On April 17, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) that would modify the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, HIPAA). The comment period recently closed on June 16, 2023.
If finalized in its current form, the Proposed Rule would modify existing standards under the Privacy Rule by prohibiting uses and disclosures of protected health information (PHI) for criminal, civil or administrative investigations or proceedings against individuals, covered entities or their business associates (collectively, Regulated Entities), or other persons for seeking, obtaining, providing or facilitating reproductive healthcare, including abortion-related healthcare, that is lawful under the circumstances in which it is provided.
In 1973, the Supreme Court of the United States (SCOTUS), in its Roe v. Wade decision, confirmed an individual’s right to access abortion and related services before the point of fetal viability, and in 1992, in Planned Parenthood v. Casey, SCOTUS reaffirmed this constitutional right to abortion. On June 24, 2022, in Dobbs v. Jackson Women’s Health Organization, SCOTUS overturned Roe and Casey, ruling that such decisions should be deferred to individual state legislatures. Following this decision, an increasing number of U.S. jurisdictions are enacting abortion laws that impose potential civil, criminal and/or administrative liability on all individuals involved in, seeking or providing abortion-related services.
In response to these developments in the law, President Biden signed two Executive Orders directing HHS to consider taking additional actions, including under HIPAA, to strengthen the protection of patients’ sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality. In response, HHS issued the NPRM, which would, among other things: (i) clarify the definition of “person”; (ii) adopt new definitions of “public health” surveillance, investigation or intervention, and “reproductive health care”; (iii) impose, in certain circumstances, new attestation requirements; (iv) modify requirements for Notice of Privacy Practices; and (v) clarify when PHI may be used or disclosed by Regulated Entities and when such uses or disclosures are prohibited.
HHS has determined that information about reproductive health is particularly sensitive and therefore requires heightened protections to safeguard the patient from investigations or proceedings that could result in medical mistrust and the deterioration of the confidential, safe environment necessary to provide and maintain quality healthcare, a functional healthcare system and the public’s health generally.
The existing Privacy Rule permits, but does not require, covered entities to disclose PHI to law enforcement officials and others without the individual’s written authorization, under specific circumstances. In the wake of these recent legal developments, patients, providers and organizations have expressed concerns that especially sensitive PHI detailing a patient’s need for, or receipt of, lawful reproductive healthcare will be used or disclosed without their knowledge or consent. Recognizing the validity of these concerns, the NPRM seeks to enhance protections for PHI related to reproductive healthcare by prohibiting the use or disclosure of PHI for the criminal, civil or administrative investigation of or proceeding against an individual, Regulated Entity or other person for seeking, obtaining, providing or facilitating reproductive healthcare that is lawful under the circumstances in which it is provided. It also seeks to prohibit the identification of any person for the purpose of initiating such an investigation or proceeding. Under this NPRM, “reproductive health care” would be broadly defined to include (but not be limited to) prenatal care, abortion, miscarriage management, infertility treatment, contraception use and treatment of reproductive-related conditions such as ovarian cancer.
Under the NPRM, Regulated Entities would be prohibited from disclosing PHI when the reproductive healthcare falls within at least one of three sets of circumstances:
- It is provided outside the state where the investigation or proceeding is authorized and where such healthcare is lawfully provided (e.g., if a resident of one state traveled to another state to receive reproductive healthcare, such as an abortion, that is lawful in the state where such healthcare was provided).
- It is protected, required or authorized by federal law, regardless of the state in which such healthcare is provided (e.g., if the reproductive healthcare, such as miscarriage management, is required under the Emergency Medical Treatment and Labor Act to stabilize the health of the pregnant person).
- It is provided in the state in which the investigation or proceeding is authorized and the care provided is permitted by the law of that state (e.g., if a resident of a state received reproductive healthcare, such as a pregnancy test or treatment for an ectopic pregnancy, in the state where the individual resides, and that reproductive healthcare is lawful in that state).
If the NPRM is finalized as proposed, disclosure of PHI related to reproductive healthcare in these circumstances could result in an OCR investigation and the imposition of civil monetary penalties against a Regulated Entity.
To assist in effectuating this prohibition, the NPRM would require Regulated Entities to obtain an attestation from the person or entity requesting the PHI that such use or disclosure is not for a prohibited purpose.
Key Takeaways and Potential Implications for Healthcare Organizations
This NPRM would apply to all HIPAA-covered entities, including healthcare providers that conduct covered electronic transactions, health plans, covered pharmacies and, in certain circumstances, healthcare clearinghouses. HHS expects that the NPRM will have varying effects on different covered entities and would have the most direct effect on covered healthcare providers, their business associates and health plans. Thus, HHS suggests that if the NPRM is finalized, all affected covered entities would at least need to adopt or alter some existing policies and procedures, enhance security of any IT system that contains PHI, retrain certain employees on the new requirements, and revise certain business associate agreements that may be affected by the Rule.
McGuireWoods will continue to monitor developments in this area and provide updates, as necessary. The team is ready and available to assist in a review of a practice’s, provider’s or facility’s policies and procedures and assess the risk of specific situations. If you have any questions, please do not hesitate to contact the authors of this alert.