Health privacy has become the new frontier for reproductive rights in the wake of Dobbs v. Jackson Women’s Health Organization. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued a Final Rule to strengthen privacy protections for patients, health care providers, and others when obtaining, providing, or facilitating lawful reproductive health care. The Final Rule amends the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by prohibiting the use or disclosure of protected health information (PHI) potentially related to lawful reproductive health care[1] without permission and by requiring new disclosures and attestations related to such prohibitions.
Key Takeaways
- Regulated entities should review and revise current policies and procedures regarding PHI disclosures, in addition to business associate agreements, to ensure they comply with the Final Rule.
- Regulated entities should also consider updating employee training to help ensure employees comply with the prohibition and obtain the relevant attestations before disclosing PHI potentially related to reproductive health care.
- The Final Rule is effective on June 25, 2024, and regulated entities will have until December 23, 2024, to comply, excluding the required updates to the Notice of Privacy Practices (NPP), which will not be enforced until February 16, 2026.
Background
Even before the Final Rule, the HIPAA Privacy Rule restricted how HIPAA covered entities and business associates (“regulated entities”) use and disclose PHI, including reproductive health care information. Specifically, the Privacy Rule permitted, but did not require, regulated entities to disclose PHI without written authorization of the individual in response to an order of a court or administrative tribunal or in response to a subpoena, discovery request, or other lawful process if certain requirements are met. 45 C.F.R. 164.512(e)(1).
Following Dobbs, however, concerns grew that PHI could be sought for an investigation against or to impose liability on patients who travel across state lines to obtain reproductive health care or on health care providers who administer lawful reproductive health care.
Summary of Final Rule
- Regulated entities may not use or disclose PHI for investigations related to the lawful provision of reproductive health care.
- The Final Rule bans regulated entities from using or disclosing PHI for the purpose of conducting a criminal, civil, or administrative investigation, or imposing criminal, civil, or administrative liability, on any person for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. Additionally, PHI cannot be used or disclosed to identify a person for these purposes.
- Reproductive health care is lawful if it is provided in a state in which the care is lawful. For example, if an abortion is performed at four weeks of gestation in a state that prohibits abortion after six weeks of gestation, the reproductive health care would be lawful, and information regarding the care would be protected from compelled disclosure under HIPAA.
- Reproductive health care is also lawful if it is protected, required, or authorized by federal law, regardless of the state in which it is provided. For example, contraception provided to an individual in any state is lawful under federal law and information regarding the care would also be protected from compelled disclosure under HIPAA.[2]
- HHS noted that this change may require regulated entities to revise existing business associate agreements where such agreements permit regulated entities to engage in activities that are no longer permitted under the revised Privacy Rule.
- Regulated entities must obtain a signed attestation that a request is not for a prohibited purpose.
- Regulated entities must obtain a signed and dated written statement attesting that the use or disclosure would not be for a prohibited purpose from the person requesting PHI potentially related to reproductive health care before the PHI is used or disclosed.
- This includes where the use or disclosure is for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or coroners and medical examiners.
- Each use or disclosure request for PHI requires a new attestation.
- Both covered entities and business associates will be held directly liable for compliance with the attestation requirement, regardless of whether compliance with the requirement is explicitly included in a business associate agreement.
- Persons who request PHI under false pretenses may be subject to criminal penalties under HIPAA.
- HHS intends to publish a model attestation prior to December 23, 2024.
- Covered entities must include new disclosures in their NPP, including:
- A description with at least one example of the types of uses and disclosures prohibited under the Final Rule in sufficient detail for an individual to understand the prohibition;
- A description with at least one example of the types of uses and disclosures for which an attestation is required; and
- A statement explaining that disclosed PHI may be subject to redisclosure and no longer protected by the Privacy Rule to help individuals to make informed decisions about to whom they provide access to or authorize the disclosure of their PHI.
- New formal definition for “public health.”
- The Final Rule also introduced a few additional clarifications to the Privacy Rule, including adding a formal definition for “public health.”
- Under the Privacy Rule, a regulated entity may use or disclose PHI for “public health” surveillance, investigation, or intervention.
- The Final Rule limits such activities to population-level health and excludes activities that involve:
- (i) conducting a criminal, civil, or administrative investigation into an individual for seeking, obtaining, providing, or facilitating health care;
- (ii) imposing liability on an individual for seeking, obtaining, providing, or facilitating health care; or
- (iii) identifying an individual for any of the activities described in (i) or (ii).
- Preemption and preparing for conflict.
- Notably, and importantly for regulated entities assessing the impact of the Final Rule, the Final Rule expressly preempts state law to the extent necessary to achieve Congress’s directive to establish a standard for the privacy of individually identifiable health information for the purpose of improving the effectiveness of the health care system.
- As a result, a regulated entity should expect to receive requests from law enforcement or a court to compel disclosure of reproductive health care information that is protected by the Final Rule, especially in states that criminalize abortion. In such cases, the regulated entity should refuse disclosure on the basis of HIPAA, but it is possible that some requestors would challenge such a refusal, putting the regulated entity in a catch-22: spend time and money defending the decision in court and potentially be held in contempt for failure to provide the information, or violate HIPAA by turning the information over and risk OCR enforcement and civil penalties.
- Covered entities and business associates should be prepared to address potential conflicts between federal and state law in these circumstances.
Carson Martinez, Associate, contributed to the drafting of this alert.
[1] Reproductive health care is defined in the Final Rule as “health care. . . that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” 45 C.F.R. 160.103.
[2] See Griswold v. Connecticut, 381 U.S. 479 (1965); Eisenstadt v. Baird, 405 U.S. 438 (1972); Dobbs, 597 U.S. 345 (Kavanaugh, J., concurring) (Dobbs “does not threaten or cast doubt on” the precedents providing constitutional protection for contraception).