On April 17, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a notice of proposed rulemaking that would revise the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to bar certain uses and disclosures of protected health information (“PHI”) related to reproductive health care.  Specifically, the proposed rule (“Rule”) would amend the Privacy Rule to prohibit covered entities or business associates (collectively, “regulated entities”) from using or disclosing PHI for purposes of (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings.

The Rule appears to be designed to further President Biden’s executive order directing HHS to consider actions that would “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.”  President Biden issued the order in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.

Below, we provide a brief summary of the proposed changes and a timeline for commenting.

Key Provisions

Categories of prohibited uses and disclosures:  As discussed above, the Rule would prohibit a regulated entity from using or disclosing PHI if the use or disclosure is for (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings (“Prohibited Purposes”).

Of note, the Rule would apply only where reproductive health care is provided or sought lawfully. Specifically, this prohibition on use or disclosure would apply where:

  • (1) Reproductive health care is sought, obtained, provided, or facilitated lawfully in one state and an investigation arises in another state;
  • (2) Reproductive health care is protected, required, or expressly authorized by Federal law; or
  • (3) Reproductive health care is sought, obtained, provided, or facilitated lawfully in the same state as the investigation.   

This means that the Rule would apply where an individual obtained an abortion in a state where abortion is legal—even if the individual traveled from a state where abortion is not legal—or where an individual received care that is protected under the Emergency Medical Treatment and Labor Act (“EMTALA”) (i.e., care necessary to stabilize a patient).   

Attestations: The Rule would also require that a covered entity obtain a written attestation from a person requesting the use or disclosure of PHI potentially related to reproductive health care.  The attestation would be required to state that the use or disclosure is not for a Prohibited Purpose.  The Rule would also establish a number of other prescriptive requirements for this attestation, including that the attestation not be combined with another document.  An attestation would be required for requests in the context of health oversight activities, judicial and administrative proceedings, law enforcement proceedings, and disclosures to coroners and medical advisors.  For example, in order for a covered entity to disclose PHI to a coroner, the covered entity would need to (1) comply with HIPAA’s existing conditions for such a disclosure and (2) get an attestation from the coroner.  

Under the Rule, a covered entity may rely on an attestation only if it is objectively reasonable and does not contain material information that the covered entity knows to be false.  Further, unlike HIPAA’s existing authorization provision—which permits future uses and disclosures that are contemplated by an initial authorization—attestations would apply only to the specific use or disclosure.  Covered entities would need to obtain a new attestation for each future use or disclosure.  

Authorizations: The Rule would bar regulated entities from using or disclosing PHI for Prohibited Purposes even with an individual’s authorization.  This is similar to a current authorization exception, which bars a health plan from using or disclosing genetic information for underwriting purposes, even with an individual’s authorization. 

Notice of Privacy Practices: The Rule would require covered entities to update their Notices of Privacy Practices to describe the Prohibited Purposes and describe the types of uses and disclosures that require an attestation, including an example under both descriptions. 

Additional Clarifications and Definitions: The Rule would clarify certain provisions and add definitions.  For example, it would clarify that regulated entities may disclose PHI only pursuant to an administrative request “for which a response is required by law.”  (Previously, there had been some ambiguity around when a regulated entity had to comply with an administrative request.)  In addition, the Rule would define reproductive health care as “care, services, or supplies related to the reproductive health of the individual.”

What Doesn’t Change

The Rule would not prevent uses or disclosures of PHI that are permitted by other provisions of the Privacy Rule.  (Though, as noted above, certain disclosures may require an additional attestation.) 

HHS has emphasized that:

  • Covered health care providers would still be permitted to use or disclose PHI to defend themselves in an investigation or proceeding related to professional misconduct or negligence;
  • Regulated entities would still be permitted to use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care; and
  • Regulated entities would still be permitted to disclose PHI to a health oversight agency for health oversight activities, such as investigating whether reproductive health care was actually provided or appropriately billed.

In addition, individuals would retain the ability to direct a covered entity to transmit an electronic copy of their PHI to third parties, including law enforcement, regardless of their intended use of PHI.  HHS has expressed concerns that law enforcement or others could coerce individuals into exercising this right of access to get around the new Rule’s Prohibited Purposes. HHS nevertheless retained this right because it views the right of access as “paramount to an individual’s ability to make decisions regarding their own health care.”

Comment Period

Stakeholders interested in commenting on the Rule should submit their comments on or before June 16, 2023.

HHS has specifically sought comments on a number of topics, including:

  • Whether the proposed Prohibited Purposes appropriately limit harmful uses or disclosures while permitting beneficial ones;
  • Whether HHS should permit uses and disclosures for Prohibited Purposes where there is a valid authorization from the individual; and
  • Whether third parties might circumvent the Prohibited Purposes by coercing individuals to exercise their right to direct a covered entity to transmit to a third party an electronic copy of their PHI in an electronic health record.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Anna D. Kraus

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.

Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.

Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.

Anna’s clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.

Ariel Dukes

Ariel Dukes is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group.

Ariel counsels clients on data privacy, cybersecurity, and artificial intelligence. Her practice includes partnering with clients on compliance with comprehensive privacy laws, FTC and consumer protection laws and guidance, and laws governing the handling of health-related data. Additionally, Ariel routinely counsels clients on drafting and negotiating privacy terms with vendors and third parties, developing privacy notices and consent forms, and responding to regulatory inquiries regarding privacy and cybersecurity topics. Ariel also advises clients on trends in artificial intelligence regulations and helps design governance programs for the development and deployment of artificial intelligence technologies across a number of industries.

Olivia Vega

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and state privacy and data security laws and regulations, including on topics such as HIPAA, California’s Confidentiality of Medical Information Act, and the California Consumer Privacy Act. In addition, Olivia maintains an active pro bono practice.

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.