What is the HHS HIPAA Final Rule to Support Reproductive Healthcare Privacy?

Modified on Wed, 18 Sep at 11:57 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

HHS Issues a Final Rule to Support Reproductive Healthcare Privacy

Seeking to strengthen reproductive healthcare privacy in the wake of the 2022 Supreme Court opinion in Dobbs v. Jackson Women’s Health Organization, which overruled Roe v. Wade, the Department of Health and Human Services’ Office for Civil Rights issued a Notice of Proposed Rulemaking to modify the HIPAA Privacy Rule in April of 2023.


In April of 2024, HHS issued a Final Rule, the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy. In a press release accompanying the Final Rule, HHS reports that “The Final Rule strengthens the Health Insurance Portability Act of 1996 (HIPAA) Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive healthcare in certain circumstances.”


The law does not go “on the books” (become official) until June 25, 2024. The earliest time the Final Rule will be enforced is December 23, 2024.

What Does the Final Rule Do?
The Final Rule modifies the existing Privacy Rule by changing the definition of the term “person.” The Final Rule adds definitions for the terms “public health” and “reproductive healthcare.” 

According to a Fact Sheet accompanying the Final Rule, the Final Rule “strengthens privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a covered health care provider, health plan, or health care clearinghouse—or their business associate—for either of the following activities:


To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, where such health care is lawful under the circumstances in which it is provided.


The identification of any person for the purpose of conducting such investigation or imposing such liability.”

What Are Permitted Uses or Disclosures of PHI?

Per the Fact Sheet, “The Final Rule continues to permit covered health care providers, health plans, or health care clearinghouses (or business associates) to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for the use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare,” or where the request is not made to identify someone for the purpose of conducting such an investigation or imposing such liability. 

Other Final Rule Requirements: Attestations and Notices of Privacy Practices (NPPs)

The Fact Sheet reports that the Final Rule “requires a covered health care provider, health plan, or health care clearinghouse (or business associates), when it receives a request for PHI potentially related to reproductive healthcare, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose.”

The Fact Sheet also reports that the Final Rule “requires covered health care providers, health plans, and health care clearinghouses to revise their Notices of Privacy Practices (NPPs) to support reproductive healthcare privacy.”

What Other Changes Does the Final Rule Make to the Notice of Privacy Practices (NPP) Requirement?

The Final Rule requires covered entities to revise their Notices of Privacy Practices to cover patient rights with respect to the confidentiality of substance use disorder records under 42 CFR Part 2.  This requirement will not be enforced until February 16, 2026, at the earliest.

What Else Should I Know About The Final Rule?
The rule is subject to being challenged in court; we will include information regarding legal proceedings in the Compliancy Group blog as this information becomes available. 


The Final Rule itself can be viewed here. This document includes the actual changes to the Privacy Rule regulations, information relating to the impact of the regulatory changes, as well as HHS commentary and response to comments received. The actual text of the Final Rule begins on the page marked “33062” and ends on the page marked “33066”.

Update (8/13/24): HHS has published a Model Attestation for a Requested Use or Disclosure of Protected Health Information Potentially Related to Reproductive Health Care. The model attestation can be found here.

Update (9/4/24):

On September 4, 2024, the state of Texas filed a lawsuit in federal District Court seeking a declaration from a District Court judge that the Final Rule should be declared illegal – stricken from the law books – because, as Texas claims, no legal authority gave HHS the right to issue the Final Rule in the first place.


Why Does Texas Seek Invalidation of the HIPAA Reproductive Healthcare Privacy Rule?

In this lawsuit against the United States, Texas makes two interrelated arguments in support of its conclusion that the HIPAA Reproductive Healthcare Privacy Rule should be declared invalid.

The first legal argument is a federalism argument. Federalism is a political and legal doctrine whose proponents claim that the federal government’s authority to regulate the states is, and should be, limited and narrow.

Consider what the HIPAA Reproductive Healthcare Privacy Rule requires. It requires that providers who receive a request for reproductive healthcare-related PHI (PHI related to, for example, contraceptive care, abortion-related care, or miscarriage treatment) may not use or disclose that PHI for any of the following activities:

  1. To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  2. To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  3. To identify any person for any purpose described in paragraphs (1) or (2) above.


The following scenario, then, might play out in the real world: a physician in a state where provision of abortion care is legal receives a subpoena from Texas, which bans abortion at all stages of pregnancy (save for certain circumstances). The patient who received the abortion care is a resident of Texas, and traveled to the other state to lawfully receive the abortion care from the physician. In the subpoena, Texas demands that the physician disclose details of the procedure – when it was performed, what the outcome was, and who (including any Texas residents) assisted in performing the care or transporting the patient to where the care was provided.

Under principles of federalism, Texas argues that the federal government cannot, through the Final Rule, block its ability to have the subpoena enforced. In other words, Texas argues that the federal government cannot prohibit Texas from conducting a criminal investigation into violations of that state’s own laws (which prohibit not only abortion, but what Texas calls “aiding and abetting” of it), by requiring providers to refuse to disclose PHI in response to the subpoena.

The current Texas Attorney General, Ken Paxton, claims HIPAA does not give HHS the authority to order providers to refuse to cooperate with state investigations into its residents’ medical procedures. “The federal government is attempting to undermine Texas’s law enforcement capabilities, and I will not allow this to happen.” HHS may counter this argument by arguing that Texas lacks the power to enforce its laws extraterritorially – that is, to apply them to conduct that occurs outside of its borders.

Texas’ second argument, a more legalesey one, is that the text of the HIPAA statute itself does not actually state that providers are prohibited from complying with state law enforcement investigations. In other words, Texas argues, the HIPAA regulations are an attempt to expand the scope of the HIPAA statute, to prohibit activity the law does not actually prohibit.

Statutes are laws passed by Congress and signed by the President. Regulations are issued by the administrative agencies tasked with enforcing the laws. A regulation may not, as Texas notes, add to what a law requires; only Congress can expand upon a law, either by amending it or by passing a new law. (HHS may counter this argument by stating that it is impossible for a law to spell out every conceivable detail of how the law is to be enforced, and that it is the role of agencies, including HHS, to fill in “regulatory gaps,” within reasonable limits.)

Texas also argues that the Privacy Rule initially published in 2000 contains a similar improper “expand the scope” defect, as that Rule, too, limits the circumstances under which providers could disclose PHI for law enforcement investigation purposes; HHS may counter that this argument against the 2000 Rule is barred by the 6-year statute of limitations within which an entity (one that existed when a regulation was in effect) has to bring a lawsuit challenging a federal government regulation.


What Happens Next with the Lawsuit to Invalidate the HIPAA Reproductive Healthcare Privacy Rule?

The case has been assigned to U.S. District Judge James Wesley Hendrix. There is no specific timeline by which Judge Hendrix must issue a decision. Compliancy Group will monitor developments in the litigation and will post updates about those developments as they occur.


