On April 26, 2024, almost a year after issuing a notice of proposed rulemaking to modify the Privacy Rule, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) finalized the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule). In practice, the Final Rule shields patients' protected health information (PHI) related to a patient seeking and/or receiving lawful reproductive health care and to a health care provider facilitating and/or rendering such health care services from civil, criminal, and administrative scrutiny. We review key facets of the rule below.
Background
The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) under the Health Insurance Portability and Accountability Act (HIPAA) generally prohibits covered entities such as health care providers and health plans (Covered Entities) from disclosing PHI without patient authorization except for treatment, payment, and health care operations. However, pursuant to certain exceptions under the Privacy Rule, Covered Entities have historically been allowed to disclose PHI without patient authorization in connection with certain public health activities; health oversight activities (e.g., in response to a request from a health oversight agency for audits; civil, administrative, or criminal investigations; proceedings; or actions); or judicial and administrative proceedings when disclosure is ordered by the court or pursuant to a non-court-ordered subpoena when the disclosing party receives satisfactory assurance that the receiving party will appropriately safeguard the PHI(i.e., reasonable efforts were made to ensure the individual subject of the PHI was given notice of the request or to secure a qualified protective order).
The Supreme Court's decision in Dobbs v. Jackson Women's Health Organization (Dobbs) and the subsequent passing of laws restricting abortion in some states have created concern about law enforcement authorities and others accessing PHI using the exceptions that allow the disclosure of PHI for health oversight and judicial and/or administrative proceedings and using it to prosecute patients and health care providers. The OCR proposed changes to the Privacy Rule to address these concerns last year.
The Final Rule
Uses and Disclosures: Prohibited Purposes
The Final Rule expands and strengthens patient privacy protections by prohibiting Covered Entities and their business associates (together with Covered Entities, Regulated Entities) from using or disclosing patients' PHI related to the provision of "lawful reproductive health care," including abortion care, for the following "prohibited purposes": (1) conducting a criminal, civil, or administrative investigation or imposing criminal, civil, or administrative liability on any person for seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person to initiate such activities; or (2) identifying any person to conduct criminal, civil, or administrative investigations for such activities.1
Lawful Reproductive Care
"Lawful reproductive health care" is defined as health care that "affects the health of an individual in all matters relating to the reproductive system, including its functions and processes," and that is: (1) lawful under the laws of the state where such healthcare is provided under the circumstances in which it is provided (e.g., an abortion performed at 12 weeks' gestation in a state that permits abortions through 24 weeks' gestation): or (2) protected, required, or authorized by federal law, including the US Constitution,2 regardless of the state where such health care is provided (e.g., miscarriage management care provided as necessary, stabilizing care under the Emergency Medical Treatment & Labor Act [EMTALA] to a patient in an emergency department in a state with a fetal-heartbeat-based abortion ban).3
Presumption of Lawful Reproductive Health Care
Under the Final Rule, there is a presumption that reproductive health care provided by a person other than the Regulated Entity receiving the request for disclosure of PHI is lawful, and that related PHI is, therefore, protected from disclosure, unless one of two conditions is met: (1) the Regulated Entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or (2) the Regulated Entity receives information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.4 For example, the Regulated Entity knows, or receives credible information from the requesting entity, that an abortion was illegally performed in a state where such care is banned or was performed by a unlicensed individual.
Attestation
When PHI related to lawful reproductive health care is requested for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners, the Regulated Entity must obtain an attestation from the requesting party that the use or disclosure of such PHI is not for a prohibited purpose.5
Public Health
The Final Rule also modifies the definition of "public health" to clarify that public health activities do not include activities: "(1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care; (2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care."6
Notice of Privacy Practices
Covered Entities are required to revise their Notice of Privacy Practices to reflect the Final Rule's updated privacy and other protections for reproductive health care.7
Supporting Access to Care and Protecting Patient Privacy
In making these updates to the HIPAA Privacy Rule, HHS-OCR continued to emphasize its goal of encouraging individuals' trust and confidence in accessing high-quality reproductive health care by "carefully balancing individuals' privacy interests with others' interests in using or disclosing PHI."8 HHS-OCR referenced concerns that patients may be reluctant to seek such care if they fear that their PHI could be requested from Regulated Entities to investigate and potentially impose liability upon them for having sought, obtained, or facilitated lawful reproductive health care.9 Alternatively, patients who doubt the confidentiality of their discussions with healthcare providers may choose not to disclose their complete or accurate medical or reproductive-health care history for fear of repercussions. This could, in turn, hinder health care providers from offering safe and effective information or treatment recommendations to their patients. Health care providers may also be reluctant to provide legal reproductive health care for fear of facing investigation or liability in the fluctuating legal environment that currently surrounds such care. HHS-OCR implemented the Final Rule to mitigate these concerns by protecting particularly sensitive PHI.
Key Insights
Regulated Entities must comply with the Final Rule by December 23, 2024, but Covered Entities have until February 16, 2026, to make necessary corresponding updates to their Notice of Privacy Practices.10 As rulemaking develops in this area and as the Final Rule goes into effect, Regulated Entities offering reproductive health care services should update their policies and procedures related to the use and disclosure of PHI as appropriate. Regulated Entities that receive requests for disclosures of PHI related to lawful reproductive health care should ensure they are not disclosing PHI for any prohibited purpose and should obtain attestations when appropriate. In addition, Covered Entities should ensure that their Notice of Privacy Practices accurately reflects their practices with respect to compliance with the Final Rule's additional privacy protections for reproductive health care.
It is important to note that health care providers providing reproductive-health care services who are not engaging in "standard transactions" under HIPAA (i.e., pre-authorization services and/or submission of electronic claims to health plans) and other entities not regulated by HIPAA (e.g., fertility- and pregnancy-tracking apps) are not considered Regulated Entities under HIPAA, and their patients' or users' personal information is, therefore, not considered PHI and would not be protected from use or disclosure under the Final Rule.
As rulemaking develops in this area, Regulated Entities offering reproductive health care should consult with legal counsel to determine how state- and federal-level reproductive health laws may affect their businesses and to ensure their PHI disclosures are compliant with applicable laws.
Footnotes
1. 89 Fed. Reg. at 33,063.
2. As fetal-personhood bills continue to be passed in abortion-ban states and as states such as Missouri, Idaho, and Louisiana entertain hearings on legislative bans to contraception, access to contraception may be at risk.
3. Whether EMTALA permits healthcare providers to provide abortions to stabilize patients experiencing medical emergencies in emergency departments in states with restrictive abortion bans is an issue that is in front of the US Supreme Court this term. 89 Fed. Reg. at 33,063; US Department of Health and Human Services, "HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet" (Apr. 22, 2024).
4. Id. at 33,063.
5. Id. at 33,029−30.
6. 89 Fed. Reg. at 33,062−3.
7. Id. at 33,046−47.
8. Id. at 32,984.
9. Id.
10. Id. at 32,976.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.