HHS Modifies the HIPAA Privacy Rule To Protect Reproductive Health Information
On April 26, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published a final rule to provide new protections for the privacy of reproductive health information under the Health Insurance Portability and Accountability Act (HIPAA).1 The final rule, a proposed version of which was published in April 2023,2 amends the privacy regulations promulgated under HIPAA (the Privacy Rule) by establishing new guardrails against certain uses and disclosures of individually identifiable reproductive health information. These amendments to the Privacy Rule (the Amendments) represent an important part of the Biden-Harris Administration’s efforts to protect access to reproductive health care following the Supreme Court’s decision regarding abortion rights in Dobbs v. Jackson Women’s Health Organization.3
The principal purpose of the Amendments is to restrict the circumstances in which HIPAA-regulated entities may disclose an individual’s reproductive health information for the purpose of an investigation or proceeding against persons for seeking, obtaining, providing, or facilitating lawful reproductive health care, including abortion. Approximately 51,000 individuals and 350 organizations filed comments on the proposed version of the Amendments in the two months after its publication.4 As many of those comments confirmed to OCR, fears of liability for involvement in reproductive health care in the post-Dobbs environment can deter individuals from seeking medical care, to their detriment and to that of the effectiveness of the health care system. This outcome is precisely at odds with the policies underlying the Privacy Rule.5
The Amendments to the Privacy Rule will become effective on June 25, 2024, and regulated entities must be in compliance with most of them by December 22, 2024.6
Background: The Privacy Rule
The Privacy Rule consists of detailed provisions designed to protect the privacy of individuals’ “protected health information” (PHI), which comprises most individually identifiable health information created, received, maintained, or transmitted by “covered entities.”7 Under the Privacy Rule, covered entities and their “business associates”8 (i.e., HIPAA-regulated entities) are prohibited from using or disclosing PHI without obtaining a written authorization from the individual to whom the PHI pertains, unless a specific exception applies. The Privacy Rule details many such exceptions, such as for uses and disclosures necessary to treat a patient or to bill a patient’s insurer for such treatment, as well as uses and disclosures needed for various public policy purposes. Among those public policy purposes is law enforcement activities; the Privacy Rule expressly permits covered entities and their business associates to disclose PHI to law enforcement officials under certain circumstances, including to respond to a subpoena or warrant issued as part of a law enforcement investigation.
Implications of Law Enforcement Disclosures
As explained by OCR in its preamble to the Amendments, the Privacy Rule’s “law enforcement” exception to the general individual authorization requirement could, in the post-Dobbs environment, threaten to undermine the primary goal of the Privacy Rule “to provide greater protections to individuals’ privacy to engender a trusting relationship between individuals and health care providers.”9 As OCR has observed, actions by numerous states to restrict abortion access post-Dobbs have eroded individuals’ expectation of privacy with regard to the use or disclosure of their reproductive health information.10 The Amendments thus aim to limit the scope of the Privacy Rule’s law enforcement exception in a manner that does not interfere with recently enacted state restrictions on reproductive health care.
To achieve this goal, the Amendments add to the Privacy Rule a prohibition on the disclosure of PHI in circumstances where PHI is requested for the purpose of investigating or imposing liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, or to identify a person in connection with such a purpose and:
- The reproductive health care is/was obtained or provided in a state where such care is lawful, and outside of the state where the investigation or proceeding is authorized.
- The reproductive health care is/was “protected, required, or expressly authorized by Federal law,” regardless of the state in which the health care is/was provided.11
- The regulated entity receiving the request has no actual knowledge that the reproductive health care was unlawful and the requesting person has provided no factual information that “demonstrates a substantial factual basis” that the health care was unlawful.12
To ensure compliance with this prohibition, the Amendments require regulated entities that receive requests for PHI potentially related to reproductive health care for law enforcement purposes, or for health oversight, judicial or administrative, or certain individual identification purposes, to obtain a signed attestation from the requesting party to verify that the use or disclosure of that PHI is not prohibited as described above. Regulated entities must presume that the reproductive health care at issue was lawful under the specific circumstances in which it was provided unless they have actual knowledge or factual information that demonstrates a “substantial factual basis” to the contrary.13
Comments and Modifications to the Proposed Privacy Rule
As noted, OCR’s proposed version of the Amendments prompted tens of thousands of comments from individuals and organizations, including State Attorneys General, the American Medical Association, the National Committee on Vital and Health Statistics, Planned Parenthood Federation of America, the American Civil Liberties Union, and the Lawyers Committee for Civil Rights, as well as trade organizations representing health plans, health information management professionals and system vendors, employers, epidemiologists, and attorneys.14 More than half of the comments expressed general support of the proposed Amendments and their objectives.15
Although OCR largely retained in the final Amendments the provisions it proposed in 2023, it made a number of clarifying adjustments and a few substantive changes. Among those changes was the deletion of a proposed prohibition on relying on an individual’s authorization as the basis for disclosure of the individual’s reproductive health-related PHI in circumstances that would otherwise require an attestation. OCR had proposed that prohibition based on concern that persons seeking access to an individual’s reproductive health-related PHI might exert pressure on the individual and effectively coerce the individual into signing an authorization to permit disclosure of the PHI to such persons. The comments OCR received in response to the proposed prohibition, however, convinced the agency that, on balance, it was preferable to leave intact an individual’s right to authorize such disclosures. Although OCR made clear that it remains concerned about duress or coercion being exerted by persons seeking reproductive health-related PHI, it concluded that: “The right of individuals to access their PHI and choose to disclose their PHI to another person is a cornerstone of HIPAA, and as such, we are not proceeding with [that] proposal.”16 OCR stated that it will, on an ongoing basis, monitor the complaints it receives and the outcome of agency enforcement actions to identify potential coercion.17
Conclusion
In order to prepare for compliance with the Amendments by December 22, 2024, regulated entities should update their HIPAA privacy compliance policies and procedures and retrain staff to understand when information regarding reproductive health care may and may not be provided to law enforcement entities and other officials. With respect to the updates required to covered entities’ Notices of Privacy Practices (mentioned in footnote 6 above), OCR plans to provide a model notice that will facilitate updates by the required date (February 16, 2026).
Please feel free to contact the authors of this post or their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy team or Life Sciences & Healthcare Regulatory team with further questions regarding this update to the Privacy Rule and its obligations on covered entities and business associates.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
1. HHS Office for Civil Rights, “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” 88 Fed. Reg. 32,976 (Apr. 26, 2024).
2. 88 Fed. Reg. 23506 (Apr. 17, 2023).
3. See Executive Order 14076, in which President Biden directed HHS to consider taking action under HIPAA to protect reproductive health information and strengthen patient-provider confidentiality. 87 Fed. Reg. 42053 (July 13, 2022).
4.
5.
6. The Amendments also include new requirements, not primarily related to reproductive health information, for updates to HIPAA Notices of Privacy Practices. See id. at 33045. The designated date for compliance with those requirements is February 16, 2026. Id. at 32979.
7. A “covered entity” under HIPAA is (1) a health plan; (2) a health care clearinghouse, or (3) a health care provider who transmits health information in electronic form in connection with certain insurance-related transactions. 45 C.F.R. § 160.103.
8. A “business associate” is a person or entity that provides certain services to, or performs certain functions for, a covered entity (or a business associate thereof) and needs access to PHI to perform those services or functions. See id.
9.
10.
11. This provision would apply to PHI of patients who, for example, seek emergency miscarriage and abortion care in hospital emergency health rooms. The Biden-Harris Administration has taken the position that the federal Emergency Medical Treatment and Labor Act requires physicians to perform stabilizing medical care for such patients even in states where abortion is prohibited. This position is contested in Idaho and Moyle, et al. v. United States, which is pending before the U.S. Supreme Court (oral arguments were heard on April 24, 2024).
12.
13.
14. Id. at 32991. In its April 2023 notice proposing the Amendments, OCR requested comments on whether individuals from underserved and minority communities are more likely to be the subject of government investigations into the reproductive health care, and whether those individuals are less likely to have access to legal counsel in facing those investigations. As stated in the preamble to the final Amendments, commenters on this point unanimously responded in the affirmative and emphasized the agency’s view that the current legal landscape has exacerbated health inequities by marginalized and historically underserved communities.
15.
16.
17.