Governance & Risk Management , Healthcare , HIPAA/HITECH
HHS Wants HIPAA Changes to Protect Reproductive Health InfoProposed Rule Would Prohibit Certain PHI Disclosures, Uses for Law Enforcement
U.S. regulators proposed changes Wednesday aimed at bolstering protections for reproductive health care by prohibiting organizations from disclosing to law enforcement patient information related to obtaining or providing an abortion.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The Department of Health and Human Services' Office for Civil Rights said walling off reproductive healthcare information from criminal, civil or administrative investigations is necessary for public health. Unless patients and providers alike are confident that procedures such as abortions are private, individuals and doctors could omit information from records, the department said in its notice of proposed rule-making.
The rule is part of a Biden administration effort to use executive branch powers to buttress access to reproductive health following the Supreme Court's June 2022 decision that struck down a constitutional right to abortion embodied by the five-decade-old precedent of Roe v. Wade.
Abortion is now illegal in 12 U.S. states and restricted with varying degrees of strictness in more than one dozen other states. Some clinics and patients have migrated to states where abortion is legal, provoking concerns that law enforcement in states where it is outlawed would attempt to obtain medical records from providers.
Clinicians "have expressed fear, anger, and sadness that they or their patients may end up in jail for providing or obtaining evidence-based and medically appropriate care," said Melanie Fontes Rainer, director of the HHS Office of Civil Rights, in a statement.
"Today's proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care," she said.
The department will seek public comment on the proposed rule for 60 days after its official publication on Monday (see: HHS Will Seek HIPAA Changes for Reproductive Health Data).
'Trust Is Critical'
HHS wrote that the primary reasons for issuing the proposed rule-making "are the risks to privacy, patient trust, and healthcare quality" that occur when an individual's act of obtaining healthcare subjects the patient to an investigation or proceeding.
The criminalization of certain types of reproductive health and pregnancy-related care in some states "raises unique privacy issues - and HIPAA, as a federal privacy law that preempts less protective state laws, needs to be strengthened to assure that the delivery of care that is lawful in the setting where it is delivered can continue," privacy attorney Deven McGraw, who leads data stewardship and data sharing at genetic testing firm Invitae, told Information Security Media Group.
McGraw, a former HHS OCR official, said she "applauds" the department for issuing the proposed rule and using its authorities under HIPAA "to address the threats to privacy and confidentiality - as well as threats to the delivery of legal reproductive health services that have emerged in the aftermath of the Supreme Court's decision."
Privacy attorney Kirk Nahra of the law firm WilmerHale characterized the proposal as highly targeted rather than as a sweeping regulatory change that might have been more challenging for the sector to implement.
"HHS intentionally chose a narrow approach - addressing these kinds of law enforcement disclosures - rather than going more broadly into overall consent for regular treatment, payment, and operations activities" under HIPAA, he said.
"Some broader possibilities that existed might have had more adverse consequences - for example, if HHS had changed the overall approach to consent in the HIPAA ecosystem."
The Biden administration, especially HHS, has been looking at way to improve protections for reproductive rights information overall, Nahra said. "HIPAA is an important element of that, but the administration has always known that HIPAA wasn't all of that issue. Even within HIPAA, this notice of proposed rule-making involves a relatively limited - but still very important - issue," he said.
In addition to today's proposal, OCR last June issued two HIPAA guidance documents pertaining to reproductive healthcare information. They included guidance stating that disclosures of personal health information without an individual's authorization for purposes not related to healthcare, such as disclosures to law enforcement officials, are narrowly tailored to protect the individual's privacy and support their access to health services.
The other guidance document provides patients with tips to increase the privacy of medical, location and other sensitive information when using personal mobile devices, such as smartphones and tablets.