The U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR), recently issued a Notice of Proposed Rulemaking (NPRM) that would prohibit the use or disclosure of protected health information (PHI) to investigate and prosecute patients, providers, and others involved in the provision of reproductive health care. The proposed rule is intended to strengthen HIPAA’s Privacy Rule to protect patient-provider confidentiality and prevent private medical records from being used against people seeking or providing lawful reproductive health care.
The NPRM follows in the aftermath of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization which overturned its ruling in Roe v. Wade. After the Dobbs decision, President Biden signed Executive Order 14076, directing HHS to consider taking action to further protect sensitive reproductive health care information and patient-provider confidentiality. The proposed changes to HIPAA’s Privacy Rule would only apply where the disclosure is “primarily for the purpose” of investigating or imposing liability with respect to reproductive health care in states where such health care is lawful or protected by Federal law, regardless of whether the investigation or proceeding arises in the same or a different state. In all other situations, covered entities would still be permitted to use and disclose PHI as permitted by HIPAA.
OCR’s proposed rule would extend additional privacy protections for providers, insurers, patients, and others to safeguard PHI when that information otherwise would be disclosed or used to identify, investigate, sue, or prosecute someone for seeking, obtaining, providing, or facilitating lawful reproductive health care. Under the proposed rule, reproductive health care includes but is not limited to prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions such as ovarian cancer.
The requirements in the NPRM, if finalized, would require covered entities to obtain attestations from those requesting reproductive health care information. Under the proposed rules, covered entities will be required to obtain signed attestations from the requestors of PHI related to reproductive health care for health oversight activities, for judicial and administrative proceedings, for law enforcement purposes, or to coroners and medical examiners before using or disclosing the PHI to the requesting party. The attestations must verify that the use or disclosure is not for a prohibited purpose. Where a covered entity determines that the attestation was materially false, they are required to terminate the use or disclosure of the PHI. Covered entities would also need to revise and redistribute their Notices of Privacy Practices to include information on prohibited uses and disclosures.
Covered entities should review the NPRM and submit comments on the proposal to HHS during the 60-day comment period. In the meantime, the current HIPAA Privacy Rule remains in effect, and the existing Privacy Rule permits, but does not require, certain disclosures to law enforcement and others, subject to specific conditions.