The U.S. Department of Health and Human Services Office for Civil Rights has proposed an amendment to the HIPAA Privacy Rule. The proposed changes aim to strengthen federal privacy protections for Protected Health Information relating to reproductive health care. The amendments include a prohibition on the use and disclosure of specific information in criminal, civil, or administrative proceedings, additional attestation requirements, and modifications to the Notice of Privacy Practices. The proposed amendment also modifies standards for personal representatives and clarifies the law enforcement exception, potentially complicating compliance with the Privacy Rule.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Privacy Rule to strengthen federal privacy protections for Protected Health Information (PHI) related to reproductive health care. The proposed changes would prohibit the use and disclosure of such PHI in certain criminal, civil, or administrative proceedings, impose new attestation requirements for certain uses and disclosures of PHI, require Notice of Privacy Practices (NPP) changes, and revise the law enforcement exception.
The proposed changes are a response to the Supreme Court of the United States’ decision in Dobbs v. Jackson Women’s Health Organization, which could affect state-level prosecution and law enforcement actions related to the provision of reproductive health care. The proposed changes would have a broad impact based on the definition of “reproductive health care,” which includes contraception, pregnancy-related health care, and fertility- or infertility-related health care.
Proposed Prohibitions on the Use and Disclosure of Reproductive Health Care-Related PHI
The proposed changes would prohibit covered entities and business associates from identifying any person or using or disclosing PHI for investigations and prosecutions related to seeking, obtaining, providing, or facilitating reproductive health care that is either lawfully provided according to the state’s law or federally protected, required, or authorized. These uses and disclosures would be prohibited even with an individual’s authorization. Covered entities would be required to carefully review requests that could be viewed as investigative or related to law enforcement to confirm the medical records at issue do not relate to a Restricted Disclosure.
New Attestation Requirement as a Condition for Certain Uses and Disclosures
The NPRM would prohibit a covered entity from using or disclosing PHI potentially related to reproductive health care under the health oversight exception, the judicial/administrative proceedings exception, the law enforcement exception, or the exception for disclosure of PHI regarding deceased individuals to coroners or medical examiners unless the covered entity first obtains from the requestor an attestation that the purpose of the request is not a Restricted Disclosure. The NPRM also prescribes content requirements for a valid attestation, which are modeled after the requirements of a compliant general authorization under HIPAA.
Expanding the Required Content of a Notice of Privacy Practices
The proposed changes would require covered entities to update and add content to their NPPs. An NPP must separately describe the Restricted Disclosures and the attestation requirement. The changes would limit a covered entity’s ability to apply the terms of an updated NPP to PHI held by the covered entity before the updates.
Modifying Standards for Personal Representatives
The proposed changes would not permit a covered entity to deny personal representative status to a person when the primary basis for denying that authority is the fact that the person has facilitated or provided, or is facilitating or providing, reproductive health care for the patient.
Clarification of OCR’s Interpretation of the Law Enforcement Exception
OCR seeks to narrow the part of the law enforcement exception that permits disclosure of PHI according to an administrative request, such as a civil investigative demand or similar process authorized by law. OCR takes the position that the administrative request portion of the law enforcement exception only applies to requests for which a covered entity is required by law to respond.
Information Blocking and Interoperability Considerations
The proposed changes potentially conflict with other efforts of HHS to promote the exchange of PHI and interoperability, including the recent growth in participation in Health Information Exchanges (HIEs). HIEs typically promote automated exchanges of PHI without the opportunity to review requested information line-by-line for potential reproductive health care information. OCR’s HIPAA proposals arguably do not consider the practical challenges faced by covered entities in distinguishing between reproductive health care records and other PHI.