AHLA's Speaking of Health Law

Texas’ Reproductive Health Privacy Rule Lawsuit: Potential Federal-State Challenges

AHLA Podcasts

Texas recently filed a lawsuit against the U.S. Department of Health and Human Services challenging both the HIPAA Final Rule to Support Reproductive Health Care Privacy and the HIPAA Privacy Rule, with potential implications for the balance of power between federal health privacy regulations and states’ authority to investigate potential legal violations, particularly in the context of reproductive health care. Andrew Mahler, Vice President of Privacy & Compliance Services, Clearwater, speaks with Marti Arvin, Chief Compliance & Privacy Officer, Erlanger Health, about the power play that may be developing and the potential for future challenges to federal regulations that limit state investigative powers. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains, purpose-built software that enables efficient identification and management of cybersecurity and compliance risks, and the tech-enabled, 24/7/365 security operation center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.

Speaker 2:

Everybody, uh, welcome. Uh, today I'm here with, uh, Marti Arvin, uh, to talk about a recent, uh, lawsuit in Texas involving, uh, the HIPAA privacy rule. Uh, my name is Andrew Mahler. I, I lead privacy and compliance services here at Clearwater, uh, where we help organizations across the healthcare ecosystem move to a more secure, compliant and resilient state. Um, good afternoon, Marti. How are you?

Speaker 3:

I'm well, thank you, Andrew. Andrew for the audience. Um, my name is Marti Arvin. As Andrew mentioned, I'm the Chief Compliance and Privacy Officer for Erlanger Health in Chattanooga, Tennessee. We're a six-hospital system, and we have about a 500, um, member provider practice that I oversee as well as doing a small amount of research.

Speaker 2:

Great. Thanks, Marti. Well, I, I'm really happy to be speaking with you about this important topic today. I mean, you, those of you who, who know, you, know your history, I mean, you've, you have a, a very lengthy long career as, uh, as a chief compliance officer, privacy officer. Um, you've done, uh, just a whole lot in the healthcare space and, and really looking forward to your, your insights around this, uh, this lawsuit. So for those of you, you know, joining us today, uh, early last month, so almost actually about a month ago, uh, the state of Texas filed a lawsuit, uh, in the US District Court, uh, Northern District of Texas against HHS, um, challenging, both really challenging the, the HIPAA final rule to support reproductive healthcare privacy, which was issued, uh, earlier this year with an effective date, uh, in December of this year. Uh, but they also bring the HIPAA privacy rule, uh, as issued in in year 2000 into the discussion as well. Um, and we will talk more about this, Marti, but you know, while you know, obviously Texas taking the primary aim at the, at the new HIPAA final rule to support reproductive healthcare privacy really goes further by asking the court to vacate and set aside, uh, both of those rules and permanently enjoin HHS from enforcing them. Um, and just sort of an interesting note here, uh, it's a different judge, but same district, Northern District of Texas, uh, which also recently vacated, uh, OCR's bulletin on the use of online tracking technologies. Um, so again, really great to be talking with you Marti. And just curious, you know, having read through this, this lawsuit, what, what are your initial thoughts on the legal arguments here and, and the basis for the lawsuit?

Speaker 3:

Well, I think it's an interesting challenge because, you know, part of the argument is that the original statute, uh, did not put in place provisions around law enforcement explicitly. And there's some language in the original statute that talks about not intending to prohibit a number of functions related to health oversight activities. But I think as we all know, when you look at what a statute says, and then what ultimately ends up being the regulations promulgated on how to actually implement and, and make that statute functional, they often do have some pretty broad variety. And there's a lot of instances where things I would say are not expressly stated in the statute, but you still have very legitimate regulations promulgated under that statute. So I, I think it's, in my personal opinion, a a bit of a stretch in what they're saying, but I do at least see the premise of their argument in trying to argue that the, the statute, I'm sorry, the regulations exceed the statutory authority. Um, don't take that as I necessarily agree with them, but I can at least see where they based their argument.

Speaker 2:

Mm-hmm, <affirmative>, and are you, are you thinking both the, the new privacy rule as well as the 2000 privacy rule?

Speaker 3:

No, I apologize. I was really focusing more on the part of the argument that was tied to the 2000 privacy rule. Um, I think that the current rule, if you, if you take their argument and, and believe that it's accurate for the 2000 rule, that I think there is a little more substance to the argument for the, the rule in 2024. But I also have to say that, uh, uh, you know, it seems just a bit disingenuous in my opinion that they are trying to say that it, it prohibits law enforcement from pursuing their role and enforcing the law. Um, their argument obviously in the 2024 law is that it, they're trying to base it on leaving it up to the covered entity to determine whether the, the request receipt or, um, activity associated with reproductive health is unlawful or not. And I think my take of their argument is they're trying to say whether something is unlawful or not should be left under up to law enforcement. Um, I would argue that actually should be left up to the courts, and I think it's perfectly acceptable for covered entities to be able to look at a request from law enforcement and determine, you know, what types of services they may have provided to the patient and whether those services they believe are legal in their state, their location, their context.

Speaker 2:

Mm-hmm, <affirmative>. Yeah, and I, I thought, I mean, sort of going a little bit off what, what you're talking about, I, I, I thought it was interesting that, you know, Texas and it's, it's a fairly, I mean, I, I don't know if we'd say it's a fairly lengthy complaint, but it's, it's probably what 16 or so pages, um, really only able to cite to at least in one instance, you know, one case where they, they felt that there had been, um, you know, where somebody had not provided information to law enforcement in a way that the state of Texas felt would be appropriate. Um, so I I thought that was interesting too, in the sense that, you know, this is obviously a bigger fight, uh, for Texas, probably around ideological lines than, uh, than anything else. But I, I just thought that was sort of an interesting note as well. I, I don't know, is there anything else that sort of stuck out to you as being interesting or particularly unique about this lawsuit?

Speaker 3:

Um, no, I think as we look at how HIPAA has evolved, the, the, the regulations have evolved since, you know, 2000 we see that I, I think HHS tried to be very, um, cognizant of making healthcare data available when appropriate, but also putting guardrails around and intending to protect the privacy of the patient. But as you've heard me say, and many people know, there are only two instances under HIPAA where you may not share information. All of the other provisions of HIPAA are permissible methods by which you can share information, but they don't require a covered entity to share it. And you look to other laws that tie into when it may be required, you know, like under the required by law provision or under the, uh, healthcare oversight provisions. And, you know, if you think about that, I don't really believe there's any instance where law enforcement could not get the information from a covered entity that they are lawfully seeking. When I review the reproductive health provisions that got promulgated this year, I look at those as instances where there seems to be concern, at least on OCR's part, that law enforcement will overstep and overreach. And so they're simply asking law enforcement to, to attest that they don't intend to use the data to try to pursue individuals who have sought and/or received reproductive healthcare that is perfectly within the legal bounds of, again, that state, that location or that context.

Speaker 2:

Mm-hmm, <affirmative>. Yeah. I, I, I, you know, I, I agree. Um, I've heard, you know, some people say that this new final rule, you know, feels a little bit more like, you know, it's, it's a, I don't know, almost more like some additional information that already exists in the privacy rule with the addition of, you know, the attestation as well as potentially updating, you know, notices of privacy practices. But I think to your point, it, it's, you know, probably in, in many, if not all of the instances where law enforcement is, uh, is properly a, you know, asking, requesting, demanding, um, PHI, uh, the privacy rule certainly permits that, you know, even prior to, uh, prior to this final rule this year. Um, of course, assuming that that certain conditions are met under, under the privacy rule. Um, you know, something I forgot to mention earlier too, Mar, Marti, and you know, I, I know that you also were, you know, an attorney, a lawyer, you worked in the Indiana, you know, attorney general's office as well. Um, you know, interested, you know, what, what do you think could happen if Texas prevails? You know, let, let's just say for example that, you know, this judge, uh, takes a similar perspective as, as you know, his colleague and says, you know, there's an argument here and you know, we're gonna enjoin HHS from enforcing these rules. What, what does that, what does that world look like?

Speaker 3:

Uh, I think that will be a bit interesting if, if that is the ultimate outcome to see what a court would do with it. And I say that because in the prayer for relief in the complaint, they seem to be asking the court to invalidate the entire privacy rule. Mm-hmm, <affirmative>, um, it, it seems to me the, the argument they're utilizing is really to tie to just a couple provisions of the rule. But the prayer for relief doesn't really specify just those particular components of the rule. It seems to be the entire privacy rule. Uh, which again, I, I don't know that I would see a court necessarily doing that. Um, the court could potentially agree with the Texas AG and say that the particular provisions they tend to reference in the complaint were exceeding statutory authority, were arbitrary and capricious. Um, so if that happens, obviously I think we all see this being appealed, um, if it would happen to happen. But if you're looking at it, then it would really tie into how we share information with law enforcement and, you know, when they look to issue a subpoena, again, I don't think there's anybody out there that, um, I'm aware of that has restricted law enforcement in any significant way as long as they fit the exception of the rule. So do I think, again, as I mentioned earlier, there's some basis for their, uh, their argument that, um, HHS exceeded its statutory authority by putting in place some of the provisions around law enforcement. I, I, I don't think it's a completely laughable argument. I do think it's a stretch, and I do find it interesting that, you know, we're 24 years into HIPAA, the, the final rule being promulgated and, you know, 22 year, 20, 21 years into it being enforced, and this has never been brought up until we got the rule around reproductive health.
So I agree with your comments earlier that I think they're really trying to eliminate the additional provisions for reproductive health, but premising it on the exceeding statutory authority and arbitrary and capricious provisions tied to the original rule, what it'll mean for healthcare is it, you know, we'll just have to adjust how we share information with law enforcement should Texas ultimately be successful. Uh, but I don't know that it will change substantially. You know, we know the provision to get attestations related to reproductive health goes into place on the 23rd of December of this year. So I don't see this case playing out before then. I think all healthcare entities are gonna have to prepare to be compliant with that rule until we do get something in this case. And then it'll be interesting to see if the court enjoins HHS from enforcing those provisions of the rule, whether that gets potentially stayed until a final resolution of the case. So we may be sometime before we actually know what the true implications of this is gonna be for covered entities.

Speaker 2:

Yeah, and you, you sort of anticipated my next question, just as we think a bit about the operational, um, effects of this. Um, you know, as you mentioned this, this does go into effect December, I think it's December 23rd of this year. Um, and, uh, I I think that that makes sense to me that it's, you know, likely that we were not going to get, uh, a resolution prior to, to that point. So interested, you know, as, as you know, chief compliance officer at Erlanger have, have there, has there been anything that, you know, steps that, you know, you've taken, you feel comfortable sharing, you know, around what sort of initiatives, if any, you know, the off your, your office is doing to, to comply with this? Has it changed anything? Is it changing anything? I'm just curious for, you know, other compliance officers listening.

Speaker 3:

Not really, because, you know, for, for two reasons. One is we don't know what the outcome of this lawsuit's gonna be. We haven't, I, I at least I haven't seen the government's response to the complaint yet, uh, and what they're arguing, and, uh, as we all know, these court cases can take some time. I don't necessarily see a basis for them to really expedite it. Uh, as you pointed out though, it is, it is, you know, in the Texas and court, and I think that ruling could potentially get fast tracked as a result of that. But again, we'll have to wait and see on that. We are moving forward as though we have to be compliant with the reproductive health rule and be ready to obtain attestations as of December 23rd. But we are keeping a very close eye on this related to the election in November, because I think that depending on the outcome of that election, uh, we may or may not have the reproductive health rule in place come January 20th or shortly thereafter. I think that's at least a possibility, but that doesn't preclude the fact that we, under the current rules and regulations have to be compliant by December 23rd. So at least anything between that date and the end of January, we have to be ready to get the attestations. But I will say we are also thinking about the idea, that idea how long we'll have to be doing that could definitely be driven by the outcome of the election.

Speaker 2:

Yeah, yeah, that makes, makes sense to me. I mean, we've seen, you know, guidance before that's, that HHS has put out that's, you know, been rescinded with the new administration or, um, we certainly certainly saw that, uh, 20 20 16. Um, and so it'll be, um, I think to your point, I I, I think there will be a lot of things hinging, you know, hinging on what happens in, in November or once we, you know, have a sense of what, what happened in November. Um, you know, I, I'm ano another sort of operational question for you. Um, I don't know if you have any advice or thoughts, and I know this, you know, we're not giving legal advice, anything like that, but just from a, your position as a compliance officer advice, you know, that you'd give to a covered entity that, um, you know, that's trying to figure out how to develop a policy or a practice around, uh, around receiving subpoenas. You know, what, what sort of risks do you think are, are things that need to be top of mind for people? And, um, I, I say subpoena, but of course, I mean, you know, requests from law enforcement. Um, yeah, just interested to hear from you, you know, what, what risks do you see? What, what sort of advice, guidance would you give people that are, uh, trying to operationalize this, this kind of communication?

Speaker 3:

When I think about sharing information with law enforcement, I always tell people, just go back to the rule and read the rule and read the exception and, you know, how does it fit within the exception? And when you think about one of the exceptions for law enforcement is, you know, related to an ongoing investigation, you know, from my perspective, if a law enforcement officer comes in and says, I'm investigating and, you know, tells us what it is, and it ties into that health information then and, and we're limiting it to just what they're requesting and we meet the other provisions of the exception, that's a pretty and open-ended method for them to get information when they're investigating issues, in my opinion. Um, now when you talk about a subpoena, you have to determine is the subpoena the equivalent of a court order? Because if it is, then it's compulsory to comply with it. Um, if it's not, and depending on who issued it and where it came from, it may not be, then you obviously have to go through the process of the reasonable assurances. But I always tell people, go back to the rule and read the rule and read what the exception language requires for you to be able to share the information and make sure you meet that. And I've tend to have tended to have a pretty good relationship with the local law enforcement officials in the organizations I've worked in. And I think that's another important piece. Reach out to them beforehand. Don't wait until somebody's walking into your ED demanding that you tell them if somebody's there, um, reach out to them so that they kind of understand your position and what your views are and your guardrails are. Because I do think there are different ways to interpret some of the provisions of the rules. And some people have done that interpretation in what I would call very conservative approach and others have been less conservative.
Um, but you also need to train your staff because, you know, your frontline staff are often the people who are dealing with this in the moment. When you get the subpoena, you can work with your legal counsel and your compliance officer and your HIM folks to figure out what you're gonna do in response to that. But when law enforcement walks into the emergency room and, you know, starts making demands, you need to make sure your frontline staff are, you know, empowered enough to understand the basics, but also to know when they need to reach out to get that support from compliance and legal and others. But like anything, be prepared, prepare in advance, don't wait till the issue comes to the forefront before somebody says, wait a second, how, how do we handle this? Uh, because, you know, I, as you mentioned, I, you know, litigated cases for the Indiana Attorney General and one of the, um, agencies that I defended were the state police. So I defended these police officers and realized they are trained to be aggressive, and that's part of what helps them get their job done. But you also need to understand that you can push back and, you know, that can be okay, but it can be very scary for your frontline staff. So help them be prepared and empowered and know what they can and can't do, or they, the guardrails they need to work within. And if they're not comfortable with that, who they can reach out to to get support so that we do give the right answer. But again, the organizations I've worked in, uh, and many of the compliance officers I talked to, it's not actually that common that they deny law enforcement the information they're requesting.

Speaker 2:

Yeah, I, you know, I had a couple thoughts and, and I'm really glad you touched on the, the relationship component of this. Um, I was meeting with a group of privacy officers a couple weeks ago and, you know, this issue came up around building these relationships with, uh, with local law enforcement. You know, whether, you know, it's, it's, you know, city, state, county, you know, federal, you know who you have access to, who you can have access to, um, from a relationship perspective. And, and some of these privacy officers were mentioning that, you know, they have regular meetings and I don't know if it was every month or every quarter, um, but, but they're actually will go and, and speak to a group of local, you know, law enforcement officers. And part of that conversation could be, you know, here's what we can and can't do, and we just wanna un, you know, we wanna let you know that, you know, we want to get you the information, here are the steps we have to go through. But also part of that may also be, you know, hey, you, you might be interacting with somebody that is a frontline staff person who might be intimidated and, you know, may not know what to do, and, and we just wanna, you know, we wanna assure you that we're giving them training that they need. But, you know, we want to continue to develop these good relationships. And, and part of that is, you know, how, how we sort of ask questions and, and how we sort of engage, uh, each other when there's a, you know, when there's an urgent issue or a challenging issue. Um, because you're right, it can be, it can be pretty intimidating for, you know, people that you know, are, are sitting at a, you know, the admitting desk and the intake desk and, and see somebody come in, um, with a badge. So thank you for sharing that. Um, in terms of, you know, I I, and I think probably we've covered a lot here. I, I don't know, you know, how much more there, how much deeper we can go.
I'm sure people will, you know, teach law courses on this in the future. Um, but I I also really just wanna reflect back, you know, your advice to go back to the rule. Um, and I, I think something that is helpful about some of the provisions in the privacy rule is that you do often, or you do sometimes get, uh, some, uh, a, a bit of a prescription about how to do this. And, and the, certainly the permitted disclosures for, for law enforcement purposes is one of those areas where you can, you know, almost build a policy and procedure right around the rule, uh, itself. Um, and then of course, you know, making sure people have training, making sure people have templates, uh, if they need to have scripts, you know, to help support that. Um, you know, the more that you know, I think you can give, uh, to the frontline people and to, and to your staff, the more the better equipped you'll be and, and the organization will be to, to navigate some of these issues. I don't know if you have any closing thoughts, Marti, just around, you know, whether it's a, you know, question for the future or, or a thought or an encouraging word. Um, love to turn it back over to you for sort of the final thought.

Speaker 3:

I, I think it's something that's you've alluded to, to, to be closely watched because, you know, bringing the allegation that this, that CMS operated, uh, or HHS operated beyond its statutory authority and that the regulations are ar arbitrary and capricious for the 2020 rule. I'm sorry, the, the 2000 rule is I find somewhat interesting. And if that was really the case, why wasn't this brought much, much, much sooner? Um, if that was truly it. I, to your comment earlier, I think it really is triggered by the provisions of the reproductive health rule that was passed this year. Um, and I think in my personal opinion is if law enforcement is doing something that they should be doing to enforce the laws because they truly believe there was unlawful conduct, there shouldn't be anything in either the 2000 rule or the 2024 rule that pre precludes them from getting that information. Uh, I do think, you know, the comments they made in the complaint about covered entities, having the, you know, being given the right to decide whether something is lawful or unlawful, um, is an interesting argument. But I don't think that necessarily is different than the 2000 rule because there's, you know, a number of provisions where the covered entity has to make decisions and determinations about whether they're permitted to share the information. So, um, you know, we all know this is gonna be an on to ongoing topic of debate and concern. And, you know, again, what happens in November I think can be very triggering as far as how all of this proceeds, because depending on the way the election goes, I think there's some chance that this rule could go away. But I also think there's some chance that we could potentially have national laws associated to some of the issues around reproductive health, and that could make much of this go away because many of those individual state laws then may no longer be relevant.
And you know, what is now, excuse me, now, unlawful in, in a particular state may not be unlawful a year from now, two years from now. Um, but we live in very, very interesting times. And, you know, this is gonna continue to be an issue I anticipate for the next several years, at least.

Speaker 2:

I agree. Well, Marti, thank you very much for, for joining me today. Uh, hopefully, you know, we'll have a chance to circle back at some point, you know, if there's more clarity around this in the future. But, um, again, thanks so much for your time and thanks everybody for listening.

Speaker 3:

Thank you.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.