Comments
EPIC Comments to HHS, CMS re Prohibiting Sex-Rejecting Procedures for Children
COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER
to the
DEPARTMENT OF HEALTH AND HUMAN SERVICES
CENTERS FOR MEDICARE & MEDICAID SERVICES
Request for Comment on Notice of Proposed Rulemaking regarding Medicare and Medicaid Programs; Hospital Condition of Participation: Prohibiting Sex-Rejecting Procedures for Children
90 Fed. Reg. 59,463
February 17, 2026
The Electronic Privacy Information Center (EPIC) submits these comments in response to the Centers for Medicare and Medicaid Services (CMS)’s Notice of Proposed Rulemaking (NPRM) regarding CMS’s proposed de facto ban on transgender health care for minors, file code CMS-3481-P. We call on CMS to withdraw this unlawful, legally deficient, and medically invasive rulemaking.
By notice published on December 19, 2025, CMS has requested comments on a notice of proposed rulemaking regarding “Hospital Condition of Participation: Prohibiting Sex-Rejecting Procedures for Children” in Medicare and Medicaid programs.[1] CMS’s proposed rule seeks to ban transgender health care by preventing hospitals that provide such care from receiving any Medicare and Medicaid funding. This NPRM fails to demonstrate CMS’s legal authority for introducing such a sweeping ban on health care; it attempts to control physicians’ practice of medicine and hospitals’ administration of services in violation of the Social Security Act; and it violates the medical privacy of patients nationwide.
EPIC is a public interest research center in Washington, D.C., established in 1994 to focus public attention on emerging civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation.[2] For decades, EPIC has worked with federal agencies under different administrations to safeguard individuals’ personal data and to protect patients’ medical privacy.[3] EPIC also fights to protect the privacy rights of individuals and marginalized communities, including the LGBTQ+ community. EPIC has submitted FOIA requests,[4] provided comment on regulations,[5] and filed complaints[6] regarding unlawful practices harmful to LGBTQ+ persons.
The instant NPRM introduces a de facto ban on transgender health care for minors by prohibiting all hospitals that provide gender affirming care for transgender youth from receiving any Medicaid reimbursements. This is far more sweeping than prohibiting reimbursements for the specific services implicated in the NPRM. The NPRM exceeds the scope of its purported concerns—minors’ gender affirming care—by prohibiting a hospital from receiving reimbursements for all health services, including services entirely unrelated to minors’ gender affirming care. Most hospitals cannot operate without Medicaid and Medicare reimbursements, so this proposed rule is conditional in name only. In effect, CMS has introduced a nationwide ban on a specific type of health services, an act that exceeds the scope of CMS’s legal authority and rests with Congress alone. CMS apparently tries to circumvent this legal deficiency (as well as the great weight of medical research[7]), by explaining that “we believe” that the provision of gender-affirming care to minors “is not healthcare and hence [is] not subsumed under the term of ‘the practice of medicine.’”[8] The NPRM fails to provide any evidence for this belief and merely cites the NPRM’s review discussing the risks and benefits of gender affirming care. This does not sufficiently explain how or why gender affirming care would not be classified as health care. CMS is not authorized to ban a type of health care nationwide based solely on its “beliefs.”
The Social Security Act forbids the NPRM’s proposed rule. Section 1801 (Prohibition Against Any Federal Interference) prohibits the very kind of activity that CMS has undertaken through this NPRM:
Nothing in this title shall be construed to authorize any Federal officer or employee to exercise any supervision or control over the practice of medicine or the manner in which medical services are provided, or over the selection, tenure, or compensation of any officer or employee of any institution, agency, or person providing health services; or to exercise any supervision or control over the administration or operation of any such institution, agency, or person.[9]
This prohibition is applicable to the NPRM and explicit. It does not provide an exception allowing for federal interference when the institution “believes” that its actions do not implicate the practice of medicine. Moreover, the Social Security Act’s prohibition against federal interference is broader than the practice of medicine. It also extends to the control over the administration of any institution that provides health services. Hospitals unquestionably fall under the scope of this definition, and CMS is prohibited from trying to use Medicare and Medicaid funding to control the administration and operations of hospitals. The proposed rule patently violates this prohibition and CMS has failed to provide a sufficient argument or any evidence as to why its attempt to control hospitals’ operations would be excluded from the Social Security Act’s prevention of such action.
This proposed rule is a blatant violation of health privacy. This NPRM is an ideologically driven intrusion into the exam rooms of specific patients. It undermines an ancient tenet of health provision—health privacy[10]—by interfering upon the private relationship between provider and patient. The Department of Health and Human Services should use its resources to safeguard the protected health information of all patients instead of intruding into private medical decisions between children, their parents, and their physicians. Indeed, HHS will likely need to expend additional resources defending the dubious legality of this rule if it chooses to go forward with the proposal.
EPIC strongly urges CMS to withdraw the instant proposed rulemaking. This NPRM seeks to ban a specific type of health care by restricting Medicaid reimbursements, an act reserved for Congress, without legal authority; it blatantly violates the Social Security Act’s prohibition against federal interference into the control of health services and administration of hospitals; and it squarely violates the medical privacy of patients across the country. If you have any additional questions, please contact EPIC Senior Counsel Sara Geoghegan at [email protected].
Sincerely,
/s/ Sara Geoghegan
Senior Counsel &
Director, Consumer Privacy Program
ELECTRONIC PRIVACY
INFORMATION CENTER (EPIC)
1519 New Hampshire Ave. NW
Washington, DC 20036
202-483-1140 (tel)
202-483-1248 (fax)
[1] Notice of Proposed Rulemaking, Medicare and Medicaid Programs; Hospital Condition of Participation: Prohibiting Sex-Rejecting Procedures for Children, 90 Fed. Reg. 59,463 (Dec. 19, 2025), https://www.federalregister.gov/documents/2025/12/19/2025-23465/medicare-and-medicaid-programs-hospital-condition-of-participation-prohibiting-sex-rejecting [hereinafter “NPRM”].
[2] EPIC, About Us (2025), https://epic.org/about/.
[3] EPIC Comments to FTC on RFI for Information on Gender-Affirming Care for Minors (Sept. 26, 2025), https://epic.org/documents/comments-of-the-electronic-privacy-information-center-to-the-federal-trade-commission-on-request-for-information-on-gender-affirming-care-for-minors/; EPIC Comments to HHS on HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Mar. 7, 2025), https://epic.org/wp-content/uploads/2025/03/EPIC-HHS-HIPAA-cybersecurity-rule-NPRM-comments.pdf; EPIC Comments to the CFPB on the Prohibition on Creditors and Consumer Reporting Agencies Concerning Medical Information, Docket No. CFPB-2024-0023 (Aug. 2024), https://epic.org/documents/comments-of-epic-to-the-cfpb-on-the-prohibition-on-creditors-and-consumer-reporting-agencies-concerning-medical-information/; Comments of EPIC in re the Federal Trade Commission’s Proposed Order with Blackbaud, Inc., FTC File No. 202-3181 (Mar. 2024), https://epic.org/documents/comments-of-epic-in-re-the-federal-trade-commissions-proposed-order-settlement-with-blackbaud/.
[4] EPIC, Freedom of Information Act (2025), https://epic.org/issues/open-government/foia/.
[5] EPIC, FTC Rulemaking on Commercial Surveillance & Data Security (2022), https://epic.org/ftc-rulemaking-on-commercial-surveillance-data-security/.
[6] EPIC, In re Grindr, LLC, (2023), https://epic.org/documents/in-re-grindr-llc/; Comments of EPIC, CHLP, PrEP4All, et al. to HHS (Feb. 22, 2023), https://epic.org/documents/comments-of-epic-chlp-prep4all-and-patient-privacy-rights-to-hhs-on-hiv-prep-database-sorn/; EPIC Comment to the Department of State on Notice of Proposed Information Collection: U.S. Passport Application, Renewal Application, and Limited Passport Replacement for Eligible Individuals (Mar. 20, 2025), https://epic.org/documents/epic-comment-to-department-of-state-on-notice-of-proposed-information-collection-u-s-passport-application-renewal-application-and-limited-passport-replacement-for-eligible-individuals/.
[7] See, e.g., Jason Rafferty et al., Ensuring Comprehensive Care and Support for Transgender and Gender-Diverse Children and Adolescents, 142(4) Pediatrics (Oct. 01, 2018).
[8] NPRM at 59,471.
[9] 42 U.S.C. § 1395.
[10] Sara Geoghegan, et al., Beyond HIPAA: Reimagining How Privacy Laws Apply to Health Data to Maximize Equity in the Digital Age, EPIC at 10-11 (Jan. 2026), https://epic.org/wp-content/uploads/2026/01/EPIC-Beyond-HIPAA-Jan2026.pdf.
Support Our Work
EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.
Donate