Expansion of HIPAA Privacy Rule for Reproductive Health Care
May 11, 2023
On April 17, 2023, the Department of Health and Human Services (the “Department”) issued a Notice of Proposed Rulemaking (“NPRM”) proposing to expand protections afforded by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule following recent legal events involving reproductive health care.
This NPRM aims to strengthen the Privacy Rule protections by prohibiting the use or disclosure of protected health information (PHI) to investigate or prosecute patients, providers, and others involved in the provision of legal reproductive health care. Reproductive health care is defined to include, but is not limited to, prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions, such as ovarian cancer.
Relevant to this NPRM, the Privacy Rule permits covered entities to disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal, or in response to a subpoena or another lawful process if certain assurances regarding notice to the individual or a protective order are provided. The Privacy Rule further permits covered entities to disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official's request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
This NPRM proposes to strengthen privacy protections by prohibiting the use or disclosure of PHI by a covered entity for either of the following purposes: (1) a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; and (2) the identification of any person for the purpose of initiating such investigations or proceedings. The prohibition on disclosure would apply where the relevant criminal, civil, or administrative investigation or proceeding is in connection with one of the following: (1) reproductive health care that is sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized; (2) reproductive health care that is protected, required, or expressly authorized by federal law, regardless of the state in which such health care is provided; or (3) reproductive health care that is provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such health care is provided. This NPRM would continue to allow a covered entity to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for PHI is not made primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
To illustrate, this NPRM would offer additional protections in the following instances:
- If a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
- If the reproductive health care, such as miscarriage management, is required under the Emergency Medical Treatment and Labor Act (EMTALA) to stabilize the health of the pregnant individual.
- If a resident of a state receives reproductive health care, such as a pregnancy test or treatment for an ectopic pregnancy, in the state where they reside, and that reproductive health care is lawful in that state.
To ensure compliance with this NPRM, the Department proposes a requirement that covered entities obtain a signed attestation that the use or disclosure is not for a prohibited purpose when a request for PHI potentially related to reproductive health care is received by the covered entity. This attestation requirement would apply when the request is for PHI in any of the following circumstances: (a) health oversight activities; (b) judicial and administrative proceedings; (c) law enforcement purposes; or (d) disclosures to coroners and medical examiners.
This NPRM is open for public comment until June 16, 2023. Once comments are reviewed and the language of the rule finalized, the rule will become effective 60 days after its final publication by the Department. Covered entities will then have until 180 days after the effective date (the “compliance date”) to establish and implement policies and practices to achieve compliance with any new or modified standards. However, the compliance date is subject to change if the final rule sets forth an alternative compliance date.