On April 12, 2023, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (the “Notice”) to solicit comments on its proposal to modify the HIPAA Privacy Rule. Specifically, the Privacy Rule modifications described in the Notice (the “Proposal”) are intended to strengthen reproductive health care privacy by giving individuals additional confidence that their protected health information (“PHI”), including information relating to abortions and other sexual and reproductive health care, will remain private.
What You Need to Know:
The Proposal would apply when the relevant criminal, civil, or administrative investigation or proceeding is in connection with reproductive health care that is:
- sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized, such as when a resident of one state travels to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided;
- protected, required, or expressly authorized by federal law, regardless of the state in which such health care is provided, such as when the reproductive health care, such as miscarriage management, is required under the Emergency Medical Treatment and Labor Act (EMTALA) to stabilize the health of the pregnant individual; and/or
- provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such health care is provided, such as when a resident of a state receives reproductive health care, such as a pregnancy test or treatment for an ectopic pregnancy, in the state where they reside, and that reproductive health care is lawful in that state.
The Proposal is one of many actions that HHS has taken in support of President Biden’s two Executive Orders, issued in the weeks after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, to protect access to reproductive care, including abortion. Post-Dobbs, multiple states have considered or enacted statutes that restrict rights to reproductive care, and Idaho recently enacted a criminal statute that makes helping a pregnant minor get an abortion in another state, whether through medication or a procedure, punishable by two to five years in prison.
The Proposal seeks to strengthen privacy protections by prohibiting the use or disclosure of PHI by HIPAA-covered entities and business associates (“Regulated Entities”) for either of the following purposes (each a “Prohibited Purpose”):
- A criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of initiating such investigations or proceedings.
A fact sheet for the Notice has been posted.
The Proposal permits Regulated Entities to continue to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for PHI is not made primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, such as to defend against professional misconduct or negligence involving reproductive health care, to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care, and to use or disclose PHI to an Inspector General where the PHI is sought to conduct an audit for health oversight purposes.
The Proposal also would require Regulated Entities, when receiving a request for PHI potentially related to reproductive health care, to obtain a signed attestation confirming that the use or disclosure is not for a Prohibited Purpose. This attestation requirement would apply when the request is for PHI for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners, and is intended to (i) ensure that the existing Privacy Rule permissions could not be used to circumvent the Proposal; (ii) continue permitting essential disclosures; and (iii) limit the additional burden on Regulated Entities receiving requests for such uses and disclosures by providing a standard mechanism by which the Regulated Entities would determine whether a requested use or disclosure would be prohibited under the Proposal.
As explained in OCR guidance, the current Privacy Rule permits, but does not require, certain disclosures to law enforcement and others, subject to specific conditions.
Public comments on the Notice are due 60 days after publication of the Notice in the Federal Register. If the Notice is published on April 17, 2023 as scheduled, then the public comments will be due on June 16, 2023.
In a post-Dobbs environment, there likely will be continued statutory changes in many states, and ongoing litigation at the state and federal levels, which may encourage the Federal Government’s executive branch to respond to uphold President Biden’s priorities in the absence of any congressional activity.