The US Executive promulgates amendments to the HIPAA Privacy Rule on reproductive healthcare
April 24, 2024
The ongoing political, legal and policy controversy following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”) to overturn Roe v Wade continues to reverberate, including in the area of privacy law. It should be noted that Roe v Wade was in essence a privacy decision. In the majority opinion, written by Justice Harry A. Blackmun, the Court held that a set of Texas statutes criminalizing abortion in most instances violated a constitutional right to privacy, which it found to be implicit in the liberty guarantee of the due process clause of the Fourteenth Amendment (“…nor shall any state deprive any person of life, liberty, or property, without due process of law”). Roe was a controversial decision politically, and increasingly so, but also a decision that attracted significant debate within the legal community. The pillars of a constitutional right to privacy are enumerated provisions of the Bill of Rights.
The response to Dobbs at the Federal level by the Executive has been to strengthen the privacy controls on the collection, use and sharing of health information. Yesterday the White House announced, through the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), a Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy.
Under the Rule there will be a prohibition on the use or disclosure of protected health information (PHI) by a covered healthcare provider, health plan, or healthcare clearinghouse, or their business associate (regulated entities) for:
- conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, where such healthcare is lawful under the circumstances in which it is provided; or
- identifying any person for the purpose of conducting such investigation or imposing such liability.
The above prohibition applies where the regulated entities have reasonably determined the reproductive healthcare:
- is lawful under the law of the State in which healthcare is provided under the circumstances in which it is provided;
- is protected, required, or authorized by Federal law;
- was provided by a person other than a regulated entity that receives the request for PHI.
The Rule stipulates that regulated entities, when receiving a request for PHI potentially related to reproductive healthcare, must obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation applies when the request for PHI is for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners.
Finally, regulated entities, including their workforce members, are only permitted to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive healthcare if the regulated entity is required by law and all applicable conditions are met. Disclosures will only be permitted where the disclosure:
- is not subject to a prohibition;
- is required by law; and
- meets all applicable conditions of the HIPAA Privacy Rule to use or disclose PHI.
Today, my Administration is strengthening privacy protections under the Health Insurance Portability and Accountability Act as part of our efforts to help protect access to reproductive health care. No one should have their medical records used against them, their doctor, or their loved one just because they sought or received lawful reproductive health care.
Privacy and confidentiality have always been essential to high-quality health care. But today’s rule comes at a time when access to reproductive health care is under attack following the Supreme Court’s decision to overturn Roe v. Wade. In addition to being forced to travel hundreds of miles for care or having their fertility services interrupted because of Republican officials’ extreme out-of-touch agenda, women and their families live in fear that their deeply personal medical information will be disclosed—simply because of the type of care they needed.
The new protections that my Administration is putting in place are an important step forward in our fight to protect access to reproductive health care and ensure patient privacy and peace of mind. By safeguarding patient information, the new rule will help health care providers give complete and accurate information to patients and improve the quality of health care.
Vice President Harris and I will continue to call on Congress to restore the protections of Roe v. Wade in federal law, and my Administration will keep
The Department of Health and Human Services media release provides:
Today, the Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a Final Rule, entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability Act of 1996 (HIPAA) Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. HHS is issuing this Final Rule after hearing from communities that changes were needed to better protect patient confidentiality and prevent medical records from being used against people for providing or obtaining lawful reproductive health care. This Final Rule will bolster patient-provider confidentiality and help promote trust and open communication between individuals and their health care providers or health plans, which is essential for high-quality health care.
“Many Americans are scared their private medical information will be being shared, misused, and disclosed without permission. This has a chilling effect on women visiting a doctor, picking up a prescription from a pharmacy, or taking other necessary actions to support their health,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration is providing stronger protections to people seeking lawful reproductive health care regardless of whether the care is in their home state or if they must cross state lines to get it. With reproductive health under attack by some lawmakers, these protections are more important than ever.”
“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home. Patients and providers are scared, and it impedes their ability to get and to provide accurate information and access safe and legal health care,” said OCR Director Melanie Fontes Rainer. “Today’s rule prohibits the use of protected health information for seeking or providing lawful reproductive health care and helps maintain and improve patient-provider trust that will lead to improved health outcomes and protect patient privacy.”
OCR administers and enforces the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses, and business associates (collectively, “regulated entities”) to safeguard the privacy of PHI and sets limits and conditions on the uses and disclosures of such information. The HIPAA Privacy Rule also gives individuals certain rights over their PHI. In April 2023, OCR published proposed modifications to the HIPAA Privacy Rule to address changes in the legal landscape affecting reproductive health care privacy that make it more likely than before that PHI may be used and disclosed in ways that HIPAA intended to protect. OCR received almost 30,000 comments on the proposed rule from the public. After carefully considering these comments, the Department is issuing a Final Rule that:
- Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
- Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
- Requires regulated health care providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive health care privacy.
The Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) has issued a Final Rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support reproductive health care privacy. This Final Rule is one of many actions taken by HHS to protect access to and privacy of reproductive health care after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization that has led to extreme state abortion bans and other restrictions on reproductive freedom in 21 states. The Final Rule also supports President Biden’s Executive Orders (EOs) on protecting access to reproductive health care. In particular, under EO 14076, President Biden directed HHS to consider taking additional actions, including under HIPAA, to better protect information related to reproductive health care and to bolster patient-provider confidentiality.
Prohibition
The Final Rule strengthens privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a covered health care provider, health plan, or health care clearinghouse—or their business associate—for either of the following activities:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of conducting such investigation or imposing such liability.
Under the Final Rule, the prohibition applies where a covered health care provider, health plan, or health care clearinghouse (covered entities) or business associate (collectively, “regulated entities”) has reasonably determined that one or more of the following conditions exists:
- The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
  - For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
- The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
  - For example, if use of the reproductive health care, such as contraception, is protected by the Constitution.
- The reproductive health care was provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associates) that receives the request for PHI and the presumption described below applies.
The Final Rule continues to permit covered health care providers, health plans, or health care clearinghouses (or business associates) to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for the use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. For example:
- A covered health care provider could continue to use or disclose PHI to defend themselves in an investigation or proceeding related to professional misconduct or negligence where the alleged professional misconduct or negligence involved the provision of reproductive health care.
- A covered health care provider, health plan, or health care clearinghouse (or business associates) could continue to use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care.
- A covered health care provider, health plan, or clearinghouse (or their business associates) could continue to use or disclose PHI to an Inspector General where the PHI is sought to conduct an audit for health oversight purposes.
Presumption
The Final Rule includes a presumption that the reproductive health care provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associates) receiving the request was lawful. In such cases, the reproductive health care is presumed to be lawful under the circumstances in which it was provided unless one of the following conditions is met:
- The covered health care provider, health plan, or clearinghouse (or business associates) has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
  - For example, an individual discloses to their doctor that they obtained reproductive health care from an unlicensed person and the doctor knows that the specific reproductive health care must be provided by a licensed health care provider.
- The covered health care provider, health plan, or health care clearinghouse (or business associates) receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.
  - For example, a law enforcement official provides a health plan with evidence that the information being requested is reproductive health care that was provided by an unlicensed person where the law requires that such health care be provided by a licensed health care provider.
Attestation
To implement the prohibition, the Final Rule requires a covered health care provider, health plan, or health care clearinghouse (or business associates), when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies when the request is for PHI for any of the following:
- Health oversight activities.
- Judicial and administrative proceedings.
- Law enforcement purposes.
- Disclosures to coroners and medical examiners.
The requirement to obtain a signed attestation gives a covered health care provider, health plan, or health care clearinghouse (or business associates) a way of obtaining written representations from persons requesting PHI that their requests are not for a prohibited purpose. Additionally, it puts persons making requests for the use or disclosure of PHI on notice of the potential criminal penalties for those who knowingly and in violation of HIPAA obtain individually identifiable health information (IIHI) relating to an individual or disclose IIHI to another person. We intend to publish model attestation language before the compliance date of this Final Rule.
Notice of Privacy Practices (NPP)
The Final Rule requires covered health care providers, health plans, and health care clearinghouses to revise their NPPs to support reproductive health care privacy. The Final Rule also requires revisions to NPPs to address proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records (“Part 2 NPRM”), as required by or consistent with the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020.
Disclosures to Law Enforcement
The Privacy Rule permits uses or disclosures of PHI without an individual’s authorization only where such uses or disclosures are expressly permitted or required by the Privacy Rule. As explained in OCR guidance, the Privacy Rule permits, but does not require, certain disclosures to law enforcement and others, subject to specific conditions. Thus, covered health care providers, health plans, and health care clearinghouses (and business associates), including their workforce members, are only permitted to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care (lawful or otherwise) if the covered entity or business associate is required by law to do so and all applicable conditions are met. Accordingly, under the Final Rule, such disclosure is only permitted where all three of the following conditions are met:
- The disclosure is not subject to the prohibition.
- The disclosure is required by law.
- The disclosure meets all applicable conditions of the Privacy Rule permission to use or disclose PHI as required by law.
How to file a complaint
If you believe that a HIPAA covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the HHS Office for Civil Rights at: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.