Proposed Rule Looks to Ramp up HIPAA Privacy Protections for Reproductive Health Information
- April 14, 2023
The Department of Health and Human Services Office for Civil Rights (OCR) issued April 12 a proposed rule aimed at better protecting sensitive information related to reproductive health care, including abortion, under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
The proposed rule, which is slated for publication in the April 17 Federal Register, would prohibit the use or disclosure of protected health information (PHI) to investigate or prosecute “patients, providers, and others involved in the provision of legal reproductive health care, including abortion care,” a press release said.
Reproductive health care is defined to include “prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions such as ovarian cancer.”
The proposed rule is part of the administration’s ongoing efforts to ensure access to reproductive health care in the wake of the Supreme Court’s ruling last summer in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade.
Specifically, the proposed rule would prohibit regulated entities from disclosing PHI involving reproductive health care for either (1) a criminal, civil, or administrative investigation into or proceedings against any person in connection with care that is lawfully provided; and (2) the identification of any person for the purpose of initiating such investigations or proceedings, according to the fact sheet.
The proposal looks to help address concerns that patients, providers, and others could face criminal or civil liability in states with abortion bans even when the care is performed in a state where the procedure is lawful.
“Trust is critical in the patient-doctor relationship and medical mistrust can damage and chill patients’ relationship with their providers, imperiling patient health. Today’s proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care,” said OCR Director Melanie Fontes Rainer.
OCR offered several examples for how the prohibition would apply in practice, including where a resident of a state with an abortion ban, travels out of state for the care. In that scenario, regulated entities would be prohibited from disclosing the patient’s PHI to law enforcement under the proposed rule.
The prohibition also would apply to reproductive health care that is protected or required by federal law (for example, under the Emergency Medical Treatment and Labor Act), regardless of the state where the care is provided.
Regulated entities could continue to use or disclose PHI for purposes otherwise permitted under the Privacy Rule that do not involve investigating or prosecuting “any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care,” OCR said.
Under the proposed rule, regulated entities would be required to obtain a signed attestation that the use or disclosure of PHI potentially related to reproductive health care is not for a prohibited purpose.
The proposed rule builds on earlier guidance issued by OCR in June 2022, which some argued did not go far enough to protect PHI related to reproductive health care. Senate Democrats urged HHS in September 2022 to update the HIPAA Privacy Rule and to take additional steps, including strengthening education on, and enforcement of, federal health privacy protections.
Comments on the proposed rule are due May 17.