SUMMARY
- The US Department of Health and Human Services’ Office for Civil Rights (HHS) is proposing changes to the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA).
- HHS's proposed changes would impact HIPAA Covered Entities by restricting the use and disclosure of certain reproductive health care information, requiring an attestation prior to certain disclosures, and mandating revisions to the Notice of Privacy Practices to provide examples of restrictions and at least one scenario where an attestation would be required.
INTRODUCTION AND CONTEXT
HHS’s Office for Civil Rights has published a notice of proposed rulemaking (NPRM) that proposes to modify privacy standards under HIPAA and the Health Information Technology for Economic and Clinical Health Act.1 Specifically, the NPRM would modify privacy standards regarding the use and disclosure of protected health information (PHI) regarding reproductive health care that is permitted by state law under the circumstances in which the care was provided.
In explaining the context and background for the NPRM, HHS reiterated that HIPAA’s Privacy Rule (Privacy Rule) balances individual privacy expectations with “vital public and private” interests in the use of PHI for judicial proceedings and law enforcement purposes. It accomplishes this, according to HHS, by requiring covered entities and business associates governed by HIPAA (collectively, “regulated entities”) to implement safeguards to protect patient privacy, while allowing certain disclosures for public and law enforcement purposes.2 HHS further expresses its concern that developments in the legal environment after the US Supreme Court’s decision in Dobbs vs. Jackson Women’s Health Center are “eroding individuals’ trust in the health care system,”3 particularly as it relates to sensitive issues such as reproductive care and sexual history. To illustrate this, HHS points to actions taken by states to regulate and criminalize reproductive health care that have expanded the range of circumstances in which persons are attempting to obtain sensitive PHI for use in criminal, civil, and administrative investigations or proceedings. For example, HHS states that it is aware of reports “that persons or authorities have reached or intend to reach beyond their own states’ borders to investigate reproductive health care that has been performed in other states where that health care is legal.”4
Emphasizing that Dobbs did not disturb “other longstanding constitutional principles,” such as the right of interstate travel, or to use contraception, nor did it displace federal statutes, such as the Emergency Medical Treatment and Labor Act (EMTALA), HHS indicates that the Privacy Rule, as currently written, could result in the disclosure of PHI related to lawful reproductive health care to law enforcement or other persons intending to use that PHI against an individual, regulated entity, or another person. For this reason, HHS is proposing to provide heightened protections for “PHI that is sought for the purposes of conducting a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.”5
SUMMARY OF KEY PROPOSALS
Definitional Changes to Key Terms
HHS proposes several new defined terms, as well as changes to the definitions of existing terms:
- “Reproductive health care,” a new term and a subcategory of the existing term “health care,” would mean “care, services, or supplies related to the reproductive health of the individual.”6
- “Public health,” as used in the terms “public health surveillance,” “public health investigation,” or “public health intervention,” would mean population-based activities to prevent disease and promote health of populations that do not include uses and disclosures for criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care or to identify any person for the purpose of initiating such an investigation or proceeding.7
- “Person” means a natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.8
- HHS also proposes to clarify that providing or facilitating access to appropriate reproductive health care is not abuse, neglect, or domestic violence within the meaning of 45 C.F.R. § 164.512(c).9
New Prohibitions on Uses and Disclosures
Central to the proposed rule is the establishment of a new prohibited class of uses and disclosures of PHI. Specifically, the changes would bar a regulated entity from using or disclosing PHI when the purpose of the use or disclosure is any criminal, civil, or administrative investigation or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care (Reproductive Health Care Proceeding).10 Relatedly, PHI could not be used or disclosed to identify any person for the purpose of initiating a Reproductive Health Care Proceeding.11 The prohibition applies when a Reproductive Health Care Proceeding relates to: (1) reproductive health care provided in another state, where the health care is lawful in the state in which it was provided (for example, a resident of State A travels to State B to receive reproductive health care, such as an abortion, that is lawful in State B); (2) reproductive health care protected, required, or authorized by federal law, regardless of which state the health care is provided (for example, reproductive health care, such as miscarriage management, is required under EMTALA to stabilize the health of the pregnant individual); and (3) reproductive health care that is both provided and permitted in the state in which the Reproductive Health Care Proceeding is to take place (for example, a resident of State A receives reproductive health care, such as treatment for an ectopic pregnancy, in State A, which is lawful in State A).12
Attestation Requirement
In connection with the Reproductive Health Care Proceeding bar, the proposed rule would require an attestation that the use or disclosure sought is not prohibited by the proposed rule’s prohibition set forth above. Any person requesting the use or disclosure of PHI that is potentially related to reproductive health care for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or decedents’ activities would need to provide a valid attestation.13 The attestation must be in plain language, may not be combined with any other document, and must contain a series of required elements, including, for example, a clear statement that the use or disclosure is not for a prohibited purpose. A regulated entity would only be permitted to rely on such attestation so long as it does not have actual knowledge of material information that the attestation is false and so long as it is not objectively unreasonable to believe that the attestation is true.14
Notice of Privacy Practices
HHS also proposes to require covered entities to add two types of uses and disclosures to those already described in their Notice of Privacy Practices: (1) a description, including at least one example, of the types of uses and disclosures for Reproductive Health Care Proceedings that would be prohibited, as described above, in sufficient detail for an individual to understand the prohibition; and (2) a description, including at least one example, of the types of uses and disclosures for which an attestation is required. HHS explains its concern that, without adequate assurances about prohibited uses and disclosures of their PHI, individuals may avoid accessing crucial health care.
REQUEST FOR COMMENTS
HHS is soliciting comments on its proposal and has outlined several specific requests for comments, including its proposed compliance time frame, which is 180 days after the effective date of a final rule. Other specific requests include: (1) whether the proposed definitions are appropriate; (2) whether it is necessary to define “reproductive health,” and, if so, suggested definitions and support; (3) whether the proposed prohibition on uses and disclosures for lawful reproductive health care is sufficiently narrow so as to limit harmful uses or disclosures, such as investigating individuals who have obtained, or health care providers who have provided, lawful health care, while permitting beneficial uses or disclosures, such as conducting investigations into health care fraud or billing audits; (4) the effects of individuals’ concerns about the potential disclosure of their PHI to law enforcement or others on their willingness to confide in their health care providers; and (5) the effects of health care providers’ concerns about potential Reproductive Health Care Proceedings against them or their patients on the completeness and accuracy of medical records and continuity of care. Comments are due on or before 16 June 2023. K&L Gates’ Health Care and FDA practice regularly advises stakeholders on health privacy matters, including HIPAA’s Privacy and Security Rules, and assists clients with public comments on proposed rulemakings. Contact the authors of this article for questions or assistance with preparing comments in response to this NPRM.
FOOTNOTES
1 Notice of Proposed Rulemaking, HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 88 Fed. Reg. 23,506 (Apr. 17, 2023), available at https://www.federalregister.gov/documents/2023/04/17/2023-07517/hipaa-privacy-rule-to-support-reproductive-health-care-privacy.
2 Id. at 23,514. See also Dep’t of Health & Hum. Servs., HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html; Gina L. Bertolini, Jacqueline B. Hoffman & Martin A. Folliard, Privacy of Health Information After Dobbs: OCR Guidance on Disclosures of PHI and the Privacy of Personal Information on Devices, K&L GATES HUB (July 14, 2022), https://www.klgates.com/Privacy-of-Health-Information-After-Dobbs-OCR-Guidance-on-Disclosures-of-PHI-and-the-Privacy-of-Personal-Information-on-Devices-7-14-2022.
3 88 Fed. Reg. 23,519.
4 Id.
5 Id. at 23,510.
6 Id. at 23,527. As with “health care,” HHS states that “reproductive health care” applies broadly and includes reproductive health care and services furnished by a health care provider, supplies furnished in accordance with a prescription, and care, services, or supplies furnished by other persons and nonprescription supplies purchased in connection with an individual’s reproductive health.
7 Id. at 23,525.
8 Id. at 23,552.
9 The proposed rule also clarifies that disclosures concerning victims of abuse, neglect, or domestic violence based primarily on the provision of reproductive health care are not permitted if the purpose of the disclosure otherwise falls within the new proposed class of uses and disclosures. Id. at 23,553.
10 Id. at 23,552. HHS further specifies that this prohibition only applies when the “primary” purpose of a use or disclosure is to investigate or impose liability on a person for the “mere act of seeking, obtaining, providing, or facilitating reproductive health care.”
11 Id. Likewise, the prohibition would apply to anyone expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care or attempting any of the same.
12 Id.
13 Id. at 23,553.
14 Id.