Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade, the federal government, pursuant to President Biden’s Executive Order (the EO), took several steps to protect reproductive health privacy, some of which we previously discussed here. Specifically, the EO called for agencies to protect “women’s fundamental right to make reproductive health decisions.” Shortly following issuance of the EO, the Biden Administration created its HHS Reproductive Healthcare Access Task Force, requiring all relevant federal agencies to draft measurable actions that they could undertake “to protect and bolster access to sexual and reproductive health care.”
The most recent development emanating from this initiative is the Department of Health and Human Services, Office for Civil Rights (OCR) proposed rule to modify the Health Insurance Portability and Accountability Act (HIPAA) to protect privacy with respect to protected health information (PHI) related to reproductive health care, which is open for comment until June 16th (see link to submit comments below). All references to PHI herein refer to PHI related to reproductive health care. In the preamble of the proposed rule, OCR repeatedly frames its interest in the regulation as a desire to combat state actions that impinge upon individuals’ reproductive health privacy in the wake of the Dobbs decision and to maintain public trust in the health care system. The proposed rule broadly defines reproductive health care and seeks to protect relevant PHI by affirmatively prohibiting certain disclosures. Nonetheless, patient privacy and reproductive health advocates may argue that the proposed rule as currently drafted does not go far enough to protect reproductive health privacy. Stakeholders have the opportunity to address any perceived shortcomings of the proposed rule in comments.
The proposed rule has three basic components: (1) the proposed definition of reproductive health care; (2) prohibitions against certain disclosures of PHI related to reproductive health; and (3) the requirement for an attestation of proper use of such PHI.
The Definition of Reproductive Health Care
The proposed rule defines reproductive health care as a subcategory of health care, to include “care, services, or supplies related to the reproductive health of the individual.” The preamble notes that the definition is intentionally broad and designed to cover a wide swath of reproductive health care. However, the Department stops short of defining what constitutes reproductive health, and instead invites comments on this key definition. According to the Department, the definition may include a variety of services including:
- contraception, including emergency contraception
- pregnancy-related healthcare, including but not limited to miscarriage management, molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, prenatal care and similar or related care
- fertility- or infertility-related healthcare
- other types of care, services or supplies used for the diagnosis and treatment of conditions related to the reproductive system
The definition of reproductive health care is a key component to the proposed regulation and potentially future rules that will use this definition. If stakeholders have recommendations to improve on the proposed scope of the definition, this comment period is likely the best opportunity.
Prohibitions Against the Disclosure of PHI
The proposed rule enumerates several limitations on uses and disclosures of PHI related to reproductive health. In limited circumstances (e.g., if the disclosure would be for a prohibited purpose described below), the rule goes so far as to prohibit disclosure of certain reproductive health PHI even when a patient has executed an authorization for disclosure. Under the proposed rule, disclosures of PHI would be prohibited when the data is sought for the purpose of conducting a criminal, civil, or administrative investigation into, or proceeding against, the individual, a healthcare provider or other person in connection with seeking, obtaining, providing or facilitating reproductive healthcare:
- where the reproductive healthcare service was provided in a state where it is permitted but the request is coming from a court or law enforcement entity in a state where the product/service is prohibited;
- where the product/service is protected, required, or authorized by federal law; or
- where the reproductive health care is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state.
It should be noted that the preamble proposes to construe “seeking, obtaining, providing, or facilitating” quite broadly. It intends for those actions to include, but not be limited to, “expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care, as well as attempting to engage in any of the same.”
The proposed rule also prohibits covered entities and business associates from using or disclosing an individual’s PHI for the purpose of identifying an individual, a regulated entity or other person for the purpose of initiating an investigation or proceeding against that individual.
While this proposed rule takes a strong approach toward protecting PHI from disclosures in the absence of individual authorization, it does not protect disclosure of PHI in instances where the reproductive health care service at issue is unlawful. It also does not prevent disclosure by non-HIPAA regulated entities such as direct-to-consumer health app companies or messengers, and it does not protect consumer health data related to reproductive health from disclosure (e.g., evidence that an individual received assistance traveling across state lines to receive an abortion). Further, OCR has released guidance expressly stating that it is not protecting consumer data related to reproductive health due to the fact that entities collecting such data are out of the scope of OCR’s jurisdiction.
The third main portion of the proposed rule requires entities requesting PHI for a non-prohibited purpose to provide a signed attestation confirming that the requested use or disclosure of PHI is not for a prohibited purpose. A requester who knowingly falsifies an attestation (e.g., makes material misrepresentations as to the intended uses of the PHI requested) to obtain an individual’s reproductive health care information would be in violation of HIPAA and could be subject to civil and criminal penalties. An attestation is required when the request for PHI is in the context of any of the below circumstances:
- Health oversight activities,
- Judicial and administrative proceedings,
- Law enforcement purposes, or
- Disclosures to coroners and medical examiners.
Stakeholders should note that OCR is considering whether to develop a model attestation that regulated entities may use to evaluate third party requests for PHI. This attestation provides disclosing covered entities with a way to confirm in writing that they are not disclosing PHI for a prohibited purpose. Given the broad definition of reproductive health care, this proposed rule may be burdensome to providers and could require configurations in electronic health records to identify, segment and prevent improper disclosure of PHI in response to third party requests. Finally, the proposed regulation does not create a private right of action for disclosing covered entities to take legal action against recipients of PHI who falsely attest or use the requested PHI in a prohibited manner. Individuals who falsely attest may be subject to HIPAA’s existing criminal penalties. Additionally, covered entities who disclose reproductive health care PHI, but then later learn that the disclosure was based on false or misrepresented information, may be required to notify patients that their reproductive health care PHI was impermissibly disclosed. Covered entities may also be required to notify the Secretary of HHS, and in some cases, the media of such impermissible disclosures.
This overview of the proposed rule will be expanded upon in an upcoming publication by the authors of this blog. The deadline to submit comments on this proposed rule is June 16, 2023; comments may be submitted in accordance with the “Addresses” section of the proposed rule. EBG can assist with preparing comments related to this proposed regulation.
Epstein Becker Green will be closely following this rulemaking process. For additional information about the issues discussed above, or if you have any other privacy, cybersecurity, and data asset management concerns, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or one of the authors of this blog post. Read more about our expansive capabilities and offerings here.