Published: 06/21/24

Last Revised: 06/28/24

On June 25, 2024, changes to the HIPAA Privacy Rule that are aimed at supporting reproductive health care privacy will take effect. One of the most significant of those changes is the creation of new prohibitions against using or disclosing protected health information (PHI) to investigate or impose liability upon someone for seeking, obtaining, providing, or facilitating lawful reproductive health care, or using or disclosing PHI to identify someone for either of those purposes. It is important for local health departments, law enforcement, judicial officials, patients, and others to understand how these new prohibitions will limit the sharing of health information for certain purposes.

Background

In July of 2022, following the U.S. Supreme Court’s decision in Dobbs v. Jackson, President Biden issued an executive order instructing the U.S. Department of Health and Human Services (HHS) to explore pathways for increasing the protection of sensitive information related to reproductive health care services. In April of 2023, HHS issued a notice of proposed rulemaking (NPRM) to amend the HIPAA Privacy Rule in furtherance of the goals identified in the President’s order. On April 26, 2024, HHS announced the Final Rule, which can be read in its entirety here.

Why the Final Rule, and Why Now?

In the preamble to the Final Rule, HHS explained its reasoning for the regulatory changes to increase privacy protections around reproductive health care: “The Supreme Court’s decision in Dobbs overturned Roe v. Wade and Planned Parenthood of Southeastern Pennsylvania v. Casey, thereby enabling states to significantly restrict access to abortion. […] This change has also led to questions about both the current and future lawfulness of other types of reproductive health care […]. Thus, these developments have created an environment in which individuals are more likely to fear that their PHI will be requested from regulated entities for use against individuals, health care providers, and others […]. A health care provider may be unable to provide appropriate health care if they are unaware of the individual’s recent health history, which could have significant negative health consequences.” (89 FR 32987).

The Key Changes

For reference, a summary of key changes to the HIPAA Privacy Rule is included below. Except for the new prohibited uses/disclosures of PHI, these changes are not addressed in this post.

  • 45 CFR 160.103- New definitions for terms including “person,” “public health,” and “reproductive health care”
  • 45 CFR 164.502- Newly prohibited uses/disclosures of PHI for certain purposes; clarification around personal representatives in cases of suspected abuse, neglect, or domestic violence (DV)
  • 45 CFR 164.509- Identifies four types of use/disclosure that now require an attestation
  • 45 CFR 164.512- Clarification around disclosing PHI as it relates to abuse, neglect, and DV
  • 45 CFR 164.520- Adds requirements for Notice of Privacy Practices (NPPs)
  • 45 CFR 164.535- Severability provisions

Important Dates

The Final Rule takes effect on June 25, 2024. Entities that must abide by HIPAA (covered entities and business associates) must come into compliance with all of the requirements of the Final Rule no later than December 23, 2024.

There is one exception: the required updates to NPPs, which are addressed in 45 CFR 164.520, do not have to be implemented until February 16, 2026.

New Prohibited Uses/Disclosures

The three new categories of prohibited uses/disclosures of PHI are subject to what HHS refers to as the “Rule of Applicability.” The new prohibitions do not allow a covered entity/business associate to use or disclose PHI for the purpose of investigating or imposing liability upon someone for seeking, obtaining, providing, or facilitating lawful reproductive health care, or using or disclosing PHI to identify someone for either of those purposes. The Rule of Applicability clarifies that these prohibitions only apply when the reproductive health care at issue is lawful. These pieces (the three prohibited uses/disclosures and the Rule of Applicability) are discussed in further detail next.

The Three Prohibited Uses/Disclosures

The Final Rule creates a new provision in HIPAA- 45 CFR 164.502(a)(5)(iii)- which reads as follows:

“[…] a covered entity or business associate may not use or disclose protected health information for any of the following activities:

(1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.

(2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.

(3) To identify any person for any purpose described in paragraphs (a)(5)(iii)(A)(1) or (2) of this section.”

What does it mean to seek, obtain, provide, or facilitate reproductive health care? Pursuant to the new 45 CFR 164.502(a)(5)(iii)(D), this includes the following litany of activities:

  • Expressing interest in,
  • Using,
  • Performing,
  • Furnishing,
  • Paying for,
  • Disseminating information about,
  • Arranging,
  • Insuring,
  • Administering,
  • Authorizing,
  • Providing coverage for,
  • Approving,
  • Counseling about,
  • Assisting, or
  • Otherwise taking action to engage in…

… reproductive health care, or attempting to do any of these things.

The Final Rule also creates a new definition for the term “reproductive health care” at 45 CFR 160.103, which is “health care (as defined at 45 CFR 160.103) that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes” (emphasis added). This definition is broad- and intentionally so, as HHS explained in the preamble to the Final Rule. Rather than attempt to list every type of reproductive health care and risk missing one, HHS opted for a broad definition; however, to make compliance with the new prohibitions on use/disclosure easier, HHS provided a non-exhaustive list of services that would be considered “reproductive health care” under the new definition:

  • Contraception (including emergency contraception)
  • Preconception screening and counseling
  • Management of pregnancy and pregnancy-related conditions (hypertension, pre-eclampsia, ectopic pregnancy, gestational diabetes, etc.)
  • Prenatal care
  • Miscarriage management
  • Pregnancy termination (abortion)
  • Fertility care (e.g., IVF)
  • Diagnosis/treatment of conditions that affect the reproductive system (e.g., menopause, endometriosis)
  • Mammography
  • Pregnancy-related nutrition services
  • Postpartum care products

The Rule of Applicability

The Rule of Applicability is found at 45 CFR 164.502(a)(5)(iii)(B)-(C) and places limits on when the three new prohibitions against certain uses and disclosures of PHI apply. Under this provision, the use or disclosure is only prohibited if the covered entity or business associate makes a “reasonable determination” that one or more of the following is true:

  • The reproductive health care was lawful in the state and under the circumstances in which it was provided;
  • The reproductive health care is protected, required, or authorized by federal law in the circumstances in which it was provided, regardless of which state it was provided in (e.g., accessing contraception, which is protected under the U.S. Constitution pursuant to Griswold v. Connecticut and Eisenstadt v. Baird); or
  • The reproductive health care was provided by someone other than the covered entity/business associate and can be presumed lawful.

Many health care professionals will not have memorized the myriad state and federal laws that govern reproductive health care across the country. In the preamble to the Final Rule, HHS clarified that covered entities and business associates are not expected to conduct research or analyses to confirm whether the reproductive health care at issue was lawful. As a result, health care professionals may frequently rely on the presumption that care provided by someone else was lawful.

But when should a covered entity or business associate make that presumption? Under 45 CFR 164.502(a)(5)(iii)(C), the reproductive health care must be presumed lawful unless the covered entity/business associate has actual knowledge that the reproductive health care was not lawful as provided or if the requestor of the PHI provides information that “demonstrates a substantial factual basis” for determining that the care was unlawful.

“Actual knowledge” is a high standard and means that the covered entity/business associate must have more than mere suspicion. A covered entity/business associate might have actual knowledge that a patient received unlawful care if, for example, the patient shared that they received abortion services from someone who is not a licensed health professional and the covered entity/business associate knows that such care can only be lawfully provided by a licensed health professional.

The other way to overcome this presumption of lawful care places the burden on the requestor to offer up evidence to the covered entity/business associate that shows that the care was not lawful. If the requestor of the PHI can supply enough information to “demonstrate substantial factual basis” for determining that the care was unlawful, then the disclosure- which would otherwise be prohibited if the care were lawful- can be made to the extent otherwise permitted by HIPAA (e.g., in accordance with a valid court order).

Frequently Asked Questions

Q1: The three new prohibited uses/disclosures do not permit using or disclosing PHI to investigate or impose liability upon someone for seeking, obtaining, providing, or facilitating lawful reproductive health care, or using or disclosing PHI to identify someone for either of those purposes. Do these prohibitions apply to PHI generally, or just PHI about reproductive health care?

A1: The three new prohibited uses/disclosures apply to all types of PHI- not just information about a patient’s reproductive health care. Many health records that do not on their face seem relevant to reproductive health care may, in fact, contain snippets of reproductive health information. For example, records pertaining to a heart surgery might include information about pregnancy status, date of last menses, current medications (including contraception), etc. that could be relevant to how the heart surgery is performed. HHS has applied the prohibitions against the three impermissible uses and disclosures to all PHI in recognition that information related to reproductive health may appear in many places in someone’s health record.

What does this mean in practice? If a covered entity received a request for an individual’s heart surgery records, and the PHI in those records will be used to help investigate that individual’s receipt of lawful reproductive health care, then the covered entity would be prohibited from disclosing the heart surgery records for that purpose.

Q2: How will a covered entity/business associate know if someone is requesting PHI for one of the three newly prohibited purposes?

A2: It will not always be easy for a covered entity/business associate to know whether PHI is being requested for one of the three new prohibited purposes; however, the new attestation requirement created by the Final Rule (and found at 45 CFR 164.509) may offer some help to covered entities/business associates in these situations. Under the new attestation requirement, requestors who are seeking access to PHI that is “potentially related” to reproductive health care for one of four purposes- health oversight activities, judicial and administrative proceedings, certain law enforcement uses, and certain coroner/medical examiner uses- will be required to submit an attestation to the covered entity/business associate stating that the requestor will not use the PHI for any of the three newly prohibited purposes. This attestation requirement will be addressed in a forthcoming Coates’ Canons blog post.

Q3: Does “reproductive health care” include gender transition health care?

A3: It is not clear whether HHS intended for gender transition health care to be included under “reproductive health care,” which is defined for the first time by the Final Rule as health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes” (emphasis added). Gender transition health care that relates to a person’s reproductive system, such as orchiectomies, mastectomies, certain hormone therapies, and more, would appear to fall under the new HIPAA definition of “reproductive health care.” As of the publication of this blog post, HHS has not issued any guidance on this point.

Q4: Does HIPAA preempt state laws that require disclosure of PHI pursuant to a court order or other type of legal process for one of HIPAA’s three new prohibited uses/disclosures?

A4: Yes. HHS addressed this question in the preamble to the Final Rule: “[…] consistent with [HHS’s] HIPAA authority, the prohibition would preempt state or other laws requiring a regulated entity to use or disclose PHI in response to a court order or other type of legal process for a purpose prohibited under [45 CFR 164.502(a)(5)(iii)].”

Additional Resources

During a June 20, 2024 webinar on the Final Rule, HHS indicated that it would continue to update and add to its existing guidance on the Final Rule, which is available here.

Questions?

A related blog post is forthcoming and will address the 2024 HIPAA Final Rule’s new attestation requirement related to reproductive health care information. In the meantime, if you have questions about these three new prohibited uses and disclosures of PHI under HIPAA, feel free to send me an email at kirsten@sog.unc.edu.

 

This blog post is published and posted online by the School of Government for educational purposes. For more information, visit the School’s website at www.sog.unc.edu.
