The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule (and an accompanying Fact Sheet) designed to strengthen the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protections for legal reproductive healthcare, including abortion care.
The proposed changes would block health plans and providers from disclosing protected health information (PHI) regarding a patient’s reproductive care, as well as prohibit them from disclosing information that could be used to identify, investigate, prosecute or sue someone involved in seeking reproductive health services in states where the services are legal. PHI could still be disclosed for patients receiving such services, including abortion care, in states where the services are illegal.
As explained in OCR guidance, the existing HIPAA Privacy Rule, which remains in effect, permits but does not require certain disclosures to law enforcement and others, under certain conditions.
Comments on the proposed rule are due by June 16, 2023.
The proposal would prohibit HIPAA covered entities (including health plans, healthcare clearing houses and most healthcare providers) from using or disclosing PHI for either of the following:
Reproductive healthcare would be defined to include contraception, including emergency contraception; pregnancy-related healthcare; fertility or infertility-related healthcare; and other types of care, services or supplies used to diagnose and treat conditions related to the reproductive system. This would include, for example, prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and diagnosis and treatment for reproductive-related conditions such as ovarian cancer.
Under the proposed rule, law enforcement and other regulated entities would not be allowed to use or disclose PHI to investigate any of the following circumstances (note, all three prongs require the reproductive healthcare to be provided lawfully):
The proposal would require a health plan or provider to get a signed statement from anyone requesting PHI attesting that the request is not for a prohibited purpose. The signed attestation would be required for PHI in any of the following circumstances:
OCR is considering developing a model attestation for group health plans and providers to use when developing their own templates. The proposal explicitly states that the attestation could be an electronic document and electronically signed. The attestation would need to be provided on a stand-alone basis, separate from any other documents.
Note, the proposed rule would continue to allow HIPAA covered entities to use or disclose PHI for purposes otherwise permitted under the Privacy Rule, including: 1) to defend themselves in an investigation or proceeding related to professional misconduct or negligence involving reproductive healthcare; 2) to defend any person in a criminal, civil or administrative proceeding where liability could be imposed on that person for providing reproductive healthcare; and 3) to provide to an Inspector General as part of an audit for health oversight purposes.
Under the proposed rule:
Title | File Type | File Size |
---|---|---|
Insider April 2023 | .2 MB |