OCR finalizes HIPAA Privacy Rule to Support Reproductive Health Care Privacy

On April 22, 2024, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the long-awaited HIPAA Privacy Rule To Support Reproductive Health Care Privacy (the Final Rule), which arrives almost two years after the Supreme Court’s decision in Dobbs v. Jackson Women's Health Organization in 2022. The Final Rule remains largely consistent with the previously discussed proposed rule, and is effective on June 25, 2024, with a compliance date of December 22, 2024.[1]

In the Final Rule, OCR amends provisions of the Standards for Privacy of Individually Identifiable Health Information (the HIPAA Privacy Rule) to strengthen privacy protections for individuals’ protected health information (PHI) related to sensitive reproductive healthcare information, setting minimum protections for this type of PHI. These minimum protections are implemented via four mechanisms:

1. Prohibition (prohibiting the disclosure of PHI in certain circumstances)
2. Presumption (presuming the lawfulness of reproductive healthcare obtained)
3. Attestation (finalizing an attestation requirement for persons requesting reproductive healthcare PHI), and
4. Updates to covered entities’ notice of privacy practices (NPP).

Given the contentious national debate over abortion, it would not be surprising if litigation were brought to challenge the provisions of the Final Rule. Such litigation may call into question OCR’s legal basis for the Final Rule, similar to challenges that were weighed by the US District Court for the District of Columbia in the Ciox Health, LLC v. Azar case.[2] Although OCR cites a different statutory provision as the basis for the Final Rule than the one relied upon for the regulation at issue in Ciox, the agency’s adoption of the Final Rule on reproductive healthcare in the absence of a specific authorizing statute will likely be heavily scrutinized.

Prohibition

The HIPAA Privacy Rule is structured to permit, but not require, certain disclosures by covered entities and their business associates (each a Regulated Entity, and together, Regulated Entities) to law enforcement and others, subject to specific conditions. Under the Final Rule, Regulated Entities are now prohibited from using or disclosing PHI regarding reproductive healthcare if it is sought to:

• Conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare
• Impose criminal, civil, or administrative liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare[3] that is lawful under the circumstances in which it is provided, or
• Identify any person for the purpose of investigating or imposing liability (each a Prohibited Purpose, and together, the Prohibition).

Further, the Prohibition applies only where the relevant activity is in connection with any person seeking, obtaining, providing, or facilitating reproductive healthcare, and the Regulated Entity determines that one or more of the following conditions exists:

• The reproductive healthcare is lawful in the state where such healthcare is provided
• The reproductive healthcare is protected, required, or authorized by federal law, including the US Constitution, regardless of the state in which it is provided (eg, the Prohibition would apply if the underlying reproductive healthcare, such as contraception, was protected by the Constitution), and/or
• The Presumption (defined below) applies.

Presumption

In a bid to improve workability for Regulated Entities to assess the legality of care provided by another Regulated Entity, OCR includes a provision in the Final Rule[4] that presumes the lawfulness of the reproductive healthcare provided unless:

• The Regulated Entity has actual knowledge that the reproductive healthcare was not lawful when provided, or
• There is factual information supplied by the person requesting the use or disclosure of such PHI that demonstrates a factual basis that the reproductive healthcare was not lawful when provided (together, the Presumption).

OCR emphasizes that the Final Rule does not create a “blanket presumption” that all reproductive healthcare reflected in a Regulated Entity’s records was lawful under the circumstances in which it was provided. Rather, OCR makes clear that the Presumption applies where the reproductive healthcare at issue is provided by someone other than the Regulated Entity that received the request for the use of disclosure of PHI, and the request for PHI involving reproductive healthcare is for a Prohibited Purpose.

Attestation

As previously proposed, OCR sought to require Regulated Entities receiving a request for PHI potentially related to reproductive healthcare, to obtain a signed attestation, in certain circumstances, from the requestor that the use or disclosure is not for a Prohibited Purpose (Attestation). The Attestation would put the requestor on notice of the potential criminal penalties for those persons who knowingly, and in violation of HIPAA, obtain, or disclose to another, individually identifiable health information (IIHI) of a person. OCR finalized this proposal in the Final Rule, subject to its existing Privacy Rule permissions under 45 CFR 164.512; the Attestation requirement applies when PHI is requested for:

• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes, or
• Disclosures to coroners and medical examiners.[5]

Similar to the HIPAA rule for authorizations, OCR prohibits an Attestation from being combined with any other document except where required to satisfy the other provisions of HIPAA related to disclosures of PHI involving reproductive healthcare.

Initially, OCR did not extend the Attestation obligation directly to business associates in its proposed rule; a business associate would have only been required to comply with the Attestation requirement if such obligation was explicitly included within its business associate agreement. However, OCR changed course, and, in the Final Rule, holds business associates directly liable for compliance with the Attestation requirement. This is because it determined that both covered entities and business associates process requests for PHI, and it is appropriate for the Attestation requirement to apply to all Regulated Entities. OCR stated that it intends to publish a model Attestation prior to the compliance date of the Final Rule.

Notice of privacy practices

As proposed, OCR would require Regulated Entities to revise their NPPs to support reproductive healthcare privacy; OCR has now finalized this proposal. OCR will require NPPs to comply with detailed content requirements, including a description, and at least one example of: (1) the prohibited types of uses and disclosures of reproductive healthcare, and (2) the types of uses and disclosures requiring an Attestation. Additionally, NPPs must provide an explanation that PHI disclosed pursuant to the HIPAA Privacy Rule may be subject to redisclosure, and no longer protected by the HIPAA Privacy Rule.

Notable changes to definitions

OCR finalized three key definitions. OCR adds and defines “reproductive health care” as “health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”[6] However, OCR notes that this definition “shall not be construed to set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care.”

OCR also adds the term “person,” which was previously not defined under HIPAA, to mean a “natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”

Lastly, OCR defines “public health,” as used in the terms “public health surveillance,” “public health investigation,” or “public health intervention,” to mean population-level activities to prevent disease in and promote the health of populations. In clarifying the term, OCR explains that public health surveillance can include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health and safety of a population, which may include the collection of PHI. However, OCR notes that this term does not include activities with any of the following purposes: conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating healthcare; imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating healthcare; or identifying any person for these purposes.

Key takeaways

OCR’s commentary on the Final Rule suggests that the Presumption afforded to Regulated Entities is not an impenetrable shield against all subpoenas or other law enforcement requests for a person’s reproductive healthcare information. A provider subject to HIPAA who receives an out-of-state subpoena for reproductive healthcare provided to residents of states that restrict access to such care may be caught in the crossfire between state law and the HIPAA Privacy Rule. As we previously indicated in our alert for the proposed rule, unless the state in which the provider operates has adopted a law shielding the provider from cooperation and extradition (in the event of a criminal law), such healthcare providers could be in a situation where state law demands a response, but the HIPAA rule prohibits it.

In light of the Final Rule, Regulated Entities may consider:

• Modifying policies and procedures, as well as workforce training programs
• Creating an attestation form and establishing processes for handling requests for the use or disclosure of PHI relating to reproductive healthcare
• Training workforce members on requests for disclosures of PHI in accordance with the Final Rule, and
• Updating and disseminating NPPs with language that aligns with their operations and the Final Rule.

DLA Piper continues to monitor federal- and state-level developments surrounding and further regulatory guidance on reproductive healthcare privacy. For more information about these developments, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our healthcare or privacy groups.


^{[1] Covered entities and business associates have 180 days beyond the effective date of the Final Rule to comply. Because December 22, 2024 is a Sunday, it is likely that the compliance date will be Monday, December 23, 2024, although OCR does not specifically state this. We separately note that the compliance date for the changes required to a covered entity’s notice of privacy practices is February 16, 2026, to align with the changes required under 42 CFR Part 2 and its separate final rule (89 Fed. Reg. 12472, Feb. 16, 2024).
[2] Ciox Health, LLC v. Azar, 18-cv-00040 APM, at *48-49 (D.D.C. January 23, 2020).
[3] OCR finalized a broad definition for “seeking, obtaining, providing, or facilitating reproductive health care” in the Final Rule to mean expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive healthcare; or attempting any of the same.
[4] 45 CFR 164.502(a)(5)(iii)(C).
[5] See 45 CFR 164.512(g)(1).
[6] The Final Rule also provides guidance on modifications to NPPs relating to confidentiality substance use disorder patient records, which is not analyzed in this alert.}