The amendments to the HIPAA Privacy Rule designed to protect reproductive health care information (Amendments) are under legal challenge as the compliance date quickly approaches.
As discussed in more detail in our previous post, regulated entities are required to comply with the Amendments by December 23, 2024 (with a later February 16, 2026 compliance date for the required changes to the Notice of Privacy Practices). Recent legal challenges and a new incoming presidential administration make the enforcement landscape for these Amendments unclear. However, at the time this blog is being published, regulated entities should be prepared to comply as of December 23, 2024.
Recent Cases Challenging the Amendments
Two lawsuits have been filed in the Northern District of Texas against the Department of Health and Human Services (HHS), seeking to invalidate the Amendments. The lawsuits argue that the Amendments violate the Administrative Procedure Act (APA), which governs how federal agencies promulgate and enforce rules and regulations. The plaintiffs argue that under the APA, a court must set aside an agency action that exceeds an agency’s statutory authority, or actions that are determined to be arbitrary, capricious, an abuse of discretion, or not in accordance with the law.
The first lawsuit, State of Texas v. HHS,[1] was filed by the Texas Attorney General in September 2024. The Texas Attorney General claims that HIPAA preserves state investigative authority related to the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention, and thus HHS exceeded its statutory authority by prohibiting regulated entities from disclosing reproductive health care information to state investigators. The Attorney General takes the position that HHS exceeds its statutory authority, as the Amendments obstruct a state’s ability to enforce its own laws on reproductive health care, including abortion and gender affirming care. The Texas Attorney General also seeks to invalidate provisions of the HIPAA Privacy Rule from 2000, claiming that Congress never intended to allow HHS to limit the circumstances related to when a regulated entity can disclose protected health information to law enforcement.
The second lawsuit, Purl v. HHS,[2] was brought by a Texas physician who makes claims similar to those of the Texas Attorney General. However, the physician claims the Amendments prohibit physicians from reporting abuse or neglect if it involves anything related to reproductive health care, including abortion or gender-transition procedures, or from participating in and complying with requests made by law enforcement. Further, the physician argues that the Amendments were arbitrary and capricious because HHS failed to adequately explain why it is implementing these new prohibitions and requirements for reasons other than a response to the Supreme Court’s opinion in Dobbs v. Jackson Women’s Health Organization.[3]
In HHS’ filed response and objection to the Purl case, HHS argues that the Amendments do not interfere with the physician’s duty to report suspected abuse or neglect under state law. Specifically, HHS focused on the fact that the Amendments preserve the definition of “public health,” which includes surveillance, investigation, and intervention as a means to prevent diseases and promote the health of populations, as opposed to conducting investigations or imposing liability on individuals seeking health care. HHS argues that because the Amendments preserved this definition, they do not limit a physician’s ability to report abuse or neglect. Instead, the Amendments only prohibit a physician’s ability to report about activities related to a person seeking, obtaining, providing, or facilitating reproductive health care and thus suspected abuse would be excluded from the prohibition on disclosure.
Change in Administration
It is also unclear at this time if HHS under the Trump Administration will continue to defend these lawsuits and/or enforce these Amendments. However, from December 23, 2024 until the time the court rules on the legality of the Amendments or there is concrete guidance from the Trump Administration once in office, regulated entities should comply with the Amendments when using or disclosing reproductive health care information.
HHS Doubles Down on Support of Reproductive Health Care Information Privacy in Recent Settlement
In November 2024, HHS settled with a hospital for impermissibly disclosing a patient’s full medical record to the patient’s potential employer; the patient had signed an authorization that authorized disclosure of only one test result. The information disclosed included reproductive health care information, which HHS focused on in its public statements regarding the settlement — despite this disclosure occurring before the required compliance date of the Amendments.
In the linked press release, HHS stated, “Patients must be able to trust that sensitive, health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need. This is particularly true for reproductive health privacy.” The headline regarding the settlement released by HHS also included the phrase “reproductive health information.” This is indicative of the support that the current HHS has for these Amendments.
Key Takeaways
Although the future of the Amendments is unclear, as of December 23, 2024, regulated entities should be prepared to comply with the Amendments when using or disclosing reproductive health care information until further notice. To prepare to comply, regulated entities should:
- Update HIPAA privacy policies and processes to ensure reproductive health care information is not used or disclosed in violation of the Amendments.
- Obtain attestations before reproductive health care information is disclosed to health oversight agencies, law enforcement, or coroners or medical examiners, or in judicial or administrative proceedings (including in response to subpoenas and court orders).
- Implement updated training for workforce members responsible for disclosing health information to third parties to ensure compliance with the Amendments.
Health care data privacy continues to rapidly evolve and thus regulated entities should closely monitor any new developments and continue to take necessary steps towards compliance.
[1] Texas v. Dep’t Health & Hum. Servs., No. 5:24-cv-00204 (N.D. Tex. Sept. 4, 2024).
[2] Purl v. Dep’t Health & Hum. Servs., No. 2:24-cv-00228 (N.D. Tex. Oct. 21, 2024).
[3] Dobbs v. Jackson Women’s Health Org., 597 U.S. 215 (2022).