In response to concerns about the confidentiality of protected health information (PHI) related to reproductive health care less than one year after the Dobbs v. Jackson Women’s Health Organization decision, and the prospect of such PHI being weaponized by states and used against patients, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has proposed amendments to the HIPAA Privacy Rule to protect that information.
OCR issued a Notice of Proposed Rulemaking (NPRM) on April 12, 2023 that would modify the HIPAA Privacy Rule to prohibit providers and others subject to HIPAA (Regulated Entities) from using and disclosing PHI sought for the purposes of criminal, civil, or administrative investigations or proceedings against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is otherwise lawful.
As discussed in our two-part blog series on protecting PHI post-Dobbs, there are a number of different avenues under HIPAA permitting health care providers to disclose reproductive health information to regulatory or law enforcement authorities when required to do so under state law. In explaining its rationale for the NPRM, OCR noted the expanded state interest after Dobbs in using highly sensitive reproductive health care information for criminal or civil investigations or proceedings targeting patients. OCR also noted the chilling effect that the potential for law enforcement use of this information could have on physician-patient communications and the physician-patient trust necessary for quality care.
Under the NPRM, OCR would modify HIPAA to prohibit a Regulated Entity from (i) using or disclosing PHI where the PHI would be used for a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care; or (ii) identifying any person for the purpose of initiating such an investigation or proceeding.
OCR would apply this new prohibition where the relevant investigation or proceeding relates to reproductive health care that: (1) is provided outside of the state where the investigation or proceeding is authorized and that is lawful in the state in which such health care is provided; (2) is authorized by Federal law (EMTALA, for example), regardless of the state in which such health care is provided; or (3) is lawful in the state where the investigation or proceeding is authorized.
OCR made clear that it is prohibiting uses of reproductive health care information when that use is primarily for the purpose of investigating or imposing liability on a person for the mere act of seeking or providing reproductive health care. While a Regulated Entity would be prohibited from using or disclosing PHI as part of an investigation into a person’s reproductive health care, the Regulated Entity could, for example, use or disclose PHI to defend that person in a proceeding related to reproductive health care.
New Attestation Requirement
So how will a Regulated Entity know what a law enforcement or regulatory authority, or other third party, intends to do with requested reproductive health information? OCR has proposed a new written attestation requirement intended to document the third party’s intent. Specifically, an attestation is required when a third party is requesting reproductive health information for the following purposes:
- health oversight activities;
- judicial and administrative proceedings;
- law enforcement purposes; or
- disclosures about decedents to coroners and medical examiners.
The attestation could be written or electronic, must be in plain language, must not be combined with other documents (for example, a subpoena), and must meet other content requirements. In order to reduce administrative burden, OCR is considering a model attestation for Regulated Entities to use in developing their own forms.
Proposed New HIPAA Definitions
As part of the NPRM, OCR added some new definitions to the Privacy Rule. First, it clarified that a “person” for the purposes of the Privacy Rule does not include a fertilized egg, embryo, or fetus; rather, “person” means “a natural person (meaning a human being who is born alive).”
It also proposed to broadly define “reproductive health care” as “care, services, or supplies related to the reproductive health of the individual” including:
- contraception, including emergency contraception;
- pregnancy-related health care (which would include, but not be limited to, miscarriage management, molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, prenatal care, and similar or related care);
- fertility or infertility-related health care (which would include services such as assisted reproductive technology, as well as other care, services, or supplies used for the diagnosis and treatment of infertility); and
- other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system (which would include health care related to reproductive organs, regardless of whether the health care is related to an individual’s pregnancy or whether the individual is of reproductive age).
Updated Notice of Privacy Practices
Under the proposal, Regulated Entities would be required to add elements to their notices of privacy practices (NPPs) addressing the new requirements.
In strengthening privacy protections for reproductive health information, OCR seeks to insulate both patients and providers from the risk of their highly confidential and sensitive treatment communications being used against them. OCR is seeking comments on its approach under the NPRM, which are due 60 days after publication of the NPRM in the Federal Register. The NPRM is currently scheduled to be published on April 17, 2023, and comments would be due June 16, 2023. We will continue to monitor this rapidly evolving area of health care privacy law for any additional guidance from OCR and, if applicable, the release of finalized rules.