The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OCR Proposes HIPAA Privacy Rule Update to Bolster Reproductive Health Care Privacy

Posted By on Apr 12, 2023

The HHS’ Office for Civil Rights has published a Notice of Proposed Rulemaking (NPRM) about an update to the HIPAA Privacy Rule to strengthen privacy protections for reproductive health information. The proposed update is in response to the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization and the overturning of Roe v. Wade, which removed the federal right to abortion that has been in place for almost half a century.

Since that decision in 2022, states have been scrambling to enact abortion laws. 18 states have introduced full or partial bans on abortions in their states, and a further 4 states are due to introduce full or partial bans. There is concern that those states will attempt to prosecute state residents that seek abortions out of state and will request the health data of individuals from healthcare providers who provide reproductive health services or facilitate reproductive health care.

“When the Supreme Court overturned Roe v. Wade, nearly half a century of precedent changed overnight,” said Secretary Xavier Becerra in an announcement about the NPRM. “The Biden-Harris Administration is committed to protecting women’s lawful access to reproductive health care, including abortion care. President Biden signed not one but two executive orders calling on HHS to take action to meet this moment and we have wasted no time in doing so. Today’s action is yet another important step HHS is taking to protect patients accessing critical care.”

Currently, the HIPAA Privacy Rule permits but does not require HIPAA-covered entities to provide reproductive health information to law enforcement. OCR has released guidance on disclosures of reproductive health information and has clarified the circumstances when reproductive health information can be legally disclosed. OCR has also stated that noncompliance with the HIPAA Rules with respect to reproductive health care is an enforcement priority for OCR.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Today’s announcement is intended to enhance privacy protections and strengthen patient-provider confidentiality by prohibiting disclosures of reproductive health information to investigate or prosecute patients, providers, and others involved in the provision of legal reproductive health care, including abortion care.

Specifically, the proposed HIPAA Privacy Rule update will prohibit disclosures of reproductive health care information for:

  • Criminal, civil, or administrative investigations into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of initiating such investigations or proceedings.

These restrictions will apply in the following situations:

  • Reproductive health care is sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized.
  • Reproductive health care that is protected, required, or expressly authorized by federal law, regardless of the state in which such health care is provided.
  • Reproductive health care that is provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such health care is provided.

Reproductive health care is defined as including, but not limited to, prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions such as ovarian cancer.

Under the proposed rule, if a request is received for protected health information that is potentially related to reproductive health care, a regulated entity will be required to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. The attestations will be required for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners.

“I have met with doctors across the country who have shared their stories,” said OCR Director Melanie Fontes Rainer. “These providers have expressed fear, anger, and sadness that they or their patients may end up in jail for providing or obtaining evidence-based and medically appropriate care. Trust is critical in the patient-doctor relationship and medical mistrust can damage and chill patients’ relationship with their providers, imperiling patient health, “added Fontes Rainer. “Today’s proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care.”

OCR will be accepting comment on the proposed rule for 60 days from the date of publication in the Federal Register.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist