On April 12, 2023, the Office for Civil Rights (“OCR”) in the U.S. Department of Health & Human Services (“HHS”) issued a Notice of Proposed Rulemaking (“NPRM”) to strengthen privacy protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for reproductive health care. The proposed rule builds on the previous guidance issued by OCR (“Guidance”) that sought to clarify a health care provider’s obligations to protect protected health information (“PHI”) regarding reproductive health care under HIPAA. The NPRM is part of HHS’s efforts in response to President Biden’s Executive Orders regarding the protection of access to reproductive health care, one of which expressly directed HHS to consider additional action under HIPAA to ensure sensitive information related to reproductive health care is better protected to bolster patient-provider confidentiality. The White House released a Fact Sheet the same day regarding other efforts being taken by the administration with respect to protecting privacy and ensuring access to reproductive health care. Public comments on the proposed changes will be due 60 days from the date of official publication in the Federal Register.
The NPRM is intended to respond to privacy concerns that arose as a consequence of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health, which removed federal constitutional protections for abortion and reverted the regulation of abortion to the states. Following Dobbs, providers and others raised questions regarding civil, criminal or administrative investigations or proceedings instituted or threatened against patients, providers or others based on reproductive health care, including abortion. OCR expressed concern that releasing PHI related to reproductive health care could result in deterioration of the patient-provider relationship, as individuals may avoid providing accurate symptoms and medical history to health care providers for fear of legal action. The NPRM proposes additional privacy protections when PHI is sought for purposes of identifying, investigating, suing or prosecuting someone for seeking, obtaining, providing or facilitating lawful reproductive health care, including abortion.
Proposed Changes
The noteworthy proposed changes include the following:
- Clarifying the definition of “person” to mean a human being who is born alive. Notably, this could impact the definition of “individual” for purposes of applying HIPAA’s requirements and the applicability of exceptions to confidentiality and the right of access when intending to prevent a serious and imminent threat or otherwise prevent harm.
- Specifying that the term “public health” as used in the terms “public health surveillance,” “public health investigation” and “public health intervention” means population-level activities to prevent disease and promote health of populations. Such activities do not include uses and disclosures for the criminal, civil or administrative investigation into or proceeding against a person in connection with obtaining, providing or facilitating reproductive health care, or for the identification of any person in connection with a criminal, civil or administrative investigation into or proceeding against a person in connection with obtaining, providing or facilitating reproductive health care.
- Adding a definition of “reproductive health care” to mean care, services or supplies related to the reproductive health of the individual. OCR indicated that this is intended to include, but not be limited to, prenatal care, abortion, miscarriage management, infertility treatment, contraception use and treatment for reproductive-related conditions such as ovarian cancer.
- Adding a new prohibition on the use or disclosure of PHI where the use or disclosure is for the purpose of (1) a criminal, civil or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing or facilitating reproductive health care; or (2) identifying any person for the purpose of initiating such activity. Seeking, obtaining, providing or facilitating reproductive health care includes, but is not limited to, expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting or otherwise taking action to engage in reproductive health care; or attempting any such activity. The prohibition would be applicable where one or more of the following conditions exists:
  - The relevant criminal, civil or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing or facilitating reproductive health care outside of the state where the investigation or proceeding is authorized and where such health care is lawful in the state in which it is provided (e.g., if a resident of one state traveled to another state to receive an abortion that is lawful in the state where such health care was provided);
  - The relevant criminal, civil or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing or facilitating reproductive health care that is protected, required or authorized by federal law, regardless of the state in which such health care is provided (e.g., if miscarriage management is required under the Emergency Medical Treatment and Labor Act to stabilize the health of the pregnant individual); or
  - The relevant criminal, civil or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing or facilitating reproductive health care that is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state (e.g., if a resident of a state receives a pregnancy test or treatment for an ectopic pregnancy in the state where they reside and that reproductive health care is lawful in that state).
- Under the proposal, the covered entity would still be permitted to use or disclose PHI for purposes otherwise permitted under the Privacy Rule so long as the request for PHI is not made primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care. For example:
  - Disclosing PHI to defend against an investigation or proceeding related to professional misconduct or negligence with respect to the provision of reproductive health care.
  - Using or disclosing PHI to defend any person in a criminal, civil or administrative proceeding where liability could be imposed on that person for providing reproductive health care.
  - Using or disclosing PHI to an Inspector General where the PHI is sought to conduct an audit for health oversight purposes.
- A covered entity is required to obtain a valid attestation prior to using or disclosing PHI potentially related to reproductive health care from the non-covered entity requesting the use or disclosure that verifies that the use or disclosure is not prohibited by HIPAA, where the purpose of the request is for:
  - Health oversight activities as specified in § 164.512(d);
  - Judicial and administrative proceedings as specified in § 164.512(e);
  - Law enforcement purposes as specified in § 164.512(f); or
  - Coroners and medical examiners regarding disclosures about decedents as specified in § 164.512(g)(1).
In addition to a clear statement the use or disclosure of PHI is not for an impermissible purpose, the attestation is required to be written in plain language, signed and dated, and contain similar information to that required in a patient authorization, including a specific description of the information sought, the name of the individual(s) whose PHI is sought or, if not practical, the class of individuals whose PHI is sought and the name or specific identification of who is being requested to use or disclose PHI and to whom the requested use or disclosure is to be made. If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided. It may be obtained electronically as long as all required elements are present. An attestation is considered defective where:
- It lacks a required element or statement or includes an element or statement other than what is required;
- It is combined with any other document;
- The covered entity has actual knowledge that material information in the attestation is false; or
- It is objectively unreasonable for the covered entity to believe that the attestation is true with respect to the statement that the use or disclosure is not for a prohibited purpose.
If, during the course of using or disclosing PHI in reasonable reliance on a facially valid attestation, a covered entity discovers information reasonably showing that the representations in the attestation were materially false, leading to uses or disclosures of PHI for a prohibited purpose, the covered entity must cease such use or disclosure.
- The NPRM proposes modifications to provisions of HIPAA regarding the disclosure of PHI to report abuse, neglect or domestic violence to clarify that such provision does not apply when the report of abuse, neglect or domestic violence is based primarily on the provision of reproductive health care. It also adds a clarification that the ability to refuse to recognize a parent or guardian as a personal representative based on alleged abuse or neglect does not apply where the primary basis for the covered entity’s belief is the facilitation or provision of reproductive health care by such person for and at the request of the individual.
- Finally, the NPRM proposes requiring covered entities to update Notice of Privacy Practices to reference the new prohibitions on use and disclosure of PHI related to reproductive health care and related attestation requirements.
Practical Takeaways
Covered entities should carefully review the proposed rule’s changes and determine potential impacts on their policies, procedures and processes, if finalized. Additionally, organizations should consider whether to publicly comment for HHS’s consideration when finalizing the changes, whether in support, seeking additional clarification or objecting to any aspect of the proposed rule and its impact. Comments are due 60 days from the publication date in the Federal Register and can be submitted as follows:
- Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number HHS–OCR–0945–AA20. Follow the instructions at http://www.regulations.gov for submitting electronic comments. Attachments should be in Microsoft Word or Portable Document Format (PDF).
- Regular, Express or Overnight Mail: You may mail written comments (one original and two copies) to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HIPAA and Reproductive Health Care Privacy NPRM, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW, Washington, DC 20201.
If finalized, covered entities will be required to timely implement compliance with new and changed requirements.
If you have any questions, would like assistance preparing public comments or would like additional information about this topic, please contact:
- Stephane Fabus at (414) 721-0904 or sfabus@hallrender.com;
- Emily Beukema at (248) 457-7882 or ebeukema@hallrender.com; or
- Your primary Hall Render contact.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.