On April 26, 2024, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published a final rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “Final Rule”) to address new privacy issues that have arisen in the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”). The Final Rule aims to strengthen reproductive health care privacy under the Health Insurance Portability and Accountability Act and its implementing regulations (collectively, “HIPAA”) by prohibiting covered entities and business associates (collectively, “regulated entities”) from using or disclosing protected health information (“PHI”) to investigate or impose liability on any person for the “mere act” of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person for such purposes.
Background
OCR notes that the HIPAA Privacy Rule “is intended to ensure that individuals are not afraid to seek health care from, or share important information with, their health care providers because of a concern that their sensitive information will be disclosed outside of their relationship with their health care provider.” OCR further notes that the changes in the Final Rule are necessary to address concerns post-Dobbs that PHI may be disclosed in ways that harm patients, such as to initiate criminal, civil, and administrative investigations, or “chill an individual’s willingness to seek lawful health care treatment.” As such, the Final Rule creates a new prohibition on uses and disclosures for certain purposes related to reproductive health care.
Key Changes
1. Prohibited Uses and Disclosures
Most significantly, the Final Rule creates a new prohibition (“New Prohibition”) on the use or disclosure of PHI by a regulated entity for any of the following activities (collectively, “Prohibited Purposes”):
- To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
- To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
- To identify any person for any of the above purposes.
This is a purpose-based prohibition and prohibits any PHI from being used or disclosed for the purposes above. The Final Rule does not create a newly defined subset of PHI for reproductive health information due to concerns related to segregating such information from the rest of the medical record and the fact that PHI about reproductive health may be reflected throughout the medical record.
The New Prohibition applies to activities related to investigating or imposing liability on “any person.” This means that the New Prohibition is not limited to the use or disclosure of PHI against the individual; it also covers the use or disclosure of PHI against a regulated entity or another entity, such as a health care provider, for obtaining, providing, or facilitating lawful reproductive health care.
For the New Prohibition to apply, the reproductive health care at issue must have been lawful under the circumstances in which it was provided. Responsibility for this determination falls on the regulated entity that receives the request, and such determinations must be reasonable. Specifically, for the New Prohibition to apply, the regulated entity that received the request must reasonably determine that at least one of the following conditions is met:
- The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
- The reproductive health care is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided.
- The presumption described below applies.
The Final Rule includes a presumption that reproductive health care provided by a person other than the regulated entity that received the request is lawful unless the regulated entity has any of the following:
- Actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
- Factual information from the requestor of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.
2. Attestation
To make it easier for regulated entities to determine if a request for PHI is subject to the New Prohibition, the Final Rule prohibits regulated entities from using or disclosing PHI potentially related to reproductive health care for certain purposes without first obtaining a valid, signed attestation that the use or disclosure requested is not for a Prohibited Purpose. This attestation requirement applies when the request is made under HIPAA’s provisions regarding disclosures for health oversight activities, disclosures for judicial and administrative proceedings, disclosures for law enforcement purposes, or disclosures about decedents to coroners and medical examiners.
The Final Rule outlines requirements for an attestation to be considered valid, which include a statement that the use or disclosure is not for a Prohibited Purpose and a statement that a person may be subject to criminal penalties if the person knowingly and in violation of HIPAA obtains individually identifiable health information or discloses such information to another person. The Final Rule also clarifies that using or disclosing PHI in reliance on a defective attestation is considered a HIPAA violation. For example, this may be the case if a reasonable regulated entity in the same position would not believe the attestation’s statement that the use or disclosure is not for a Prohibited Purpose.
In a departure from OCR’s 2023 Notice of Proposed Rulemaking (the “NPRM”), the Final Rule imposes direct liability on business associates (in addition to covered entities) for compliance with the attestation requirement. This is true regardless of whether compliance with the requirement is specifically addressed in the applicable business associate agreement (“BAA”).
OCR plans to publish a model attestation prior to the Final Rule’s compliance date.
3. Definitions
a. “Reproductive Health Care”
The Final Rule adopts the new term “reproductive health care” to mean health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This definition, which includes a few minor modifications from the definition proposed in the NPRM, is intended to be broad.
The preamble clarifies that reproductive health care includes contraception, including emergency contraception; preconception screening and counseling; management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination; fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization); diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products). This is not intended to be an exhaustive list.
b. “Person”
The Final Rule modifies the definition of “person” to clarify that a person is a natural person, “meaning a human being who is born alive.” OCR states that this is intended to provide clarity to a covered entity regarding when it may need to disclose PHI to report a person’s death or a victim of abuse, neglect, or domestic violence. This clarification also impacts the scope of the permission to disclose PHI to avert a serious threat to health or safety at 45 C.F.R. §164.512(j)(i). OCR states that the HIPAA Privacy Rule does not permit disclosures when the perceived threat does not involve the health or safety of a natural person or the public, or when an individual has not caused serious physical harm to a natural person.
c. “Public Health”
The Final Rule modifies the definition of “public health,” as used in the terms “public health surveillance,” “public health investigations,” and “public health interventions,” to mean population-level activities to prevent disease in and promote the health of populations. The Final Rule ensures that the definition of public health focuses on activities aimed at preventing disease and improving the health of populations and creates a distinction between such activities and criminal investigations. This definition does not prevent disclosures of PHI by covered entities to public health authorities for public health activities that have been permitted under the HIPAA Privacy Rule.
4. Disclosures Based on Administrative Requests
HIPAA permits regulated entities to disclose PHI pursuant to an administrative request, but only if certain conditions are met. As explained in the Final Rule and NPRM, OCR is aware that some regulated entities are interpreting this existing provision that permits disclosures pursuant to administrative requests in a manner inconsistent with OCR’s intent by disclosing PHI to law enforcement without consulting legal counsel and without a warrant or subpoena. As such, the Final Rule adopts changes to clarify that PHI may only be disclosed pursuant to an administrative request “for which response is required by law,” such as an administrative subpoena or summons, a civil or authorized investigative demand, or similar process authorized under law.
5. Personal Representatives in the Context of Reproductive Health Care
HIPAA generally permits a covered entity to elect not to treat a person as an individual’s personal representative if the covered entity believes that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person. This created concerns that covered entities could elect not to recognize a person as a personal representative strictly because the covered entity disagrees with the person’s reproductive health care decisions.
Thus, the Final Rule prohibits denying personal representative status where the basis of the denial is that the person provided or facilitated reproductive health care. This represents a slight departure from the standard proposed in the NPRM that would have prohibited denial “primarily” based on these actions. As a result of this change, the covered entity need not determine whether the provision or facilitation of reproductive health care is the “primary” basis for believing that a person who is an individual’s personal representative has abused, neglected, or endangered the individual, or may do so in the future.
6. Notices of Privacy Practices
The Final Rule modifies HIPAA provisions regarding Notices of Privacy Practices (“NPPs”) to require covered entities to revise their NPPs to address changes related to reproductive health care privacy in the Final Rule and recently finalized changes to regulations at 42 C.F.R. part 2 (“Part 2”) regarding the confidentiality of substance use disorder records, which we covered in a previous client alert.
Key Dates
The Final Rule is effective on June 25, 2024. Compliance with the majority of its provisions will be required by December 23, 2024, except for changes to NPP requirements, which have a compliance date of February 16, 2026, to align with the compliance date of recent Part 2 changes.
Takeaways
The Final Rule should have significant implications for patients as well as health care providers and other regulated entities that maintain information related to reproductive health care. While the Final Rule does not expressly create a special subset of PHI for reproductive health information, regulated entities must now be cognizant of when information requests implicate reproductive health care as such requests may trigger the New Prohibition and other requirements under the Final Rule.
It is important for all regulated entities to familiarize themselves with the New Prohibition and other changes made in the Final Rule to ensure that their processes remain compliant, particularly those around disclosing PHI to health oversight agencies, for judicial and administrative proceedings, to law enforcement, and to coroners and medical examiners. Regulated entities should review their policies and procedures, update training for their workforce members, and update their NPPs. The requirement that attestations include a statement about criminal liability, in addition to the preamble’s various reminders about potential criminal penalties, indicates that enforcement of the New Prohibition and related requirements will be taken seriously.
* * *
For more information on the Final Rule or to better understand how the New Prohibition may impact your organization, please contact the professionals listed below or your regular Crowell & Moring contact.