Proposed HIPAA rule would strengthen privacy for reproductive care

The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule (and an accompanying Fact Sheet) designed to strengthen the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protections for legal reproductive healthcare, including abortion care.

The proposed changes would block health plans and providers from disclosing protected health information (PHI) regarding a patient’s reproductive care, as well as prohibit them from disclosing information that could be used to identify, investigate, prosecute or sue someone involved in seeking reproductive health services in states where the services are legal. PHI could still be disclosed for patients receiving such services, including abortion care, in states where the services are illegal.

As explained in OCR guidance, the existing HIPAA Privacy Rule, which remains in effect, permits but does not require certain disclosures to law enforcement and others, under certain conditions.

Comments on the proposed rule are due by June 16, 2023.

Proposed rule on reproductive privacy

The proposal would prohibit HIPAA covered entities (including health plans, healthcare clearing houses and most healthcare providers) from using or disclosing PHI for either of the following:

• An investigation into or proceeding against any person in connection with seeking, obtaining, providing or facilitating reproductive healthcare where it is illegal
• The identification of any person to initiate such an investigation or proceeding

Reproductive healthcare would be defined to include contraception, including emergency contraception; pregnancy-related healthcare; fertility or infertility-related healthcare; and other types of care, services or supplies used to diagnose and treat conditions related to the reproductive system. This would include, for example, prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and diagnosis and treatment for reproductive-related conditions such as ovarian cancer.

Proposed prohibited uses for PHI

Under the proposed rule, law enforcement and other regulated entities would not be allowed to use or disclose PHI to investigate any of the following circumstances (note, all three prongs require the reproductive healthcare to be provided lawfully):

1. Reproductive healthcare that is sought, obtained, provided or facilitated in a state where the healthcare is lawful and outside of the state where the investigation or proceeding is authorized
2. Reproductive healthcare that is protected, required or expressly authorized by federal law (e.g., the Emergency Medical Treatment and Labor Act), regardless of the state in which such healthcare is provided
3. Reproductive healthcare that is provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such healthcare is provided

Signed attestation

The proposal would require a health plan or provider to get a signed statement from anyone requesting PHI attesting that the request is not for a prohibited purpose. The signed attestation would be required for PHI in any of the following circumstances:

• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes
• Disclosures to coroners and medical examiners

OCR is considering developing a model attestation for group health plans and providers to use when developing their own templates. The proposal explicitly states that the attestation could be an electronic document and electronically signed. The attestation would need to be provided on a stand-alone basis, separate from any other documents.

Note, the proposed rule would continue to allow HIPAA covered entities to use or disclose PHI for purposes otherwise permitted under the Privacy Rule, including: 1) to defend themselves in an investigation or proceeding related to professional misconduct or negligence involving reproductive healthcare; 2) to defend any person in a criminal, civil or administrative proceeding where liability could be imposed on that person for providing reproductive healthcare; and 3) to provide to an Inspector General as part of an audit for health oversight purposes.

Going forward

Under the proposed rule:

• Group health plans and providers in states where abortion is legal would be prohibited from sharing a patient’s relevant PHI with out-of-state law enforcement, regardless of where the patient lives.
• Group health plans would be required to add elements to their notices of privacy practices addressing the new requirements.
• Group health plan sponsors would need to adopt an attestation process, including a procedure to identify when an attestation would be required, steps to get the attestation signed and collected, and procedures for maintaining related records.