On April 17, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a notice of proposed rulemaking that would revise the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to bar certain uses and disclosures of protected health information (“PHI”) related to reproductive health care.  Specifically, the proposed rule (“Rule”) would amend the Privacy Rule to prohibit covered entities or business associates (collectively, “regulated entities”) from using or disclosing PHI for purposes of (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings.

The Rule appears to be designed to further President Biden’s executive order directing HHS to consider actions that would “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.”  President Biden issued the order in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.

Below, we provide a brief summary of the proposed changes and a timeline for commenting.

Key Provisions

Categories of prohibited uses and disclosures:  As discussed above, the Rule would prohibit a regulated entity from using or disclosing PHI if the use or disclosure is for (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings (“Prohibited Purposes”).

Of note, the Rule would apply only where reproductive health care is provided or sought lawfully. Specifically, this prohibition on use or disclosure would apply where:

  • (1) Reproductive health care is sought, obtained, provided, or facilitated lawfully in one state and an investigation arises in another state;
  • (2) Reproductive health care is protected, required, or expressly authorized by Federal law; or
  • (3) Reproductive health care is sought, obtained, provided, or facilitated lawfully in the same state as the investigation.   

This means that the Rule would apply where an individual obtained an abortion in a state where abortion is legal—even if the individual traveled from a state where abortion is not legal—or where an individual received care that is protected under the Emergency Medical Treatment and Labor Act (“EMTALA”) (i.e., care necessary to stabilize a patient).   

Attestations: The Rule would also require that a covered entity obtain a written attestation from a person requesting the use or disclosure of PHI potentially related to reproductive health care.  The attestation would be required to state that the use or disclosure is not for a Prohibited Purpose.  The Rule would also establish a number of other prescriptive requirements for this attestation, including that the attestation not be combined with another document.  An attestation would be required for requests in the context of health oversight activities, judicial and administrative proceedings, law enforcement proceedings, and disclosures to coroners and medical advisors.  For example, in order for a covered entity to disclose PHI to a coroner, the covered entity would need to (1) comply with HIPAA’s existing conditions for such a disclosure and (2) get an attestation from the coroner.  

Under the Rule, a covered entity may rely on an attestation only if it is objectively reasonable and does not contain material information that the covered entity knows to be false.  Further, unlike HIPAA’s existing authorization provision—which permits future uses and disclosures that are contemplated by an initial authorization—attestations would apply only to the specific use or disclosure.  Covered entities would need to obtain a new attestation for each future use or disclosure.  

Authorizations: The Rule would bar regulated entities from using or disclosing PHI for Prohibited Purposes even with an individual’s authorization.  This is similar to a current authorization exception, which bars a health plan from using or disclosing genetic information for underwriting purposes, even with an individual’s authorization. 

Notice of Privacy Practices: The Rule would require covered entities to update their Notices of Privacy Practices to describe the Prohibited Purposes and describe the types of uses and disclosures that require an attestation, including an example under both descriptions. 

Additional Clarifications and Definitions: The Rule would clarify certain provisions and add definitions.  For example, it would clarify that regulated entities may disclose PHI only pursuant to an administrative request “for which a response is required by law.”  (Previously, there had been some ambiguity around when a regulated entity had to comply with an administrative request.)  In addition, the Rule would define reproductive health care as “care, services, or supplies related to the reproductive health of the individual.”

What Doesn’t Change

The Rule would not prevent uses or disclosures of PHI that are permitted by other provisions of the Privacy Rule.  (Though, as noted above, certain disclosures may require an additional attestation.) 

HHS has emphasized that:

  • Covered health care providers would still be permitted to use or disclose PHI to defend themselves in an investigation or proceeding related to professional misconduct or negligence;
  • Regulated entities would still be permitted to use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care; and
  • Regulated entities would still be permitted to disclose PHI to a health oversight agency for health oversight activities, such as investigating whether reproductive health care was actually provided or appropriately billed.

In addition, individuals would retain the ability to direct a covered entity to transmit an electronic copy of their PHI to third parties, including law enforcement, regardless of their intended use of PHI.  HHS has expressed concerns that law enforcement or others could coerce individuals into exercising this right of access to get around the new Rule’s Prohibited Purposes. HHS nevertheless retained this right because it views the right of access as “paramount to an individual’s ability to make decisions regarding their own health care.”

Comment Period

Stakeholders interested in commenting on the Rule should submit their comments on or before June 16, 2023.

HHS has specifically sought comments on a number of topics, including:

  • Whether the proposed Prohibited Purposes appropriately limit harmful uses or disclosures while permitting beneficial ones;
  • Whether HHS should permit uses and disclosures for Prohibited Purposes where there is a valid authorization from the individual; and
  • Whether third parties might circumvent the Prohibited Purposes by coercing individuals to exercise their right to direct a covered entity to transmit to a third party an electronic copy of their PHI in an electronic health record.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Ariel Dukes

Ariel Dukes is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group.

Ariel counsels clients on data privacy, cybersecurity, and artificial intelligence. Her practice includes partnering with clients on compliance with comprehensive privacy laws, FTC and consumer protection laws and guidance, and laws governing the handling of health-related data. Additionally, Ariel routinely counsels clients on drafting and negotiating privacy terms with vendors and third parties, developing privacy notices and consent forms, and responding to regulatory inquiries regarding privacy and cybersecurity topics. Ariel also advises clients on trends in artificial intelligence regulations and helps design governance programs for the development and deployment of artificial intelligence technologies across a number of industries.

Olivia Vega

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and state privacy and data security laws and regulations, including on topics such as HIPAA, California’s Confidentiality of Medical Information Act, and the California Consumer Privacy Act. In addition, Olivia maintains an active pro bono practice.

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an active pro bono practice.