Reproductive Privacy Rights: Changes Coming for Healthcare Organizations

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a Proposed Rule on April 17 to support reproductive healthcare privacy in the Federal Register. Through the Proposed Rule, OCR seeks to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to create heightened privacy standards for reproductive healthcare records.

If the proposed changes are put into effect, healthcare organizations will need to evaluate their practices surrounding, and interactions with, reproductive healthcare information including:

• Determining mechanisms by which they can determine the lawfulness of any reproductive healthcare for which they have protected health information (PHI).
• Developing an attestation of HIPAA compliance for those disclosures that OCR believes could be used to conduct proceedings against individuals for receiving, or other persons for providing or facilitating, lawful reproductive healthcare.

Following the U.S. Supreme Court's overruling of Roe v. Wade in Dobbs v. Jackson Women's Health Organization and subsequent state law abortion bans, OCR seeks to solidify specific protections for reproductive healthcare records by incorporating such protections into the HIPAA Privacy Rule directly. Recognizing the administrative burdens that creating a new category of PHI would create, OCR proposes to instead create a new purpose for which disclosures are prohibited and require an attestation of HIPAA compliance in circumstances where disclosure might violate this new prohibition.

These changes will require healthcare organizations (including both covered entities and business associates) to update their practices with regard to reproductive healthcare information. If the proposals are put in place, healthcare organizations would need to comply with the revisions 180 days after the issuance of the Final Rule.

Background

In reaction to the Dobbs decision and the related state law abortion bans, several agencies under the Biden administration have proposed changes that aim to protect access to abortions. Privacy rights under HIPAA were signaled early on as an avenue that the Biden administration would likely use to craft protections responsive to the state law abortion bans and related criminal penalties.

In June 2022, OCR issued guidance regarding the appropriate use of several permitted third-party disclosure categories that could be used to access PHI related to reproductive health, including medical records on any abortions. The guidance limited these types of disclosures to situations where a state law explicitly required a HIPAA-covered entity or business associate to report the information or where an enforceable court order accompanied the request. The Proposed Rule builds on this guidance to further develop HIPAA as a protective mechanism for reproductive health records.

Proposed Rule - Updated Definitions

Under the Proposed Rule, OCR would clarify several definitions under the HIPAA Privacy Rule and add a new definition for "reproductive healthcare."

Specifically, OCR seeks to define:

• A "person" and a "child" to exclude a fertilized egg, embryo, or fetus in line with the U.S. Code's Rules of Construction.
• "Public health" surveillance, investigation, or intervention, which cannot be invalidated or limited by HIPAA, to exclude criminal, civil, or administrative investigations or proceedings based on whether a person sought, obtained, provided, or facilitated reproductive health care.
• "Reproductive health care" as "care, services, or supplies related to the reproductive health of the individual," which shall be interpreted broadly regardless of whether provided by a health care provider or the location where services are provided.

OCR additionally clarifies that (i) the public health exceptions to non-disclosure of PHI for reporting disease or injury, birth, or death do not permit disclosure of PHI for purposes of investigating or punishing a person for seeking, obtaining, providing, or facilitating reproductive healthcare, and (ii) the non-disclosure exceptions permitted related to child abuse also do not encompass this conduct.

New Prohibited Disclosure Purpose

The Proposed Rule seeks to create a new category of prohibited uses and disclosures under 45 CFR 164.502 that prohibits a regulated entity from using or disclosing PHI where the PHI would be used for (i) a criminal, civil, or administrative investigation into or proceeding against any person in connection with "seeking, obtaining, providing, or facilitating" lawful reproductive healthcare, or (ii) identifying a person for such an investigation or proceeding. Lawful reproductive care contemplates both state law permissions and requirements under the Emergency Medical Treatment and Active Labor Act.

If this addition is made, it would preempt any state laws requiring such disclosure and would require regulated entities to not disclose such information even when required for purposes of a law enforcement investigation, or pursuant to a court order. However, this prohibited disclosure would not prevent regulated entities from using or disclosing such PHI in order to defend themselves in an investigation or proceeding related to professional misconduct or negligence where reproductive healthcare was involved.

Attestation Requirement for Certain Disclosures

A second significant modification to the law would be to create a requirement that regulated entities obtain assurances from a person requesting PHI via a signed and dated written statement attesting that the use or disclosure would not be for one of the new prohibited purposes.

This attestation requirement would apply to (i) disclosures for health oversight activities, (ii) disclosures for judicial and administrative proceedings, (iii) disclosures for law enforcement purposes, and (iv) disclosures about decedents to coroners and medical examiners. The regulated entity would not be required to investigate the validity of an attestation but would need to determine that the request was objectively reasonable under the circumstances and cease disclosure if the entity developed reason to believe that the attestation was materially false.

This attestation could be in electronic format but must be clearly labeled and distinct from any other document. Currently, OCR anticipates that each use or disclosure request would require a new attestation. OCR is considering developing a model attestation that entities can use, but this has not yet been developed.

Additional Protections

Additional protections for reproductive health care that OCR proposes to put in place are:

• Updates to the language in the HIPAA Privacy Rule allowing disclosures to personal representatives that prohibits a regulated entity from denying personal representative status primarily because that person provides reproductive health care for an individual.
• Updated requirements for the Notice of Privacy Practices (NPP) requiring regulated entities to describe the two new prohibited uses and disclosures related to reproductive healthcare.

Implications for Healthcare Organizations

If these changes are put in place, healthcare organizations – covered entities and, in many instances, business associates – will need to take several steps to update their practices. At a minimum, healthcare organizations will need to update their forms and disclosure procedures to determine when reproductive healthcare records qualify as lawful and ensure disclosures are not permitted for (i) criminal, civil, or administrative investigation into or proceeding against any person in connection with "seeking, obtaining, providing, or facilitating" lawful reproductive health care, or (ii) identifying a person for such an investigation or proceeding.

Healthcare organizations will also need to either draft an attestation form or wait to see if OCR will release a model form. Regardless, the attestation would need to become part of the health care organization's procedures. Healthcare organizations will also need to update their NPP and other related policy documents to integrate these new disclosure requirements into their general HIPAA compliance program.

The effects of the Proposed Rule are limited to covered entities regulated by HIPAA. Reproductive healthcare data that is maintained by entities that are not regulated by HIPAA, such as consumer-directed applications, will not necessarily be protected from disclosure. However, direct-to-consumer product applications are still subject to regulation by the Federal Trade Commission (FTC), which issued guidance in 2022 recognizing the sensitive nature of any data relating to reproductive health and prioritizing enforcement actions against entities that share such data contrary to state law, federal law, or the entity's privacy policy.

Takeaway

While this Proposed Rule has not yet been finalized, the ramifications of the rule will require substantial revisions to healthcare organizations' practices. Healthcare organizations will only benefit from conducting an evaluation of what steps will be necessary to bring their HIPAA programs into compliance with the requirements of this rule so that future modifications will be easier to organize and implement. Interested parties can also submit comments on the Proposed Rule. OCR is accepting comments on the Proposed Rule until June 16, 2023.

Alisa L. Chestler is a shareholder in Baker Donelson’s Nashville, Tennessee, and Washington, D.C., offices and chair of the firm’s Data Protection, Privacy and Cybersecurity Team.

Katherine Denney is an associate in Baker Donelson's Nashville, Tennessee, office and a member of the Health Law Group.