Walking a middle path, the HHS Office for Civil Rights (OCR) published proposed amendments to the HIPAA Privacy Rule on April 17, 2023, to further safeguard the privacy of reproductive health care information. This comes in the wake of the Supreme Court's Dobbs v. Jackson Women's Health Organization decision, an Executive Order, letters from Congress, and questions and concerns coming in from the public. Instead of completely locking down all reproductive health care information, the proposed rule prohibits the use and disclosure of this information for certain criminal, civil, and administrative investigations and proceedings where reproductive health care is legal in the state that it was provided or under federal law (e.g., EMTALA). This would preempt contrary state law in these narrow situations. OCR, however, did not go as far as it arguably could have, taking a more focused, intent-based approach and generally choosing not to preempt state law in states where the reproductive health care is illegal. OCR also proposes other corresponding changes, such as to the requirements for notices of privacy practices and requiring attestations for certain requests for information potentially related to reproductive health care. Public comments are due June 16, 2023. As covered entities and business associates await finalization of this rulemaking, they should consider how they will respond to requests for sensitive reproductive health care information and whether they want to take additional actions to safeguard this information.
Prior OCR Guidance Post-Dobbs
Soon after the Supreme Court first (officially) published the Dobbs decision on June 24, 2022, OCR published two guidance documents related to the privacy of reproductive health information. The first guidance document focused on how HIPAA currently applies to the privacy of reproductive health information. It emphasized that, although HIPAA permits disclosures of reproductive health care information to law enforcement or for judicial proceedings, it does not require those disclosures. The guidance clarified that a disclosure of protected health information (PHI) to law enforcement generally requires a mandate enforceable in a court of law. This arguably was a change of interpretation, as the regulatory language and prior guidance suggested that a covered entity could disclose PHI to law enforcement based on a law enforcement officer's administrative request that includes three required statements, without regard to whether that request was enforceable in a court of law. The guidance also clarified that a disclosure to avert a serious and imminent threat to health and safety must be consistent with standards of ethical conduct, and that it would be inconsistent with most professional standards to disclose to law enforcement or others PHI regarding an individual's interest, intent, or prior experience with reproductive health care. Of note, the guidance did not address certain other HIPAA permissions that could form a basis for a covered entity's workforce member to disclose reproductive health care information to law enforcement, such as where the workforce member believes that reproductive health care constituted a crime on the premises of the facility, or where the workforce member believes the disclosure is necessary to identify a suspect or witness to a potential crime.
OCR also published a second guidance document clarifying that HIPAA does not apply to health information on consumer devices or stored with most consumer apps. OCR provided suggestions to individuals regarding how to safeguard this information.
For a more in-depth analysis of OCR's prior guidance on securing health information after the Dobbs decision, see our analysis in Bloomberg Law.
OCR's Proposed Rule
The following summarizes the proposed changes to the Privacy Rule. A comparison detailing the proposed amendments can be found here.
Prohibition on Uses and Disclosures for Criminal, Civil, or Administrative Investigations or Proceedings Related to Reproductive Health Care
The primary proposed change to HIPAA is a general prohibition (at 45 C.F.R. § 164.502(a)(5)(iii)) on using or disclosing PHI: (i) where the use or disclosure is for a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care; or (ii) to identify any person for the purpose of initiating an activity described above. For convenience, we will simply refer to the above as investigations or proceedings related to reproductive health care.
These prohibitions would apply in three circumstances where:
- The relevant investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care outside of the state where the investigation or proceeding is authorized and where the reproductive health care is lawful in the state in which it is provided. For example, it would violate HIPAA for a Washington State hospital to disclose PHI about a legally obtained abortion to an Idaho court that is seeking to enforce a recently passed Idaho law that prohibits helping a minor obtain an abortion out of state. Likewise, if a Florida health insurance company received PHI about the reproductive health care that lawfully occurred in Washington, then the Florida health insurance company would violate HIPAA by disclosing the PHI to a Florida or Idaho court for purposes of criminal proceedings related to the reproductive health care. In short, if someone obtains an abortion in a state where it is legal and then travels to a state where the procedure would have been illegal, then covered entities and business associates located anywhere, including in states where the abortion would have been illegal, may not disclose the PHI for investigations or proceedings related to the reproductive health care.
- The relevant investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care that is protected, required, or authorized by Federal law, regardless of the state in which the health care is provided. For example, it would violate HIPAA for a Texas hospital to disclose PHI to law enforcement officials about an abortion that was necessary to save the life of a patient pursuant to the federal Emergency Medical Treatment and Labor Act (EMTALA), even if the abortion violated Texas law. Another example would be a disclosure of PHI related to reproductive health care provided by the Department of Veterans Affairs and authorized by federal law, even if the care is unlawful under the laws of the state where the reproductive health care was provided.
- The relevant investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care that is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state. For example, if Florida law generally prohibits an abortion after six weeks of pregnancy, then a Florida health care provider would violate HIPAA by disclosing PHI about an abortion that occurred at five and a half weeks in response to a law enforcement request for the information related to investigating the reproductive health care.
In short, OCR has proposed for HIPAA to preempt or supersede state law that requires disclosure only when the reproductive health care was lawful under state law or authorized or required by federal law. In the preamble commentary to the proposed rule, OCR indicates that it has "carefully crafted the proposed prohibition to apply only in circumstances in which the state lacks any substantial interest in seeking the disclosure."
The proposed prohibition applies to uses and disclosures for investigations and proceedings related to lawful reproductive health care, regardless of who is the target of the investigation or proceeding. For example, a covered entity could not disclose PHI that is being sought to prosecute someone who performed or helped facilitate a lawful abortion.
While the proposed rule largely avoids conflicting with state law by mostly limiting the prohibition to circumstances where the health care was lawful under state law, it still may place HIPAA-regulated entities between a rock and a hard place if finalized. For example, with respect to the recently passed Idaho law that prohibits someone from helping a minor obtain an abortion out of state, a health care provider with information about the abortion may need to refuse to disclose PHI in response to a court order from an Idaho court. This could lead to a finding of contempt of court if the court refuses to recognize the validity of HIPAA's prohibition. Alternatively, if the health care provider complies with the court order, then it could be subject to civil and criminal penalties under HIPAA. The entity may find itself having to appeal the court's decision with the hope that an appellate court will recognize that HIPAA preempts the state law.
The prohibition on using or disclosing PHI for proceedings related to reproductive health care will apply generally, limiting all of the Privacy Rule's other permissions. For example, a covered entity may not report a crime on the premises, may not seek to avert a perceived serious and imminent threat, may not disclose PHI to a health oversight agency, etc., if the disclosure would violate the proposed prohibition.
To assist covered entities and business associates in determining whether the intent of a request is for a prohibited investigation or proceeding related to reproductive health care, OCR also is proposing a new § 164.509 that provides that a regulated entity may disclose PHI related to reproductive health care only if it receives an attestation from the requestor in certain circumstances. The attestation would be required if the request is for health oversight purposes, a judicial or administrative proceeding, law enforcement purposes, or from a coroner or medical examiner for decedent information. The attestation would need to include certain elements, such as the name of the individual or class of individuals who are the subjects of the PHI, identification of the requestor, and a clear statement that the use or disclosure is not for an investigation or proceeding related to reproductive health care that is lawful under state law or required or authorized under federal law. The attestation must be in plain language and may not be combined with any other document. A covered entity or business associate would not be required to investigate the credibility of an attestation, but could not disclose PHI related to reproductive health care if the regulated entity has actual knowledge that material information in the attestation is false or if it is "objectively unreasonable" to believe that the attestation is true. A disclosure based on an attestation that the regulated entity knows to contain material misrepresentations also may be considered a breach of unsecured PHI that requires breach notification. The attestation requirement is in addition to any other requirements under the Privacy Rule, such as requirements related to responding to a discovery request (e.g., notice to the individual or a qualified protective order).
OCR has suggested that a third party that knowingly submits a false attestation to impermissibly obtain reproductive health information would be in violation of HIPAA and could face criminal penalties.
The attestation requirement may be burdensome on regulated entities. For example, a covered health care provider likely will need to review the requested PHI to determine whether it potentially relates to reproductive health and, if so, request the attestation. Sometimes, the request itself will indicate reproductive health is involved. Other requests will be less clear. Since reproductive health care may include a wide variety of treatments and interventions (such as high blood pressure in a patient with preeclampsia or blood sugar levels for a patient with gestational diabetes), this may not be an easy call (and it also may be time consuming).
Changes to Definitions
OCR also proposed to add or amend three definitions. First, it proposed to amend "person" to clarify that it means a human being who is born alive. The purpose is to clarify that an embryo or fetus is not a "person" for purposes of HIPAA. Second, OCR proposes a definition of "public health" to clarify that the term addresses population-level activities and does not include uses and disclosures for investigations or proceedings against a person related to reproductive health care. Third, OCR proposes to define "reproductive health care" as care, services, or supplies related to the reproductive health of an individual.
Law Enforcement Requests
The Privacy Rule currently permits a covered entity to disclose PHI to law enforcement in response to an "administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: (1) [t]he information sought is relevant and material to a legitimate law enforcement inquiry; (2) [t]he request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) [d]e-identified information could not reasonably be used." Because the current Privacy Rule does not define what constitutes an "administrative request" (other than providing some examples) and does not clarify what constitutes an "authorized investigative demand," some have interpreted that any written law enforcement request with the three required statements would suffice, as long as the law enforcement officials were acting within their legal authority. OCR proposed to amend this provision to permit disclosures in response to an administrative request only "for which response is required by law." Accordingly, a regulated entity would need to determine whether it is legally required to respond to a law enforcement official's request (e.g., would it be obstruction of justice to refuse compliance). Of note, this proposed change is not limited to PHI related to reproductive health care – it would apply more generally to all disclosures of PHI in response to law enforcement administrative requests.
Changes to Notices of Privacy Practices
OCR has proposed two changes to the required content elements of a notice of privacy practices to inform individuals about the proposed prohibition. First, the notice of privacy practices would need to include a description, including at least one example, of the types of uses and disclosures of PHI that are prohibited in relation to reproductive health care. For example, a notice would need to indicate that the covered entity may not use or disclose PHI for purposes of investigations or proceedings related to reproductive health care that is lawful under state law or authorized or required by federal law. Second, the notice would need to describe and include at least one example of the types of uses and disclosures of PHI for which an attestation is required.
Abuse and Neglect
A covered entity may elect not to treat a person as an individual's personal representative if the covered entity has a reasonable belief that the individual has been or may be subject to domestic violence, abuse, or neglect by the person, and treating that person as the personal representative could endanger the individual. OCR proposes to clarify that this exception does not apply where the primary basis for the covered entity's belief is the facilitation or provision of reproductive health care. For example, a covered entity could not refuse to treat a parent of a minor as a personal representative because the parent is helping the minor to obtain an abortion.
Similarly, while the Privacy Rule permits a covered entity to report PHI to an appropriate authority in cases of suspected abuse, neglect, or domestic violence against the individual, OCR proposes to amend the Privacy Rule to clarify that this is not a basis to disclose PHI for investigations or proceedings related to reproductive health care.
Authorization vs. Right of Access
OCR proposes to add a new prohibition so that an authorization would not be sufficient to permit the disclosure of PHI for purposes prohibited by HIPAA with respect to reproductive health. Instead, disclosures of reproductive health information are permissible only with the attestation, as described above. This prohibition is modeled after the prohibition that health plans may not use or disclose genetic information for underwriting purposes, even with an individual's authorization. OCR identifies its concerns that law enforcement or other third parties may attempt to coerce the individual to sign an authorization.
OCR, however, reaffirms that the individual's right of access cannot be denied based on the intended purpose of the access, which is consistent with OCR's enforcement initiative to protect the right of access. This would allow an individual to direct a covered entity to transmit to a third party, which could be a law enforcement official, an electronic copy of the PHI in an electronic health record. Although OCR expresses the same concern about coercion, it identifies the right of access as of paramount importance. The problem remains that third parties could coerce the individual to obtain and disclose reproductive health information for impermissible purposes.
The Paths Not Chosen
When considering OCR's proposed changes, it also is worth considering the alternative approaches that OCR did not pursue.
The most aggressive changes that OCR could have proposed would have been to treat reproductive health care information similar to how 42 C.F.R. part 2 safeguards substance use disorder patient records, requiring regulated entities to isolate reproductive health care information and not further use or disclose it for nearly any purpose without the individual's consent. OCR also could have sought to preempt all other laws, prohibiting disclosures of reproductive health information even in circumstances where the care is illegal. Those proposals likely would have led to significantly more controversy, could have presented difficulties in segregating reproductive health information, and could have adversely affected treatment and care coordination.
The opposite end of the spectrum would have been to propose no changes or take a very limited approach that does not preempt any state law. For example, OCR could have proposed further limiting the use and disclosure of reproductive health care information for law enforcement purposes but allowing any disclosure that is required by law.
OCR's proposed rule seems to strike a middle ground. It does not attempt to completely lock down reproductive health care information or to preempt all disclosures of reproductive health care information that are required by state law or court orders. Instead, it creates some narrowly tailored additional protections for reproductive health care information to limit when this information may be used or disclosed for investigations and proceedings. Most interestingly, OCR has staked out a position on preemption of state law that generally respects a state's decision to prohibit certain reproductive health care within the state, but preempts the state's laws or its court's orders to the extent that the state seeks to stretch its authority to states where the reproductive health care is permissible or circumstances where the procedure is protected under federal law.
Next Steps for OCR
The proposed rule will be open to comments for 60 days (i.e., until June 16, 2023).
Once the rule is finalized, it will become effective 60 days after publication, and OCR proposed that regulated entities must comply within 180 days after the effective date (i.e., 240 days after publication of the final rule).
OCR has a lot on its plate at the moment. It has not yet finalized the January 2021 proposed rule, it has not finalized the proposed changes to 42 C.F.R. part 2, and, following its May 2022 request for information, it still needs to publish a proposed rule on the distribution of penalties to harmed individuals and on positive consideration during audits and investigations for entities that have implemented recognized security practices. In all likelihood, finalizing the proposed rule on reproductive health care privacy is OCR's top priority in light of the administration's focus on the issue.
Compared to the other proposed rules, these proposed amendments to the HIPAA Privacy Rule pertain to far more controversial subject matter. It seems likely that OCR will receive a large volume of comments in response to its proposals, creating considerable work ahead for OCR (which has a relatively small policy staff) to finalize the rule.
The HIPAA statute and regulation (45 C.F.R. § 160.104) prohibit HHS from modifying a HIPAA standard or implementation specification more than once in a 12-month period. The January 2021 proposed rule, the proposed changes to 42 C.F.R. part 2, and this proposed rule all propose changes to a single implementation specification – the content requirements of a notice of privacy practices. Accordingly, OCR will need to coordinate the finalization of these rules – either finalizing them together or staggering the changes by at least 12 months.
Next Steps for Covered Entities and Business Associates
Regulated entities should evaluate the proposed rule and consider providing comments, including comments in support of proposals with which the entity agrees. A list of OCR's requests for comments is attached here.
It likely will be at least a year before this proposed rule is finalized, but the issues surrounding the privacy of reproductive health care are not waiting. Until this rule is finalized, covered entities should consider whether they want to take additional steps to safeguard PHI related to reproductive health care. For example, covered entities may consider reminding patients about their right to request restrictions on the use or disclosure of this information (although this right does not extend to disclosures to law enforcement or that are required by law). Covered entities should consider whether they have systems in place to limit uses and disclosures if they do agree to a restriction. Covered entities and business associates also should consider how they will interact with law enforcement and courts to the extent that they receive a request for reproductive health care information. Finally, entities should be cognizant of state restrictions on the disclosure of reproductive health information that are already in effect or that states are enacting, such as a 2022 California law at Cal. Civ. Code § 56.108 that prohibits a provider of health care from releasing, in response to a subpoena or request under another state's laws, medical information related to an individual seeking or obtaining an abortion.