August 10, 2023

HHS OCR Proposes Changes to HIPAA to Support Reproductive Health Care Privacy

On April 17, 2023, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking to modify the Standards for Privacy for Individually Identifiable Health Information (the “Privacy Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”).[1] The proposed rule would modify existing standards that permit uses and disclosures of protected health information (“PHI”) relating to reproductive health care that may be detrimental to individuals seeking care and may restrict access to such lawful care (the “Proposed Rule”). The full text of HHS’s Notice of Proposed Rulemaking can be found here.

The Proposed Rule was open for comment for 60 days, ending June 16, 2023, and received nearly 9,000 comments. Of the publicly published comments from individuals and organizations, the overwhelming majority support increased protections for reproductive health information. If the Proposed Rule is finalized, it will become effective 60 days after publication of the final rule, requiring regulated entities to comply 180 days after publication of the final rule.

The Privacy Rule currently in force protects the privacy of PHI and limits certain disclosures and uses of PHI. Under HIPAA, health care providers, health plans, health care clearinghouses, and their business associates (collectively, Regulated Entities) may not use or disclose a patient’s PHI without the patient’s authorization, except for treatment, payment, or health care operations, or pursuant to certain limited exceptions such as where disclosure is required by law, including pursuant to a court-ordered warrant, subpoena, summons, grand jury subpoena, or administrative request.

In the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (Dobbs) on June 24, 2022, the White House called for increased protections for patients’ privacy, safety, and security with respect to reproductive health care and reproductive health information.[2] In response, the OCR now seeks to amend the Privacy Rule to strengthen protections for reproductive health information on behalf of patients seeking lawful reproductive care and of health care professionals providing such care.

The proposed modification to the Privacy Rule under HIPAA would add, in part, a prohibition on the disclosure of reproductive PHI held by Regulated Entities “[w]here the use or disclosure is for a criminal, civil, or administrative investigation into a proceeding against any person in connection with seeking, obtaining, providing, or facilitating [lawful] reproductive health care.”[3]

The Proposed Rule also expands the definition of “health care” to include “reproductive health care.” HIPAA currently defines health care as “care, services, or supplies related to the health of an individual.” The Proposed Rule adds reproductive health care as a subcategory of health care to include “care, services, or supplies related to the reproductive health of the individual,” applying broadly to care, services, and supplies provided by a health care provider, including prescription medications, as well as those provided by other persons and nonprescription care, services, and supplies purchased in connection with an individual’s reproductive health.[4] Reproductive health care includes, but is not limited to, prenatal care, abortion, miscarriage management, infertility treatment, contraceptive use, and treatment for reproductive-related conditions such as ovarian cancer.[5] The preamble to the Proposed Rule also specifies that other care, services, and supplies related to reproductive organs, regardless of whether the individual is pregnant or of reproductive age, are sufficiently related to the reproductive health of an individual to be included in the definition.[6]

In practice, if the Proposed Rule were to go into effect, a Regulated Entity’s reproductive health care records would be protected from use or disclosure if such use or disclosure were sought for the purpose of a criminal, civil, or administrative investigation or proceeding against an individual seeking care, a Regulated Entity, or any other individual otherwise relating to the provision of lawful reproductive health care (a Prohibited Purpose) – regardless of the individual’s home state, the location of the Regulated Entity or other involved persons, or the laws of such states. The Proposed Rule specifically states that it would apply to protect the records of a patient who travels to a state where certain reproductive health care services are legal but may be investigated by another state (presumably the patient’s home state to which the patient returns after receiving reproductive health care).

Under the Proposed Rule, if a Regulated Entity receives a request to disclose PHI related to reproductive health care, the requesting party would be required to attest that the primary purpose for requesting the PHI is not for a Prohibited Purpose. That attestation must include: (1) a specific description of the information requested that identifies the information; (2) a specific identification of who is requested to make the disclosure and to whom; (3) a clear statement that the use or disclosure is not for a prohibited purpose under the Proposed Rule; and (4) the signature of the person requesting the information. In the event that a Regulated Entity discovers that the attestation contains material misrepresentations, the Regulated Entity must cease disclosure of such information to the requesting party.

To clarify the meaning of lawful reproductive care, given the current discrepancies among state laws regarding such care, the Proposed Rule contemplates three circumstances that constitute the provision of lawful reproductive health care:[7]

1. Traveling across state lines – reproductive health care that is sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized. For example, a resident of one state may travel to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such care was provided.

Of note, in the preamble to the Proposed Rule, HHS asserts that “under the Constitution, an individual cannot be barred from traveling from one state to another to obtain reproductive health care.” With this statement, HHS clarifies its stance that legal reproductive care includes care provided in any state where that care is legal, regardless of where the patient travels from to seek that care. For clinics providing reproductive health care, this provides support for the position that the clinic must comply only with the laws of the state in which the clinic is located with respect to the care they provide and need not practice in accordance with the laws of a patient’s state, if different.

2. Federally protected health care – reproductive health care that is protected, required, or expressly authorized by federal law, regardless of the state in which such health care is provided.

The Proposed Rule emphasizes the legality of certain reproductive care at the federal level, records of which would also be protected. For example, reproductive health care such as miscarriage management may be required under the Emergency Medical Treatment and Labor Act (“EMTALA”) to stabilize the health of a pregnant individual.

The White House confirmed that EMTALA preempts state-level restrictions on abortion care.[8] In a letter to health care providers, HHS Secretary Xavier Becerra emphasized that EMTALA “protects your clinical judgment and the action that you take to provide stabilizing medical treatment to your pregnant patients, regardless of the restrictions in the state where you practice.”[9] Any Regulated Entity providing reproductive health care for patients in the above-described circumstances would be permitted to limit disclosure of related PHI for a Prohibited Purpose, regardless of whether the Regulated Entity was located in a state that restricted such care.

3. Legal in-state health care – reproductive health care that is provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such health care is provided. For example, a resident of a state receives reproductive health care, such as a pregnancy test or treatment for an ectopic pregnancy, in the resident’s state of residence, and that reproductive health care is lawful in that state. So long as the care provided is legal in the state where it is provided, the Regulated Entity’s records associated with such care would be protected from disclosure for use for any Prohibited Purpose.

Whether in connection with the Proposed Rule or otherwise, these three circumstances provide a useful framework for providers when considering whether care is legally permitted, particularly in today’s landscape of differing and rapidly changing state laws.

Finally, HHS emphasizes that the broad purpose of HIPAA is to “ensure that individuals do not forgo lawful health care when needed – or withhold important information from their health care providers that may affect the quality of health care they receive – out of fear that their sensitive information would be revealed outside of their relationship with their health care provider,” and affirms the importance of protecting “trust between individuals and health care providers.”[10] In the wake of the Dobbs decision, HHS identifies that circumstances now exist, which had not previously, such that the prospect of disclosure of highly sensitive PHI relating to reproductive health care to be used against a person or Regulated Entity has increased. Given this change in circumstances, HHS proposed modifications to the Privacy Rule to avoid a chilling effect on “access to lawful health care and full communication between individuals and their health care providers,” which could undermine the quality of health care provided and public health overall. In doing so, the Proposed Rule would protect Regulated Entities offering lawful reproductive health care and help patients maintain access to high-quality, lawful health care.

As rulemaking develops in this area, Regulated Entities offering reproductive care should consult with legal counsel to determine how state- and federal-level reproductive health laws may affect their businesses and to ensure that their PHI disclosures are compliant with applicable laws.

Read Goodwin’s previous insights for more information on how the recent changes to abortion laws may affect fertility clinics and technology companies.

[1] 88 Fed. Reg. 23,506.

[2] Executive Orders 14076.

[3] 88 Fed. Reg. 23,506.

[4] 88 Fed. Reg. at 23,527.

[5] U.S. Department of Health and Human Services, “HHS Proposes Measures to Bolster Patient-Provider Confidentiality Around Reproductive Health Care” (Apr. 12, 2023).

[6] 88 Fed. Reg. at 23,527.

[7] Proposed Rule 45 C.F.R. § 164.502(a)(5)(iii)(C); 88 Fed. Reg. at 23,531; Privacy Fact Sheet.

[8] Executive Orders 14076; 14079.

[9] Secretary of Health and Human Services, “Letter to Health Care Professionals” (Jul. 11, 2022).

[10] S88 Fed. Reg. at 23,509.