Locke Lord QuickStudy: Amendments to HIPAA Privacy Rule to Support Reproductive Health Care Privacy

On April 22, 2024, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued a Final Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support reproductive health care privacy. This Final Rule reflects continued efforts by the Biden-Harris Administration to protect access to reproductive care and furthers President Biden’s Executive Order 14076 which directs HHS to consider actions to better protect reproductive health care information and to bolster patient-provider confidentiality.

HHS has long recognized that individuals may be deterred from seeking needed health care if they do not trust that their information will be kept private. At the same time, HHS has consistently taken the approach that individuals’ privacy rights must be weighed against “society’s interests, including in the free flow of information that enables the provision of effective and efficient health care services.” As part of balancing these interests, HHS has created additional protection for reproductive health information because it is particularly sensitive and involves highly personal health care decisions. Frequently citing the special protections afforded to psychotherapy notes in this Final Rule, HHS acknowledges that information about an individual’s reproductive health and associated health care is especially sensitive and, thus, takes a step towards further protecting reproductive health care information.

In the preamble to the Final Rule, OCR noted the several reasons for promulgating the Final Rule, including the following: 

• “Changes in the legal landscape [resulting from the U.S. Supreme Court’s Dobbs decision] have nationwide implications, not only because of their effects on the relationship between health care providers and individuals, but also because of the potential effects on the flow of health information across state lines. For example, an individual who travels out-of-state to obtain reproductive health care that is lawful under the circumstances in which it is provided may now be reluctant to have that information disclosed to a health care provider in their home state if they fear that it may then be used against them or a loved one in their home state.” OCR also stated that individuals and health care providers may also be reluctant to disclose PHI to health plans with a multi-state presence because of concerns that one of those states will seek to obtain that PHI to investigate or impose liability on the individual or the health care provider, even if there is no nexus with that state other than the presence of the health plan in that state.Such reluctance may have significant ramifications for access to reproductive health care, given the cost associated with obtaining such health care, and health care generally.
• Additionally, PHI is more likely to be transmitted across state lines as the electronic exchange of PHI increases because it is easier and more efficient to send information electronically. For instance, the Trusted Exchange Framework and Common Agreement (TEFCA) initiative established under the 21st Century Cures Act and the Centers for Medicare & Medicaid Services (CMS) Interoperability and Prior Authorization Final Rule will spur greater use and disclosure of PHI by regulated entities and to health apps and others. Different components of a health information exchange/health information network (HIE/HIN) may be located in different states, meaning that the PHI may be transmitted across state lines, and thus affected by laws severely restricting access to reproductive health care, even where both the health care and the recipient of the PHI are located in states where access to such health care is not substantially restricted.

This Final Rule prohibits a covered entities and business associates (“regulated entities”) from using or disclosing an individual’s PHI for the purpose of conducting a criminal, civil, or administrative investigation into or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is or was lawful under the circumstances it was provided.

SUMMARY OF THE FINAL RULE

In order to better protect reproductive health care information, HHS modified the HIPAA Privacy Rule as follows.

DEFINITIONAL CHANGES

The Final Rule clarifies the definition of “person” to reflect longstanding statutory language, and to make it clear that for the purposes of applying the HIPAA privacy regulation the words “child,” “individual,” or “person” do not include a fertilized egg, embryo or fetus; adopts a new definition of “public health” surveillance, investigation, or intervention to limit those terms to population-level activities to promote health or limit disease; and includes a new definition of reproductive health care, defining it to include health care of an individual in all matters relating to the reproductive system and to its functions and processes. HHS’s commentary indicates that permissible disclosures of PHI for the purpose of public health activities does not include investigations or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care, including reproductive health care.

PROHIBITED USES AND DISCLOSURES

The Privacy Rule prohibits the use or disclosure of PHI except as permitted or required by the Privacy Rule.  Paragraph (a)(5) of Section 164.502 includes specific purposes for which the Privacy Rule explicitly prohibits the use and disclosure of PHI.^[1] In this Final Rule, HHS adds a new category of prohibited uses that “restricts the ability of regulated entities to use or disclose PHI for activities with the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it was provided, or to identify any person for such purposes.” This prohibition applies to, but is not limited to, law enforcement investigations, third party investigations in furtherance of civil proceedings, state licensure proceedings, criminal prosecutions, and family law proceedings.

For example, as OCR provides in the commentary to the Rule, a covered entity will be prohibited from using or disclosing PHI to third parties for the mere purpose of a law enforcement investigation into a health care provider for lawfully providing or facilitating the disposal of an embryo. Another prohibited use or disclosure would be for a civil suit brought by a person exercising a private right of action provided for under state law against an individual or health care provider who obtained or participated in a lawful abortion. The prohibition, however, would not restrict a regulated entity from using or disclosing PHI to a health oversight agency conducting health oversight activities, such as investigating whether reproductive health care was actually provided or appropriate billed. Where this new prohibition does not apply, the Privacy Rule may permit the requested PHI to be used or disclosed depending on the circumstances. For instance, the Final Rule does not prohibit the use or disclosure of PHI related to reproductive health care in all instances because, in some circumstances, law enforcement’s interests in the PHI for non-healthcare purposes will outweigh the privacy interests of the individual. For example, if a person obtains reproductive health care that was unlawful, such health care would not be “lawful under the circumstances in which it was provided” and the prohibition would not apply. To address concerns from commenters about how to determine whether reproductive health care is “lawful”, as part of the Rule of Applicability, discussed below, HHS requires that a regulated entity that receives a request for PHI make a reasonable determination about the lawfulness of the reproductive care.

RULE OF APPLICABILITY

HHS recognizes the interests of both the Federal Government and states while also protecting the information privacy interests of persons who participate in lawful reproductive care. As such, HHS finalizes a Rule of Applicability that “balances the privacy interests of individuals and the interests of society in an effective health care system with those of society in the use of PHI for other non-health care purposes” which limits this new prohibition to certain circumstances. The Rule of Applicability requires that a regulated entity that receives a request for PHI make a reasonable determination about the lawfulness of the reproductive health care in the circumstances in which such health care was provided, using the law of the state in which the health care was provided.

Although these requirements may initially appear onerous for the regulated entity receiving the request for PHI, a concern raised by many commentators, the Final Rule includes a presumption that the reproductive health care provided by a person other than the regulated entity receiving the request was lawful.^[2] 

For example, consider a situation in which an investigator requests information from a health plan about claims for coverage of certain reproductive health care provided by a particular provider. The health plan must presume that the care was lawful unless the plan has actual knowledge that the care was not lawful, or the investigator supplied information that demonstrates a substantial factual basis to believe the care was not lawful under the law of the state in which the care occurred.

ATTESTATION

In addition to the prohibition related to disclosure of PHI, the Final Rule also includes a new requirement for covered entities, in some specific situations, to obtain an attestation from the person or entity seeking the PHI prior to using or disclosing PHI potentially related to reproductive health care. Specifically, the Final Rule requires covered entities that receive a request for PHI for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners to obtain an attestation from the requestor that such use or disclosure is not for a prohibited purpose. The Final Rule includes details on what is required as part of this attestation, however, HHS has also indicated they intend to publish a model attestation before the compliance date of this Final Rule.^[3] HHS explained that this requirement will help ensure that these permitted disclosures will not be used to circumvent the new prohibitions.

REVISION TO NOTICE OF PRIVACY PRACTICES

The Final Rule also requires covered entities to revise their Notice of Privacy Practices (NPPs) to not only support reproductive health care privacy but also requires revisions to NPPs to address proposed changes made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records (Part 2 NPRM”), which were made final in connection with this Final Rule.^[4]

GUIDANCE FOR COVERED ENTITIES

In light of these changes to the HIPAA Privacy Rule, covered entities must carefully consider what policies and procedures must be modified to comply with these new requirements. The Final Rule will take effect on June 25, 2024 and persons subject to regulation must comply by December 23, 2024, with the exception of the NPP provisions for which compliance is required by February 16, 2026. Covered entities are encouraged to carefully review the commentary to the Final Rule in which HHS includes details and examples for how to handle and respond to requests for information potentially related to reproductive care.

Review Policies and Procedures for Requests for PHI

Covered entities should review their policies for responding to requests for PHI which should include a method of ensuring that PHI is not provided in violation of the new prohibition. In revising policies, covered entities may want to consider including how to respond if there is reason to believe the reproductive care provided was unlawful. As the comments to the Final Rule note, this also may include carefully reviewing and revising contracts with business associates.

Establish Procedures for Attestations When Required

Further, covered entities must create a method for requesting and responding to attestations. This should include careful review of what is required as part of the attestation as well as potential liability if attestations are incorrectly completed or relied on.

Revise Notice of Privacy Practices

Covered entities must revise their NPPs to address the modifications made in this Final Rule. What is required is extensive as the changes to the NPP covers both SUD records as well as information related to reproductive care. The modifications to 45 CFR 164.520 should be carefully reviewed as part of this process. 

CONCLUSION

HHS explains in the commentary to the Final Rule that “[t]he Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (Dobbs) overturned precedent that protected a constitutional right to abortion and altered the legal and health care landscape.” These changes increase the likelihood that an individual’s PHI may be disclosed in ways that cause harm to the interests HIPAA seeks to protect. Recognizing the inherently sensitive nature of reproductive health care information, this Final Rule balances the interests of society in obtaining PHI for non-health care purposes with the interests of the individual, the Federal Government, and society in maintaining an effective health care system. HHS hopes this balance will improve the effectiveness of the health care system by ensuring that individuals are not deterred from seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided.

As discussed above, covered entities must carefully review this Final Rule and review and modify existing policies to comply with these changes. If you need assistance, please reach out to the authors of this article.

Special thanks to Boston Legal Intern Sydney Goldberg who assisted in the drafting of this QuickStudy.

---