May 10, 2024

Reproductive Healthcare Privacy Rule Brings New Requirements for All Providers

OCR in Overdrive: Significant Regulatory Changes for the Healthcare Industry – Part 1
Holland & Knight Alert
Beth Neal Pitman | Shannon Britton Hartsfield | Eddie Williams III | Julia Hesse

Highlights

  • The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released the HIPAA Privacy Rule to Support Reproductive Health Care Privacy.
  • The rule has broad-reaching implications for all healthcare providers, not just reproductive care providers.
  • This Holland & Knight alert is Part 1 of our "OCR in Overdrive" series focused on emerging regulatory developments at OCR and the impact on patient privacy and data security requirements for healthcare providers and their business associates.

In the midst of an industry reeling from the Change Healthcare cybersecurity incident, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a series of final rules requiring significant compliance implementation by virtually all Health Insurance Portability and Accountability Act (HIPAA) covered entities and many of their business associates. The first final rule released by OCR, the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, has broad-reaching implications. For covered entities that think the new HIPAA Reproductive Health Information rule (RHI Rule), effective April 26, 2024, applies only to reproductive health providers, think again. These final rules will require significant compliance investment by a wide range of providers (despite the very modest executive administration financial impact analysis). Compliance is required by Dec. 23, 2024, except for required updates to the Notice of Privacy Practices that are required by Feb. 16, 2026.

The RHI Rule makes a number of changes including the following:

  • defines RHI broadly, including over-the-counter medications, and is not limited to specific procedures, treatment or medications
  • applies to reproductive healthcare that is lawful in the state rendered
  • applies to any covered entity (and its business associates) that maintains protected health information (PHI) which includes RHI – whether the RHI was created by the covered entity or not
  • prohibits disclosure of RHI for conducting a criminal, civil or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating legally rendered reproductive healthcare, imposing criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating legally rendered reproductive healthcare, or to identify any person for these purposes
  • requires an attestation by the records requestor prior to disclosure for certain nonhealth purposes affirming that the request is not for an improper purpose. Affected requests include healthcare oversight activities, such as audits, law enforcement purposes, judicial and administrative proceedings, and disclosures to coroners and medical examiners.

OCR also made significant amendments to or commented on HIPAA definitions that are impacted by this RHI Rule. Some of those include:

  • permitted public health disclosures were revised to specifically exclude disclosures for the prohibited purposes of using or disclosing RHI to conduct investigations or imposing liability or identifying persons for the mere act of seeking, obtaining providing or facilitating healthcare, including reproductive healthcare
  • HHS clarified and confirmed that administrative disclosures (164.512(f)(1)) are only those "required by law" referring to the 2003 Privacy Rule establishing that these are requirements arising under "a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law"
  • conditions for when a covered entity may decline to recognize a personal representative or is required to report abuse are also updated based on the RHI Rule
  • the definition of a "person" is amended to clarify that this relates to a human being that is born alive

Reproductive Health Information Definition

OCR issued the RHI Rule in response to the U.S. Supreme Court's decision in Dobbs v. Jackson Women's Health Organization and state laws banning abortion services. The definition of RHI, however, extends far beyond the scope of abortion services and encompasses the general gamut of women's health, as well as healthcare for others affecting the reproductive system in virtually any way.

The RHI Rule defines reproductive healthcare as PHI that includes healthcare "that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes." The RHI Rule is clear that the definition is to be "interpreted broadly" and, through its list of examples, the range of services falling within this definition extend from contraceptive medications to peri- and post-menopausal treatments, and the provision of medications and devices, including over-the-counter medications or devices.

The pervasive and unsegmented nature of RHI within the health records of patients extends the applicability of the RHI Rule to nearly all healthcare providers, health payers, pharmacies and other HIPAA-regulated organizations, including business associates. Identifying records containing RHI will be a compliance imperative for all providers and health plans.

Prohibited Disclosures and Attestation Condition to Uses and Disclosures  

Rather than setting aside RHI as a specific new category of PHI, such as Part 2 substance use disorder records or psychotherapy notes, OCR seeks to protect reproductive health records through purpose-driven protections. In effect, however, these changes seem to create a new category of super-confidential data.

The RHI Rule prohibits a regulated entity for using or disclosing RHI for the following:

  • conducting criminal, civil or administrative investigations of any person for the mere act of seeking, obtaining, providing or facilitating reproductive healthcare
  • imposing criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating reproductive healthcare
  • identifying any person for these purposes

The prohibition on disclosure of RHI applies to: 1) reproductive healthcare that is lawful in the state in which it is provided, 2) care that is protected, required or authorized by federal law, such as Emergency Medical Treatment and Active Labor Act (EMTALA) or the U.S. Constitution, under the circumstances in which it is provided without regard to the state law or 3) when the care is provided by someone other than the recipient of the request. Lawfulness is presumed unless the request recipient has actual knowledge that it is not lawful or the requestor demonstrates unlawfulness.

Notably, OCR declined to finalize its proposed restriction against permitting a patient to authorize disclosures that are prohibited – meaning that the RHI rule states that an individual can authorize a disclosure of their own RHI that would otherwise be prohibited. The proposal was made to protect against the use of coercion by law enforcement to obtain a patient's authorization to disclose, and also to prevent a situation where an individual's pre-existing general authorization to release PHI (which may have been obtained via acknowledgement of a Notice of Privacy Practices) would be used to support the release of RHI. OCR recognized that its decision "could also expose a health care provider or other person who provides or facilitates reproductive health care to liability in the event the authorization is used to affect a disclosure for a prohibited purpose in connection with lawful reproductive health care.

In addition to the above prohibition, the RHI Rule also protects RHI through an additional purpose-driven obligation by implementing a new HIPAA standard in 45 C.F.R. 164.509, Uses And Disclosures For Which An Attestation Is Required. Pursuant to this new regulation, disclosures for nonhealth purposes under 45 C.F.R. 165.512 (d) – (g)(1), healthcare oversight activities, such as payer audits, judicial and administrative proceedings (court order, subpoena or government regulatory investigation), disclosures for law enforcement, coroners and medical examiners would require an attestation. When an attestation is required but not obtained, OCR commented that the requestor will either need to seek RHI from a nonregulated entity or demonstrate that the reproductive healthcare was not lawful.

Healthcare providers that have already invested significant resources with respect to compliance with the 21st Century Cures Act (Cures Act) information blocking regulations may be required to make further changes as there will likely be delay in responding to requests for exchange of electronic health information that includes RHI. While HHS does not consider compliance with the RHI Rule as an impediment to compliance with the Cures Act, both the prohibition and required attestation will result in either denials or delays in access and exchange of electronic health information (EHI) requiring documentation to support that no information blocking is occurring.

What Now?

Healthcare providers should take steps now in response to the RHI Rule, including the following compliance recommendations:

  • identify locations of RHI in PHI, including billing and other administrative records. Discuss potential assistance that health IT vendors can provide to tag or otherwise flag this type of information
  • review and update HIPAA business associate agreements to require that business associates implement processes for compliance with the RHI Rule
  • adopt and update existing policies and procedures that are impacted by the RHI Rule, such as HIPAA definitions, permitted disclosures, Required by Law disclosures, disclosures pursuant to subpoenas and implementing an attestation policy and form
  • train health information management personnel and others responsible for responding to requests for information, including processes for assuring that attestations are obtained when required
  • update the Information Blocking policies and documentation to specifically address the delay in exchange of EHI likely when reproductive health information is involved
  • watch for additional guidance from the OCR

Holland & Knight Insight

The RHI Rule creates uncertainty for regulated entities in a number of areas, including, not insignificantly, for those who will not have insight into the purpose behind a disclosure that is Required by Law under HIPAA and may not be able to compel or require execution of an attestation. This creates a real dilemma for HIPAA-regulated entities who may be put in a position of choosing whether to comply with a state law legal requirement to disclose information or the HIPAA RHI privacy prohibition.

For additional information on the RHI Rule, please contact the authors or another member of Holland & Knight's HIPAA and Healthcare Privacy Team.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.

Related Practices

Data Strategy, Security & Privacy Healthcare & Life Sciences Healthcare & Life Sciences Policy Healthcare Regulatory Compliance HIPAA and Healthcare Privacy Healthcare Litigation Hospitals and Health Systems

Related Industry

Healthcare & Life Sciences
Subscribe to Updates and Events
Click to Sign Up

Related Insights