This is not a drill: the Texas Attorney General is coming for HIPAA. On September 4, 2024, the State of Texas sued the United States Department of Health and Human Services (DHHS) to enjoin portions of HIPAA regulations, including a modification to the rules intended to protect PHI related to reproductive health care. On behalf of Texas, Attorney General Ken Paxton’s office asserted in a complaint filed in federal district court in the Northern District of Texas that its interests in enforcing Texas laws (presumably regarding abortion care) and DHHS’s lack of statutory authority for adopting the privacy rules that frustrate his efforts should cause the court to “set aside” significant portions of HIPAA.
What’s the Argument?
In its lawsuit, Texas asserts that the AG’s office is being deprived of a “response to its administrative subpoenas” (which presumably request PHI), which “harms Texas’s investigative abilities.” This harm, the suit alleges, arises from two sources. First, a new set of requirements in HIPAA relevant to “protected health information potentially related to reproductive health care,” (“Reproductive Care Rule”), effective now but not enforceable until December. Second, HIPAA’s current limitations on disclosures of PHI in response to administrative requests for law enforcement purposes, such as civil investigative demands (“Current HIPAA Rules”). The Current HIPAA Rules have been in force since April 2001.
Texas’ suit presents several arguments in support of its request to set aside the Reproductive Care Rule and the Current HIPAA Rules, including (but not limited to) the following:
- DHHS violated the Administrative Procedure Act when it promulgated the Reproductive Care Rule, which prevents disclosures of PHI related to reproductive health care if the request is made to support an investigation based on “the mere act” of seeking or receiving reproductive health care, if such care was lawfully provided in the state where it was administered. The Reproductive Care Rule also creates an attestation requirement designed to cause requesting parties to affirm that the purposes of their request for PHI are proper and lawful. Texas’ suit alleges that this rulemaking was motivated by the Dobbs decision, and that DHHS lacked any statutory authority for promulgation of these rules.
- DHHS violated the Administrative Procedure Act when it promulgated the Current HIPAA Rules. This part of HIPAA only requires covered entities to determine that PHI requested for law enforcement purposes is relevant and material to the inquiry, that the request is specific and limited to the extent reasonably practicable, and that de-identified PHI would not be a reasonable substitute. Despite those qualifications, Texas’ suit objects to this infringement on its AG office’s authority and asserts that DHHS lacked statutory authority for these rules as well.
- DHHS failed to provide a “reasonabl[e]” or “satisfactory explanation” of these rulemakings.
- The HIPAA statute explicitly preserves states’ investigative authority, providing “[n]othing in this part [regarding unauthorized disclosures] shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.” 42 U.S.C. § 1320d-7(b). (It is not clear that the Texas AG’s purposes align to these goals.)
- “Covered entities frequently cite [the Current HIPAA Rules] as a reason they cannot comply with a valid investigative subpoena for documents, and have already begun invoking the [Reproductive Care Rule] for similar purposes.” (Later in the complaint, however, Texas cites only one rejection based on the Reproductive Care Rule.)
Texas is no doubt correct in some of its lawsuit’s assertions, and appears to be wrong about others. It’s true that DHHS had no statutory mandate to promulgate specific rules imposing attestation requirements and prohibitions newly designed to provide greater protections for PHI related to reproductive health care. And it’s also true that “HHS nakedly admitted” that the Reproductive Care Rule was proposed as a direct response to Dobbs. Whether Texas will prevail on its arguments about the Current HIPAA Rules is less certain, but it has a solid argument. As a result, a federal court in Texas may deliver a third blow to DHHS’s HIPAA powers (others came earlier this year, and in 2021). This loss, if it comes, would be the most significant. It could strike a portion of the Privacy Rule that has stood for more than two decades. It also would immediately dispel any basis to think that HIPAA might stand in the way of criminal investigations of reproductive care that use medical records for precisely this purpose.
Texas is also probably right to have concerns about a federal government agency, without direct statutory authority from Congress, exercising its rulemaking authority to directly infringe on state law enforcement agencies’ valid investigations and prosecutions of crimes. (Whether this concern is sincere, and whether the provision or receipt of certain health care should be criminalized, are matters outside the scope of this blog post and that we only discuss after work with a strong drink.)
Here’s where Texas might be wrong: It’s not apparent that HIPAA would prevent its AG from obtaining the PHI it allegedly requested, even when applying the Reproductive Care Rule. If the provider who denied the AG’s request had a reasonable concern that the care under review was lawfully provided, HIPAA still would not preclude the disclosure. Instead, the requestor would have to demonstrate a “substantial factual basis that the reproductive health care was not lawful” and complete a one-page attestation form. Unless that provider has actual knowledge that the care was lawfully delivered, HIPAA would permit (but not require) the disclosure if the requestor meets those burdens.
In any event, it’s unclear from the complaint why the covered entity that rejected the AG’s request for PHI did so. The office may have declined to provide the requisite “substantial” facts in support of his investigation. It’s also possible the denial was based on a misunderstanding of the Reproductive Care Rule. Either way, we may see a core part of the HIPAA Privacy Rule enjoined by a federal court for appropriate legal reasons, but no good practical ones.
And finally, although it’s not our most important observation here: we strongly disagree with Texas’s allegation that DHHS failed to explain these HIPAA rules. The proposed and final versions of these rules include more than 650 pages of explanatory preambles. And that was the small-print, triple column Federal Register formatted page count, for pity’s sake.
What Will Happen to HIPAA if Texas Wins?
The specific relief sought by Texas is for the court to invalidate, vacate, and set aside the entirety of the Reproductive Care Rule and the noted section of the offending portion of the Current HIPAA Rules, payment of Texas’s attorneys’ fees, and such other relief as the court deems just and proper.
If the court agrees with Texas entirely, DHHS will be permanently enjoined from enforcing either part of the rules. Because the Current HIPAA Rules apply to PHI generally, a victory for Texas would ease law enforcement access to all PHI, not only PHI regarding reproductive rights.
In addition, covered entities’ understanding of the pending rule changes is highly variable (see above: the AG’s office might have been entitled to the PHI it requested but was denied) and a decision enjoining a 24-year-old part of the regulations will likely come as a surprise too. It’s very unlikely that law enforcement agencies, private litigants, or health care oversight agencies are any better versed in the already complicated requirements. Given those circumstances, the genuinely high-stakes nature of this topic, and its unfortunate politicization, if Texas wins, you should expect general chaos and uncertainty among the regulated community as we try to navigate the expectations of DHHS, law enforcement, and the courts. Probably you should expect that even if Texas does not win, since the attempt is a roadmap for future challenges which may be plentiful in this climate.
What to Do Now?
If you accept our prediction, it would be prudent to meet with leadership in your organization to get a view on how you might approach covered requests (with and without the Reproductive Care Rules in place). It is very possible to answer this question correctly under regulatory interpretations and still find yourself in a public dispute with a law enforcement agency, so an “institutional guiding light” will be very helpful to decision-making when the first covered request presents itself on your doorstep.
Bigger picture, you should understand that Loper Bright and DHHS’s approach to this new rule have handed Texas a great case to prevail on the claims they are asserting. It is not too soon to develop a secondary plan for compliance (we assume your primary plan remains implementation of the Reproductive Care Rules, which are enforceable by DHHS in December, potentially before the Texas case has a clear outcome). What will your review and response process be for PHI requests if these parts of HIPAA essentially do not exist? Can you pivot within the response time given by typical investigative demands? These questions are worth considering soon.
You should also understand that a victory for Texas in the lawsuit would jeopardize HIPAA generally. Texas is not only attacking the new Reproductive Care Rules. It is attacking a core component of the HIPAA Privacy Rule that was promulgated in 2000 and generally governs the provision of PHI to law enforcement. Under Loper Bright, agencies may no longer receive deference from courts when litigants allege that those agencies have exceeded their statutory authority. In the case of HIPAA, the original authorizing statute includes precious little detail about use and disclosure of PHI, or individual rights, when compared to the regulations in place today. As a result, there is a basis to challenge other parts of the HIPAA regulations on the same grounds Texas now asserts. If Texas prevails, or other significant aspects of HIPAA fall, expect a swift escalation in the patchwork nature of state privacy laws and an uncertain future for the broad HIPAA exceptions currently in those state laws.
Finally, we recommend going for a walk, hugging a child or a puppy, eating some ice cream, or watching your favorite guilty-pleasure movie. Privacy law has always been highly changeable, and that’s not changing anytime soon. It will still be here when you get back from your break.