As we settle into spooky season, let’s take a minute to consider a recent development in health care privacy as we ask ourselves, is this a trick or a treat?

The Texas Attorney General (AG) recently filed a lawsuit against the U.S. Department of Health and Human Services (HHS), the Secretary of HHS, and the Director of HHS alleging that HHS exceeded its statutory authority when issuing the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule in April (“2024 Reproductive Privacy Rule,” 89 Fed. Reg. 32976). In asking for remedies, the Texas AG challenges all of the 2000 HIPAA Privacy Rule (65 Fed. Reg. 82462), although elsewhere in the complaint the AG indicates an intent to more narrowly challenge only the portion of the rule that addresses disclosures to state investigators.¹

The Texas AG is asking the court to declare that the 2000 Privacy Rule and the 2024 Reproductive Privacy Rule violate the Administrative Procedures Act and to vacate, set aside, and enjoin enforcement of the Rules. Did a black cat just walk under a ladder, or is this all a bunch of hocus pocus?

2024 Reproductive Privacy Rule

Earlier this year, the Quarles privacy webinar discussed the 2024 Reproductive Privacy Rule and we include a high-level summary of key points as background:

In June, the 2024 Reproductive Privacy Rule went into effect, prohibiting the use or disclosure of protected health information to conduct an investigation or to impose liability (or to identify any person for those reasons) if for the mere
n the request is made by health or law enforcement officials, for judicial or administrative proceedings, or by coroners and medical examiners.

Requiring modifications to covered entities’ HIPAA privacy policies and Notice of Privacy Practices to conform to the Rule.

Compliance with the rule is required by December 23, 2024, which means that employers who sponsor self-insured group health plans, and other covered entities, must amend their HIPAA privacy and security policies and operations. Covered entities subject to the Rule are not, however, required to amend their Notice of Privacy Practices until February 16, 2026.

Notably, the Rule incorporates modifications related to the use and disclosure of substance use disorder information under the Confidentiality of Substance Use Disorder (“SUD”) Patient Records final rule. Inevitably, this means that covered entities must incorporate the recent changes under the SUD final rule.

HIPAA Privacy Rule to support Reproductive Health Care Privacy, 89 F.R. 32976 (April 26, 2024); Confidentiality of Substance Use Disorder (SUD) Patient Records, 89 F.R. 12472 (February 16, 2024).
usiness associate agreements.

Specifically, beginning in December 2024, the Privacy Rule will prohibit uses or disclosures of PHI if the request for PHI is made to investigate or impose liability for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person as part of conducting such activities (whether civil, criminal, or administrative). The term “reproductive health care” covers the full range of health care related to reproductive health, including the provision of medications and devices.

The final rule is effective June 25, 2024, with a compliance date of December 23, 2024 (except for the requirements related to privacy notices, which require compliance by February 16, 2026).

HIPAA Privacy Rule to Support Reproductive Health Care Privacy

On April 26, 2024, the U.S. Department of Health and Human Services (HHS) published a final rule in the Federal Register: HIPAA Privacy Rule to Support Reproductive Health Care Privacy (89 FR 32976). The final rule is intended to bolster patient-provider confidentiality and help promote trust and open communication between individuals and their health care providers or health plans.

HHS described the changes as having “particular urgency” given the recent Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which “altered the legal and health care landscape,” and had “far-reaching implications for reproductive health care.” HHS expressed concern that the threat of disclosure of PHI to investigate, or impose liability on, an individual could chill an individual’s willingness to seek lawful health care treatment and impact the willingness of health care providers to provide such care, ultimately undermining access to and quality of health care generally.
HHS concluded that the “changed environment” requires additional privacy protections to “help restore the Privacy Rule’s carefully-struck balance between individual and societal interests.”

There are three main co