To further protect the privacy of reproductive health care, on April 22, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a final rule modifying the HIPAA Privacy Rule (the Final Rule). The Final Rule is scheduled to be published in the Federal Register on April 26, 2024.
Background
Following the June 24, 2022, US Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (Dobbs), OCR issued a notice of proposed rulemaking (NPRM) on April 17, 2023, proposing to modify the HIPAA Privacy Rule to support the privacy of reproductive health care information (2023 NPRM). OCR expressed concern that the confidentiality of reproductive health information may be undermined by those who wish to use such information to initiate criminal, civil, and administrative investigations or proceedings. The 2023 NPRM was designed, in part, to prevent this information from being targeted and to continue to protect the confidentiality of this sensitive data.
In the preamble to the Final Rule, OCR reiterates the goals it previously described in the 2023 NPRM: to continue to protect patient privacy in order to promote trust between individuals and health care providers, and to support access to health care. OCR also raises concerns about the risk of incomplete medical records if patients are not fully transparent with their treating providers. Citing comments to the 2023 NPRM, as well as congressional feedback and OCR’s expertise in administering the HIPAA Privacy Rule, OCR seeks to modify the Privacy Rule to limit when an individual’s reproductive health protected health information (PHI) can be used or disclosed in a manner detrimental to the individual’s privacy, the privacy of another person, or a patient’s trust in their health care providers.
OCR describes how, following Dobbs and state laws enacted to restrict abortion access, health care providers may “feel compelled” by a law outside of HIPAA to disclose PHI to law enforcement or other individuals who may use that information against a patient or someone who provided or facilitated reproductive health care, even in scenarios when the patient lawfully obtained health care services. OCR also discusses how this is a nationwide issue that is not limited to states restricting reproductive health care, as patients travel outside their home state for care, and information may be shared across state lines.
Modifications to the Privacy Rule
Purpose-based Prohibition
In the Final Rule, OCR is adopting its “purpose-based prohibition” on certain uses and disclosures of PHI related to reproductive health care. The Final Rule prohibits covered entities and business associates from using or disclosing PHI for any of the activities described below:
- To conduct a criminal, civil, or administrative investigation into a person, or to impose civil, criminal, or administrative liability on any person, for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
- To identify any person for any purpose described in the first bullet above.
These activities are referred to herein as the “Prohibited Purposes.”
Rule of Applicability
Although OCR decided not to finalize its proposed “Rule of Construction,” the Final Rule adopts a “Rule of Applicability” that is slightly modified from what was proposed in the 2023 NPRM. The Rule of Applicability clarifies that the prohibition outlined above applies only when the relevant activity is connected with a person seeking, obtaining, providing, or facilitating reproductive health care, and the HIPAA-regulated entity that receives the request for PHI has reasonably determined that one of three conditions exists:
- The reproductive health care is lawful under the law of the state in which the care is provided and under the circumstances in which it is provided. This first condition combines two conditions that were listed separately in the NPRM.
- The reproductive health care is protected, required, or authorized under federal law, including the US Constitution, under the circumstances provided, regardless of the state in which care is provided. Modifying the NPRM’s proposal, this language specifically references care protected by the Constitution.
- The scenario is one where the Final Rule’s “presumption” applies, as discussed below.
Because commenters raised concerns about how health care providers would determine whether requested PHI concerns reproductive health care that was lawful under the circumstances in which it was provided, the Final Rule includes a presumption: the reproductive health care at issue in a request is presumed to be lawful under the circumstances in which it was provided, when the care was provided by a person other than the entity receiving the request for PHI. The presumption can be overcome if the entity receiving the request for PHI has either (i) actual knowledge that the care was not lawful under the circumstances, or (ii) “factual information” supplied by the requestor that demonstrates a “substantial factual basis” that the care was not lawful under the circumstances in which it was provided.
In the preamble, OCR is clear that, once effective, these new regulations will produce scenarios in which a HIPAA-regulated entity would be permitted under the current Privacy Rule to disclose PHI, but will now be prohibited from doing so because the request implicates a Prohibited Purpose and the reproductive health care was lawfully provided. OCR also acknowledges the likelihood of scenarios in which a health care provider and a requestor disagree on whether the reproductive health care was lawfully provided. The topics governed by these regulations, and many of the examples OCR describes, involve challenging circumstances for the entity being asked to use or disclose PHI. HIPAA-regulated entities will be well served to arm their workforce with as much information as possible on how to respond to requests involving reproductive health care information, including when such requests must be accompanied by an attestation from the requestor.
Attestation
To address the challenge facing a HIPAA-regulated entity in determining whether a PHI request is for a permissible purpose or a Prohibited Purpose, OCR adopts a modified version of the attestation requirement it proposed in the 2023 NPRM. Clarifying that this applies to business associates as well, the Final Rule provides that HIPAA-regulated entities may not use or disclose PHI potentially related to reproductive health care for (i) health oversight activities, (ii) judicial and administrative proceedings, (iii) law enforcement purposes, or (iv) to coroners and medical examiners (related to decedents), without obtaining a valid attestation from the requestor.
OCR outlines the requirements for a valid attestation, which include, among others, a clear statement that the use or disclosure is not for a Prohibited Purpose and a statement that a person may be subject to criminal penalties for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA. As with other HIPAA forms, the attestation must be written in plain language. Consistent with its approach to most HIPAA authorizations, OCR provides that the attestation may not be combined with any other document (while acknowledging that additional supporting documentation may be provided).
OCR cautions that a covered entity or business associate is not in compliance with HIPAA if it relies on a defective attestation. The Final Rule provides several examples of defective attestations. Notably, an attestation is defective if the document contains an element or statement that is not required by the Final Rule; OCR clarifies that covered entities and business associates may not require that additional data be added to the attestation over and above what the amended Privacy Rule requires. Along the same lines, workforce members of a HIPAA-regulated entity must carefully review attestations to confirm that the content complies with the Privacy Rule requirements.
An attestation also is defective if the HIPAA-regulated entity has actual knowledge that “material information” in the attestation is false, and when a “reasonable” covered entity or business associate in the same position would not believe that the attestation is true with respect to the statement that the use or disclosure is not for a Prohibited Purpose. Addressing questions as to when it would be reasonable for a HIPAA-regulated entity to rely on an attestation, OCR explains in the preamble that, if the attestation satisfies the regulatory requirements, the entity must consider the “totality of the circumstances surrounding the attestation.” An entity should consider who is requesting the use or disclosure of PHI; the permission upon which the requestor relies; the information provided to satisfy the other conditions of the relevant permission; the PHI requested and its relationship to the request’s purpose, such as whether it complies with the minimum necessary standard; and, where the regulatory presumption discussed above applies, whether the requestor provides information to overcome that presumption. As an example, OCR notes that it may not be reasonable to rely on an attestation submitted by a public official if that official has publicly stated an interest in investigating the physician or patient whose information is requested.
OCR notes in the preamble that it intends to publish a model attestation form before the Final Rule’s compliance date (described below), but clarifies that an attestation that meets the Privacy Rule requirements, whether electronic or hard copy, is compliant even if it does not take the form promulgated by OCR.
Notice of Privacy Practices
Both the 2022 NPRM for the Confidentiality of Substance Use Disorder Patient Records and the 2023 NPRM governing the privacy of reproductive health care information proposed changes to the HIPAA Privacy Rule requirements for Notices of Privacy Practices (NPP). The Part 2 final rule, published on February 16, 2024, reserved the Part 2-related modifications to the NPP to this Final Rule. HIPAA covered entities are required to update their NPPs to address the following:
- OCR modified the NPP requirement that a covered entity describe how uses and disclosures of PHI for treatment, payment, and health care operations, or without an authorization, are prohibited or materially limited by “other applicable law.” The Final Rule clarifies that these other laws include Part 2, so the NPP should reflect any Part 2 limitations. OCR made the same change to the requirement that the NPP contain sufficient detail to place the individual on notice of uses and disclosures permitted or required by HIPAA or other laws, including Part 2.
- The NPP must describe in sufficient detail, including by use of an example, the types of uses and disclosures that are not permitted due to their Prohibited Purpose, consistent with the requirements of the Final Rule.
- The NPP must describe, including by use of an example, the types of uses and disclosures for which an attestation is required, as discussed above.
- The NPP also must include a statement notifying an individual that PHI disclosed pursuant to the Privacy Rule may be redisclosed and no longer protected by the Privacy Rule.
- If the covered entity maintains Part 2 records, the Final Rule also requires that the NPP describe that a Part 2 record, or testimony relaying the content of a Part 2 record, may not be used or disclosed in a civil, criminal, administrative, or legislative proceeding against the individual without either the individual’s written consent or a court order after the individual is provided notice and an opportunity to be heard. The NPP must describe that a court order authorizing this use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure prior to the record being used or disclosed.
- Again with respect to Part 2 records, the NPP must provide a “clear and conspicuous” opportunity for an individual to elect not to receive fundraising communications if the covered entity intends to use Part 2 records for fundraising purposes.
The Final Rule also clarifies that covered entities that create or maintain Part 2 records and that participate in an organized health care arrangement may not, through the use of a joint NPP, remove any of their obligations or duties with respect to Part 2 records, or remove any of the rights of patients who are the subjects of Part 2 records.
Reporting Abuse, Neglect, or Domestic Violence
The Final Rule adds a clarification to OCR’s proposal in the 2023 NPRM, which stated that providing or facilitating access to reproductive health care, provided in a lawful manner, is not abuse, neglect, or domestic violence. In the Final Rule, OCR provides that the “sole basis” of a report of abuse, neglect, or domestic violence cannot be providing or facilitating access to lawful reproductive care. OCR notes that facilitating access may be one element causing a provider to submit such a report.
Responding to Law Enforcement Administrative Requests
Based on OCR’s awareness, through comments, a congressional inquiry, and otherwise, that HIPAA-regulated entities were misinterpreting the Privacy Rule provision regarding permissible disclosures following receipt of administrative requests from law enforcement, OCR adopts a language change to clarify that disclosures are permissible following administrative requests “for which a response is required by law.” This applies to disclosures of all PHI, not just PHI related to reproductive health care.
Recognition of Personal Representative
OCR clarifies that a covered entity may not deny personal representative status to a person based on a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by that person, or that the individual would be endangered, if the basis for this belief is that person’s provision or facilitation of reproductive health care for the individual at the individual’s request. For example, a hospital is not permitted to determine that a patient’s mother is not the patient’s personal representative because the mother sought reproductive health care for the patient at the patient’s request.
Disclosures Pursuant to Individual’s Authorization
OCR walked back its proposal to prohibit a HIPAA-regulated entity from using or disclosing reproductive health care PHI when an individual authorizes such use or disclosure. In the 2023 NPRM, OCR expressed concern that an individual may be coerced, by law enforcement or otherwise, to execute an authorization that would circumvent the Prohibited Purposes. OCR describes how commenters raised concerns regarding state laws which permit disclosures with the patient’s authorization, as well as the burden on health care providers to determine whether an authorization is valid. Going forward, OCR committed to monitoring complaints and questions on this issue in an attempt to determine whether individuals experience harm based on authorized disclosures of PHI in this context.
Applicability to Health Plans and Business Associates
Although the requirements of the Final Rule are likely to apply predominantly to health care providers, the Final Rule further clarifies that the prohibition on the use and disclosure of reproductive health care information discussed herein applies to health plans as well. OCR adds examples of what it considers to be seeking, obtaining, providing, or facilitating reproductive health care, including administering, authorizing, approving, and providing coverage for reproductive health care, many of which are typical activities of health plans.
Similarly, although much of the Final Rule preamble analyzes scenarios whereby a HIPAA covered entity is responding to a request for PHI, OCR is clear that the Final Rule applies to HIPAA business associates as well. It includes an example of a law enforcement agency requesting PHI from a health care provider’s business associate related to an investigation into the provider’s care. Business associates should ensure that they also are implementing processes to comply with the Final Rule’s requirements, and covered entities should consider whether to engage in outreach with their business associates on these new regulations.
Definitions
The Final Rule updates the definition of “person” in the HIPAA regulations to clarify that a “natural person” is a “human being who is born alive.” This provides clarity to a covered entity regarding when it may need to disclose PHI to report a person’s death, for example.
OCR also adds a definition of “public health,” slightly modifying what it proposed in the 2023 NPRM. As part of OCR’s desire to maintain a “clear distinction” between investigations of public health issues and criminal investigations, the definition clarifies that public health surveillance, investigation, and intervention refer to “population-level activities to prevent disease in and promote the health of populations,” offering several examples.
Finally, the Final Rule adds a definition of “reproductive health care,” which also is slightly modified from the 2023 NPRM. Consistent with the Privacy Rule’s definition of “health care,” OCR takes a broad approach, defining the term to mean health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”
Enforcement
In its preamble to the Final Rule, OCR states that a person, including a HIPAA-regulated entity or a person requesting PHI, who knowingly obtains or discloses individually identifiable health information in violation of the HIPAA regulations could be subject to criminal liability, which would include a person who falsifies an attestation. OCR also reminds covered entities and business associates that disclosing PHI without obtaining a valid attestation when one is required could result in the imposition of civil penalties.
Effective and compliance dates
The Final Rule takes effect 60 days after publication in the Federal Register. HIPAA-regulated entities need to comply with the requirements of the Final Rule 240 days after publication in the Federal Register, with the exception of the provisions described above requiring modification of a covered entity’s NPP. The Final Rule requirements for NPPs, as well as NPP updates based on the Part 2 final rule, require compliance by February 16, 2026.
Challenges for covered entities and business associates
The Final Rule and the OCR preamble make it clear that the restrictions on the use and disclosure of PHI do not prevent all uses and disclosures of reproductive health care information, only those with a Prohibited Purpose, subject to the Rule of Applicability. Covered entities and business associates now face the challenge of implementing these new requirements and training their workforce members on how to analyze and respond to requests for reproductive health care information. In the preamble, OCR commits to providing HIPAA-regulated entities with additional resources as they prepare to comply with the Final Rule.