ARTICLE
8 October 2024

Piloting The New HHS Reproductive Health Care Privacy Rule: HIPAA And Provider Updates


On June 25, 2024, the Department of Health and Human Services Office for Civil Rights (OCR) published an extensive Final Rule amending the HIPAA privacy rule, providing new protections for the privacy of reproductive health information (RHI). This Final Rule attempts to balance state autonomy with HIPAA's objectives of maintaining health information privacy. Compliance is required by December 23, 2024, except for the notice of privacy practices (NPP) provisions, which are required by February 16, 2026.

The Final Rule was born out of concerns that recent legal developments may erode patients' trust in the health care system. The Supreme Court's decision in Dobbs, which overturned Roe v. Wade and Planned Parenthood of Southeastern Pennsylvania v. Casey, enabled states to restrict access to abortion. The concern is that this legal shift may interfere with the longstanding expectations of individuals, established by HIPAA and the Privacy Rule, with respect to the privacy of their RHI.

The changes in the legal landscape have nationwide implications, not only because of their effects on the relationship between health care providers and individuals, but also because of the potential effects on the flow of health information across state lines. For example, an individual who travels out-of-state to obtain reproductive health care that is lawful under the circumstances in which it is provided may now be reluctant to have that information disclosed to a health care provider in their home state if they fear that it may then be used against them. Additionally, individuals and health care providers may be reluctant to disclose protected health information (PHI) to health plans with a multi-state presence because of concerns that one of those states will seek PHI to investigate or impose liability on the individual or the health care provider, even if there is no nexus with that state other than the health plan's presence.

The Final Rule aims to balance these legal shifts by explicitly limiting the scope of the Privacy Rule's law enforcement exception. To clarify, the pre-existing permissions for law enforcement disclosure did not mandate disclosure to law enforcement agencies. Rather, they established the conditions under which HIPAA-covered entities and their business associates (collectively, "Regulated Entities") may disclose PHI if they choose to do so.

The Final Rule delineates specific circumstances in which Regulated Entities may disclose RHI by prohibiting RHI use or disclosure to conduct a criminal, civil, or administrative investigation into a person or their identity or to impose civil, criminal, or administrative liability on any person, for the sheer act of seeking, obtaining, providing, or facilitating reproductive health care lawful under the circumstances in which it was provided. See the OCR press release here. This includes cases in which the Regulated Entity receiving the request had no actual knowledge that the reproductive health care was unlawful and the requestor has not provided any factual information that the health care was unlawful. This prohibition effectively preempts state laws mandating the use or disclosure of PHI pursuant to a court order or other legal process for a prohibited purpose.

The Final Rule does not apply if the reproductive health care is known by the Regulated Entity to have been delivered unlawfully. In that case, a Regulated Entity would be permitted, but not required, to disclose PHI to law enforcement if aligned with the Privacy Rule.

The Final Rule also requires Regulated Entities to obtain an attestation from the person or entity requesting PHI potentially related to RHI for health care oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. It must (1) state that the requested use or disclosure of PHI is not for a prohibited purpose and (2) provide notice of criminal penalties for individuals who knowingly violate HIPAA. A model attestation from HHS can be obtained here.

Additionally, the Final Rule requires Regulated Entities to revise their NPPs in several ways to strengthen reproductive health care privacy, including informing individuals about how their PHI may or may not be used or disclosed along with examples.

OCR's identified potential benefits of the Final Rule include:

  • Maintaining or reducing levels of maternal mortality and morbidity by ensuring that individuals freely communicate with clinicians and have access to complete information needed for quality lawful health care, including coordination of care.
  • Preventing or reducing re-victimization of pregnant individuals who have survived rape or incest by protecting their PHI from undue scrutiny.
  • Maintaining the economic well-being of regulated entities by not exposing regulated entities or workforce members to costly investigations or activities to impose liability on them for engaging in lawful activities.

Regardless of these potential benefits, the Final Rule now puts Regulated Entities in the difficult position of deciding whether to comply with state law requirements to disclose RHI or the federal HIPAA privacy prohibition.

Preliminary Questions and Answers

When can Regulated Entities presume that reproductive health care provided was lawful under the circumstances?

Care is presumed lawful unless the Regulated Entity has actual knowledge that the reproductive health care was not lawful, or the requester provided factual information demonstrating a substantial basis that the reproductive health care was not lawful under the circumstances.

How should Regulated Entities proceed when state law requirements conflict with the Final Rule's prohibitions?

Given some of the "gray" status of protections of RHI at both the federal and state levels, providers should consider their local enforcement environment and the potential challenges to OCR's oversight. A Regulated Entity faced with a subpoena from law enforcement in a state that does not permit abortion may feel pressured to comply despite the Final Rule. Additionally, OCR still needs to determine how it will support Regulated Entities pressured to disclose RHI. Regulated Entities' legal and compliance departments should consider establishing a compliance hotline to answer questions related to law enforcement requests.

Additional Takeaways for Regulated Entities

When complying with the Final Rule, Regulated Entities and other stakeholders should:

  1. Update HIPAA Policies and Procedures, NPPs, and Business Associate Agreements. Regulated Entities must also post updated NPPs to their websites.
  2. Draft Attestations. Consider if attestations should be completed with all PHI requests versus for only those potentially related to RHI. Reproductive health care is often inseparably intertwined with the patient's general medical records.
  3. Understand the Scope of Protected Data. The Final Rule does not mandate sweeping prohibitions against all RHI disclosure nor limit permissible PHI uses and disclosures. The Final Rule also does not provide privacy protections for individuals' health information maintained and stored on personal devices, like location information or information patients voluntarily upload to apps. Additionally, the Final Rule does not apply to entities not subject to HIPAA. Regulated Entities should also consider the patchwork of state-specific abortion shield laws. For example, California prohibits California-based companies providing electronic communication services from cooperating with out-of-state search warrants related to abortion investigations.
  4. Retrain Their Staff. Train staff to understand when information regarding RHI may and may not be provided to law enforcement entities and other officials.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
