On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “Final Rule”). This Final Rule strengthens the privacy protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for reproductive health care by prohibiting the use and disclosure of protected health information (“PHI”) related to lawful reproductive health care. Our earlier alerts on this topic and the proposed rule can be found here and here.
This Final Rule is part of HHS’s response to President Biden’s Executive Order regarding safeguarding access to reproductive health care following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health, which removed federal constitutional protections for abortion and returned the regulation of abortion to the states. The Executive Order directed HHS to take additional action under HIPAA to ensure that sensitive information related to reproductive health care is better protected, thereby strengthening patient-provider confidentiality and ensuring that people have access to high-quality health care. The Final Rule includes additional privacy protections when PHI is sought for purposes of identifying, investigating, suing or prosecuting someone for seeking, obtaining, providing or facilitating lawful reproductive health care, including, but not limited to, abortion.
The Final Rule was designed to support and clarify the privacy interests of individuals who seek lawful reproductive health care, not to obstruct lawful investigations or prevent states from imposing liability on unlawful reproductive health care provisions. However, OCR acknowledged that this new regulatory presumption may create difficulties for enforcement agencies and officials in investigating whether reproductive health care was lawful under the circumstances in which it was provided. After considering those interests, OCR determined that countervailing privacy benefits justify these effects.
Updated and New Definitions
- Person: For the first time, the Final Rule adopted a definition of the term “person” as meaning “a natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” Therefore, under the HIPAA Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), an “individual,” “child” or “victim” must be a natural person who has been born alive.
- Public Health: HIPAA does not preempt state laws that provide for certain public health reporting, such as the required reporting of a disease, injury, birth or death. The Final Rule modified the definition of “public health” to maintain a clear distinction between public health investigations and criminal investigations for purposes of applying this preemption provision. “Public health,” as used in the terms “public health surveillance,” “public health investigation” and “public health intervention,” is clarified to mean “population-level activities to prevent disease in and promote the health of populations.” Such activities include identifying, monitoring, preventing or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of PHI, but expressly exclude the prohibited activities related to reproductive health care. State laws requiring the use or disclosure of PHI for the purpose of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing or facilitating health care, or identifying a person for such activities, are subject to preemption by HIPAA. Additionally, the Privacy Rule’s public health provisions permitting the disclosure of PHI to report disease, injury, birth or death do not permit prohibited uses or disclosures of PHI related to reproductive health care under the Final Rule. OCR indicated that authorities investigating or seeking to impose liability on a person for unlawful reproductive health care may be able to obtain such PHI pursuant to provisions regarding disclosures for law enforcement purposes where such disclosure otherwise complies with HIPAA’s conditions.
- Reproductive Health Care: The Final Rule defined “reproductive health care” as a subset of the term “health care.” “Reproductive health care” means health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” The definition is intended to be broad, similar to the definition of “health care.” The Final Rule provides a non-exhaustive list of examples of what would be included in reproductive health care, including, but not limited to contraception, preconception screening and counseling, pregnancy management and pregnancy-related conditions, diagnosis and treatment of conditions that affect the reproductive system and other types of care, services and supplies used for the diagnosis and treatment of conditions related to the reproductive system. The definition does not set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care, nor is it limited to only health care that is determined to be appropriate by a health care professional. “Reproductive health care” can also include that which the individual determines is appropriate, such as over-the-counter contraceptives. However, to be protected by HIPAA, such information must still also qualify as PHI.
Restrictions on Use and Disclosure of PHI
A covered entity (or business associate) may not use or disclose PHI (1) to conduct a criminal, civil or administrative investigation into or impose criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care, where such is lawful under the circumstances in which it is provided; or (2) to identify any person for the purpose of conducting such investigation or imposing such liability (the “Prohibition”).
Generally, the Prohibition only applies where the covered entity or business associate has reasonably determined one of the following: (1) the reproductive health care is lawful in the state in which such health care is provided; or (2) the reproductive health care is protected, required or authorized by federal law, regardless of the state in which it is provided. Where the reproductive health care was provided by another person, the reproductive health care may be presumed lawful unless the covered entity or business associate has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided or the person making the request for PHI provides factual information that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.
The Final Rule also refined language regarding the use or disclosure of PHI for purposes of reporting abuse, neglect or domestic violence. If the sole basis of the report of abuse, neglect or domestic violence is the provision or facilitation of reproductive health care, the Prohibition will take precedence over the permissive disclosure. Such permissions cannot be construed as circumventing the Prohibition. Additionally, a covered entity cannot refuse to treat a person as a personal representative based on reasonably believed abuse, neglect or endangerment situations, where the covered entity’s belief is based on the provision or facilitation of reproductive health care by the personal representative for and at the request of the individual. These changes were aimed in part at permitting parents to assist their children in obtaining lawful reproductive health care services without challenge by providers under these provisions of HIPAA.
Attestation Requirements
To implement the above Prohibition, before using or disclosing PHI “potentially related” to reproductive health care, a covered entity or business associate must first obtain a signed attestation from the person or entity requesting the use or disclosure when the request relates to one of the following purposes: (1) health oversight activities; (2) judicial and administrative proceedings; (3) law enforcement purposes; and (4) disclosures to coroners and medical examiners. Obtaining an attestation is required in addition to compliance with the Privacy Rule’s other conditions for these types of permissive uses and disclosures. Disclosures made for these purposes also must be included in any accounting of disclosures, including when they are made pursuant to an attestation.
Reliance on a defective attestation, similar to the regulations regarding authorizations, is a HIPAA violation. A valid attestation verifies that the use or disclosure is not prohibited by the Prohibition, must include all required elements in plain language and cannot contain any other element or statement that is not required by HIPAA. OCR’s model attestation form and instructions can be accessed here. An attestation can be electronically signed so long as the signature complies with all applicable e-signature laws. The attestation must be limited to the specific use or disclosure, meaning that each use or disclosure of PHI will require a new attestation. An attestation may not be combined with any other document except where needed to demonstrate a permitted purpose (such as where the requestor provides factual evidence that the reproductive health care was unlawful). Additionally, an attestation is invalid where the regulated entity has actual knowledge that it contains material information that is false, or where a regulated entity in the same position would not reasonably believe that the attestation is true.
A regulated entity is not required to investigate the validity of an attestation and is generally permitted to rely on an attestation if it reasonably determines that the request is not for a prohibited purpose or where adequate supporting documentation is provided. Where not facially deficient, a regulated entity should consider the following, amongst other things, in assessing whether it is reasonable to rely on an attestation:
- Who is requesting the use or disclosure of PHI;
- The permission upon which the person making the request is relying;
- The information provided to satisfy other conditions of the relevant permission; and
- The PHI requested and its relationship to the stated purpose of the request.
Uses and disclosures pursuant to a valid attestation will still be subject to the minimum necessary standard unless specifically exempted. If the requestor is also a regulated entity, that entity will also need to make reasonable efforts to limit its request to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. If at any point a covered entity or business associate discovers that any representation made in the attestation was materially false, the covered entity or business associate must cease reliance on it for the use or disclosure of PHI.
Updates to Notice of Privacy Practices
Covered entities will need to update their Notices of Privacy Practices (“NPPs”) to comply with the Final Rule. These updates are required to address both the provisions on reproductive health care privacy discussed in this alert and also laws that are more stringent than HIPAA, such as the modifications to the confidentiality of substance use disorder patient records at 42 C.F.R. Part 2, as required by the Coronavirus Aid, Relief, and Economic Security Act of 2020. Our alert on the modifications to 42 C.F.R. Part 2 can be found here. The Final Rule requires NPPs to provide sufficient details on how PHI related to reproductive health care can be used and disclosed. This includes providing a description and at least one example of (1) the prohibited uses and disclosures of PHI relating to reproductive health care and (2) the types of uses and disclosures that require an attestation from the requestor. Additionally, NPPs must now also include a statement about the potential for information disclosed under HIPAA to be redisclosed and no longer subject to HIPAA’s protections. This is intended to help provide the public with more transparency about the limitations of HIPAA’s protections.
Effective Dates
While the Final Rule became effective June 25, 2024, regulated entities have until December 23, 2024, to comply with its requirements. However, to align timeframes with NPP changes addressed in the Part 2 Final Rule, regulated entities have until February 16, 2026, to make the necessary updates to their NPPs.
Practical Takeaways
In assessing implementation and compliance with the provisions of this Final Rule, covered entities and, to the extent appropriate, their business associates should:
- Assess the PHI they have in their possession and their health information technology systems to determine data flagging mechanisms and how to best identify PHI subject to the Final Rule’s prohibitions, because the broad definition of reproductive health care may make PHI “potentially related” to such care difficult to identify. Additionally, connections that transmit such data to other systems will need to be assessed to determine if the transmission is for purposes that require an attestation.
- Update policies and procedures to address the prohibitions on the use and disclosure of PHI related to reproductive health care and the attestation requirements. Regulated entities may also wish to assess the use of the sample form attestation and how the form may be incorporated into electronic data-sharing systems and software.
- Ensure that workforce members are appropriately trained on these new requirements and any updated organizational processes to implement them. For example, frontline staff who may be approached by law enforcement will need to be aware of the need to restrict disclosure of PHI until the request can be appropriately assessed where reproductive health care is potentially at issue and how to respond if they get pushback from requestors. Those responsible for assessing the validity of attestations will need to understand how to assess the lawfulness of the care at issue and applicability of the presumption.
- Review business associate relationships and agreements to identify any revisions that may be necessary to comply with the Final Rule. This may be particularly important in relationships with business associates that provide the release of information services or that are involved in the exchange of data for affected activities, such as health information networks and exchanges. However, because the prohibitions on use and disclosure and the attestation requirement are purpose-focused versus content-focused, it may be prudent to assess all business associate relationships to ensure that they are not responding to investigative requests in a manner prohibited by the regulations.
- Make the required revisions to their NPPs a priority to comply with the Final Rule. Given the focus on ensuring that the NPP captures the requirement of more stringent bodies of law applicable to the covered entity, this may require assessing other applicable laws, such as 42 C.F.R. Part 2 or state law, to ensure the NPP is providing the requisite notice to the public.
If you have any questions or would like additional information about this topic, please contact:
- Stephane Fabus at (414) 721-0904 or sfabus@hallrender.com;
- Charise Frazier at (317) 977-1406 or cfrazier@hallrender.com;
- Katherine Kuchan at (414) 721-0479 or kkuchan@hallrender.com;
- Waseem Chachar at (317) 977-1496 or wchachar@hallrender.com; or
- Your primary Hall Render contact.
Special thanks to Zachary Renier, Summer Associate, for his assistance in preparing this article.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.