HHS issued a Final Rule yesterday, the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy.” Despite its name, the Final Rule contains two other significant Privacy Rule modifications; one modifies the Notice of Privacy Practices (NPP), and the second coordinates Part 2 substance use confidentiality with HIPAA.¹
HHS seeks to protect access to and privacy of reproductive health care after the Supreme Court’s decision two years ago in Dobbs v. Jackson Women’s Health Organization. That decision, which overturned Roe v. Wade, has led to extreme state abortion bans and other restrictions on reproductive freedom in 21 states.
Yesterday’s Final Rule strengthens the Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. It also creates a presumption that such care is lawful and requires that any request for PHI about reproductive health be certified through attestation.
The purpose is to “better protect patient confidentiality and prevent medical records from being used against people for providing or obtaining lawful reproductive health care.”
Prohibition
The rule prohibits the use or disclosure of PHI by a covered entity or their business associate (regulated entities) for either of the following activities:
- To conduct a criminal, civil, or administrative investigation into or impose liability on any person for seeking, obtaining, providing, or facilitating reproductive health care where such health care is lawful.
- The identification of any person to conduct such investigation or impose such liability.
The prohibition applies where the reproductive health care:
- is lawful under the law of the state in which such health care is provided.
- for example, a resident of one state may travel to another state to receive reproductive health care, such as an abortion, that is lawful in the other state.
- is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state where such health care is provided.
- for example, if the use of reproductive health care, such as contraception, is protected by the Constitution.
- was provided by a person other than the regulated entity that receives the request for PHI, and the presumption described below applies.
Presumption
The rule presumes that the reproductive health care provided by a person other than the regulated entity receiving the request was lawful unless one of the following conditions are met:
- The regulated entity has actual knowledge that the reproductive health care was not lawful.
- For example, an individual discloses to their doctor that they obtained reproductive health care from an unlicensed person, and the doctor knows that a licensed health care provider must provide the specific reproductive health care.
OR
- The regulated entity receives factual information demonstrating that reproductive health care was not lawful.
- For example, a law enforcement official provides a health plan with evidence that the information requested is reproductive health care provided by an unlicensed person when the law requires such health care to be provided by a licensed provider.
Attestation
The Final Rule requires a regulated entity to obtain a signed attestation (verification or proof) that the use or disclosure is permitted by HIPAA when it receives a request for PHI potentially related to reproductive health care.
This requirement applies when the request is for PHI for any of the following:
- Health oversight activities.
- Judicial and administrative proceedings.
- Law enforcement purposes.
- Disclosures to coroners and medical examiners.
This verification requirement allows regulated entities to obtain assurances from persons requesting PHI that their requests are permitted.
It also puts those requesting PHI on notice of the potential criminal penalties for those who knowingly violate HIPAA.
Notice of Privacy Practices (NPP)
All covered entities must modify their NPPs to comply with the Final Rule.
Substance use providers must create and furnish patients with NPPs and adopt new policies to comply with Part 2 confidentiality modifications of SAMHSA.
Disclosures to Law Enforcement
The Privacy Rule permits uses or disclosures of PHI without an individual’s authorization only where such uses or disclosures are expressly permitted or required by the Privacy Rule.
As explained in OCR guidance, the Privacy Rule permits but does not require, certain disclosures to law enforcement, subject to specific conditions. Therefore, regulated entities are only allowed to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care (lawful or otherwise) if the covered entity or business associate is required by law to do so and all applicable conditions are met.
Accordingly, under the Final Rule, such disclosure is only permitted where all three of the following conditions are met:
- The disclosure is not subject to the prohibition.
- The disclosure is required by law.
- The disclosure meets all applicable conditions of the Privacy Rule, including permission to use or disclose PHI as required by law.
Final Rule Effective Date
There is time to make changes to comply with the new requirements. The Final Rule will take effect 60 days after publication in the Federal Register, which should occur soon. Regulated entities must comply within 240 days.
¹Because federal law limits HHS to modifying a standard or implementation specification once every 12 months, HHS combined elements from three pending proposed rules. Other proposed Privacy Rule modifications related to the patient right of access and uses and disclosures were left out of this Final Rule. However, they may reappear in a future Final Rule after 12 months.