On April 22, 2024, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services issued a Final Rule, entitled ‘HIPAA Privacy Rule to Support Reproductive Health Care Privacy’.
1. Objective and Rationale.
The primary objective of the Biden-Harris Administration is to strengthen the existing Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances.
This is particularly important in light of the 2022 U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which took away the constitutional right to abortion and allowed states to ban it. Since the 2022 decision, HHS has observed that many Americans shy away from accessing reproductive health care because they worry that their private medical information will be disclosed without their consent. HHS has also observed that many Americans resort to giving incomplete or incorrect medical information, which is not only an administrative burden for the Covered Entities but, more importantly, prevents patients from receiving the right health care.
The Final Rule aims to improve patient-provider confidentiality thereby encouraging Americans to access reproductive health care. Further, the Final Rule protects PHI relating to reproductive health care irrespective of where an individual accesses health care.
2. Applicability.
The prohibition on disclosure of protected health information (PHI) related to reproductive health care in certain scenarios applies to: (a) health care providers; (b) health plans; (c) health care clearinghouses; and (d) their business associates (‘(a)’ to ‘(d)’ collectively referred to as “Regulated Entities”).
3. Major Changes to the existing Privacy Rule.
The important modifications made to the existing Privacy Rule can be divided into the following three buckets:
A. Prohibition of use or disclosure in certain circumstances.
Regulated Entities are prohibited from using or disclosing PHI for the following two purposes:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of conducting such investigation or imposing such liability.
Even though the disclosure relates to a patient or prospective patient’s PHI, the Final Rule aims to protect both patients and medical practitioners. For instance, if there is a criminal investigation against ‘Doctor A’ for merely providing lawful reproductive health care to ‘Patient B’, the Regulated Entities cannot use or divulge Patient B’s PHI to assist the ongoing criminal investigations against Doctor A. However, HHS clarifies that the Regulated Entities can use or disclose Patient B’s PHI to defend Doctor A in any ongoing proceedings where liability might be imposed on the doctor for providing reproductive health care.
Further, the prohibition only applies when a Regulated Entity has reasonably determined that the reproductive health care is ‘lawful’. Reproductive health care is considered lawful if:
- Reproductive health care is lawful under the law of the state in which it is provided. For example, a resident of State A (where abortion is banned) travels to State B (where abortion is legal) to obtain medical assistance regarding abortion. In such instances, the reproductive health care sought by the resident of State A is ‘lawful’ because the health care was provided in State B, where abortion is legal.
- Reproductive health care is protected under the US Constitution or other federal legislation. For instance, prescribing contraceptives is lawful reproductive health care because ‘contraception’ is protected by the US Constitution.
- Reproductive health care is provided by a person other than the Regulated Entity, so long as the ‘presumption’ discussed below applies.
The Final Rule ‘presumes’ that any reproductive health care provided by a person is ‘lawful’ unless:
- The Regulated Entity has actual knowledge that the reproductive health care was not lawful.
- The person requesting the use or disclosure of PHI provides sufficient factual information to give the Regulated Entity a substantial basis for determining that the reproductive health care was unlawful.
Lastly, the prohibition on use or disclosure of PHI relating to reproductive health care does not extend to (a) investigation or proceeding related to professional misconduct or negligence while providing reproductive health care; and (b) using or disclosing PHI to an Inspector General to conduct an audit for health oversight purposes.
B. Requirement of Attestation.
HHS has introduced an ‘attestation requirement’ to ensure effective implementation of the prohibition discussed above. When an individual or entity requests the use or disclosure of PHI related to reproductive health care, the Regulated Entity must obtain a signed attestation from that individual or entity stating that the PHI is not being requested for a prohibited purpose. The Final Rule further states that a signed attestation is compulsory if the use or disclosure relates to (a) judicial or administrative proceedings; (b) law enforcement purposes; (c) health oversight activities; or (d) disclosures to coroners or medical examiners. Lastly, a person or entity signing a false attestation may be subject to criminal penalties.
C. Need to update Notice of Privacy Practices (“NPP”).
The Final Rule requires Regulated Entities to update their HIPAA-required NPP (specifically with respect to reproductive health care PHI) in the following ways:
- NPP must provide information with examples on the types of uses and disclosures for which ‘Attestation’ is required.
- NPP also must provide information with examples on the types of uses and disclosures that are prohibited under the Final Rule.
- NPP must include a statement that explicitly states that PHI disclosed lawfully in consonance with the HIPAA Privacy Rule may be subject to further disclosures and will no longer be protected by the HIPAA Privacy Rule.
4. Next Steps for Regulated Entities.
The current HIPAA Privacy Rule stays in effect until the Final Rule takes effect. The Final Rule will be effective on June 25, 2024. However, Covered Entities and Business Associates (irrespective of their size) will not be required to comply with the provisions of the Final Rule for another 180 days after the effective date. This essentially gives Covered Entities and Business Associates until December 22, 2024, to comply with the requirements of the Final Rule. Regulated Entities should therefore start planning now to (a) update their NPPs and Business Associate Agreements; (b) draft attestations; and (c) formulate comprehensive HIPAA training for their workforce members to ensure compliance with the Final Rule by December 22, 2024.