Final HIPAA Privacy Rule Increases Protection of Reproductive Health Care Data
Friday, May 10, 2024
HIPAA reproductive health care privacy
Print Mail Download i

The Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) recently issued final regulations (“Reproductive Health Care Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that narrow the permitted uses and disclosures of protected health information (“PHI”) in the context of an individual seeking, obtaining, providing or facilitating reproductive health care that is lawful under the circumstances provided. Plans and providers must comply with most of the new requirements (discussed below) by December 23, 2024 (240 days after the rule was published in the Federal Register). The Reproductive Health Care Rule is summarized by HHS in a fact sheet, and below with our perspective and take aways for health plan sponsors.

Background

Legal Questions Surrounding Reproductive Health Care

The Reproductive Health Care Rule was issued in light of the changing legal landscape following Dobbs v. Jackson Women’s Health Organization (“Dobbs”). In Dobbs, the U.S. Supreme Court held that the U.S. Constitution does not confer a right to abortion, leaving the legality of obtaining an abortion up to the fifty states. State legislatures almost immediately began enacting or resurfacing state laws regulating abortions and imposing civil and criminal liability, including certain laws that would impose liability on anyone who “aids or abets” or “assists” a state resident with obtaining an abortion. These state laws have given rise to many legal questions, including questions related to the privacy of health care information. Therefore, President Biden issued Executive Order 14076 directing HHS to consider taking action under HIPAA to ensure protection of information related to reproductive health care and to support the confidentiality of information exchanged between a patient and their provider.

Review of HIPAA Privacy Requirements

As readers of this blog likely know, covered entities (and, in some cases, business associates) are directly subject to, and must comply with, HIPAA. Although employers are not covered entities, the group health plans (including self-insured and some insured group health plans) sponsored by employers are covered entities, and in many cases, the employer sponsoring the group health plan is responsible for ensuring the group health plan’s compliance.

Under HIPAA, PHI may not be used or disclosed unless it falls within certain permitted or required use and disclosure categories, and except in limited circumstances (such as usage by a health care provider for treatment purposes), these uses and disclosures are subject to the requirement that the information be limited to the minimum necessary to accomplish the intended purpose. Within certain parameters and subject to certain requirements, HIPAA generally permits the use or disclosure of PHI without individual notice or an opportunity to object for judicial and administrative proceedings and for law enforcement purposes. Following Dobbs, there were concerns that states with abortion restrictions could use these exceptions to require plans and health care providers to disclose information about reproductive health care, significantly impacting the free communication between patients and their health care providers to the detriment of patients and the health care system as a whole. The Reproductive Health Care Rule is designed to avoid this result by prohibiting certain uses and disclosures of PHI related to reproductive health care that is lawful under the circumstances provided.

The Reproductive Health Care Rule’s Limitations on Prohibited Uses and Disclosures

The Reproductive Health Care Rule adds a new blanket prohibition to the use and disclosure of PHI for the following activities:

  • to conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided;
  • to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided; and
  • to identify any person for any purpose described in the above two bullet points.

Reproductive Health Care Defined

Reproductive health care is defined as health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. The preamble contains a number of examples of items, services and care that would meet this definition, but stresses that it does not contain an exhaustive list and that this definition is intended to be read broadly. The preamble further notes that this definition is not intended to set forth a standard of care or regulate what would be clinically appropriate reproductive health care and highlights that in many circumstances, it may be the individual making determinations for themselves (e.g., purchasing over-the-counter contraceptives would be considered reproductive health care).

When is Care Lawful Under the Circumstances in which it is Provided?

The Reproductive Health Care Rule further provides that reproductive health care is “lawful under the circumstances in which it is provided” if the reproductive health care is:

  • lawful in the state in which the health care is provided under the circumstances in which it is provided; or
  • protected, required, or authorized by Federal law (including the U.S. Constitution) under the circumstances in which the health care is provided without regard to the location.

Note: The scope of this second prong is not yet clear and implicates certain rights and federal laws that are or may be the subject of legal challenges. For example, this may be intended to apply where the Emergency Medical Treatment and Active Labor Act (“EMTALA”) requires hospitals to administer stabilizing care related to reproductive health care that may be in conflict with certain state law (the scope of such requirement is itself the subject of current litigation before the U.S. Supreme Court). The HHS fact sheet provides an example where the use of reproductive health care, such as contraception, is protected by the U.S. Constitution, regardless of the state where it is provided, which can be inferred to reference Griswold v. Connecticut and subsequent decisions.

It is also important to note that the Reproductive Health Care Rule includes a presumption that reproductive health care provided by another person is lawful unless the covered entity or business associate (i) has actual knowledge that it was unlawful or (ii) receives information from the person requesting the use or disclosure of the PHI and such information provides a substantial factual basis that it was unlawful.

Example

As an example of a prohibited disclosure, suppose a resident of one state traveled to a second state in order to obtain an abortion. If the abortion was lawful under the circumstances in which it was obtained in the second state, then the covered entity (e.g., the health care provider performing the abortion or the group health plan paying for the abortion) would be prohibited from disclosing the patient’s PHI to a police officer from the patient’s home state seeking to impose criminal liability on the patient or the health care provider. Moreover, if the patient returned to their home state and disclosed to their general practitioner that they had an abortion, the general practitioner, absent the police officer providing information to demonstrate to her a substantial factual basis supporting that the abortion in the second state was unlawful in that state, would be prohibited from disclosing any of the PHI to the police officer. 

New Attestation Requirement

In addition to the new prohibitions on uses and disclosures of PHI, the Reproductive Health Care Rule requires a covered entity or business associate to obtain an attestation for certain uses and disclosures of PHI that is “potentially related to reproductive health care”. This attestation requirement applies to requests for uses and disclosures relating to health oversight activities, judicial and administrative proceedings, law enforcement purposes, and coroners’ and medical examiners’ purposes in connection with a decedent. As a reminder, even where permitted, disclosure for these purposes is permissive, not mandatory under HIPAA, except in instances where HHS requests information as part of a compliance investigation. However, the covered entity (or business associate) should consider whether state law may require disclosure when not prohibited by HIPAA.

A valid attestation must be written in plain English, must be signed and dated by the person requesting the PHI, and must include the following:

  • A description of the specific information requested, including the name of the individual whose PHI is requested (or, if not practicable, the class of individuals whose PHI is requested).
  • The name (or other identifying information) of the person (or class of persons) of whom the requested use or disclosure is made.
  • The name (or other identifying information) of the person (or class of persons) to whom the requested use or disclosure is to be made. 
  • A statement that the use or disclosure is not for a prohibited purpose.
  • A statement explaining the criminal penalties for knowingly violating HIPAA by obtaining or disclosing individual identifiable health information.

An attestation may be made electronically, but generally may not be combined with other documents or include any statements other than those meeting the requirements above.

The Reproductive Health Care Rule makes it clear that an attestation itself is not determinative of whether the use or disclosure is for a prohibited purpose and the covered entity/business associate must come to its own conclusion by considering the circumstances surrounding the attestation.

Updates to the Notice of Privacy Practices

The Reproductive Health Care Rule will require plans and providers to review and update their Notices of Privacy Practices (“NPPs”). New requirements include a description and examples of the types of prohibited uses and disclosures of PHI and the types of uses and disclosures that would require an attestation, along with a statement to notify individuals of the potential redisclosure of such information that would no longer be protected by HIPAA. 

The rule aligns the deadline for making these updates with the deadline to make changes to the NPP required by the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) that are unrelated to reproductive health care but addressed in the Reproductive Health Care Rule. As a reminder, the CARES Act aligned the use and disclosure rules under the Confidentiality of Substance Use Disorder Patient Records rule (“Part 2”) with HIPAA and directed HHS to update the NPP requirements to include language describing the privacy practices relating to PHI that is also protected by Part 2. 

Additional Clarifications

The Reproductive Health Care Rule contains a couple of clarifications and definitional changes that appear intended to avoid circumvention of the spirit of the rule. For example, the definition of “person” was revised to clarify that for HIPAA purposes a natural person is limited to a human being who is born alive. 

In addition, the Reproductive Health Care Rule adopted a new definition of “public health” as that term is used in “public health surveillance,” “public health investigation,” and “public health intervention” to mean population-level activities to prevent disease in and promote the health of populations. Public health surveillance, investigation, and intervention would include identifying, monitoring, preventing or mitigating threats to the health or safety of a population but would not include activities to identify, conduct criminal, civil, or administrative investigations into, or impose such liability on, any person for seeking, obtaining, providing or facilitating reproductive health care that is lawful under the circumstances provided.

Proskauer Perspective

With covered entities and business associates expected to be in full compliance (except with respect to the NPP changes) by December 23, 2024, they should immediately begin considering how to comply with the Reproductive Health Care Rule. Employers sponsoring self-insured health plans will want to pay particular attention. Potential action items include:

  • Identification and Tracking: Consider implementing a system to identify and track PHI that is potentially related to reproductive health care. Implementing such a system now may be instrumental when responding to a request for use or disclosure of such PHI as it would put the covered entity/business associate on notice that they should scrutinize the request and consider whether an attestation is required.
  • Attestation: Be on the lookout for HHS’s model attestation, which is expected to be published before the compliance date. Once the model attestation has been published, customize it as needed, but keep in mind an attestation will not be valid if combined with other documents or if it contains elements or statements not otherwise required under the Reproductive Health Care Rule. 
  • Policies and Procedures: Review and modify HIPAA policies and procedures to incorporate the Final Rule.
  • Workforce Training: Incorporate the Reproductive Health Care Rule into annual HIPAA training, including steps to consider when responding to a request for use or disclosure of PHI potentially related to reproductive health care and information about the attestation requirement.
  • Business Associate Agreements: Review business associate agreements to determine whether any updates are needed to implement the Reproductive Health Care Rule. For example, parties to a business associate agreement may want to include provisions describing their respective responsibilities for requests for uses or disclosures of PHI related to reproductive health care.
  • Review Plan Communications: Review communications (such as Summary Plan Documents) to make sure all references to HIPAA are accurate and complete.
  • Notice of Privacy Practices: Begin thinking about updating Notice of Privacy Practices to include the new requirements.

We also note that laws around reproductive health care are particularly unsettled and subject to challenge. The preamble to the Reproductive Health Care Rule is designed to support HHS’s reasoning in crafting the rule, containing significant background information and rationales for why these changes are necessary due to changes in the legal landscape and why the Reproductive Health Care Rule strikes an appropriate balance between the need for trust and open communication between patients and health care providers to support the functioning of the U.S. health care system and the other public policy considerations. That being said, we anticipate potential legal challenges to the implementation of the Reproductive Health Care Rule, as did HHS which included a severability provision in the event any portion is determined to be invalid or unenforceable.

© 2024 Proskauer Rose LLP.

Current Legal Analysis

More from Proskauer Rose LLP

Remote Employees & Workplace Sexual Harassment Prevention Training
by: Evandro C Gigante , Jurate Schwartz
Approaching Secondaries Financing from All Angles: Key Considerations for Debt in LP-Led and GP-Led Secondary Transactions
by: Cameron A. Roper , Paul Tannenbaum
District Court Dismisses Class Action Seeking Wilderness Therapy Benefits
by: Sydney L. Juliano , Jennifer Rigterink
Recent Developments in International Arbitration: English Court Sets Aside Arbitral Awards in Landmark Nigeria Case
by: Dorothy Murray , Julia Bihary
The Emerging Legal and Regulatory Risks of Loyalty Programs
by: David Fioccola , Leslie A. Shanklin
ESMA’s Final ESG Fund Name Guidelines
by: John Verwey , Rachel E. Lowe
European Commission Publishes Summary of SFDR Consultation Responses
by: John Verwey , Rachel E. Lowe
Private Credit Deep Dives – Sponsor “Guarantees” (Europe)
by: Privacy and Data Security
Private Market Talks: The Hedge Fund Platform Model with Crestline’s Caroline Cooley [Podcast]
by: Peter J. Antoszyk , Kelli L. Moll
Supreme Court Holds that Copyright Damages Have No Time Limit
by: Sandra A Crawshaw-Sparks , David A. Munkittrick

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins