OCR Proposes HIPAA Amendments to Strengthen Reproductive Health Care Privacy

On April 17, 2023, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published a Notice of Proposed Rulemaking (“NPRM”) entitled HIPAA Privacy Rule To Support Reproductive Health Care Privacy. The NPRM, which OCR released in response to the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”), aims to amend regulations implementing the Health Insurance Portability and Accountability Act (collectively, “HIPAA”) to mitigate concerns about reproductive health care privacy that have arisen as a consequence of the Dobbs ruling.  

The NPRM attempts to achieve this primarily by prohibiting covered entities and business associates (“Regulated Entities”) from using or disclosing protected health information (“PHI”) for specific purposes related to reproductive health care. In doing so, according to OCR, the NPRM advances the purposes of HIPAA and responds to the increasing concern that sensitive information will be released in harmful and punitive ways, hindering access to lawful and comprehensive health care following Dobbs.

Key Proposals

The NPRM is intended to add limitations on the uses and disclosures of PHI for purposes related to reproductive health care. Key proposals in the NPRM are summarized below.

A.   New Category of Prohibited Uses and Disclosures

The NPRM proposes to create a new category of prohibited uses and disclosures of PHI (the “Proposed Prohibition”). Specifically, the Proposed Prohibition would prohibit using or disclosing PHI for:

• A criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or
• The identification of any person for the purpose of initiating such investigations or proceedings.

For the Proposed Prohibition to apply, the reproductive health care at issue must be provided under circumstances in which the provision of such health care is lawful. This means that the reproductive health care must have been provided in a state where it is lawful or the care is otherwise protected, required, or authorized by federal law (e.g., the Emergency Medical Treatment and Labor Act). In situations where the reproductive health care was provided under circumstances where it is unlawful, the Proposed Prohibition would not apply.

The NPRM also clarifies that a Regulated Entity would still be permitted to use or disclose PHI for other permissible purposes under the HIPAA Privacy Rule where the request is not made primarily for investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. For example, a covered health care provider would be permitted to use or disclose an individual’s PHI to defend itself in an investigation or proceeding related to professional misconduct or negligence, even where the alleged misconduct or negligence involves reproductive health care. In that instance, the investigation or proceeding would not be based on the mere act of seeking, obtaining, providing, or facilitating reproductive health care, but would instead be based on allegations of professional misconduct or negligence in providing reproductive health care. Further, the NPRM clarifies that Regulated Entities are expected to comply with and disclose PHI where required by HIPAA, such as in response to an individual’s request for their own PHI or a request from the Secretary of OCR to disclose PHI as part of an investigation into the Regulated Entity’s HIPAA compliance. An individual’s right of access to their own PHI cannot be denied based on their intended use of the PHI, despite OCR expressing some concern that a law enforcement official could coerce an individual into exercising their right of access in order to circumvent the Proposed Prohibition.

B.    Definition of “Reproductive Health Care”

To effectuate the Proposed Prohibition, the NPRM proposes to add and change several definitions. Perhaps most notably, the NPRM adds a definition of “reproductive health care,” a subcategory of “health care,” to mean “care, services, or supplies related to the reproductive health of the individual.” The NPRM clarifies that this term includes not only reproductive health care and services furnished by a health care provider and supplies furnished in accordance with a prescription, but also care, services, or supplies furnished by other persons and non-prescription supplies purchased in connection with an individual’s reproductive health. This is a functional definition based on the underlying activities and is intended to be interpreted broadly. The NPRM clarifies that “reproductive health care” includes contraception, including emergency contraception; pregnancy-related health care; fertility or infertility-related health care; and other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system.

According to the NPRM, OCR does not intend to define “reproductive health” but invites comment on whether doing so would be helpful. OCR also requests comment on whether it should provide examples of “reproductive health care” in the regulatory text versus only in preamble guidance.

C.   Personal Representatives in the Context of Reproductive Health Care

The NPRM proposes to add a provision to ensure that a Regulated Entity cannot deny personal representative status to a person primarily because that person facilitates, facilitated, or provided reproductive health care for an individual. This proposal is intended to mitigate OCR’s concern that some Regulated Entities may interpret the HIPAA Privacy Rule as providing them with the ability to refuse to recognize as an individual’s personal representative a person who makes reproductive health care decisions, on behalf of the individual, with which the Regulated Entity disagrees. This is due to the HIPAA Privacy Rule provision that permits a Regulated Entity to elect not to recognize a person as the personal representative of an individual if the Regulated Entity believes the personal representative is subjecting the individual to abuse.

D.   Attestation

To facilitate compliance with the Proposed Prohibition, the NPRM would require Regulated Entities to obtain assurances from a requester of PHI when the request is for a disclosure of PHI for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or about decedents to coroners and medical examiners. The attestation would be in the form of a signed and dated written statement attesting that the use or disclosure is not for one of the prohibited investigation- and proceeding-related purposes in the Proposed Prohibition.

OCR has modeled its proposed attestation provision on HIPAA’s current authorization requirements. To help ensure that a requester provides a Regulated Entity with the information needed to ascertain whether the request falls under the Proposed Prohibition, the proposed attestation requirement would require the person requesting the disclosure of PHI to confirm the types of PHI that they are requesting; clearly identify the name of the individual whose PHI is being requested, if practicable, or if not practicable, the class of individuals whose PHI is being requested; and confirm, in writing, that the use or disclosure is not for one of the Proposed Prohibition’s prohibited purposes related to investigations and proceedings.

In addition, the proposed attestation provision would prohibit compound attestations, i.e., combining an attestation with any other document. Thus, an attestation would need to be clearly labeled and distinct from surrounding text.

Unlike authorizations, however, attestations would be limited to the specific use or disclosure. Therefore, each use or disclosure request would require a new attestation.

OCR is declining to propose a new exception to the minimum necessary standard for uses and disclosures made pursuant to an attestation. Thus, Regulated Entities would have to limit a use or disclosure to the minimum necessary when provided in response to a request that triggers the proposed attestation requirement. Where the requester is also a Regulated Entity, the requester would be required to make reasonable efforts to limit their request to the minimum necessary as well.

The NPRM proposes to require a Regulated Entity to cease use or disclosure of PHI if it believes, during the course of the use or disclosure, that the representations in an attestation are materially false, leading to uses or disclosures that fall under the Proposed Prohibition. Notably, the NPRM clarifies that a requester who knowingly falsifies an attestation by materially misrepresenting the intended uses of the requested PHI would be in violation of HIPAA and could be subject to criminal liability. Moreover, if a Regulated Entity becomes aware of material misrepresentations on an attestation but discloses PHI anyway, such disclosure would constitute an impermissible disclosure of PHI and could trigger HIPAA breach notification requirements.

OCR invites comment on several aspects of the proposed attestation provision, including whether a model attestation would be helpful.

Preemption

The NPRM is also notable in its discussion of HIPAA preemption of state laws. HIPAA rules generally supersede any contrary provision of state law, except for state privacy laws that are contrary to and more stringent than the corresponding HIPAA rule. However, state laws that require the disclosure of PHI for public health surveillance, investigation, or intervention are generally exempt from HIPAA preemption and would remain intact if the NPRM is finalized.

To effectuate the Proposed Prohibition, OCR proposes to preempt state law that would require use or disclosure of PHI for prohibited purposes included in the Proposed Prohibition. In addition, OCR proposes definitions of “person” and “public health” to limit and further clarify the scope of HIPAA preemption. OCR anticipates that many states may choose to file a request for an exception to preemption as a result. Therefore, there will likely be a flurry of activity on this issue if the Proposed Prohibition is finalized.

Key Dates

Comments are due on June 16, 2023. OCR proposes that a final rule would take effect 60 days after publication and that the compliance date would be 180 days after that.

Takeaways

The NPRM should have significant implications for patients and providers that maintain information related to reproductive health care. HIPAA currently does not generally distinguish between types of health care, so the NPRM is notable in creating the subcategory of reproductive health care and imposing special rules around the use and disclosure of PHI for certain purposes related to reproductive health care. But given the Biden Administration’s post-Dobbs Executive Orders and privacy guidance issued by OCR, it is no surprise that the agency is taking steps to materially amend HIPAA regulations to curb the use of information for reproductive health care-related purposes in ways that may create risk for patients, providers, and others assisting in care.  

The NPRM suggests that OCR may be considering rules with broader implications beyond reproductive health care. For example, OCR invites comment on whether to expand the Proposed Prohibition broadly to any health care, rather than limiting it to reproductive health care. In addition, OCR requests comment on whether it should amend HIPAA to prohibit or limit uses or disclosures of “highly sensitive PHI” for certain purposes. OCR asks whether this would be technically feasible (i.e., whether Regulated Entities have the technical ability to differentiate between types of PHI in their systems and apply different levels of protection), what the estimated burden would be, how “highly sensitive PHI” should be defined, and what additional protections such PHI should be accorded.

The NPRM is also notable in what it does not do. For example, the Proposed Prohibition would not apply where reproductive health care was received in a state where it is unlawful. It also would not be limited to specific types of PHI (e.g., reproductive health care information) since OCR has decided to define the Proposed Prohibition based on the purpose of the use or disclosure, not the type of PHI at issue. Lastly, the NPRM would not affect the use or disclosure of PHI, including PHI related to reproductive health care, for other lawful purposes that fall outside the limited investigation- and proceeding-related activities described in the Proposed Prohibition, such as public health activities and treatment.

***

For more information on the NPRM, to better understand how the Proposed Prohibition may impact your organization, or for assistance with submitting comments, please contact the professionals listed below or your regular Crowell & Moring contact.