Privacy in the Post Roe v. Wade World: How Could Proposed HIPAA Restrictions on Reproductive PHI Affect Labs?
Key points labs should know about the recently proposed OCR rule on privacy protections for PHI associated with reproductive health care.
The legal battle over abortion rights may have major compliance ramifications for your lab, especially if you provide diagnostic testing for reproductive care or pathology services associated with stillbirth post-mortems. One key issue is the medical privacy of patients considering abortion or other services that may be restricted under state law now that the US Supreme Court has overturned Roe v. Wade. Two weeks after the controversial ruling in Dobbs v. Jackson Women’s Health Organization, President Biden issued an Executive Order directing the Department of Health and Human Services (HHS) to submit a report to him on ways the department can “protect and expand access to abortion care” as well as “protect and expand access to the full range of reproductive healthcare services.”1
Although the EO didn’t direct the HHS to update patient-provider confidentiality, the agency decided to proceed with proposals for amending Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. On April 17, 2023, the HHS’s Office for Civil Rights (OCR)—the agency in charge of enforcing HIPAA—issued a Notice of Proposed Rulemaking (NPR) purporting to bolster privacy protections for PHI associated with reproductive health care.2 Here are some key points aiming to help labs ensure compliance with the NPR if it goes into effect.
Question 1. What Does HIPAA Have to Do with Abortion Rights?
Answer: The HIPAA Privacy Rule makes it illegal for labs and other providers to collect, use, and disclose an individual’s protected health information (PHI) without their authorization unless the use or disclosure meets an exception. The definition of PHI as “individually identifiable health information” transmitted by or maintained in electronic media or any other form or medium is broad enough to include the lab test results of reproductive care patients.3 HIPAA’s general prohibition on the use or disclosure of PHI is subject to exceptions permitting—but not requiring—the use and disclosure of PHI for designated purposes, such as treatment, payment, and healthcare operations, among others. One exception allowing for disclosure of PHI without authorization is for law enforcement.
The Dobbs decision casts a different light on the law enforcement exception since it ousts the federal government from regulating abortion access, allowing states unfettered latitude to adopt or ease restrictions. If a state adopts tighter abortion restrictions, the PHI law enforcement exception comes into play. In issuing the NPR, HHS expressed concern that state law changes might embolden law enforcement agencies to request health information associated with abortion-related care that may be newly restricted or banned by a state. As previous OCR guidance notes, providers don’t need authorization from the patient to disclose PHI when:4
- The disclosure is required by another law. Example: A state may adopt a law requiring hospitals to report individuals seeking an abortion after six weeks to law enforcement.
- The disclosure is for law enforcement purposes “pursuant to process and as otherwise required by law.” Example: A police officer in a state where abortion limits apply could get a court order requiring a reproductive healthcare clinic to turn over records of all abortions performed at the clinic.
- The provider believes, in good faith, that the disclosure is necessary to prevent or reduce a serious and imminent threat to health or safety, and the disclosure is to a person who’s reasonably able to prevent or lessen the threat. Example: A pregnant patient in a state that bans abortion tells her doctor that she plans to get an abortion in another state where abortion is legal.
Question 2. Why Did OCR Issue the Proposed Rule?
Answer: The purpose of the NPR is to set a higher standard for using or disclosing reproductive health care PHI when law enforcement is investigating lawfully provided reproductive health care. HHS argues that the changes are needed so individuals can “maintain a relationship of trust” with their providers, as well as to safeguard pregnant individuals’ mental health and support victims of rape, incest, and sex trafficking. In the preamble to the proposed rule, the OCR expresses concern that the disclosures the current HIPAA Privacy Rule allows to law enforcement could “chill individuals’ willingness to seek lawful treatment or to provide full information to their healthcare providers when obtaining that treatment.”2
Some experts have questioned OCR’s reasoning since the current HIPAA rules already allow disclosures to law enforcement for lawful services, notes Ryan Meade, a law professor at the University of Oxford. “The NPR proposals do not protect information associated with unlawful services just as HIPAA currently does not protect information associated with unlawful activity.”
Question 3. Whom Does the Proposed Rule Cover?
Answer: The proposed rule would apply to HIPAA “covered entities” and their “business associates.” The former includes medical labs that provide testing or other services to patients. As the NPR notes, the rule wouldn’t apply to individuals’ health information in the possession of a person that’s not a covered entity or business associate, such as a friend or family member, or information that’s stored on a personal cellphone or tablet.
Question 4. What Does the Proposed Rule Cover?
Answer: Current HIPAA protections apply to health care, which the HIPAA Privacy Rule defines as “care, services, or supplies related to the health of an individual.”3 OCR wants to add a new form of protected sensitive health information for “reproductive health care,” covering “care, services or supplies related to the reproductive health of the individual.”2 Meade—an expert in bioethics, healthcare policy, and US administrative law and regulatory compliance—says that a key problem with the NPR is that this definition is circular and, in essence, not a definition at all. OCR acknowledges that the definition of reproductive health care is a work in progress and intends for it to be broad in scope, potentially covering:
- contraception and emergency contraception;
- pregnancy-related care, including but not limited to miscarriage management, molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, prenatal care, and similar or related care;
- fertility or infertility-related care; and
- other forms of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system or organs, “regardless of whether the health care is related to an individual’s pregnancy or whether the individual is of reproductive age.”2
Based on this definition, the regulation would likely affect labs that perform any form of pregnancy and prenatal testing, as well as testing related to infertility and pregnancy loss, cancers, and infections of the reproductive tract.
Question 5. What Are the New Disclosure Limits?
Answer: The NPR bans not only the disclosure but also the use of reproductive healthcare PHI requested by law enforcement officials who are investigating lawful reproductive health care, unless the patient signs a HIPAA authorization. The addition of “use” extends the restriction to the internal flow of PHI within an organization, notes Meade. Specifically, under the NPR, it would be illegal for labs and other covered entities and their business associates to use and disclose PHI:2
- for a “criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care,” or
- to identify any person for purposes of initiating any such action described in the first bullet.
Meade notes that a critical feature of the proposed rule is that the prohibition would apply only when law enforcement is investigating a reproductive healthcare service that is, according to the proposed rule, “lawful in the state in which it is provided” or “protected, required, or authorized by federal law,” or when any other acts that are “authorized and…permitted by the law of that state” are being investigated.2
In other words, the NPR does not—and is not intended to—preempt state laws restricting abortion rights. Uses and disclosures of reproductive healthcare service PHI without a patient authorization would still be permitted where those uses and disclosures are required by the state’s law for law enforcement investigations, third-party investigations in civil proceedings, state licensure proceedings, criminal prosecutions, and family law proceedings. Of course, those activities may involve inquiries about illegally obtaining reproductive healthcare services.
Bottom Line: “The proposed regulations are complex and narrow and generally don’t give reproductive healthcare PHI special protections unless very specific circumstances occur,” says Meade.
Question 6. What Are the New Attestation Rules?
Answer: The other significant change to the HIPAA Privacy Rule in the NPR is a new requirement that labs and other covered entities asked to provide PHI related to reproductive health care must get a signed attestation from the individual requesting the PHI confirming that they won’t use or disclose the information for a prohibited purpose. Making a knowingly false attestation to obtain an individual’s reproductive healthcare PHI would be deemed a HIPAA violation carrying the risk of civil and criminal penalties. Attestations would be required for uses and disclosures involving:2
- health oversight activities,
- court and administrative proceedings,
- law enforcement purposes, or
- disclosures to coroners and medical examiners.
OCR indicates it will use the HIPAA authorization as a model for the attestation and that it might even develop a model form.
Question 7. What Is the Status of the New NPR?
Answer: The new HIPAA rules for reproductive healthcare PHI are not currently in effect. Public comments on the NPR closed on June 16, 2023. Now, it’s up to the OCR to issue a final rule. If that happens, the final rule would go into effect 60 days after publication. Covered entities and business associates would then likely have at least 180 days to comply.
According to Meade, it’s hard to say when or even if the HHS will move forward with a final rule, considering the problems with the language and definitions. Meade adds that the HHS has a history of letting proposed rules sit for many years without publishing anything final or withdrawing the proposed rule.
“As more time passes, HHS is also probably wondering whether the amendments are even needed,” Meade adds. “It may be very rare for a healthcare organization to receive a law enforcement request from out of state for PHI reflecting services that are legal in the covered entity’s state but not legal in the requesting state.”
Question 8. What Will Labs Have to Do to Comply?
Answer: If OCR finalizes the NPR, labs and other providers will have to modify their HIPAA Notice of Privacy Practices (NPP) to incorporate the new reproductive health information authorization and attestation requirements. For now, Meade advises providers to wait to see if OCR finalizes the NPR and, if so, what that rule says before taking any action. After all, without a true definition of reproductive health care and clarification of the types of information that may be used or disclosed during law enforcement investigations, covered entities and their business associates won’t know what to include in their NPPs. “If the definitions aren’t revised, it’s going to be a challenge to add anything meaningful to the NPP in sufficient detail for an individual to understand the reproductive health use and disclosure prohibition,” says Meade.