
December 12, 2024

Compliance Deadline for HIPAA Reproductive Health Care Privacy Rule Looms While Uncertainty over Future Remains

This Bulletin is brought to you by AHLA’s Health Information and Technology Practice Group.
  • Jennifer Kreick, Haynes and Boone LLP
  • Thomas Tanabe, Haynes and Boone LLP

The Final Rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support reproductive health care privacy (2024 Privacy Rule) requires covered entities and business associates (Regulated Entities) to comply with many provisions beginning December 23, 2024.[1] Complying with the 2024 Privacy Rule will require Regulated Entities to review and update their policies and procedures and ensure personnel are properly trained on the new requirements. However, recent events have made the future of the 2024 Privacy Rule and its enforcement unclear.

2024 Privacy Rule Background

On April 26, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued the 2024 Privacy Rule to modify the Standards for Privacy of Individually Identifiable Health Information (2000 Privacy Rule)[2] issued pursuant to HIPAA to protect the access to and privacy of reproductive health care.[3] The 2024 Privacy Rule was issued as a response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization[4] to address concerns that an individual’s protected health information (PHI) related to lawful reproductive health care may be disclosed and used for non-health care purposes, such as conducting investigations against, or to impose liability upon, an individual, health care provider, or another person.[5]

Key Elements of the 2024 Privacy Rule

The 2024 Privacy Rule defines “reproductive health care” broadly to include health care as it “affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This could potentially include information not only related to pregnancy and abortion care but related to medications (such as hormone replacement therapy, birth control, or erectile dysfunction medication), procedures (such as mastectomies or hysterectomies), or notes related to the reproductive system (such as date of last period). This information is not easily identified and may be found in various locations in a medical record, including in notes obtained from other providers, which makes compliance difficult for Regulated Entities who likely do not have the resources to manually review each record for PHI related to lawful reproductive health care.

Compliance with the 2024 Privacy Rule requires the following:[6]

Prohibits Uses and Disclosures of PHI for Reproductive Health Care[7]

  • The 2024 Privacy Rule includes a purpose-based prohibition that prohibits Regulated Entities from using or disclosing PHI for any of the following activities:
    • To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.[8]
    • To identify any person for any purpose described above.
  • The prohibition only applies where the relevant activity is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care, and the Regulated Entity that received the request for PHI has reasonably determined that one or more of the following conditions exists:
    • The reproductive health care is lawful under the state law in which such health care is provided and under the circumstances in which it is provided.
    • The reproductive health care is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided.
  • The 2024 Privacy Rule applies a “presumption” that reproductive health care provided by another person is presumed lawful unless a Regulated Entity has either (1) actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or (2) factual information supplied by the person requesting the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

Requires a Valid Attestation for Certain Uses and Disclosures of PHI[9]

  • Regulated Entities may not use or disclose PHI potentially related to reproductive health care for (1) health oversight activities, (2) judicial and administrative proceedings, (3) law enforcement purposes, or (4) disclosures to coroners and medical examiners about decedents, without obtaining a valid attestation from the requestor.
  • The 2024 Privacy Rule outlines the requirements for a valid attestation including requiring clear statements that (1) the use or disclosure is not for a prohibited purpose, and (2) a person may be subject to criminal penalties for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA.[10]
  • A Regulated Entity is not in compliance with the attestation requirements if the attestation is defective. The 2024 Privacy Rule provides several examples of what constitutes a defective attestation, including:
    • An attestation lacking a required element or statement, containing an element or statement that is not required, or combining the attestation with other documents that are not required to satisfy the attestation requirements.
    • A Regulated Entity having actual knowledge that material information in the attestation is false.
    • A reasonable Regulated Entity in the same position would not believe the attestation's statement that the use or disclosure is not for a prohibited purpose.
  • If a Regulated Entity discovers information reasonably showing that any representation made in the attestation was materially false while using or disclosing PHI, the Regulated Entity must cease the use or disclosure.

Compliance and Enforcement of the 2024 Privacy Rule

Compliance with the 2024 Privacy Rule’s requirements related to the use and disclosure of PHI related to reproductive health care described above commences on December 23, 2024. Failing to comply with the 2024 Privacy Rule may result in civil penalties and criminal liability under HIPAA.[11] For example, on November 26, 2024, OCR announced a settlement with a Pennsylvania hospital concerning an alleged violation of the HIPAA Privacy Rule due to an impermissible disclosure of PHI, including information related to reproductive health care.[12] The hospital allegedly disclosed a female patient’s full medical record (including the patient’s surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care) to the patient’s prospective employer when the patient had authorized the release of only one specific test result unrelated to her reproductive health.[13] In its press release, OCR states that it is “committed to ensuring the privacy of lawful reproductive health care” and “enforces the HIPAA Rules that protect the privacy and security of peoples’ health information.”[14] Although the enforcement action relied on the 2000 Privacy Rule, it indicates OCR’s intent to protect PHI related to reproductive health care and potentially its willingness to enforce the 2024 Privacy Rule. Yet the 2024 Privacy Rule poses significant compliance challenges given the broad definition of reproductive health care.[15]

Recent Events’ Potential Impact on the Future of the 2024 Privacy Rule and Its Enforcement

Lawsuits Challenging HIPAA Privacy Rules

Two pending lawsuits in the U.S. District Court for the Northern District of Texas are challenging the 2024 Privacy Rule.

On September 4, 2024, Texas Attorney General Ken Paxton filed a lawsuit against HHS challenging both the 2000 Privacy Rule and the 2024 Privacy Rule.[16] In the suit, Texas alleges that both privacy rules unlawfully prevent states from using their investigative authority, violate the Administrative Procedure Act, and exceed the authority granted by Congress.[17] The complaint further references at least one instance where a covered entity cited the 2024 Privacy Rule as a reason for not complying with a Texas subpoena.[18] As relief, Texas asks the court to invalidate both the 2000 Privacy Rule and the 2024 Privacy Rule.[19]

On October 21, 2024, Alliance Defending Freedom (ADF), on behalf of a Texas physician and her practice, filed a similar lawsuit against HHS challenging the 2024 Privacy Rule.[20] The ADF argues in the complaint that the 2024 Privacy Rule interferes with a doctor’s legal obligations to comply with state law and report suspected child abuse.[21] In both the ADF’s complaint and subsequent motion for preliminary injunction, the ADF asks the court to issue a preliminary injunction and enjoin the 2024 Privacy Rule before its compliance date on December 23, 2024.[22]

Both lawsuits create uncertainty regarding the 2024 Privacy Rule’s future implementation. If the court sides with the plaintiffs in either case, the 2024 Privacy Rule could be invalidated or its enforcement enjoined.

Potential Impact of Change in Administration

With President-elect Donald Trump’s upcoming inauguration in January 2025, it is uncertain whether the 2024 Privacy Rule will survive under his second administration. President Trump’s first administration featured numerous actions aimed at curbing access to certain reproductive health care, including the appointment of conservative federal judges who helped pave the way for the Dobbs decision. Additionally, former officials in President Trump’s first administration have publicly attacked the 2024 Privacy Rule.[23] Looking toward Trump’s second term, Trump and his administration could begin rolling back the 2024 Privacy Rule through actions such as repealing or revising the rule, issuing an executive order instructing OCR not to enforce the rule, or declining to defend the rule as it is challenged in the courts.

Moving Forward, What’s Next?

While the 2024 Privacy Rule represents ongoing efforts to protect the privacy of reproductive health care, its future remains uncertain amid recent challenges and potential changes in policy perspective. The ADF’s lawsuit could stop the 2024 Privacy Rule from taking effect prior to its compliance date, while Paxton’s lawsuit or actions taken by Trump’s administration after his inauguration in January could lead to a short compliance period. Nevertheless, there is still risk in failing to comply, as OCR or state attorneys general could potentially enforce the 2024 Privacy Rule if it is not enjoined. Further, state laws may impose their own restrictions on the use or disclosure of information related to reproductive health care. Regulated Entities must remain vigilant, monitor developments closely, and be prepared to comply with the applicable provisions of the rule starting December 23, 2024.


[1] 89 Fed. Reg. 32976 (Apr. 26, 2024). The compliance date for revisions to Notices of Privacy Practices is delayed until February 16, 2026 because of the significant changes required for compliance.

[2] 65 Fed. Reg. 82462 (Dec. 28, 2000).

[3] 89 Fed. Reg. 32976.

[4] 597 U.S. 215 (2022).

[5] 89 Fed. Reg. 32976. The 2024 Final Rule also supports President Biden’s Executive Order 14076 directing HHS to consider actions to strengthen the protection of sensitive information related to reproductive health care services and bolster patient-provider confidentiality. Exec. Order No. 14076, 87 Fed. Reg. 42053 (Jul. 8, 2022), https://www.federalregister.gov/documents/2022/07/13/2022-15138/protecting-access-to-reproductive-healthcare-services.

[6] This list is non-exhaustive of all the changes the 2024 Privacy Rule brings to HIPAA. See 89 Fed. Reg. 32976.

[7] 45 C.F.R. § 164.502(a)(5)(iii).

[8] Seeking, obtaining, providing, or facilitating reproductive health care includes, but is not limited to expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care, or attempting any of the same. 45 C.F.R. § 164.502(a)(5)(iii)(D).

[9] 45 C.F.R. § 164.509.

[10] HHS has made a model attestation to comply with the 2024 Privacy Rule available at https://www.hhs.gov/sites/default/files/model-attestation.pdf.

[11] 89 Fed. Reg. 32976; see also 42 U.S.C. §§ 1320d-5 to -6.

[12] The Pennsylvania hospital agreed to pay $35,581 and implement a corrective action plan that identifies several steps the hospital will take to comply with HIPAA Rules over the course of two years. See HHS, HHS Office for Civil Rights Settles with Holy Redeemer Hospital Over Disclosure of Patient’s Protected Health Information, Including Reproductive Health Information (Nov. 26, 2024), https://www.hhs.gov/about/news/2024/11/26/hhs-office-civil-rights-settles-holy-redeemer-hospital-disclosure-patients-protected-health-information-including-reproductive-health-information.html.

[13] Id.

[14] Id.

[15] For example, Regulated Entities may struggle with whether to forego trying to identify records that may contain PHI related to reproductive health care and instead require an attestation for any disclosure that may implicate one of the four purposes, particularly when law enforcement or government entities may be unwilling to provide the attestation or when such requirement could potentially implicate information blocking rules.

[16] Tex.’s Original Compl. ¶¶ 1-3, Texas v. U.S. Dep’t of Health and Human Servs., No. 5:24-cv-00204-H (N.D. Tex. Sept. 4, 2024), https://www.texasattorneygeneral.gov/sites/default/files/images/press/HHS%20HIPAA%20Rule%20Complaint%20Filed.pdf.

[17] Id. at ¶¶ 8, 65-74.

[18] Id. at ¶ 88.

[19] Id. at ¶ 9.

[20] Compl. ¶¶ 1-9, Purl v. U.S. Dep’t of Health and Human Servs., No. 2:24-cv-00228-Z (N.D. Tex. Oct. 21, 2024), https://adfmedialegalfiles.blob.core.windows.net/files/PurlComplaint.pdf.

[21] Id. at ¶¶ 77-98.

[22] Id. at ¶ 9; Plaintiff’s Motion for Preliminary Injunction and Brief in Support at 24, Purl v. U.S. Dep’t of Health and Human Servs., No. 2:24-cv-00228-Z (N.D. Tex. Nov. 12, 2024), https://adflegal.org/wp-content/uploads/2024/11/purl-v-us-hhs-2024-11-12-plaintiffs-mpi-and-brief-in-support.pdf.

[23] For example, Roger Severino, former Director of OCR during Trump’s first administration, publicly attacked the 2024 Privacy Rule during its Notice of Proposed Rulemaking period. Heritage Foundation, Heritage VP: HHS Should Not Make It Harder to Investigate Crimes (Jun. 21, 2023), https://www.heritage.org/press/heritage-vp-hhs-should-not-make-it-harder-investigate-crimes.
