US HHS and HIPAA’s New Rule for Reproductive Health Care Disclosures

The US Department of Health and Human Services issued a Final Rule and a fact sheet that changed the Privacy Rule of the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996. The rule was updated at the direction of the Biden-Harris administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS).

The Biden-Harris administration directed the rule change in response to the US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization which has led to state abortion bans and other reproductive rights restrictions in 21 states. The Final Rule “supports President Biden’s Executive Orders (EOs) on protecting access to reproductive health care.” Specifically, EO 14076 directed HHS to consider taking additional actions, including under HIPAA, to help support patient-provider confidentiality and the patient/provider relationship– to make reproductive health care information private.

How does the Final Rule change HIPAA?

HIPAA was enacted in 1996 to help prevent the disclosure and use of protected health information (PHI) by covered healthcare providers, health plans, and healthcare clearinghouses (or the business associates of any of these entities) for the following purposes:

  • Conducting a:
    • “Criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.”
  • Obtaining the identification information of any person for the purpose of starting an investigation or imposing liability (as described above)

The Final Rule applies where any of the covered entities reasonably determines that any of the following conditions apply:

  • Reproductive health care is lawful pursuant to the state laws where the health care is being provided. For example – where a woman goes to a state where abortion healthcare is lawful to receive healthcare in that state.
  • The type of reproductive health care is “protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.” For example, a woman who receives contraception healthcare is currently protected under the US Constitution.
  • “The reproductive health care was provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associates) that receives the request for PHI and the presumption described [explained below] applies.”

Healthcare providers include doctors, clinics, psychologists, pharmacies, and other healthcare providers who transmit patient healthcare information electronically. A “business associate” is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity,” other than members of the covered entity’s workforce.

HIPAA’s Privacy Rule

The Final Rule still allows covered entities (healthcare providers, health plans, healthcare clearinghouses – and business associates) to disclose or use PHI for purposes otherwise permitted – provided the disclosure or use is not being made to investigate or impose liability for anyone who is “seeking, obtaining, providing, or facilitating reproductive health care.”

The US HHS provides the following examples:

  • A doctor could disclose or use PHI to defend themselves in a medical malpractice or misconduct action that involved providing reproductive health care.
  • A doctor, nurse, health plan, or clearinghouse (or business associate) could disclose our use PHI to “defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care.”
  • A covered person/entity could disclose or use PHI to an Inspector General who is seeking to use the PHI to conduct an audit for the purpose of health oversight.

The Final Rules’ presumption of lawfulness

The Final Rule provides that there is a presumption that reproductive health care provided by a person other than a covered person/entity provided the care lawfully. There is a presumption of lawfulness unless any of the following conditions applies:

  • The covered person/entity has “actual knowledge” that the reproductive health care that was provided was not legal. For example, a doctor is aware that reproductive healthcare must be provided by a licensed healthcare provider – and that the provider was not licensed.
  • The covered person/entity “receives factual information” from the person requesting the disclosure or use of PHI that substantially shows that the reproductive healthcare that was provided was not lawful under the circumstances. For example, a law enforcement officer provides evidence to a healthcare plan that the PHI involved reproductive health care that was provided by an unlicensed person when the provider was required to be licensed.

The Final Rule request that the covered person/entity obtain an “attestation”

The Final Rule requires that when a covered health care provider, health plan, or health care clearinghouse (or business associate) receives a PHI request that is possibly related to reproductive health care that the covered person/entity “obtain a signed attestation that the use or disclosure is not for a prohibited purpose.”

The requirement for an attestation applies to PHI requests involving the following:

  • Health oversight activities.
  • Judicial and administrative proceedings.
  • Law enforcement purposes.
  • Disclosures to coroners and medical examiners.

Written representations serve two purposes:

  • The representations/attestations help protect the covered person/entity.
  • The representations/attestations serve as a warning to the person making the request to disclose or use PHI that there may be criminal penalties for obtaining the PHI in violation of HIPAA’s Privacy Rule.

The Final Rule requires that covered people/entities update their privacy practice notices. Other requirements may also apply.

HIPAA’s Privacy rule does permit the disclosure or use of PHI, without obtaining authorization, only where the disclosures or uses are expressly permitted or required by the HIPAA Privacy Rule. Disclosures to law enforcement are only permitted “where all three of the following conditions are met:

  • The disclosure is not subject to the prohibition.
  • The disclosure is required by law.
  • The disclosure meets all applicable conditions of the Privacy Rule permission to use or disclose PHI as required by law.”

As a result of a Final Rule issued by the US Department of Health and Human Services, people and entities covered by HIPAA need to understand when and when they cannot disclose our use Private Health Information when reproductive health care is provided. Generally, the covered people and entities must review when a request violates the Final Rule’s Prohibition against disclosure or protected reproductive healthcare information – and must understand if a valid attestation from the requester is required. In addition, patients must be notified of the new prohibition against the disclosure and use of protected reproductive healthcare information and the need to obtain a written valid attestation.

Healthcare providers, health plans, clearinghouses, and business associates should contact Cohen Healthcare Law Group, PC to review their legal and healthcare compliance requirements regarding the disclosure and use of reproductive healthcare information. Our experienced healthcare lawyers advise healthcare professionals and companies about compliance laws and regulations issues.

Cohen Healthcare Law Logo

Contact our healthcare law and FDA attorneys for legal advice relevant to your healthcare venture.

Book Your Legal Strategy Session

Contact Us

    Start typing and press Enter to search