On April 12, 2023, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a notice of proposed rulemaking (NPRM) that would modify the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act (HIPAA). The NPRM seeks to prohibit uses and disclosures of reproductive health care information for criminal, civil, or administrative proceedings against individuals seeking, obtaining, delivering, or facilitating access to and provision of reproductive health care services provided through lawful means.
In strengthening the privacy protections for an individual’s reproductive health information, HHS is seeking to support access to and quality of health care services and an individual’s trust in their health care provider. HHS has indicated that, without additional privacy protections, there is a risk of adverse events, including (1) the deterioration of the physician-patient relationship, (2) the withholding of pertinent medical information by patients, and (3) the withholding of potentially sensitive information from medical records by physicians, which together could negatively impact medical outcomes. In the NPRM preamble, HHS articulates that communities already facing significant health care disparities are likely to bear the most risk.
The Supreme Court of the United States’ (SCOTUS’) decision in Roe v. Wade (Roe) granted individuals a fundamental right to privacy under the Due Process Clause of the Fourteenth Amendment. On June 24, 2022, SCOTUS overturned Roe in Dobbs v. Jackson Women’s Health Organization (Dobbs), stating that the right to an abortion was not rooted in the country’s history or tradition since it was not considered at the time the Due Process Clause was ratified in 1868. As a result of the Dobbs decision, for the first time since 1973, individual states control access to abortion services.
Certain states that previously enacted “trigger laws” banning abortion saw those laws take effect post-Dobbs, while others have drafted and are currently trying to pass legislation to limit or curtail abortion. In states where abortion bans are in place, the likelihood of highly sensitive reproductive health information being disclosed under circumstances that did not exist pre-Dobbs has increased significantly. While the Privacy Rule permits but does not require protected health information (PHI) disclosures to law enforcement, to avert serious health or safety threats, or those that are required by law, covered entities risk sanctions or other legal action if they fail to produce legally required or compelled information.
The preamble to the NPRM notes that since Dobbs, HHS has been contacted by numerous regulated entities, members of Congress, and others regarding privacy protections. In conjunction with the Federal Trade Commission and Department of Defense, HHS has determined that reproductive health care information is especially sensitive and requires additional protections, which spurred HHS to issue this NPRM.
HIPAA Privacy Rule
The health care and technological landscape have evolved significantly since HIPAA’s inception in 1996, but one thing that has remained steadfast is HIPAA’s focus on the safeguarding of health information. While the current Privacy Rule allows PHI to be disclosed for certain non-health care purposes, such as certain criminal, civil, and administrative investigations and proceedings, the post-Dobbs climate alters the impact of these disclosures. The interest in protecting personal health information and engaging in a trusting relationship with health care provider is now pitted against the interests of those who wish to use reproductive health information for purposes of criminal, civil, and administrative investigations, or proceedings. To prevent this information from being targeted, HHS hopes to restore the balance by prohibiting PHI disclosures in certain situations involving reproductive health care, as discussed further below.
Individual Privacy vs. Non-Health Care Uses and Disclosures
HHS explains that maintaining the balance of individual privacy with the interests of society occasionally requires affording special protections to certain types of health care. For example, special protections are afforded to psychotherapy notes under the Privacy Rule because of the especially sensitive information contained in those notes. Without the promise of strict confidentiality in a psychotherapist-patient relationship, it is unlikely that treatment will be successful. Because of this, psychotherapy notes may only be disclosed in certain situations, such as when there is an immediate threat to health or safety. These circumstances preclude disclosure for judicial and administrative proceedings and law enforcement purposes unless the disclosure is deemed necessary to prevent or lessen the threat or safety of an individual or the public. In the preamble to the NPRM, HHS likens reproductive health PHI to psychotherapy notes in that it contains particularly sensitive information and can potentially put individuals at risk of stigmatization or political controversy.
As a result of Dobbs, some states have enacted legislation that may threaten the privacy of an individual’s PHI as established under the HIPAA Privacy Rule. HHS has received reports of law enforcement and other individuals extending beyond their own state’s borders to investigate allegations of abortions being performed in states in which such health care services are legal. Under the current Privacy Rule, there is concern that regulated entities may be compelled to use or disclose reproductive health PHI to law enforcement or others for “punitive, non-health care purposes” so that they may investigate an individual, a regulated entity, or others who have assisted in providing legally permitted care.
HHS describes that considerable consequences adversely impacting health outcomes have emerged directly from the Dobbs decision, including an erosion in individuals’ trust of health care providers and an increased risk of incomplete or inaccurate medical records. HHS views this distrust as especially prevalent in states where the right to obtain an abortion has been significantly reduced. With recent state legislation putting individuals and health care practitioners at risk of civil or criminal actions, regardless of whether the reproductive health care is legally obtained or performed, individuals are less likely to disclose sensitive information to health care providers, and the lack of these details for future health services could put them at risk. In addition to fear and distrust, HHS sees general confusion among individuals and practitioners as to what health information is protected. For example, many health care providers are hesitant to prescribe, and many pharmacists are hesitant to fill medications that induce abortions. HHS sees this as having the potential to impact the individual’s quality of life. HHS also describes how having to provide additional PHI as justification for the medication under a permissible state law purpose unnecessarily opens that PHI to increased risk when it may not otherwise need to be disclosed. The NPRM preamble describes how this privacy risk disproportionately impacts women and historically marginalized communities. HHS raises a concern that these historically marginalized individuals are more likely to be the targets of investigations and proceedings and are unlikely to have adequate legal representation, thereby reinforcing the historical mistrust between members of underserved communities and the health care system.
Proposed Modifications to the Privacy Rule
Prohibited Uses and Disclosures
In the NPRM, HHS proposes to establish a new prohibition on uses and disclosures of PHI in limited circumstances, specifically prohibiting the use or disclosure of PHI for the criminal, civil, or administrative investigation of or for a proceeding against an individual, HIPAA-regulated entity, or other person related to the individual seeking or obtaining or to another person providing or facilitating reproductive health care. The proposed disclosure prohibition also would prohibit using or disclosing PHI to identify any person for the purpose of initiating such an investigation or proceeding. HHS is proposing that “seeking, obtaining, providing, or facilitating” would include, but not be limited to, “expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care, as well as attempting to engage in any of the same.”
The NPRM clarifies that these PHI disclosures would be prohibited in three circumstances: (1) when the reproductive health care is provided lawfully outside of the state where the investigation or proceeding is authorized; (2) when the reproductive care is protected, required, or authorized by federal law, notwithstanding the state in which the care is provided; and (3) when the reproductive care is provided in the state in which the investigation or proceeding is authorized and when the care is permitted under that state’s laws. This includes a suit brought against an individual who received a lawful abortion or an investigation into the lawful disposal of an embryo. In each of these scenarios, HHS views the state as lacking a substantial interest in pursuing the disclosure of this PHI.
When requested PHI may relate to reproductive health care, the proposed rule outlines a process whereby covered entities will be required to obtain an attestation from the person requesting the PHI that the use or disclosure of the information is not for a prohibited purpose. For example, if the purpose of the request is a law enforcement investigation of sexual assault or an investigation into reproductive health care that was not lawfully provided, the requester would provide the covered entity with a signed and dated written statement that the request is not for the prohibited purposes described above. The attestation also requires the requestor to confirm the types of PHI requested and to identify the name of the individual whose PHI is requested or, if not practicable, the class of individuals. The attestation would help ease the burden on covered entities as they assess whether they have a legal obligation to fulfill a request or whether it falls within the proposed rule’s category of prohibited uses and disclosures. The requester would provide the attestation in addition to any subpoena, court order, or other document request.
The NPRM also clarifies that the Privacy Rule would not permit disclosures regarding victims of abuse, neglect, or domestic violence when the report is “based primarily on the provision of reproductive health care” and the disclosure would be prohibited under the new requirements described above.
The proposed rule also clarifies a number of definitions. It updates the definition of “person” to align to the statutory definition in 1 U.S.C. § 8, which includes a natural person, corporation, trust or estate, partnership, association, or other entity; “person” would not include a fertilized egg, embryo or fetus. HHS proposes a new definition of “public health,” related to references to “public health surveillance,” “public health investigation,” and “public health intervention” (although those specific terms are not separately defined). HHS proposes that “public health” means “population-based activities to prevent disease and promote health of populations,” clarifying that uses or disclosures for investigations or proceedings against a person in connection with seeking, obtaining, providing, or facilitating reproductive health care fall outside the scope of public health activities.
The NPRM also provides a new definition of “reproductive health care” as a subcategory of the existing defined term “health care.” HHS proposes to define “reproductive health care” as “care, services, or supplies related to the reproductive health of the individual” (the preamble to the NPRM acknowledges that HHS is not proposing to separately define “reproductive health”). HHS clarifies its intent for this definition to cover care provided by a clinician and prescriptions as well as care, services, and supplies connected to the individual’s reproductive health, irrespective of any co-relation to pregnancy or reproductive age, and care furnished by non-clinicians.
Recognition of Personal Representative
In the preamble, HHS raises a concern that covered entities may refuse to recognize a person as an individual’s personal representative if the person makes a reproductive health care decision on behalf of the individual with which the covered entity disagrees. HHS proposes to modify the Privacy Rule to state that a covered entity is not permitted to decline to recognize a person as a personal representative if the person otherwise would meet the requirements to be a personal representative under state and other applicable laws, solely because the person provides or facilitates reproductive health care to the individual. The proposed rule also clarifies that state laws that require an entity to use or disclose highly sensitive PHI for non-public health purposes, such as criminal, civil, or administrative investigations or proceedings related to a person seeking, obtaining, providing, or facilitating reproductive health care, are not exempt from HIPAA preemption.
Notice of Privacy Practices
In the NPRM preamble, HHS expresses concern that the currently required contents of a covered entity’s Notice of Privacy Practices (NPP) focus on permitted uses and disclosures and that the NPP does not provide “adequate assurances” that individuals’ PHI would not be used or disclosed in certain scenarios involving reproductive health. HHS proposes that covered entities modify their NPPs to explain the prohibition on the use and disclosure of reproductive PHI outlined in the NPRM, describing the prohibition, providing at least one example, and describing when an attestation is required and providing at least one example.
As Americans continue to navigate an uncertain legal landscape post-Dobbs, HHS recognizes the need to restore the balance to individual privacy protections against the need to use or disclose sensitive information for non-health care purposes. By enacting these “purpose-based prohibitions” on certain uses and disclosures of PHI, HHS believes that individuals will be able to maintain trust in their clinicians without fear of sensitive information being disclosed. Similarly, HHS argues that clinicians will be able to maintain accurate medical records without fear of being compelled to disclose their patients’ sensitive reproductive PHI. Both are necessary to achieve more accurate medical diagnoses and positive health outcomes.
Request for Comments
HHS requests comments on many of their proposed modifications to the Privacy Rule, as well as on certain areas that HHS is not proposing to specifically clarify. Comments can be submitted through regulations.gov. Public comments on the NPRM are due June 16, 2023.
*The authors wish to acknowledge the contributions of Ally Bremer, Loyola University Chicago School of Law, J.D. candidate, 2023.
 HIPAA Privacy Rule to Support Reproductive Health Care Privacy, 88 Fed. Reg. 23506 (Apr. 17, 2023).
 See U.S. Dep’t of Health & Human Servs., HHS Proposes Measures to Bolster Patient-Provider Confidentiality Around Reproductive Health Care (Apr. 12, 2023), https://www.hhs.gov/about/news/2023/04/12/hhs-proposes-measures-bolster-patient-provider-confidentiality-around-reproductive-health-care.html.
 Roe v. Wade, 410 U.S. 113 (1973).
 Dobbs v. Jackson Women's Health Org., 142 S. Ct. 2228 (2022).
 Ctr. for Reproductive Rights, https://reproductiverights.org/maps/abortion-laws-by-state/ (last accessed April 14, 2023).