Office for Civil Rights Announces Proposed Modifications to HIPAA to Protect Reproductive Health Data
May 24, 2023
Overview
A notice of proposed changes to the HIPAA Privacy Rule was recently issued to bolster the privacy of protected health information (PHI) relating to reproductive health care. The proposed changes are the latest in a series of steps by the Biden administration addressing privacy of reproductive health information following the Supreme Court’s Dobbs v. Jackson Women’s Health Organization decision last summer. This post takes a closer look at the proposed changes to HIPAA.
The Office for Civil Rights—the federal agency charged with enforcing the Health Insurance Portability and Accountability Act (HIPAA)—has issued a notice of proposed changes to the HIPAA Privacy Rule to bolster the privacy of protected health information (PHI) relating to reproductive health care. The proposed changes are the latest in a series of steps by the Biden administration addressing privacy of reproductive health information following the United States Supreme Court decision in Dobbs v. Jackson Women’s Health Organization last summer. That decision rolled back the court’s previous rulings on abortion rights under the U.S. Constitution.
Background
Under the current Privacy Rule, PHI relating to reproductive health care is treated as any other PHI. The Privacy Rule generally requires an individual’s authorization before a covered entity may use or disclose his/her/their PHI. However, since it was finalized, the rule has carved out certain permitted uses and disclosures of PHI that do not require an authorization or opportunity for the individual to agree or object. These exceptions include disclosures for law enforcement, health oversight and public health purposes, when certain conditions are met. Over the last year, there have been considerable concerns that investigators and prosecutors may take advantage of these provisions to obtain PHI for the purpose of investigating or prosecuting individuals simply for seeking, obtaining, or providing reproductive health care. As a result, several jurisdictions have passed new laws adding additional privacy protections to reproductive health information.
The Office of Civil Rights states the changes to the Privacy Rule would prohibit certain disclosures of PHI for investigations and legal proceedings relating to reproductive health, “in circumstances in which the state lacks any substantial interest in seeking the disclosure.” The main reasons for the proposed changes, it says, “are the risks to privacy, patient trust, and health care quality that occur when it is the very act of obtaining health care that subjects an individual to an investigation or proceeding.”
Proposed Changes to HIPAA
Among other things, the proposed changes to HIPAA include:
- Generally prohibiting use and disclosure of PHI for
- investigations and legal proceedings against any person relating to obtaining or providing reproductive health care; and
- identifying an individual or a regulated entity for the purpose of starting such an investigation or proceeding.
This general prohibition would apply in three different contexts, including when the reproductive health care takes place outside the state in which the investigation is conducted, in a state in which the reproductive health care is lawful. The proposed changes would also bar the use of an authorization to circumvent the general prohibition stated above.
The proposed changes to HIPAA further include:
- Adding clarifying language that currently-permitted uses and disclosures for public health investigations, interventions and surveillance do not include such investigations and proceedings connected to obtaining, providing, or facilitating reproductive health care or identification of any person relating to an investigation or proceeding relating to reproductive health care.
- Adding an entirely new section to the Privacy Rule requiring a valid attestation for certain uses and disclosures potentially involving reproductive health care to persons other than covered entities. A valid attestation would:
- be required for a use or disclosure for health oversight, judicial and administrative proceedings, law enforcement or to a coroner or medical examiner—all currently permitted when certain conditions are met;verify that the use or disclosure is not for a purpose prohibited under the general prohibition above; and
- be written in plain language and not be combined with another document, as is currently the case for authorizations to release PHI.
- Clarifying that where the Privacy Rule currently permits a disclosure of PHI to law enforcement in response to “an administrative request,” the administrative request must be one to which a response is required by law.
- Requiring that the notice of privacy practices required by the Privacy Rule contain a description and at least one example of uses and disclosures:
Comment Period
The notice of proposed changes to the Privacy Rule was published in the Federal Register on April 17, 2023, and comments must be submitted by June 16, 2023. Anyone can submit comments on the proposed changes and comments may be submitted electronically at http://www.regulations.gov by searching for the Docket ID number HHS–OCR–0945–AA20.
Post by Stephen Murphy, J.D., Deputy Director – Mid-States Region Office, Network for Public Health Law.
The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document do not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.
Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.