Skip to Main Content
Publications

Reproductive Privacy Rights: Changes Coming for Health Care Organizations

On April 17, 2023, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a Proposed Rule to support reproductive health care privacy in the Federal Register. Through the Proposed Rule, OCR seeks to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to create heightened privacy standards for reproductive health care records. If the proposed changes are put into effect, health care organizations will need to evaluate their practices surrounding, and interactions with, reproductive health care information including, (1) determining mechanisms by which they can determine the lawfulness of any reproductive health care for which they have protected health information (PHI) and, (2) developing an attestation of HIPAA compliance for those disclosures that OCR believes could be used to conduct proceedings against individuals for receiving, or other persons for providing or facilitating, lawful reproductive health care.

Following the U.S. Supreme Court's overruling of Roe v. Wade in Dobbs v. Jackson Women's Health Organization and subsequent state law abortion bans, OCR seeks to solidify specific protections for reproductive health care records by incorporating such protections into the HIPAA Privacy Rule directly. Recognizing the administrative burdens that creating a new category of PHI would create, OCR proposes to instead create a new purpose for which disclosures are prohibited and require an attestation of HIPAA compliance in circumstances where disclosure might violate this new prohibition.

These changes will require health care organizations (including both covered entities and business associates) to update their practices with regard to reproductive health care information. If the proposals are put in place, health care organizations would need to comply with the revisions 180 days after the issuance of the Final Rule.

Background

In reaction to the Dobbs decision and the related state law abortion bans, several agencies under the Biden administration have proposed changes that aim to protect access to abortions. Privacy rights under HIPAA were signaled early on as an avenue that the Biden administration would likely use to craft protections responsive to the state law abortion bans and related criminal penalties.

In June 2022, OCR issued guidance regarding the appropriate use of several permitted third-party disclosure categories that could be used to access PHI related to reproductive health, including medical records on any abortions. The guidance limited these types of disclosures to situations where a state law explicitly required a HIPAA-covered entity or business associate to report the information or where an enforceable court order accompanied the request. The Proposed Rule builds on this guidance to further develop HIPAA as a protective mechanism for reproductive health records.

Proposed Rule

Updated Definitions

Under the Proposed Rule, OCR would clarify several definitions under the HIPAA Privacy Rule and add a new definition for "reproductive health care." Specifically, OCR seeks to define:

  • A "person" and a "child" to exclude a fertilized egg, embryo, or fetus in line with the U.S. Code's Rules of Construction.
     
  • "Public health" surveillance, investigation, or intervention, which cannot be invalidated or limited by HIPAA, to exclude criminal, civil, or administrative investigations or proceedings based on whether a person sought, obtained, provided, or facilitated reproductive health care.
     
  • "Reproductive health care" as "care, services, or supplies related to the reproductive health of the individual," which shall be interpreted broadly regardless of whether provided by a health care provider or the location where services are provided.

OCR additionally clarifies that (i) the public health exceptions to non-disclosure of PHI for reporting disease or injury, birth, or death do not permit disclosure of PHI for purposes of investigating or punishing a person for seeking, obtaining, providing, or facilitating reproductive health care, and (ii) the non-disclosure exceptions permitted related to child abuse also do not encompass this conduct.

New Prohibited Disclosure Purpose

The Proposed Rule seeks to create a new category of prohibited uses and disclosures under 45 CFR 164.502 that prohibits a regulated entity from using or disclosing PHI where the PHI would be used for (i) a criminal, civil, or administrative investigation into or proceeding against any person in connection with "seeking, obtaining, providing, or facilitating" lawful reproductive health care, or (ii) identifying a person for such an investigation or proceeding. Lawful reproductive care contemplates both state law permissions and requirements under the Emergency Medical Treatment and Active Labor Act.

If this addition is made, it would preempt any state laws requiring such disclosure and would require regulated entities to not disclose such information even when required for purposes of a law enforcement investigation, or pursuant to a court order. However, this prohibited disclosure would not prevent regulated entities from using or disclosing such PHI in order to defend themselves in an investigation or proceeding related to professional misconduct or negligence where reproductive health care was involved.

Attestation Requirement for Certain Disclosures

A second significant modification to the law would be to create a requirement that regulated entities obtain assurances from a person requesting PHI via a signed and dated written statement attesting that the use or disclosure would not be for one of the new prohibited purposes. This attestation requirement would apply to (i) disclosures for health oversight activities, (ii) disclosures for judicial and administrative proceedings, (iii) disclosures for law enforcement purposes, and (iv) disclosures about decedents to coroners and medical examiners. The regulated entity would not be required to investigate the validity of an attestation but would need to determine that the request was objectively reasonable under the circumstances and cease disclosure if the entity developed reason to believe that the attestation was materially false.

This attestation could be in electronic format but must be clearly labeled and distinct from any other document. Currently, OCR anticipates that each use or disclosure request would require a new attestation. OCR is considering developing a model attestation that entities can use, but this has not yet been developed.

Additional Protections

Additional protections for reproductive health care that OCR proposes to put in place are:

  • Updates to the language in the HIPAA Privacy Rule allowing disclosures to personal representatives that prohibits a regulated entity from denying personal representative status primarily because that person provides reproductive health care for an individual.
     
  • Updated requirements for the Notice of Privacy Practices (NPP) requiring regulated entities to describe the two new prohibited uses and disclosures related to reproductive health care.

Implications for Health Care Organizations

If these changes are put in place, health care organizations – covered entities and, in many instances, business associates – will need to take several steps to update their practices. At a minimum, health care organizations will need to update their forms and disclosure procedures to determine when reproductive health care records qualify as lawful and ensure disclosures are not permitted for (i) criminal, civil, or administrative investigation into or proceeding against any person in connection with "seeking, obtaining, providing, or facilitating" lawful reproductive health care, or (ii) identifying a person for such an investigation or proceeding. Health care organizations will also need to either draft an attestation form or wait to see if OCR will release a model form. Regardless, the attestation would need to become part of the health care organization's procedures. Health care organizations will also need to update their NPP and other related policy documents to integrate these new disclosure requirements into their general HIPAA compliance program.

The effects of the Proposed Rule are limited to covered entities regulated by HIPAA. Reproductive health care data that is maintained by entities that are not regulated by HIPAA, such as consumer-directed applications, will not necessarily be protected from disclosure. However, direct-to-consumer product applications are still subject to regulation by the Federal Trade Commission (FTC), which issued guidance in 2022 recognizing the sensitive nature of any data relating to reproductive health and prioritizing enforcement actions against entities that share such data contrary to state law, federal law, or the entity's privacy policy.

Takeaway

While this Proposed Rule has not yet been finalized, the ramifications of the rule will require substantial revisions to health care organizations' practices. Health care organizations will only benefit from conducting an evaluation of what steps will be necessary to bring their HIPAA programs into compliance with the requirements of this rule so that future modifications will be easier to organize and implement. Interested parties can also submit comments on the Proposed Rule. OCR is accepting comments on the Proposed Rule until June 16, 2023.

If you have any questions about the proposed rule, please contact Alisa L. Chestler, Katherine Denney, or any member of the Baker Donelson Health Law team.

Subscribe to
Publications

Related Practices

Related Industry

Have Questions?
Let's Talk!

To discuss how this topic could affect
your company, click above to email us.

Email Disclaimer

NOTICE: The mailing of this email is not intended to create, and receipt of it does not constitute an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.
Cancel Accept