Newly Proposed HIPAA Privacy Rule Changes May Affect Disclosure Terms in Business Associate Agreements

The recent Supreme Court decision of Dobbs v. Jackson Women’s Health Organization regarding the legality of state restrictions on abortions has raised both Health Insurance Portability and Accountability Act (“HIPAA”) and data privacy concerns. Covered Entities and Business Associates that may encounter Protected Health Information (“PHI”) that is related in any way to reproductive health may want to pay keen attention to the Privacy Rule changes related to the Dobbs decision and ensure that their Business Associate Agreements (“BAAs”) do not provide disclosure rights that may violate the upcoming rule changes. This article will not delve into the substance of Dobbs nor take any position on the matter as it relates to the Supreme Court decision. Rather, this article will briefly address some practical results of the recent proposed HIPAA Privacy Rule changes that are directly in response to the Dobbs decision.

After Dobbs was decided, many patients and employees of Covered Entities (healthcare providers) involved in any way with providing abortions face an increased risk of civil and criminal penalties in states that have implemented or are planning to implement laws that will be protected by the Dobbs decision. In response, HIPAA-rulemaking officials are proposing changes to the HIPAA Privacy Rule to address the privacy of those individuals seeking reproductive healthcare, namely abortion-related care.

The proposed changes to the Privacy Rule include prohibiting the disclosure of PHI that relates to a person seeking, obtaining, providing, or facilitating reproductive health care outside of the state where an investigation or proceeding is authorized and where the reproductive health care is lawful in the state in which it is being performed. As a recent Law360 article proposed as an example of how the rule changes may affect healthcare businesses, it would violate HIPAA for a Washington state hospital to disclose PHI about a legally-obtained abortion to an Idaho court that is seeking to enforce a recently passed Idaho law that prohibits helping a minor obtain an abortion out of state. This prohibition on disclosure includes any dissemination to law enforcement, courts, or third parties. In other words, if there is a criminal investigation into the lawfulness of an abortion, so long as the abortion was not federally illegal, and done in a state that permitted the abortion, the requesting state whose laws were allegedly violated, will not be permitted to request the PHI related to the underlying facts of the investigation if it involves reproductive health data. This includes civil lawsuits as well.

BAAs, which are required contracts between Covered Entities and their service providers and contractors who interact with, use, process or receive PHI, may require modifications after these Privacy Rule changes take effect. Typical BAAs often provide the ability of the Business Associate (“BA”) to disclose PHI to “carry out its legal responsibilities.” In fact, Health and Human Services has a standard BAA template that provides a “Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR 164.502(j)(1) (whistleblower protections for violations of law, professional or clinical standards).” This provision would likely run afoul of HHS’s own rule changes.

Also of note, the Privacy Rule changes have further clarified that HIPAA does not apply, and therefore these new changes won’t apply to nor affect, reproductive health care information that is stored on consumer devices and consumer health-related apps when such health care information or apps are not managed and collected by a Covered Entity or Business Associate pursuant to health care treatment or any other “covered” activity by a “covered entity” under HIPAA. This means that although the new rules will protect the reproductive PHI collected by Covered Entities, if an individual discloses reproductive health through a technology channel that is not pursuant to “covered” healthcare activities by a covered entity, these new rule changes will not prevent the disclosure of such reproductive healthcare information.

If you have any questions about the newly proposed HIPAA Privacy Rule changes and what it could mean for disclosure terms for business associate agreements, please contact James K. Paulick at jpaulick@leechtishman.com or 424.738.4400. Jim is Counsel with Leech Tishman and a member of the Corporate Group, where he leads the Data Privacy & Cybersecurity Group.

Leech Tishman’s Facebook Page: https://www.facebook.com/leechtishman

Leech Tishman’s Twitter: https://twitter.com/LeechTishman

Leech Tishman’s Company Page on LinkedIn: https://www.linkedin.com/company/leech-tishman

Leech Tishman Fuscaldo & Lampl, Inc. is a national, full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in business restructuring & insolvency, construction, corporate matters, employment & labor, estates & trusts, intellectual property, litigation & alternative dispute resolution, and real estate. In addition, the firm offers a wide range of legal services to clients in the aviation & aerospace, cannabis, emerging cyber technologies, energy & natural resources, entertainment & sports, healthcare, hospitality, and life sciences industries. With offices in Los Angeles, Leech Tishman also has offices in Chicago, Philadelphia, Pittsburgh, Sarasota, Washington, D.C., and Wilmington, DE.