OCR issues proposed rule to modify HIPAA and strengthen the privacy of reproductive healthcare information
On April 12, 2023, the US Department of Health and Human Services Office for Civil Rights (OCR) issued a proposed rule (the Proposed Rule) to strengthen privacy protections for individuals’ protected health information (PHI) related to reproductive healthcare and, accordingly, limit the uses and disclosures of such PHI in certain circumstances.
Specifically, OCR would modify the HIPAA Privacy Rule[1] to restrict cooperation by abortion providers and their business associates in states where abortion is legal with out-of-state law enforcement requests from states where abortion is outlawed.
Additionally, the Proposed Rule seeks to avoid the circumstance where a person uses an existing provision of the Privacy Rule to request the use or disclosure of an individual’s PHI as a pretext for obtaining PHI related to reproductive healthcare for a non-healthcare purpose, where such use or disclosure would be detrimental to any person (e.g., a criminal investigation or proceeding).
The Proposed Rule comes on the heels of previous guidance issued by OCR in July 2022, which we summarized in a client alert, and President Biden’s Executive Order No. 10476.
Disruption of balance
In the Proposed Rule, OCR acknowledges that developments in the legal environment disrupted the Privacy Rule’s balance between an individual’s privacy on one side and the use or disclosure of PHI for certain non-healthcare purposes, including in certain criminal, civil, and administrative investigations and proceedings, on the other side. These developments include, among others, the Supreme Court’s decision in Dobbs v. Jackson Women's Health Organization last year and situations where persons or authorities have reached, or intended to reach, beyond their own states’ borders to investigate reproductive healthcare performed in other states where such healthcare services are legal.
Characterizing this disruption as a “mismatch” between privacy expectations and current legal protections for health information privacy, OCR believes the mismatch also undermines trust between individuals and healthcare providers nationwide, thereby decreasing access to, and effectiveness of, healthcare for individuals.
Summary of Proposed Rule
The Proposed Rule seeks to address the “mismatch” between privacy expectations and current legal protections for health information privacy by establishing when HIPAA prohibits disclosures of reproductive healthcare PHI for (i) the criminal, civil, or administrative investigation of or proceeding against an individual (Investigation or Proceeding), a covered entity or its business associates (each a Regulated Entity and together, Regulated Entities), or other person for seeking, obtaining, providing, or facilitating reproductive healthcare; and (ii) the identification of any person for the purpose of initiating such an investigation or proceeding. Specifically, under the Proposed Rule, OCR would prohibit covered entities and business associates from using or disclosing PHI for these purposes when the reproductive healthcare:
- is lawfully provided outside of the state where the investigation or proceeding is authorized
- is protected, required, or authorized by federal law, regardless of the state in which such healthcare is provided or
- is lawfully provided in the state in which the investigation or proceeding is authorized.
Of note, “seeking, obtaining, providing, or facilitating” discussed in (i) above is defined broadly and would include, but not be limited to, expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive healthcare, as well as attempting to engage in any of the same.
However, the Proposed Rule also states that, if a Regulated Entity determines that the reproductive healthcare was provided under circumstances or in a state where it was unlawful, the proposed prohibition will not apply, and the Regulated Entity would be permitted to use or disclose the PHI for an investigation or proceeding against a person in connection with seeking, obtaining, providing, or facilitating reproductive healthcare.
New, revised, or clarifying definitions
To effectuate the intent of the Proposed Rule, OCR also proposed revisions or clarifications of certain definitions and terms that apply to the Privacy Rule, as well as to other HIPAA Rules. While we have not addressed every revision or clarification addressed in the Proposed Rule, we have provided a summary of some key terms below.
- “natural person” specifically does not include a fertilized egg, embryo, or fetus
- the permissions to use and disclose PHI for “public health” surveillance, investigation, or intervention do not include criminal, civil, or administrative investigations into, or proceedings against, any person in connection with seeking, obtaining, providing, or facilitating reproductive healthcare, nor do they include identifying any person for the purpose of initiating such investigations or proceedings, as these actions are not public health activities
- “reproductive healthcare” means “care, services, or supplies related to the reproductive health of the individual,” which includes, but is not limited to, contraception, including emergency contraception; pregnancy-related healthcare; fertility or infertility-related healthcare; and other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system.
New requirements under the Proposed Rule and additional clarifications
- Attestation: As a condition to allowing a permitted use or disclosure of reproductive healthcare PHI, OCR proposes to add a requirement for a Regulated Entity to obtain an attestation from the person requesting the use or disclosure, in the form of a signed and dated written statement, attesting that the use or disclosure would not be for a prohibited purpose. This requirement would apply where the person is making the request under certain permitted purposes under the Privacy Rule, 45 CFR 164.512(d) (disclosures for health oversight activities), (e) (disclosures for judicial and administrative proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) (disclosures about decedents to coroners and medical examiners).
- Updated Notice of Privacy Practices (NOPP): OCR proposes to require that a covered entity add two types of uses and disclosures to its NOPP, including a description and at least one example of: (1) the types of uses and disclosures prohibited under the Proposed Rule regarding reproductive health information; and (2) the types of uses and disclosures for which an attestation is required under the Proposed Rule.
- Clarifying Personal Representative Status in the Context of Reproductive Healthcare: OCR proposes to modify the current requirements to ensure that a Regulated Entity could not deny personal representative status to a person, where such status would otherwise be consistent with state and other applicable law, primarily because that person facilitates, facilitated, or provided reproductive healthcare for an individual.
- Child Abuse: OCR proposes changes that would clarify that the permission to use or disclose PHI in reports of abuse, neglect, or domestic violence does not permit uses or disclosures based primarily on the provision or facilitation of reproductive healthcare to the individual.
Takeaways
In its current form, the Proposed Rule would potentially leave abortion providers that receive an out-of-state subpoena or other law enforcement request concerning the care provided to residents of states that ban abortion in a difficult position. Unless the state in which the provider operates has adopted a law shielding the provider from cooperation and extradition (in the event of a criminal law), such healthcare providers could be in a situation where state law demands a response, but the HIPAA rule prohibits it.
It is also worth noting that HIPAA’s application is limited to covered entities and business associates. The Proposed Rule does not address or reach the ability of law enforcement to seek health information from entities that collect information outside of this ecosystem, such as healthcare apps that are not offered by these types of entities.
If adopted, the Proposed Rule would have broader implications for HIPAA compliance in general. Covered entities and business associates providing covered entity functions may consider, where appropriate:
- modifying policies and procedures to account for the changes in the Proposed Rule
- creating an attestation form and process for handling requests for the use or disclosure of PHI when the Proposed Rule requires an attestation
- revising business associate agreements, as necessary
- revising training programs for workforce members and
- updating and disseminating the Covered Entity’s NOPP in accordance with the Proposed Rule.
OCR is soliciting comments on its proposed rulemaking through June 13, 2023. All comments must be identified by inclusion of RIN Number 0945-AA20 and be submitted either electronically through the eRulemaking Portal at http://www.regulations.gov by searching for Docket ID number HHS–OCR–0945–AA20 or by hardcopy mail to: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HIPAA and Reproductive Health Care Privacy NPRM, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW, Washington, DC 20201.
For more information about these developments, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our healthcare industry group.
[1] Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. parts 160 and 164, subparts A and E.