By: Kelli C. Fleming
On April 12, 2023, the Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced proposed changes to HIPAA’s Privacy Rule with regard to reproductive health information. The proposed changes are set out in a Notice of Proposed Rulemaking (“NPRM”) and are part of HHS’s broader goal to strengthen the privacy protections concerning individuals’ reproductive information. Comments on the NPRM must be filed by June 16, 2023.
In the NPRM, HHS proposes to limit the use and disclosure of protected health information (“PHI”) in certain circumstances. Particularly, the NPRM proposes to limit the use and disclosure of PHI in (i) a criminal, civil, or administrative investigation into or (ii) proceeding against an individual seeking or obtaining reproductive health care or a HIPAA-regulated covered entity providing or facilitating reproductive health care, where such care is lawful under the circumstances in which it is provided. The NPRM further proposes to limit the use and disclosure of PHI to identify any person for the purpose of initiating such an investigation or proceeding. However, the NPRM does not impact a covered entity’s ability to use or disclose such information for purposes otherwise permitted by the Privacy Rule where the use or disclosure is not made primarily for the purpose of investigating or imposing liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care.
Reproductive health care involves care, services, or supplies related to the reproductive health of the individual, including but not limited to prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment of reproductive-related conditions. “Seeking, obtaining, providing or facilitating” includes “expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care.”
In scenarios where the request for PHI relates to reproductive health care, the NPRM proposes changes that would require covered entities to obtain an attestation from the person requesting the PHI that the use or disclosure is not for a prohibited purpose. The attestation would need to include confirmation regarding the types of PHI requested and the identity of the person whose information is being requested, if practicable. The attestation is designed, in part, to help covered entities assess whether the request is prohibited.
The NPRM also proposes changes to the information covered entities would need to include in their Notice of Privacy Practices (“NPP”). The proposed changes would require the NPPs to include information regarding the prohibition on the use and disclosure of reproductive health information. These proposed changes are based on HHS’s concern that NPPs, as currently written, focus on the permitted uses and disclosures of PHI and do not provide adequate assurances to individuals that their reproductive health information is protected.
After the Supreme Court overturned Roe v. Wade, President Biden signed an executive order directing HHS to consider ways to strengthen the protection of information related to reproductive health care services. This NPRM is consistent with that directive. The NPRM aims to increase privacy protections related to reproductive health information in order to prevent negative outcomes such as the deterioration of the physician-patient relationship.
While HHS has stated that the proposed modifications are intended to provide additional protection of reproductive health information, the proposed changes do present some concerns and tensions among stakeholders. Accordingly, all stakeholders, including patients, families of patients, health plans, health care providers, health care professional associations, and consumer advocates are encouraged to participate in the public comment and feedback process. Stakeholders must submit their comments by June 16, 2023. Until a Final Rule is published and takes effect, the current HIPAA Privacy Rule remains in effect.