Getty Images

Lawmakers Ask HHS to Expand Proposed HIPAA Rule, Require Warrant For PHI

Lawmakers urged the Biden administration to require law enforcement to obtain a warrant before forcing providers to turn over patient PHI.

Spearheaded by United States Senators Ron Wyden (D-OR) and Patty Murray (D-WA), and US Representative Sara Jacobs (D-CA), lawmakers sent a letter to HHS Secretary Xavier Beccera urging the administration to consider expanding its proposed update of privacy regulations under HIPAA.

In April 2023, HHS issued a Notice of Proposed Rulemaking (NPRM) aimed at strengthening HIPAA Privacy Rule protections by prohibiting the use of PHI to investigate or prosecute patients and providers involved in the provision of reproductive healthcare. The NPRM would still allow covered entities to disclose PHI for other purposes.

Lawmakers have long been pushing for updates to HIPAA, and the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization further catalyzed these requests. However, the latest letter suggests that the NPRM issued in April doesn’t fulfill lawmakers’ goals for protecting patient privacy under HIPAA.

The lawmakers are now asking HHS to take the NPRM a step further by ensuring that all protected health information (PHI) is afforded the same protections as location data, emails, and texts, all of which require law enforcement agencies to obtain a warrant before gaining access to them.

Lawmakers proposed that HHS require that law enforcement agencies obtain a warrant before forcing healthcare providers to turn over patient PHI as well.

“Americans expect their PHI to be at least as private as their email and text messages, phone calls and location data. While federal and state courts around the country have recognized the importance of protecting Americans’ medical privacy, HHS’ regulations have lagged behind,” the lawmakers wrote. 

“HHS should update the HIPAA regulations to meaningfully protect the privacy of Americans’ PHI by requiring a warrant for disclosures to law enforcement agencies. Instead of limiting this higher standard to narrow categories of records, HHS should apply this protection across the board, regardless of the illness, disease, or medical issue.”

Additionally, the group of lawmakers urged the administration to require that warrants for PHI prohibit sharing the requested records with other law enforcement agencies, with the exception of furthering a particular investigation. The lawmakers also suggested that patients should be notified when their PHI is disclosed to law enforcement agencies.

“HHS already requires that health providers give patients who request it a list of all prior disclosures of their health records to third parties, including law enforcement disclosures. But very few patients routinely request such information,” the letter explained.

“HHS should require providers to proactively notify patients about law enforcement disclosures, either at the time of the disclosure, or on a delayed basis if prompt notice would disrupt an active investigation. Such a change in practices would be consistent with Congressionally-enacted notice requirements for wiretaps and bank subpoenas.”

The lawmakers commended the administration’s efforts to strengthen HIPAA and to investigate HIPAA violations via the Office for Civil Rights (OCR) and suggested that Congress provide greater investment in OCR to respond to data breaches under HIPAA.

Next Steps

Dig Deeper on HIPAA compliance and regulation