BY Colleen Byrom and Beth Anne Jackson, Brown, and Fortunato
The political battle between state abortion laws and federal laws and regulations wages on as providers struggle to remain in compliance with both sets of laws. Texas’s abortion law is no exception and has faced its own enforcement challenges. The newest challenge on the horizon comes in the form of modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule regulations.
On April 12, 2023, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) proposed modifications to the HIPAA Privacy Rule regulations relating to protection of an individual’s reproductive health care information.
HHS believes that the modifications are necessary to maintain patient trust with their health care providers in a post-Dobbs world. Further, HHS has the growing concern that such reproductive health information will be disclosed to achieve “certain public policy goals” and that personal health information (PHI) will be sought out to as evidence for criminal, civil, and administrative investigations or proceedings against persons seeking, obtaining, providing, or facilitating reproductive health care, even in states where the procedure is legal.
Under the proposed rule, an individual’s reproductive health care PHI may not be used or disclosed for “a criminal, civil, or administrative investigation of or proceeding against an individual, regulated entity, or other person for seeking, obtaining, providing, of facilitating reproductive health care,” or “to identify any person for the purpose of initiating such an investigation or proceeding.”
Further, such prohibited use and disclosure applies when reproductive health care: is provided outside of the state where the investigation or proceeding is authorized and where such health care is lawfully provided; is protected, required, or authorized by Federal law, regardless of the state in which such health care is provided; or is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state.
The proposed rule defines “reproductive health care” to mean “care, services, or supplies related to the reproductive health of the individual” and is intended to be broadly defined to include miscarriage management, molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, prenatal care, and similar or related care.
The proposed rule also puts in place a new attestation requirement. Prior to using or disclosing PHI that potentially relates to reproductive healthcare, a covered entity or business associate must obtain a written attestation from the person requesting the PHI. The attestation must be signed, dated, and include a written statement attesting that the use or disclosure of the requested PHI will not be used for a prohibited purpose. The attestation requirement applies when a request for PHI is made in any of the following circumstances: health oversight activities, judicial and administrative proceedings, law enforcement purposes and disclosures to coroners and medical examiners. The attestation may not be combined with another document (e.g., a subpoena), and the covered entity must cease to use or disclose the PHI upon discovering information that reasonably shows that the representations in the attestation are false.
HHS’s commentary within the rule’s preamble acknowledges that if finalized, the rule will preempt state abortion ban laws. This will include certain provisions of the Texas Heartbeat Act (“Heartbeat Act”). Signed into law on May 19, 2021, the Heartbeat Act prohibits a physician from knowingly performing or inducing an abortion if the physician has “detected a fetal heartbeat for the unborn child . . . or failed to perform a test to detect a fetal heartbeat.” The Heartbeat Act also permits a private citizen to bring a civil action against an individual who performs or induces an illegal abortion, aids, or abets in the performance or inducement of an abortion, or intends to perform, induce, or aid in an illegal abortion.
If finalized, HHS’s proposed rule would put a Texas covered entity (or business associate) in an untenable position when faced with a civil investigation pursuant to the Heartbeat Act. For example, if a Texas covered entity’s patient obtains an abortion in a state where the procedure is legal, the new rule would prohibit that entity from disclosing its patient’s reproductive health PHI in response to a court order for a law enforcement investigation. HHS warns that such a disclosure would be in violation of the new rule and would result in a potential OCR investigation and civil money penalty, while non-disclosure risks violation of the Heartbeat Act.
HHS’s proposed rule highlights the ever-shifting landscape that complicates providers’ ability to comply with both state and federal law. Providers must remain vigilant in monitoring developments in federal laws and rules that may have a direct impact on their compliance with state law, including any potential legal challenges to the proposed HIPAA rule.