OCR Issues Proposed Rule to Modify HIPAA Privacy Rule

OCR Issues Proposed Rule to Modify HIPAA Privacy Rule to Include Explicit Protections for Reproductive Healthcare

Overview


On April 12, 2023, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking detailing its proposal to modify the HIPAA Privacy Rule (Proposed Rule). The Proposed Rule comes as a part of the Biden administration’s response to the US Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization.

The Proposed Rule would provide special protections for protected health information (PHI) related to reproductive healthcare. Following the Dobbs decision, many healthcare providers expressed concerns that PHI related to reproductive healthcare may be sought by state and local governments for use in criminal, civil or administrative investigations or proceedings. OCR noted that such compelled uses and disclosures of PHI could have a chilling effect on lawfully obtained healthcare and erode trust in confidential communications between a patient and provider. Additionally, providers could elect to leave out critical details from a patient’s medical record if they fear the information could later be used by a state or local government actor against the patient.

Stakeholders may submit comments on the proposed rule on or before June 16, 2023.

In Depth


Generally, the Proposed Rule seeks to provide heightened protections for PHI “sought for the purposes of conducting a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive healthcare that is lawful under the circumstances in which it is provided.”

  1. Definitions. The Proposed Rule makes several definition changes to terms in the existing Privacy Rule and adds clarification to others, including the following:
    1. “Person”: OCR proposes to clarify that the meaning of “person” for purposes of the Social Security Act, HIPAA and the Privacy Rule (and other related HIPAA rules) is consistent with that found in 1 U.S.C. § 8, which excludes a fertilized egg, embryo or fetus from the definition of “person” and “child.” Accordingly, OCR proposes to clarify that “natural person” as used in the definition of “person” is limited to the definition at 1 U.S.C. § 8.
    2. “Reproductive Health Care”: OCR proposes to add “reproductive health care” as a sub-category of the existing term “health care.” OCR proposes to define “reproductive health care” as “care, services, or supplies related to the reproductive health of the individual.” OCR states in the preamble guidance to the Proposed Rule that the definition would apply broadly to include not only reproductive healthcare services provided by healthcare providers and prescription supplies but would also include care, services and supplies furnished by “other persons and non-prescription supplies purchased in connection with an individual’s reproductive health.” OCR also states that the definition is intended to include all specified services no matter where a patient receives them, and all types of services, rather than only certain types in a listed definition. OCR is not proposing a separate definition of “reproductive health” but notes in the preamble that the definition of “reproductive health care” would include all types of healthcare related to an individual’s reproductive system, including, but not limited to: contraception, including emergency contraception; pregnancy-related healthcare; fertility or infertility-related care; and other types of care, services or supplies used for the diagnosis and treatment of conditions related to the reproductive system. Pregnancy-related healthcare includes, but is not limited to, miscarriage management, molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, prenatal care and similar or related care. Fertility or infertility-related healthcare would also be interpreted to include services such as assisted reproductive technology and its components, as well as other services or supplies used for the diagnosis and treatment of infertility.
       This definition would also encompass other types of care, services or supplies used for the diagnosis and treatment of conditions related to the reproductive system or reproductive organs, regardless of whether the healthcare is related to an individual’s pregnancy or whether the individual is of reproductive age. This could potentially extend the protections of the Proposed Rule to individuals seeking gender-affirming care in states where permitted when the individual lives in a state where such care is not permissible.
  2. Prohibited Use and Disclosure of PHI. OCR proposes to prohibit regulated entities from using or disclosing an individual’s PHI for use against any individual, regulated entity or other person for the purpose of a criminal, civil or administrative investigation into or proceeding against such person in connection with seeking, obtaining, providing or facilitating reproductive healthcare that is lawful under the circumstances in which it is provided. The Proposed Rule also prohibits such use for initiating an investigation or proceeding. This use would not be permitted even with authorization. The prohibition is focused on the intended purpose of the use or disclosure of the information and not the type of PHI requested or disclosed. In that regard, OCR proposes to clarify that nothing in the Privacy Rule, as it would be amended by the Proposed Rule, is intended to prohibit a use or disclosure of PHI otherwise permitted by the Privacy Rule unless the use or disclosure is primarily for the purpose of investigating or imposing liability on a person for seeking, obtaining, providing or facilitating reproductive healthcare.
  3. Attestation. The use and disclosure of PHI related to reproductive healthcare to a law enforcement or regulatory agency would be permissible in connection with civil, criminal or administrative proceedings only where the Covered Entity has received an attestation from the person requesting the use and disclosure. The attestation would have to be signed, dated and include a written statement that the disclosure is not for a prohibited use. Even if a permissible use of PHI applies, the attestation would have to include a statement that it is not being used for a prohibited purpose regarding reproductive healthcare. An attestation under the Proposed Rule would need to be clearly labeled and distinct from any other attestation or documentation. A regulated entity would not be obligated to investigate the validity of an attestation, and it could instead rely on the validity of the attestation itself if it is objectively reasonable to do so.
  4. Notice of Privacy Practices. OCR is proposing to add two types of prohibited uses and disclosures to the required Notice of Privacy Practices. Covered Entities would be required to indicate in their notices that they are prohibited from using and disclosing reproductive health information for: (1) criminal, civil or administrative investigations into or proceedings against seeking, obtaining, providing or facilitating lawful reproductive healthcare; or (2) identifying any person for the purpose of initiating such an investigation or proceeding.

Key Takeaways

  • The definition of “reproductive health care” in the Proposed Rule notably does not explicitly include abortion. The Proposed Rule’s definition of reproductive healthcare is “care, services, or supplies related to the reproductive health of the individual.” While intended to broadly capture a wide variety of services, such a definition lacks specificity and may open the door for future debate about whether abortion services are included under the definition, even though it is clear that the Biden administration intends that abortion services would be covered. Both HHS and the White House issued statements explicitly stating that the proposal includes abortion care. The comment period presents an opportunity for commenters to make suggestions as to what should be included in the definition of reproductive healthcare, including adding further specificity to avoid potential ambiguities or debates following any eventual final rule.
  • The Proposed Rule would appear to establish a primary purpose test for purposes of determining whether a regulated entity may make uses or disclosures of PHI that are otherwise permitted under the Privacy Rule—i.e., by inquiring whether the use or disclosure is primarily for the purpose of investigating or imposing liability on a person for seeking, obtaining, providing or facilitating reproductive healthcare.
  • The Proposed Rule will require updates to the Notice of Privacy Practices. These updates will be in addition to the significant updates already contemplated by the 42 C.F.R. Part 2 proposed rule, which we have detailed in a separate On the Subject. Commenters may want to encourage OCR to implement the changes contemplated by the Proposed Rule to the Notice of Privacy Practices at the same time as the Part 2 proposed rule so that Covered Entities are not forced to make piecemeal changes to their notices.
  • The rule permits Covered Entities to disclose PHI under Section 164.512 if a regulatory or law enforcement agency attests to the Covered Entity that the purpose of the request for information is not primarily tied to an individual seeking reproductive healthcare. OCR, however, has limited enforcement levers with which to hold state law enforcement or regulatory agencies to their attestations. Therefore, while perhaps a state law enforcement or regulatory agency may initially attest to a regulated entity that the purpose of the request for information is permissible under HIPAA, it is unclear what repercussions such agency would face if it then in fact used the PHI as part of an investigation or proceeding regarding an individual concerning reproductive healthcare.
  • The Privacy Rule preempts conflicting state law, which may prevent enforcement of certain contrary state laws. Violations by regulated entities could result in OCR investigations or civil monetary penalties. Such discussions in the Proposed Rule indicate that OCR may be willing to use its enforcement tools to ensure that the rule, if finalized, is applied even in states where state law may otherwise allow the use of PHI for investigatory purposes or in civil, criminal or administrative proceedings.

Please contact the authors or your regular McDermott lawyer if you are interested in assistance in submitting comments to the Proposed Rule or if you have any questions concerning its implications.