Just Say No!  HIPAA and Requests for Reproductive Health Information

Jacquie Abbott, of counsel in the Vorys Houston office, co-authored an article for the Health Law Section of the American Bar Association's (ABA) eSource titled "Just Say No!  HIPAA and Requests for Reproductive Health Information."

The full text of the article is included below with permission from the ABA. 

Just Say No!  HIPAA and Requests for Reproductive Health Information

On April 22, 2024, the Office of Civil Rights issued a Final Rule titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (2024 Final Privacy Rule).¹ The 2024 Final Privacy Rule is a narrowing of the general Health Insurance Portability and Accountability Act (HIPAA) disclosure rule that allows covered entities to disclose protected health information (PHI) in specified instances. Although other laws may require additional disclosures, to comply with the 2024 Final Privacy Rule, a covered entity is only required to disclose PHI to the individual the PHI belongs to and to the individual’s personal representative. All other disclosures are permissive. This Final Rule is one of many actions taken by the U.S. Department of Health and Human Services (HHS) to protect access to and privacy of reproductive healthcare after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization that has led to state abortion bans and other restrictions.

This article proposes that covered entities only make the required HIPAA disclosures and discusses compliance hurdles that covered entities may face when refusing to provide requested information in permissive circumstances. This discussion and the suggestions are restricted to the context of reproductive healthcare.

Protecting Patient Privacy Relating to Reproductive Health Services

Two weeks after, and in response to, the Dobbs decision, President Biden signed Executive Order 14076, Protecting Access to Reproductive Healthcare Services.² The Executive Order set forth a plan for the federal government to “protect healthcare service delivery and promote access to critical reproductive healthcare services, including abortion,” in line with the Biden Administration’s pro-choice policy.³ In addition to protecting access itself, one of the components of the Executive Order was the protection of privacy, safety, and security, including patient data related to reproductive healthcare services.⁴

The Executive Order directed the Secretary of HHS and the Director of the Gender Policy Council to create an Interagency Task Force on Reproductive Healthcare Access in furtherance of the goals presented.⁵ One of the steps taken to “protect and strengthen access to contraception” was the modification of HIPAA to strengthen privacy protections by prohibiting physicians, other providers, and health plans from using or disclosing individuals’ PHI related to lawful reproductive healthcare.⁶

The 2024 Final Privacy Rule amended 45 CFR 164.512 (and other provisions on the use and disclosure of PHI) by:

• Applying the prohibition and attestation condition to certain permitted uses and disclosures
• Clarifying that providing or facilitating reproductive health care is not abuse, neglect, or domestic violence
• Clarifying the permission for disclosures based on administrative processes; and
• Applying the attestation to a request for information on current processes for receiving and addressing requests pursuant to 164.512(d) through (g)(1).⁷

State Abortion Bans

Since Dobbs v. Jackson Women’s Health Organization overturned Roe v. Wade in 2022, 22 states have enacted abortion bans or restrictions.⁸ In 14 of those states, abortion is banned in almost all circumstances.⁹ The remaining seven states have gestational limits, banning abortion after a designated number of weeks of pregnancy.¹⁰ The most restrictive of these, Florida,¹¹ Georgia,¹² Iowa,¹³ and South Carolina,¹⁴ all enforce six-week gestational limits. Nebraska¹⁵ and North Carolina¹⁶ prohibit abortions after 12 weeks of pregnancy, Arizona¹⁷ after 15 weeks, and Utah after 18 weeks.¹⁸

These bans impose significant criminal liabilities and civil penalties. For example, Texas’s Human Life Protection Act makes the performance, inducement, or attempt of an abortion a felony of either the second degree (if the fetus survives) or the first degree (if the abortion is completed); violators are subject to a civil penalty of not less than $100,000 for each violation as well as attorney’s fees and costs; and the appropriate licensing authority shall revoke the license of the abortion provider who violated the ban.¹⁹

In addition to criminalizing abortion and creating civil penalties that can be brought by state attorneys general, Texas has created a private right of action for individual citizens to sue abortion providers and individuals who assist patients seeking an unlawful abortion.²⁰ Civil liability extends to those who “knowingly engag[e] in conduct that aids or abets the performance or inducement of an abortion, including paying for or reimbursing the costs of an abortion through insurance or otherwise.”²¹ If the claimant wins their suit, they are awarded injunctive relief to prevent future violations by the defendant, statutory damages not less than $10,000 for each abortion performed or aided by the defendant, and costs and attorney’s fees.²² The statute provides two affirmative defenses, limited only to individuals accused of aiding or abetting who reasonably believed that the abortion provider had or would comply with the subchapter.²³ There are no affirmative defenses for the providers themselves, and arguments on the constitutionality of the law are explicitly not defenses since state officials are not directly or indirectly involved in the law’s enforcement.²⁴

Required Disclosure of Protected Health Information

Under 45 CFR 164.524, the HIPAA Privacy Rule, individuals and their personal representatives have access to PHI.²⁵ Healthcare facilities and other covered entities are required to provide such information within 30 days of receiving a request from an individual. On August 1, 2022, HHS announced the imposition of a civil monetary penalty of $115,200 for failure to provide timely access to patient records.²⁶ This civil monetary penalty marks the Office of Civil Rights’ (OCR) 49th HIPAA right of access enforcement action.²⁷

There are two categories of information that are expressly excluded from an individual’s right of access. These are:

• Psychotherapy notes, which are the personal notes of a mental healthcare provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record.²⁸
• Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.²⁹

This right of access is extended to “personal representatives” of the individual. If a personal representative requests the information, the 30-day time limit also applies to such request. In addition, the 30-day limit is not tolled while the covered entity reviews the validity of the claim of being a personal representative. An individual’s personal representative is a person with authority under applicable state law to make healthcare decisions for the individual.³⁰

Permitted Disclosures of PHI

In addition to being required to disclose PHI to individuals and personal representatives, the privacy rule permits covered entities to disclose PHI without the individual’s written authorization or an opportunity to agree or object under specified circumstances.³¹ This article only discusses those permitted instances that relate to law enforcement or judicial processes.

Under 45 CFR 164.512:

• “A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law;”³²
• “a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority;”³³
• “A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:
• (i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or
• (ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal.”³⁴

Unlike the required disclosure to the individual and the individual’s personal representatives, this provision of the HIPAA Privacy Rule is permissive, and the healthcare facility or covered entity is not required by HIPAA to disclose the information.

Attestation Required

Under the 2024 Final Privacy Rule, prior to providing information to an individual’s personal representative or under any of the permissive provisions of 45 CFR 164.512, the covered entity is required to obtain an attestation that the PHI that is sought is not for the purposes of investigating or imposing liability on individuals merely for seeking, obtaining, providing, or facilitating lawful reproductive healthcare.

At the end of July, HHS OCR provided a Model Attestation Form for the Requested Use of Protected Health Information Potentially Related to Reproductive Health Care.³⁵ The attestation reminds the person signing it that federal law prohibits any individual from improperly obtaining PHI. Knowingly obtaining PHI under false pretenses could result in a penalty of up to $100,000 and five years in prison.³⁶

Just Say No

A covered entity should adopt a policy to only provide PHI related to reproductive healthcare when required in response to a request from the individual to whom the PHI relates or a personal representative.³⁷ The covered entity will be required to obtain a signed attestation form that is either the model or one that meets the requirements of the model to disclose the information to the personal representative but not to the individual. When requested to provide the information in the three permissive categories (cases of abuse, judicial or administrative proceeding or as required by law), the covered entity may refuse even with the completed attestation. What does that mean if the covered entity receives the request as part of a judicial or administrative proceeding?

Judicial or Administrative Proceedings

The HIPAA Privacy Rule prohibits covered entities and their business associates from disclosing PHI in response to judicial and other administrative proceedings unless certain conditions are satisfied.³⁸

What does that mean when the covered entity receives a court order or a subpoena?³⁹ Under the 2024 HIPAA Privacy Rule, a covered entity is not required to provide PHI that relates to seeking, obtaining, providing, or facilitating lawful reproductive healthcare. Providing that PHI is permissive when responding to a subpoena or court order. The 2024 Final Privacy Rule requires that the covered entity obtain an attestation that the PHI that is sought is not for the purposes of investigating or imposing liability on individuals merely for seeking, obtaining, providing, or facilitating lawful reproductive healthcare.

What should the covered entity do when receiving a subpoena or court order? If the covered entity is named as a party to the litigation (e.g., that plaintiff or defendant), the covered entity should notify its attorney. PHI may be disclosed during litigation subject to the “minimum necessary rules” of HIPAA.⁴⁰ If the covered entity is not a party, then the attorney for the covered entity should determine if the court or agency has jurisdiction over the covered entity. For example, if an individual who is a resident of Texas seeks an abortion in California, a subpoena or court order issued from Texas to the California provider would not have jurisdiction over that provider. If the subpoena or court order is issued to a health plan sponsored by an employer with offices in Texas, then a Texas court may have jurisdiction over that health plan. If it is determined that there is jurisdiction, then the covered entity may not ignore the subpoena or court order without risk of contempt even though HIPAA limits such disclosure without the attestation.

If the request for PHI is for the purposes of investigating or imposing liability on Texas individuals for seeking, obtaining, providing, or facilitating lawful reproductive healthcare and the attestation is not provided, then the covered entity may petition the court for a protective order or move to quash the subpoena or court order.⁴¹ The covered entity should contact an attorney immediately if the PHI is requested and the required attestation is not provided. The attorney may recommend that the covered entity seek a protective order.

Challenge to the Validity of the 2024 Final Privacy Rule

On September 4, the State of Texas filed an action seeking declaratory and injunctive relief again enforcement of the 2024 Final Privacy Rule.⁴² In addition, the suit seeks to challenge the portion of the original HIPAA privacy rule (the 2000 Privacy Rule) that limits disclosures to state investigators.⁴³ The 2024 Final Privacy Rule cites 45 CFR 160.104 as the authority to adopt Part 164. Under that provision, the Secretary has the right to adopt modifications to a standard or implementation specification adopted under subchapter C (Administrative Data Standards and Related Requirements). The statutory basis for the Part 164 (Security and Privacy) is enumerated in 45 CFR 164.102.⁴⁴ Part C of title XI of the Act, section 264 of Public Law 104-191 requires that HHS promulgate final regulations containing standards and the expectation was that these would have been submitted to Congress and also that the Secretary would have consulted with the National Committee on Vital and Health Statistics and the attorney general.⁴⁵

The Texas suit claims that the HIPAA statute explicitly preserved state investigative authority and did not give the defendants any authority to “promulgate how regulated entities may share information with State governments.” Texas requests that the court invalidate both the 2024 Final Privacy Rule and the 2000 Privacy Rule on the basis that the rules “significantly harm the State of Texas’s investigative abilities because covered entities frequently cite the 2000 Privacy Rule as a reason that they cannot comply with a valid investigative subpoena for documents and have already begun invoking the 2024 Privacy Rule for similar purposes.”⁴⁶

Conclusion and Next Steps

To ensure compliance with the 2024 Final Privacy Rule’s heightened privacy protections over reproductive healthcare information, covered entities should limit disclosure of such reproductive healthcare PHI to required disclosures and stop making permissive disclosures. Covered entities will need to review and amend their internal HIPAA policies and procedures related to providing reproductive healthcare information with and without authorizations. Covered entities and business associates should review the 2024 Final Privacy Rule and create a compliance plan with respect to updating policies and procedures, health plan documents, business associate agreements, and privacy notices. Staff must receive training on the new requirements. If a covered entity adopts the recommendation to not provide PHI in response to those above listed permissive categories even with a signed attestation, the covered entity will need to engage counsel if there is a challenge.

--

1. The 2024 Final Privacy Rule became effective June 25, 2024. The compliance date, the date persons subject to this regulation must comply with the applicable requirements of this Final Rule, is December 23, 2024, except for the Notice of Privacy Practices. The compliance date for amending the Notice of Privacy Practices is February 16, 2026; HIPAA Privacy Rule to Support Reproductive Health Care Privacy, 45 CFR Parts 160, 164, Apr. 26, 2024.
2. Exec. Order No. 14,076, 87 Fed. Reg. 42,053 (July 8, 2022); THE WHITE HOUSE, Executive Order on Protecting Access to Reproductive Healthcare Services, July 8, 2022, https://www.whitehouse.gov/briefing-room/presidential-actions/2022/07/08/executive-order-on-protecting-access-to-reproductive-healthcare-services/.
3. Id. at Sec. 1.
4. Id. at Sec. 4.
5. Id. at Sec. 5.
6. THE WHITE HOUSE, Executive Order on Strengthening Access to Affordable, High-Quality Contraception and Family Planning Services, June 23, 2023, https://www.whitehouse.gov/briefing-room/presidential-actions/2023/06/23/executive-order-on-strengthening-access-to-affordable-high-quality-contraception-and-family-planning-services/. When this Executive Order was issued, the HIPAA modification was in the Notice of Proposed Rulemaking stage. As noted, the 2024 Final Privacy Rule was issued in April 2024 and became effective June 25, 2024; Exec. Order supra n. 1.
7. HIPPA Privacy Rule, supra 1. For a complete discussion of the 2024 HIPAA Privacy Rule, see “HHS Finalizes Amendments to HIPAA Privacy Rule to Strengthen Privacy Protections for Reproductive Health Information Post-Dobbs” by Andrea Frey and Rachel Zacharias, THE HEALTH LAWYER, June 2024, https://www.americanbar.org/groups/health_law/publications/health_lawyer_home/june-2024/hhs-finalizes-amendments-to-hipaa-privacy-rule-to-strengthen-privacy-protections-for-reproductive-health-information-post-dobbs/?login.
8. See Tracking Abortion Bans Across the Country, N.Y. TIMES, May 1, 2024, https://www.ncom/interactive/2024/us/abortion-laws-roe-v-wade.html for an overview of state abortion laws across the country.
9. Alabama, see Code § 26-23H-4; Arkansas, see Ark. Code Ann. §§ 5-61-301 – 5-61-304;

   Idaho, see Idaho Code § 18-622; Indiana, see S.B. 1, 122nd Leg., 1st Spec. Sess. (Ind. 2022); Kentucky, see Ky. Rev. Stat. § 311.772; Louisiana, see La. Stat. Ann. § 40:1061; Mississippi, see Miss. Code Ann. § 41-41-45; Missouri, see Mo. Ann. Stat. § 188.017; North Dakota, see N.D. Cent. Code Ann. §§ 12.1-19.1-02 (West); Oklahoma, see S.B. 1555, 58th Leg., 2nd Reg. Sess. (Ok. 2022); South Dakota, see S.B. 1555, 58th Leg., 2nd Reg. Sess. (Ok. 2022); Tennessee, see Tenn. Code Ann. § 39-15-213; Texas, see Tex. Health & Safety Code Ann. § 170A; and West Virginia, see W. Va. Code Ann. § 16-2R-3 (West).

   Most of these states provide some exceptions to the ban, such as Idaho’s Defense of Life Act, which allows narrow exceptions for cases of rape and incest and when necessary to prevent the death of the pregnant person. Idaho Code § 18-622(2).

10. Supra n. 8.
11. Fla. Stat. § 390.0111; U.S. ABORTION LAWS POST DOBBS: A 50 STATE SURVEY 31 (Ellee Cochran Ed., 2024).
12. State of Georgia v. SisterSong Women of Color Reprod. Just. Collective, Case No. S23A0421 (Ga. Oct. 24, 2022) rev’d SisterSong Women of Color Reprod. Just. Collective v. Kemp, 2022-CV-367796 (Sup. Ct. Fulton Cnty. Nov. 15, 2022) (overturning injunction of six-week ban).
13. Iowa Code § 146E.2; Cochran supra 11, p. 50.
14. S. 474, 125th Gen. Assemb., Spec. Sess. (S.C. 2023).
15. L.B. 574, 108th Leg., 1st Reg. Sess. (Neb. 2023).
16. N.C. Gen. Stat. § 90-21.81B(2)
17. Ariz. Rev. Stat. § 36-232-36-2326; Cochran supra n. 11, p. 8.
18. Utah Code Ann. § 76-7-302.5; Cochran supra 11, p. 133.
19. Tex. Health & Safety Code Ann. § 170A.004–007.
20. Tex. Health & Safety Code Ann. § 171.208. (The Texas Heartbeat Act).
21. Tex. Health & Safety Code Ann. § 171.208(a)(2).
22. Tex. Health & Safety Code Ann. § 171.208(b).
23. Tex. Health & Safety Code Ann. § 171.208(f).
24. Tex. Health & Safety Code Ann. § 171.208(e).
25. See Individuals’ Right under HIPAA to Access their Health Information, U.S. DEP’T OF HEALTH AND HUMAN SVCS., Jan. 5, 2024, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
26. See HHS Office for Civil Rights Imposes a Civil Monetary Penalty of $115,200 Against American Medical Response for Failure to Provide Timely Access to Patient Records, U.S. DEP’T OF HEALTH AND HUMAN SVCS., Aug. 1, 2024, https://www.hhs.gov/about/news/2024/08/01/hhs-ocr-imposes-civil-monetary-penalty-115200-against-american-medical-response-failure-provide-timely-access-patient-records.html.
27. SEC v. Jarskey, 603 U.S. ___ (2024) may significantly impact how HHS must handle civil penalties against covered entities.
28. See 45 CFR 164.524(a)(1)(i) and 164.501.
29. See 45 CFR 164.524(a)(1)(ii).
30. See 45 CFR 164.502(g) and Personal Representatives, U.S. DEP’T OF HEALTH AND HUMAN SVCS., Jan. 5, 2024, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html for more information about the rights that can be exercised by personal representatives.
31. 45 CFR 164.512 - Uses and disclosures for which an authorization or opportunity to agree or object is not required.
32. 45 CFR 164.512(a).
33. 45 CFR 164.512(c).
34. 45 CFR 164.512(e).
35. Model Attestation for a Requested Use or Disclosure of Protected Health Information Potentially Related to Reproductive Health Care, U.S. DEP’T OF HEALTH AND HUMAN SVCS., https://www.hhs.gov/sites/default/files/model-attestation.pdf.
36. 42 USC 1320d-6.
37. This is similar to the corporate policies adopted by insurance companies that state that the insurance company will not provide PHI to a plan sponsor, and further, that it will only provide PHI to the a fully insured group health plan representative when the participant is present or pursuant to a written authorization.
38. To the extent there is a more restrictive state or federal law that applies in a particular case, the more restrictive law will usually control.
39. Subpoenas and court orders are two different means of demanding information, with differing levels of enforcement. A subpoena is a lawyer’s assertion that she/he is entitled to the requested information, while a court order determines that the lawyer is in fact entitled to it. A court order typically has “order” typed on it and is signed by a judge or magistrate; Court Orders and Subpoenas, U.S. DEP’T OF HEALTH AND HUMAN SVCS., Nov. 2, 2020, https://www.hhs.gov/hipaa/for-individuals/court-orders-subpoenas/index.html.
40. See 45 CFR 164.506 and 164.501, definition of “healthcare operations”.
41. 45 CFR § 164.512(e).
42. State of Texas v. U.S.Dep’t of Health and Human Services et al, 5:24cv204, N.D. Texas, Sept. 4, 2024.
43. 45 CFR §164/512(f)(1)(ii)(C)/
44. Statutory basis. The provisions of this part are adopted pursuant to the Secretary’s authority to prescribe standards, requirements, and implementation specifications under part C of title XI of the Act, section 264 of Public Law 104-191 (Health Insurance Portability and Accountability Act of 1996, August 21, 1996), and sections 13400-13424 of Public Law 111-5 (American Recovery and Reinvestment Act of 2009, February 17, 2009).
45. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 101-194, https://www.ggov/content/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
46. State of Texas et al. v. Becerra et al., no. 6:24-cv-00211 (E.D. Tex. filed Sept. 4, 2024).