On April 12, 2023, the U.S. Department of Health and Human Services - Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) available for public inspection. The NPRM seeks to amend the HIPAA Privacy Rule by proposing additional protections for certain protected health information (PHI) that could otherwise be used or disclosed to “identify, investigate, sue, or prosecute someone for seeking, obtaining, providing, or facilitating lawful reproductive health care.” The Proposed Rule is scheduled to be published on April 17, 2023. OCR issued a three-page HIPAA Reproductive Health Care Privacy Fact Sheet and a seven-page Guidance for Professionals with the NPRM. This advisory provides an overview of the NPRM, the Fact Sheet, and the Guidance.
The NPRM, Fact Sheet, and the Guidance make clear that OCR’s proposed safeguards come in the wake of concerns received about the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, including the confusion due to various states’ laws after Dobbs, the chilling of individuals’ access to health care and certain medications, and the erosion of trust in the health care system. According to OCR, individuals might not share critical information with their health care providers or might fear receiving emergency care in a state where abortion is unlawful. Health care providers might omit certain information from patients’ medical records or not discuss certain treatment options due to fear of potential liability. This uncertainty, confusion, and “medical mistrust” could adversely affect patients and general public health, especially in vulnerable communities facing past and current health care disparities. The NPRM states it also seeks to safeguard pregnant individuals’ mental health, prevent an increase in maternal morbidity and mortality, and enhance the support for victims of rape, incest, and sex trafficking.
While the current HIPAA Privacy Rule remains in effect, what do HIPAA covered entities and their business associates need to know about this Proposed Rule?
- It is not yet effective. Once comments are received and reviewed, OCR is expected to issue a Final Rule that would become effective 60 days after publication. Covered entities and business associates would then have a future compliance date (likely 180 days after the effective date) to establish and implement policies and practices to comply with new or modified HIPAA Privacy Rule requirements.
- It would only apply to HIPAA covered entities and their business associates. The NPRM would not apply to individuals’ health information possessed by a person who is not a covered entity or a business associate. Per OCR commentary, this means the NPRM would not apply to information that an individual’s friend or family member has or information stored on such an individual’s personal cell phone or tablet.
- The Proposed Rule would add a new definition of sensitive information called “reproductive health care.” This new “reproductive health care” definition (“care, services, or supplies related to the reproductive health of the individual”) would be added to 45 CFR 160.103 and, similar to psychotherapy notes, would be a specially protected category of PHI. While the exact wording of this new definition is brief, OCR clearly intends it to be broad. According to the NPRM, this new definition would include prescription and over-the-counter medications and devices, emergency contraception, pregnancy-related health care (such as molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, and prenatal care), fertility or infertility-related health care (such as assisted reproductive technology and its components), and other types of care, services, or supplies used for diagnosing and treating conditions related to the reproductive system (including “health care related to reproductive organs, regardless of whether the health care is related to an individual’s pregnancy or whether the individual is of reproductive age”). Based on OCR commentary, this new definition would also “include, but not be limited to, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions such as ovarian cancer.” As explained in the NPRM, this broad definition is appropriate, in part, because some patients post-Dobbs have had difficulty obtaining medications that could result in pregnancy loss, even when the medications were prescribed to treat other health conditions.
- It proposes to amend the definition of “person” in 45 CFR 160.103 of HIPAA’s Privacy Rule so it expressly includes a “natural person (meaning a human being who is born alive).” Per OCR commentary, this proposed amendment would not include “a fertilized egg, embryo, or fetus.”
- It proposes to amend the definition of “public health” in 45 CFR 160.103 of HIPAA’s Privacy Rule. In doing so, OCR noted that “public health officials do not typically investigate criminal activity,” and public health activities should be distinct from criminal investigations. Therefore, according to OCR, state laws that require reporting abortions for certain non-public health purposes involving an individual’s reproductive health care would not be exempt from HIPAA preemption. The Proposed Rule also would prohibit a covered entity or a business associate from refusing to recognize a person as an individual’s “personal representative” under HIPAA solely because they provide or facilitate reproductive health care for an individual.
- It would amend 45 CFR 164.502 (uses and disclosures of PHI) to add a “purpose-based prohibition” to prohibit a covered entity or a business associate from using or disclosing PHI for certain “non-health care” purposes. Non-health care purposes would include (1) a criminal, civil, or administrative investigation into or a proceeding against an individual, a covered entity, a business associate, or other person in connection with seeking, obtaining, providing, or facilitating reproductive health care where such health care is lawful under the circumstances in which it is provided; or (2) identification of an individual, a covered entity, a business associate, or other person for the purpose of initiating such investigations or proceedings. According to OCR, this wording is subject to a Rule of Applicability and a Rule of Construction that would be set forth in 45 CFR 164.502 (discussed below). Under the NPRM, “seeking, obtaining, providing, or facilitating” reproductive health care would broadly include, “but not be limited to, expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.” Stay tuned as to how this wording will ultimately be interpreted in a Final Rule.
- Notably, the NPRM proposes that neither a HIPAA authorization nor the permissions under 45 CFR 164.512 could be used to bypass the above purpose-based prohibition. According to OCR, a HIPAA authorization that purported to allow a use or disclosure of PHI for a prohibited purpose would not be valid, and this amendment would help prevent a law enforcement official from coercing an individual to sign a HIPAA authorization.
- The NPRM states it is not a blanket protection for this category of information but is a narrowly tailored proposal for specific prohibited purposes. The NPRM focuses on the purpose of the use or disclosure rather than the type of PHI being requested or the type of covered entity health care provider who receives the request. According to OCR, health plans and many health care providers may still disclose PHI for treatment or payment purposes for (1) reproductive health care; or (2) other health care conditions which affect an individual’s reproductive health (such as routine pregnancy tests before surgery and a cardiologist being informed of an individual’s pregnancy to help monitor the individual’s care).
- OCR also addresses state preemption. OCR notes it drafted the proposed prohibition to apply only “where the state lacks any substantial interest in seeking the disclosure.” Therefore, according to OCR, if a prohibited disclosure of PHI takes place (even in response to a court order or search warrant), the PHI would be disclosed in a manner not permitted by the HIPAA Privacy Rule; further, OCR would presume the disclosure is a breach, unless the entity demonstrates there is a low probability the PHI was compromised.
- Rule of Applicability (to be added to 45 CFR 164.502). OCR proposes to prohibit such disclosures if “the relevant criminal, civil, or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care (1) outside of the state where the investigation or proceeding is authorized and where such health care is lawful in the state in which it is provided; (2) is protected, required or authorized by Federal law, regardless of the state in which such health care is provided; or (3) is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state.” For example, if a covered entity health care provider determines the reproductive health care was provided under circumstances where it was unlawful (in a state where it was unlawful and where federal law does not protect providing such health care), “the proposed prohibition would not apply.”
- Rule of Construction (to be added to 45 CFR 164.502). Here, OCR notes that “an individual cannot be barred from traveling from one state to another to obtain reproductive health care.” OCR proposes that the NPRM not prohibit the use or disclosure of PHI otherwise permitted by HIPAA’s Privacy Rule, “unless such use or disclosure is primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care.” OCR’s NPRM would not preempt laws that require the use or disclosure of PHI for other purposes such as public health.
- An individual can still obtain their own PHI to initiate a professional misconduct or negligence claim against a covered entity health care provider, a covered entity health care provider can still use and disclose PHI to defend themselves in an investigation or proceeding involving allegations as to reproductive health care, and PHI can still be used for health oversight purposes, Inspector General audit purposes, or investigations of alleged violations of federal nondiscrimination laws or abusive conduct such as sexual assault.
- Covered entities can still disclose PHI in response to individual requests for their own PHI, an individual directing the covered entity to transmit the individual’s PHI to a designated third party, or HHS requests to determine HIPAA compliance.
- It would add a new section (45 CFR 164.509) requiring that, in certain circumstances, a covered entity that receives a request for PHI potentially related to reproductive health care must first obtain a signed and dated attestation. The attestation would confirm that the use or disclosure of PHI is not for a prohibited purpose, and it would be required when the request for PHI potentially related to reproductive health care is for (1) health oversight activities; (2) judicial and administrative proceedings; (3) law enforcement purposes; or (4) disclosures about decedents to coroners and medical examiners. In those circumstances, a covered entity (or a business associate, as applicable) would need to obtain the proposed signed and dated attestation before disclosing, to make sure the PHI would not be used or disclosed for a prohibited purpose. OCR expects the attestation will limit the burden of determining whether a requested use or disclosure of PHI would be prohibited. The proposed attestation would be modeled after a HIPAA authorization, an electronic attestation would be permitted, and the minimum necessary standard would still apply. OCR is considering developing a model attestation form.
- It would clarify that providing or facilitating reproductive health care is not “abuse, neglect, or domestic violence” that could be reported under 45 CFR 164.512(c) of the HIPAA Privacy Rule. OCR also noted in commentary that “child abuse” would not include activities, such as abortion, related to reproductive health care.
- It would clarify disclosures based on administrative processes in 45 CFR 164.512(f)(1) (disclosing PHI in response to an administrative request); as proposed, an administrative request can result in a permitted disclosure of PHI if the response is required by law. OCR provides examples of these types of administrative requests (administrative subpoenas/summons, civil or other authorized investigative demand, or similar process authorized under law). The NPRM reiterates that the administrative requests would include only those enforceable in a court of law (those, under the law, requiring a response).
- It proposes to modify 45 CFR 164.520 regarding HIPAA Notice of Privacy Practices (NPP). OCR proposes to add new wording that would be required in an NPP so that individuals understand HIPAA’s Privacy Rule would prohibit the use or disclosure of PHI in certain scenarios. As proposed, an NPP would describe and provide at least one example of the following: (1) a use or disclosure of PHI prohibited under 45 CFR 164.502; and (2) when an attestation would be required under (proposed) 45 CFR 164.509.
In the Fact Sheet and the Guidance, OCR specifically addressed the issue of individuals crossing state lines to obtain reproductive health care. OCR clarified that the proposed prohibition would apply where the criminal, civil, or administrative investigation or proceeding is in connection with one of the following:
- The reproductive health care is sought, obtained, provided, or facilitated in a state where the health care is lawful and outside the state where the investigation or proceeding is authorized (for example, a resident of State A travels to State B to receive reproductive health care (such as an abortion), which is lawful in State B).
- The reproductive health care is protected, required, or expressly authorized by federal law, regardless of the state where such health care is provided (for example, managing an individual’s miscarriage is required under the federal Emergency Medical Treatment and Labor Act (EMTALA) to stabilize the pregnant individual).
- The reproductive health care is provided in a state where the investigation or proceeding is authorized and is permitted by the law of the state where the health care is provided (for example, a resident of State A receives reproductive health care in the state where they reside, and such care is lawful in that state).
OCR Guidance emphasizes that HIPAA’s Privacy Rule generally permits (rather than requires) many types of disclosures and that covered entities and business associates can use or disclose PHI without an individual’s signed authorization only as expressly permitted or required by the Privacy Rule. In the context of reproductive health care, OCR addressed three specific scenarios: “required by law,” “law enforcement,” and “avert a serious threat to health or safety.”
Required by law. According to OCR, even if a state law would require a disclosure of PHI, the HIPAA Privacy Rule would permit but would not require such a disclosure. Per the Guidance, if a hospital nurse suspects an emergency department patient is having a miscarriage at 10 weeks because she took medication to end the pregnancy, the Privacy Rule would not permit the nurse to disclose this to law enforcement under HIPAA’s “required by law” provision, unless the state law expressly required such reporting. Also, per OCR, a state law that generally prohibits an abortion after six weeks does not create a mandatory reporting obligation, unless a state law expressly requires the reporting.
Law enforcement. OCR emphasizes that HIPAA’s Privacy Rule merely permits (but does not require) disclosure of PHI for law enforcement purposes (even if pursuant to process and as otherwise required by law). As stated in the OCR Guidance, “in the absence of a mandate enforceable in a court of law, the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care”—regardless of whether the workforce member first contacted law enforcement or law enforcement first asked the workforce member for the information. As OCR explained, “state fetal homicide laws generally do not penalize the pregnant individual,” and “state laws do not require doctors or other health care providers to report an individual who self-managed the loss of a pregnancy to law enforcement.” In footnotes to the Guidance, OCR states the HIPAA Privacy Rule permits but does not require disclosure of PHI in response to a court order and that other HIPAA Privacy Rule law enforcement provisions (e.g., identification and location, victims of a crime, decedents, crime on premises, and reporting crime in an emergency) are unlikely to apply regarding an individual who seeks or obtains reproductive health care.
Avert a serious threat to health or safety. OCR emphasizes the HIPAA Privacy Rule permits (but does not require) a disclosure of PHI to avert a serious threat to health or safety. Based on information provided by major professional societies (such as the American Medical Association and the American College of Obstetricians and Gynecologists), OCR concludes it would be “inconsistent with professional standards of ethical conduct” to disclose PHI to law enforcement or others regarding “an individual’s interest, intent, or prior experience with reproductive health care.” According to the OCR Guidance, a pregnant patient’s statement to a health care provider in a state that bans abortion that the patient intends to seek an abortion in another state where it is legal “does not qualify as a ‘serious and imminent threat to the health or safety of a person or the public.’” The Guidance also states OCR’s position that it would be inconsistent with professional ethical standards for the health care provider in that example to report the pregnant patient’s statement to law enforcement; according to OCR, such a disclosure to law enforcement (1) compromises the integrity of the patient relationship; (2) may increase the risk of harm to the patient; and (3) would constitute a breach of unsecured PHI.
OCR has requested public comment on several issues, questions, and scenarios throughout the NPRM, including whether OCR should define “highly sensitive PHI” and whether the proposed prohibition should apply broadly to any type of health care versus solely reproductive health care. Public comments are due 60 days after the NPRM’s publication in the Federal Register and, in the meantime, the current HIPAA Privacy Rule remains in effect.
Based on the NPRM’s current wording, OCR expects covered entities and business associates to develop, implement, and maintain compliance documentation in response to the Final Rule’s wording, including an attestation form; updated business associate agreements, policies, and procedures; and training materials. Per the NPRM, when a Final Rule is issued, the total timeframe for compliance would likely be 240 days (60 days from the publication of the Final Rule plus 180 days).