HHS Proposes HIPAA Changes to Protect Reproductive Health Information

The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) published a Notice of Proposed Rule Making (Proposed Rule) on April 12, 2023, proposing amendments to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to strengthen privacy protections for reproductive health information and specifically requesting comments to certain of the proposed amendments. According to OCR, the Proposed Rule is intended to strengthen patient-provider confidentiality and facilitate full exchange of healthcare information between healthcare providers and patients. The Proposed Rule will be published in the Federal Register on April 17, 2023, and comments will be accepted for 60 days thereafter.

Background

As a result of certain state laws passed and pending following the Dobbs v. Jackson Women's Health Organization decision, there have been growing concerns that law enforcement and others are increasingly likely to request protected health information (PHI) from healthcare providers and others, such as technology vendors, for use against individuals, healthcare providers and others, solely because such persons sought, obtained, provided or facilitated lawful reproductive healthcare. Developments in the aftermath of Dobbs have made information related to reproductive healthcare more likely to be of interest for punitive non-healthcare purposes. Furthermore, OCR believes that additional privacy protection would reduce the risks that medical records relating to legal reproductive healthcare would be inaccurate or incomplete. As an example, OCR cited in the preamble of a recently filed lawsuit that details the decision made by a plaintiff's out-of-state healthcare provider to describe the plaintiff's condition as something other than an abortion, even though the abortion was lawful in the state in which it was provided, because the healthcare provider was concerned about the ramifications of documenting the healthcare provided as an abortion.

OCR has determined, in accordance with other federal agencies, that information about reproductive healthcare is particularly sensitive and requires heighted protections, similar to the nature and treatment of mental healthcare in psychotherapy notes. However, unlike psychotherapy notes, which by their very nature are easily defined and segregated, reproductive health information is not easily defined or segregated. OCR acknowledges, that in most cases, information about an individual's reproductive healthcare includes the kind of highly sensitive information that patients would be reluctant to share if they knew it could be disclosed and used against them, thus leading to inaccurate and incomplete medical records. This chill on open and complete health information sharing in the physician-patient relationship, OCR noted, would have an overall negative impact on both the quality and availability of legal reproductive healthcare services. For that reason, OCR set out a proposed definition for Reproductive Health Information (RHI), as a subset of PHI, but recognized the need to establish a shield against certain uses of RHI rather than creating a protected category of information. The proposed restrictions on disclosure are purpose-based as opposed to category-based.

The Proposed Rule adds and defines a new term, "reproductive healthcare," that is a subcategory of the existing term "healthcare." OCR intends to interpret "reproductive healthcare" to include, but not be limited to:

• contraception, including emergency contraception
• pregnancy-related healthcare, including but not limited to miscarriage management, molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, prenatal care and similar or related care
• fertility- or infertility-related healthcare
• other types of care, services or supplies used for the diagnosis and treatment of conditions related to the reproductive system

Prohibitions in Disclosures of RHI

Under the Proposed Rule, disclosures of PHI would be prohibited when RHI is sought for the purpose of conducting a criminal, civil or administrative investigation into or proceeding against the individual, a healthcare provider or other person in connection with seeking, obtaining, providing or facilitating reproductive healthcare that 1) is provided outside of the state where the investigation or proceeding is authorized and where such healthcare is lawfully provided, 2) is protected, required or authorized by federal law, regardless of the state in which such healthcare is provided, or 3) is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state. For example, if a patient who resides in a state that prohibits certain reproductive health services goes out of state for lawful services, that patient may return to her state of residence and share all health information with her provider without the risk of having that information used for punitive purposes against her or her providers.

The Proposed Rule would also prohibit a covered entity from using or disclosing an individual's PHI for the purpose of identifying an individual, healthcare provider or other person for the purpose of initiating such an investigation or proceeding against the individual, a healthcare provider or other person in connection with obtaining or providing reproductive healthcare that is lawful under the circumstances in which it is provided.

Under the HIPAA Privacy Rule, as it currently stands, the law permits but does not require certain disclosures to law enforcement and others, subject to specific conditions, and which are referred to as "required by law" disclosures. In 2022, OCR published clarifying guidance on the HIPAA Privacy Rule's requirements around sharing PHI with law enforcement. OCR explained that disclosures for non-healthcare purposes, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual's privacy and support their access to healthcare, including abortion care. Covered entities can use and disclose PHI without an individual's signed authorization only as expressly permitted or required by the HIPAA Privacy Rule. OCR's guidance explained the HIPAA Privacy Rule's permits disclosures of PHI when required by law, subject to the minimum necessary restrictions, for law enforcement purposes and to avert a serious threat to health or safety. These "required by law" disclosures are not restricted under the proposed rule, when the information sought is not for the punitive purpose prohibited by the proposed regulations.

The prohibition against disclosure applies even if a patient has executed an authorization. OCR reasoned that the authorization could be used improperly. In addition, OCR proposes an attestation requirement for disclosures that are "required by law" or similar when not prohibited. The Proposed Rule will require covered entities in certain circumstances to obtain an attestation from the person requesting the use or disclosure that the use or disclosure is not for a prohibited purpose. A requester who knowingly falsifies an attestation (e.g., makes material misrepresentations as to the intended uses of the PHI requested) to obtain an individual's information would be in violation of HIPAA and could be subject to criminal penalties. OCR is considering whether to develop a model attestation that a covered entity may use.

Takeaways

The definition and scope of RHI encompasses a wide range of healthcare providers and business associates and includes over-the-counter medications. State laws that are contrary to the proposed regulations will be preempted by HIPAA.

If the reproductive health services sought or obtained are illegal under state law in which the services are provided, there is no protection against disclosure – except in situations where there are federal requirements to provide services (i.e., under the Emergency Medical Treatment and Active Labor Act (EMTALA) or services provided by the U.S. Department of Veterans Affairs). Assuming law enforcement subpoenas or requests for information are otherwise permissible, disclosures of this information would also be permitted. This means that PHI could potentially be disclosed for patients receiving reproductive healthcare in states where the procedure is illegal when the procedure is performed in that state.

The Proposed Rule would prohibit disclosure of RHI related to interstate reproductive healthcare services if the services are received in a state where it is lawful to receive such care.

If a request is received for PHI that is potentially related to reproductive healthcare, the covered entity or business associate will be required to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This will likely be an administrative burden on healthcare providers to obtain and verify information contained in an attestation. Furthermore, if a healthcare provider becomes aware of an attestation that has been falsified or misrepresented, the healthcare provider may be required to report it as a data breach to the individual and OCR.

The Proposed Rules apply to only HIPAA-covered entities and business associates and do not apply to healthcare apps or products that fall outside of the scope of HIPAA; therefore, direct-to-consumer female technology (FemTech) apps or products may not have the same restrictions with respect to sharing information for law enforcement purposes. Direct-to-consumer health apps and products not offered on behalf of a covered entity are subject to oversight by the Federal Trade Commission (FTC). The FTC has also recognized that information related to personal reproductive matters is "particularly sensitive." The FTC has published its own guidance indicating that it will pursue enforcement against any unauthorized disclosure made in violation of federal or state law or contrary to the statements made in public privacy notices.

For more information on how the Proposed Rule impacts your business, please contact the authors or another member of Holland & Knight's HIPAA and Healthcare Privacy Team.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.