Proposed HIPAA Privacy Rule Changes Would Impact Reproductive Health Data

After the Supreme Court eliminated the constitutionally protected right to abortion in Dobbs v. Jackson Women’s Health Organization (945 F. 3d 265, reversed and remanded) states have begun enacting abortion bans in their entirety or creating carveouts for situations such as rape, incest, and saving the life of the mother, all the while discussing the possibility of restricting interstate travel for abortion.

There is a general presumption against a state’s ability to regulate extraterritorially; however, legal authority suggests that the Constitution does not clearly prohibit a state from regulating abortion travel. Legal scholars have argued that several clauses (Dormant Commerce Clause and Privileges and Immunities Clause) in the U.S. Constitution restrict a state’s ability to regulate extraterritorially and could be an avenue to challenge abortion travel bans.

Interstate travel plays a very key role in expanding or restricting abortion access and therefore has gained increased attention following the Dobbs decision. Thus, the Department of Health and Human Services (HHS) began receiving a lot of questions and concerns as to cross-state health information flows, which included disclosures from health care providers to health plans with multi-state presences or between healthcare providers in different states to treat individuals as they travel across the country.

The prospect of releasing highly sensitive PHI could thereby result in medical mistrust and the deterioration of the confidential environment that is necessary to provide quality healthcare and a functional healthcare system. This is even more exacerbated in reproductive healthcare, given the potential for stigmatization and other adverse consequences to individuals resulting from disclosures they do not want or expect.

Without any changes made, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) breadth of protections left gaps for reproductive healthcare.

Accordingly, on April 17, 2023, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking to modify the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECT Act).  

HHS issued the Notice of Proposed Rulemaking (NPRM) (88 FR 23506) to solicit comment on its proposal for 60 days, which ended on June 16^th, 2023. Due to the lengthy process from the NPRM into Final Rule form, it is unlikely that we will see any movement until late 2024. If the Proposed Rule is finalized, it will become effective 60 days after publication of the final rule, requiring regulated entities to comply 180 days after the publication of the final rule. The focus of the proposed changes will require regulated entities to make policy, procedure, and training revisions centering on reproductive healthcare.

This Proposed Rule precedes HIPAA’s last update in 2020 when HHS published a Final Rule relating to codes used in Part 162 of the HIPAA Administrative Simplification provisions. The changes to the code only affected retail pharmacy transactions for Schedule II drugs, thus did not receive much widespread attention.

Protection of Reproductive Health Data

The Proposed Rule would modify existing standards that permit the use and disclosure of protected health information (PHI) by limiting uses and disclosures of PHI for certain purposes where the use or disclosure of information is about reproductive healthcare that is lawful under the circumstances in which such healthcare is provided (88 FR 23506).

Under the Constitution, and as it is understood currently, an individual cannot be barred from traveling from one state to another to obtain reproductive healthcare. HHS has then proposed to prohibit the uses and disclosures of PHI where it is sought for use in an investigation into or proceeding against a person for seeking, obtaining, providing, or facilitating reproductive healthcare outside of the state in which the investigation or proceeding is authorized and where such healthcare is lawful under the circumstances in which it is provided (88 FR 23506). This proposal is not limited to circumstances in which healthcare has not yet been obtained, provided, or facilitated. It also includes situations where the healthcare is ongoing or has been completed (88 FR 23506).

In addition, a covered healthcare provider in the state of the individual’s residence that may receive PHI concerning such reproductive healthcare provided out of state ( e.g., a hospital in the home state that receives records from an out-of-state clinic) would be subject to the same restriction (88 FR 23506).  In these circumstances under the Constitution, administrative, civil, or criminal liability may not be imposed for the receipt or provision of the out-of-state care (88 FR 23506).

HHS additionally proposed to add a requirement to obtain an attestation from the person requesting the use and disclosure as a condition for certain permitted uses and disclosures.

Specifically, HHS proposes to add a new section 45 CFR 164.509: “Uses and disclosures for which an attestation is required” (88 FR 23506). This proposed condition would require a regulated entity to obtain assurances from the person requesting the PHI, in the form of a signed and dated written statement attesting that the use or disclosure would not be for a purpose prohibited under 45 CFR 164.502(a)(5)(iii), where the person is making the request under the Privacy Rule permissions at 45 CFR 164.512(d) (disclosures for health oversight activities), (e) (disclosures for judicial and administrative proceedings), (f) (disclosures for law enforcement purposes), or (g)(1) (disclosures about decedents to coroners and medical examiners) (88 FR 23506). This proposed condition would apply when the request is for PHI that is potentially related to reproductive healthcare, as defined in proposed 45 CFR 160.103 (88 FR 23506). Thus, an attestation would not be required when the person making the request does not seek PHI potentially related to reproductive health care (88 FR 23506).  If, however, the request would require a regulated entity to disclose PHI potentially related to reproductive healthcare, a regulated entity would have to first obtain an attestation from the person making the request to ensure that the PHI would not be used or disclosed for a prohibited purpose (88 FR 23506). Consequently, a regulated entity would be tasked with deciphering whether the PHI seeking to be disclosed falls under the definition of reproductive healthcare; which is another reason that HHS proposed a reproductive health care definition in 45 CFR 160.103.

The proposed attestation provision would also include a prohibition on compound attestations. Specifically, the proposal would prohibit the attestation from being “combined with” any other document (88 FR 23506). HHS intends that this prohibition to mean that an attestation must be clearly labeled and distinct from any surrounding text (for example, an attestation would not be combined with a subpoena if it is attached to it, provided that the attestation is clearly labeled as such. As another example, an electronic attestation would not to be impermissibly “combined with” another document where the attestation is on the same screen as the other document, provided that the attestation is clearly and distinctly labeled as such) (88 FR 23506).

Additional Disclosure Requirements

HHS also proposes to modify 45 CFR 164.520(b)(1)(ii) to require that a covered entity add two types of uses and disclosures to those already described in the Notice of Privacy Practices (NPP), putting individuals on notice about how their PHI may or may not be used (88 FR 23506). Specifically, HHS proposes at 45 CFR 164.520(b)(1)(ii)(F) to add to the NPP’s list of required elements two that address the proposed use and disclosure prohibition at 45 CFR 164.502(a)(5)(iii) (88 FR 23506). Under this proposal, a covered entity must separately describe each type of use or disclosure prohibited by 45 CFR 164.502(a)(5)(iii) and must do so in sufficient detail for an individual to understand this prohibition and the proposed attestation requirement (88 FR 23506).

The goal of these modifications would enable the regulated entity to provide the individual with reassurance about their privacy rights and their ability to discuss their reproductive health and related care with any healthcare provider without fear of harm because it would inform an individual that their PHI may not be used or disclosed for the purposes HHS proposes to prohibit (88 FR 23506).

Within the Proposed Rule, HHS has identified six general categories of quantifiable costs/changes arising from these proposals:

1. Creating an attestation form and handling requests for disclosures for which an attestation is required;
2. Revising business associate agreements;
3. Updating the Notice of Privacy Practices (NPP) and posting it online;
4. Developing new or modified policies and procedures;
5. Revising training programs for workforce members; and
6. Requesting an exception from preemption of state law (88 FR 23506).  

The first five categories apply primarily to covered entities such as health care providers and health plans, while the sixth category applies to states and other interested persons (88 FR 23506).

Timeline

Once the Proposed Rule becomes finalized, regulated entities must comply 180 days after the publication of the final rule. HHS has decided that an extension past 180 days would not be necessary; thus, regulated entities will have to stick to the 180-day timeline. And unfortunately, in most cases, ignorance of the law does not let you off the hook from complying.

Public opinion of these proposed modifications has been rooted in the beliefs surrounding the legality of abortion; however, HHS’s neutral concerns with quality, trust and empowerment within the healthcare space has been at the forefront for their proposed modifications. Although these modifications spawned a wide variety of situations, it was disappointing that HHS did not flesh out more situations, such as inadvertent disclosures. It is not a stretch of the imagination to believe that for example, inadvertent disclosures made by a hospital to a healthcare clinic within a state that makes abortion unlawful will occur. Under the Proposed Rule, the intent of the proposed modifications could be logically argued that inadvertent disclosures made in a state where abortion is illegal (whether the patient resides in the state or not) would disallow the state from investigating further. However, perhaps we will gain further guidance on this matter based on the public comments made.

CompliancePoint has a team of experienced healthcare, privacy, and cybersecurity professionals that can help any organization comply with all aspects of HIPAA. Contact us at connect@compliancepoint.com to learn more about our services.