a natural person. As we 
explained in the 2023 Privacy Rule NPRM, this clarification is 
consistent with the SSA, HIPAA, and 1 U.S.C. 8. This clarification 
applies only to regulations issued pursuant to the Administrative 
Simplification provisions of HIPAA.\192\
---------------------------------------------------------------------------

    \192\ See 42 U.S.C. 1320d.
---------------------------------------------------------------------------

    This clarification is consistent with the Privacy Rule's 
longstanding definitions of ``person'' \193\ and ``individual,'' \194\ 
as applied to Privacy Rule provisions permitting certain types of 
reports or other disclosures of PHI. For example, a regulated entity is 
permitted to disclose PHI about an individual who the regulated entity 
reasonably believes to be a victim of abuse, neglect, or domestic 
violence only where the individual is a ``natural person.'' \195\ In 
addition, because a ``victim'' necessarily is a natural person, the 
permission to disclose PHI to avert a serious threat to health or 
safety at 45 CFR 164.512(j)(i) does not permit disclosures when the 
perceived threat does not involve the health or safety of a natural 
person or the public, or when an individual has not caused serious 
physical harm to a natural person.
---------------------------------------------------------------------------

    \193\ 45 CFR 160.103 (definition of ``Person''). The Department 
first defined the term ``person'' in the HIPAA Rules as part of the 
2003 Civil Money Penalties: Procedures for Investigations, 
Imposition of Penalties, and Hearings Interim Final Rule (2003 
Interim Final Rule) to distinguish a ``natural person'' who could 
testify in the context of administrative proceedings from an 
``entity'' (defined therein as a ``legal person'') on whose behalf a 
person would testify. See 45 CFR 160.502 of the 2003 Interim Final 
Rule, 68 FR 18895, 18898 (Apr. 17, 2003) (Person is defined to mean 
a natural person or a legal person).
    \194\ 45 CFR 160.103 (definition of ``Individual''). The 
definition of ``individual'' in the HIPAA Rules was first adopted in 
the 2000 Privacy Rule.
    \195\ See 45 CFR 164.512(c)(1). This provision explicitly 
excludes reports of child abuse, which are addressed by 45 CFR 
164.512(b)(1).
---------------------------------------------------------------------------

    Comment: Many organizational commenters expressed support for the 
proposal to clarify the definition of ``person.''
    One commenter stated that this clarification should prevent law 
enforcement from attempting to avoid the proposed prohibition. 
According to another commenter, this proposed clarification is crucial 
as stakeholders adapt to the current reproductive health landscape.
    Several commenters expressed support for the Department's proposal 
but requested additional clarifications. For example, one commenter 
recommended that the Department clarify whether the definition would 
preempt state laws.
    Response: We take the opportunity to emphasize here that the 
clarification only applies to the HIPAA Rules and explains certain 
terms that apply to the permissions for uses and disclosures of PHI by 
regulated entities. We do not believe it is necessary to further 
clarify the final regulatory text because the current definition 
remains unchanged other than to incorporate the plain wording of 1 
U.S.C. 8.
    Comment: A few commenters expressed opposition to the Department's 
proposed clarification of ``person'' as tantamount to eliminating legal 
protections for and recognition of categories of human beings based on 
developmental stage. Some commenters maintained that the proposed 
clarification of ``person'' was inaccurate.
    Several commenters opposed the proposed clarification of ``person'' 
because it would affect the provision of prenatal care.
    A few commenters asserted that the proposed clarification would 
prevent the collection of medical information about reproductive health 
care for

[[Page 32998]]

important purposes, such as public health and research.
    Response: We are clarifying the definition of person consistent 
with applicable Federal law only for the purpose of applying HIPAA's 
Administrative Simplification provisions. This clarification will not 
affect how the term ``person'' is applied for purposes of other laws, 
affect any rights or protections provided by any other law, or affect 
standards of health care, including prenatal care.
    This final rule does not affect the reporting of vital statistics, 
nor does it affect the ability of regulated entities to use and 
disclose PHI for research. The Privacy Rule's standards for uses and 
disclosures for public health surveillance, investigations, and 
interventions, or for health oversight activities, are discussed 
elsewhere.
    Comment: Several commenters requested additional clarifications to 
the Department's proposed clarification of ``person.'' A few commenters 
asserted that the proposed clarification would be overly expansive. 
Most of these same commenters disagreed with the Department's 
interpretation of 1 U.S.C. 8.\196\ Commenters asserted that the 
clarification was inconsistent or conflicted with other laws.
---------------------------------------------------------------------------

    \196\ 1 U.S.C. 8(a).
---------------------------------------------------------------------------

    Response: The clarified definition of person that we are finalizing 
in this rule does not change the Department's interpretation of the 
term or change definitions under other law, such as state law. It also 
is consistent with Federal law, including 1 U.S.C. 8, which 
specifically applies to Federal regulations, and other examples cited 
by commenters. For example, both GINA and the Privacy Rule protect the 
genetic information of a fetus carried by a pregnant individual as the 
PHI of the pregnant individual.\197\
---------------------------------------------------------------------------

    \197\ Public Law 110-2

[…truncated; see source link]
Indexed from Federal Register on April 26, 2024.
