HHS Will Seek HIPAA Changes for Reproductive Health DataWhat Kinds of New Privacy Protections Under HIPAA Stand a Chance?
The Biden administration is actively reviewing a proposed rule strengthening federal privacy rules for reproductive health data as activists vow to expand restrictions on abortion beyond the dozen states where it has been illegal since last summer.
See Also: Why Metadata Isn't Enough
The text is not yet public. The Department of Health and Human Service's Office of Civil Rights, which wrote it, did not immediately respond to Information Security Media Group's request for comment.
President Joe Biden in July signed an executive order aimed at protecting individuals' access to reproductive healthcare service just weeks after the Supreme Court struck down a constitutional right to abortion embodied by the five-decade-old precedent, Roe v. Wade (see: Biden Order Seeks to Protect Reproductive Data Privacy).
Abortion is now illegal in 12 U.S. states and restricted with varying degrees of strictness in more than another dozen states. Some patients - and clinics - have responded by changing their location, which has provoked concerns that medical practices might be forced to share reproductive health patient information with law enforcement.
Those worries could become even more magnified pending the outcome of a lawsuit in Texas federal court seeking a ruling with nationwide effect that would revoke Food and Drug Administration approval of mifepristone, a prescription drug used to medically induce abortions. A group of Democratic senators earlier this month introduced a bill that would prohibit medical providers from disclosing health information related to abortion or pregnancy loss without explicit patient consent.
It's possible that the regulations under review at OIRA could be part of a larger package of changes to the HIPAA Privacy Rule expected for later this year, says privacy attorney David Holtzman of the consulting firm HITprivacy.
"It is important to remember: The HIPAA statute limits the frequency with which HHS can issue modifications to the Privacy Rule," he says. The proposed changes to provide additional protections to reproductive healthcare protected health information "would catch up to the rule-making already wending its way toward final adoption," he says, referring to a set of changes first proposed during the Trump administration that would strengthen individuals' rights to access their own health information.
The Biden administration last year issued guidance about the application of the HIPAA Privacy Rule to information about reproductive health, soon after the Supreme Court's overturning of Roe.
The existing guidance clarifies when clinics can legally withhold patient information about abortion from law enforcement officials and other third parties (see: HHS Tackles Data Privacy Concerns Linked to Abortion Ruling).
But guidance is not necessarily lasting, since a different administration could chose to modify or revoke it.
"There clearly is a lot of interest in the Biden administration on providing more protections in connection with reproductive health. They have been exploring all of the relevant avenues - and there do seem to be a lot of them," says privacy attorney Kirk Nahra of the law firm WilmerHale.
It is feasible path for the Biden administration to make certain changes to the provisions of the HIPAA Privacy Rule, Nahra says. "Most of the substance of that rule was created initially by regulation without any statutory provisions, so it can be changed by regulation. The main exception to what can be changed by regulation is to the scope of who is covered by the rule."
HHS can make changes that are specific to particular kinds of health information. "That hasn’t been the regulatory choice to date, but there is no reason that can’t change," Nahra says.
Nonetheless, he says it is very challenging to consider all of the implications of certain HIPAA privacy rule changes in the healthcare system.
"By making changes to the general consent approach for a particular set of data, that creates a meaningful risk of a waterfall of other implications," he says. "It may be worth it in this context, but I do hope that the administration is giving full consideration to all of those downstream implications."
Some privacy experts are unconvinced that certain modifications to the HIPAA privacy rule would substantively change how the regulations work currently.
"A HIPAA authorization - individual consent - is already required before HIPAA-covered entities or business associates disclose any protected health information, including about reproductive health, in any circumstances not specifically permitted by the HIPAA Privacy Rule," says privacy attorney Iliana Peters of the law firm Polsinelli.
Additionally, under HIPAA's law enforcement exception, even when a covered entity receives a “subpoena, discovery request, or other lawful process" that is not accompanied by a court order, the covered entity must obtain assurances that the party seeking the patient's health information has given notice to the individual about the records request, says regulatory attorney Rachel Rose.