On April 12, 2023, the U.S. Department of Health & Human Services (HHS) released a Notice of Proposed Rulemaking (Proposed Rule) that seeks to enhance safeguards of reproductive health care information through changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The proposal is intended to align with President Biden’s Executive Order 14076, which instructed HHS to examine avenues to reinforce protections of HIPAA protected health information (PHI) and patient-provider confidentiality in the wake of the U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization.

Strengthening the HIPAA Privacy Rule

According to HHS, the Dobbs decision “makes it more likely” that PHI may be disclosed in ways that impair the privacy interests HIPAA “seeks to protect.” HHS is concerned that these developments increase the potential for improper uses or disclosures of PHI that may “undermine access to and quality of health care generally” in part because “medical mistrust” can create “damaging and chilling effects” on access to essential care, particularly in vulnerable communities. A fundamental principle underlying the Privacy Rule has long been the need to appropriately protect the relationship of trust between patients and providers, while also preserving access to that information for patients. Under the Privacy Rule, this principle is reasonably balanced against the interests of providers and society in allowing appropriate disclosures of PHI, including for treatment or operational purposes. In response to post-Dobbs legislation and policy proposals that in HHS’s view threaten that privacy and trust, and thus threaten that balance, HHS determined that “information about reproductive health care… requires heightened protections” under HIPAA because of its sensitivity.

Accordingly, in the Proposed Rule HHS seeks specifically to restrict the use and disclosure of certain PHI for “non-health care purposes,” and in doing so proposes to establish conditional restrictions on uses and disclosures based on whether the PHI includes reproductive health care information. Similar to the Privacy Rule’s protections of psychotherapy notes, this Proposed Rule seeks to implement safeguards to protect reproductive health care information. However, in recognition that reproductive health care information is embedded within a patient’s medical records and cannot readily be separated (as in the case of psychotherapy notes), HHS proposes a “purpose-based prohibition on certain uses and disclosures” to protect individuals and their PHI.

How would the Proposed Rule change the Privacy Rule regulations?

In the Proposed Rule, HHS proposes a new category of prohibited uses and disclosures that would prohibit:

            “using or disclosing an individual’s PHI for the purpose of conducting a criminal, civil, or administrative investigation into or proceeding against the individual, a health care provider, or other person in connection with seeking, obtaining, providing, or facilitating reproductive health care that:

            (1) is provided outside of the state where the investigation or proceeding is authorized and such health care is lawful in the state in which it is provided;

            (2) is protected, required, or authorized by Federal law, regardless of the state in which such health care is provided; or

            (3) is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state.”

The Proposed Rule further would prohibit “using or disclosing an individual’s PHI for the purpose of identifying an individual, health care provider, or other person for the purpose of initiating such an investigation or proceeding against the individual, a health care provider, or other person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.”

In order to protect individuals under HIPAA, HHS proposes to newly require entities to obtain an attestation prior to certain uses and disclosures of PHI without the individual’s authorization under the Privacy Rule (at 45 C.F.R. § 164.512), by adding a new regulation to the Privacy Rule (which would be found at 45 C.F.R. § 164.509). This will require certain parties seeking PHI from covered entities (or their business associates) to submit an attestation – limited to the specific use or disclosure – stating that the use or disclosure is not for a prohibited purpose related to reproductive health care, as a condition to use or disclosure without an authorization (i) for health oversight purposes, (ii) for judicial and administrative proceedings, (iii) for law enforcement purposes, or (iv) regarding decedents to coroners or medical examiners.

HHS also proposes certain additional definitions and changes to the regulations deemed necessary to operationalize these changes and implement the Proposed Rule. These include, among other things, a proposal to require covered entities to update their Notices of Privacy Practices (NPPs) to ensure the NPPs address the new proposed safeguards for reproductive health care PHI.

Rules of Applicability and Construction

In the Proposed Rule, HHS incorporates a proposed “Rule of Applicability” that would guide the applicability of the new proposed prohibition related to reproductive health care PHI. Specifically, the Rule of Applicability states that it applies where one or more of the following exist:

            (1) The relevant criminal, civil, or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care outside of the state where the investigation or proceeding is authorized and where such health care is lawful in the state in which it is provided;

            (2) The relevant criminal, civil, or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care that is protected, required, or authorized by Federal law, regardless of the state in which such health care is provided; or

            (3) The relevant criminal, civil, or administrative investigation or proceeding is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care that is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state.

Second, in recognition of the potential challenge to covered entities and business associates posed by a new “purpose-based” prohibition on uses and disclosures of reproductive health care PHI, and the reality that such information may be embedded throughout patient medical records, in the Proposed Rule HHS proposes a “Rule of Construction” to guide covered entities. This Rule states that only where a proposed use or disclosure that otherwise would be permitted under the Privacy Rule is “primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care” would the use or disclosure be prohibited. As an example, per HHS the Rule of Construction clarifies that the Proposed Rule “does not inhibit the ability of a covered health care provider to use or disclose [PHI] to defend themselves” in an investigation or litigation related to professional practice.

Comments on the Proposed Rule; Fact Sheet

HHS has issued a Fact Sheet (available here) which describes the Proposed Rule and provides additional information regarding public comment submission.

HHS is accepting public comments on the Proposed Rule through June 16, 2023. During the 60-day public comment period, the existing Privacy Rule will stay in place.

*This post was co-authored by Paul Sevigny, legal intern at Robinson+Cole. Paul is not admitted to practice law.

Conor Duffy

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy + Security Team. Mr. Duffy advises hospitals, physician groups, accountable care organizations, community providers, post-acute care providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, the False Claims Act, the Stark Law, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, state breach notification requirements, and other health care regulatory matters. Read his full rc.com bio here.