[author: Adam H. Greene*]
The U.S. Supreme Court’s holding in Dobbs v. Jackson Women’s Health Organization has had a seismic impact on the landscape of U.S. healthcare.[1] Among other effects, it has created new friction between states. With stark differences in state laws governing reproductive healthcare, individuals are increasingly crossing state lines to receive such care.[2] This has led to concerns regarding investigations, prosecutions, or lawsuits in one state for healthcare received in another. In response, some states have passed “shield laws,” such as laws restricting healthcare providers, courts, telecommunications providers, and others from honoring out-of-state requests or demands for information related to reproductive healthcare.[3] The U.S. Department of Health and Human Services (HHS) has now stepped into this fray, amending the HIPAA Privacy Rule[4] to restrict the use and disclosure of protected health information (PHI) related to reproductive healthcare in certain circumstances.[5] The result is greater protection for PHI related to reproductive healthcare, and a greater likelihood that healthcare providers and other HIPAA-regulated entities will need to resist requests for PHI from government agencies.
Overview of the new amendments
The Privacy Rule includes permitted, required, and prohibited uses and disclosures of PHI.[6] The heart of the new amendments is a prohibition on the use or disclosure of PHI for purposes of investigating or imposing liability on a person for seeking, obtaining, providing, or facilitating reproductive healthcare. This prohibition, however, is only applicable in certain circumstances, to be discussed later. To determine whether a request for PHI is for a prohibited purpose, the amendments also require covered entities (CEs) and business associates (BAs) to obtain certain requestors’ attestations that they do not intend to use or disclose PHI for a prohibited purpose. The amendments also require CEs to amend their notices of privacy practices to reflect the new prohibition and the new attestation requirement and make other changes to reflect recent amendments to the Confidentiality of Substance Use Disorder Patient Records Rule at 42 C.F.R. Part 2 (the Part 2 Rule). The Privacy Rule’s amendments also include:
- Various other changes, including new or revised definitions of “person,” “public health,” and “reproductive health care.”
- Clarification that certain activities involving facilitating reproductive healthcare do not qualify as “abuse” for purposes of certain Privacy Rule provisions.
- Clarification regarding when a CE or BA may disclose PHI in response to a law enforcement official’s administrative request.
The new prohibition
The amendments include a new prohibition on the use and disclosure of PHI at 45 C.F.R. § 164.502(a)(5)(iii), joining the prohibitions on health plans using PHI for underwriting purposes and on the sale of PHI. A CE or BA (a HIPAA “regulated entity”) may not use or disclose PHI for three purposes related to reproductive healthcare:
- “To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
- “To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
- “To identify any person for any purpose described in paragraphs (a)(5)(iii)(A)(1) or (2) of this section [i.e., to identify a person in order to investigate or impose liability in relation to reproductive healthcare].”
This prohibition is subject to a “rule of applicability” and a “presumption,” each discussed below.
The prohibition is tied to the “mere act” of seeking, obtaining, providing, or facilitating reproductive healthcare. It does not prohibit other uses and disclosures related to reproductive healthcare, such as a review of the quality of care given while providing reproductive healthcare. Such an action would focus on the quality of care rather than the mere act of the clinician providing the reproductive healthcare.
The prohibition is subject to the rule of applicability, which turns on the legality of the reproductive healthcare under state and federal law. Specifically, the prohibition applies in only two circumstances. First, it applies if the reproductive healthcare was lawful, under the circumstances in which it was provided, under the law of the state in which it was provided. For example, if a patient travels from Texas to Colorado to receive an abortion that is lawful under Colorado law (but would be unlawful in Texas), then the prohibition applies. In contrast, if a state’s law prohibits abortions after six weeks of gestation and an abortion is performed in that state at seven weeks of gestation (and does not fall under any exception in the state law and is not authorized or required by federal law), then the prohibition does not apply, and HIPAA would permit a disclosure of PHI to investigate or impose liability with respect to that reproductive healthcare. Second, the prohibition applies if the reproductive healthcare is protected, required, or authorized by federal law, including the U.S. Constitution, under the circumstances in which it was provided, regardless of the state in which it was provided. For example, if reproductive healthcare is prohibited under a state’s law but is required by the federal Emergency Medical Treatment & Labor Act, or is provided by U.S. Department of Veterans Affairs employees as authorized by federal law, then the prohibition applies.
The prohibition is also subject to a presumption when the reproductive healthcare was provided by someone else. For purposes of the prohibition, reproductive healthcare provided by another person is presumed lawful under the rule of applicability unless the regulated entity has either of the following:
- “Actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
- “Factual information supplied by the person requesting the use or disclosure of protected health information that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.”
For example, an Idaho woman travels to Washington to receive an abortion. An Idaho healthcare provider subsequently receives her complete medical record, including information about the abortion that was performed in Washington. The Idaho healthcare provider then receives a law enforcement request for the woman’s medical record. Because the Idaho healthcare provider did not perform the reproductive healthcare at issue, the provider must presume that the abortion in Washington was lawful unless the provider has actual knowledge that it was not or the law enforcement official demonstrates a substantial factual basis that the reproductive healthcare was unlawful (e.g., an affidavit of a witness in Washington stating that the abortion occurred past the point of fetal viability and was not necessary to protect the life or health of the woman and evidence that this violated Washington law).
The attestation requirement
The new prohibition turns on the requestor’s purpose rather than on the nature of the PHI. For example, a regulated entity may not disclose even an individual’s weight or body temperature if the intent is to use this PHI to investigate or impose liability for seeking or obtaining reproductive healthcare. But how can a regulated entity know what a requestor intends to do with the requested PHI? The answer is that, for certain uses and disclosures of PHI, the Privacy Rule now requires, at 45 C.F.R. § 164.509, that the regulated entity obtain an attestation from the person requesting the use or disclosure of PHI that the use or disclosure is not for a prohibited purpose.
A regulated entity must obtain an attestation if the use or disclosure is:
- for health oversight activities;
- for judicial and administrative proceedings;
- for law enforcement purposes; or
- about decedents to a coroner or medical examiner.
The use or disclosure of PHI can be for multiple purposes, such as the healthcare operations of the CE (e.g., its legal defense) and for judicial and administrative proceedings. If a use or disclosure is for a purpose other than the four previously mentioned (such as healthcare operations), then an attestation is not required, even if the use or disclosure would also fit one of those four purposes. For example, a CE may disclose PHI to defend itself in a criminal prosecution as part of its healthcare operations, and does not need an attestation to do so, even if such a disclosure may also be permissible as a disclosure for law enforcement or judicial purposes.
An attestation is required for the above purposes only if the request is for PHI potentially related to reproductive healthcare. For example, if a law enforcement official’s request is for PHI limited to information about a gunshot wound, then an attestation is not required if the regulated entity determines that the PHI does not potentially relate to reproductive healthcare. In contrast, if a law enforcement official is investigating potential healthcare fraud and requests an entire medical record, then an attestation from the law enforcement official is required if the medical record potentially contains PHI related to reproductive healthcare.
The attestation must include the following elements:
“(i) A description of the information requested that identifies the information in a specific fashion, including one of the following elements:
“(A) The name of any individual(s) whose protected health information is sought, if practicable.
“(B) If including the name(s) of any individual(s) whose protected health information is sought is not practicable, a description of the class of individuals whose protected health information is sought.
“(ii) The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure.
“(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity is to make the requested use or disclosure.
“(iv) A clear statement that the use or disclosure is not for a purpose prohibited under [the new prohibition at 45 C.F.R.] § 164.502(a)(5)(iii).
“(v) A statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. § 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person.
“(vi) The signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative's authority to act for the person must also be provided.”
Additionally, an attestation will be defective if:
- “The attestation lacks an element or statement required [above]”;
- “The attestation contains an element or statement not required [above]” [HHS included this provision to address concerns that regulated entities might require persons requesting PHI to provide attestation information beyond that which HIPAA requires];
- The attestation is a compound attestation because it is combined with any other document (except where the document is needed to demonstrate that the use or disclosure is not for a prohibited purpose or to provide a factual basis that the reproductive healthcare was not lawful under the specific circumstances in which it was provided);
- The regulated entity has actual knowledge that material information in the attestation is false; or
- A reasonable regulated entity in the same position would not believe that the attestation is true with respect to the statement that the use or disclosure is not for a prohibited purpose.
In preamble commentary, HHS clarifies that it does not require a regulated entity to investigate the validity of an attestation provided by a person requesting the use or disclosure of PHI. Rather, if a regulated entity knows of information that would make it unreasonable to believe the requestor, it cannot ignore that information. For example, HHS indicates that it likely would not be reasonable for a regulated entity to rely on an attestation from a public official who represents that their request is for a purpose that is not prohibited if the request for PHI is overly broad for its purported purpose, or if the regulated entity knows that the public official has publicly stated that they will be investigating healthcare providers for providing reproductive healthcare.
Changes to notices of privacy practices
The amendments also require CEs to make several changes to their notices of privacy practices.
With respect to reproductive healthcare, a CE must revise its notice to include: (1) a description, including at least one example, of the types of uses and disclosures of PHI related to reproductive healthcare that are now prohibited; and (2) a description, including at least one example, of the types of uses and disclosures for which an attestation is now required. The most challenging aspect of these changes is that the prohibition must be described in sufficient detail for an individual to understand it. Because the prohibition is complex—only applying in certain circumstances—briefly explaining the prohibition to individuals in plain language may prove difficult.
More broadly, CEs must revise their notices to include a statement that puts individuals on notice that disclosures under the Privacy Rule may be subject to redisclosure by recipients and no longer protected by the Privacy Rule. Such language has long been a requirement for authorizations, and individuals may consider this limitation when choosing whether to agree to the authorization. Placing the language in the notice of privacy practices puts individuals on notice that HIPAA’s reach is limited, although their only recourse may be limiting what information they are willing to share with healthcare providers due to concerns that such information could eventually leave the protections of the Privacy Rule.
The amendments also include several required changes referencing substance use disorder records subject to the Part 2 Rule. If a CE is subject to the Part 2 Rule, then its HIPAA notice of privacy practices will need to reflect the Part 2 Rule’s more stringent limitations on the use and disclosure of Part 2 records. Additionally, the notice must reflect that Part 2 records shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on the individual’s consent or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record—as provided by the Part 2 Rule. If a CE that creates or receives Part 2 records intends to use or disclose such records for fundraising purposes, then the notice must include a statement informing the individual that the individual must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications. The Part 2 Rule continues to separately require a privacy notice addressing Part 2 records. Accordingly, a CE subject to the Part 2 Rule may maintain a HIPAA notice of privacy practices (amended as reflected above) and a separate Part 2 Rule privacy notice or combine the two notices into one document.
Miscellaneous changes
The amendments also include changing the requirements for responding to law enforcement requests, some new definitions, and clarifications that facilitating reproductive healthcare does not constitute abuse.
The Privacy Rule at 45 C.F.R. § 164.512(f)(1) has always permitted a CE to disclose PHI to a law enforcement official in response to “an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law,” provided that: “(1) The information sought is relevant and material to a legitimate law enforcement inquiry; (2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) De-identified information could not reasonably be used.” After the Dobbs decision, however, there was some question as to whether this provision permitted disclosure in response to any written law enforcement request that recited the three required statements. As clarification, HHS revised the provision to specify that the administrative request must be one “for which response is required by law.” This change applies to all law enforcement administrative requests, regardless of whether they relate to reproductive healthcare.
The amendments also add two definitions and change one. HHS has added a definition for “public health” as the term is used with respect to “public health surveillance,” “public health investigation,” and “public health intervention.” It means “population-level activities to prevent disease in and promote the health of populations,” including “identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of protected health information.”[7] Of note, the definition explicitly exempts activities conducted for the following purposes:
- “To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care.
- “To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care.
- “To identify any person for any of the activities described in paragraphs [(1) or (2)] of this [definition].”
These are the same activities found in the new prohibition, except that they are not limited to reproductive healthcare. HHS added this definition because HIPAA generally preempts contrary state law but does not preempt state laws that provide for the conduct of public health surveillance, investigation, or intervention.[8] HHS was concerned that a state would characterize its activities related to investigating or imposing liability concerning reproductive healthcare (or other healthcare) as public health activities in order to claim that HIPAA does not preempt state law with respect to those activities.
The amendments also add a definition of “reproductive health care,” which means “health care, as defined in [45 C.F.R. § 160.103 of the HIPAA regulations], that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”[9] The definition clarifies that it should not be construed to set forth a standard of care for or regulate what constitutes clinically appropriate reproductive healthcare.
Third, the amendments revise the definition of “person” to clarify that a “natural person” means “a human being who is born alive.” In the preamble commentary to the amendments, HHS explains that this does not introduce a new concept but conforms the HIPAA definition to the statutory definition enacted by Congress in the Born-Alive Infants Protection Act of 2002, 1 U.S.C. § 8. The effect of this revision is to make clear that references to persons, such as the permission for a CE to disclose PHI to avert a serious and imminent threat to the health or safety of a person, do not encompass threats to the health of a fetus. Otherwise, the Privacy Rule could be read to permit a workforce member to report a potential abortion to law enforcement as a serious and imminent threat to the life of the fetus.
Finally, the amendments include two clarifications that facilitating reproductive healthcare does not constitute abuse for purposes of the Privacy Rule. While a parent or legal guardian generally is treated as a personal representative for purposes of the Privacy Rule, there is an exception if the CE reasonably believes that the individual has been or may be subjected to abuse by such person and certain other criteria are met. The amendments clarify that the “reasonable belief” previously referenced does not include the provision or facilitation of reproductive healthcare by such person at the individual’s request. For example, if a minor requests that their parent assist them with obtaining contraceptives or an abortion, a CE may not use this fact alone as the basis for a reasonable belief that the parent has abused the child. Likewise, while the Privacy Rule permits a CE to disclose PHI to a government authority to report abuse, the amendments clarify that this does not include reports solely based on facilitating reproductive healthcare. If a parent or guardian facilitates reproductive healthcare for a child and there is other evidence of abuse, however, the CE still may act on the other evidence of abuse.
Likely challenges
Regulated entities generally have until December 23, 2024, to comply with the new amendments. However, CEs have until February 16, 2026, to revise their notices of privacy practices (the later compliance date is tied to the compliance date for recent Part 2 Rule amendments).
One of the biggest challenges of the new amendments is likely to be increased friction between regulated entities and certain requestors, such as courts, law enforcement officials, and health oversight agencies. At best, regulated entities may need to educate requestors about the need to provide attestations. At worst, regulated entities may find themselves facing threats of obstruction of justice, contempt of court, or licensure sanctions by refusing to provide PHI due to the new prohibition. This problem is not new—for almost 50 years, the Part 2 Rule has required certain entities to refuse to provide Part 2 records in response to court orders or other judicial or law enforcement processes. But the Privacy Rule’s amendments are likely to lead to more fights over reproductive healthcare services than we have seen in the past concerning substance use disorder records, especially in the current, politically charged landscape surrounding reproductive healthcare.
Another substantial challenge will be fine-tuning release-of-information programs so that internal staff understand (1) when an attestation is required before disclosing PHI, and (2) how to review an attestation for regulatory compliance.
Finally, it is common for BA agreements to require the CE to notify the BA of any new limitations in the notice of privacy practices that limit the BA’s use or disclosure of PHI. As CEs amend their notices of privacy practices to reflect the new prohibitions, they may need to notify some or all their BAs of these new limitations.
Looming over all of this is the possibility of a judicial challenge to the regulations and the likelihood of rescission if there is a change in administration after the next election. In the meantime, healthcare providers and other regulated entities have some work ahead of them to substantially revise their release-of-information processes and prepare for potential fights with law enforcement officials and courts.
Takeaways
- HIPAA has a new prohibition on using or disclosing protected health information (PHI) to investigate or impose liability for seeking, obtaining, providing, or facilitating reproductive healthcare.
- Certain requests for PHI that potentially relate to reproductive healthcare must include an attestation that the request is not for a prohibited purpose.
- Covered entities will need to amend their notices of privacy practices to address these new requirements and changes to 42 C.F.R. Part 2.
- Regulated entities may often find themselves at odds with courts and law enforcement due to the new prohibition.
- Regulated entities must train staff to understand the new prohibition and when an attestation is required to disclose PHI.
*Adam Greene is a Partner in the Washington, DC, office of Davis Wright Tremaine LLP and co-chair of its Health Information Practice Group.
1 Dobbs v. Jackson Women’s Health Organization, 597 U.S. 215 (2022).
2 Nadine El-Bawab, “1 in 5 patients travel to other states for abortion care, according to new data,” ABC News, December 7, 2023, https://abcnews.go.com/Health/1-5-patients-travel-states-abortion-care-new/story?id=105429693.
3 See, e.g., A.B. 2091, 2021-2022 Reg. Sess. (Cal. 2022); S.B. 859, 2023 Reg. Sess. (Md. 2023); H.B. 1469, 2023-24 Reg. Sess. (Wash. 2023).
4 Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and E.
5 HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 89 Fed. Reg. 32,976 (April 26, 2024), https://www.federalregister.gov/documents/2024/04/26/2024-08503/hipaa-privacy-rule-to-support-reproductive-health-care-privacy.
6 45 C.F.R. § 164.502(a) (2023).
7 HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 89 Fed. Reg. 32,976 (April 26, 2024) (to be codified at 45 C.F.R. § 160.103 (definition of “public health”)).
8 45 C.F.R. § 160.203(c) (2023).
9 HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 89 Fed. Reg. 32,976 (April 26, 2024) (to be codified at 45 C.F.R. § 160.103 (definition of “reproductive health care”)).