The Final Rule: Protection of Reproductive Health Information under HIPAA

On April 26, 2024, just one year after issuing its proposed rule, the Department of Health and Human Services (HHS) finalized changes to the HIPAA Privacy Rule on the protection of reproductive health information (Final Rule).  In 91 pages of tiny font in the Federal Register, HHS addressed the 25,000 comments it received and ultimately adopted a new prohibited use of protected health information (PHI) related to reproductive health information.  While the Final Rule takes effect on June 25, 2024, covered entities and business associates have until December 23, 2024 to comply.

Background

After Dobbs v. Jackson Women’s Health Organization, which overturned the constitutional right to an abortion, several states adopted laws prohibiting certain reproductive health care and imposing civil or criminal liability on patients, providers and those who assist with accessing such care.  Many feared that those laws would result in attempts to gain access to lawful reproductive health information that would then be used in investigations or to pursue liability.  HHS expressed concern that this vulnerability of reproductive health information could “chill an individual’s willingness to seek lawful health care treatment . . . and [] the willingness of health care providers to provide such care.”[i]

Ten months after the US Supreme Court’s Dobbs decision, HHS issued a proposed rule on April 17, 2023 seeking to protect reproductive health information (Proposed Rule).  One year later, HHS issued its Final Rule, which is incredibly speedy for federal agency rulemaking.[ii]

I.   Protection of Reproductive Health Information

In summary, HHS finalized its proposal to create a new class of prohibited uses or disclosures.  HIPAA now prohibits the use or disclosure of reproductive health information for investigating or legally pursuing individuals who seek, provide, or assist in lawful reproductive healthcare or for identifying such individuals.

To do this, HHS weaves the threads of the new prohibited purpose into HIPAA’s fabric with a handful of targeted regulatory changes highlighted below.

A.   Changes to Key Definitions

HHS finalized the proposed clarification to the definition of “person” to explicitly state that a natural person is “a human being who is born alive” and revised the two new proposed definitions.

It revised the definition of “public health” to make clear the types of activities that constitute public health activities and to specifically exclude investigations or proceedings related to accessing lawful healthcare.[iii]  HHS extensively explained that public health surveillance was unrelated to investigations into or actions against someone for the mere act of seeking healthcare.[iv]

HHS also revised the proposed definition of “reproductive health care” to emphasize its breadth.  Many commenters sought a concrete list of care and services that qualify as reproductive health care.  While HHS refused to provide an exhaustive list, it pointed to the Proposed Rule’s preamble, which provided a non-exhaustive list: contraception, including emergency contraception; pregnancy-related health care; fertility or infertility-related health care; and other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system.[v]

B.   New Purpose-based Prohibition

Prior to the Final Rule, HIPAA only specifically prohibited the use or disclosure of two categories of information:  the use of genetic information for underwriting purposes and the sale of protected health information.[vi]  There is now a third category:  the use or disclosure of reproductive health information under the following specific circumstances:[vii]

  1. to conduct an investigation into any person for the mere act of seeking, obtaining, providing or facilitating lawful reproductive healthcare;
  2. to impose criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating lawful reproductive healthcare; and
  3. to identify any person for any purpose described in (1) or (2).

Notably, this new prohibition applies only if the healthcare at issue is lawful.[viii]  And it would not apply where a person requesting PHI identifies a legal basis for the request,[ix] such as a request by the Inspector General for information related to a Medicare or Medicaid audit.[x]

HHS provided the following revised examples of “seeking, obtaining, providing or facilitating reproductive health care”:

expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.[xi]

Importantly, HHS notes that the prohibition would preempt conflicting state laws, including where a disclosure is sought in response to a court order or other type of legal process for a purpose prohibited under the Final Rule.[xii]

C.   Authorization Signed by the Patient

HHS did not finalize the proposed change that would have disallowed the use or disclosure of reproductive health information for a prohibited purpose even with a valid authorization from the patient.  Many commenters, including DMC Law, explained to HHS that disallowing a disclosure made with a valid authorization would not provide additional protection because right of access rules still permit access, would increase the burden on providers, and could conflict with state laws.  HHS acknowledged and agreed.[xiii]

D.   Permissive Disclosures Requiring an Attestation

HHS finalized its proposal that requires an attestation from the requesting individual when the requested PHI potentially relates to reproductive health care and falls under the Privacy Rule’s permissive disclosures that are more likely to involve a prohibited purpose. Specifically, an attestation would be required for any use or disclosure of information potentially related to reproductive health care for health oversight activities (45 CFR §164.512(d)), judicial and administrative proceedings (45 CFR §164.512(e)), law enforcement (45 CFR §164.512(f)) or coroners and medical examiners (45 CFR §164.512(g)(1)).[xiv]

To be clear, to disclose reproductive health information under 45 CFR §§ 164.512(d)-(g)(1), there must be a valid attestation AND all of the other requirements under those provisions must be met to permit the disclosure.

HHS intends to publish a model attestation, which many providers may find helpful.  But nothing prevents providers from creating their own attestation forms.

Attestation Form Requirements

To be valid, an attestation must be in plain language and limited to the specific use or disclosure at hand, can be electronic, and must:

  • Not be combined with other forms (although it may include documentation in support of the attestation);[xv]
  • Be clearly labeled and completed in its entirety;[xvi]
  • Contain the following and no additional elements or statements:
    • A description of the information requested;
    • The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure.
    • The name or other specific identification of the person(s), or class of persons, to whom the covered entity is to make the requested use or disclosure.
    • A clear statement that the use or disclosure is not for a purpose prohibited under § 502(a)(5)(iii).
    • A statement that a person may be subject to criminal penalties under HIPAA for violations.
    • Signature of the person requesting the protected health information, which may be an electronic signature, and date.
  • The covered entity or business associate receiving the attestation must not have any actual knowledge that material information in the attestation is false and must reasonably believe that the information in the attestation is true.[xvii]

E.  Keys to Implementing New Requirements

Of particular significance is that the Final Rule adds requirements to permissive disclosures.  It does not create any new obligations to disclose.  Prior to the Final Rule, in most instances, covered entities and business associates had the option not to disclose information requested by third parties under HIPAA.  The Final Rule now requires additional hurdles prior to a permissive disclosure when reproductive health information could be at risk.

Any request for PHI that is accompanied by a valid authorization from the patient or that is for treatment, payment or healthcare operations under HIPAA is not for a prohibited purpose.  This should cover most requests for PHI that organizations receive.  It’s all the other “requests,” which can include letters from state agencies, requests from law enforcement, and subpoenas, that require extra scrutiny.

Providers will need to establish a workflow to meet these requirements.  That workflow may be different for different types of practices (e.g., OB/GYN practices will have a different workflow than a pediatric practice).

II.   Changes to the Notice of Privacy Practices (NPP)

HHS finalized the changes to the NPP requirements in the Proposed Rule[xviii] as well as those required by the CARES Act related to substance use disorder treatment information under 42 CFR Part 2.  This Final Rule does not address the NPP proposals in the 2021 proposed HIPAA changes.  HHS likely will address those in a separate final rule.

To align compliance with the recent changes to 42 CFR Part 2 for a similarly required patient notice, HHS set the compliance date for the NPP changes to February 16, 2026.  We will address the specific NPP changes in a future article.

III.   Timing of Other HIPAA Changes

Given the overlap of the sections undergoing changes for the protection of reproductive health information, many of the proposed changes to HIPAA in the 2021 proposed rule cannot be finalized until at least 12 months after the effective date of the most recent changes.[xix]

I anticipate that we will see a final rule for the 2021 proposed changes to HIPAA between April 26, 2025 (12 months from the Final Rule) and June 21, 2025 (this would make the compliance date February 16, 2026, which would align with the NPP changes).

IV.   HIPAA Helpline Webinar

DMC Law will host a HIPAA Helpline webinar on June 18th at 1pm to address key considerations in operationalizing these new requirements.  Register here.

 

[i]           89 FR 32976, 32978.

[ii]           By way of comparison, HHS released proposed changes to the HIPAA Privacy Rule for coordination of care in January 2021, which received fewer than 1,500 comments, and HHS has yet to issue a final rule.  Also, there were three years between the proposed and final rules for HIPAA’s 2013 omnibus changes.

[iii]          45 CFR §160.103 (Eff. June 25, 2024).

[iv]          89 FR 32976, 32997-33004.

[v]           89 FR 32976, 33005.

[vi]          45 CFR §164.502(a)(5) (Eff. June 25, 2024).

[vii]         45 CFR §164.502(a)(5)(iii)(A) (Eff. June 25, 2024).

[viii]         45 CFR §164.502(a)(5)(iii)(B) (Eff. June 25, 2024).  45 CFR §164.502(a)(5)(iii)(C) and 89 FR at 33013-33015 address the determination of lawfulness.

[ix]          89 FR at 33012.

[x]           89 FR at 33013.

[xi]          Id.

[xii]         89 FR at 33000 (“state laws requiring the use or disclosure of PHI for the purpose of investigating or imposing liability on a person for the mere act of seeking, obtaining, providing, or facilitating health care, or identifying a person for such activities, are subject to HIPAA’s general preemption provision”).

[xiii]         89 FR at 33008 (“And while we remain concerned about the potential for coercion or attempted coercion, even if the Department were to finalize the proposed limitation on uses and disclosures with an authorization, the individual would retain the individual access right to direct, which is enshrined in statute. We also believe it would be inconsistent with the spirit of individual access right to direct for the Department to limit the ability of an individual to authorize a regulated entity to disclose their PHI to another person.”)

[xiv]         45 CFR §164.509(a) (Eff. June 25, 2024).

[xv]          45 CFR §164.509(b)(3) (Eff. June 25, 2024); 89 FR at 33030.

[xvi]         89 FR at 33030.

[xvii]        45 CFR §164.509(b)(1)(iv) and (v) (Eff. June 25, 2024).

[xviii]       Related to the Final Rule, the NPP must contain a description and at least one example of: (1) the types of uses and disclosures related to reproductive health information that are prohibited; and (2) the types of uses and disclosures that require an attestation.  45 CFR §164.520(b)(ii)(F) and (G).

[xix]         45 CFR §160.104(a) (Eff. June 25, 2024).