On April 13, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Privacy Rule, 45 C.F.R. Part 160 and Part 164, Subparts A and E, to strengthen federal privacy protections for Protected Health Information (PHI) pertaining to reproductive health care. The NPRM, a response to the Supreme Court of the United States’ decision in Dobbs v. Jackson Women’s Health Organization, 597 U.S. ___, 142 S. Ct. 2228 (2022) (No. 1901392) (June 24, 2022), and the subsequent threats and potential impact of state-level prosecution and law enforcement actions related to the provision of reproductive health care, would prohibit the use and disclosure of such PHI in certain criminal, civil or administrative proceedings, impose new attestation requirements for certain uses and disclosures of PHI, require Notice of Privacy Practices (NPP) changes, and revise the law enforcement exception.
Proposed Changes Would Have Broad Impact Based on the Definition of “Reproductive Health Care”
To create heightened protection for PHI relating to reproductive health, OCR proposes an intentionally broad definition of “reproductive health care” to mean “care, services, or supplies related to the reproductive health of the individual.” According to OCR, the term would include contraception, pregnancy-related health care (including miscarriage management, molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, and prenatal care), and fertility or infertility-related health care (including assisted reproductive technology), regardless of the individual’s age or whether the care is pregnancy-related. The impact of this defined term is that most covered entities, rather than only providers of gynecological or fertility-related care, would be required to implement changes.
Proposed Prohibitions on the Use and Disclosure of Reproductive Health Care Related PHI
Although the proposed changes impact a broad category of PHI, the prohibited uses and disclosures of such information would be purpose-driven. OCR proposes to prohibit covered entities and business associates from identifying any person or using or disclosing PHI for investigations and prosecutions of covered entities and other persons related to seeking, obtaining, providing, or facilitating reproductive health care (Restricted Disclosures) that is either of the following:
- Provided lawfully according to the law of the state where it was provided.
- Federally protected, required, or authorized.
These uses and disclosures would be prohibited even with an individual’s authorization. The proposed changes would not restrict covered entities from making other currently permitted uses and disclosures, such as those for treatment, payment and health care operations, and would not affect disclosures otherwise required for criminal or civil proceedings when they are unrelated to the prohibited purposes.
OCR interprets the phrase “seeking, obtaining, providing, or facilitating reproductive health care” to include, without limitation, expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of these. As a result, covered entities would be required to carefully review requests that could be viewed as investigative or related to law enforcement to confirm the medical records at issue do not relate to a Restricted Disclosure.
New Attestation Requirement as a Condition for Certain Uses and Disclosures
The NPRM would prohibit a covered entity from using or disclosing PHI that potentially relates to reproductive health care under the health oversight exception, the judicial/administrative proceedings exception, the law enforcement exception, or the exception for disclosure of PHI regarding deceased individuals to coroners or medical examiners unless the covered entity first obtains from the requestor an attestation that the purpose of the request is not a Restricted Disclosure. For example, any subpoena for medical records in litigation would require an attestation if the requested PHI was potentially related to reproductive health care. If an attestation is not provided, the covered entity (or its business associate handling responses to subpoenas) would need to carefully review the responsive records to determine whether the disclosure of any such PHI is prohibited. For instance, if a covered entity receives a subpoena for all of a patient’s medical records for the last five years and the records document that the patient requested or asked their provider about birth control at one point within that timeframe, the covered entity would need to obtain an attestation before releasing that portion of the records. As a result, if the attestation requirement is finalized, covered entities will need controls or procedures in place to examine all requests for PHI under the applicable exceptions to determine whether there is potential disclosure of PHI related to reproductive health care and, if so, how to respond to the request.
The NPRM also prescribes content requirements for a valid attestation, which are modeled after the requirements of a compliant general authorization under HIPAA. This attestation could not be combined with consents, authorizations or any other document, and a new attestation would be required for each requested use and disclosure pursuant to the applicable exceptions of PHI potentially related to reproductive health care. OCR is considering providing a model attestation and indicates that a covered entity would be able to rely on an attestation when the reliance is objectively reasonable under the circumstances.
Expanding the Required Content of a Notice of Privacy Practices
For the second time in the last five months, HHS has proposed changes to the NPP requirements that would obligate covered entities to update and add content to their NPPs. In the NPRM, OCR proposes that an NPP must separately describe (1) the Restricted Disclosures and (2) the attestation requirement. If finalized, this will require all covered entities to update their NPPs. On November 28, 2022, HHS proposed extensive revisions to the required NPP content under HIPAA related to its proposed changes to the substance use disorder privacy regulations at 42 C.F.R. Part 2. These changes would limit a covered entity’s ability to apply the terms of an updated NPP to PHI held by the covered entity prior to the updates (a covered entity would only be able to implement material changes described in the NPP to PHI created or received after the NPP revisions were effective).
These consecutive proposals are in contrast to the December 2020 notice of proposed rulemaking in which OCR – citing many stakeholders’ comments that NPPs pose administrative burdens on providers, confuse patients, and are in large part not read by individuals when presented with them – proposed to streamline the NPP content and implementation provisions.
Modifying Standards for Personal Representatives
OCR expressed concern that a covered entity may seek to prevent a personal representative (such as a parent of a minor) from making decisions for a patient about reproductive health care when the covered entity disagrees with that care decision by finding that a decision would amount to abuse of the patient or otherwise is not in the patient’s best interest. To address this concern, the NPRM would not permit a covered entity to deny personal representative status to a person when the primary basis for denying that authority was the fact that the person has facilitated or provided, or is facilitating or providing, reproductive health care for the patient.
Clarification of OCR’s Interpretation of the Law Enforcement Exception
In the NPRM, OCR seeks to narrow the part of the law enforcement exception that permits disclosure of PHI pursuant to an administrative request, such as a civil investigative demand or similar process authorized by law. OCR takes the position that the administrative request portion of the law enforcement exception only applies to requests for which a covered entity is required by law to respond. Although OCR states that this clarification is not meant to be a substantive change and that it is consistent with prior preamble guidance, the phrase is not mentioned in the existing administrative request portion of the exception, nor does prior preamble guidance limit the exception as proposed in the NPRM. This change potentially complicates the ability of covered entities to comply with the Privacy Rule when a law enforcement agency is authorized to request records, but a response by the covered entity is not clearly required by law. As such, this change would be contrary to the current practices of some covered entities.
Information Blocking and Interoperability Considerations
The NPRM potentially conflicts with other efforts of HHS to promote the exchange of PHI and interoperability, including the recent growth in participation in Health Information Exchanges (HIEs). HIEs typically promote automated exchanges of PHI without the opportunity to review requested information line-by-line for potential reproductive health care information. Further, certified electronic health record (EHR) systems often do not allow for data segmentation. In a recent Information Blocking proposed rule announced the same week as the NPRM, HHS requested comments regarding the capabilities of EHRs to segment data, particularly in cases where special handling or other restriction of access to particular portions of electronic PHI is required by law. In contrast, OCR’s HIPAA proposals arguably do not consider the practical challenges faced by covered entities in distinguishing between reproductive health care records and other PHI. OCR appears to recognize this possibility as it requests comments on how covered entities currently receive and address law enforcement and similar requests for PHI.
Public Comments
Comments on the NPRM may be submitted on or before June 16, 2023.
