On April 26, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (Final Rule) modifying the HIPAA Privacy Rule. The Final Rule is effective June 25, 2024. Covered entities and business associates must be compliant with the Final Rule by Dec. 23, 2024.
For context, in response to the June 24, 2022, U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (Dobbs), OCR issued a Notice of Proposed Rule Making on April 17, 2023, to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in order to better support the privacy of protected health information (PHI) related to reproductive health care (Proposed Rule). In light of Dobbs, OCR expressed concern that the confidentiality of reproductive health care information could be compromised or otherwise impacted by those who wished to use a person’s reproductive health care information to conduct criminal, civil, or administrative investigations or to impose criminal, civil, or administrative liabilities on a person for the “mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.”[1] OCR states that the Final Rule is intended to promote trust between individuals and health care providers and to support greater access to reproductive health care.
New Definitions
The Final Rule adopts several key definitions around reproductive health care.
- A “person” is defined as a legal entity or a “human being who is born alive,” thereby excluding fertilized eggs, embryos, and fetuses.
- “Public health,” for the purposes of the HIPAA Privacy Rule, means population-level activities to prevent disease in and promote the health of populations. Expressly carved out from the definition of “public health” is conducting criminal, civil, or administrative investigation or imposing criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating health care.
- “Reproductive health care” is defined as health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”[2] Importantly, the new HIPAA definition of “reproductive health care” expressly provides that it shall not be construed to set forth a standard of care for reproductive health care.
Purpose-Based Prohibition
As originally set forth in the Proposed Rule, the Final Rule imposes a “purpose-based prohibition” on certain uses and disclosures of PHI related to reproductive health care. Covered entities and business associates are now prohibited from using or disclosing PHI for certain “Prohibited Purposes”:
- To conduct criminal, civil, or administrative investigations into a person or to impose criminal, civil, or administrative liabilities on a person “for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;”[3] and
- To identify any person for any purpose described above.
These purpose-based prohibitions apply either when the reproductive health care is lawful in the state where it is provided or when the care is “protected, required, or authorized by Federal law, including the United States Constitution.” The Final Rule also imposes a presumption that all reproductive health care is lawful in a state unless the covered entity or business associate has (i) actual knowledge that the care was not lawful “under the circumstances in which it was provided”; or (ii) received factual information from the person requesting the use or disclosure of the information that demonstrates a substantial factual basis that the care was not lawful “under the specific circumstances in which it was provided.”
Attestations
In order to facilitate compliance with this new purpose-based prohibition, OCR has conditioned a regulated entity’s use or disclosure of reproductive health care PHI on its receipt of an attestation by the requesting party that the use or disclosure of the information is for a permissible or Prohibited Purpose. Attestations will be required when a request is made relative to health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosure to coroners or medical examiners.
OCR is clear that failure to comply with the new requirement could result in an enforcement action. Requesting parties may be subject to criminal liabilities if they knowingly obtain reproductive health care PHI in violation of HIPAA. Covered entities and business associates that permit the use or disclosure of reproductive health care PHI based on a defective attestation will also be viewed as having violated the HIPAA Privacy Rule. In terms of on-the-ground efforts to achieve compliance, regulated entities should take note that OCR will view compound attestations as defective and noncompliant.
Notice of Privacy Practices (NPPs)
The Final Rule also changes the HIPAA NPP requirements. These changes were previewed in February 2024, when HHS published the Confidentiality of Substance Use Disorder Patient Records Final Rule, which implemented changes to 42 C.F.R. Part 2 (Part 2) and reserved Part 2-related modifications of the HIPAA NPP requirement to this Final Rule.
Specifically, the Final Rule implements the following changes to the HIPAA NPP relating to reproductive health care PHI[4]:
- The NPP must describe the types of uses and disclosures for which a reproductive health care PHI attestation is required, and provide an example;
- The NPP must describe the types of uses and disclosures that are not permitted due to their Prohibited Purposes, and provide an example; and
- The NPP must provide a statement notifying an individual that PHI disclosed pursuant to the HIPAA Privacy Rule may be redisclosed and no longer protected by the HIPAA Privacy Rule (akin to the existing HIPAA authorization content requirement).
Personal Representative Treatment
The Final Rule also broadens a covered entity’s discretion in deciding to treat someone as an individual’s personal representative if, in the covered entity’s professional judgment, such treatment is not in the best interests of the individual. HIPAA has long permitted covered entities to take such action upon a reasonable belief that someone could endanger the individual or that the individual has been or may be subjected to violence, abuse, or neglect by the person. The Final Rule limits covered entity discretion by stating that a covered entity does not have a reasonable belief for these purposes “if the basis for their belief is the provision or facilitation of reproductive health care by such person for and at the request of the individual.”[5] In other words, OCR has determined that the HIPAA Privacy Rule will not support a covered entity’s decision in this regard if such decision is founded on equating a personal representative’s potential decisions regarding reproductive health treatment with subjecting the individual to abuse.
[1] 89 FR 32976, 32997 (April 26, 2024).
[2] 45 C.F.R. § 160.103 definition of “reproductive health care.”
[3] Seeking, obtaining, providing, or facilitating reproductive health care includes but is not limited to expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same. 45 C.F.R. § 164.502(a)(5)(D).
[4] The Final Rule also enacted Part 2-related NPP modifications applicable to Part 2 Programs. For more information on the Confidentiality of Substance Use Disorder Patient Records Final Rule, please see Greenberg Traurig’s March 2024 Behavioral Health Law Ledger.
[5] 45 C.F.R. § 164.402(g)(5)(ii).