The Big Picture
On April 12, 2023, the Department of Health and Human Services (HHS) released a notice of proposed rulemaking to address the privacy of protected health information (PHI) related to reproductive health care services. These proposed regulatory revisions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) respond to concerns that, in light of new state restrictions on abortion and other procedures following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, PHI may be used in investigations or proceedings against either individuals who seek legal reproductive health care services or providers who furnish such services, potentially discouraging individuals from seeking lawful treatment from (or discussing it with) their provider.
For entities subject to HIPAA—including most health care providers and health plans—HHS proposed a new purpose-based prohibition on uses or disclosures of PHI for a criminal, civil, or administrative investigation into, or a proceeding against, any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such care is lawful under the circumstances in which it was provided. As described more fully below, this would prohibit the disclosure of information pertaining to:
- Cross-state investigations or enforcement actions in which reproductive health care was sought, obtained, provided, or facilitated in a state where the care is lawful and outside the state where the investigation or proceeding is authorized
- Reproductive health care protected, required, or expressly authorized by federal law, regardless of the state where the care is provided
- In-state investigations or enforcement actions concerning reproductive health care that was authorized and permitted under state law
Comments on the proposed rule are due by June 16, 2023 (assuming the rule is published in the Federal Register on April 17, 2023, as currently scheduled).
Background on the HIPAA Privacy Rules
HIPAA is the primary federal law that protects patients’ health care data and records (referred to as protected health information, or PHI). HIPAA applies to covered entities (CEs)—including health care providers, health plans, and health care clearinghouses—and their business associates, referring to contractors that receive, maintain, or disclose PHI on behalf of a CE. HIPAA establishes a federal floor for privacy protections but not a ceiling—HIPAA generally preempts state law that prevents the application of the HIPAA privacy rules but does not preempt state laws that afford greater privacy protections to PHI.
HIPAA, as implemented through HHS regulations, generally prohibits a CE from using or disclosing PHI unless the use or disclosure is either permitted pursuant to a patient’s written authorization or authorized by regulation under one of several exceptions. Some exceptions permit a CE to make a disclosure, while others require it to do so.
HIPAA, as HHS explained in its June 2022 guidance, permits only in narrow circumstances disclosures for purposes not related to health care, such as disclosures to law enforcement officials. The June guidance notes that the privacy rules permit—but do not require—CEs to disclose PHI about an individual without the individual’s authorization when such disclosure is required by another state or federal law, meaning “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” (For more on the June 2022 guidance, see the Manatt newsletter.)
Although this HIPAA exception is permissive rather than mandatory, CEs typically comply with legally enforceable requests for information (such as warrants or subpoenas) because failure to do so may carry penalties under other applicable laws.
HHS’ Rationale for the New Proposed Rule
In the proposed rule, HHS discusses in detail that HIPAA’s long-standing purposes—including ensuring that individuals do not forgo lawful health care when needed or withhold important information from their health care providers that may affect the quality of care they receive—as well as confusion on the part of and concerns raised by health care providers with regard to the Dobbs decision, indicate a compelling need to provide additional protections for reproductive health care information, which HHS considers especially sensitive. Before Dobbs, HHS explains, “the range of circumstances in which persons attempted to seek or use highly sensitive PHI in criminal, civil, and administrative investigations or proceedings in connection with the provision of reproductive health care was much narrower.”
HHS is thus proposing new protections for reproductive health care information, following the similar model HHS previously developed for enhanced privacy around psychotherapy notes due to the “particularly sensitive information” contained in those notes. As an operational matter, HHS acknowledges that, unlike psychotherapy notes, which are maintained separately from the individual’s general medical records, reproductive health care information is not as “easily defined or segregated.” To address this concern, HHS is proposing a “purpose-based” prohibition on the use and disclosure of PHI, as described below, which would continue to allow certain uses and disclosures of reproductive health care information for purposes that align with the overarching goals of HIPAA.
New Proposed Prohibitions on the Use and Disclosure of PHI Related to Reproductive Health Care
HHS proposes to newly prohibit CEs (and their business associates) from using or disclosing PHI for a criminal, civil, or administrative investigation into, or a proceeding against, any person in connection with seeking, obtaining, providing, or facilitating1 reproductive health care,2 including contraception, pregnancy-related care, fertility- or infertility-related health care, and other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system, where such care is lawful under the circumstances in which it was provided.
HHS proposes three specific circumstances in which the use and disclosure by a CE or business associate (referred to collectively as “regulated entities”) would be prohibited because “the state lacks any substantial interest in seeking the disclosure.”
(1) When reproductive health care is sought, obtained, provided, or facilitated in a state where the care is lawful and outside the state where the investigation or proceeding is authorized. This would allow a health clinic in State A to refuse to comply with an out-of-state search warrant or court order from State B seeking records related to reproductive health services that were legally performed under the laws of State A, for the purpose of initiating an investigation into the reproductive health care services. A regulated entity in the individual’s home state (State B) that receives PHI concerning reproductive health care provided out of state (in State A) would be prohibited from using such PHI or disclosing it to law enforcement in State B in an investigation or proceeding in connection with the reproductive health care.
(2) When reproductive health care is protected, required, or expressly authorized by federal law, regardless of the state where the care is provided. HHS expressly stated that this would prohibit the disclosure or use of PHI for an investigation into, or a proceeding against, a regulated entity that provided reproductive health care as required by the Emergency Medical Treatment and Labor Act (EMTALA) or other activities that remain protected, such as the provision of contraception.
(3) When reproductive health care is provided in the state where the investigation or proceeding is authorized and permitted by the law of such state. For instance, use or disclosure of PHI would be prohibited for investigations or enforcement by State A when the health care meets the requirements of an exception to a law in State A (e.g., if the law permits pregnancy termination when the pregnancy is the result of rape or incest or because the life of the pregnant individual is endangered) or when the health care occurred at a point in pregnancy that is permitted by State A law.
The proposed rule would also prohibit the use or disclosure of PHI for the purpose of identifying any individual, health care provider, or other person in order to initiate such an investigation or proceeding.
A regulated entity’s provision of reproductive health care information in violation of these prohibitions would violate HIPAA and be presumed to be a breach of unsecured PHI. Regulated entities that violate HIPAA may be subject to financial penalties imposed by HHS. In addition, criminal charges can be brought by the U.S. Department of Justice against any person (not just a regulated entity) who wrongfully obtains or discloses PHI maintained by a CE.
Under the proposed rule, individuals and regulated entities would still be permitted to use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding related to professional misconduct or negligence involving reproductive health care and for other lawful purposes, including where the purpose of the disclosure is to investigate sexual assault against the relevant individual, provided that an attestation (as described below) is obtained.
Operational Considerations and Proposed Attestation Requirement
HHS proposed that reproductive health care information may not be disclosed for a prohibited purpose, even with an otherwise valid patient authorization for disclosure.3
Because HHS believes it will be difficult for regulated entities to distinguish between use and disclosure requests for reproductive health care for permitted and prohibited purposes, it proposes that a regulated entity be required to obtain from the person requesting PHI a written, signed attestation that the use or disclosure would not be for a prohibited purpose, in cases where the person requests such PHI for health care oversight activities, judicial and administrative proceedings, law enforcement purposes, and matters regarding decedents (i.e., from coroners and medical examiners). The proposed rule prohibits the attestation from being combined with any other document, meaning the attestation must be clearly labeled and distinct from any surrounding text.
HHS does not propose to require a regulated entity to investigate the validity of an attestation provided by the requester; rather, a regulated entity would be permitted to disclose the reproductive health care information if required by law based on the attestation provided that it is objectively reasonable under the circumstances.
HHS highlights that any person who knowingly and in violation of HIPAA obtains PHI or discloses it to another person or entity would be subject to criminal liability, as noted above.
* * *
If the rule is adopted, covered entities would have to comply within 180 days of the final rule’s publication.
The proposed rule is set to be published on April 17, 2023, and interested parties will have 60 days after the date of publication to submit comments to HHS.
1 HHS proposed that “seeking, obtaining, providing, or facilitating” would include, but not be limited to, “expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care, as well as attempting to engage in any of the same.”
2 HHS proposed to define “reproductive health care” as “care, services, or supplies related to the reproductive health of the individual” and emphasized that this definition would apply broadly and would include both prescribed and nonprescription supplies as well as services provided by both health care providers and other persons. HHS provided the following as examples of reproductive health care: contraception; pregnancy-related care (including miscarriage management, molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, prenatal care, and similar or related care); fertility- or infertility-related health care (including services such as reproductive technology and its components), and “other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system” (including health care related to reproductive organs, regardless of whether the health care is related to pregnancy or whether the individual is of reproductive age).
3 Generally, HIPAA permits disclosures to be made if authorized by an individual under a HIPAA-compliant authorization. See 42 C.F.R. §164.502 (a)(1)(iv).