By Elizabeth Neal Pitman and Ashley L. Thomas
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) recently published a Proposed Rule that would amend the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to strengthen privacy protections for reproductive health information. According to OCR, the Proposed Rule is intended to strengthen patient-provider confidentiality and facilitate full exchange of healthcare information between healthcare providers and patients.
As a result of certain state laws passed and pending following the Dobbs v. Jackson Women’s Health Organization decision, there have been growing concerns that law enforcement and others are increasingly likely to request protected health information (PHI) from healthcare providers and others, such as technology vendors, for use against individuals, healthcare providers and others, solely because such persons sought, obtained, provided or facilitated lawful reproductive healthcare services. Developments in the aftermath of Dobbs have made information related to reproductive healthcare more likely to be of interest for punitive non-healthcare purposes. Furthermore, OCR believes that additional privacy protection would reduce the risks that medical records relating to legal reproductive healthcare would be inaccurate or incomplete.
OCR has determined, in accordance with other federal agencies, that information about reproductive healthcare is particularly sensitive and requires heightened protections, similar to the nature and treatment of mental healthcare in psychotherapy notes. OCR acknowledges that, in most cases, information about an individual’s reproductive healthcare includes the kind of highly sensitive information that patients would be reluctant to share if they knew it could be disclosed and used against them, thus leading to inaccurate and incomplete medical records.
OCR set out a proposed definition for reproductive health information (RHI), as a subset of PHI, but recognized the need to establish a shield against certain uses of RHI rather than creating a protected category of information. The proposed restrictions on disclosure are purpose-based as opposed to category-based.
OCR intends to interpret “reproductive healthcare” to include, but not be limited to:
contraception, including emergency contraception
pregnancy-related healthcare, including but not limited to miscarriage management, molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, prenatal care and similar or related care
fertility- or infertility-related healthcare
other types of care, services or supplies used for the diagnosis and treatment of conditions related to the reproductive system
Disclosures of RHI
Under the Proposed Rule, disclosures of PHI would be prohibited when RHI is sought for the purpose of conducting a criminal, civil or administrative investigation into or proceeding against an individual, a healthcare provider or other person in connection with seeking, obtaining, providing or facilitating reproductive healthcare that 1) is provided outside of the state where the investigation or proceeding is authorized and where such healthcare is lawfully provided, 2) is protected, required or authorized by federal law, regardless of the state in which such healthcare is provided, or 3) is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state.
The Proposed Rule would also prohibit a covered entity from using or disclosing an individual’s PHI for the purpose of identifying an individual, healthcare provider or other person for the purpose of initiating such an investigation or proceeding against an individual, a healthcare provider or other person in connection with obtaining or providing reproductive healthcare that is lawful under the circumstances in which it is provided.
Under the HIPAA Privacy Rule as it currently stands, the law permits but does not require certain disclosures to law enforcement and others, subject to specific conditions; these are referred to as “required by law” disclosures. In 2022, OCR published clarifying guidance on the HIPAA Privacy Rule’s requirements around sharing PHI with law enforcement. OCR explained that disclosures for non-healthcare purposes, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to healthcare.
The definition and scope of RHI encompasses a wide range of healthcare providers and business associates and includes over-the-counter medications. State laws that are contrary to the proposed regulations will be preempted by HIPAA.
The Proposed Rule would prohibit disclosure of RHI related to interstate reproductive healthcare services if the services are received in a state where it is lawful to receive such care.
If the reproductive health services sought or obtained are illegal under the law of the state in which the services are provided, there is no protection against disclosure – except in situations where there are federal requirements to provide services (i.e., under the Emergency Medical Treatment and Active Labor Act (EMTALA) or services provided by the U.S. Department of Veterans Affairs). Assuming law enforcement subpoenas or requests for information are otherwise permissible, disclosures of this information would also be permitted. This means that PHI could potentially be disclosed for patients receiving reproductive healthcare in states where the procedure is illegal when the procedure is performed in that state.
If a request is received for PHI that is potentially related to reproductive healthcare, the covered entity or business associate will be required to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This will likely be an administrative burden on healthcare providers to obtain and verify information contained in an attestation. Furthermore, if a healthcare provider becomes aware of an attestation that has been falsified or misrepresented, the healthcare provider may be required to report it as a data breach to the individual and OCR.
The Proposed Rule applies only to HIPAA-covered entities and business associates and does not apply to healthcare apps or products that fall outside of the scope of HIPAA; therefore, direct-to-consumer female technology (FemTech) apps or products may not have the same restrictions with respect to sharing information for law enforcement purposes. Direct-to-consumer health apps and products not offered on behalf of a covered entity are subject to oversight by the Federal Trade Commission (FTC). The FTC has also recognized that information related to personal reproductive matters is “particularly sensitive.” The FTC has published its own guidance indicating that it will pursue enforcement against any unauthorized disclosure made in violation of federal or state law or contrary to the statements made in public privacy notices.
Elizabeth Neal Pitman is a partner in Holland & Knight’s Birmingham office. Ashley L. Thomas is senior counsel in Holland & Knight’s Washington, D.C., office.