The Department of Health and Human Services Office for Civil Rights (OCR) issued a proposed rule on April 17, 2023, to amend provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to strengthen privacy protections for individuals’ protected health information (PHI) related to reproductive healthcare (the Proposed Rule). The Proposed Rule would prohibit covered entities and business associates (collectively “regulated entities”) from using and disclosing PHI for criminal, civil, or administrative investigations or proceedings against individuals for seeking, obtaining, providing, or facilitating reproductive healthcare that is lawful under the circumstances in which it is provided. Comments on the Proposed Rule are due on or before June 16, 2023.
Background
Shortly following the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, OCR released guidance clarifying its position on the disclosure of reproductive health information for law enforcement and administrative and legal proceedings. (For additional discussion of OCR and HIPAA guidance concerning the Privacy Rule and reproductive health information, see Akerman’s Practice Update Providing Healthcare in a Post-Dobbs America Presents Evolving Challenges). The Proposed Rule incorporates and builds on that guidance to strengthen protections for reproductive healthcare information and to avoid circumstances where the Privacy Rule could allow sensitive information to be used for a detrimental, non-healthcare related purpose.
In the preamble to the Proposed Rule, OCR expresses concern that patient care could be adversely affected if individuals believe their PHI may be disclosed without their consent to initiate investigations or proceedings against them or others. As a result, individuals may be less forthcoming about their medical history or may avoid seeking necessary medical services altogether. For example, an individual who received a lawful abortion in one state may avoid emergency treatment in another state where such abortions are illegal, out of fear of potential repercussions for themselves, their healthcare providers, and others who may have assisted them in obtaining the lawful healthcare. OCR also notes that healthcare providers may omit certain information related to reproductive care out of fear for their patients, staff, and themselves if they are concerned that such information could be disclosed to government authorities. The potential for incomplete medical records, due to fear from the patient, provider, or both, can have harmful effects on patient care and erode trust in the healthcare system.
Protecting Reproductive Healthcare
The Proposed Rule takes a fairly narrow approach to protecting reproductive health information by prohibiting regulated entities from using or disclosing reproductive health information for either of two specific purposes, described below. This approach, according to OCR, is in “keeping with the Privacy Rule’s purpose-based approach.”
The primary restriction would prohibit uses and disclosures of reproductive information when the purpose of the use or disclosure is for a criminal, civil, or administrative investigation into, or a proceeding against, any person in connection with seeking, obtaining, providing, or facilitating reproductive healthcare. The second restriction would prohibit uses and disclosures of such reproductive information for purposes of identifying any person for such investigations or proceedings. (See proposed 45 C.F.R. § 164.502(a)(5)(iii).)
OCR acknowledges that the Privacy Rule generally preempts contrary provisions of state law, and that the Proposed Rule may create a conflict between the Privacy Rule and some state laws. However, OCR believes it has “carefully crafted” the Proposed Rule to apply “only in circumstances in which the state lacks any substantial interest in seeking the disclosure.” To accomplish this balancing act, the Proposed Rule is only applicable where the relevant criminal, civil, or administrative investigation or proceeding is in connection with a person seeking, obtaining, providing, or facilitating reproductive healthcare and one or more of the following criteria are satisfied:
- the reproductive healthcare is sought, provided, obtained, or facilitated in a state where it is lawful and outside the state where the investigation or proceeding is authorized;
- the reproductive healthcare is protected, required, or expressly authorized by federal law, regardless of the state in which such healthcare is provided (e.g., medical care required by the Emergency Medical Treatment and Active Labor Act); or
- the reproductive healthcare is provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such healthcare is provided (for example, an abortion at a point in the pregnancy when such healthcare is permitted by state law).
Under these circumstances, a regulated entity could not provide, for example, information about a lawful abortion in response to investigations or proceedings related to reproductive healthcare against either the individual seeking care or the provider(s). Such a disclosure would constitute a breach of unsecured PHI and trigger breach notification requirements under HIPAA. Note, however, that the Proposed Rule would not preempt state laws requiring the use and/or disclosure of PHI for other purposes, such as investigating a sexual assault committed against an individual.
Revised Definitions
The Proposed Rule includes new and revised defined terms under the Privacy Rule, including the definitions of “person,” “public health,” and the new term “reproductive health care.” The definition of “person” would be revised to clarify that a natural person is an individual that is born alive and would not include a fertilized egg, embryo, or fetus. The Proposed Rule also clarifies that “public health” activities do not include uses and disclosures for criminal, civil, or administrative investigations or proceedings based on whether a person sought, obtained, provided, or facilitated reproductive healthcare. Finally, the Proposed Rule adds a broad definition for “reproductive health care” encompassing the care, services, or supplies related to the reproductive health of an individual.
Attestation Requirement
OCR proposes an attestation process to assist covered entities in evaluating requests for PHI under existing HIPAA rules that could potentially capture reproductive healthcare and that may be prohibited under the Proposed Rule’s primary restrictions. Under this process, if the information potentially relates to reproductive healthcare, a covered entity would need an attestation from a requestor prior to using or disclosing the PHI under existing Privacy Rule provisions that allow for use and disclosure for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures about decedents to coroners or medical examiners. (These existing rules are found at 45 C.F.R. § 164.512(d), (e), (f), and (g)(1), respectively.)
The attestation must contain certain information including:
- the name of the individual whose PHI is being requested, if available, or class of individuals;
- a specific description of the information requested;
- the name or specific identification of the person or class of persons to whom the disclosure is to be made; and
- a clear statement that the request is not for a prohibited purpose.
The Proposed Rule also provides that an attestation:
- cannot be combined with other documents;
- is required for each individual use or disclosure of PHI; and
- is invalid if the covered entity has actual knowledge that material information in the document is false or it is objectively unreasonable for the covered entity to believe that the attestation is true with respect to the required statement that the use or disclosure is not for a prohibited purpose.
A covered entity must cease use or disclosure of PHI if it discovers information reasonably showing that the representations in the attestation form were materially false. Conceptually, the attestation form can assist covered entities in evaluating requests for PHI by establishing a standard mechanism, but they will still need to develop a process to determine whether the information responsive to the request includes reproductive health information and whether the attestation is legally sufficient. OCR plans to provide a sample attestation form as a guide.
Revision to Notice of Privacy Practices
The Privacy Rule requires covered entities to provide individuals with a Notice of Privacy Practices (NPP) describing their rights under HIPAA and how the covered entity may use and disclose the individuals’ PHI. The Proposed Rule would require covered entities to update their NPPs to include a detailed description of the uses and disclosures of PHI prohibited under the Proposed Rule as well as the uses and disclosures that require an attestation.
Comments
OCR also requests comments from the general public, including the following questions:
- Should the proposed prohibition on uses and disclosures apply broadly to any healthcare and not just reproductive healthcare?
- Should there be additional protections afforded to “highly sensitive” PHI?
- Does the proposed attestation requirement address all relevant types of permitted uses and disclosures of PHI under the Privacy Rule, or is the proposed revision overinclusive, creating unreasonable burdens on regulated entities?
- Are individuals aware of their right to restrict uses and disclosures of their PHI under 45 C.F.R. § 164.522(a)(1), are covered entities receiving more requests from individuals exercising this right, and are covered entities more or less likely to grant these requests?
Next Steps
As noted above, comments on the Proposed Rule are due on or before June 16, 2023. The final rule will be effective 60 days after publication, and regulated entities would have 180 days after the effective date to comply with the final rule by developing and implementing the necessary policies and procedures. Regardless of whether the Proposed Rule is finalized, covered entities and business associates should consider:
- assessing the extent to which they in fact hold reproductive health information;
- if the assessment shows the regulated entity does have reproductive health information, developing and implementing written policies and procedures addressing how the entity will respond to requests for such information, including evaluating whether a request implicates reproductive health information and whether the attestation provided by the requestor is sufficient; and
- reviewing and, if necessary, updating their NPP to ensure it aligns with the organization’s actual procedures for handling reproductive health information.
Since much of the Proposed Rule may impact business associates’ ability to use and disclose reproductive health information, business associates should also consider their relationship to reproductive healthcare information and prepare to comply should the rule be finalized.