When HHS enacted the Privacy Rule, it sought to establish clear rules for when identifiable health information could be used and disclosed so that the healthcare system could function while still preserving patients' privacy rights. With healthcare providers' increased adoption of electronic medical record systems, PHI is increasingly digital and therefore even easier to share. Law enforcement has a host of tools for seeking evidence in legitimate investigations, including the procedures the Privacy Rule sets out for obtaining PHI. For example, the Privacy Rule permits entities to share information with law enforcement about a crime committed on the premises of a health care facility. The Dobbs decision has now introduced tension and ambiguity into situations in which law enforcement seeks PHI about reproductive health care, and that tension is especially heightened when law enforcement seeks reproductive health PHI for treatments and procedures that are legal in the jurisdiction in which they are provided and received.
Actions to Strengthen the Privacy Rule post-Dobbs
The Privacy Rule does not require data sharing with public officials, including law enforcement. However, its permissive sharing provisions mean that it does not provide much of a shield. State laws that provide greater protections for health data are not preempted by HIPAA; absent specific state law protections for reproductive health data, however, PHI generated in the delivery of lawful reproductive care could be disclosed to advance legal actions taken in states with abortion bans or significant restrictions.
In the aftermath of the Dobbs decision, HHS initially issued guidance on June 29, 2022 suggesting that disclosures of reproductive health PHI to law enforcement could occur only where required by law or by court order. However, guidance cannot on its own change the more expansive permissions in the regulation; regulatory changes can occur only through the notice-and-comment processes set forth in the Administrative Procedure Act.
Consequently, on April 17, 2023, the HHS Office for Civil Rights (OCR), which oversees policy and enforcement of HIPAA privacy-related regulations, published a set of proposed modifications to the Privacy Rule intended to strengthen protections for reproductive health data. Those modifications, the Privacy Rule Reproductive Data Protections, were finalized on April 26, 2024 and went into effect on June 25, 2024. Regulated entities must comply with most provisions of the Protections by December 23, 2024.
In proposing the Privacy Rule Reproductive Data Protections, OCR recognized that the Dobbs decision “makes it more likely than before that individuals’ PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect,” emphasizing in particular the impact of the decision on “access to lawful health care and full communication between individuals and health care providers.” HHS nonetheless chose to preserve the ability of regulated entities to share reproductive health data to treat patients, to be paid for the delivery of reproductive health care, to facilitate public health reporting, and for all other legitimate functions of the health care system that rely on patient medical records. Instead, HHS sought to directly address the problem: use of health information against a patient or their medical provider merely for the delivery of a lawful health care service.
Specifically, the Privacy Rule Reproductive Data Protections now prohibit regulated entities from using or disclosing PHI for either:
- Criminal, civil, or administrative investigations—or the imposition of criminal, civil, or administrative liability—of any person “for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided,” or
- the identification of a person for the above purposes.
For example, if a patient lives in a state that restricts abortion care and travels to another state to obtain a legal abortion, the reproductive health data generated from that care episode could not be used or disclosed for any of the prohibited purposes. The prohibition also prevents the use or disclosure of records related to care that is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state where the care is provided. This would include contraceptive care, which is protected by the Constitution under Griswold v. Connecticut.
The Privacy Rule still permits PHI to be used or disclosed for the permitted purposes in the Rule so long as the use or disclosure is not to investigate or bring an action against (either criminal, civil or administrative) a person for the “mere act” of performing, receiving, or helping to facilitate a lawful service. For example, a covered entity provider could still access PHI for defense of a malpractice action or to seek reimbursement for care, or where PHI is sought by a regulator seeking to substantiate that services were delivered consistent with program requirements.
The use or disclosure prohibition applies even if the reproductive health data was not created by the regulated entity. Since 2009, billions of taxpayer dollars have been spent, and policies have been enacted, promoting the interoperability of health information, to break down the silos of patient data to enable patients to receive quality care wherever they need services and facilitate uses of data across the health care system to improve population and public health. Consequently, PHI generated from a lawful service delivered in one state could travel for legitimate purposes to a state where that care is illegal—but the regulated entities in that state would still be prohibited from using or disclosing that data for criminal, civil or administrative proceedings that relate to the mere act of seeking or receiving that care. The Privacy Rule Reproductive Data Protections create a presumption that reproductive health care was lawfully delivered unless the regulated entity receiving the request for use or disclosure of data has actual knowledge that the care delivered was not lawful, or receives sufficient factual information from the requester that “demonstrates a substantial factual basis” that the care was not lawful (for example, the entity has knowledge that the service was required to be provided by a licensed professional and the person providing the care did not have the required license).
To operationalize these prohibitions, the Privacy Rule requires regulated entities, when they receive a request for PHI “potentially related to reproductive health care,” to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies only to requests for, or access to, PHI for health oversight activities, for judicial and administrative proceedings, for law enforcement purposes, and for disclosure to or use by coroners or medical examiners. The signed attestation must be written in plain language and must include specific elements: for example, a description of the information requested; the names of the individuals (or the class of individuals) whose information is being sought; the name(s) of the requesting person(s); and a clear statement that the use or disclosure is not for a prohibited purpose. The attestation cannot be combined with any other document or contain extraneous information. It must also include a statement that obtaining information from a regulated entity in violation of this prohibition could subject the requester to criminal penalties.
The Privacy Rule also provides that regulated entities are not in compliance with the new rule if they use or disclose reproductive health data in reliance on a defective attestation. An attestation is defective if it lacks a required element, contains additional information that is not a required element, or the regulated entity has actual knowledge that the attestation is false or a “reasonable” regulated entity in the same position would not believe the attestation's statement that the use or disclosure is not for a prohibited purpose. HHS has created a model attestation form that regulated entities may choose to use; entities are also free to use their own forms, provided they contain the required elements and nothing else.
The HIPAA Privacy Rule has always required covered entities to provide a notice of privacy practices (“NPP”) to patients (in the case of health care providers) and beneficiaries (in the case of health plans). The Privacy Rule Reproductive Data Protections now require covered entities to include a provision in their NPPs that describes, and includes at least one example of, the types of uses and disclosures under the new prohibition “in sufficient detail for an individual to understand [the privacy practices]”. Entities do not have to comply with this particular change to the Privacy Rule until February 16, 2026; HHS had also recently finalized changes to the NPP provisions regarding records covered by the federal protections for substance use disorder treatment records (42 CFR Part 2), and wanted to give covered entities more time to make all of the required changes and comply with the distribution requirements.
HHS took further steps to help assure that the permissive provisions of the Privacy Rule could not be leveraged for investigations or pursuit of penalties for the mere act of delivering or receiving reproductive health care services. For example, it modified the definition of “person” to make clear that it refers to a “natural person (meaning a human being who is born alive).” This is intended to assure that language in the Privacy Rule permitting reports to relevant authorities for purposes of preventing harm to a “person” cannot be interpreted to permit the release of reproductive health data in violation of the Privacy Rule Reproductive Data Protections’ prohibitions. HHS also made clear that the prohibitions apply to access to PHI by public health agencies, or entities acting on their behalf, even when those agencies are acting within the scope of their authority.
Finally, the new rule does not change the penalties that can be levied for violations of the Privacy Rule. Regulated entities can be subject to a corrective action order (typically imposed in settlement of an enforcement case) or civil monetary penalties of between $100 and $50,000 per violation, depending on the level of culpability, with an annual cap of $1.5 million for repeated violations of the same provision. But only regulated entities can be penalized under HIPAA’s civil penalty provisions; requesters of reproductive health data who are not themselves regulated entities are beyond the reach of those provisions. Most state public health departments, for example, are not HIPAA covered entities. As explained in more detail below, however, persons outside of HIPAA coverage can still be held criminally responsible for obtaining PHI in violation of HIPAA.
Concerns about the Privacy Rule Reproductive Data Protections
In the Privacy Rule Reproductive Data Protections, HHS promulgated a targeted rule intended, on the one hand, to better protect reproductive health data from being used to investigate or bring an action against an individual or a medical provider or health plan, while, on the other, still allowing that data to be shared to provide care to the individual or to facilitate the functioning of the health care system. Nonetheless the rule will still be challenging to implement, and its protections will have some limits.
Broad definition of “reproductive health data”
A regulated entity is required to obtain an attestation that the requested PHI will not be used for a prohibited purpose before disclosing PHI that is “potentially related to” reproductive health care. The rule's definition of reproductive health care is purposefully broad: “health care . . . that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” Because this definition is not limited to abortion, contraception, or pregnancy-related care, and is not defined solely with respect to individuals with female reproductive organs, regulated entities have expressed concerns about inadvertently disclosing PHI that meets this definition without first requesting the attestation. Consequently, entities are considering requiring attestations for all requests of the types that would trigger an attestation requirement if reproductive health data were involved, regardless of whether such data is actually contained in the records. The breadth of the definition also makes it difficult to segment the data falling within it from other data that might be lawful to share without an attestation (although segmentation of sensitive data from non-sensitive data has always been a technical and policy challenge).
Limitations on reach due to HIPAA’s coverage limitations
Traditionally, and as noted above, one of the shortcomings of HIPAA’s privacy protections is that only regulated entities are required to comply with the rules. The protections do not follow the data, so if a regulated entity legitimately discloses data to an entity not regulated by HIPAA, HIPAA’s rules would not apply. As an example, if a regulated entity shares reproductive health data with a researcher who has received a waiver of consent from an Institutional Review Board (which is permitted by the Privacy Rule), and that researcher then uses or discloses this data to facilitate a prohibited purpose, the civil penalty provisions of HIPAA could not be leveraged to hold the researcher accountable (and the regulated entity would not have been required by HIPAA to have obtained an attestation prior to disclosing the data).
The criminal penalty provisions initially enacted as part of HIPAA and amended by Congress in the Health Information Technology for Economic and Clinical Health Act in 2009 may help close this gap. A “person” who knowingly and in violation of HIPAA obtains any individually identifiable health information from a covered entity relating to an individual or discloses individually identifiable health information to another person could be subject to criminal penalties, which vary by level of culpability. A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm. These provisions apply to the Privacy Rule Reproductive Data Protections as well. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.
Potential Penalties for Accepting a Deficient Attestation
Regulated entities are concerned about their potential liability under the Privacy Rule for making a disclosure based on an attestation that turns out to be defective. An attestation is defective if the regulated entity has “actual knowledge” that material information in the attestation is false, or, of greater concern, a “reasonable covered entity or business associate in the same position would not believe that the attestation is true with respect to” whether the requested use or disclosure is for a purpose that is not prohibited by the new rule. What constitutes a “reasonable covered entity or business associate in the same position” requires subjective judgment, leaving regulated entities concerned about getting it wrong in the eyes of regulators. The Privacy Rule Reproductive Data Protections also require regulated entities to cease any use or disclosure if they discover information showing that any information in the facially valid attestation they relied on to make the use or disclosure was materially false; failure to do so would constitute a HIPAA violation.
Limit on Types of Requests Requiring the Attestation
Regulated entities are required to obtain attestations only when requests for PHI potentially containing reproductive health data are submitted for purposes of health oversight, for judicial and administrative proceedings, for law enforcement, and for disclosures to coroners and medical examiners. But reproductive health data could be released for other purposes, such as treatment, research, or any of the other permitted purposes, and the recipient, if it is not a regulated entity, would not be subject to the prohibition in terms of its further use and disclosure of the information. For example, a covered entity physician may disclose PHI to a medical researcher pursuant to the research provisions of the Privacy Rule, but many researchers are not regulated entities (for example, researchers working in private research institutions or for pharmaceutical companies). The requester could, however, face criminal liability under the provisions discussed previously. Some regulated entities have nevertheless discussed requesting attestations in any circumstance where reproductive health data could potentially be used or disclosed, as a way of assuring protections for this data. At the same time, regulated entities that are also covered by the federal Information Blocking Rules, promulgated by the HHS Office of the National Coordinator for Health IT pursuant to the 21st Century Cures Act, could be subject to penalties for creating obstacles to the sharing of electronic health information in circumstances where it is otherwise lawful to share. The concern of these dual-regulated entities is that they could be penalized under the Information Blocking Rules for requiring attestations for the sharing of data for purposes for which an attestation is not required.
Of note, regulated entities are still permitted to disclose reproductive health data for public health purposes, and there is no requirement for an attestation for public health requests. Under the new provisions, however, an activity is not a legitimate public health activity if the reproductive health data is to be used for one of the prohibited purposes. But public health agencies are typically not HIPAA regulated entities; consequently, if an agency receives reproductive health data within the scope of its authority and then subsequently uses or discloses that data for a purpose that would be prohibited if it were a regulated entity, it is not clear that the disclosing regulated entity would be in violation of HIPAA for having made the original disclosure.
Rule Doesn’t Preempt State Laws Requiring Disclosure of Abortion Data
Some advocates for comprehensive reproductive health care have expressed concerns that HHS did not go far enough in protecting reproductive health data. In the HIPAA statute, Congress gave HHS broad authority to enact privacy protections for individually identifiable health information transmitted among health care providers and health plans (i.e., covered entities), and provided that these standards, largely adopted through regulation, would preempt state laws that were less stringent, i.e., that provided fewer privacy protections. Should HHS have utilized these preemption provisions to go further, for example by enacting new HIPAA privacy provisions that restricted the use or disclosure of reproductive health data for purposes of pursuing any civil, criminal or administrative action for the mere act of receiving a health care service, even if that service was not lawful in the setting in which it was delivered? For reasons that are not shared in the regulatory materials, HHS instead chose to focus only on protecting the privacy of data generated from lawfully delivered care and not to test the strength of this broad preemption authority against the plethora of abortion restrictions and new penalties of the post-Dobbs era.
HIPAA Doesn’t Apply to De-Identified Data
HIPAA covers only identifiable health information; consequently, HHS’s authority to promulgate privacy rules extends only to identifiable health information (i.e., PHI). The Privacy Rule establishes a legal standard for de-identification (no reasonable basis to believe the information can be used to identify an individual) and two acceptable methodologies for de-identifying PHI: a safe harbor method requiring the removal of 18 categories of identifiers, coupled with no actual knowledge on the part of the disclosing entity that the remaining data could be used to re-identify an individual; or an expert determination method, in which a person with appropriate statistical and scientific expertise determines and documents that the risk that an anticipated recipient could re-identify the data is very small. Although there are few published instances of HIPAA de-identified data having been successfully re-identified, much has been written about the vulnerability of data de-identified under the safe harbor methodology, given the increasing amounts of external data available for linkage and re-identification. De-identified reproductive health data is simply not covered by the rules. Further, there is no federal prohibition against re-identifying HIPAA de-identified data, although any such data held by a regulated entity becomes subject to HIPAA’s rules, including the new prohibitions, once it again meets the definition of PHI. As a result, a recipient of HIPAA de-identified reproductive health data who is not covered by HIPAA and who re-identifies the data, and subsequently uses it for a purpose that would otherwise have been prohibited by the new rules, likely cannot be found to have violated HIPAA, either civilly or criminally. The vulnerability of de-identified data to re-identification leaves a hole in the protections otherwise extended by this new rule.
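The re-identification risk described above is easier to see in code than in prose. The following is an added example, not code from the original article or from HHS: it applies a subset of the safe harbor transformations (drop direct identifiers, reduce dates to the year, aggregate ages over 89, truncate ZIP codes to three digits) to a small constructed patient dataset, then shows how many records remain unique on the quasi-identifiers that safe harbor leaves in place, and links those records against a constructed external dataset with names. The patient and external records, and the `SMALL_ZIP3_AREAS` table standing in for the Census-derived list of sparsely populated three-digit ZIP areas, are all invented for illustration and are labelled as such in the code.

```python
"""Added example (not from the original article or HHS): a partial HIPAA Safe
Harbor transform plus a quasi-identifier linkage check on constructed data."""
from collections import Counter
from datetime import date

# Safe Harbor keeps the first three ZIP digits only where the three-digit area
# has more than 20,000 residents; otherwise the ZIP must become "000".
# ASSUMPTION: toy stand-in for the Census-derived table of small ZIP3 areas.
SMALL_ZIP3_AREAS = {"036", "059", "102"}

# Direct identifiers handled by this example (Safe Harbor lists 18 categories;
# the remaining ones, such as biometrics or device IDs, are omitted here).
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "ip"}
PERSON_DATES = ("birth_date", "admit_date", "discharge_date")


def safe_harbor(rec: dict) -> dict:
    """Return a copy of `rec` with direct identifiers removed and dates, ages
    and ZIP codes generalized as the Safe Harbor method requires."""
    out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    for k in PERSON_DATES:            # dates tied to the individual: year only
        if isinstance(out.get(k), date):
            out[k] = out[k].year
    if isinstance(out.get("age"), int) and out["age"] > 89:
        out["age"] = "90+"            # ages over 89 collapse into one bucket
    if out.get("zip"):
        zip3 = str(out["zip"])[:3]
        out["zip"] = "000" if zip3 in SMALL_ZIP3_AREAS else zip3
    return out


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier
    values. A class of size 1 is a record that is unique on those attributes."""
    return Counter(tuple(r.get(q) for q in quasi_ids) for r in records)


def link(deid_records, external, quasi_ids):
    """Join de-identified records to an external dataset that carries names,
    after generalizing the external records the same way. Returns
    {index_of_deid_record: [candidate names]}."""
    index = {}
    for ext in external:
        key = tuple(safe_harbor(ext).get(q) for q in quasi_ids)
        index.setdefault(key, []).append(ext["name"])
    return {i: index.get(tuple(r.get(q) for q in quasi_ids), [])
            for i, r in enumerate(deid_records)}


def reidentified(deid_records, external, quasi_ids):
    """Indices of de-identified records that link to exactly one external name."""
    return [i for i, names in link(deid_records, external, quasi_ids).items()
            if len(names) == 1]


# --- Constructed sample data (invented for this example) -------------------
PATIENTS = [
    {"name": "Ada A.", "ssn": "000-00-0001", "birth_date": date(1985, 3, 9),
     "zip": "02139", "sex": "F", "age": 39, "admit_date": date(2024, 5, 2),
     "diagnosis": "Z34.9"},
    {"name": "Bea B.", "ssn": "000-00-0002", "birth_date": date(1985, 7, 21),
     "zip": "02143", "sex": "F", "age": 39, "admit_date": date(2024, 5, 3),
     "diagnosis": "Z30.9"},
    {"name": "Cal C.", "ssn": "000-00-0003", "birth_date": date(1931, 11, 30),
     "zip": "03601", "sex": "M", "age": 92, "admit_date": date(2024, 1, 8),
     "diagnosis": "N40.0"},
    {"name": "Dee D.", "ssn": "000-00-0004", "birth_date": date(1978, 6, 15),
     "zip": "10001", "sex": "F", "age": 46, "admit_date": date(2024, 2, 19),
     "diagnosis": "O03.9"},
]
# A constructed "voter roll" style external dataset: names plus the same
# quasi-identifiers, which is all a linkage attack needs.
EXTERNAL = [
    {"name": "Ada A.", "birth_date": date(1985, 3, 9), "zip": "02139", "sex": "F"},
    {"name": "Bea B.", "birth_date": date(1985, 7, 21), "zip": "02143", "sex": "F"},
    {"name": "Dee D.", "birth_date": date(1978, 6, 15), "zip": "10003", "sex": "F"},
]
QUASI = ("birth_date", "zip", "sex")
DEID = [safe_harbor(p) for p in PATIENTS]

if __name__ == "__main__":
    for key, n in equivalence_classes(DEID, QUASI).items():
        print(f"{key}: {n} record(s)")
    print("re-identified record indices:", reidentified(DEID, EXTERNAL, QUASI))
```

Running the block shows the point of the paragraph above: the two 1985/021/F records share an equivalence class of size 2 and link to two candidate names, so neither can be singled out, but the 1978/100/F record is unique and links to exactly one name in the external set even though every direct identifier was stripped. The safe harbor "no actual knowledge" element exists precisely because the 18-identifier list does not guarantee that the remaining attributes are non-identifying.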
Prospects of Legal Challenge
The State of Texas has already filed a legal challenge to block the Privacy Rule Reproductive Data Protections, and it is likely there will be more. While it is too soon to know how many challenges will be brought and which may or may not have merit, several rationales could be advanced. For example, states with laws that penalize individuals for seeking or facilitating abortion care outside of the state could challenge the rule as posing a barrier to enforcement of their duly enacted laws. However, this rationale runs against the long-recognized federal right to travel between states under the Privileges and Immunities Clause of the U.S. Constitution.
Another core consideration underlying many potential legal challenges to the Privacy Rule Reproductive Data Protections is standing. Specifically, who has suffered an injury such that they would have standing to challenge the Protections? Any potential litigant seeking to challenge the rule would need to show that elements of injury, causation, and redressability existed at the outset of the lawsuit, and continue to exist, for each claim and for each form of relief sought. Depending on the specifics of each case, it may be difficult for states to establish all the elements of standing to successfully challenge the rule.
Additionally, the Supreme Court’s recent decision in Loper Bright Enterprises v. Raimondo overturning the Chevron doctrine and possibly the Court’s 2022 decision in West Virginia v. EPA addressing the Major Questions Doctrine may add to the likelihood of legal challenges. Specifically, in the absence of Chevron deference, agency actions, especially those that address divisive issues like abortion, may prove to be priority targets for litigants seeking to challenge executive agency rulemaking under a theory that agency rules exceed Congress’ statutory direction to a federal agency. The Privacy Rule Reproductive Data Protections may be vulnerable to such a challenge. Although an Administrative Procedure Act challenge to the original HIPAA regulations was rejected in 2003 by the 4th Circuit in S.C. Med. Ass’n v. Thompson, a more recent District Court case rejecting previous HHS amendments to HIPAA that relied on the original grant of HIPAA rulemaking authority from 1996 reasoned, in dicta, that the original grant of authority was now “too old” for HHS to rely on in making further amendments to HIPAA.
In sum, there are a lot of unknowns when it comes to weighing the merits of potential challenges to the new HIPAA rule. Recent Supreme Court actions have dramatically impacted agency litigation and action and until there is further case law in the post-Chevron era, it is difficult to predict whether HHS authority to promulgate this rule would be upheld, or whether a different Administration would spend the resources to vigorously defend HHS’ actions. Moreover, additional federalism and standing questions are likely to persist until they have worked their way through the courts. And of course, changing political winds in either the Administration or Congress could result in overturning or paring back these rules.
Health Data Privacy Threats Outside of HIPAA
Health data enjoy fewer privacy protections when held by entities outside of the scope of HIPAA. This article has focused on the threats of new and existing state laws banning or restricting abortion care on the privacy of health information governed by HIPAA and actions being taken by HHS to change the Privacy Rule to try to mitigate those threats. However, vast amounts of individuals’ health data (indeed in some instances the same records) exist and are held by entities beyond HIPAA’s limited scope and jurisdiction.
Search queries, browsing history, the contents of communications, and a person’s location data can all reveal private health-related information, despite not typically being thought of as sources of “medical” or health-related data. These types of data can reveal sensitive information about a person’s health and healthcare choices, regardless of whether the company collecting it provides health-related services. People’s online searches and browsing history have already been used in abortion-related prosecutions, and investigative reporters have shown that location data can be purchased revealing where visitors to an abortion clinic went immediately before and after their visits, which can be highly revealing of a person’s identity—those locations are likely either their workplace or home.
In our digitally connected world, given the growing prevalence of medication abortion and the ability to receive reproductive health services through telemedicine, enforcement of anti-abortion laws may increasingly rely on digital and electronic information. Moreover, the popularity of health tracking apps and IoT (internet of things) devices creates ever-growing stores of health data that can be very revealing of health conditions, including reproductive status, care, and treatments. For example, a connected scale tracks weight gain and loss over time, and a connected refrigerator can detect items added to its shelves.
At the federal level, the FTC has authority to regulate and protect health data not covered by HIPAA, and it has used, and continues to use, its existing rulemaking and enforcement authorities to address health privacy concerns for entities outside HIPAA. For example, on May 30, 2024, the FTC published the final version of changes to the Health Breach Notification Rule (HBNR), which sets forth the protocol to follow in the case of a breach of health data. Specifically, the HBNR requires vendors of personal health records (PHR) and PHR related entities that are not covered by HIPAA to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third party service providers to such vendors and PHR related entities to notify them following the discovery of a breach. Since the FTC enacted its initial HBNR in 2009, the number of health tracking apps has dramatically increased, and Dobbs has created new health privacy risks, motivating the FTC to expand the HBNR to cover newer types of data collection. The updated rule clarifies its applicability to health apps and similar technologies and strengthens the notification mechanisms in this space.
Although to date Congress has failed to enact comprehensive federal privacy protections for health data that sits outside of HIPAA, states including Washington, Connecticut, and California have enacted data privacy protections that either include or specifically address sensitive health data—as well as other forms of sensitive data that may be used to determine health status and activities.
Conclusion
Health information privacy has always been critical to assuring that individuals can receive care for potentially stigmatizing health conditions. The Dobbs decision amplified concerns about the use of health information against individuals (or persons who assist them, including medical providers) and is likely to have far reaching consequences for the delivery of health care for certain conditions or populations. Time will tell whether current efforts by federal and some state regulators to shore up the privacy of reproductive health information will have the desired effect of extending greater protections for this information and, consequently, for access to care.