On April 17, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a notice of proposed rulemaking that would revise the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to bar certain uses and disclosures of protected health information (“PHI”) related to reproductive health care. Specifically, the proposed rule (“Rule”) would amend the Privacy Rule to prohibit covered entities or business associates (collectively, “regulated entities”) from using or disclosing PHI for purposes of (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings.
The Rule appears to be designed to further President Biden’s executive order directing HHS to consider actions that would “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.” President Biden issued the order in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.
Below, we provide a brief summary of the proposed changes and a timeline for commenting.
Categories of prohibited uses and disclosures: As discussed above, the Rule would prohibit a regulated entity from using or disclosing PHI if the use or disclosure is for (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings (“Prohibited Purposes”).
Of note, the Rule would apply only where reproductive health care is provided or sought lawfully. Specifically, this prohibition on use or disclosure would apply where:
- (1) Reproductive health care is sought, obtained, provided, or facilitated lawfully in one state and an investigation arises in another state;
- (2) Reproductive health care is protected, required, or expressly authorized by Federal law; or
- (3) Reproductive health care is sought, obtained, provided, or facilitated lawfully in the same state as the investigation.
This means that the Rule would apply where an individual obtained an abortion in a state where abortion is legal—even if the individual traveled from a state where abortion is not legal—or where an individual received care that is protected under the Emergency Medical Treatment and Labor Act (“EMTALA”) (i.e., care necessary to stabilize a patient).
Attestations: The Rule would also require that a covered entity obtain a written attestation from a person requesting the use or disclosure of PHI potentially related to reproductive health care. The attestation would be required to state that the use or disclosure is not for a Prohibited Purpose. The Rule would also establish a number of other prescriptive requirements for this attestation, including that the attestation not be combined with another document. An attestation would be required for requests in the context of health oversight activities, judicial and administrative proceedings, law enforcement proceedings, and disclosures to coroners and medical advisors. For example, in order for a covered entity to disclose PHI to a coroner, the covered entity would need to (1) comply with HIPAA’s existing conditions for such a disclosure and (2) get an attestation from the coroner.
Under the Rule, a covered entity may rely on an attestation only if it is objectively reasonable and does not contain material information that the covered entity knows to be false. Further, unlike HIPAA’s existing authorization provision—which permits future uses and disclosures that are contemplated by an initial authorization—attestations would apply only to the specific use or disclosure. Covered entities would need to obtain a new attestation for each future use or disclosure.
Authorizations: The Rule would bar regulated entities from using or disclosing PHI for Prohibited Purposes even with an individual’s authorization. This is similar to a current authorization exception, which bars a health plan from using or disclosing genetic information for underwriting purposes, even with an individual’s authorization.
Notice of Privacy Practices: The Rule would require covered entities to update their Notices of Privacy Practices to describe the Prohibited Purposes and the types of uses and disclosures that require an attestation, with an example under each description.
Additional Clarifications and Definitions: The Rule would clarify certain provisions and add definitions. For example, it would clarify that regulated entities may disclose PHI only pursuant to an administrative request “for which a response is required by law.” (Previously, there had been some ambiguity around when a regulated entity had to comply with an administrative request.) In addition, the Rule would define reproductive health care as “care, services, or supplies related to the reproductive health of the individual.”
What Doesn’t Change
The Rule would not prevent uses or disclosures of PHI that are permitted by other provisions of the Privacy Rule. (As noted above, however, certain disclosures may require an additional attestation.)
HHS has emphasized that:
- Covered health care providers would still be permitted to use or disclose PHI to defend themselves in an investigation or proceeding related to professional misconduct or negligence;
- Regulated entities would still be permitted to use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care; and
- Regulated entities would still be permitted to disclose PHI to a health oversight agency for health oversight activities, such as investigating whether reproductive health care was actually provided or appropriately billed.
In addition, individuals would retain the ability to direct a covered entity to transmit an electronic copy of their PHI to third parties, including law enforcement, regardless of their intended use of PHI. HHS has expressed concerns that law enforcement or others could coerce individuals into exercising this right of access to get around the new Rule’s Prohibited Purposes. HHS nevertheless retained this right because it views the right of access as “paramount to an individual’s ability to make decisions regarding their own health care.”
Stakeholders interested in commenting on the Rule should submit their comments on or before June 16, 2023.
HHS has specifically sought comments on a number of topics, including:
- Whether the proposed Prohibited Purposes appropriately limit harmful uses or disclosures while permitting beneficial ones;
- Whether HHS should permit uses and disclosures for Prohibited Purposes where there is a valid authorization from the individual; and
- Whether third parties might circumvent the Prohibited Purposes by coercing individuals to exercise their right to direct a covered entity to transmit to a third party an electronic copy of their PHI in an electronic health record.