OCR Issues HIPAA Privacy Rule to Support Reproductive Health Care Privacy
By: Claudia Stedman, Snell & Wilmer, LLP
On April 17, 2023, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) proposed modifications to HIPAA’s Privacy Rule to further protect the privacy of reproductive health care information. The proposed rule, arriving in the wake of Dobbs v. Jackson Women’s Health Organization, is the result of growing concern regarding the confidentiality of reproductive health information and how that information could be used to initiate civil, criminal, or administrative proceedings.
On April 26, 2024, OCR issued its Final Rule: the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “Final Rule”). The Final Rule establishes a “purpose-based prohibition” on certain uses and disclosures of protected health information (“PHI”) related to reproductive health care. Specifically, the Final Rule prohibits covered entities and business associates (also referred to as “regulated entities”) from disclosing PHI when:
- That information is sought to investigate or impose liability on patients, healthcare providers, or others who seek, obtain, provide, or facilitate lawful reproductive health care; or
- That information is sought to identify any person for any of the above purposes.
In the Final Rule, OCR also clarified that this prohibition only applies when the relevant activity involves a “person seeking, obtaining, providing, or facilitating reproductive health care,” and the regulated entity receiving the PHI request has reasonably determined that at least one of three conditions exists:
- The reproductive care is lawful in the state where the care is provided and under the circumstances in which it is provided;
- The care is protected, required, or authorized under federal law, including the U.S. Constitution, “under the circumstances in which such health care is provided,” regardless of the state in which the care is provided;[1] or
- The care being provided is presumed lawful, as explained further below.
The Final Rule includes a presumption that reproductive health care performed by another person (e.g., not the covered entity or business associate receiving the PHI request) is lawful unless either (1) the entity receiving the request for the PHI has actual knowledge that the care was not lawful, or (2) factual information from the requester demonstrates a “substantial factual basis” that the care provided was unlawful.
The Final Rule also provides that regulated entities may not use or disclose PHI related to reproductive care for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or to coroners and medical examiners without first obtaining a valid attestation from the requester. The attestation must:
- Include specific identification of the information sought, including the applicable individual or class of individuals implicated by the request;
- Include the name of the individual or entity from whom information is sought;
- Include the name and signature of the requester and the date;
- Include a clear statement that the use or disclosure of the PHI is not for a prohibited purpose;
- Include a statement that a person may be subject to criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA;
- Be written in plain language; and
- Not be combined with any other documents.
OCR intends to publish a model attestation form prior to the Final Rule’s effective date on June 25, 2024. An attestation that meets the Privacy Rule’s requirements is compliant even if it does not match the exact form promulgated by OCR.
The Final Rule also modifies provisions of the Privacy Rule regarding Notices of Privacy Practices. These changes require covered entities to address the above reproductive care changes as well as recently finalized changes to 42 CFR Part 2 (addressing substance use health information confidentiality). While regulated entities must comply with the majority of the Final Rule’s provisions by December 23, 2024, compliance with the Final Rule’s changes to Notices of Privacy Practices is not required until February 16, 2026.
Regulated entities should be aware that new requests for information may implicate these new reproductive health care privacy requirements and may now trigger the above prohibitions or mandates under the Final Rule. Regulated entities should review their policies and procedures to ensure that PHI disclosed to health oversight agencies, to law enforcement, coroners, and medical examiners, or for judicial or administrative proceedings complies with the Final Rule’s requirements. Regulated entities should also review and update their Notices of Privacy Practices.
[1] This provision would apply, for example, to those seeking emergency miscarriage and abortion care in hospital emergency rooms pursuant to EMTALA, though this is subject to ongoing litigation at the U.S. Supreme Court. Additionally, contraception provided in any state is lawful under federal law and information regarding the care provided in connection with that contraception would be protected from compelled disclosure under HIPAA.