On April 22, 2024, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Final Rule, entitled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy.”
As OCR noted in a Fact Sheet explaining the HIPAA Reproductive Healthcare Privacy Rule, the rule “strengthens privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a covered health care provider, health plan, or health care clearinghouse—or their business associate—” for the following activities:
- “To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, where such health care is lawful under the circumstances in which it is provided.”
- “The identification of any person for the purpose of conducting such investigation or imposing such liability.”
The HIPAA Reproductive Healthcare Privacy Rule became official (went on the books) on June 25, 2024. Enforcement of this Final Rule is set to start on December 23, 2024.
On September 4, 2024, the state of Texas filed a lawsuit in federal District Court seeking a declaration from a District Court judge that the Final Rule should be declared illegal – stricken from the law books – because, as Texas claims, no legal authority gave HHS the right to issue the Final Rule in the first place.
Why Does Texas Seek Invalidation of the HIPAA Reproductive Healthcare Privacy Rule?
In this lawsuit against the United States, Texas makes two, interrelated arguments in support of its conclusion that the HIPAA Reproductive Healthcare Privacy Rule should be declared invalid.
The first legal argument is a federalism argument. Federalism is a political and legal doctrine whose proponents claim that the federal government’s authority to regulate the states is, and should be, limited and narrow.
Consider what the HIPAA Reproductive Healthcare Privacy Rule requires. It requires that providers who receive a request for reproductive healthcare-related PHI (PHI related to, for example, contraceptive care, abortion-related care, or miscarriage treatment) may not use or disclose that PHI for any of the following activities:
- To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
- To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
- To identify any person for any purpose described in paragraphs (1) or (2) above.
The following scenario, then, might play out in the real world – A physician in a state where provision of abortion care is legal, receives a subpoena from Texas, which bans abortion at all stages of pregnancy (save for certain circumstances). The patient who received the abortion care is a resident of Texas, and traveled to the other state to lawfully receive the abortion care from the physician. In the subpoena, Texas demands that the physician disclose details of the procedure – when it was performed, what the outcome was, and who (including any Texas residents) assisted in the performing of the care or transporting the patient to where the care was provided.
Under principles of federalism, Texas argues that the federal government cannot, through the Final Rule, block its ability to have the subpoena enforced. In other words, Texas argues that the federal government cannot prohibit Texas from conducting a criminal investigation into violations of that state’s own laws (which prohibit not only abortion, but what Texas calls “aiding and abetting” of it), by requiring providers to refuse to disclose PHI in response to the subpoena.
The current Texas Attorney General, Ken Paxton, claims HIPAA does not give the HHS the authority to order providers to refuse to cooperate with state investigations into its residents’ medical procedures. “The federal government is attempting to undermine Texas’s law enforcement capabilities, and I will not allow this to happen.” HHS may counter this argument by arguing that Texas lacks the power to enforce its laws extraterritorially – that is, to conduct that occurs outside of its borders.
Texas’ second argument, a more legalesey one, is that the text of the HIPAA statute itself does not actually state that providers are prohibited from complying with state law enforcement investigations. In other words, Texas argues, the HIPAA regulations are an attempt to expand the scope of the HIPAA statute, to prohibit activity the law does not actually prohibit.
*Statutes are laws passed by Congress and signed by the President. Regulations are issued by the administrative agencies tasked with enforcing the laws.
A regulation may not, as Texas notes, add to what a law requires; only Congress can expand upon a law, either by amending it or by passing a new law. (HHS may counter this argument by stating that it is impossible for a law to spell out every conceivable detail of how the law is to be enforced, and that it is the role of agencies, including HHS, to fill in “regulatory gaps,” within reasonable limits).
Texas also argues that the Privacy Rule initially published in 2000 contains a similar improper “expand the scope” defect, as that Rule, too, limits the circumstances under which providers could disclose PHI for law enforcement investigation purposes; HHS may counter that this argument against the 2000 Rule is barred by the 6-year statute of limitations within which an entity (one that existed when a regulation was in effect) has to bring a lawsuit challenging a federal government regulation.
What Happens Next with the Lawsuit to Invalidate the HIPAA Reproductive Healthcare Privacy Rule?
The case has been assigned to U.S. District Judge James Wesley Hendrix. There is no specific timeline by which Judge Hendrix must issue a decision. Compliancy Group will monitor developments in the litigation and will post updates about those developments as they occur.