HHS Office for Civil Rights Announces Proposed Rule Increasing HIPAA Privacy Rule Protections for Reproductive Care
On April 12, 2023, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM), aimed at strengthening the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule protections in the wake of the Supreme Court's 2022 overturn of Roe v. Wade. In states where abortion is or may become illegal post-Roe, law enforcement agencies and prosecutors have indicated that they may seek disclosures of protected health information (PHI) from health care providers in order to investigate and prosecute patients seeking, and providers performing, abortion care services. This new NPRM aims to prohibit certain disclosures to law enforcement, which are currently permitted, but not required, under the HIPAA Privacy Rule.
Currently, entities regulated by HIPAA have permission (but are not required) to use or disclose a patient's PHI without a patient-signed authorization under a variety of law enforcement-related purposes. For example, the Privacy Rule permits disclosures without authorization "as required by law", which may be implicated in a state that outlaws abortion and requires providers to report a patient who they suspect has received or attempted to induce an abortion. Providers also may, currently, use or disclose PHI in order to comply with an official law enforcement request, such as a subpoena or warrant, when the request meets the requirements found in the Privacy Rule. While neither of the scenarios discussed above require mandatory disclosures from health care providers, reproductive healthcare advocates have flagged the ability to disclose under the Privacy Rule in such situations as a potential tool to facilitate in the investigation and prosecution of patients and providers alike. Further, it is important to note that although HIPAA does not require disclosure in these instances, providers may face consequences if they fail to make disclosures and therefore may be practically compelled to do so. Patient advocates have expressed concerns that these types of disclosure may have a negative impact on patient relationships with providers and have a chilling effect on patients seeking reproductive care.
The new NPRM seeks to limit the above permissive uses and disclosures of PHI by amending the Privacy Rule to explicitly prohibit uses and disclosure of PHI for the purposes of (1) a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or (2) the identification of any person for the purpose of initiating such investigations or proceedings. These prohibitions would apply in a variety of circumstances, such as where a legal investigation relates to the lawful receipt of abortion care services in a state where abortion is legal, reproductive health care that is required by law, or when a patient receives other, non-abortion reproductive health care services in a state where such treatment is permitted by law. Providers subject to HIPAA would still have the ability to make disclosures of PHI for other law enforcement purposes under the Privacy Rule, but not if the disclosures may relate to investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. The NPRM would require providers receiving a legal request for disclosures of reproductive health information to obtain a signed attestation from the issuer that the request is not being made for those purposes prior to making any disclosure.
Interested stakeholders can provide public comment on the NPRM for 60 days following its publication in the Federal Register. If you have questions about the new NPRM or other data privacy and security questions related to the healthcare industry, contract your Quarles attorney or: