Cybersecurity

HHS Beefs Up Privacy Protection for Reproductive Health Info

Healthcare , HIPAA/HITECH , Industry Specific

Finalizes HIPAA Privacy Rule Changes Involving PHI Related to Reproductive Care

HHS Beefs Up Privacy Protection for Reproductive Health Info
Image: HHS

Doctors, clinics and other providers are prohibited from disclosing protected health information related to lawful reproductive healthcare, according to a final rule released Monday by federal regulators to “strengthen” HIPAA privacy. The rule is designed to protect women who cross state lines seeking an abortion and their providers.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

The regulations aim “to bolster patient-provider confidentiality and help promote trust and open communication between individuals and their healthcare providers or health plans, which is essential for high-quality healthcare,” the Department of Health and Human Services said in a statement Monday.

The Supreme Court decision in Dobbs v. Jackson Women’s Health Organization in 2022 that overturned the nationwide right to abortion “altered the legal and healthcare landscape, increasing the likelihood that an individual’s PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect, including the trust of individuals in healthcare providers and the healthcare system,” HHS said. Fourteen states have put strict abortion bans in place since the Dobbs ruling, prompting fears that women and healthcare providers could be held liable for abortions performed in other states.

“Many Americans are scared their private medical information will be shared, misused and disclosed without permission. This has a chilling effect on women visiting a doctor, picking up a prescription from a pharmacy, or taking other necessary actions to support their health,” said HHS Secretary Xavier Becerra in the statement.

The final rule provides “stronger protections to people seeking lawful reproductive healthcare regardless of whether the care is in their home state or if they must cross state lines to get it,” he said.

The new 291-page regulations, which become effective 60 days upon its publication this week in the Federal Register, provide several key provisions, including:

  • Prohibiting the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, healthcare providers, or others who seek, obtain, provide or facilitate reproductive healthcare that is lawful under the circumstances in which such healthcare is provided;
  • Requiring a regulated healthcare provider, health plan, clearinghouse or their business associates to obtain a signed attestation that certain requests for PHI potentially related to reproductive healthcare are not for purposes prohibited under the rule;
  • Requiring regulated covered entities, including healthcare providers, health plans and clearinghouses to modify their notice of privacy practices to support reproductive healthcare privacy.

HHS said the final rule takes into account the more than 30,000 public comments received on its proposed rule, which was issued a year ago (see: HHS Wants HIPAA Changes to Protect Reproductive Health Info).

Some legal experts said their first impression of the final rule is that HHS appears to have exercised some restraint in making changes.

“They targeted a narrower range of issues than they possibly could have but that they focused on specific issues and did a really good job of addressing those particular issues,” said privacy attorney Kirk Nahra of the law firm WilmerHale.

“They also chose not to address some broader issues that I think would have had broader negative implications on the broader healthcare ecosystem, so I think it made sense that they did not get into those topics.”

For example, HHS did not in either its proposed rule of final rule address a major change to the consent rules for reproductive rights information, Nahra said. “That would have disrupted too much of the broader healthcare ecosystem that the HIPAA rules are designed to facilitate.”

Nonetheless, he said, some of the provisions of the final rule will likely require HIPAA-regulated entities to do some heavy lifting.

The rule’s provision requiring healthcare providers, health plans and clearinghouses to modify their privacy practice notices to reflect the changes is an example, Nahra said.

“Revising every privacy notice is much more difficult than OCR seems to recognize. It’s a major obligation, not simply a bureaucratic obligation.”

Some reproductive health advocacy groups were quick to support the final rule.

“Too many people continue to fear being reported to law enforcement for their reproductive healthcare decisions and pregnancy outcomes. This final rule decreases the chances of healthcare providers reporting patients to law enforcement, protects people who are forced to travel to receive care, and promotes deeper trust between patients and providers,” said Jocelyn Frye, president of the National Partnership for Women & Families, in a statement.

“Providers should never be forced to police and report on the patients who entrust them with their care,” she said.