24 State Attorneys General Confirm Support for Stronger HIPAA Protections for Reproductive Health Data
A coalition of 24 state attorneys general has written to the Department of Health and Human Services (HHS) to confirm their support for the proposed update to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to strengthen reproductive health information privacy.
Background
The decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization in June 2022 overturned Roe v. Wade and removed the federal right to abortion. Many states introduced their own laws banning or severely restricting abortions in their respective states, and those laws permit criminal or civil penalties for anyone that seeks, provides, or assists with the provision of an abortion. Currently, 15 states have introduced almost total bans on abortions and several others have restricted abortions or are in the process of introducing bans or restrictions. Idaho has also recently enacted an abortion trafficking law, which aims to restrict the ability of state residents to travel out of state to receive abortion care.
Following the Supreme Court decision, the HHS’ Office for Civil Rights (OCR) issued guidance to HIPAA-regulated entities on the HIPAA Privacy Rule and how it permits but does not require disclosures of reproductive health information if the disclosure is required by law or is for law enforcement purposes. OCR confirmed that if a patient in a state that has banned abortions informs their healthcare provider that they are seeking an abortion in a state where abortion is legal, the HIPAA Privacy Rule would not permit the healthcare provider to disclose that information to law enforcement in order to prevent the abortion.
OCR subsequently issued a notice of proposed rulemaking (NPRM) about a planned update to the HIPAA Privacy Rule to strengthen reproductive health data privacy further, which would make it illegal to share a patient’s PHI if that information is being sought for certain criminal, civil, and administrative investigations or proceedings against a patient in connection with a legal abortion or other reproductive care.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
In response to the NPRM, a coalition of 24 state attorneys general recently wrote to the HHS’ Secretary, Xavier Becerra, and OCR Director, Melanie Fontes Rainer, to confirm their support for the proposed HIPAA Privacy Rule changes. The coalition is led by New York Attorney General, Leticia James, and the letter was signed by the state Attorneys General in Arizona, California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New York, New Mexico, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, Washington, Wisconsin, and Washington D.C. The state AGs requested the HHS “move expeditiously to issue [the proposed rule] and apply the standard compliance date of 180 days after the effective date of the final rule.”
“No one should have to worry about whether their health care information will be kept private when they go to the doctor to get the care they need,” said Attorney General James. “While anti-choice state legislatures across the nation are stripping away our reproductive freedom and seeking access to health care data, it is imperative that we take every measure to safeguard Americans’ privacy. I will always fight to defend abortion and ensure no one’s private right to choose can be used against them.”
Recommendations to Further Strengthen Reproductive Health Information Privacy
In addition to confirming their support, comment has been provided on areas where the protections stated in the proposed rule can be strengthened further. The proposed Privacy Rule update adopts a broad definition of “reproductive health care” as a subcategory of health care; however, the state AGs recommend also creating a separate definition of “reproductive health,” to make it clear that the update not only applies to providers of gynecological and/or fertility-related care but also to other HIPAA covered entities. This would help to avoid any possible ambiguities about the types of health care covered by the proposed rule and they recommend that examples of reproductive health care are incorporated into the regulatory text of the final rule.
The state AGs also call for the HHS to define “birth” and “death” separately, in order to clarify that termination of pregnancy is not a public health reporting event and is therefore not subject to the HIPAA Privacy Rule reporting requirements. They also call for tightening up of the language in the proposed rule, which prohibits “use or disclosure “primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.” There is concern that a different primary purpose may be manufactured as a pretext for obtaining PHI for a prohibited purpose. This potential loophole could be closed by dropping the word ‘primary’.
Among the other recommendations are for the HHS to ensure that requesters and providers receive adequate guidance on the attestation requirement of the proposed rule, which requires attestation that the request is not being made to obtain reproductive health information to take legal action against an individual, and for the HHS to create a nationally available, online platform to provide patients with accurate and clear information on reproductive care and privacy rights, and to conduct a public awareness campaign to promote the website.
