
HHS Modifies Privacy Act System of Records

Summary

The Department of Health and Human Services (HHS) is modifying a Privacy Act system of records, System No. 09-90-0052, to include reporting on substance use disorder patient records. The comment period for these modifications ends on March 19, 2026.

What changed

The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is modifying an existing system of records, "Program Information Management System (PIMS)," System No. 09-90-0052. The system will be renamed "HHS Civil Rights and Health Information Privacy Program Records." The modifications specifically include records related to breaches of substance use disorder (SUD) patient records reported by programs subject to 42 CFR part 2, as well as complaints and compliance reviews involving potential violations of Part 2.

While the modifications are effective upon publication, HHS is providing a 30-day comment period, with comments due by March 19, 2026. Regulated entities, particularly those handling SUD patient records, should review the modified system of records notice and consider submitting comments if they have concerns or feedback regarding the inclusion of Part 2 records. No specific penalties for non-compliance with the comment period are mentioned, but timely submission is required for comments to be considered.

What to do next

  1. Review the modified System of Records Notice (SORN) for "HHS Civil Rights and Health Information Privacy Program Records."
  2. Submit comments on the modifications by March 19, 2026, if applicable.

Source document (simplified)

ACTION:

Notice of a modified system of records.

SUMMARY:

In accordance with the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is partially modifying
an existing system of records maintained by the Office for Civil Rights (OCR), “Program Information Management System (PIMS),”
System No. 09-90-0052. The modifications include changing the system of records name to “HHS Civil Rights and Health Information
Privacy Program Records” and affect only certain sections of the System of Records Notice (SORN), so HHS is not republishing
the SORN in full. The system of records contains records about individual members of the public who submit or are named or
otherwise involved in civil rights, conscience and religious freedom, and health information privacy-related complaints received
by and compliance reviews conducted by OCR, and individuals who submit reports to OCR about breaches of unsecured protected
health information (PHI) experienced by covered entities and business associates subject to the Health Insurance Portability
and Accountability Act (HIPAA) Privacy, Security, Breach Notification, and Enforcement Rules. OCR is modifying it to include
information that programs subject to 42 CFR part 2 (“Part 2”) (and, as applicable, a qualified service organization on a Part
2 program's behalf) report to the Secretary with respect to a breach of unsecured substance use disorder (SUD) patient records
maintained by a Part 2 program (“Part 2 records”) and complaints and compliance reviews involving potential violations of
Part 2.

DATES:

The modified system of records is effective upon publication, subject to a 30-day period in which to comment on the modifications.
Submit any comments by March 19, 2026.

ADDRESSES:

Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number [DOCKET ID]. Follow the instructions at http://www.regulations.gov for submitting electronic comments. Attachments should be in Microsoft Word or Portable Document Format (PDF).

Regular, Express, or Overnight Mail: You may mail written comments to the following address only: U.S. Department of Health and Human Services, Office for Civil
Rights, Attention: OCR PIMS SORN, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201.
Please allow sufficient time for mailed comments to be timely received in the event of delivery or security delays.

Please note that comments submitted by fax or email and those submitted after the comment period will not be accepted.

Inspection of Public Comments: All comments received by the accepted methods and due date specified above may be posted without change to content to https://www.regulations.gov, which may include personal information provided about the commenter, and such posting may occur after the closing of the comment
period. However, the Department may redact certain non-substantive content from comments or attachments to comments before
posting, including: threats, hate speech, profanity, sensitive health information, graphic images, promotional materials,
copyrighted materials, or individually identifiable information about a third-party individual other than the commenter. In
addition, comments or material designated as confidential or not to be disclosed to the public will not be accepted. Comments
may be redacted or rejected as described above without notice to the commenter, and the Department will not consider any redacted
or rejected content that would not be made available to the public as part of the administrative record.

Docket: For complete access to background documents or posted comments, go to https://www.regulations.gov and search for Docket ID number [DOCKET ID].

FOR FURTHER INFORMATION CONTACT:

General questions about the modified system of records may be submitted to Harold Henderson, Records Officer, Strategic Planning
Division, Office for Civil Rights, 200 Independence Ave. SW—Room 509F, Washington, DC 20201. Email address: OCRmail@hhs.gov.

SUPPLEMENTARY INFORMATION:

System of records 09-90-0052, being renamed “HHS Civil Rights and Health Information Privacy Program Records,” is used by
OCR staff and consists of an electronic repository of information and documents about individual members of the public who
submit or are named or otherwise involved in civil rights, conscience and religious freedom, and health information privacy-related
complaints received by and compliance reviews conducted by OCR and individuals who submit reports to OCR about breaches of
unsecured protected health information (PHI) experienced by HIPAA covered entities and their business associates. The scope
of individuals whose information is contained in OCR's repository includes, but is not limited to, those who meet the definition
of individuals in the Privacy Act or the HIPAA Rules; however, this system of records notice applies to individuals as defined
in the Privacy Act. OCR uses the system of records to manage documents and information related to OCR's civil rights and health
information privacy authorities and activities.

In February 2024, HHS published a final rule, Confidentiality of Substance Use Disorder (SUD) Patient Records, at 89 FR 12472 (Feb. 16, 2024), and in August 2025, the Secretary published a delegation
of civil enforcement authority for 42 CFR part 2 (Part 2) to OCR, at 90 FR 41833 (Aug. 27, 2025). This authority includes
the administration and enforcement of Part 2 requirements governing confidentiality of SUD patient records through, among
other activities, conducting complaint investigations and compliance reviews and collecting (and publicly posting, as applicable)
reports of breaches of unsecured Part 2 records. A Part 2 breach report form approved by OMB for collection of information
will be accessible from OCR's website at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html. This form must be filed through the HHS website. A Part 2 complaint form approved by OMB for collection of information will
be accessible from OCR's website at https://www.hhs.gov/ocr/complaints/index.html. Complaints may be filed through the HHS website, but are not required to be filed online.

The modifications made to system of records 09-90-0052 affect the following sections of the System of Records Notice (SORN),
as follows:

  • The Authority section is being revised to include U.S. Code cites for all Acts and Public Laws previously cited and to make other, minor revisions to those authorities; to add 42 U.S.C. 290dd-2 and 290dd-2 note as authority for maintenance of the “Part 2” records; and to cite these statutes (and one uncodified appropriations law), which were not previously cited in any manner, as additional authority for maintenance of other records: 8 U.S.C. 1522(a)(5); 22 U.S.C. 2151b(f) and 7631(d); 29 U.S.C. 669(a)(5); 34 U.S.C. 12161(g)(3) and (i); and 42 U.S.C. 238n, 280g-1(d), 290bb-36(f), 290ff-1(e)(2)(C), 290kk through 290kk-3, 300a-7, 300x-65, 604a, 1320a-1(h), 1320c-11, 1395i-5, 1395w-22(j)(3)(B), 1395x(e), 1395x(y)(1), 1395cc(f), 1396a(a), 1396(f), 1396s(c)(2)(B)(ii), 1396u-2(b)(3)(B), 1396a(w)(3), 1397j-1(b), 1996a(b)(1), 5106i(a), 6101-6107, 9849, 9858l, 9858n, 9920, and 14406(2).
  • The Purpose(s) section is being expanded to include collecting and posting on the HHS website information about breaches of Part 2 records affecting more than 500 individuals, developing an annual report to Congress regarding breach notification by Part 2 programs (and, as applicable, qualified service organizations on behalf of Part 2 programs), and providing technical assistance, training, and guidance materials regarding breaches of Part 2 records.
  • The Categories of Individuals section is being revised to add references to “Part 2 programs, lawful holders of Part 2 records, and other persons holding Part 2 records” and to remove OCR employees who use the system to record the status of their work, because if such records are considered to be about them instead of the agency they work for, the records would be covered in a SORN that covers HHS personnel records.
  • The Categories of Records section is being revised to remove an unnecessary statement about exemptions (which are addressed in the Exemptions section) and to add the following categories of records:
    • Information that Part 2 programs (or, as applicable, a qualified service organization on behalf of a Part 2 program) are required to provide to HHS to fulfill their breach notification requirements.
    • Information collected regarding a Part 2 complaint investigation or compliance review of a potential Part 2 violation.
  • In the Routine Uses section, routine uses I through IV are being revised for clarity, routine uses VII through IX are being revised to authorize disclosures of Part 2-related information to allow OCR to carry out the purposes described above, and routine uses X through XIII are unchanged but included for completeness.

Because some of these changes are significant, HHS provided advance notice of the modified system of records to the Office of Management and Budget and Congress as required by 5 U.S.C. 552a(r) and OMB Circular A-108.

Paula M. Stannard, Director, Office for Civil Rights.

SYSTEM NAME AND NUMBER:

HHS Civil Rights and Health Information Privacy Program Records, 09-90-0052.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The address of the agency component responsible for the system of records is the HHS Office for Civil Rights, 200 Independence
Ave. SW—Room 509F, Washington, DC 20201.

SYSTEM MANAGER(S):

Associate Deputy Director for Information Technology, Operations and Resources Division, Office for Civil Rights, 200 Independence
Ave. SW—Room 509F, Washington, DC 20201, Email: OCRmail@hhs.gov.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Authority for the collection, maintenance, and disclosures from this system is given under Title VI of the 1964 Civil Rights
Act (42 U.S.C. 2000d et seq.); secs. 245, 533, 542, 794, 855, 1947, and 1908 of the Public Health Service Act (42 U.S.C. 238n, 290cc-33, 290dd-1, 296g,
300x-57, and 300w-7, respectively); secs. 504 and 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794 and 794d); Title II
of the Americans with Disabilities Act of 1990 (42 U.S.C. 12131 et seq.); the Age Discrimination Act of 1975 (42 U.S.C. 6101-6107); the Equal Employment Opportunity Provisions of the Public Telecommunications
Financing Act of 1978 (47 U.S.C. 398(b)); Title VI and Title XVI of the Public Health Service Act (the “community services
obligation” of facilities funded under the Act) (42 U.S.C. 291 and 300); Title IX of the 1972 Education Amendments (20 U.S.C.
1681-1688); sec. 407 of the Drug Abuse Office and Treatment Act (42 U.S.C. 290ee-3); Section 321 of the Comprehensive Alcohol
Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 (42 U.S.C. 290dd-2(i)); sec. 508 of the Social
Security Act (42 U.S.C. 708); the Family Violence Prevention and Services Act (42 U.S.C. 10406); Child Care and Development
Block Grant Act of 1990 (42 U.S.C. 9858l and 9858n); Low-Income Home Energy Assistance Act of 1981 (42 U.S.C. 8625); sec.
1808 of the Small Business Job Protection Act of 1996 (42 U.S.C. 1996b); the Administrative Simplification Provisions of the
Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d through 1320d-8); the Confidentiality Provisions
of the Patient Safety and Quality Improvement Act of 2005 (42 U.S.C. 299b-21 through 299b-26); secs. 13401, 13402, 13404,
13405, 13406, 13408, 13410, and 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act (42
U.S.C. 17931, 17932, 17934, 17935, 17936, 17938, 17939, and 17940, respectively); sec. 543 of the Public Health Service Act,
as amended by sec. 3221 of the CARES Act (42 U.S.C. 290dd-2 and 290dd-2 note); sec. 401 of the Health Programs Extension Act
of 1973 (the “Church Amendments”) (42 U.S.C. 300a-7); sec. 507(d) of the Departments of Labor, Health and Human Services,
and Education, and Related Agencies Appropriations Act, 2024, Public Law 118-47, 138 Stat. 460, 703 (Mar. 23, 2024) as carried
forward by the Full-Year Continuing Appropriations and Extensions Act, 2025, Public Law 119-4, 139 Stat. 9 (Mar. 15, 2025)
(the “Weldon Amendment”); secs. 1553, 1557, 1303, and 1411 of the Patient Protection and Affordable
Care Act (42 U.S.C. 18113, 18116, 18023, and 18081, respectively); 42 U.S.C. 1395w-22(j)(3)(B), 1396u-2(b)(3)(B), 1395cc(f),
1396a(w)(3), and 14406(2) (Medicare and Medicaid conscience provisions); 42 U.S.C. 1320a-1(h), 1320c-11, 1395i-5, 1395x(e),
1395x(y)(1), 1396a(a), and 1397j-1(b) (conscience provisions related to Religious Nonmedical Health Care Institutions); 42
U.S.C. 1396f (conscience provisions related to compulsory health care services under Medicaid); 42 U.S.C. 5106i(a), 280g-1(d),
1396s(c)(2)(B)(ii), 290bb-36(f) and 29 U.S.C. 669(a)(5) (conscience protections related to compulsory health services); 22
U.S.C. 2151b(f) and 7631(d) (conscience protections for Global Health Programs); “Charitable Choice” Provisions (42 U.S.C.
9920 (Community Services Block Grant), 604a (Temporary Assistance for Needy Families), 300x-65 (Substance Use and Mental Health
Block Grants), and 290kk through 290kk-3 (Title V of the Public Health Services Act)); The Head Start Act (42 U.S.C. 9849);
Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5151); the Refugee Act of 1980 (8 U.S.C. 1522(a)(5));
the Community Schools Youth Services and Supervision Grant Program Act of 1994 (34 U.S.C. 12161(g)(3) and (i)); the ADAMHA
Reorganization Act (42 U.S.C. 290ff-1(e)(2)(C)); and the American Indian Religious Freedom Act (42 U.S.C. 1996a(b)(1)).

PURPOSE(S) OF THE SYSTEM:

The records are used by OCR staff to carry out OCR's civil rights and health information privacy responsibilities and are
maintained in an electronic repository of information and documents. The repository is a single, integrated system with enhanced
electronic storage, retrieval and tracking capacities that allows OCR to more effectively manage the information it collects.

The repository is designed to allow OCR to integrate all of OCR's various business processes, including all its compliance
activities, to allow for real time access and results reporting and other varied information management needs. It provides:
(1) A single, central, electronic repository of all significant OCR documents and information, including investigative files,
correspondence, administrative records, policy and procedure manuals and other documents and information developed or maintained
by OCR; (2) easy, robust capability to search all the information in OCR's repository; (3) better quality control at the front
end with simplified data entry and stronger data validation; and (4) tools to help staff work on and manage their casework.
The records are also used by OCR: (1) To collect, maintain, and post on the HHS website a list of covered entities and Part
2 programs that experience breaches of unsecured protected health information and unsecured Part 2 records affecting more
than 500 individuals using information reported to the Secretary by covered entities and Part 2 programs (or a business associate
or qualified service organization on behalf of a covered entity or Part 2 program, respectively) as required by section 13402(e)
of the HITECH Act and section 3221(h) of the CARES Act; (2) to develop an annual report to Congress, as required by section
13402(i) of the HITECH Act, regarding breach notification using information reported to the Secretary by covered entities
and Part 2 programs (or a business associate or qualified service organization on behalf of a covered entity or Part 2 program,
respectively) pursuant to section 13402(e) of the HITECH Act and section 3221(h) of the CARES Act; and (3) to educate entities
regulated under HIPAA and Part 2 on the measures needed to prevent future breaches and potential violations of the HIPAA Rules
and Part 2 by providing technical assistance, training, and guidance regarding complaint investigations, compliance reviews,
and reported breaches of protected health information and Part 2 records.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Covered individuals include persons who file complaints alleging discrimination or violation of their rights or other violations
under the statutes identified in the Authority section, above, and persons subject to laws administered and enforced by OCR
(e.g., covered entities, business associates, Part 2 programs, lawful holders of Part 2 records, other persons holding Part 2 records)
who are individuals as defined in the Privacy Act and not organizations or institutions, and are investigated by OCR as a
result of complaints filed or through compliance reviews conducted by OCR. Covered individuals also include persons who submit
correspondence to OCR related to other compliance activities (e.g., outreach and public education), and other correspondence unrelated to a complaint or compliance review and requiring responses
by OCR. Covered individuals also include covered entities and business associates, as defined in 45 CFR 160.103, and Part
2 programs (and, as applicable, qualified service organizations on behalf of Part 2 programs) who are individuals as defined
in the Privacy Act and report breaches of protected health information or Part 2 records by submitting a breach report through
the HHS website.

CATEGORIES OF RECORDS IN THE SYSTEM:

The system of records encompasses a variety of records having to do with civil rights-related and health information privacy-related
complaints, compliance reviews, correspondence, including reports of breaches of protected health information and Part 2 records.
Data elements contained in the records include, for example, individuals' names, Social Security numbers (SSN), tax identification
numbers (TIN), addresses, dates of birth, provider names and addresses, physicians' names, prescriber identification numbers,
assigned provider numbers (facility, referring/servicing physician), and/or other identification numbers of HIPAA covered
entities, business associates, Part 2 programs (and, as applicable, qualified service organizations on behalf of Part 2 programs),
lawful holders of Part 2 records, and other persons holding Part 2 records. The complaint and compliance review files and
log include complaint allegations, breach reporting, information gathered during the investigation, findings and results of
the investigation, and correspondence relating to the investigation, as well as status information for all investigations.

RECORD SOURCE CATEGORIES:

Information is provided by complainants, covered entities, business associates, Part 2 programs, qualified service organizations,
lawful holders of Part 2 records, and other persons holding Part 2 records.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

The routine uses are revised to read as follows:

I. The first routine use for this system, permitting disclosure to a congressional office, allows subject individuals to obtain
assistance from their representatives in Congress, should they so desire. Such disclosure would be made only pursuant to the
request of, and on behalf of, the individual.

II. The second routine use allows disclosure of records to the Department of Justice (DOJ) or to a court or other adjudicative
body in litigation or other proceedings when any of the following is a party to or has a direct and
substantial interest in the proceeding and the disclosure of such records is deemed by HHS to be relevant and necessary to
the proceeding: (a) HHS or any component thereof, or another agency participating in joint or related enforcement activities
(e.g., Department of Education, Department of Labor); (b) any employee of HHS or of another participating agency in the employee's
official capacity; (c) any employee of HHS in the employee's individual capacity where the DOJ, HHS, or participating agency
has agreed to represent the employee; or (d) the United States.

III. The third routine use allows the following: Where a record, either alone or in conjunction with other information, indicates
a violation or potential violation of law—criminal, civil, or regulatory in nature—the relevant records may be referred to
the appropriate federal, state, local, territorial, or tribal law enforcement authority or other appropriate entity charged
with the responsibility for investigating or prosecuting such violation or charged with enforcing or implementing such law.

IV. The fourth routine use allows disclosure of records to HHS contractors for the purpose of internal processing and maintaining
quality control of records in the system.

V. The fifth routine use allows records to be disclosed to student volunteers, persons working under a personal services contract,
and other persons performing functions for the Department but technically not having the status of agency employees, if they
need access to the records in order to perform their assigned agency functions.

VI. The sixth routine use allows referrals of Age Discrimination Act complaints to the Federal Mediation and Conciliation
Service (FMCS) for purposes of mediation.

VII. The seventh routine use allows OCR to post on its website, as required by section 13402(e)(4) of the HITECH Act, information
reported by a covered entity (or a business associate on behalf of a covered entity) to the Secretary pursuant to section
13402(e)(3) of the HITECH Act that identifies covered entities that experience breaches of unsecured protected health information
affecting more than 500 individuals. This routine use also allows OCR to post on its website, as required by section 3221(h)
of the CARES Act, information reported by a Part 2 program (or a qualified service organization on behalf of a Part 2 program),
to the Secretary pursuant to section 3221(h) of the CARES Act, that identifies Part 2 programs that experience breaches of
unsecured Part 2 records affecting more than 500 individuals. Information made public will be limited to information that
HHS would be required to release to a requester under the Freedom of Information Act (FOIA); meaning, information that would
not result in an unwarranted invasion of personal privacy.

VIII. The eighth routine use allows OCR to include information that identifies subject individuals, when this would not result
in an unwarranted invasion of personal privacy, in OCR's annual report to Congress regarding breaches of unsecured protected
health information and unsecured Part 2 records, as required by section 13402(i) of the HITECH Act and section 3221(h) of
the CARES Act.

IX. The ninth routine use allows OCR to disclose information regarding complaint investigations, compliance reviews, and reported
breaches of unsecured protected health information and unsecured Part 2 records to the public and to appropriate Federal entities
and Department contractors as necessary for OCR to provide technical assistance, training, and guidance materials, as applicable,
to Congress, Federal agencies, entities subject to HIPAA or Part 2, and consumers, after OCR determines that the disclosure
would not constitute an unwarranted invasion of personal privacy.

X. The tenth routine use allows OCR to disclose information to appropriate agencies, entities, and persons when (1) HHS suspects
or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected
or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations),
the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably
necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize,
or remedy such harm.

XI. The eleventh routine use allows OCR to disclose information to HHS contractors to investigate violations and potential
violations, as well as to conduct compliance reviews, of the Federal laws and regulations that OCR has legal authority to
enforce.

XII. The twelfth routine use allows OCR to disclose relevant information to the public to inform the public of the results
of investigations and compliance reviews of the Federal laws and regulations that OCR has legal authority to enforce, after
OCR determines that the disclosure would not constitute an unwarranted invasion of personal privacy.

XIII. The thirteenth routine use allows OCR to disclose information to another Federal agency or Federal entity, when HHS
determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in
(1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals,
the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national
security, resulting from a suspected or confirmed breach.

HISTORY:

75 FR 18841 (Apr. 13, 2010), updated at 83 FR 6591 (Feb. 14, 2018).

[FR Doc. 2026-03003 Filed 2-12-26; 4:15 pm] BILLING CODE 4153-01-P

Classification

Agency: HHS
Compliance deadline: March 19th, 2026
Instrument: Notice
Legal weight: Binding
Stage: Final
Change scope: Minor

Who this affects

Applies to: Healthcare providers
Geographic scope: National (US)

Taxonomy

Primary area: Healthcare
Operational domain: Compliance
Topics: Data Privacy, Public Health