
Code · REGISTER · 2026-02-17 · Office for Civil Rights (OCR), Department of Health and Human Services (HHS) · Rules and Regulations

Rules and Regulations. Notice of a modified system of records


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Agency: Office for Civil Rights (OCR), Department of Health and Human Services (HHS)
Action: Notice of a modified system of records
Citation: FR Doc. 2026-03003

Summary

In accordance with the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is partially modifying an existing system of records maintained by the Office for Civil Rights (OCR), “Program Information Management System (PIMS),” System No. 09-90-0052. The modifications include changing the system of records name to “HHS Civil Rights and Health Information Privacy Program Records” and affect only certain sections of the System of Records Notice (SORN), so HHS is not republishing the SORN in full. The system of records contains records about individual members of the public who submit or are named or otherwise involved in civil rights, conscience and religious freedom, and health information privacy-related complaints received by and compliance reviews conducted by OCR, and individuals who submit reports to OCR about breaches of unsecured protected health information (PHI) experienced by covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Breach Notification, and Enforcement Rules. OCR is modifying it to include information that programs subject to 42 CFR part 2 (“Part 2”) (and, as applicable, a qualified service organization on a Part 2 program's behalf) report to the Secretary with respect to a breach of unsecured substance use disorder (SUD) patient records maintained by a Part 2 program (“Part 2 records”) and complaints and compliance reviews involving potential violations of Part 2.

Dates

The modified system of records is effective upon publication, subject to a 30-day period in which to comment on the modifications. Submit any comments by March 19, 2026.

Supplementary Information

System of records 09-90-0052, being renamed “HHS Civil Rights and Health Information Privacy Program Records,” is used by OCR staff and consists of an electronic repository of information and documents about individual members of the public who submit or are named or otherwise involved in civil rights, conscience and religious freedom, and health information privacy-related complaints received by and compliance reviews conducted by OCR and individuals who submit reports to OCR about breaches of unsecured protected health information (PHI) experienced by HIPAA covered entities and their business associates. The scope of individuals whose information is contained in OCR's repository includes, but is not limited to, those who meet the definition of individuals in the Privacy Act or the HIPAA Rules; however, this system of records notice applies to individuals as defined in the Privacy Act. OCR uses the system of records to manage documents and information related to OCR's civil rights and health information privacy authorities and activities. In February 2024, HHS published a final rule, Confidentiality of Substance Use Disorder (SUD) Patient Records, at 89 FR 12472 (Feb. 16, 2024), and in August 2025, the Secretary published a delegation of civil enforcement authority for 42 CFR part 2 (Part 2) to OCR, at 90 FR 41833 (Aug. 27, 2025). This authority includes the administration and enforcement of Part 2 requirements governing confidentiality of SUD patient records through, among other activities, conducting complaint investigations and compliance reviews and collecting (and publicly posting, as applicable) reports of breaches of unsecured Part 2 records. A Part 2 breach report form approved by OMB for collection of information will be accessible from OCR's website at . This form must be filed through the HHS website. A Part 2 complaint form approved by OMB for collection of information will be accessible from OCR's website at . 
Complaints may be filed through the HHS website, but are not required to be filed online.

The modifications made to system of records 09-90-0052 affect the following sections of the System of Records Notice (SORN), as follows:

• The Authority section is being revised to include U.S. Code cites for all Acts and Public Laws previously cited and to make other, minor revisions to those authorities; to add 42 U.S.C. 290dd-2 and 290dd-2 note as authority for maintenance of the “Part 2” records; and to cite these statutes (and one uncodified appropriations law), which were not previously cited in any manner, as additional authority for maintenance of other records: 8 U.S.C. 1522(a)(5); 22 U.S.C. 2151b(f) and 7631(d); 29 U.S.C. 669(a)(5); 34 U.S.C. 12161(g)(3) and (i); and 42 U.S.C. 238n, 280g-1(d), 290bb-36(f), 290ff-1(e)(2)(C), 290kk through 290kk-3, 300a-7, 300x-65, 604a, 1320a-1(h), 1320c-11, 1395i-5, 1395w-22(j)(3)(B), 1395x(e), 1395x(y)(1), 1395cc(f), 1396a(a), 1396(f), 1396s(c)(2)(B)(ii), 1396u-2(b)(3)(B), 1396a(w)(3), 1397j-1(b), 1996a(b)(1), 5106i(a), 6101-6107, 9849, 9858l, 9858n, 9920, and 14406(2).
• The Purpose(s) section is being expanded to include collecting and posting on the HHS website information about breaches of Part 2 records affecting more than 500 individuals, developing an annual report to Congress regarding breach notification by Part 2 programs (and, as applicable, qualified service organizations on behalf of Part 2 programs), and providing technical assistance, training, and guidance materials regarding breaches of Part 2 records.
• The Categories of Individuals section is being revised to add references to “Part 2 programs, lawful holders of Part 2 records, and other persons holding Part 2 records” and to remove OCR employees who use the system to record the status of their work, because if such records are considered to be about them instead of the agency they work for, the records would be covered in a SORN that covers HHS personnel records.
• The Categories of Records section is being revised to remove an unnecessary statement about exemptions (which are addressed in the Exemptions section) and to add the following categories of records:
  1. Information that Part 2 programs (or, as applicable, a qualified service organization on behalf of a Part 2 program) are required to provide to HHS to fulfill their breach notification requirements.
  2. Information collected regarding a Part 2 complaint investigation or compliance review of a potential Part 2 violation.
• In the Routine Uses section, routine uses I through IV are being revised for clarity, routine uses VII through IX are being revised to authorize disclosures of Part 2-related information to allow OCR to carry out the purposes described above, and routine uses X through XIII are unchanged but included for completeness.

Because some of these changes are significant, HHS provided advance notice of the modified system of records to the Office of Management and Budget and Congress as required by 5 U.S.C. 552a(r) and OMB Circular A-108.

Paula M. Stannard, Director, Office for Civil Rights.

SYSTEM NAME AND NUMBER:

HHS Civil Rights and Health Information Privacy Program Records, 09-90-0052.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The address of the agency component responsible for the system of records is the HHS Office for Civil Rights, 200 Independence Ave. SW—Room 509F, Washington, DC 20201.

SYSTEM MANAGER(S):

Associate Deputy Director for Information Technology, Operations and Resources Division, Office for Civil Rights, 200 Independence Ave. SW—Room 509F, Washington, DC 20201, Email: .

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Authority for the collection, maintenance, and disclosures from this system is given under Title VI of the 1964 Civil Rights Act (42 U.S.C. 2000d et seq.); secs. 245, 533, 542, 794, 855, 1947, and 1908 of the Public Health Service Act (42 U.S.C.
238n, 290cc-33, 290dd-1, 296g, 300x-57, and 300w-7, respectively); secs. 504 and 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794 and 794d); Title II of the Americans with Disabilities Act of 1990 (42 U.S.C. 12131 et seq.); the Age Discrimination Act of 1975 (42 U.S.C. 6101-6107); the Equal Employment Opportunity Provisions of the Public Telecommunications Financing Act of 1978 (47 U.S.C. 398(b)); Title VI and Title XVI of the Public Health Service Act (the “community services obligation” of facilities funded under the Act) (42 U.S.C. 291 and 300); Title IX of the 1972 Education Amendments (20 U.S.C. 1681-1688); sec. 407 of the Drug Abuse Office and Treatment Act (42 U.S.C. 290ee-3); Section 321 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 (42 U.S.C. 290dd-2(i)); sec. 508 of the Social Security Act (42 U.S.C. 708); the Family Violence Prevention and Services Act (42 U.S.C. 10406); Child Care and Development Block Grant Act of 1990 (42 U.S.C. 9858l and 9858n); Low-Income Home Energy Assistance Act of 1981 (42 U.S.C. 8625); sec. 1808 of the Small Business Job Protection Act of 1996 (42 U.S.C. 1996b); the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d through 1320d-8); the Confidentiality Provisions of the Patient Safety and Quality Improvement Act of 2005 (42 U.S.C. 299b-21 through 299b-26); secs. 13401, 13402, 13404, 13405, 13406, 13408, 13410, and 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act (42 U.S.C. 17931, 17932, 17934, 17935, 17936, 17938, 17939, and 17940, respectively); sec. 543 of the Public Health Service Act, as amended by sec. 3221 of the CARES Act (42 U.S.C. 290dd-2 and 290dd-2 note); sec. 401 of the Health Programs Extension Act of 1973 (the “Church Amendments”) (42 U.S.C. 300a-7); sec.
507(d) of the Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriations Act, 2024, Public Law. 118-47, 138 Stat. 460, 703 (Mar. 23, 2024) as carried forward by the Full-Year Continuing Appropriations and Extensions Act, 2025, Public Law 119-4, 139 Stat. 9 (Mar. 15, 2025) (the “Weldon Amendment”); secs. 1553, 1557, 1303, and 1411 of the Patient Protection and Affordable Care Act (42 U.S.C. 18113, 18116, 18023, and 18081, respectively); 42 U.S.C. 1395w-22(j)(3)(B), 1396u-2(b)(3)(B), 1395cc(f), 1396a(w)(3), and 14406(2) (Medicare and Medicaid conscience provisions); 42 U.S.C. 1320a-1(h), 1320c-11, 1395i-5, 1395x(e), 1395x(y)(1), 1396a(a), and 1397j-1(b) (conscience provisions related to Religious Nonmedical Health Care Institutions); 42 U.S.C. 1396f (conscience provisions related to compulsory health care services under Medicaid); 42 U.S.C. 5106i(a), 280g-1(d), 1396s(c)(2)(B)(ii), 290bb-36(f) and 29 U.S.C. 669(a)(5) (conscience protections related to compulsory health services); 22 U.S.C. 2151b(f) and 7631(d) (conscience protections for Global Health Programs); “Charitable Choice” Provisions (42 U.S.C. 9920 (Community Services Block Grant), 604a (Temporary Assistance for Needy Families), 300x-65 (Substance Use and Mental Health Block Grants), and 290kk through 290kk-3 (Title V of the Public Health Services Act); The Head Start Act (42 U.S.C. 9849); Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5151); the Refugee Act of 1980 (8 U.S.C. 1522(a)(5)); the Community Schools Youth Services and Supervision Grant Program Act of 1994 (34 U.S.C. 12161(g)(3) and (i)); the ADAMHA Reorganization Act (42 U.S.C. 290ff-1(e)(2)(C)); and the American Indian Religious Freedom Act (42 U.S.C. 1996a(b)(1)).

PURPOSE(S) OF THE SYSTEM:

The records are used by OCR staff to carry out OCR's civil rights and health information privacy responsibilities and are maintained in an electronic repository of information and documents.
The repository is a single, integrated system with enhanced electronic storage, retrieval and tracking capacities that allows OCR to more effectively manage the information it collects. The repository is designed to allow OCR to integrate all of OCR's various business processes, including all its compliance activities, to allow for real time access and results reporting and other varied information management needs. It provides: (1) A single, central, electronic repository of all significant OCR documents and information, including investigative files, correspondence, administrative records, policy and procedure manuals and other documents and information developed or maintained by OCR; (2) easy, robust capability to search all the information in OCR's repository; (3) better quality control at the front end with simplified data entry and stronger data validation; and (4) tools to help staff work on and manage their casework. The records are also used by OCR: (1) To collect, maintain, and post on the HHS website a list of covered entities and Part 2 programs that experience breaches of unsecured protected health information and unsecured Part 2 records affecting more than 500 individuals using information reported to the Secretary by covered entities and Part 2 programs (or a business associate or qualified service organization on behalf of a covered entity or Part 2 program, respectively) as required by section 13402(e) of the HITECH Act and section 3221(h) of the CARES Act; (2) to develop an annual report to Congress, as required by section 13402(i) of the HITECH Act, regarding breach notification using information reported to the Secretary by covered entities and Part 2 programs (or a business associate or qualified service organization on behalf of a covered entity or Part 2 program, respectively) pursuant to section 13402(e) of the HITECH Act and section 3221(h) of the CARES Act; and (3) educate entities regulated under HIPAA and Part 2 on the measures needed 
to prevent future breaches and potential violations of the HIPAA Rules and Part 2 by providing technical assistance, training, and guidance regarding complaint investigations, compliance reviews, and reported breaches of protected health information and Part 2 records.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Covered individuals include persons who file complaints alleging discrimination or violation of their rights or other violations under the statutes identified in the Authority section, above, and persons subject to laws administered and enforced by OCR (e.g., covered entities, business associates, Part 2 programs, lawful holders of Part 2 records, other persons holding Part 2 records) who are individuals as defined in the Privacy Act and not organizations or institutions, and are investigated by OCR as a result of complaints filed or through compliance reviews conducted by OCR. Covered individuals also include persons who submit correspondence to OCR related to other compliance activities (e.g., outreach and public education), and other correspondence unrelated to a complaint or compliance review and requiring responses by OCR. Covered individuals also include covered entities and business associates, as defined in 45 CFR 160.103, and Part 2 programs (and, as applicable, qualified service organizations on behalf of Part 2 programs) who are individuals as defined in the Privacy Act and report breaches of protected health information or Part 2 records by submitting a breach report through the HHS website.

CATEGORIES OF RECORDS IN THE SYSTEM:

The system of records encompasses a variety of records having to do with civil rights-related and health information privacy-related complaints, compliance reviews, correspondence, including reports of breaches of protected health information and Part 2 records.
Data elements contained in the records include, for example, individuals' names, Social Security numbers (SSN), tax identification numbers (TIN), addresses, dates of birth, provider names and addresses, physicians' names, prescriber identification numbers, assigned provider numbers (facility, referring/servicing physician), and/or other identification numbers of HIPAA covered entities, business associates, Part 2 programs (and, as applicable, qualified service organizations on behalf of Part 2 programs), lawful holders of Part 2 records, and other persons holding Part 2 records. The complaint and compliance review files and log include complaint allegations, breach reporting, information gathered during the investigation, findings and results of the investigation, and correspondence relating to the investigation, as well as status information for all investigations.

RECORD SOURCE CATEGORIES:

Information is provided by complainants, covered entities, business associates, Part 2 programs, qualified service organizations, lawful holders of Part 2 records, and other persons holding Part 2 records.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

The routine uses are revised to read as follows:

I. The first routine use for this system, permitting disclosure to a congressional office, allows subject individuals to obtain assistance from their representatives in Congress, should they so desire. Such disclosure would be made only pursuant to the request of, and on behalf of, the individual.

II. The second routine use allows disclosure of records to the Department of Justice (DOJ) or to a court or other adjudicative body in litigation or other proceedings when any of the following is a party to or has a direct and substantial interest in the proceeding and the disclosure of such records is deemed by HHS to be relevant and necessary to the proceeding: (a) HHS or any component thereof, or another agency participating in joint or related enforcement activities (e.g., Department of Education, Department of Labor); (b) any employee of HHS or of another participating agency in the employee's official capacity; (c) any employee of HHS in the employee's individual capacity where the DOJ, HHS, or participating agency has agreed to represent the employee; or (d) the United States.

III. The third routine use allows the following: Where a record, either alone or in conjunction with other information, indicates a violation or potential violation of law—criminal, civil, or regulatory in nature—the relevant records may be referred to the appropriate federal, state, local, territorial, or tribal law enforcement authority or other appropriate entity charged with the responsibility for investigating or prosecuting such violation or charged with enforcing or implementing such law.

IV. The fourth routine use allows disclosure of records to HHS contractors for the purpose of internal processing and maintaining quality control of records in the system.

V. The fifth routine use allows records to be disclosed to student volunteers, persons working under a personal services contract, and other persons performing functions for the Department but technically not having the status of agency employees, if they need access to the records in order to perform their assigned agency functions.

VI. The sixth routine use allows referrals of Age Discrimination Act complaints to the Federal Mediation and Conciliation Service (FMCS) for purposes of mediation.

VII. The seventh routine use allows OCR to post on its website, as required by section 13402(e)(4) of the HITECH Act, information reported by a covered entity (or a business associate on behalf of a covered entity) to the Secretary pursuant to section 13402(e)(3) of the HITECH Act that identifies covered entities that experience breaches of unsecured protected health information affecting more than 500 individuals. This routine use also allows OCR to post on its website, as required by section 3221(h) of the CARES Act, information reported by a Part 2 program (or a qualified service organization on behalf of a Part 2 program), to the Secretary pursuant to section 3221(h) of the CARES Act, that identifies Part 2 programs that experience breaches of unsecured Part 2 records affecting more than 500 individuals. Information made public will be limited to information that HHS would be required to release to a requester under the Freedom of Information Act (FOIA); meaning, information that would not result in an unwarranted invasion of personal privacy.

VIII. The eighth routine use allows OCR to include information that identifies subject individuals, when this would not result in an unwarranted invasion of personal privacy, in OCR's annual report to Congress regarding breaches of unsecured protected health information and unsecured Part 2 records, as required by section 13402(i) of the HITECH Act and section 3221(h) of the CARES Act.

IX. The ninth routine use allows OCR to disclose information regarding complaint investigations, compliance reviews, and reported breaches of unsecured protected health information and unsecured Part 2 records to the public and to appropriate Federal entities and Department contractors as necessary for OCR to provide technical assistance, training, and guidance materials, as applicable, to Congress, Federal agencies, entities subject to HIPAA or Part 2, and consumers, after OCR determines that the disclosure would not constitute an unwarranted invasion of personal privacy.

X. The tenth routine use allows OCR to disclose information to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

XI. The eleventh routine use allows OCR to disclose information to HHS contractors to investigate violations and potential violations, as well as to conduct compliance reviews, of the Federal laws and regulations that OCR has legal authority to enforce.

XII. The twelfth routine use allows OCR to disclose relevant information to the public to inform the public of the results of investigations and compliance reviews of the Federal laws and regulations that OCR has legal authority to enforce, after OCR determines that the disclosure would not constitute an unwarranted invasion of personal privacy.

XIII. The thirteenth routine use allows OCR to disclose information to another Federal agency or Federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

HISTORY:

75 FR 18841 (Apr. 13, 2010), updated at 83 FR 6591 (Feb. 14, 2018).

[FR Doc. 2026-03003 Filed 2-12-26; 4:15 pm]
