Texas AG Hopes to Upend HIPAA Rules to Investigate Abortions
State Says HHS Erred by Shielding Reproductive Health Info From Law Enforcement
Texas Attorney General Ken Paxton is suing the Biden administration, alleging that "unlawful" HIPAA Privacy Rule regulations are hindering the state's law enforcement investigations into abortion cases and other reproductive health care cases.
Paxton says the U.S. Department of Health and Human Services overstepped its authority, and he is asking a federal judge to vacate not only the 2024 update to the HIPAA Privacy Rule - enacted to restrict disclosures of protected health information related to reproductive health care - but also the 24-year-old HIPAA Privacy Rule.
The attorney general claims HHS did not have the authority to promulgate the HIPAA Privacy Rule because of another federal law - the Administrative Procedure Act, a 1946 federal law that regulates how federal agencies create and issue rules.
The complaint alleges "HHS has not and cannot point to any authority that allows it to promulgate the 2000 Privacy Rule or the 2024 Privacy Rule" and that "the rules violate the APA."
"The original HIPAA statute as written by the U.S. Congress explicitly preserves the investigative authority of state law enforcement, and the law in no way gives HHS the authority to allow HIPAA-regulated institutions to refuse to cooperate with state investigations," Paxton's office said in its statement.
Both HHS Secretary Xavier Becerra and HHS Office for Civil Rights Director Melanie Fontes Rainer are named as defendants in the Texas lawsuit.
HHS in a statement to Information Security Media Group declined comment on the lawsuit because it is a pending litigation matter, but it defended the HIPAA rule.
"This rule stands on its own. The Biden-Harris Administration remains committed to protecting reproductive health privacy and ensuring that no woman’s medical records are used against her, her doctor or her loved one simply because she got the lawful reproductive care she needed," the HHS statement says.
HHS' 291-page final HIPAA Privacy Rule to Support Reproductive Health Care Privacy, which was published in April and went into effect in June, prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, healthcare providers, or others who seek, obtain, provide or facilitate reproductive healthcare that is lawful under the circumstances in which such healthcare is provided (see: HHS Beefs Up Privacy Protection for Reproductive Health Info).
The 2024 updated HIPAA Privacy Rule also requires a regulated healthcare provider, health plan, clearinghouse or their business associates to obtain a signed attestation that certain requests for PHI potentially related to reproductive healthcare are not for purposes prohibited under the rule.
HHS' OCR issued the 2024 HIPAA Privacy Rule update after the U.S. Supreme Court in the 2022 Dobbs decision overturned Roe v. Wade, a legal precedent that guaranteed the nationwide right to an abortion for more than 50 years.
The Texas lawsuit alleges that the scope of reproductive healthcare that falls under the HHS rule not only includes abortion, but also "hormone and drug therapy for gender dysphoria, surgical procedures related to gender dysphoria, and gender experimentation."
The HHS rule does not specifically mention any type of reproductive healthcare service besides abortion.
"In sum, the 2024 Privacy Rule restricts state officials and law enforcement from obtaining evidence of a crime or other potential violation of state law," the Texas lawsuit alleges.
The Texas attorney general's office did not immediately respond to ISMG's request for comment on its lawsuit.
A Danger to Patient Privacy?
Privacy experts said the move by Texas asking the federal court to nullify the HIPAA Privacy Rules is not only shocking but could be potentially devastating to patient privacy rights.
"This is one of the broadest attacks on the HIPAA Privacy Rule that we have seen since HHS first promulgated the rule in 2000," said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"If the suit is successful, it could fundamentally alter the protection of health information in the U.S. and potentially invalidate the Privacy Rule’s limitations on disclosures to law enforcement or the Privacy Rule more generally," he said.
Privacy attorney Kirk Nahra of the law firm WilmerHale offered a similar assessment.
"It's a pretty surprising challenge, at least as far as it looks to reject the Privacy Rule written in 2000, which has been in effect since 2003 - and issued in final form by the Bush administration," Nahra said. "I would be curious what Texas consumers would think if their health privacy rights were eliminated as a result of this lawsuit."
If the courts rule in Texas' favor, then, at a minimum, this would seemingly limit the ability of HHS to regulate disclosures to law enforcement absent additional statutory authority, Greene said.
"While the complaint focuses on disclosures to law enforcement, though, Texas broadly asks the court to vacate and set aside all of the Privacy Rule," he said.
"Accordingly, if Texas were to win, then two big questions would be: whether the court strikes down portions of the Privacy Rule beyond those related to law enforcement and the extent that the decision would be applied nationally," Greene said.
But winning the lawsuit is not a slam dunk for the state.
"The argument does not address the statutory grant of authority that is the basis of the Privacy Rule," he said. Section 264(c)(1) of HIPAA states "that, if Congress fails to enact privacy standards in three years - which Congress failed to do - then HHS must promulgate privacy regulations that address the uses and disclosures of individually identifiable health information that should be authorized or required," Greene said.
The complaint brought by the attorney general of Texas gives short shrift to the idea that the HIPAA rules were the product of the mandate from Congress to "promulgate" standards for the privacy of patient health information, said privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
"A cynical view would be that a craven, politically motivated state attorney general has crafted a lawsuit that was purposely filed in a federal district court friendly to those who disdain the exercise of federal agency action," he said.
The Texas lawsuit also appears to follow a growing trend in litigation by states challenging federal authority, said regulatory attorney Paul Hales of the Hales Law Group.
"Red states passed anti-abortion laws following the Dobbs decision. Concurrently, they filed lawsuits attacking HHS rule-making authority regarding reproductive rights and other topics," Hales said.
On top of that, a Supreme Court decision in June abolishing the long-standing Chevron judicial doctrine of deferring to government agencies' interpretation of statutes has encouraged "attacks on unpopular administrative regulations," Hales said (see: Experts Warn of Cyber Regulatory Chaos Post-Chevron Overturn).
"The new Texas lawsuit is far and away the boldest attack on a federal agency. The attempt to invalidate the entire HIPAA Privacy Rule would have been unthinkable before Chevron and before recent decisions by the Fifth Circuit Court of Appeals, which covers Texas federal courts," Hales said.
The Texas lawsuit against HHS "is ostensibly about the Administrative Procedure Act, but it really is about the current emotional and political climate in our country. I expect more to come," he said.
Full Circle
The Administrative Simplification provisions incorporated into the Omnibus HIPAA Act more than a decade ago sought to facilitate the use of electronic information systems in the healthcare industry, Holtzman said.
"But Congress was wary that the federal government could misuse data it collected to develop an electronic dossier containing the health records of every American unless there were protections for the use and disclosure of patient health information," he said.
"The Texas lawsuit that seeks to undermine these same patient privacy protections now brings us full circle to confront the governmental overreach Congress sought to prevent," he said.
The Paxton suit is one of two major challenges to HHS HIPAA rules being heard in Texas. The American Hospital Association and other groups sued HHS over its rule that web tracking tools potentially violated the HIPAA Privacy Rule. HHS dropped its appeal of a Texas federal court ruling that found that HHS OCR exceeded its authority in certain provisions of HIPAA guidance related to the use of web trackers (see: HHS OCR Drops Appeal of Court's Web Tracker Ruling).