It’s Not Just About Dobbs: HHS Issues Final Rule on Reproductive Health

BakerHostetler

On April 26, 2024, the U.S. Department of Health and Human Services (HHS) published its long-awaited Final Rule regarding reproductive health privacy. Although it is tempting to benchmark the Final Rule against the Dobbs decision issued nearly two years ago, it is important to understand that the Final Rule is not just about protecting the privacy of individuals who receive abortion-related care. Through its addition of the newly defined term “reproductive health care” – which encompasses “all matters relating to the reproductive system and to its functions and processes” – the Final Rule creates a higher bar and more accountability for sharing any reproductive information, regardless of the nature of the care or gender of the patient.

Key Takeaways

  1. Covered entities do not have to provide abortions or transgender care to be within the scope of the Final Rule changes. The Final Rule defines reproductive health care to mean health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This broad definition reasonably includes services spanning all ages, from circumcision to birth control to menopause treatment and myriad treatments in between. From children’s hospitals to skilled nursing facilities, all covered entities need to take stock of their new obligations.
  2. There are three new prohibited uses and disclosures specific to reproductive health care information, turning away from the “permissible” standard that concerned the industry after Dobbs. In the wake of the Dobbs decision, entities were unsure how to shield patients’ records in light of HIPAA classifying as “permissible” (but not required) the disclosure of protected health information (PHI) to law enforcement upon a valid request. HHS Office for Civil Rights (OCR) issued guidance in the days after Dobbs reminding entities of the “permissible” nature, but entities were left to their own creative efforts to find legally supported reasons for not disclosing PHI, with varying success. This was highlighted by the Senate Finance Committee’s April 16, 2024 report on what it regarded as an abuse by state regulators of judicial process to obtain sensitive records. HIPAA will now prohibit uses and disclosures of PHI pertaining to reproductive health care for purposes of a criminal, civil, or administrative investigation or imposition of liability for the mere act of seeking, obtaining, facilitating, or providing reproductive health care.
  3. The Final Rule introduces a new required standard for attestations when disclosing PHI “potentially related” to reproductive health care. Covered entities and business associates will need to create a new process for determining whether an attestation is needed under the new Section 164.509. The new rule requires an attestation in four situations that are otherwise considered permissible disclosures without the need for an authorization: as part of health oversight activities, in judicial/administrative proceedings, for law enforcement purposes, and to coroners and medical examiners. The attestation will require a statement that it is not for one of the prohibited civil, criminal, or administrative purposes discussed above; acknowledgment of the signer’s potential criminal liability for misrepresentations; and specifications regarding who is requesting the reproductive health care information, among other prescribed content.
  4. Notices of privacy practices (NPP) will need to be updated and redistributed. HIPAA requires covered entities to redistribute their notice “whenever there is a material change to the uses or disclosures, the individual’s rights, the covered entity’s legal duties, or other privacy practices stated in the notice.” 45 CFR 164.520(b)(3). As discussed further below, the Final Rule’s new NPP requirements are certainly material, and while the compliance date for the NPP changes is stayed until February 26, 2026, some covered entities may be in states hostile to these new prohibitions, and updating the NPP earlier may help defend potential government action.

Analysis

New Definitions

The Final Rule adds two new definitions to HIPAA: “public health” and “reproductive health care.” Reproductive health care means health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This broad approach encompasses a vast amount of information – from first date of last menstruation to hormone therapy for menopausal individuals – not just abortion and transgender care, as providers may assume. This broad approach means that providers and their business associates are more likely than not to be subject to these changes.

Impact: This newly defined term is integral to the new prohibitions on uses and disclosures of such information, and on the new attestation requirements, discussed further below.

The new definition of “public health” has a more latent – but still significant – impact. The definition of “public health” applies only as it is used in the terms “public health surveillance,” “public health investigation,” and “public health intervention.” In those contexts, it means “population-level activities to prevent disease in and promote the health of populations. Such activities include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of protected health information.” The definition explicitly excludes actions taken:

  1. To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care.
  2. To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care.
  3. To identify any person for any of the activities described at paragraphs (1) or (2) of this definition.

Impact

  • Notably, the definition exclusions are not specific to reproductive health care but rather apply to any type of health care.
  • The definition limits when regulators, agencies, and law enforcement officials can use the public health authority “permissible use” exception to obtain health information. Because the permissible disclosures under both the judicial and administrative proceedings and law enforcement purposes require a higher bar and more limited scope than under the public health authority permissible use standard, state actors have been able to claim a public health authority role to expand the scope of their investigations into, for instance, transgender care and obtain records they likely could not have under the other permissible purpose standards.
  • Previously, HIPAA did not preempt state laws providing for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigations, or intervention. The new definition limits the preemption carveout to ensure that regulators and law enforcement officials investigating patients or providers cannot argue that investigations under their state laws criminalizing or penalizing certain types of care are not subject to the prohibitions or attestation requirements.

Finally, the Final Rule modifies the definition of person to specify that natural person means a “human being who is born alive.” This bears on the argument that has been raised that an unborn fetus has rights under HIPAA equivalent to those of the living mother. It also means that an abortion cannot constitute abuse or harm of a “person,” thus prohibiting a workforce member from reporting to authorities on that basis.

Prohibited Uses and Disclosures

The Final Rule includes a new subsection 502(5)(iii) specifically prohibiting the use or disclosure of reproductive health information for any of the following activities:

  1. To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  2. To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  3. To identify any person for any purpose described in paragraphs (a)(5)(iii)(A)(1) or (2) of this section.

For this prohibition to apply, the covered entity or business associate receiving the request for the information must have reasonably determined that the reproductive health care is either lawful under the laws of the state where the care was provided or is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which it was provided. The subsection provides that reproductive care provided outside the covered entity that receives the request for PHI is presumed to be lawful, unless the covered entity or business associate has actual knowledge that it was not lawful under the circumstances or the person requesting the PHI has provided sufficient factual information to show that it was not lawful under the circumstances.

It is important to understand the inclusion of the term “the mere act” and how it limits the applicability of this prohibition.

  • In the commentary to the Final Rule, HHS stated that an investigation into “the reasons that the reproductive health care was sought or provided (e.g., an investigation into whether a particular abortion was necessary to save a pregnant person’s life)” would be a prohibited “mere act” investigation.
  • The commentary also clarified that disclosure is not prohibited merely because reproductive health information is contained in a general medical record, so long as the requesting party is able to provide a permissible legal basis for the request other than the “mere act.” By way of example, if a state law enforcement agency is investigating a cardiologist for patient abuse during open heart surgery and requests patient medical records that happen to contain reproductive health care information, that would not be an investigation into the “mere act” of providing reproductive health care and would be permitted.
  • The commentary also includes clarification that the prohibition does not “prohibit the use or disclosure of PHI where the PHI is sought to investigate or impose liability on a person for submitting a false claim for reproductive health care for payment to the government” because the investigation is into liability under the Federal False Claims Act.

The only exception to this prohibition is if the patient executes a valid authorization. The proposed rule included language that even a valid authorization would not be sufficient. However, HHS was persuaded by public comment that such an absolute bar would run afoul of patients’ rights of access and choice. HHS stated in the comments to the Final Rule that it “will continue to monitor complaints we receive and the outcome of enforcement actions to identify potential coercion and the effect of permitting individuals to authorize the disclosure of PHI for purposes that are prohibited under 45 CFR 164.502(a)(5)(iii) on the relationship between health care providers and individuals.”

Notably, patients are not the only persons protected by this new language. Requests related to investigations into the person providing the reproductive health care (the individual health care provider) or the facilitator of such care (arguably, the clinic, hospital, or health system at which the care was provided) are also prohibited. HHS’ commentary to the Final Rule also provided as examples of protected activities “expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.” The inclusion of “insuring” and “paying for” casts the protective net even wider.

Impact: State actors and private individuals seeking to penalize doctors, health systems, insurers, or private payors for their part in reproductive care will not be able to obtain records of the care from the HIPAA covered entity and will have to rely on obtaining an authorization from the patient who received the care.

The commentary clarifies that where law enforcement and the health care provider disagree on whether the provision of reproductive health care is lawful, the patient’s right to privacy outweighs the interests of law enforcement and the provider’s determination carries the day. The commentary also clarifies that even though it allows for federal law, including the Constitution, to form the basis for a provider’s determination that the reproductive health care was lawful, “[t]his final rule in no way supersedes applicable state law pertaining to the lawfulness of reproductive health care.” Taking those two clarifying comments together, the possibility exists that a provider may take the position that state law and the U.S. Constitution are at odds and choose in favor of the Constitution to determine that the care is lawful.

Attestation

The new rule requires covered entities and business associates to obtain an attestation before disclosing PHI “potentially related to reproductive health care” when the disclosure is part of health oversight activities, in judicial/administrative proceedings, for law enforcement purposes, or to coroners and medical examiners, so long as it is not for one of the prohibited purposes discussed above. HHS intentionally included business associates in the new rule, and stated in the commentary that the inclusion was to ensure that it could enforce the rule directly against business associates. The commentary reminds covered entities that they can decide whether business associates are allowed to respond to requests for PHI – which is perhaps a nudge by OCR for covered entities to consider whether, in light of some of the complexities of these new prohibitions and requirements, it would be prudent to limit business associates’ involvement in some of the more complex requests.

The new Section 164.509 specifies the content requirements of a valid attestation:

  • A description of the information requested that identifies the information in a specific fashion, including either the name of any individual(s) whose PHI is sought, if practicable, or if including the name(s) of any individual(s) whose PHI is sought is not practicable, a description of the class of individuals whose PHI is sought.
  • The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure.
  • The name or other specific identification of the person(s), or class of persons, to whom the covered entity is to make the requested use or disclosure.
  • A clear statement that the use or disclosure is not for a purpose prohibited under Section 164.502(a)(5)(iii).
  • A statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person.
  • The signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided.

While the attestation itself is fairly straightforward, simply receiving the attestation is not the end of the work for covered entities and business associates. While the commentary makes clear that regulated entities are not required to investigate the validity of an attestation, reliance is only appropriate “if, under the circumstances, a regulated entity reasonably determines that the request is not for investigating or imposing liability for the mere act of seeking, obtaining, providing, or facilitating allegedly unlawful reproductive health care. . . . If such reliance is not reasonable, then the regulated entity may not rely on the attestation.” The commentary goes on to state that, assuming an attestation is not facially deficient,

a regulated entity must consider the totality of the circumstances surrounding the attestation and whether it is reasonable to rely on the attestation in those circumstances. To determine whether it is reasonable to rely on the attestation, a regulated entity should consider, among other things: who is requesting the use or disclosure of PHI; the permission upon which the person making the request is relying; the information provided to satisfy other conditions of the relevant permission; the PHI requested and its relationship to the stated purpose of the request; and, where the reproductive health care was supplied by another person, whether the regulated entity has: (1) actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided; or (2) factual information supplied by the person requesting the use or disclosure of PHI that would demonstrate to a reasonable regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided.

In light of the commentary, the line between “investigation” (not required) and considering the totality of the circumstances appears quite thin.

Importantly, the attestation does not excuse compliance with the conditions imposed on disclosures in Section 164.512. For instance, if a regulated entity receives a subpoena that requests PHI that potentially relates to reproductive health care and the warrant reflects that the investigation is related to a criminal fraud investigation and a valid attestation is provided, the regulated entity must still ensure that the other elements of Section 164.512(f) are met: that the information is relevant and material to a legitimate law enforcement inquiry, that it is specific and limited in scope in light of the purpose for which it is sought, and that deidentified information could not reasonably be used.

Impact: Covered entities and business associates will not only need to create an attestation and implement a new policy and procedure to ensure that one is obtained when the request is for one of the four triggering purposes but will also need to identify a standard approach and skilled team to assess the “totality of the circumstances” surrounding the attestation and the request. This standard also creates a scenario in which the regulated entity receives a subpoena to which it must respond but is unable to obtain an attestation and assess the totality of the circumstances before the response date (or at all). The judiciary will need to be brought up to speed on the limitations regulated entities are now subject to in responding to such legal requests.

Notice of Privacy Practices

In addition to the revisions needed to policies and procedures to account for the new prohibitions and attestation requirements, covered entities will need to modify their existing NPP per the Final Rule. Although the compliance date for the Final Rule is December 26, 2024, covered entities have until February 2026 to revise the NPP, in light of the expense and additional Part 2 requirements coming to a head at the same time.

We discussed the changes needed under the Part 2 Final Rule here. In addition to those changes, this Final Rule requires three new elements in an NPP:

  • A description, including at least one example, of the newly prohibited disclosures of reproductive health care information, with sufficient detail so that the reader understands.
  • A description, including at least one example, of when an attestation is required.
  • A statement adequate to put the individual on notice that there is a potential that information disclosed to third parties may no longer be protected by HIPAA and could be redisclosed.

Conclusion

This Final Rule will create significant new administrative burdens for covered entities and, to a lesser extent, their business associates. While the NPP requirements can be put off until 2026, covered entities need to begin assessing how they will implement these changes, particularly in the health information management department. Training of both the health information management department and records retrieval vendors will be integral to compliance, as will identifying a team of skilled individuals to assess borderline requests to ensure a standard approach is adhered to.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising