A final HIPAA rule on reproductive health care privacy prohibits covered entities from disclosing reproductive health care information to law enforcement agencies, with an exception.[1] The HHS Office for Civil Rights (OCR) released the rule April 22, two days before the U.S. Supreme Court heard oral arguments on whether Idaho’s abortion ban violates the Emergency Medical Treatment and Labor Act (EMTALA)—events that have pushed abortion deeper into the compliance realm.[2]
The HIPAA rule adds a category of prohibited uses and disclosures of protected health information (PHI) that “encompasses the use or disclosure of PHI for any activities conducted for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that the regulated entity that has received the request for PHI has reasonably determined is lawful under the circumstances in which such health care is provided.” Covered entities have 240 days to comply from the date the rule is published in the Federal Register.
“This has the potential to be the most consequential HIPAA rule since the [original] HIPAA rule,” said attorney Rob Keenan, with King & Spalding in Atlanta, with the possible exception of the breach notification rule. “Like everything that’s part of the culture wars, it’s going to be challenged and defended in every possible way.”
The rule requires covered entities (e.g., hospitals and physicians) to update their notice of privacy practices (NPP) to include the prohibition, said attorney Reece Hirsch, with Morgan, Lewis & Bockius LLP in San Francisco. But they have until 2026 to align IT with the NPP changes required by the 2024 Confidentiality of Substance Use Disorder Patient Records regulation (known as Part 2), he said.[3]
The HIPAA rule’s prohibition is consistent with the Biden administration’s moves to protect reproductive health care in the wake of the 2022 Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which overturned the right to abortion enshrined in Roe v. Wade. For example, OCR posted guidance on the disclosure of information about reproductive health care under HIPAA that reinforced the fact that the Privacy Rule allows covered entities to disclose PHI without patient consent under narrow circumstances but in most cases doesn’t require them to, and that state law often is the arbiter of what should be disclosed.[4] There are limited exceptions, including for disclosures to law enforcement, but they must be backed by something else, such as court orders and state laws.
With the new rule, OCR has taken the protections to another level. Under the so-called rule of applicability, the prohibition on disclosures applies if (1) the reproductive health care is lawful in the state where the health care is provided; (2) “the reproductive health care is protected, required, or authorized by Federal law,” including the U.S. Constitution; or (3) the covered entity or business associate that gets the request for the reproductive health care information determines that the presumption of lawfulness under state or federal law applies.
It's Not Just About Crossing State Lines
Although a lot of attention has been paid to the rule’s protection of providers in states where abortion is legal from having to turn over reproductive health care information to law enforcement agents from states where abortion is illegal, Keenan said the rule also applies in states where abortion is legal for a limited time (e.g., abortions are allowed for up to 15 weeks in Montana). “Maybe you will see law enforcement agents wanting information” about abortions provided to patients who live in the state where the clinic is located to determine whether the abortions were performed within the permitted time frame, he explained.
Federal law might come up in reference to EMTALA, Hirsch said. In providing emergency care, hospitals may perform medically necessary abortions, he noted. Whether EMTALA protects reproductive health care is an open question in certain states, but the rule of applicability says the prohibition can apply when the reproductive health care is legal under state or federal laws, Hirsch explained. The Supreme Court’s decision about whether EMTALA supersedes state abortion laws is expected this summer, and it has implications for EMTALA’s authority in other states with strict abortion laws.
Attestations Allow Certain Disclosures
There’s an exception to the prohibition on uses and disclosures of reproductive health care information. If law enforcement agents or others provide an attestation that the use or disclosure isn’t for prohibited purposes, HIPAA-regulated entities may provide reproductive health care information. But OCR makes it clear that there are consequences for disingenuous attestations, including criminal penalties.
OCR requires attestations when a request is made under the Privacy Rule for disclosures for health oversight activities; disclosures for judicial and administrative proceedings; disclosures for law enforcement purposes; and disclosures about decedents to coroners and medical examiners. Examples of reasonable requests include seeking PHI without individual identifiers for public health purposes (e.g., disease control) and investigating alleged violations of the False Claims Act, said attorney Diane Soubly, with Butzel Long. The rule also doesn’t prohibit the disclosure of reproductive health care PHI for an audit by the HHS Office of Inspector General.
But an attestation isn’t valid if: (i) “the covered entity or business associate has actual knowledge that material information in the attestation is false” or (ii) “A reasonable covered entity or business associate in the same position would not believe that the attestation is true,” according to the rule.
The final rule’s version of the attestation is a bit different from the proposed rule. For example, OCR is now holding business associates “directly liable for compliance with the attestation requirement” regardless of whether it’s mentioned in the business associate agreement.
OCR agreed with comments that just like providers and clearinghouses, business associates should review the attestations that must accompany requests for PHI of pregnant people who seek reproductive health care, Soubly said. “All of those entities must reasonably determine if a request falls within lawful disclosure,” she noted.
Also, OCR isn’t requiring HIPAA-regulated entities to “assess the intent of the party requesting the PHI,” Hirsch said, which he called “a welcome change.” They’re allowed to rely on the attestation that the requesting entity isn’t seeking the reproductive health care information for a prohibited purpose. “The final rule’s attestation standard is much less subjective,” Hirsch said.
‘The Stakes Are So High for Providers’
But if covered entities have doubts about the authenticity of an attestation, they have an obligation to determine if there’s a reason not to rely on it, Keenan said. If they wind up lacking confidence in the attestation, they can’t disclose the PHI because they’re not permitted to disclose to law enforcement without a valid attestation, he said. “The stakes are so high for providers because it’s imposing a high burden,” Keenan said. “If they get it wrong, it’s life altering for the individual, but it’s also high stakes for the entity that provided abortion services or counseling or recommendations [about reproductive health services]. Or it could be pharmacists” who dispensed abortifacients (i.e., medications that induce abortions), he noted. “The burden will be shouldered by the covered entity that somebody thinks got it wrong.” The liability could come from OCR or patients who file lawsuits alleging they were adversely impacted by a disclosure. Although HIPAA has no private right of action, its requirements could be used to establish the standard of care.
Keenan expects the updated Privacy Rule to be challenged by state attorneys general in states with anti-abortion laws. “I think it will be fought hard at every level,” he said. “I would expect that people who are opposed to the rule will file challenges to the rule itself” on the grounds that HHS has exceeded its statutory authority. Another possibility is litigation from covered entities that are opposed to the burdens and legal jeopardy imposed on them by the rule, Keenan said.
Can’t Pick and Choose Personal Representatives
The rule also requires covered entities to recognize the personal representative for the patient in the context of reproductive health care, the same as they would in any other situation, Hirsch said. “If you meet the definition under state law, that’s it,” he explained. For example, “a covered entity can’t say ‘the personal representative is going to help this minor facilitate an abortion, so I won’t recognize them as a personal representative and give them the authority to act on behalf of the individual with respect to health care decision-making.’”
Hirsch also noted that the rule clarifies the definition of “person” for HIPAA purposes. “The final rule adopts the proposed clarification of the definition of person, to mean a ‘natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.’ Therefore, an ‘individual,’ ‘child,’ or ‘victim’ (e.g., a victim of crime) under the HIPAA Rules must be a natural person,” the rule stated. “This clarification applies only to regulations issued pursuant to the Administrative Simplification provisions of HIPAA.”
Contact Keenan at rkeenan@kslaw.com, Soubly at soubly@butzel.com and Hirsch at reece.hirsch@morganlewis.com.