Biden Administration Updates HIPAA to Protect the Privacy of Reproductive Health Care

7 minute read | April.30.2024

The Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), has issued a final rule updating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in an effort to better protect data related to reproductive health.

The rule comes in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. Following that decision, multiple states passed laws to criminalize having, providing, or aiding and abetting abortion. The final rule is designed to support the Biden administration’s policy to protect access to reproductive health care in response to these laws.

The final rule will prohibit using or disclosing protected health information (PHI) for certain purposes related to penalizing a person for accessing, seeking access to, or facilitating reproductive health care. This prohibition will apply to both covered entities and business associates. The final rule also will require nearly all covered entities to update their Notice of Privacy Practices (NPP).

What is prohibited?

The final rule will prohibit covered entities and business associates from using or disclosing PHI for either of the following non-health care purposes:

To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
The identification of any person for the purpose of conducting such an investigation or imposing such liability.

How will the prohibition apply in practice?

In practice, the prohibition will apply when a covered entity or business associate has “reasonably determined” that:

The reproductive health care is lawful under the law of the state in which the health care is provided under the circumstances in which it is provided. For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided. For example, if the reproductive health care, such as contraception, is protected by the Constitution.
The reproductive health care was provided by a person other than the covered entity or business associate in possession of the PHI, and the presumption created by the final rule (described below) applies.

What presumption does the final rule create?

When a covered entity or business associate possesses PHI related to reproductive health care provided by a person other than the covered entity or business associate, the final rule will create a presumption that the care was lawful. The presumption will apply unless the covered entity or business associate has either of the following:

Actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided. For example, an individual discloses to their doctor that they obtained reproductive health care from an unlicensed person and the doctor knows that a licensed health care provider must provide the specific reproductive health care.
Factual information from the person making the request for the use or disclosure of PHI that demonstrates a “substantial factual basis” that the reproductive health care was not lawful under the circumstances in which it was provided. For example, a law enforcement official provides a health plan with evidence that the information being requested is reproductive health care that was provided by an unlicensed person where the law requires a licensed health care provider to provide such health care.

How do companies ensure a use or disclosure is not for a prohibited purpose?

Where the prohibition does not apply outright, the final rule will require a covered entity or business associate that receives a request for PHI potentially related to reproductive health care to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. The requirement is designed to provide a way for entities that receive a request to obtain written representations from the requestor that the request is not for a prohibited purpose.

This attestation requirement applies when the PHI request is for:

Health oversight activities.
Judicial and administrative proceedings.
Law enforcement purposes.
Disclosures about decedents to coroners and medical examiners.

The final rule includes form and content requirements for the attestation, including a statement that the use or disclosure is not for a prohibited purpose and that a person may be subject to criminal penalties for obtaining individually identifiable health information in violation of HIPAA. OCR will publish model attestation language before the compliance date.

Do companies need to update their Notices of Privacy Practices?

The final rule will add several new content requirements for NPPs. All covered entities that maintain an NPP will likely need to revise it prior to the updated provisions coming into effect. The final rule updates NPP disclosure requirements to include a description, including at least one example, of the types of:

Prohibited uses and disclosures of PHI in terms of reproductive health care in sufficient detail for an individual to understand the prohibition.
Uses and disclosures of PHI related to reproductive health care for which an attestation is required.

Additionally, the final rule requires covered entities that handle certain substance use disorder (SUD) patient records subject to 42 CFR Part 2 to update their NPPs to comply with a recent comprehensive update to the Part 2 regulations.

What new definitions does the final rule add?

The final rule will define public health, a term used throughout the HIPAA regulations but not previously defined, to mean population-level activities to prevent disease in and promote the health of populations. Such activities include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of protected health information.

Explicitly excluded from the definition of public health are any activities conducted with any of the following purposes:

To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care.
To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care.
To identify any person for any of the above activities.

These exceptions mirror uses or disclosures of PHI prohibited under the final rule.

Reproductive health care will mean health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. The term should be broadly construed. It will include:

Contraception, including emergency contraception.
Management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, and pregnancy termination.
Fertility and infertility diagnosis and treatment.
Diagnosis and treatment of conditions that affect the reproductive system (e.g., menopause and endometriosis).
Other types of care, services and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, and postpartum care products).

The definition does not set a standard of care for or regulate what constitutes clinically appropriate reproductive health care.

When must companies comply?

The final rule will become effective on June 25, 2024. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule (i.e., until December 23, 2024) to comply with most of the final rule’s provisions.

The compliance date for the NPP provisions will be on February 16, 2026, to align with the compliance date for the updated Part 2 regulations. This will permit covered entities to implement all required changes to their NPPs by the same date.

The health data compliance landscape in the United States is rapidly evolving. We encourage any company managing PHI or other types of health data to routinely engage with counsel to ensure compliance. The Orrick team is monitoring updates and is available to support your organization’s compliance needs. We can help you build and enhance HIPAA and consumer health data compliance programs that are tailored to your organization. Please contact the authors, Thora Johnson or Cosmas Robless, or another Orrick team member, if you have questions.

Authors

Thora Johnson Partner, Life Sciences & HealthTech, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Life Sciences & HealthTech
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora works with medical device, pharmaceutical, biotech and digital health companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.

Her breadth and depth of experience enable Thora to assist clients in harnessing the power of artificial intelligence and executing data-sharing arrangements, all while protecting health data. As a result, Thora spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.

Thora brings extensive experience counseling clients, including Fortune 500 companies and brick and mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
State consumer privacy laws with special controls for health data
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans

Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and State AGs, among others.

Cosmas Robless Associate, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

D:+1 202 339 8663
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation

vCard

See full bio

Cosmas Robless Associate

Washington, D.C.

Cosmas provides guidance on issues relating to numerous privacy and cybersecurity laws, including the U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states, state data breach notification laws, and Europe’s General Data Protection Regulation (GDPR).

Cosmas graduated with honors from Harvard Law School. During law school, he participated in the Berkman Klein Center's Cyberlaw Clinic, completed a clinical placement in the Securities, Financial & Cyber Fraud Unit of the United States Attorney’s Office for the District of Massachusetts, and interned with the Special Assistant for Legal & Legislative Matters to the Secretary of the Navy. Prior to law school, Cosmas served as a submarine officer in the U.S. Navy.

Cosmas is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in the United States (CIPP/US).