HHS Amends HIPAA To Further Protect Privacy of Reproductive Health Care Information

The U.S. Department of Health and Human Services (HHS) this week released final amendments to the HIPAA Privacy Rule to further protect the privacy of protected health information (PHI) related to reproductive health care. The amendments will provide patients, health care providers, and others with greater protections from PHI being used and disclosed to conduct investigations or impose liability on those seeking, obtaining, providing, or facilitating reproductive health care.

To comply with the amendments, health care providers will need to implement new policies and procedures for handling requests for PHI related to reproductive health care, including refusing to disclose PHI in certain circumstances without the requestor providing an attestation regarding the intended use of the PHI. One of the biggest challenges of the amendments is that, as with substance use disorder records that are subject to 42 C.F.R. part 2 (the "Part 2 Rule"), health care providers will need to refuse to provide PHI in response to certain court orders, health oversight requests, and law enforcement requests. This potentially places regulated entities in difficult positions of educating requestors and resisting both the requests as well as any resulting contempt-of-court or obstruction-of-justice charges or adverse health oversight decisions.

The final amendments were published in the Federal Register today (April 26, 2024), thus setting a compliance deadline of December 23, 2024, for most of the final amended rule's requirements.

In short, the final rule amends the Privacy Rule to:

• Prohibit certain uses and disclosures of PHI for purposes of investigating or imposing liability on any person for seeking, obtaining, providing, or facilitating lawful reproductive health care;
• Require certain requestors to attest that they are not seeking PHI for such prohibited purposes; and
• Require changes to covered entities' notices of privacy practices to reflect the above prohibition and attestation requirements and to reflect recent changes to the Part 2 Rule.

New Prohibition on Certain Uses or Disclosures of PHI Related to Reproductive Health Care

Under the amendments, a covered entity or business associate may not use or disclose PHI for any of the following activities (subject to the applicability provision, discussed below):

• To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
• To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
• To identify any person for the above purposes.

The final rule defines "reproductive health care" as:

[H]ealth care, as defined in [45 C.F.R. § 160.103], that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care.

This prohibition related to reproductive health care is applicable, however, only if: (i) the reproductive health care is lawful under the law of the state in which the health care is provided under the circumstances in which it is provided; or (ii) the reproductive health care is protected, required, or authorized by federal law, including the United States Constitution, under the circumstances in which the health care is provided, regardless of the state in which it is provided.

Reproductive health care provided by another person is presumed to be lawful under state or federal law unless the covered entity or business associate has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or the requestor of the PHI supplies factual information that demonstrates a substantial factual basis for determining that the reproductive health care was not lawful under the circumstances in which it was provided. A requester's statement that the reproductive health care was unlawful, without more, will not suffice.

For example, if a state law generally prohibits abortion after six weeks of gestation and includes an exception to save the life of the mother, then the amended Privacy Rule generally would prohibit disclosing PHI to a law enforcement official who is investigating an abortion that occurred at five weeks of gestation or an abortion that the health care provider believed was necessary to save the life of the mother. In the face of a court order for disclosing this PHI for purposes of a claim against the health care provider or the reproductive health care patient, the health care provider would need to refuse to disclose the PHI. In contrast, if the abortion was unlawful because it occurred at seven weeks, did not fall under a state law exception, and was not protected, required, or authorized by federal law, then the Privacy Rule would permit the health care provider to disclose the PHI in response to the law enforcement request (if the Privacy Rule's criteria for disclosure to law enforcement are met) or the court order. Note that the prohibition applies only to investigations or proceedings related to "the mere act of" seeking, obtaining, providing, or facilitating reproductive health care. For example, the Privacy Rule would not prohibit disclosing PHI to investigate whether a health care provider committed malpractice when providing reproductive health care due to allegations of poor care.

HHS indicated that it does not expect that regulated entities will need to segregate PHI related to reproductive health care due to the prohibition being limited to specific purposes of uses and disclosures. In other words, HHS anticipates a manual review process in response to requests for PHI for certain purposes, rather than a need to place restrictions on the PHI within the electronic health record or other information systems.

HHS had proposed that an individual could not authorize an otherwise prohibited disclosure of PHI for use in investigations or proceedings related to reproductive care. HHS did not finalize this change, meaning that an individual can sign a HIPAA-compliant authorization that permits the disclosure of PHI for investigations or proceedings related to their reproductive health care. HHS remains concerned that an individual will be coerced into signing an authorization for disclosure of PHI related to their reproductive health care but, nevertheless, believes in fully supporting individual autonomy over when to authorize disclosures.

Attestation Requirement

The amendments introduce an attestation requirement for any request for PHI potentially related to reproductive health care for health oversight, law enforcement, judicial or administrative proceedings, or coroner or medical examiner purposes. For these requests, a covered entity or business associate may not disclose the PHI unless it receives an attestation from the requestor stating that the PHI will not be used for any of the prohibited purposes (such as that it will not be used to conduct an investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care or that the reproductive health care was unlawful and therefore the prohibition is inapplicable). The attestation must meet several criteria both with respect to its content and form (e.g., it may not be combined with any other document). A covered entity or business associate potentially violates the Privacy Rule and may have breach notification obligations if it fails to obtain an attestation or discloses PHI while knowing an attestation to be defective. A requestor is potentially subject to criminal prosecution under HIPAA for submitting a false attestation (and the attestation must include a statement warning the attestor of this risk). When determining whether an attestation is valid, a regulated entity may not solely rely on an attestation on its face, but rather must consider the totality of circumstances. For example, if the attestation is from a public official whom the regulated entity knows has publicly stated that they are seeking to investigate and prosecute persons for furnishing reproductive health care, then it may be unreasonable for the regulated entity to rely on the attestation in those circumstances. HHS intends to release a model attestation form prior to the compliance date of the amendments.

Changes to Notices of Privacy Practices

The amendments also require that the notice of privacy practices: (1) addresses both HIPAA and the Part 2 Rule; (2) describes the additional privacy safeguards for reproductive health care; and (3) includes a statement that puts the individual on notice that PHI disclosed under the Privacy Rule is subject to redisclosure by the recipient and may be no longer protected by the Privacy Rule. The notice of privacy practices now must include a description, and at least one example of the uses and disclosures of PHI related to reproductive health care that are prohibited, as well as a description, and at least one example, of the types of uses and disclosures of PHI for which an attestation is required.

Unlike the compliance date for the rest of these amendments, covered entities have until February 16, 2026, to revise their notices of privacy practices. Since some of the required changes to the notice relate to the Part 2 Rule, HHS used the compliance date for the recent amendments to the Part 2 Rule as the compliance date for revising notices of privacy practices.

Miscellaneous Changes

The amendments also include several other changes, such as:

• Clarifying that a "natural person" is a "human being who is born alive." This avoids certain HIPAA provisions potentially being applied based on the position that a fetus is a "person."
• Creating a formal regulatory definition of "public health," limiting it to population-level activities (which includes individual-level requests for PHI focused on improving population-level health) and clarifying that the definition does not include activities:

1. To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care.

2. To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care.

3. To identify any person for any of the activities described at paragraphs (1) or (2) of this definition.

These changes are intended to: (i) prevent disclosures of PHI for purposes of investigating or imposing liability for seeking, obtaining, providing or facilitating health care (reproductive or otherwise) from being treated as permissible disclosures for public health purposes; and (ii) exclude these types of disclosures from being treated as public health disclosures for purposes of HIPAA's preemption provisions (since HIPAA generally preempts state law but does not do so with respect to certain public health activities).

• Clarifying that a covered entity may not refuse to treat a person as a personal representative due to perceived child abuse because the person provided or facilitated reproductive health care for and at the request of an individual. For example, a health care provider may not refuse to treat a parent as the personal representative of a child on the basis of child abuse solely because the parent is assisting the child with receiving contraception or an abortion.
• Clarifying that a covered entity may not disclose PHI to report abuse, neglect, or domestic violence when the sole basis of the report is the provision or facilitation of reproductive health care.
• Providing that a covered entity only may disclose PHI in response to a law enforcement official's "administrative request" if "response is required by law." For example, under the current regulation, a covered entity arguably could disclose PHI to a law enforcement official as long as the law enforcement official writes certain required statements on the request. Under the amendments, the disclosure is permissible only if the law requires the covered entity to respond to the request. This is not limited to PHI about reproductive health care and will apply broadly to all law enforcement requests.
• Including a severability provision seeking to keep as much of the amendments in force as possible should a court find that one or more provisions are invalid or unenforceable. This implies that HHS believes litigation in response to these amendments is likely.

Likely Impact of the Final Rule

The amendments are likely to provide patients who seek reproductive health care greater privacy protections and greater confidence that their health information will not be used against them or those who assist with their care.

Covered entities and business associates, however, are likely to face a number of operational challenges, which will need to be addressed this year.

• Covered entities may need to revise their privacy policies and procedures to reflect these changes. HIPAA does not require business associates to have written privacy policies and procedures, but they may choose to do so and may find it helpful to create or revisit policies in light of these amendments.
• For certain releases of PHI, covered entities and business associates may need to implement checks to review whether the PHI potentially relates to reproductive health care and, if so, either block the disclosure of the PHI or verify that an appropriate attestation is in place. This may create particular issues for certain business associates, such as cloud service providers, who may not be able to view customer content and, therefore, may not be in a position to identify whether PHI potentially relates to reproductive health care. These business associates may need to determine whether they will treat all customer content as potentially containing PHI that may relate to reproductive health care.
• Covered entities will need to revise their notices of privacy practices in accordance with the amendments (although they have until February 16, 2026, to do so).
• Covered entities and business associates may want to prepare themselves for potential conflicts between federal and state law, where a court, law enforcement official, or health oversight agency is demanding PHI that HIPAA may not permit the regulated entity to disclose. It is likely that at least some requestors will be unwilling to accept that HIPAA prohibits disclosure of the requested PHI, forcing the regulated entity to spend time and money challenging the request. For example, a court may seek to hold a health care provider in contempt for failure to turn over PHI, with the provider having to either violate HIPAA or challenge the court's ruling.

This final rule represents the most significant changes to the Privacy Rule since the amendments implementing the HITECH Act in 2013. The new amendments address one of the most volatile issues in health care and almost certainly will put health care providers at odds with state governmental entities in certain circumstances. There is a high risk that these amendments will be challenged and, if there is a change in administration, repealed. Accordingly, while this may be a final rule, these amendments certainly are not the final word on the privacy of reproductive health care.

+++

For assistance with this rule, please contact one of the authors of this alert or the Davis Wright Tremaine attorney with whom you work.