In a significant move to safeguard patient privacy and enhance confidentiality, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has proposed a set of special rules under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
These proposed HIPAA privacy rules aim to provide stronger privacy protections for reproductive health care information. Healthcare organizations must be aware of these changes to protect reproductive health care and ensure HIPAA compliance.
Table of Contents
Background of the Proposed HIPAA Privacy Rule
In the wake of ongoing concerns following the Dobbs v. Jackson Women’s Health Organization decision, protecting sensitive reproductive health information has become a pressing issue. According to the HHS’ Proposed Rule published in the Federal Register, the aftermath of the Dobbs decision has raised concerns about the potential misuse of PHI obtained from healthcare providers and technology vendors. Such information, when related to lawful reproductive healthcare, has increasingly become a target for punitive purposes outside the scope of healthcare. The OCR acknowledges the need for additional privacy protections to mitigate these risks and prevent inaccurate or incomplete documentation of medical records.
Holland and Knight mentions that in a recently filed lawsuit, the OCR highlighted a concerning incident involving an out-of-state healthcare provider. The provider decided to describe a plaintiff’s condition using a term other than “abortion,” even though the procedure was legally performed in the state where it took place. The healthcare provider’s choice to deviate from accurate documentation stemmed from concerns about potential ramifications associated with labeling the healthcare provided as an abortion. This example underscores the need for improved privacy protections for reproductive health information, as healthcare professionals may feel compelled to alter medical records due to apprehensions regarding disclosing and using such information.
Updated HIPAA Privacy Rules for Reproductive Health Care
The HHS wants to introduce a new term called “reproductive health care” under the broader category of “health care.” This term includes services and supplies related to reproductive health, such as contraception, pregnancy-related care, fertility treatments, and diagnosis and treatment of reproductive system conditions. The HHS aims to define reproductive health care broadly and make it easier for covered entities to understand and implement.
While Congress and the HHS have defined similar terms like “reproductive health services,” the Department prefers using “reproductive health care” to encompass a broader range of services, including non-prescription supplies. They have not proposed a specific definition for “reproductive health” but welcome comments on the matter.
Using and disclosing PHI for reproductive health care
If someone seeks, receives, or helps with reproductive health care, their personal health information (PHI) cannot be shared for criminal, civil, or administrative investigations or legal proceedings under certain circumstances. These circumstances include:
- Any health care received outside of the state where the investigation is happening
- When it is protected by federal law
- When it is provided in the state where the investigation is taking place and is allowed by state law
Let’s say a patient named Sarah lives in State A, where certain reproductive health services are restricted. However, Sarah travels to State B, where those services are legally provided, to seek the necessary care. Under the Proposed Rule, if Sarah shares her health information with her healthcare provider in State A after returning from State B, that information cannot be used against her or her healthcare provider in any punitive investigations or legal proceedings. The proposed HIPAA privacy rule protects the privacy and confidentiality of individuals like Sarah, who seek reproductive health services, allowing them to access necessary care without fear of negative consequences.
Changing disclosures about victims of abuse, neglect, or domestic violence
The HHS is concerned that recent state actions might make healthcare providers think they can disclose PHI when they believe that individuals involved in providing or facilitating reproductive health care are perpetrators of abuse, neglect, or domestic violence.
The HHS wants to clarify that providing or facilitating access to reproductive health care is not considered abuse, neglect, or domestic violence. The proposal includes adding a new paragraph to the regulations stating that the permissions in this section do not permit the use or disclosure of PHI to provide or facilitate reproductive health care. This protects individuals’ privacy and prevents claims that disclosing their health information is justified because they are receiving reproductive care. According to the proposal, this update is not meant to obstruct oversight or legal proceedings related to professional conduct or where PHI pertaining to reproductive health care is needed.
Additional limitations on the use and disclosure of reproductive health care information
According to the Network for Public Health Law, the proposed changes to HIPAA include several important modifications:
- Clarifying Public Health Investigations: Reproductive health care information cannot be used or disclosed for public health investigations, interventions, and surveillance or to identify individuals involved in reproductive health care investigations or proceedings.
- Introduction of Attestation Requirement: The update mandates a valid attestation for certain uses and disclosures involving reproductive health care intended for parties other than covered entities. This attestation verifies that the use or disclosure does not violate the general prohibition mentioned earlier. It also needs to be written in plain language and presented as a standalone document.
- Enhanced Clarity for Law Enforcement Disclosures: The proposed changes clarify that if the Privacy Rule currently allows the disclosure of protected health information (PHI) to law enforcement in response to an “administrative request,” such request must be one that legally requires a response.
- Updated Notice of Privacy Practices: The proposed changes require that the Notice of Privacy Practices, which informs individuals of their privacy rights, include a description and at least one example of uses and disclosures generally prohibited under the proposed modifications. Additionally, it should outline the attestation requirement for specific uses and disclosures under the proposed changes.
Costs and Benefits of the Proposed HIPAA Rule
While the proposed HIPAA Privacy Rules for reproductive health care introduce additional responsibilities for healthcare providers, it also offers numerous benefits. For one, the proposed rule encourages the complete and accurate sharing of medical records by strengthening patient-provider confidentiality and enhancing privacy protections for reproductive health information. This, in turn, promotes the availability and quality of legal reproductive healthcare services.