HHS Proposes to Amend HIPAA to Strengthen Privacy of Reproductive Health Information Post-Dobbs

HHS issued the proposed rule in response to concerns for patients and health care providers that, following the Supreme Court’s decision in in Dobbs overturning the constitutional right to an abortion under Roe v. Wade, patient medical records could be used to penalize them for seeking, obtaining, providing, or facilitating reproductive health care. In particular, as state prosecutors and law enforcement agencies turn to patient medical records and related health-care information in the search for evidence of potential civil and criminal violations to enforce restrictive abortion laws, questions have arisen as to whether HIPAA sufficiently protects patients and their health care providers.

The proposed rule follows President Biden’s Executive Order 14076, which directed HHS to consider ways to strengthen the protection of sensitive information related to reproductive health care services and bolster patient-provider confidentiality, as well as guidance issued last summer by the Office for Civil Rights (OCR) within HHS (the agency that enforces HIPAA) addressing permitted disclosures of PHI relating to reproductive health care and their limitations under the Privacy Rule.

The proposed rule seeks to bolster privacy protections for reproductive health care by prohibiting a HIPAA covered entity from using or disclosing PHI for the criminal, civil, or administrative investigation of or proceeding against anyone for seeking, obtaining, providing, or facilitating reproductive health care, as well as the identification of any person for the purpose of initiating such an investigation or proceeding. Protected activities include expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care.

Such disclosures of PHI would be prohibited only when the reproductive health care: (1) is lawfully provided outside of the state where the investigation or proceeding is authorized; (2) is protected, required, or authorized by Federal law, regardless of the state in which the health care is provided; or (3) is lawfully provided in the state in which the investigation or proceeding is authorized. However, the prohibition is not intended to apply to uses or disclosures of PHI for an investigation, civil action or prosecution concerning abortion or related activity that occurred within a state in which the abortion or other activity is restricted or lawful. Moreover, the prohibition would apply only to use or disclosures of protected information by covered entities (health care providers, health plans, healthcare clearinghouses and their business associates), and not to compulsory disclosures by others, including patients and their relatives and friends (although, of course, patients and others under criminal investigation may have a separate basis to withhold information).

To assist in effectuating this prohibition, HHS is proposing clarifications to the definitions of certain terms, including “person” and “public health”; limitations on the existing exception for child abuse reporting to ensure it is not used to report access to reproductive health care; and ensuring that a patient’s personal representative (who under HIPAA is generally authorized to make health care decisions on the patient’s behalf) is not disqualified from making those decisions because the representative authorizes reproductive health care.

HHS is also proposing to require covered entities to obtain an attestation from anyone who requests the use or disclosure of information potentially related to reproductive health care that the use or disclosure is not for a prohibited purpose. Finally, the Department proposes to require modifications to Notice of Privacy Practices (NPP) to ensure that individuals are aware of and understand the proposed prohibition.

Below we summarize each of these key takeaways of the proposed rule.

Protection of Patient Reproductive Health Information under HIPAA and Proposed Amendments

As a reminder, at the federal level, HIPAA sets a floor of comprehensive standards for the protection of individually identifiable health information (referred to as “protected health information” or “PHI”) for covered entities, including health care providers, health plans, and their business associates. The Privacy Rule generally prohibits the use or disclosure of PHI (including reproductive health information) without the written authorization of the patient or her personal representative. However, there are exceptions to this general rule, including exceptions that allow law enforcement agencies, private litigants and courts to obtain health records through warrants, investigative demands, and discovery in litigation. The proposed rule would limit these exceptions insofar as they might be used to obtain reproductive health information for purposes of investigating or penalizing reproductive health care.

Specifically, the NPRM proposes to strengthen the Privacy Rule’s protections as follows:

• Clarification of Certain Terms under 45 CFR Section 160.103

To operationalize its proposed modifications to the Privacy Rule (see Amending Section 164.502, below), HHS also proposes revising or clarifying certain definitions and terms that apply to the Privacy Rule and other regulations promulgated under HIPAA.

First, HHS proposes to modify the scope of “person” in 45 C.F.R. § 160.103 to clarify that the term “natural person” in the existing definition means “a human being who is born alive.”

HHS further proposes to clarify the definition of “public health activities” as a basis for permissive for certain uses and disclosures of PHI explicitly excludes any such uses or disclosures “for the criminal, civil, or administrative investigation into or proceeding against a person in connection with obtaining, providing, or facilitating reproductive health care, or for the identification of any person in connection with a criminal, civil, or administrative investigation into or proceeding against a person in connection with obtaining, providing, or facilitating reproductive health care.”  Rather, the exception extends only to population-based activities.

The proposed rule also clarifies that HHS interprets the exception under the Privacy Rule permitting uses and disclosures of PHI to report “child abuse” excludes conduct based solely on seeking, obtaining, providing, or facilitating reproductive health care – in other words, that facilitating reproductive health care does not constitute child abuse for purposes of the exception.

Finally, HHS proposes to add “reproductive health care” as a term under the regulations, which would be a subcategory of the existing term “health care” under HIPAA, and would be defined as “care, services, or supplies related to the reproductive health of the individual.” As with “health care,” the term “reproductive health care” would be interpreted broadly and functionally to include all types of health care, services, or supplies related to an individual’s reproductive system, regardless of where and by whom such care, services, or supplies are provided, including but not be limited to: “contraception, including emergency contraception; pregnancy-related health care; fertility or infertility-related health care; and other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system.”[i]

• Amending Section 164.502 Regarding Permitted and Prohibited Uses and Disclosures of Protected Health Information

The NPRM proposes amending Section 164.502 of the Privacy Rule to add a new category of prohibited uses and disclosures of PHI involving the lawful provision of reproductive health care, where the use or disclosure is for criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, or to identify any person for the purposes of initiating such investigation or proceeding.

The prohibition applies where the use or disclosure of PHI is for an investigation or proceeding in connection with a person seeking, obtaining, providing, or facilitating reproductive health care:

(i) outside of the state where the investigation or proceeding is authorized and where such health care is lawful in the state in which it is provided;

(ii) that is protected, required, or authorized by federal law (regardless of the state in which it was provided); and/or

(iii) that is provided in the state in which the investigation or proceeding is authorized and is permitted by the law of that state.

The prohibited purposes are intended to encompass any type of legal or administrative investigation or proceeding, including law enforcement investigations, third party investigations in a civil proceeding, state licensure proceedings, criminal prosecution, and family law proceedings.

For example, where a covered entity provides lawful abortion (under the laws of the state in which the abortion was provided) to an out-of-state patient, the covered entity could not disclose PHI to law enforcement from the patient’s home state pursuant to an investigation or proceeding against the patient or a provider for seeking, obtaining, or facilitating the lawful abortion. Likewise, a covered entity in the patient’s home state could not use or disclose PHI received from the out-of-state covered entity providing the lawful abortion for such investigation or proceeding.

However, where the reproductive health care was performed in a state that deemed such care unlawful, and the care provided was not otherwise mandated by federal law (e.g. under EMTALA), then the proposed prohibition in Section 164.502 would not prevent the use or disclosure of PHI for an investigation or proceeding for obtaining, providing, or facilitating the allegedly unlawful abortion.

Additionally, the proposed prohibition would only apply where the use or disclosure of PHI involving lawful reproductive health care is used or disclosed for one of the prohibited purposes noted above. For example, HHS notes that the proposed changes to Section 164.502 would not prevent the disclosure of an individual’s PHI to law enforcement for purposes of investigating a sexual assault committed against that individual, as the disclosure here would not be for purposes of an investigation against a person in connection with seeking or obtaining reproductive health care, or to identify any such person. Similarly, HHS states that the proposed prohibition would not prevent the use or disclosure of PHI involving lawful reproductive health care for health oversight purposes, such as to investigate the submission of a false claim, nor would it prevent the use of such PHI to defend against an investigation or proceeding relating to professional misconduct or negligence involving reproductive care.

While 45 C.F.R. § 164.508 permits a covered entity to make any use or disclosure of PHI that is properly authorized by the individual, the proposed rule would invalidate any such authorizations in the case of a prohibited use or disclosure of reproductive health information. HHS notes that the intent of this proposed change is to fully protect individuals’ privacy by precluding the possibility of a third party, such as law enforcement, from circumventing the rule by coercing the individual to sign an authorization.

Lastly, HHS proposes revising Section 164.502 to limit the ability of a covered entity to elect not to treat a person as the personal representative of the individual patient, based merely on the representative’s consent to reproductive health care services on behalf of the patient. This would not curtail the ability of a covered entity to elect not to treat an individual as the patient’s personal representative if it suspected domestic violence, abuse or neglect by the personal representative, or where treating such person as the personal representative could endanger the individual (assuming the basis for such belief isn’t predicated on the personal representative facilitating reproductive health care for and at the request of the individual patient).

• Creating New Section 164.509 on “Uses and Disclosures for which an Attestation is Required”

The NPRM proposes to create a new section of the Privacy Rule, 45 C.F.R. § 164.509, that would require a covered entity to obtain assurances, in the form of a signed and dated written attestation, from a party requesting PHI that potentially relates to reproductive health care. Underlying the attestation requirement is HHS’s view that it would offer covered entities a “standard mechanism” to discern and confirm, in writing, whether using or disclosing PHI in response to the request would be prohibited by the proposed Section 164.502(a)(5)(iii). The attestation requirement would apply when the request for PHI is for any of the following: health oversight activities; judicial and administrative proceedings; law enforcement purposes; or disclosures to coroners and medical examiners.

The proposed rule spells out what constitutes a “valid” or “defective” attestation. For example, to be valid, the attestation must be written in plain language, include a “clear statement that the use or disclosure is not for a purpose prohibited”, and may not be combined with another document – meaning it “must be clearly labeled and distinct from any surrounding text”.

HHS’s proposed rule will not require the covered entity to investigate the validity of the attestation; rather, it could rely on the attestation provided – as long as it is “objectively reasonable under the circumstances” to believe the statement. If, however, there is a basis to believe that the representations contained in the attestation were materially false, then the covered entity must cease any uses or disclosures of PHI requested.

To reduce the burden on regulated entities implementing this proposed attestation, HHS is considering developing a model attestation that a covered entity may use when developing its own attestation templates.

• Updating the Notice of Privacy Practices Content Requirements under Section 164.520

Lastly, the NPRM would modify the required contents of a covered entity’s notice of privacy practices to include a description and at least one example of the types of uses and disclosures that are prohibited, and the types of uses and disclosures that require an attestation, as described above.  HHS is proposing such changes due to concerns that otherwise individuals may “avoid accessing crucial health care.”  The changes would be intended for providers to provide reassurance of an individual’s privacy rights and ability to discuss their reproductive health and related care with their provider.

HHS is encouraging stakeholders to submit comments through regulations.gov, which are due 60 days after publication of the NPRM in the Federal Register.

[i] In commentary, HHS distinguished between the treatment of the newly proposed “reproductive health information” and psychotherapy notes. HIPAA has long provided special protections for psychotherapy notes, which are carved out from the definition of PHI, given the sensitivity of the information. However, unlike information related to an individual’s reproductive health – which is not easily defined or segregated, psychotherapy notes are by their “very nature are easily defined and segregated”. For this reason, the safeguards proposed focus on purpose-based prohibitions on certain uses and disclosures of reproductive health information, rather than creating a separate category of protected information as is the case with psychotherapy notes.