WANAN YOSSINGKUM/istock via Gett
HHS Proposes Rule to Strengthen HIPAA Protections For Reproductive Healthcare Data
HHS issued a Notice of Proposed Rulemaking aimed at strengthening HIPAA Privacy Rule protections by prohibiting the use of PHI to investigate or prosecute patients and providers involved in the provision of reproductive healthcare.
The HHS Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) with the goal of strengthening HIPAA Privacy Rule protections for those seeking and delivering reproductive healthcare.
This NPRM would prohibit the use or disclosure of protected health information (PHI) for the purposes of investigating or prosecuting patients, providers, and others involved in the provision of legal reproductive healthcare, including abortions.
In the aftermath of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, lawmakers, providers, and patients raised concerns about how reproductive health data could be used in legal proceedings.
Under Executive Order 14076, President Biden directed HHS to consider updating HIPAA to better protect sensitive reproductive healthcare information. The NPRM is HHS’ direct response to President Biden’s two executive orders surrounding reproductive healthcare.
“When the Supreme Court overturned Roe v. Wade, nearly half a century of precedent changed overnight,” HHS Secretary Xavier Becerra said. “The Biden-Harris Administration is committed to protecting women’s lawful access to reproductive health care, including abortion care. President Biden signed not one but two executive orders calling on HHS to take action to meet this moment and we have wasted no time in doing so. Today’s action is yet another important step HHS is taking to protect patients accessing critical care.”
Specifically, the NPRM would prohibit the use or disclosure of PHI by a regulated entity for the purposes of a criminal, civil, or administrative investigation against “any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided,” HHS’ fact sheet on the matter stated. The NPRM would still allow covered entities to disclose PHI for other purposes.
Additionally, the NPRM would require a covered entity to obtain a signed attestation that a request for PHI is not related to a previously mentioned prohibited purpose. The attestation requirement would only apply if the request for PHI was tied to health oversight activities disclosures to coroners and medical examiners, law enforcement purposes, and judicial and administrative proceedings.
“I have met with doctors across the country who have shared their stories. These providers have expressed fear, anger, and sadness that they or their patients may end up in jail for providing or obtaining evidence-based and medically appropriate care,” said OCR Director Melanie Fontes Rainer.
“Trust is critical in the patient-doctor relationship and medical mistrust can damage and chill patients’ relationship with their providers, imperiling patient health. Today’s proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care. This is a real problem we are hearing and seeing, and we developed today’s proposed rule to help address this gap and provide clarity to our health care providers and patients.”
In the meantime, the current HIPAA Privacy Rule as written remains in effect. The comment period for the NPRM will remain open for 60 days after the NPRM is published in the Federal Register. HHS encouraged key stakeholders to submit comments, including patients and providers.