HHS Finalizes Changes with Respect to Strengthening the Privacy of Reproductive Health Care Information under HIPAA

Alert
May 2, 2024

Introduction

On April 22, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a final rule to modify certain provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”) Privacy Rule (the “Privacy Rule”) to support reproductive health care privacy (the “Final Rule”).1 In accordance with the Notice of Proposed Rulemaking issued on April 12, 2023,2 and in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and subsequent state abortion bans, the Final Rule strengthens protections concerning the use and disclosure of reproductive health care information. In doing so, the Final Rule seeks to protect access to and the privacy of reproductive health care and bolster patient-provider confidentiality.

The Final Rule is effective on June 25, 2024. Covered health care providers, health plans, health care clearinghouses, and their business associates (collectively, “Regulated Entities”) must comply with all provisions of the Final Rule by December 22, 2024, except for the requirement to update their Notice of Privacy Practices for which they have until February 16, 2026 to comply.3

Background

In response to the Dobbs decision, on June 29, 2022, OCR released guidance materials discussing the role that HIPAA plays in safeguarding women’s protected health information (“PHI”) and began this rulemaking process the following year. With each of these actions, OCR has emphasized that its purpose-based motivations are to ensure that the Dobbs decision and subsequent developments in federal and state law do not diminish individuals’ expectations of privacy of their health information in a manner that leads to their distrust and refusal to access health care.4

The Final Rule

Enhanced Protection of PHI Related to Reproductive Health Care

The Final Rule modifies the Privacy Rule to limit circumstances in which an individual’s PHI about reproductive health care may be used or disclosed for non-health care purposes, particularly where such use or disclosure could detrimentally impact the individual’s privacy or their trust in their health care providers.5 The PHI covered by the Final Rule includes information related to reproductive health care services—including patients’ receipt of contraception, management of pregnancy and pregnancy-related conditions, miscarriage management, pregnancy termination, fertility or infertility diagnosis and treatment, assistive reproductive technology, and other diagnoses, treatment and care that affect the reproductive system—that was lawfully obtained.6

The Final Rule explicitly prohibits the use or disclosure of PHI by Regulated Entities for the following activities:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;7
  • To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;8 and
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.9

This prohibition preempts state laws mandating the use or disclosure of PHI pursuant to a court order or other legal process for a prohibited purpose,10 and is only applicable when a Regulated Entity has reasonably determined that at least one of the following conditions exists:

  • The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided;11
  • The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution,12 regardless of the state in which such health care is provided;13
  • The reproductive health care was provided by a person other than the Regulated Entity that receives the request for PHI, and the presumption is that the care provided was lawful.14 Such presumption applies unless one of the following conditions is met:
    • The Regulated Entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided; or
    • The Regulated Entity receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.15

If any of the aforementioned conditions are not satisfied (e.g., if the reproductive health care is known by the Regulated Entity to have been delivered unlawfully), then the Final Rule’s protections do not apply, and a Regulated Entity would be permitted, but not required, to disclose PHI to law enforcement so long as such disclosure is otherwise in accordance with the Privacy Rule.16

Attestation Requirement

The Final Rule requires that Regulated Entities obtain a signed and dated attestation from the person or entity requesting PHI potentially related to reproductive health care for health care oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners.17 The attestation must (i) state that the requested use or disclosure of PHI is not for a prohibited purpose; and (ii) provide a statement of notice of criminal penalties for persons who knowingly obtain or disclose individually identifiable health information in violation of HIPAA.18 The attestation is designed to facilitate compliance with the Final Rule by assisting Regulated Entities in determining whether the use or disclosure of PHI is permitted. A sample attestation will be published prior to the Final Rule’s compliance date.

Notice of Privacy Practices (“NPPs”)

The Final Rule also requires Regulated Entities that are health care providers, health plans, or health care clearinghouses to revise their NPPs in a number of ways to strengthen reproductive health care privacy.19 For example, the Final Rule specifically requires that Regulated Entities revise their NPPs to inform individuals about how their PHI may or may not be used or disclosed for the purposes set forth above and provide examples.20

Key Takeaways

Regulated Entities and other stakeholders should consider the following when complying with the new requirements under the Final Rule.

  1. Update HIPAA Policies and Procedures, NPPs and Business Associate Agreements (“BAAs”). Regulated Entities must update their HIPAA policies and procedures concerning the use and disclosure of information potentially related to reproductive health care. Health care providers, health plans, and health care clearinghouses must update their NPPs and post the updated NPPs to their websites. In addition, to the extent prohibitions under the Final Rule are inconsistent with existing BAAs and/or the BAAs do not adequately contemplate the process for responding to requests received for the use or disclosure of PHI for the certain non-health care purposes described above, Regulated Entities must update their BAAs to reflect the new protections under the Final Rule.
  2. Draft Attestations. Regulated Entities must adopt an attestation form and implement a process for workforce members to administer the attestation form in accordance with the Final Rule. In addition, Regulated Entities should consider whether implementation of the attestation process will be administratively simpler if attestations are required by the Regulated Entity for all PHI requests for the non-health care purposes set forth under the “Attestation Requirement” section above (rather than only those potentially related to reproductive health care). Given the broad definition of reproductive health care, this approach will limit the possibility that a Regulated Entity fails to appropriately identify whether PHI is potentially related to reproductive health care. Further, unlike psychotherapy notes, which are easily severable from a patient’s other health care information, PHI related to one’s reproductive health care is often inextricably intertwined with the patient’s general medical records, making such severability extremely challenging, if not impossible.
  3. Compliance Training. Regulated Entities must update their HIPAA training for workforce members to reflect the limitations on the uses and disclosure of PHI under the Final Rule and the new attestation form requirement.
  4. Scope of Protected Data. Patients should take note of the limited scope of the Final Rule’s application. As described above, the Final Rule does not mandate a blanket prohibition against disclosure for all reproductive PHI nor does it limit otherwise permissible PHI uses and disclosures under the Privacy Rule. The Final Rule also does not provide privacy protections for individuals’ health or other sensitive information maintained and stored on their personal devices. For instance, the Final Rule does not protect the location information of a patient visiting an abortion clinic or information patients voluntarily upload to consumer mobile applications. In addition, the Final Rule does not apply to entities not subject to HIPAA, such as health care apps, or other entities subject to Federal Trade Commission (“FTC”) jurisdiction. These entities should be aware, however, that the FTC has taken a similar stance regarding the protection of reproductive health care information, including health and location data, in the enforcement of its Health Breach Notification Rule.21 These entities should also consider whether state abortion shield laws prohibit the disclosure of certain sensitive information that they store. For example, California law prohibits California-based companies that provide electronic communication services from cooperating with out-of-state search warrants related to abortion investigations.
  5. Enforcement. Given the status of protections of reproductive health information at the federal and state levels, providers should consider the local enforcement environment and the potential challenges to OCR’s oversight of the attestation process. A Regulated Entity faced with a subpoena from a law enforcement agency in a state that does not permit abortion may feel pressured to comply with the subpoena despite the Final Rule. OCR will need to determine how it will support Regulated Entities that are pressured to disclose reproductive PHI. Regulated Entities’ legal and compliance departments should consider establishing a hotline to answer questions related to requests from law enforcement.

Avenues for Further Clarification

Notwithstanding these takeaways, in light of the current regulatory and political environment surrounding access to reproductive health care, the scope of reproductive health care services that may be considered “authorized by Federal law” remains uncertain. For example, the emergency care mandated under the Emergency Medical Treatment and Labor Act (“EMTALA”) may conflict with state abortion bans. EMTALA requires hospitals to administer stabilizing care, which may include abortions, to patients experiencing medical emergencies. As a result, EMTALA may require care that is prohibited by certain state abortion laws.22 The Supreme Court heard oral arguments on April 22, 2024 addressing whether EMTALA preempts such state laws and thus requires hospitals to provide emergency abortions even in states with stringent abortion laws.23 As the term “authorized by Federal law” is continuously evolving, future regulatory and sub-regulatory guidance responsive to legislation and/or judicial opinions may offer clarity as to its scope.

Ropes & Gray will continue to monitor developments in this area. If you have any questions, please do not hesitate to contact the authors or your usual Ropes & Gray advisor.

  1. See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf.
  2. See https://www.ropesgray.com/en/insights/alerts/2023/04/hhs-proposes-changes-to-the-hipaa-privacy-rule-to-strengthen-privacy-protections.
  3. https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 9, 12.
  4. https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 36.
  5. https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 7. In the preamble to the Final Rule, OCR clarifies that in creating the protections for PHI related to reproductive health care the Department was not “finalizing a newly defined subset of PHI,” but instead “finalizing a purpose-based prohibition against certain uses and disclosures.” Id. at 44.
  6. Id. at 93-94.
  7. The Final Rule indicates “The prohibition’s reference to the ‘mere act’ of seeking, obtaining, providing, or facilitating lawful reproductive health care includes the reasons that the reproductive health care was sought or provided (e.g., an investigation into whether a particular abortion was necessary to save a pregnant person’s life would constitute an investigation into the ‘mere act’ of seeking, obtaining, providing, or facilitating reproductive health care). The reference to ‘mere act’ operates the same way with respect to activities conducted to identify any individual for the purposes described above. This includes but is not limited to law enforcement investigations, third party investigations in furtherance of civil proceedings, state licensure proceedings, criminal prosecutions, and family law proceedings.” https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 113.
  8. See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 278; see also https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html. The Final Rule adds a new definition of “reproductive health care,” defined as health care that “affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” Id. at 277. It also clarifies the definition of “person” to mean “a natural person (meaning human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” Id. The Final Rule also specifies that “seeking, obtaining, providing, or facilitating reproductive health care” includes, but is not limited to: “expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.” Id. at 280.
  9. See id.
  10. See https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html.
  11. See id. at 279.
  12. The Final Rule indicates that, “the U.S. Constitution is not the sole source of Federal law, and that Federal statutes, regulations, and policies may be the relevant legal authority for determining whether the reproductive health care is protected, required, or authorized under Federal law. This final rule in no way supersedes applicable state law pertaining to the lawfulness of reproductive health care.” See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 121.
  13. See id. at 279.
  14. See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 279.
  15. See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 279.
  16. See id. Under the Final Rule, such disclosure is only permitted when “The disclosure is not subject to the prohibition; the disclosure is required by law; [and] the disclosure meets all applicable conditions of the Privacy Rule permission to use or disclose PHI as required by law.” See id.
  17. See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 281; see also https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html.
  18. See id. at 175; 282.
  19. See id. at 284. We recognize that required changes to NPPs under the Final Rule also include revisions to address proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (“SUD”) Patient Records (“Part 2 NPRM”), as required by or consistent with the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020. These changes are outside the scope of review of this alert.
  20. See id. at 227.
  21. See id. at 42. On April 26, 2024, the FTC issued a final rule on changes to its Health Breach Notification Rule (“HBNR”), clarifying HBNR’s application to health apps and other technologies and extending the scope of information that covered entities are required to provide to consumers within health data breach notifications. See https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule. The HBNR mandates vendors of personal health records (“PHR”) and related entities that are not covered by HIPAA to notify individuals, the FTC, and, in certain circumstances, the media of a breach of unsecured personally identifiable health data. Additionally, it mandates that third-party service providers to vendors of PHRs and PHR-related entities notify vendors and PHR-related entities upon the discovery of a breach. Id. The final rule specifically references the FTC’s efforts to protect reproductive health care information, stating that the FTC has “also recognized that information about personal reproductive matters is ‘particularly sensitive’ and has committed to using the full scope of its authorities to protect consumers’ privacy, including the privacy of their health information and other sensitive data.” Through its business guidance, the FTC has explained that “[t]he exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms… The [FTC] is committed to using the full scope of its legal authorities to protect consumers’ privacy.” See Kristin Cohen, “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” Federal Trade Commission Business Blog (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal; see also id. at 43.
  22. See https://apnews.com/article/abortion-supreme-court-idaho-emergency-care-000a2482fdd1f1299599c91a6cc7635a.
  23. See id.