HHS Modifies Privacy Rule to Support Reproductive Health Care Privacy

On April 26, 2024, the Office for Civil Rights ("OCR") at the U.S. Department of Health & Human Services ("HHS") published a final rule that modifies the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") under the Health Insurance Portability and Accountability Act ("HIPAA") regarding protected health information ("PHI") concerning reproductive health. We previously covered the proposed rule (hereinafter, "the NPRM"), which was published on April 17, 2023. The final rule aligns closely with the NPRM.

OCR noted that the Supreme Court's ruling in Dobbs v. Jackson Women's Health Organization (holding that there is no constitutional right to abortion) created a legal landscape that "increase[s] the potential that use and disclosure of PHI about an individual's reproductive health will undermine access to and the quality of health care generally." According to OCR, the final rule aims to "continue to protect privacy in a manner that promotes trust between individuals and health care providers and advances access to, and improves the quality of, health care" by "limit[ing] the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual's PHI about reproductive health care for certain non-health care purposes."

The final rule prohibits a regulated entity from using or disclosing an individual's PHI:

• to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided; and
• to identify an individual, health care provider, or other person to initiate an investigation or proceeding against that person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.

"Lawful under the circumstances in which it is provided" means that the reproductive health care is either:

• lawful under the circumstances in which the health care is provided and in the state in which it is provided; or
• protected, required, or authorized by Federal law, including the United States Constitution, regardless of the state in which such health care is provided.

The final rule includes a presumption that the reproductive health care provided by a person other than the regulated entity receiving the request was lawful. The final rule also imposes a new requirement that regulated entities must obtain an attestation from the requestor that a requested use or disclosure of PHI potentially related to reproductive health care is not for a prohibited purpose. OCR plans to publish a model attestation prior to the compliance date of the final rule.

The final rule does not prevent the use or disclosure of PHI for purposes otherwise permitted under the Privacy Rule. Notably, the final rule also does not prohibit the use or disclosure of PHI to investigate or impose liability on persons in situations involving reproductive health care that was unlawful when it was provided.

The final rule also modifies the Privacy Rule in the following ways:

• Clarifying and adopting new definitions: The final rule clarifies that "person" in the HIPAA Rules means "natural person" (meaning a person who is born alive). In a slight departure from the NPRM, the final rule defines "public health," in the context of surveillance, investigation, and intervention, as "population-level activities to prevent disease and promote health of populations." Public health surveillance, investigation, and intervention do not include efforts to conduct criminal, civil, and administrative investigations or impose criminal, civil, nor administrative liability for the mere act of seeking, obtaining, providing, or facilitating health care. This revision was intended to clarify that the final rule does not prevent reporting of public health information on communicable diseases. The definition of "reproductive health care" is expanded from that proposed in the NPRM to mean health care "that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes."
• Personal representatives: The final rule clarifies that a personal representative's provision or facilitation of reproductive health care at the request of the individual does not constitute the basis for a reasonable belief that the personal representative is subjecting the individual to abuse. This clarification responds to a concern that a regulated entity that disagrees with the reproductive services sought by the personal representative could cease to recognize that person as an individual's personal representative by asserting abuse on the part of the personal representative.
• Modifications of Notice of Privacy Practices ("NPP"): Regulated entities must modify their NPPs to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under this final rule.

The final rule goes into effect on June 25, 2024, and regulated entities must implement compliance measures by December 23, 2024. Regulated entities have until February 16, 2026, to comply with the provisions related to NPPs.

Public link

Please use the above public link if you want to share this noodl on another website.