Proposed modifications to the HIPAA Privacy Rule would protect providers in states where abortion is legal from having to provide reproductive health care information when law enforcement agencies from states where abortion is illegal request it, an expert says. If finalized, the rule may offer some comfort to providers in a very fraught environment. More states are enacting abortion bans, and a federal judge in Texas on April 12 ruled that the Food and Drug Administration’s 2000 approval of mifepristone—a drug used in medication abortions—wasn’t valid, although a federal judge in Washington state decided differently the same day. Meanwhile, the Biden administration has asked the Supreme Court to hear an appeal of the Texas court decision.
According to the proposed HIPAA regulation, announced by the HHS Office for Civil Rights (OCR) on April 12, “regulated entities” (covered entities and business associates) would be prohibited from turning over their patients’ protected health information (PHI) about reproductive health care, including abortion, to law enforcement in states where abortion is illegal if the reproductive health care was legal where it was provided, said attorney Randi Seigel, with Manatt, Phelps & Phillips LLP in New York City.[1]
“Providers would be protected from being compelled to provide PHI that could be used in a criminal proceeding against them, the patients or others who were involved in facilitating access to reproductive health services,” including abortion, she explained.
To bring this protection to life, the proposed rule would add a new category of prohibited uses and disclosures of PHI. Regulated entities wouldn’t be permitted to use or disclose a person’s PHI in a criminal, civil or administrative investigation “into or proceeding against the individual, a health care provider, or other person in connection with seeking, obtaining, providing, or facilitating reproductive health care that (1) is provided outside of the state where the investigation or proceeding is authorized and such health care is lawful in the state in which it is provided; (2) is protected, required, or authorized by Federal law, regardless of the state in which such health care is provided; or (3) is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state.”
Under these three circumstances, the state has no “substantial interest” in pursuing the disclosure, OCR explained.
“It provides some comfort regarding providers’ concerns about being forced to disclose information and the chilling effect” that has on the willingness of patients to seek reproductive health care, and the chilling effect that has on providers to document reproductive health care and aftercare for patients who have an abortion and return to their home state for aftercare, Seigel said. The proposed rule also would “make it harder for law enforcement to pursue cases under criminal and civil statutes that prohibit the provision of abortion services.”
An Exception to Disclosure With Attestation
OCR carved out an exception. Providers from a state where abortion is legal would be allowed to turn over PHI to investigators from a state where abortion is illegal, assuming they have a subpoena and produce an attestation that they plan to use the PHI to investigate civil, criminal or administrative conduct unrelated to reproductive purposes. The example OCR gave of an unrelated investigation is a “sexual assault committed against the individual, provided the attestation described later in this preamble is obtained.”
But OCR makes it clear there are consequences for disingenuous attestations, including criminal penalties. “The Department notes that pursuant to HIPAA, a person who knowingly and in violation of the Administrative Simplification provisions obtains or discloses IIHI [i.e., individually identifiable health information] relating to another individual or discloses IIHI to another person would be subject to criminal liability,” the rule states. “Thus, a requester who knowingly falsifies an attestation (e.g., makes material misrepresentations as to the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual’s IIHI would be in violation of HIPAA and could be subject to criminal penalties as outlined in the statute.”
For that and other reasons, it may be a while before the proposed rule is a done deal, Seigel said. People have 60 days to comment from the date the proposed rule is published in the Federal Register, and the rule goes into effect 180 days after it’s finalized. Based on OCR’s long explanation about its authority to make this change, including its history of amending HIPAA regulations, “I believe they anticipate lots of challenges to this proposed rule from individuals and states hostile to abortion,” Seigel said.
The rule was proposed about nine months after OCR posted guidance on the disclosure of information about reproductive health care under HIPAA.[2] The guidance came down in the wake of the Supreme Court decision, Dobbs v. Jackson Women’s Health Organization, that overturned the constitutional right to abortion enshrined in Roe v. Wade. The guidance reinforced the fact that the Privacy Rule allows covered entities (CEs) to disclose PHI without patient consent under narrow circumstances but in most cases doesn’t require them to, and that state law often is the arbiter of what should be disclosed. There are limited exceptions, including for disclosures to law enforcement, but they must be backed by something else, such as court orders and state laws.
Prohibition Would Preempt State Law
That left a gap because it deferred to state laws, Seigel said. “This proposed rule attempts to address that gap by creating a new prohibition that would preempt state law because HIPAA has always preempted state law unless state law affords greater protection,” she noted.
The proposed rule emphasized the importance of preserving the trust patients have in their providers and health care systems. “Individuals’ health privacy concerns affect their trust in health care providers, and thus, their willingness to provide complete and accurate information to health care providers,” OCR stated. “Individuals must disclose sensitive information to their health care providers to obtain appropriate health care. If individuals do not trust that the sensitive information they disclose to their health care providers will be kept private, they may be deterred from seeking or obtaining needed health care or withhold information from their health care providers, compromising the quality of the health care they receive.”
Contact Seigel at rseigel@manatt.com.