HHS Proposes Changes to the HIPAA Privacy Rule to Strengthen Privacy Protections for Reproductive Health Care Information

Alert
April 25, 2023
9 minutes

Introduction

On April 12, 2023, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced proposed changes to the Privacy Rule (the “Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”), via a Notice of Proposed Rulemaking (the “Proposed Rule”).1 If finalized in its current form, the Proposed Rule would alter the current Privacy Rule standards by prohibiting uses and disclosures of protected health information (“PHI”) by health plans, health care clearinghouses, and most health care providers, as well as their business associates (“Regulated Entities”), relating to criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, including abortion-related care, that is lawful under the circumstances in which it is provided.2 The Proposed Rule would strengthen privacy protections for reproductive health information in direct response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.

Background

On June 24, 2022, the Supreme Court issued its opinion in Dobbs v. Jackson Women’s Health Organization, overturning precedent that protected access to abortion services before the point of fetal viability, leaving such decisions to the respective state legislatures.3 In response to the Dobbs decision, on June 29, 2022, OCR released guidance materials discussing the role that HIPAA plays in safeguarding women’s PHI.4

Further, on April 7, 2023, two federal district courts issued conflicting orders related to the U.S. Food and Drug Administration’s (“FDA”) approval and oversight of mifepristone for use in medication abortion. The U.S. District Court for the Northern District of Texas issued a nationwide “stay” of the FDA’s approvals of mifepristone, while the U.S. District Court for the Eastern District of Washington issued a preliminary injunction preventing FDA from “altering the status quo” of mifepristone’s availability. In response to the Texas court’s decision, the U.S. Department of Justice announced on April 13, 2023 that it would seek emergency relief from the United States Supreme Court. On April 21, 2023, the Supreme Court stayed the U.S. District Court for the Northern District of Texas’s ruling, ensuring mifepristone will remain available while the appeals proceed. Our previous alert discusses the two conflicting district court decisions in more detail.

Following these events, an increasing number of states have imposed restrictive abortion laws that impose potential civil or criminal liability for those involved in seeking or providing an abortion.5 Currently, the Privacy Rule permits but does not require Regulated Entities to disclose PHI when faced with a court order or other mandate requesting the PHI.6 Thus, post-Dobbs, Regulated Entities are permitted to disclose PHI related to reproductive health to law enforcement under the Privacy Rule regardless of whether the reproductive care is legal in the state in which it is delivered.7

As a result, OCR issued the Proposed Rule to enhance the protection of PHI related to reproductive health care by prohibiting the disclosure of such PHI when such health care services are provided legally.

Regulated Entities must be aware of and be prepared to meet the more rigorous requirements under the Proposed Rule, including understanding when disclosures of PHI are not permitted, training staff on the new requirements, enhancing the level of security of the IT systems maintaining PHI, and ensuring that the Regulated Entity’s policies and procedures will meet the new proposed requirements, once finalized. This client alert expands upon a previous alert published by Ropes & Gray in July 2022 and analyzes the proposed changes to the Privacy Rule as set forth in the Proposed Rule, as well as their implications for patients, providers, and other stakeholders. Comments on the Proposed Rule are due by June 16, 2023. The resulting final rule would take effect 60 days after publication, with a subsequent 180-day grace period after which Regulated Entities must comply.8

The Proposed Rule

Enhanced Protection of PHI Related to Reproductive Health Care

In light of the changing legal environment, OCR proposes to enhance protections for PHI related to “reproductive health care” by setting forth a new prohibition against “the use or disclosure of PHI for the criminal, civil, or administrative investigation of or proceeding against an individual, regulated entity, or other person for seeking, obtaining, providing, or facilitating reproductive health care, as well as the identification of any person for the purpose of initiating such an investigation or proceeding.”9 In proposing this prohibition, OCR explicitly refers to the Congressional intent of the Privacy Rule: “[i]t would be contrary to the Congressional intent of protecting the privacy of an individual’s PHI and access to health care if the Privacy Rule were to permit a regulated entity to use or disclose PHI to investigate and bring proceedings against persons for seeking, obtaining, providing or facilitating reproductive health care, or to identify any person for such purposes, where such health care is lawful under state or Federal law.”10 The Proposed Rule also introduces a new category of PHI related to “reproductive health care,” defined to include “care, services, or supplies related to the reproductive health of the individual.”11 Notably, this term may be interpreted broadly to cover a wide range of PHI beyond abortion care, including fertility treatments and contraception.

Under the Proposed Rule, Regulated Entities would be prohibited from disclosing PHI under the following three circumstances:

  1. When reproductive health care “is sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized.”12 This application is rooted in the constitutional right to interstate travel.13

    • Example: A resident of State A traveled to State B for an abortion because abortion is lawful in State B.14 Under such circumstances, the Regulated Entity that provided the reproductive care in State B to the State A resident would be prohibited from disclosing PHI to State A law enforcement to be used in an investigation or proceeding relating to the delivery of the abortion.15 Further, a Regulated Entity in State A that receives PHI related to the out-of-state delivery of such reproductive health care would be subject to the same restrictions.16
  2. When reproductive health care is “protected, required, or expressly authorized by federal law, regardless of the state in which such health care was provided.”17 This circumstance would include reproductive care, such as miscarriage management, as mandated under the Emergency Medical Treatment and Labor Act (“EMTALA”) to stabilize a pregnant person experiencing an emergency medical condition. What remains unclear are the implications of FDA’s longstanding approval of mifepristone, the recent conflicting federal court rulings discussed at the beginning of this alert, and whether FDA approval may qualify as authorization under federal law.
  3. When reproductive care is “provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such health care is provided.”18

In each of the three scenarios noted above, the prohibition on disclosure applies only if the reproductive health care was delivered lawfully and would preempt state and other laws that mandate a Regulated Entity to use or disclose PHI pursuant to a court order or other legal process for a prohibited purpose.19 However, where such care is delivered unlawfully, the Proposed Rule’s protections would not apply; a Regulated Entity would then be permitted but not required to disclose PHI to law enforcement.

Attestation Requirement

To facilitate the implementation of this prohibition, the Proposed Rule would require Regulated Entities to collect an attestation from the person or entity seeking the PHI that such use or disclosure of the PHI is not for a prohibited purpose.20 The attestation requirement would apply only when the PHI is potentially related to reproductive health care and is requested for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. If implemented, the Proposed Rule would mandate that the Regulated Entity collect assurances from the requesting entity through a signed and dated written statement that the use or disclosure of such PHI would not be for a prohibited purpose.21 In requiring the attestation, OCR seeks to prevent circumvention of the Proposed Rule’s privacy protections, allow for essential PHI uses and disclosures, and decrease the administrative burden on the Regulated Entity through a standard approach to determining whether a requested use or disclosure is permitted.22

Key Takeaways

Providers, patients, and other stakeholders should consider the following when implementing and complying with these new restrictions, if finalized.

  1. New Category of PHI Related to “Reproductive Health Care.” Regulated Entities likely will need to change how they identify, store, and track PHI related to reproductive health care. This will ensure that, should a Regulated Entity receive a subpoena for reproductive PHI, the Regulated Entity knows what information cannot be disclosed in response to the subpoena per the Proposed Rule. Further, Regulated Entities will need to update their training for employees to cover the Proposed Rule, the attestation process, and how to properly respond to requests from law enforcement. Regulated Entities will also need to consider the Proposed Rule when exchanging full patient records with another provider. For example, if a patient moves from California to Texas, the patient’s new Texas provider should consider whether the patient’s full record includes reproductive PHI for procedures obtained legally in California.
  2. Scope of Protected Data. Patients should take note of the limited scope of the Proposed Rule’s application. As described above, the Proposed Rule does not mandate a blanket prohibition against disclosure for all reproductive PHI nor does it limit otherwise permissible PHI uses and disclosures under the Privacy Rule. Even if the Proposed Rule were finalized in its current form, it would not provide privacy protections for individuals’ health or other sensitive information maintained and stored on their personal devices. For instance, the Proposed Rule would not protect the location information of a patient visiting an abortion clinic or web searches for abortion providers.
  3. Other Sensitive Reproductive Health Data. The Proposed Rule does not apply to entities not subject to HIPAA, such as health care apps, or other entities subject to Federal Trade Commission jurisdiction. These entities should consider, however, whether state abortion shield laws prohibit the disclosure of certain sensitive information that they store. For example, California law prohibits California-based companies that provide electronic communication services from cooperating with out-of-state search warrants related to abortion investigations.23
  4. Enforcement. Given the status of protections of reproductive health information at the federal and state levels, providers should consider the local enforcement environment and the potential challenges to OCR’s oversight of the attestation process. A Regulated Entity faced with a subpoena from a law enforcement agency in a state that does not permit abortion may feel pressured to comply with the subpoena despite the Proposed Rule. OCR will need to determine how it will support Regulated Entities that are pressured to disclose reproductive PHI. Regulated Entities’ legal and compliance departments should consider establishing a hotline to answer questions related to requests from law enforcement.

Ropes & Gray will continue to monitor developments in this area. If you have any questions, please do not hesitate to contact the authors or your usual Ropes & Gray advisor.

  1. HIPAA Privacy Rule to Support Reproductive Health Privacy, available at https://public-inspection.federalregister.gov/2023-07517.pdf, at 1.
  2. Id.
  3. See Interactive Map: US Abortion Policies and Access After Roe, Guttmacher Institute (last accessed April 13, 2023), available at https://states.guttmacher.org/policies/?gclid=EAIaIQobChMIpYOIwIOB-QIVUDizAB2Rng-SEAAYASAAEgKCn_D_BwE.
  4. See OCR, HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care (June 29, 2022), available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html; OCR, Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet (June 29, 2022), available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
  5. https://public-inspection.federalregister.gov/2023-07517.pdf (p. 43); see, e.g., Giulia Carbonaro, “Texas bill targeting internet abortion access ‘attacks individual liberty’,” Newsweek (Mar. 3, 2023), available at https://www.newsweek.com/texas-bill-targeting-internet-abortion-access-attacks-individual-liberty-1785254; Alice Miranda Ollstein and Megan Messerly, “Missouri wants to stop out-of-state abortions. Other states could follow,” Politico (Mar. 19, 2022), available at https://www.politico.com/news/2022/03/19/travel-abortion-law-missouri-00018539.
  6. HIPAA Privacy Rule to Support Reproductive Health Privacy, available at https://public-inspection.federalregister.gov/2023-07517.pdf, at 43; 45 CFR 164.502(a)(1).
  7. HIPAA Privacy Rule to Support Reproductive Health Privacy, available at https://public-inspection.federalregister.gov/2023-07517.pdf, at 43.
  8. Id. at 16.
  9. Id.; OCR proposes to define “reproductive health care” to include abortion, contraception, pregnancy-related care, fertility or infertility-related care, miscarriage management, molar or ectopic pregnancy treatment, pregnancy screening, prenatal, and other forms of care related to an individual’s reproductive system. Id. at 69. Further, OCR proposes to define “seeking, obtaining, providing, or facilitating” to include “expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care, as well as attempting to engage in the same.” Id. at 73.
  10. Id.
  11. See id. at 67.
  12. https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-reproductive-health-fact-sheet/index.html (emphasis in original).
  13. https://public-inspection.federalregister.gov/2023-07517.pdf (p. 80); Dobbs, 142 S. Ct. at 2309 (Kavanaugh, J., concurring) (asking whether a State may “bar a resident of that State from traveling to another State to obtain an abortion” and answering that it may not, “based on the constitutional right to interstate travel”).
  14. https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-reproductive-health-fact-sheet/index.html.
  15. HIPAA Privacy Rule to Support Reproductive Health Privacy, available at https://public-inspection.federalregister.gov/2023-07517.pdf, at 80.
  16. Id.
  17. Id. at 81.
  18. https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-reproductive-health-fact-sheet/index.html (emphasis in original).
  19. Notably, the scope of the prohibition is narrowly tailored and does not provide a blanket protection against disclosure of PHI related to reproductive health care. HIPAA Privacy Rule to Support Reproductive Health Privacy, available at https://public-inspection.federalregister.gov/2023-07517.pdf, at 75 (noting that this proposal is “narrowly tailored to address only uses and disclosures for specified prohibited purposes. It does not otherwise alter a regulated entity’s responsibility to comply with the conditions imposed on the use or disclosure of PHI for other criminal, civil, or administrative investigations or proceedings.”). The purpose-based prohibition does not apply to Regulated Entities that use or disclose PHI where the request is not made “primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.” Id. at 83. OCR clarified in the Proposed Rule that it does not intend for the prohibition to prevent PHI uses or disclosures otherwise permissible under the Privacy Rule, such as for treatment or payment of reproductive health care. Id. at 76, 84. For instance, an individual would still be able to obtain, use, and disclose their own PHI to bring a professional misconduct or negligence suit related to reproductive care they received against a clinician pursuant to the Privacy Rule’s right of access. Similarly, the Proposed Rule would not prohibit a clinician from using or disclosing that same PHI for their defense in such an investigation or proceeding. Id. at 84. Under such circumstances, OCR notes that such an investigation or proceeding would not be predicated on the “mere act of seeking, obtaining, providing, or facilitating reproductive health care,” but rather on the alleged professional misconduct or negligence related to the provision of the reproductive health care. Id.
Pursuant to this rule of construction, the prohibition would also not apply to PHI uses or disclosures for: public health purposes, including surveillance, investigation, or intervention; other health oversight activities, such as determining whether reproductive health care was delivered or billed inappropriately in violation of the False Claims Act and other similar state laws; Medicare or Medicaid audits conducted by an Inspector General; or investigations of potential violations of federal non-discrimination laws. Id. at 63 (clarifying that “the Privacy Rule’s permission to use and disclose PHI for the ‘public health’ activities of surveillance, investigation, or intervention do not include criminal, civil, or administrative investigations into, or proceedings against, any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, nor do they include identifying any person for the purpose of initiating such investigations or proceedings. Such actions are not public health activities.”); id. at 60 (proposing to define “public health surveillance, investigation, or intervention” to include “population-based activities to prevent disease and promote health of population.”); id. at 84; see also 45 CFR 164.514(a).
  20. HIPAA Privacy Rule to Support Reproductive Health Privacy, available at https://public-inspection.federalregister.gov/2023-07517.pdf, at 34.
  21. Id. at 93.
  22. https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-reproductive-health-fact-sheet/index.html; HIPAA Privacy Rule to Support Reproductive Health Privacy, available at https://public-inspection.federalregister.gov/2023-07517.pdf, at 94.
  23. See Cal. Penal Code § 1524.2(c)(1).