Privacy Act of 1974; System of Records

Issuing agencies

Abstract

In accordance with the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is partially modifying an existing system of records maintained by the Office for Civil Rights (OCR), "Program Information Management System (PIMS)," System No. 09- 90-0052. The modifications include changing the system of records name to "HHS Civil Rights and Health Information Privacy Program Records" and affect only certain sections of the System of Records Notice (SORN), so HHS is not republishing the SORN in full. The system of records contains records about individual members of the public who submit or are named or otherwise involved in civil rights, conscience and religious freedom, and health information privacy-related complaints received by and compliance reviews conducted by OCR, and individuals who submit reports to OCR about breaches of unsecured protected health information (PHI) experienced by covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Breach Notification, and Enforcement Rules. OCR is modifying it to include information that programs subject to 42 CFR part 2 ("Part 2") (and, as applicable, a qualified service organization on a Part 2 program's behalf) report to the Secretary with respect to a breach of unsecured substance use disorder (SUD) patient records maintained by a Part 2 program ("Part 2 records") and complaints and compliance reviews involving potential violations of Part 2.

Full Text

<html>
<head>
<title>Federal Register, Volume 91 Issue 31 (Tuesday, February 17, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 31 (Tuesday, February 17, 2026)]
[Notices]
[Pages 7291-7294]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-03003]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records

AGENCY: Office for Civil Rights (OCR), Department of Health and Human 
Services (HHS).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended, the 
Department of Health and Human Services (HHS) is partially modifying an 
existing system of records maintained by the Office for Civil Rights 
(OCR), ``Program Information Management System (PIMS),'' System No. 09-
90-0052. The modifications include changing the system of records name 
to ``HHS Civil Rights and Health Information Privacy Program Records'' 
and affect only certain sections of the System of Records Notice 
(SORN), so HHS is not republishing the SORN in full. The system of 
records contains records about individual members of the public who 
submit or are named or otherwise involved in civil rights, conscience 
and religious freedom, and health information privacy-related 
complaints received by and compliance reviews conducted by OCR, and 
individuals who submit reports to OCR about breaches of unsecured 
protected health information (PHI) experienced by covered entities and 
business associates subject to the Health Insurance Portability and 
Accountability Act (HIPAA) Privacy, Security, Breach Notification, and 
Enforcement Rules. OCR is modifying it to include information that 
programs subject to 42 CFR part 2 (``Part 2'') (and, as applicable, a 
qualified service organization on a Part 2 program's behalf) report to 
the Secretary with respect to a breach of unsecured substance use 
disorder (SUD) patient records maintained by a Part 2 program (``Part 2 
records'') and complaints and compliance reviews involving potential 
violations of Part 2.

DATES: The modified system of records is effective upon publication, 
subject to a 30-day period in which to comment on the modifications. 
Submit any comments by March 19, 2026.

ADDRESSES: 
    <bullet> Federal eRulemaking Portal: You may submit electronic 
comments at <a href="http://www.regulations.gov">http://www.regulations.gov</a> by searching for the Docket ID 
number [DOCKET ID]. Follow the instructions at <a href="http://www.regulations.gov">http://www.regulations.gov</a> for submitting electronic comments. Attachments 
should be in Microsoft Word or Portable Document Format (PDF).
    <bullet> Regular, Express, or Overnight Mail: You may mail written 
comments to the following address only: U.S. Department of Health and 
Human Services, Office for Civil Rights, Attention: OCR PIMS SORN, 
Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, 
Washington, DC 20201. Please allow sufficient time for mailed comments 
to be timely received in the event of delivery or security delays.
    Please note that comments submitted by fax or email and those 
submitted after the comment period will not be accepted.
    Inspection of Public Comments: All comments received by the 
accepted methods and due date specified above may be posted without 
change to content to <a href="https://www.regulations.gov">https://www.regulations.gov</a>, which may include 
personal information provided about the commenter, and such posting may 
occur after the closing of the comment period. However, the Department 
may redact certain non-substantive content from comments or attachments 
to comments before posting, including: threats, hate speech, profanity, 
sensitive health information, graphic images, promotional materials, 
copyrighted materials, or individually identifiable information about a 
third-party individual other than the commenter. In addition, comments 
or material designated as confidential or not to be disclosed to the 
public will not be accepted. Comments may be redacted or rejected as 
described above without notice to the commenter, and the Department 
will not consider any redacted or rejected content that would not be 
made available to the public as part of the administrative record.
    Docket: For complete access to background documents or posted 
comments, go to <a href="https://www.regulations.gov">https://www.regulations.gov</a> and search for Docket ID 
number [DOCKET ID].

FOR FURTHER INFORMATION CONTACT: General questions about the modified 
system of records may be submitted to Harold Henderson, Records 
Officer, Strategic Planning Division, Office for Civil Rights, 200 
Independence Ave. SW--Room 509F, Washington, DC 20201. Email address: 
<a href="/cdn-cgi/l/email-protection#ce818d9ca3afa7a28ea6a6bde0a9a1b8"><span class="__cf_email__" data-cfemail="94dbd7c6f9f5fdf8d4fcfce7baf3fbe2">[email&#160;protected]</span></a>.

SUPPLEMENTARY INFORMATION: System of records 09-90-0052, being renamed 
``HHS Civil Rights and Health Information Privacy Program Records,'' is 
used by OCR staff and consists of an electronic repository of 
information and documents about individual members of the public who 
submit or are named or otherwise involved in civil rights, conscience 
and religious freedom, and health information privacy-related 
complaints received by and compliance reviews conducted by OCR and 
individuals who submit reports to OCR about breaches of unsecured 
protected health information (PHI) experienced by HIPAA covered 
entities and their business associates. The scope of individuals whose 
information is contained in OCR's repository includes, but is not 
limited to, those who meet the definition of individuals in the Privacy 
Act or the HIPAA Rules; however, this system of records notice applies 
to individuals as defined in the Privacy Act. OCR uses the system of 
records to manage documents and information related to OCR's civil 
rights and health information privacy authorities and activities.
    In February 2024, HHS published a final rule, Confidentiality of 
Substance

[[Page 7292]]

Use Disorder (SUD) Patient Records, at 89 FR 12472 (Feb. 16, 2024), and 
in August 2025, the Secretary published a delegation of civil 
enforcement authority for 42 CFR part 2 (Part 2) to OCR, at 90 FR 41833 
(Aug. 27, 2025). This authority includes the administration and 
enforcement of Part 2 requirements governing confidentiality of SUD 
patient records through, among other activities, conducting complaint 
investigations and compliance reviews and collecting (and publicly 
posting, as applicable) reports of breaches of unsecured Part 2 
records. A Part 2 breach report form approved by OMB for collection of 
information will be accessible from OCR's website at <a href="https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html">https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html</a>. 
This form must be filed through the HHS website. A Part 2 complaint 
form approved by OMB for collection of information will be accessible 
from OCR's website at <a href="https://www.hhs.gov/ocr/complaints/index.html">https://www.hhs.gov/ocr/complaints/index.html</a>. 
Complaints may be filed through the HHS website, but are not required 
to be filed online.
    The modifications made to system of records 09-90-0052 affect the 
following sections of the System of Records Notice (SORN), as follows:
    <bullet> The Authority section is being revised to include U.S. 
Code cites for all Acts and Public Laws previously cited and to make 
other, minor revisions to those authorities; to add 42 U.S.C. 290dd-2 
and 290dd-2 note as authority for maintenance of the ``Part 2'' 
records; and to cite these statutes (and one uncodified appropriations 
law), which were not previously cited in any manner, as additional 
authority for maintenance of other records: 8 U.S.C. 1522(a)(5); 22 
U.S.C. 2151b(f) and 7631(d); 29 U.S.C. 669(a)(5); 34 U.S.C. 12161(g)(3) 
and (i); and 42 U.S.C. 238n, 280g-1(d), 290bb-36(f), 290ff-1(e)(2)(C), 
290kk through 290kk-3, 300a-7, 300x-65, 604a, 1320a-1(h), 1320c-11, 
1395i-5, 1395w-22(j)(3)(B), 1395x(e), 1395x(y)(1), 1395cc(f), 1396a(a), 
1396(f), 1396s(c)(2)(B)(ii), 1396u-2(b)(3)(B), 1396a(w)(3), 1397j-1(b), 
1996a(b)(1), 5106i(a), 6101-6107, 9849, 9858l, 9858n, 9920, and 
14406(2).
    <bullet> The Purpose(s) section is being expanded to include 
collecting and posting on the HHS website information about breaches of 
Part 2 records affecting more than 500 individuals, developing an 
annual report to Congress regarding breach notification by Part 2 
programs (and, as applicable, qualified service organizations on behalf 
of Part 2 programs), and providing technical assistance, training, and 
guidance materials regarding breaches of Part 2 records.
    <bullet> The Categories of Individuals section is being revised to 
add references to ``Part 2 programs, lawful holders of Part 2 records, 
and other persons holding Part 2 records'' and to remove OCR employees 
who use the system to record the status of their work, because if such 
records are considered to be about them instead of the agency they work 
for, the records would be covered in a SORN that covers HHS personnel 
records.
    <bullet> The Categories of Records section is being revised to 
remove an unnecessary statement about exemptions (which are addressed 
in the Exemptions section) and to add the following categories of 
records:
    1. Information that Part 2 programs (or, as applicable, a qualified 
service organization on behalf of a Part 2 program) are required to 
provide to HHS to fulfill their breach notification requirements.
    2. Information collected regarding a Part 2 complaint investigation 
or compliance review of a potential Part 2 violation.
    <bullet> In the Routine Uses section, routine uses I through IV are 
being revised for clarity, routine uses VII through IX are being 
revised to authorize disclosures of Part 2-related information to allow 
OCR to carry out the purposes described above, and routine uses X 
through XIII are unchanged but included for completeness.
    Because some of these changes are significant, HHS provided advance 
notice of the modified system of records to the Office of Management 
and Budget and Congress as required by 5 U.S.C. 552a(r) and OMB 
Circular A-108.

Paula M. Stannard,
Director, Office for Civil Rights.

SYSTEM NAME AND NUMBER:
    HHS Civil Rights and Health Information Privacy Program Records, 
09-90-0052.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the agency component responsible for the system of 
records is the HHS Office for Civil Rights, 200 Independence Ave. SW--
Room 509F, Washington, DC 20201.

SYSTEM MANAGER(S):
    Associate Deputy Director for Information Technology, Operations 
and Resources Division, Office for Civil Rights, 200 Independence Ave. 
SW--Room 509F, Washington, DC 20201, Email: <a href="/cdn-cgi/l/email-protection#80cfc3d2ede1e9ecc0e8e8f3aee7eff6"><span class="__cf_email__" data-cfemail="7e313d2c131f17123e16160d50191108">[email&#160;protected]</span></a>.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for the collection, maintenance, and disclosures from 
this system is given under Title VI of the 1964 Civil Rights Act (42 
U.S.C. 2000d et seq.); secs. 245, 533, 542, 794, 855, 1947, and 1908 of 
the Public Health Service Act (42 U.S.C. 238n, 290cc-33, 290dd-1, 296g, 
300x-57, and 300w-7, respectively); secs. 504 and 508 of the 
Rehabilitation Act of 1973 (29 U.S.C. 794 and 794d); Title II of the 
Americans with Disabilities Act of 1990 (42 U.S.C. 12131 et seq.); the 
Age Discrimination Act of 1975 (42 U.S.C. 6101-6107); the Equal 
Employment Opportunity Provisions of the Public Telecommunications 
Financing Act of 1978 (47 U.S.C. 398(b)); Title VI and Title XVI of the 
Public Health Service Act (the ``community services obligation'' of 
facilities funded under the Act) (42 U.S.C. 291 and 300); Title IX of 
the 1972 Education Amendments (20 U.S.C. 1681-1688); sec. 407 of the 
Drug Abuse Office and Treatment Act (42 U.S.C. 290ee-3); Section 321 of 
the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, 
and Rehabilitation Act of 1970 (42 U.S.C. 290dd-2(i)); sec. 508 of the 
Social Security Act (42 U.S.C. 708); the Family Violence Prevention and 
Services Act (42 U.S.C. 10406); Child Care and Development Block Grant 
Act of 1990 (42 U.S.C. 9858l and 9858n); Low-Income Home Energy 
Assistance Act of 1981 (42 U.S.C. 8625); sec. 1808 of the Small 
Business Job Protection Act of 1996 (42 U.S.C. 1996b); the 
Administrative Simplification Provisions of the Health Insurance 
Portability and Accountability Act of 1996 (42 U.S.C. 1320d through 
1320d-8); the Confidentiality Provisions of the Patient Safety and 
Quality Improvement Act of 2005 (42 U.S.C. 299b-21 through 299b-26); 
secs. 13401, 13402, 13404, 13405, 13406, 13408, 13410, and 13411 of the 
Health Information Technology for Economic and Clinical Health (HITECH) 
Act (42 U.S.C. 17931, 17932, 17934, 17935, 17936, 17938, 17939, and 
17940, respectively); sec. 543 of the Public Health Service Act, as 
amended by sec. 3221 of the CARES Act (42 U.S.C. 290dd-2 and 290dd-2 
note); sec. 401 of the Health Programs Extension Act of 1973 (the 
``Church Amendments'') (42 U.S.C. 300a-7); sec. 507(d) of the 
Departments of Labor, Health and Human Services, and Education, and 
Related Agencies Appropriations Act, 2024, Public Law. 118-47, 138 
Stat. 460, 703 (Mar. 23, 2024) as carried forward by the Full-Year 
Continuing Appropriations and Extensions Act, 2025, Public Law 119-

[[Page 7293]]

4, 139 Stat. 9 (Mar. 15, 2025) (the ``Weldon Amendment''); secs. 1553, 
1557, 1303, and 1411 of the Patient Protection and Affordable Care Act 
(42 U.S.C. 18113, 18116, 18023, and 18081, respectively); 42 U.S.C. 
1395w-22(j)(3)(B), 1396u-2(b)(3)(B), 1395cc(f), 1396a(w)(3), and 
14406(2) (Medicare and Medicaid conscience provisions); 42 U.S.C. 
1320a-1(h), 1320c-11, 1395i-5, 1395x(e), 1395x(y)(1), 1396a(a), and 
1397j-1(b) (conscience provisions related to Religious Nonmedical 
Health Care Institutions); 42 U.S.C. 1396f (conscience provisions 
related to compulsory health care services under Medicaid); 42 U.S.C. 
5106i(a), 280g-1(d), 1396s(c)(2)(B)(ii), 290bb-36(f) and 29 U.S.C. 
669(a)(5) (conscience protections related to compulsory health 
services); 22 U.S.C. 2151b(f) and 7631(d) (conscience protections for 
Global Health Programs); ``Charitable Choice'' Provisions (42 U.S.C. 
9920 (Community Services Block Grant), 604a (Temporary Assistance for 
Needy Families), 300x-65 (Substance Use and Mental Health Block 
Grants), and 290kk through 290kk-3 (Title V of the Public Health 
Services Act); The Head Start Act (42 U.S.C. 9849); Robert T. Stafford 
Disaster Relief and Emergency Assistance Act (42 U.S.C. 5151); the 
Refugee Act of 1980 (8 U.S.C. 1522(a)(5)); the Community Schools Youth 
Services and Supervision Grant Program Act of 1994 (34 U.S.C. 
12161(g)(3) and (i)); the ADAMHA Reorganization Act (42 U.S.C. 290ff-
1(e)(2)(C)); and the American Indian Religious Freedom Act (42 U.S.C. 
1996a(b)(1)).

PURPOSE(S) OF THE SYSTEM:
    The records are used by OCR staff to carry out OCR's civil rights 
and health information privacy responsibilities and are maintained in 
an electronic repository of information and documents. The repository 
is a single, integrated system with enhanced electronic storage, 
retrieval and tracking capacities that allows OCR to more effectively 
manage the information it collects.
    The repository is designed to allow OCR to integrate all of OCR's 
various business processes, including all its compliance activities, to 
allow for real time access and results reporting and other varied 
information management needs. It provides: (1) A single, central, 
electronic repository of all significant OCR documents and information, 
including investigative files, correspondence, administrative records, 
policy and procedure manuals and other documents and information 
developed or maintained by OCR; (2) easy, robust capability to search 
all the information in OCR's repository; (3) better quality control at 
the front end with simplified data entry and stronger data validation; 
and (4) tools to help staff work on and manage their casework. The 
records are also used by OCR: (1) To collect, maintain, and post on the 
HHS website a list of covered entities and Part 2 programs that 
experience breaches of unsecured protected health information and 
unsecured Part 2 records affecting more than 500 individuals using 
information reported to the Secretary by covered entities and Part 2 
programs (or a business associate or qualified service organization on 
behalf of a covered entity or Part 2 program, respectively) as required 
by section 13402(e) of the HITECH Act and section 3221(h) of the CARES 
Act; (2) to develop an annual report to Congress, as required by 
section 13402(i) of the HITECH Act, regarding breach notification using 
information reported to the Secretary by covered entities and Part 2 
programs (or a business associate or qualified service organization on 
behalf of a covered entity or Part 2 program, respectively) pursuant to 
section 13402(e) of the HITECH Act and section 3221(h) of the CARES 
Act; and (3) educate entities regulated under HIPAA and Part 2 on the 
measures needed to prevent future breaches and potential violations of 
the HIPAA Rules and Part 2 by providing technical assistance, training, 
and guidance regarding complaint investigations, compliance reviews, 
and reported breaches of protected health information and Part 2 
records.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Covered individuals include persons who file complaints alleging 
discrimination or violation of their rights or other violations under 
the statutes identified in the Authority section, above, and persons 
subject to laws administered and enforced by OCR (e.g., covered 
entities, business associates, Part 2 programs, lawful holders of Part 
2 records, other persons holding Part 2 records) who are individuals as 
defined in the Privacy Act and not organizations or institutions, and 
are investigated by OCR as a result of complaints filed or through 
compliance reviews conducted by OCR. Covered individuals also include 
persons who submit correspondence to OCR related to other compliance 
activities (e.g., outreach and public education), and other 
correspondence unrelated to a complaint or compliance review and 
requiring responses by OCR. Covered individuals also include covered 
entities and business associates, as defined in 45 CFR 160.103, and 
Part 2 programs (and, as applicable, qualified service organizations on 
behalf of Part 2 programs) who are individuals as defined in the 
Privacy Act and report breaches of protected health information or Part 
2 records by submitting a breach report through the HHS website..

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system of records encompasses a variety of records having to do 
with civil rights-related and health information privacy-related 
complaints, compliance reviews, correspondence, including reports of 
breaches of protected health information and Part 2 records. Data 
elements contained in the records include, for example, individuals' 
names, Social Security numbers (SSN), tax identification numbers (TIN), 
addresses, dates of birth, provider names and addresses, physicians' 
names, prescriber identification numbers, assigned provider numbers 
(facility, referring/servicing physician), and/or other identification 
numbers of HIPAA covered entities, business associates, Part 2 programs 
(and, as applicable, qualified service organizations on behalf of Part 
2 programs), lawful holders of Part 2 records, and other persons 
holding Part 2 records. The complaint and compliance review files and 
log include complaint allegations, breach reporting, information 
gathered during the investigation, findings and results of the 
investigation, and correspondence relating to the investigation, as 
well as status information for all investigations.

RECORD SOURCE CATEGORIES:
    Information is provided by complainants, covered entities, business 
associates, Part 2 programs, qualified service organizations, lawful 
holders of Part 2 records, and other persons holding Part 2 records.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    The routine uses are revised to read as follows:
    I. The first routine use for this system, permitting disclosure to 
a congressional office, allows subject individuals to obtain assistance 
from their representatives in Congress, should they so desire. Such 
disclosure would be made only pursuant to the request of, and on behalf 
of, the individual.
    II. The second routine use allows disclosure of records to the 
Department of Justice (DOJ) or to a court or other adjudicative body in 
litigation or other proceedings when any of the following is a party to 
or has a direct and

[[Page 7294]]

substantial interest in the proceeding and the disclosure of such 
records is deemed by HHS to be relevant and necessary to the 
proceeding: (a) HHS or any component thereof, or another agency 
participating in joint or related enforcement activities (e.g., 
Department of Education, Department of Labor); (b) any employee of HHS 
or of another participating agency in the employee's official capacity; 
(c) any employee of HHS in the employee's individual capacity where the 
DOJ, HHS, or participating agency has agreed to represent the employee; 
or (d) the United States.
    III. The third routine use allows the following: Where a record, 
either alone or in conjunction with other information, indicates a 
violation or potential violation of law--criminal, civil, or regulatory 
in nature--the relevant records may be referred to the appropriate 
federal, state, local, territorial, or tribal law enforcement authority 
or other appropriate entity charged with the responsibility for 
investigating or prosecuting such violation or charged with enforcing 
or implementing such law. IV. The fourth routine use allows disclosure 
of records to HHS contractors for the purpose of internal processing 
and maintaining quality control of records in the system.
    V. The fifth routine use allows records to be disclosed to student 
volunteers, persons working under a personal services contract, and 
other persons performing functions for the Department but technically 
not having the status of agency employees, if they need access to the 
records in order to perform their assigned agency functions.
    VI. The sixth routine use allows referrals of Age Discrimination 
Act complaints to the Federal Mediation and Conciliation Service (FMCS) 
for purposes of mediation.
    VII. The seventh routine use allows OCR to post on its website, as 
required by section 13402(e)(4) of the HITECH Act, information reported 
by a covered entity (or a business associate on behalf of a covered 
entity) to the Secretary pursuant to section 13402(e)(3) of the HITECH 
Act that identifies covered entities that experience breaches of 
unsecured protected health information affecting more than 500 
individuals. This routine use also allows OCR to post on its website, 
as required by section 3221(h) of the CARES Act, information reported 
by a Part 2 program (or a qualified service organization on behalf of a 
Part 2 program), to the Secretary pursuant to section 3221(h) of the 
CARES Act, that identifies Part 2 programs that experience breaches of 
unsecured Part 2 records affecting more than 500 individuals. 
Information made public will be limited to information that HHS would 
be required to release to a requester under the Freedom of Information 
Act (FOIA); meaning, information that would not result in an 
unwarranted invasion of personal privacy.
    VIII. The eighth routine use allows OCR to include information that 
identifies subject individuals, when this would not result in an 
unwarranted invasion of personal privacy, in OCR's annual report to 
Congress regarding breaches of unsecured protected health information 
and unsecured Part 2 records, as required by section 13402(i) of the 
HITECH Act and section 3221(h) of the CARES Act.
    IX. The ninth routine use allows OCR to disclose information 
regarding complaint investigations, compliance reviews, and reported 
breaches of unsecured protected health information and unsecured Part 2 
records to the public and to appropriate Federal entities and 
Department contractors as necessary for OCR to provide technical 
assistance, training, and guidance materials, as applicable, to 
Congress, Federal agencies, entities subject to HIPAA or Part 2, and 
consumers, after OCR determines that the disclosure would not 
constitute an unwarranted invasion of personal privacy.
    X. The tenth routine use allows OCR to disclose information to 
appropriate agencies, entities, and persons when (1) HHS suspects or 
has confirmed that there has been a breach of the system of records; 
(2) HHS has determined that as a result of the suspected or confirmed 
breach there is a risk of harm to individuals, HHS (including its 
information systems, programs, and operations), the Federal Government, 
or national security; and (3) the disclosure made to such agencies, 
entities, and persons is reasonably necessary to assist in connection 
with HHS's efforts to respond to the suspected or confirmed breach or 
to prevent, minimize, or remedy such harm.
    XI. The eleventh routine use allows OCR to disclose information to 
HHS contractors to investigate violations and potential violations, as 
well as to conduct compliance reviews, of the Federal laws and 
regulations that OCR has legal authority to enforce.
    XII. The twelfth routine use allows OCR to disclose relevant 
information to the public to inform the public of the results of 
investigations and compliance reviews of the Federal laws and 
regulations that OCR has legal authority to enforce, after OCR 
determines that the disclosure would not constitute an unwarranted 
invasion of personal privacy.
    XIII. The thirteenth routine use allows OCR to disclose information 
to another Federal agency or Federal entity, when HHS determines that 
information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.

HISTORY:
    75 FR 18841 (Apr. 13, 2010), updated at 83 FR 6591 (Feb. 14, 2018).

[FR Doc. 2026-03003 Filed 2-12-26; 4:15 pm]
BILLING CODE 4153-01-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>