Required Disclosure of Protected Health Information
Under 45 CFR 164.524, the HIPAA Privacy Rule, individuals and their personal representatives have access to PHI. Healthcare facilities and other covered entities are required to provide such information within 30 days of receiving a request from an individual. On August 1, 2022, HHS announced the imposition of a civil monetary penalty of $115,200 for failure to provide timely access to patient records. This civil monetary penalty marks the Office of Civil Rights’ (OCR) 49th HIPAA right of access enforcement action.
There are two categories of information that are expressly excluded from an individual’s right of access. These are:
- Psychotherapy notes, which are the personal notes of a mental healthcare provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
This right of access is extended to “personal representatives” of the individual. If a personal representative requests the information, the 30-day time limit also applies to such request. In addition, the 30-day limit is not tolled while the covered entity reviews the validity of the claim of being a personal representative. An individual’s personal representative is a person with authority under applicable state law to make healthcare decisions for the individual.
Permitted Disclosures of PHI
In addition to being required to disclose PHI to individuals and personal representatives, the privacy rule permits covered entities to disclose PHI without the individual’s written authorization or an opportunity to agree or object under specified circumstances. This article only discusses those permitted instances that relate to law enforcement or judicial processes.
Under 45 CFR 164.512:
- “A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law;”
- “a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority;”
- “A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:
- (i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or
- (ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal.”
Unlike the required disclosure to the individual and the individual’s personal representatives, this provision of the HIPAA Privacy Rule is permissive, and the healthcare facility or covered entity is not required by HIPAA to disclose the information.
Attestation Required
Under the 2024 Final Privacy Rule, prior to providing information to an individual’s personal representative or under any of the permissive provisions of 45 CFR 164.512, the covered entity is required to obtain an attestation that the PHI that is sought is not for the purposes of investigating or imposing liability on individuals merely for seeking, obtaining, providing, or facilitating lawful reproductive healthcare.
At the end of July, HHS OCR provided a Model Attestation Form for the Requested Use of Protected Health Information Potentially Related to Reproductive Health Care. The attestation reminds the person signing it that federal law prohibits any individual from improperly obtaining PHI. Knowingly obtaining PHI under false pretenses could result in a penalty of up to $100,000 and five years in prison.
Just Say No
A covered entity should adopt a policy to only provide PHI related to reproductive healthcare when required in response to a request from the individual to whom the PHI relates or a personal representative. The covered entity will be required to obtain a signed attestation form that is either the model or one that meets the requirements of the model to disclose the information to the personal representative but not to the individual. When requested to provide the information in the three permissive categories (cases of abuse, judicial or administrative proceeding or as required by law), the covered entity may refuse even with the completed attestation. What does that mean if the covered entity receives the request as part of a judicial or administrative proceeding?
Judicial or Administrative Proceedings
The HIPAA Privacy Rule prohibits covered entities and their business associates from disclosing PHI in response to judicial and other administrative proceedings unless certain conditions are satisfied.
What does that mean when the covered entity receives a court order or a subpoena? Under the 2024 HIPAA Privacy Rule, a covered entity is not required to provide PHI that relates to seeking, obtaining, providing, or facilitating lawful reproductive healthcare. Providing that PHI is permissive when responding to a subpoena or court order. The 2024 Final Privacy Rule requires that the covered entity obtain an attestation that the PHI that is sought is not for the purposes of investigating or imposing liability on individuals merely for seeking, obtaining, providing, or facilitating lawful reproductive healthcare.
What should the covered entity do when receiving a subpoena or court order? If the covered entity is named as a party to the litigation (e.g., as plaintiff or defendant), the covered entity should notify its attorney. PHI may be disclosed during litigation subject to the “minimum necessary” rules of HIPAA. If the covered entity is not a party, then the attorney for the covered entity should determine whether the court or agency has jurisdiction over the covered entity. For example, if an individual who is a resident of Texas seeks an abortion in California, a subpoena or court order issued from Texas to the California provider would not have jurisdiction over that provider. If the subpoena or court order is issued to a health plan sponsored by an employer with offices in Texas, then a Texas court may have jurisdiction over that health plan. If it is determined that there is jurisdiction, then the covered entity may not ignore the subpoena or court order without risk of contempt, even though HIPAA limits such disclosure without the attestation.
If the request for PHI is for the purposes of investigating or imposing liability on Texas individuals for seeking, obtaining, providing, or facilitating lawful reproductive healthcare and the attestation is not provided, then the covered entity may petition the court for a protective order or move to quash the subpoena or court order. The covered entity should contact an attorney immediately if the PHI is requested and the required attestation is not provided. The attorney may recommend that the covered entity seek a protective order.
Challenge to the Validity of the 2024 Final Privacy Rule
On September 4, the State of Texas filed an action seeking declaratory and injunctive relief against enforcement of the 2024 Final Privacy Rule. In addition, the suit seeks to challenge the portion of the original HIPAA privacy rule (the 2000 Privacy Rule) that limits disclosures to state investigators. The 2024 Final Privacy Rule cites 45 CFR 160.104 as the authority to adopt Part 164. Under that provision, the Secretary has the right to adopt modifications to a standard or implementation specification adopted under subchapter C (Administrative Data Standards and Related Requirements). The statutory basis for Part 164 (Security and Privacy) is enumerated in 45 CFR 164.102. Part C of title XI of the Act, section 264 of Public Law 104-191, requires that HHS promulgate final regulations containing standards; the expectation was that these would have been submitted to Congress and also that the Secretary would have consulted with the National Committee on Vital and Health Statistics and the attorney general.
The Texas suit claims that the HIPAA statute explicitly preserved state investigative authority and did not give the defendants any authority to “promulgate how regulated entities may share information with State governments.” Texas requests that the court invalidate both the 2024 Final Privacy Rule and the 2000 Privacy Rule on the basis that the rules “significantly harm the State of Texas’s investigative abilities because covered entities frequently cite the 2000 Privacy Rule as a reason that they cannot comply with a valid investigative subpoena for documents and have already begun invoking the 2024 Privacy Rule for similar purposes.”
Conclusion and Next Steps
To ensure compliance with the 2024 Final Privacy Rule’s heightened privacy protections over reproductive healthcare information, covered entities should limit disclosure of such reproductive healthcare PHI to required disclosures and stop making permissive disclosures. Covered entities will need to review and amend their internal HIPAA policies and procedures related to providing reproductive healthcare information with and without authorizations. Covered entities and business associates should review the 2024 Final Privacy Rule and create a compliance plan with respect to updating policies and procedures, health plan documents, business associate agreements, and privacy notices. Staff must receive training on the new requirements. If a covered entity adopts the recommendation to not provide PHI in response to those above listed permissive categories even with a signed attestation, the covered entity will need to engage counsel if there is a challenge.