OCR Finalizes Post-Dobbs HIPAA Regulatory Changes Impacting Health Care Organizations

On April 22, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced final regulatory updates to the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA). The final rule, "HIPAA Privacy Rule to Support Reproductive Health Care Privacy," is a response to the U.S. Supreme Court's decision in Dobbs v. Jackson Women's Health Organization overruling Roe v. Wade and Planned Parenthood of Southeastern Pennsylvania v. Casey, allowing states to restrict access to abortion. Further, the final rule, which discusses the fact that the Dobbs decision has changed the legal landscape with respect to abortion and created legal uncertainty around certain health care issues, is primarily focused on limiting the ability of state authorities and other parties to use HIPAA-protected health information (PHI) related to reproductive health care, as defined in the final rule, for prosecutorial or similar purposes. The following sections discuss the key elements of the final rule and its impact on health care organizations.

Important Action Items for Health Care Organizations

At the outset, it is important for covered entities (providers, health plans, and health care clearinghouses) and their business associates (a wide variety of health care service providers) to understand and keep in front of mind that the final rule will require a number of specific actions, which include the following:

  • Carefully consider and prepare for any possible situations in which your organization may use, disclose, or be called upon to use or disclose, PHI related to reproductive health care in the manner addressed by the final rule, as further discussed in detail below;
  • Update HIPAA practices and privacy policies with respect to the use and disclosure of PHI since both are affected by the final rule;
  • Implement attestation forms (and consider OCR's model form), as further discussed below;
  • Update HIPAA Notices of Privacy Practices in the manner required by the final rule; and
  • Train staff on the new requirements under the final rule.

Definition of Reproductive Health Care

Understanding the scope of OCR's reproductive health care definition is essential for understanding the legal and practical impact of the final rule. OCR defines reproductive health care as "health care...that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes..." To clarify the scope of the definition and convey its breadth, OCR provides a number of examples that fall within the definition in its regulatory commentary:

"[C]ontraception, including emergency contraception; preconception screening and counseling; management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination; fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization (IVF)); diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products)."

Prohibition on Certain Uses and Disclosures of Protected Health Information

Most importantly, the final rule adds a new provision to 45 C.F.R. § 164.502(a) that prohibits both covered entities and their business associates from using or disclosing PHI to (1) conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; (2) impose criminal, civil, or administrative liability on any person, or identify any such person, for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or (3) identify any person for either of the foregoing purposes. For example, this disclosure prohibition could be implicated if law enforcement officials request reproductive health care information from a health care provider or its business associate. For purposes of the prohibition, the phrase "seeking, obtaining, providing, or facilitating reproductive health care" should be interpreted broadly. OCR clarifies that the phrase includes a wide variety of activities, such as expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care (including attempting any of these activities).

The final rule further provides, as a "Rule of Applicability," that the foregoing prohibition only applies where the covered entity or business associate that received the request for PHI concerning the person has reasonably determined that: (A) the reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided; (B) the reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided; or (C) a presumption of lawfulness applies, in instances involving reproductive health care provided by another person (i.e., someone other than the person receiving the request). Significantly, reproductive care provided by another person is to be presumed lawful under the final rule unless the covered entity or business associate has actual knowledge that the care was not lawful under the circumstances in which it was provided or factual information supplied by the party requesting the PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

Because the HIPAA Privacy Rule permits, but does not require, uses and disclosures of PHI in most instances, health care organizations will now need to carefully consider whether any otherwise permitted uses and disclosures of PHI that relates to reproductive health care could fall within the scope of this new prohibition. In doing so, health care organizations will need to be mindful of the broad definition of reproductive health care information. The prohibition could be triggered in situations in which they receive requests for PHI relating to reproductive health care in connection with law enforcement investigations, civil proceedings, criminal prosecutions, state licensure matters, and even family law proceedings.

In its commentary, OCR emphasizes that the prohibition does not apply when a person requesting PHI identifies a legal basis for the request beyond the mere act of a person seeking, obtaining, providing, or facilitating reproductive health care that was lawful (e.g., a legal basis such as investigating false claims matters, substandard medical care or patient abuse). As to the Rule of Applicability, OCR explains that an entity should make a reasonable determination about lawfulness by examining the facts and circumstances in which reproductive health care was provided, including the individual's diagnosis and prognosis, the time and location at which the care was provided, and the particular health care provider who rendered the care. Further, OCR emphasizes that the presumption of lawfulness created by the final rule is intended to help ensure that covered entities and their business associates are not required to conduct research, review the applicable PHI, or make determinations about the lawfulness of health care services when they did not provide the care at issue and do not have firsthand knowledge of the facts concerning such care. While these clarifications help to some extent, the above disclosure prohibition may at times create difficult judgment calls for covered entities and their business associates and, potentially, in some instances, disputes with public officials or law enforcement.

Signed Attestation Requirement for Certain Disclosures of Protected Health Information

In addition to the new use and disclosure provision added as 45 C.F.R. § 164.502(a)(5)(iii), the final rule requires that covered entities and business associates obtain a special attestation from the requesting party when a requesting party seeks the use or disclosure of PHI potentially related to reproductive health care under the following existing HIPAA regulations:

  • 45 C.F.R. § 164.512(d) (i.e., disclosures to health oversight agencies for oversight activities authorized by law);
  • 45 C.F.R. § 164.512(e) (i.e., disclosures for judicial and administrative proceedings, such as pursuant to court or administrative orders, subpoenas, discovery requests, or other lawful process);
  • 45 C.F.R. § 164.512(f) (disclosures for law enforcement purposes, including mandatory reporting laws, court orders, warrants, subpoenas, or administrative requests, in response to a law enforcement request in specific instances, reporting individuals who have died to law enforcement when the covered entity suspects that such death may have resulted from criminal conduct, reporting crime on premises to law enforcement if the covered entity believes PHI is evidence of such crime or reporting crime in the event of certain emergencies); and
  • 45 C.F.R. § 164.512(g)(1) (disclosures to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law).

OCR believes the foregoing provisions of 45 C.F.R. § 164.512 most clearly implicate the concerns it articulated as the reason for the final rule. Thus, in these specific situations and in addition to ensuring a use or disclosure is not prohibited by 45 C.F.R. § 164.502(a)(5)(iii) (i.e., the new disclosure prohibition), covered entities must not use or disclose protected health information potentially relating to reproductive health care until they obtain an attestation from the requesting party that: (1) describes the information requested and identifies the information in a specific fashion with reference to the name of the individual whose PHI is sought or a description of the class of individuals whose PHI is sought if names are not practicable; (2) provides the name or other specific identification of the person, or class of persons, who are requested to make the disclosure; (3) provides the name or other specific identification of the person, or classes of persons, to whom the covered entity is to make the requested use or disclosure; (4) includes a clear statement that the use or disclosure is not for a purpose prohibited under 45 C.F.R. § 164.502(a)(5)(iii) (the new disclosure prohibition under the final rule); (5) includes a statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information (IIHI) relating to an individual or discloses IIHI to another person; and (6) includes the signature of the person requesting the PHI. Additionally, attestations must not be combined with other documents and must not contain any defects specified in the regulations (including the covered entity or business associate knowing that material information in the attestation is false). If a covered entity or business associate discovers that any representation in an attestation is false, it must cease any use or disclosure covered by the attestation. Further, if a reasonable covered entity or business associate in the same position would not believe an attestation with respect to 45 C.F.R. § 164.502(a)(5)(iii) (the new disclosure prohibition under the final rule), such as in a situation where the requesting party has made public statements that contradict that particular attestation, then a covered entity or business associate should not treat the written attestation as valid.

OCR has indicated that it will create a model attestation form for use by covered entities, business associates, and parties requesting information under the above regulations. While that will make the process of obtaining a valid attestation somewhat simpler, covered entities and business associates may still be faced with difficult decisions as to whether a particular request potentially relates to reproductive health care, even if it is otherwise able to determine that the disclosure is not prohibited by 45 C.F.R. § 164.502(a)(5)(iii).

Required Changes to Notices of Privacy Practices

The final rule changes a number of requirements, including content requirements, with respect to notices of privacy practices (NPPs) that covered entities have long been required to provide and make available to individuals in written form under 45 C.F.R. § 164.520. Many of the NPP changes pertain to the final rule's other requirements with respect to PHI that relates to reproductive health care. However, OCR is also implementing a number of NPP provisions required under the CARES Act with respect to covered entities with PHI that is also a record of substance use disorder treatment information under the federal substance use disorder confidentiality regulations at 42 C.F.R. Part 2. Prior to this final rule, 45 C.F.R. § 164.520 had not been updated since 2013, so covered entities are now required to update the language of their NPPs for the first time in over a decade.

Handling of PHI in Abuse, Neglect, and Endangerment Situations

Under HIPAA, covered entities must treat a personal representative, such as the parent or guardian of a child, as if they are the individual for purposes of the Privacy Rule, with limited exceptions. One such exception under existing 45 C.F.R. § 164.502(g)(5) is abuse, neglect, and endangerment situations. Specifically, a covered entity may elect not to treat a person as a personal representative of an individual for HIPAA purposes if the covered entity has a reasonable belief that the individual (i.e., the patient) has been or may be subjected to domestic violence, abuse, or neglect by the person or treating such person as the personal representative could endanger the individual and the covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative. The final rule adds to this existing regulation the clarification that a covered entity does not have a "reasonable belief" for purposes of the above determination if the basis for their belief is the provision or facilitation of reproductive health care by such person for and at the request of the individual. OCR added this clarification to the regulation based on their articulated concern that a covered entity or business associate could refuse to recognize a person as a personal representative if the person makes reproductive health care decisions or provides or facilitates reproductive health care on behalf of an individual (i.e., a patient) with which the covered entity or business associate disagrees.

OCR also added a similar clarification to 45 C.F.R. § 164.512(c), which permits disclosures about victims of abuse, neglect, or domestic violence. The clarification indicates that 45 C.F.R. § 164.512(c) does not permit a disclosure otherwise prohibited by 45 C.F.R. § 164.502(a)(5)(iii) (the new disclosure prohibition) when the sole basis of the report of abuse, neglect, or domestic violence is the provision or facilitation of reproductive health care.

Uses and Disclosures for Public Health Activities

While the final rule does not include an attestation requirement in connection with uses and disclosures of PHI under 45 C.F.R. § 164.512(b) (the regulation that permits uses and disclosures for public health activities) that potentially relate to reproductive health care, it does include a new HIPAA definition of "public health" that impacts 45 C.F.R. § 164.512(b) and other provisions of the HIPAA Privacy Rule. Among other things, the new definition clarifies that public health activities do not include activities with the purpose of (1) conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care; (2) imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care; or (3) identifying any person for either of the foregoing activities.

Applicability of the Final Rule

It is possible that states or other parties may pursue challenges to OCR's final rule. In anticipation of that possibility, the final rule includes a new Privacy Rule severability regulation at 45 C.F.R. § 164.535 seeking to preserve as much of the final rule as possible if a court finds that some portion or application of the rule is invalid or unenforceable. Pending the resolution of any such challenges, covered entities and business associates should be aware that the final rule is effective June 25, 2024, although compliance is not required as of that date. The compliance date is December 23, 2024, except for the updated Notice of Privacy Practices requirements, for which the compliance date is February 16, 2026.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
