Introduction
On April 22, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a final rule to modify certain provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”) Privacy Rule (the “Privacy Rule”) to support reproductive health care privacy (the “Final Rule”).1 In accordance with the Notice of Proposed Rulemaking issued on April 12, 2023,2 and in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and subsequent state abortion bans, the Final Rule strengthens protections concerning the use and disclosure of reproductive health care information. In doing so, the Final Rule seeks to protect access to and the privacy of reproductive health care and bolster patient-provider confidentiality.
The Final Rule is effective on June 25, 2024. Covered health care providers, health plans, health care clearinghouses, and their business associates (collectively, “Regulated Entities”) must comply with all provisions of the Final Rule by December 22, 2024, except for the requirement to update their Notice of Privacy Practices for which they have until February 16, 2026 to comply.3
Background
In response to the Dobbs decision, on June 29, 2022, OCR released guidance materials discussing the role that HIPAA plays in safeguarding women’s protected health information (“PHI”) and began this rulemaking process the following year. With each of these actions, OCR has emphasized that its purpose-based motivations are to ensure that the Dobbs decision and subsequent developments in federal and state law do not diminish individuals’ expectations of privacy of their health information in a manner that leads to their distrust and refusal to access health care.4
The Final Rule
Enhanced Protection of PHI Related to Reproductive Health Care
The Final Rule modifies the Privacy Rule to limit circumstances in which an individual’s PHI about reproductive health care may be used or disclosed for non-health care purposes, particularly where such use or disclosure could detrimentally impact the individual’s privacy or their trust in their health care providers.5 The PHI covered by the Final Rule includes information related to reproductive health care services—including patients’ receipt of contraception, management of pregnancy and pregnancy-related conditions, miscarriage management, pregnancy termination, fertility or infertility diagnosis and treatment, assistive reproductive technology, and other diagnoses, treatment and care that affect the reproductive system—that was lawfully obtained.6
The Final Rule explicitly prohibits the use or disclosure of PHI by Regulated Entities for the following activities:
- To conduct a criminal civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;7
- To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;8 and
- The identification of any person for the purpose of conducting such investigation or imposing such liability.9
This prohibition preempts state laws mandating the use or disclosure of PHI pursuant to a court order or other legal process for a prohibited purpose,10 and is only applicable when a Regulated Entity has reasonably determined that at least one of the following conditions exists:
- The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided;11
- The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution,12 regardless of the state in which such health care is provided;13
- The reproductive health care was provided by a person other than the Regulated Entity that receives the request for PHI, and the presumption is that the care provided was lawful.14 Such presumption applies unless one of the following conditions is met:
- The Regulated Entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided; or
- The Regulated Entity receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.15
If any of the aforementioned conditions are not satisfied (e.g., if the reproductive health care is known by the Regulated Entity to have been delivered unlawfully), then the Final Rule’s protections do not apply, and a Regulated Entity would be permitted, but not required to disclose PHI to law enforcement so long as such disclosure is otherwise in accordance with the Privacy Rule.16
Attestation Requirement
The Final Rule requires that Regulated Entities obtain a signed and dated attestation from the person or entity requesting PHI potentially related to reproductive health care for health care oversight activities, judicial and administrative proceedings, law enforcement purposes and disclosures to coroners and medical examiners.17 The attestation must (i) state that the requested use or disclosure of PHI is not for a prohibited purpose; and (ii) provide a statement of notice of criminal penalties for persons who knowingly obtain or disclose individually identifiable health information in violation of HIPAA.18 The attestation is designed to facilitate compliance with the Final Rule by assisting Regulated Entities in determining whether the use or disclosure of PHI is permitted. A sample attestation will be published prior to the Final Rule’s compliance date.
Notice of Privacy Practices (“NPPs”)
The Final Rule also requires Regulated Entities that are health care providers, health plans, or health care clearinghouses to revise their NPPs in a number of ways to strengthen reproductive health care privacy.19 For example, the Final Rule specifically requires that Regulated Entities revise their NPPs to inform individuals about how their PHI may or may not be used or disclosed for purposes set forth above and provide examples.20
Key Takeaways
Regulated Entities and other stakeholders should consider the following when complying with the new requirements under the Final Rule.
- Update HIPAA Polices and Procedures, NPPs and Business Associate Agreements (“BAAs”). Regulated Entities must update their HIPAA policies and procedures concerning the use and disclosure of information potentially related to reproductive health care. Health care providers, health plans, and health care clearinghouses must update their NPPs and post the updated NPPs to their websites. In addition, to the extent prohibitions under the Final Rule are inconsistent with existing BAAs and/or the BAAs do not adequately contemplate the process for responding to requests received for the use or disclosure of PHI for the certain non-health care purposes described above, Regulated Entities must update their BAAs to reflect the new protections under the Final Rule.
- Draft Attestations. Regulated Entities must adopt an attestation form and implement a process for workforce members to administer the attestation form in accordance with the Final Rule. In addition, Regulated Entities should consider whether implementation of the attestation process will be administratively simpler if attestations are required by the Regulated Entity for all PHI requests for the non-health care purposes set forth under the “Attestation Requirement” section above (rather than only those potentially related to reproductive health care). Given the broad definition of reproductive health care, this approach will limit the possibility that a Regulated Entity fails to appropriately identify whether PHI is potentially related to reproductive health care. Further, unlike psychotherapy notes, which are easily severable from a patient’s other health care information, PHI related to one’s reproductive health care is often inextricably intertwined with the patient’s general medical records, making such severability extremely challenging, if not impossible.
- Compliance Training. Regulated Entities must update their HIPAA training for workforce members to reflect the limitations on the uses and disclosure of PHI under the Final Rule and the new attestation form requirement.
- Scope of Protected Data. Patients should take note of the limited scope of the Final Rule’s application. As described above, the Final Rule does not mandate a blanket prohibition against disclosure for all reproductive PHI nor does it limit otherwise permissible PHI uses and disclosures under the Privacy Rule. The Final Rule also does not provide privacy protections for individuals’ health or other sensitive information maintained and stored on their personal devices. For instance, the Final Rule does not protect the location information of a patient visiting an abortion clinic or information patients voluntarily upload to consumer mobile applications. In addition, the Final Rule does not apply to entities not subject to HIPAA, such as health care apps, or other entities subject to Federal Trade Commission (“FTC”) jurisdiction. These entities should be aware, however, that the FTC has taken a similar stance regarding the protection of reproductive health care information, including health and location data, in the enforcement of its Health Breach Notification Rule.21 These entities should also consider whether state abortion shield laws prohibit the disclosure of certain sensitive information that they store. For example, California law prohibits California-based companies that provide electronic communication services from cooperating with out-of-state search warrants related to abortion investigations.
- Enforcement. Given the status of protections of reproductive health information at the federal and state levels, providers should consider the local enforcement environment and the potential challenges to OCR’s oversight of the attestation process. A Regulated Entity faced with a subpoena from a law enforcement agency in a state that does not permit abortion may feel pressured to comply with the subpoena despite the Final Rule. OCR will need to determine how it will support Regulated Entities that are pressured to disclose reproductive PHI. Regulated Entities’ legal and compliance departments should consider establishing a hotline to answer questions related to requests from law enforcement.
Avenues for Further Clarification
Notwithstanding these takeaways, in light of the current regulatory and political environment surrounding access to reproductive health care, the scope of reproductive health care services that may be considered “authorized by Federal law” remains uncertain. For example, the emergency care mandated under the Emergency Medical Treatment and Labor Act (“EMTALA”) may conflict with state abortion bans. EMTALA requires hospitals to administer stabilizing care, which may include abortions, to patients experiencing medical emergencies. As a result, EMTALA may require care that is prohibited by certain state abortion laws.22 The Supreme Court heard oral arguments on April 22, 2024 addressing whether EMTALA preempts such state laws and thus requires hospitals to provide emergency abortions even in states with stringent abortion laws.23 As the term “authorized by Federal law” is continuously evolving, future regulatory and sub-regulatory guidance responsive to legislation and/or judicial opinions may offer clarity as to its scope.
Ropes & Gray will continue to monitor developments in this area. If you have any questions, please do not hesitate to contact the authors or your usual Ropes & Gray advisor.
- See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf.
- See https://www.ropesgray.com/en/insights/alerts/2023/04/hhs-proposes-changes-to-the-hipaa-privacy-rule-to-strengthen-privacy-protections.
- https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 9, 12.
- https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 36.
- https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 7. In the preamble to the Final Rule, OCR clarifies that in creating the protections for PHI related to reproductive health care the Department was not “finalizing a newly defined subset of PHI,” but instead “finalizing a purpose-based prohibition against certain uses and disclosures.” Id. at 44.
- Id. at 93-94.
- The Final Rule indicates “The prohibition’s reference to the ‘mere act’ of seeking, obtaining, providing, or facilitating lawful reproductive health care includes the reasons that the reproductive health care was sought or provided (e.g., an investigation into whether a particular abortion was necessary to save a pregnant person’s life would constitute an investigation into the ‘mere act’ of seeking, obtaining, providing, or facilitating reproductive health care). The reference to ‘mere act’ operates the same way with respect to activities conducted to identify any individual for the purposes described above. This includes but is not limited to law enforcement investigations, third party investigations in furtherance of civil proceedings, state licensure proceedings, criminal prosecutions, and family law proceedings.” https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 113.
- See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 278; see also, https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html. The Finale Rule adds a new definition of “reproductive health care,” defined as health care that “affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” Id. at 277. It also clarifies the definition of “person” to mean “a natural person (meaning human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” Id. The Final Rule also specifies that “seeking, obtaining, providing, or facilitating reproductive health care” includes, but is not limited to: “expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.” Id. at 280.
- See id.
- See https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html.
- See id. at 279.
- The Final Rule indicates that, “the U.S. Constitution is not the sole source of Federal law, and that Federal statutes, regulations, and policies may be the relevant legal authority for determining whether the reproductive health care is protected, required, or authorized under Federal law. This final rule in no way supersedes applicable state law pertaining to the lawfulness of reproductive health care.” See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 121.
- See id. at 279.
- See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 279.
- See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 279.
- See id. Under the Final Rule, such disclosure is only permitted when “The disclosure is not subject to the prohibition; the disclosure is required by law; [and] the disclosure meets all applicable conditions of the Privacy Rule permission to use or disclose PHI as required by law.” See id.
- See https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf at 281; see also https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html.
- See id. at 175; 282.
- See id. at 284. We recognize that required changes to NPPs under the Final Rule also include revisions to address proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (“SUD”) Patient Records (“Part 2 NPRM”), as required by or consistent with the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020. These changes are outside the scope of review of this alert.
- See id. at 227.
- See id. at 42. On April 26, 2024, the FTC issued a final rule on changes to its Health Breach Notification Rule (“HBNR”), clarifying HBNR’s application to health apps and other technologies and extending the scope of information that covered entities are required to provide to consumers within health data breach notifications. See https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule. The HBNR mandates vendors of personal health records (“PHR”) and related entities that are not covered by HIPAA to notify individuals, the FTC, and, in certain circumstances, the media of a breach of unsecured personally identifiable health data. Additionally, it mandates that third-party service providers to vendors of PHRs and PHR-related entities notify vendors and PHR-related entities upon the discovery of a breach. Id. The final rule specifically references the FTC’s efforts to protect reproductive health care information, stating that the FTC has “also recognized that information about personal reproductive matters is ‘particularly sensitive’ and has committed to using the full scope of its authorities to protect consumers’ privacy, including the privacy of their health information and other sensitive data.” Through its business guidance, the FTC has explained that “[t]he exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms…The [FTC] is committed to using the full scope of its legal authorities to protect consumers’ privacy.” See Kristin Cohen, “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” Federal Trade Commission Business Blog (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal; see also id. at 43.
- See https://apnews.com/article/abortion-supreme-court-idaho-emergency-care-000a2482fdd1f1299599c91a6cc7635a.
- See id.
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.