Earlier this year, we learned that the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) would propose changes to HIPAA to protect reproductive health information in the wake of the 2022 Dobbs v. Jackson Women’s Health Organization decision. Since learning about the impending proposal, many of us speculated on OCR’s likely approach.
We worried about regulations that could interfere with healthcare delivery. We worried about new and significant operational challenges. And most importantly, we worried about regulations that, in practice, were not likely to provide any additional privacy protections. Those worries all but vanished for me last week.
On April 12, 2023, OCR released the proposed changes in advance of the April 17, 2023 Federal Register publication.[i] OCR’s Notice of Proposed Rule Making (NPRM) is one of the best-written, well-reasoned and thoughtfully considered proposed rules I have ever read.
The agency considered all relevant issues, including operational burdens on healthcare providers, who have been left to shoulder the burden of protecting patients’ information after Dobbs.[ii] It also considered the true efficacy of the proposal as well as potential legal challenges. OCR laid out the reasons for its approach and the reasons it rejected other approaches. The NPRM is thorough and clear.
I take the time to emphasize my appreciation for the agency’s effort here because, more than ever, we need clear and effective rules to protect health privacy from the political circus. While the proposal presents some operational challenges for healthcare providers, I am certain that those can be overcome through the comment process.
Summary of the Proposed Changes
OCR proposes to create a new class of prohibited use or disclosure. It proposes to prohibit the use or disclosure of reproductive health information when it is to be used in a proceeding against or an investigation into any person or to identify any person in connection with lawful access to reproductive healthcare. For the protection of the patient, as proposed, such information cannot be used or disclosed for these purposes even if the patient signs an authorization.
To implement this prohibition, OCR proposes three definitional changes and several language tweaks to clarify that accessing lawful reproductive health care cannot be classified as abuse or harmful to the patient under the regulations. Further, OCR proposes to continue to allow disclosures for health oversight, judicial and administrative proceedings, law enforcement, and coroners and medical examiners, so long as the use of the information is not tied to lawful access to reproductive health care, and then only with an attestation by the requestor. The attestation must confirm that the use or disclosure is not for a prohibited purpose.
Overall, the changes are relatively straightforward and narrowly tailored to protect information related to lawful reproductive health services. OCR proposes revisions to four sections and the addition of one.[iii] These changes seek to protect not only the patient but also caregivers and healthcare providers.
The Proposed Changes in More Detail
OCR proposes to clarify the definition of “person” to explicitly state that a natural person is “a human being who is born alive.” This is to ensure that “person” cannot be interpreted to mean a fetus.
OCR proposes to add definitions for “reproductive health care” and “public health.” It proposes to define reproductive health care as “care, services, or supplies related to the reproductive health of the individual.” OCR did not provide an exhaustive list of such care or services, nor did it define reproductive health or other terms, because it did not believe it was necessary, although it asked for comments on the subject. As for “public health,” OCR’s proposed definition excludes investigations or proceedings related to obtaining, providing, or facilitating reproductive health care.
Addition of General Prohibition – Purpose-based Prohibition
HIPAA generally prohibits the use of genetic information for underwriting purposes and the sale of protected health information.[iv] OCR proposes to add a prohibition on the use or disclosure of reproductive health information for two specific purposes. First, uses or disclosures of such information would not be permitted where the use or disclosure is for a “criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive healthcare.” Second, the use or disclosure would not be permitted “to identify any person for the purpose of initiating” such an investigation or proceeding.
According to OCR, this approach is “consistent with the general approach and structure of the Privacy Rule, the proposed prohibition focuses on the purpose of the use or disclosure, rather than the type of PHI requested or the type of regulated entity that receives the use or disclosure request.”[v] After careful consideration, it opted not to pursue a blanket prohibition of the use of reproductive health information.[vi]
Like the prohibition on the use of genetic information for underwriting purposes, clear public policy supports the prohibition on the use or disclosure for the limited purposes outlined above. OCR emphasized the narrow applicability of the prohibition throughout its NPRM.
To ensure that there is no confusion on how to apply the proposed rule, OCR offers subsections on scope, a rule of applicability, and a rule of construction.[vii] The scope subsection provides a non-exhaustive list of examples of “seeking, obtaining, providing, or facilitating reproductive health care.”
The rule of applicability explains that the prohibition applies only when the provision of the reproductive healthcare at issue is lawful. Specifically, at least one of three possible conditions must exist with respect to the reproductive healthcare at issue: (1) it is provided outside of the state where the investigation or proceeding is authorized and is lawful in the state in which such health care is provided; (2) it is protected, required, or authorized by Federal law, regardless of the state in which such health care is provided (e.g., the Emergency Medical Treatment and Labor Act (EMTALA)); or (3) it is provided in the state in which the investigation or proceeding is authorized and is permitted by the law of that state.
Finally, the rule of construction proposes that to be prohibited, the use or disclosure must be “primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.” OCR wanted to ensure that the use of such information would be permitted in malpractice actions, health oversight investigations and the like. The “primary purpose” language is intended to address that concern.
Authorization Signed by the Patient
Like the prohibited use of genetic information for underwriting purposes, OCR proposes to apply the limited purpose prohibition of uses and disclosures of reproductive health information even if the patient signs a HIPAA-compliant authorization.[viii] OCR expressed concern that a patient may be coerced into signing an authorization.[ix]
I appreciate and share OCR’s concern about coercion. In practice, however, not allowing the use of the authorization likely will not stop coercion, as explained below. It will, however, create a significant operational burden on providers and it could conflict with state law.
First, OCR emphasizes that a patient retains their right to access their record at any time and that these proposed rules have no effect on that right.[x] If a patient can be coerced to sign an authorization, they similarly can be coerced to sign a letter requesting that copies of their records be sent to a third party. Such a request falls under the right of access rules, not the authorization rules.[xi]
Second, for many healthcare providers, a medical records department or individual acts on authorizations based on the validity of the document. In reality, it would be virtually impossible for medical records personnel to know with certainty whether the requested records are for a prohibited purpose. Most authorizations say something as limited as “for a legal proceeding” or “for an investigation.” To carry out the authorization rule as proposed, medical records clerks would need to play detective to investigate the purpose behind the authorization, which is unrealistic.
Finally, not allowing a patient to consent to the release through an authorization could conflict with recently passed state laws, like the one in Connecticut, which offers similar purpose-driven protections of reproductive health information unless the patient provides express written consent.[xii]
Clarifying Language Related to Abuse or Harm
In leaving no stone unturned, OCR flagged that current regulatory language could be misinterpreted. First, OCR pointed to a covered entity’s discretion to ignore a personal representative’s status if the covered entity reasonably believes that the patient could be harmed or endangered by recognizing such status.[xiii] This includes allowing the personal representative to make medical decisions related to reproductive health care for the patient.
To address this, OCR proposes clarifying language that indicates that such section does not apply when the covered entity’s primary basis for its belief is the personal representative’s involvement in the lawful reproductive health care of the patient at the patient’s request.[xiv]
Second, OCR addresses abuse reporting, which permits disclosures of PHI about victims of abuse, neglect or domestic violence under certain circumstances.[xv] In addition to grammatical changes, OCR proposes a rule of construction to clarify that providing or facilitating access to appropriate and lawful reproductive healthcare is not abuse, neglect, or domestic violence.[xvi]
Permissive Disclosures Requiring Attestation
In its most creative proposal, OCR introduces the concept of an attestation to continue to allow certain permitted disclosures, for example, in lawsuits or licensure investigations, that may be valid based on the purpose of the use or disclosure. One of the benefits of this provision is that it helps to keep healthcare providers from having to play the role of detective.
Here’s the proposal: for any use or disclosure of information potentially related to reproductive health care for health oversight activities, judicial and administrative proceedings, law enforcement or coroners and medical examiners, the requestor must provide an attestation.[xvii] That attestation must confirm that the information is not being requested for a prohibited purpose.
The attestation cannot be combined with any other document, and it must contain several specific elements. Covered entities can rely on a facially valid attestation unless the covered entity has actual knowledge that it is false, or it is not reasonable for the covered entity to rely on the attestation (the same standards that apply to authorizations).
OCR asks for comments on whether it should provide sample language, and I plan to submit a comment indicating that it would be helpful to do so. Additionally, I will suggest that OCR go one step further and create a universal attestation form with an explanatory cover page so that covered entities can direct requesting parties to such a form when a request is made without an attestation.
This is critically important because often requestors, including attorneys and courts unfamiliar with HIPAA, question the covered entity’s understanding of the rules. An OCR-approved form with a short explanation of the legal basis for the required use of the form would greatly reduce the burden on healthcare providers and staff. Further, it would streamline compliance.
Changes to the Notice of Privacy Practices
To complement its theme of ensuring trust and confidence in the healthcare system, OCR proposes two additions to the Notice of Privacy Practices (NPP) to ensure that patients understand the new protections. The NPP would have to contain a description and at least one example of: (1) the types of uses and disclosures related to reproductive health information that are prohibited; and (2) the types of uses and disclosures that require an attestation.[xviii]
Obligations on Healthcare Providers if Finalized
If the changes are finalized as proposed, healthcare providers will need to take the following steps to ensure compliance:
- create an attestation form and handle requests for disclosures for which an attestation is required (or implement a process for using an OCR-sanctioned template);
- revise business associate agreements for those business associates that will respond to requests for records on the covered entity’s behalf or that may maintain reproductive health information for the covered entity;
- update the Notice of Privacy Practices and post it online;
- develop new or modified policies and procedures; and
- revise training programs for workforce members.
As is standard for almost all proposed changes to HIPAA, any final rule will take effect 60 days after it is announced. Compliance will be required 180 days after the effective date (in other words, 240 days from the announced final rule).
Without mincing words, OCR made clear that state laws requiring disclosure of the type of information the proposed language seeks to protect would be preempted.
The Privacy Rule generally preempts contrary provisions of state laws. Thus, if this NPRM were to be finalized, provisions of state law that are contrary to these proposals would be preempted.[xix]
Preemption includes court orders or other types of legal process.[xx]
Hey, What About the Other Proposed Changes to HIPAA?
Currently, there are three pending sets of proposed changes to HIPAA’s Privacy Rule.[xxi] OCR issued the first in December of 2020, detailing a major overhaul of regulations tied to improving coordination of care (2020 Proposed Changes); the second in December 2022, related to substance use disorder treatment records (2022 Proposed Changes); and the third, the subject of this article, in April 2023 (2023 Proposed Changes).
It’s important to note that the HIPAA regulations permit modifications no more frequently than once every 12 months.[xxii] There is overlap between the proposed rules, which would result in changes to the same standards or implementation specifications. In fact, there is significant overlap between the 2020 and 2023 Proposed Changes, and all three include changes to the Notice of Privacy Practices.
Certainly, the 2023 Proposed Changes are the Biden administration’s highest priority. Having said that, they are only at the beginning of a lengthy rulemaking process. The process can take months or even years.
While I do not have a crystal ball, I suspect that OCR will hold off on issuing the final rule on the 2020 Proposed Changes and will prioritize its review of the comments on its most recent NPRM. I would not be surprised to see the 2023 Proposed Changes finalized this year. If that happens, OCR will have to wait at least 12 months to issue a final rule on the 2020 Proposed Changes, which I suspect may also include the 2022 Proposed Changes.
As noted above, these proposed changes are at the very beginning of their rulemaking journey. The comment period closes on June 16, 2023. I suspect OCR will receive thousands of comments. It could take months (or even years) to reach the next step; however, I believe we will see OCR move more quickly than normal given the current environment and the need for the proposed changes.
If you would like to submit comments to the proposed rule, you can do so at https://www.regulations.gov/ on or before June 16, 2023.
[i] 88 FR 23506 (Apr. 17, 2023). On-line PDF version: https://www.govinfo.gov/content/pkg/FR-2023-04-17/pdf/2023-07517.pdf.
[ii] Providers of Care and Defenders of Privacy: Strategies to Protect Patient Privacy After the Reversal of Roe v. Wade, Dena M. Castricone, https://dmclawllc.com/2022/07/25/providers-of-care-and-defenders-of-privacy/.
[iii] Proposed changes to existing regulations: 45 CFR §160.103 (definitions); §164.502 (general prohibitions); §164.512 (permissive disclosures); §164.520 (notice of privacy practices). Proposed new section: 45 CFR §164.509 (attestations).
[iv] 45 CFR §164.502(a)(5).
[v] 88 FR 23506, 23529.
[vi] “Enforcing such a blanket protection would require regulated entities to restrict the flow of this category of information, possibly disrupting existing health care delivery models. For example, implementing differing rules for a newly designated category of PHI would require costly updates to electronic record systems to allow for segmenting of certain data elements for extra protection and create barriers for care coordination. Providing routine treatments for conditions such as hormonal imbalances, miscarriage, pregnancy complications, or gynecological emergencies would be problematic for health care providers attempting to navigate a blanket prohibition against disclosure of the category of information related to reproductive health care. Thus, this proposal does not limit the prohibition to the use or disclosure of certain types of PHI or to PHI that is held or maintained by certain types of covered health care providers, such as a gynecologist or endocrinologist.” Id. at 23530.
[vii] Proposed addition at 45 CFR §164.502(a)(5)(iii).
[viii] Proposed change to 45 CFR §164.502(a)(5)(iv).
[ix] 88 FR 23506, 23528.
[x] Id. at 23533.
[xi] 45 CFR §164.524(c)(3)(ii).
[xiii] 45 CFR §164.502(g)(5).
[xiv] Proposed addition at 45 CFR §164.502(g)(5)(iii).
[xv] 45 CFR §164.512(c).
[xvi] Proposed addition at 45 CFR §164.512(c)(3).
[xvii] Proposed addition of 45 CFR §164.509.
[xviii] Proposed addition at 45 CFR §164.520(b)(1)(ii)(F) and (G).
[xix] 88 FR 23506, 23531.
[xx] Id. at 23532.
[xxi] 88 FR 23506 (Apr. 2023; reproductive health information; comment period ends June 16, 2023); 87 FR 74216 (Dec. 2022; substance use disorder changes; comment period ended Jan. 31, 2023); 86 FR 13683 (Dec. 2020; major HIPAA changes; comment period ended May 6, 2021).
[xxii] 45 CFR §160.104.