On April 12, 2023, the Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (“Notice” or “NPRM”) to solicit comments on proposed modifications to the HIPAA Privacy Rule related to reproductive health.
In this Notice, HHS OCR requests comments regarding various requirements related to a proposed prohibition on the use or disclosure of protected health information (“PHI”) by a regulated entity: (1) in certain investigations and proceedings against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; and (2) for the identification of any person for the purpose of initiating such investigations or proceedings.
What prompted this NPRM?
While HIPAA and health information privacy and security have historically been a bipartisan effort, the changes proposed in this NPRM arise from HHS’ response to President Biden’s Executive Order 14076. Executive Order 14076 was issued after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade, and directed HHS to consider taking action to further protect sensitive reproductive health care information and patient-provider confidentiality.
Under what circumstances would these prohibitions apply?
The proposed prohibitions would apply only where the disclosure is “primarily for the purpose” of investigating or imposing liability with respect to reproductive health care. Otherwise, regulated entities would still be permitted to use and disclose PHI as permitted by HIPAA.
In addition, the proposed modifications apply only in connection with investigations or proceedings where:
- The reproductive health care is provided in a state where such health care is lawful, but the investigation or proceeding arises in a different state.
- The reproductive health care provided is protected by Federal law, regardless of the state in which such health care is provided.
- The reproductive health care is provided in a state where such health care is lawful, and the investigation or proceedings arise in the same state.
What should HIPAA regulated entities do now?
Immediately, regulated entities should review the proposed requirements to determine whether they wish to submit comments on the proposal to HHS. The requirements, if finalized, would require regulated entities to obtain attestations from those requesting reproductive health care information.
Specifically, before using or disclosing PHI related to reproductive health care purposes for health oversight activities, for judicial and administrative proceedings, for law enforcement purposes, or to coroners and medical examiners, regulated entities will be required to obtain signed attestations from the requestors of such PHI. These attestations must verify that the use or disclosure is not for a prohibited purpose. Further, where a regulated entity discovers information reasonably showing that the attestation was materially false, the regulated entity is obligated to cease the use or disclosure.
Regulated entities would also need to update their Notices of Privacy Practices to include information on the prohibited uses and disclosures.
What should HIPAA covered entities review particularly in this NPRM?
These proposed changes would add burdens on regulated entities, particularly with regard to the required attestation procedures, the determination as to whether a use or disclosure is primarily for a prohibited purpose, and revisions and redistribution of their Notices of Privacy Practices.
Comments to the NPRM are due sixty days from publication in the Federal Register.