How is OCR handling Women’s Reproductive Healthcare challenges as relates to PHI?

With every new headline about women’s reproductive health, providers and patients have been left wondering what’s next legally. Will they be protected or prosecuted? The answer could come down to interpretation of HIPAA’s Privacy Rule. To that end, OCR has taken the position of clarifying and strengthening PHI protections from the HIPAA perspective.

On April 12, 2023, OCR issued a Notice of Proposed Rule Making (NPRM) to strengthen the HIPAA Privacy Rule protections by prohibiting the use or disclosure of protected health information (PHI) to identify, investigate, prosecute, or sue patients, providers and others involved in the provision of legal reproductive health care, including abortion.

Definition changes and additions helped clarify in the following ways:

  • The definition of “person” is revised to include the clarification that, for purposes of the HIPAA Rules, the word “person” means a human being who is born alive.
  • A definition of “reproductive health care” is added and defined as care, services or supplies related to an individual’s reproductive health. 
  • A definition of “public health” is added.  The definition states that public health means population-level activities to prevent disease and promote health.  The definition goes on to explicitly state that public health does not include uses and disclosures for the criminal, civil, or administrative investigation into or proceeding against a person in connection with obtaining, providing, or facilitating reproductive health care, or for the identification of any person in connection with a criminal, civil, or administrative investigation into or proceeding against a person in connection with obtaining, providing, or facilitating reproductive health care. 

Privacy Rule Additions & Amendments for PHI Uses & Disclosures

45 CFR §164.502 of the Privacy Rule, which deals with the General Rules for Uses and Disclosures of PHI, is amended. The amendment adds language that prohibits regulated entities (covered entities and business associates) from using or disclosing PHI where the PHI would be used for a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or identifying any person for the purpose of initiating such an investigation or proceeding.

Next up is an all-new Privacy Rule section – 164.509, Uses and Disclosures for which an Attestation Is Required. The section defines required content of the Attestation. 

So what is an Attestation? 
An Attestation allows a covered entity to use or disclose PHI that is potentially related to reproductive health care for the following purposes:
  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • A Coroner or medical examiner

But this can only happen after the covered entity has received an attestation from the organization seeking the PHI that includes a “clear statement” that the PHI will not be used for a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or identifying any person for the purpose of initiating such an investigation or proceeding.  

There’s an additional clarification that PHI cannot be disclosed for victims of abuse, neglect or domestic violence if the report is based primarily on the provision of reproductive health care.  There’s also a requirement that a description of the uses and disclosures of reproductive health care, and at least one example, be added to the Notice of Privacy Practices. 

Preempting State Law Disclosure Requirement

There’s a section of the HIPAA Rule (Subpart B – Preemption of State Law) that establishes the HIPAA Rules as the national “floor” for privacy and security standards. 

So, State law can apply but only in circumstances where the State law is “more stringent” than the HIPAA Privacy Rule (45 CFR §160.203(b)).  “More stringent” means that the State law supplies the individual with greater privacy of PHI, or with greater access to PHI (45 CFR §160.202). 

Placing the prohibition on use and disclosure of PHI that’s potentially about reproductive health care into the HIPAA Privacy Rule “floor” preempts any and all State law that would require its disclosure. So while the door is left open for legitimate disclosure for health oversight, judicial and administrative proceedings and for law enforcement, it’s only when the government or other administrative agency attests in writing in advance of the disclosure that the PHI will not be used for civil, criminal, or administrative investigation into the person (or people) who are the subjects of the PHI.

What does all this OCR & HIPAA activity mean for Covered Entities?

Develop policies and procedures related to reproductive health care and to attestations along with a required change to your NPP and all that entails.  You will need to:

  • Amend your P&Ps that deal with use and disclosure related to health oversight; judicial and administrative proceedings; law enforcement and to coroners and medical
  • Educate your staff, and maybe your state and local agencies as well.
  • Make sure that your ROI vendors are correctly adhering to the new prohibitions, including receipt of attestations prior to disclosure.
  • And last but not least, make sure that your business associates understand their need to adhere to the new prohibition as well.

As of this writing (March 3, 2024), the NPRM that was issued almost a year ago has not moved to final rulemaking.  The effective date of any Final Rule will be 60 days after publication.  In the NPRM, HHS stated its intention to set a compliance date of no more than 180 days after Final Rule publication.  Final piece of advice – stay tuned!

Julia Huddleston, CIPP, CIPM, CCSFP, Principal Consultant, works with Apgar & Associates’ clients on certification readiness, compliance assessments, security risk analysis and policy and procedure review and implementation