Proposed Rule: HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 45 CFR Parts 160 and 164, 88 Fed. Reg. 23506 (Apr. 17, 2023); HIPAA Privacy Rule Notice of Proposed Rulemaking to Support Reproductive Health Care Privacy Fact Sheet (Apr. 12, 2023)
In response to the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, which concluded that the Constitution does not prohibit states from regulating or banning abortion (see our Checkpoint article), HHS’s Office for Civil Rights (OCR) has proposed regulations to modify the HIPAA privacy rule to prohibit certain uses and disclosures of information about reproductive health care. OCR, which administers and enforces the privacy rule, sets requirements for the use and disclosure of protected health information (PHI) by covered entities and business associates (together “regulated entities”). Following the Dobbs decision, OCR issued guidance emphasizing that the existing privacy rule permits, but does not require, certain disclosures to law enforcement and others, subject to specific conditions (see our Checkpoint article).
The proposed regulations would prohibit the use or disclosure of PHI by a regulated entity for a criminal, civil, or administrative investigation into or proceeding against a person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where the health care is lawful under the circumstances in which it is provided. The proposal would also prohibit the identification of any person for the purpose of initiating such investigations or proceedings. Reproductive health care would be interpreted broadly to include prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions such as ovarian cancer. To implement the prohibition, the proposed regulations would require a regulated entity, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. While OCR is undertaking this rulemaking, the current privacy rule remains in place.
EBIA Comment: OCR has specifically requested comments on whether the proposed prohibition on the use or disclosure of PHI related to reproductive health care that is lawful under the circumstances in which it is provided would affect the disclosure of PHI between health care providers or between health care providers and health plans for treatment purposes. A plan’s use and disclosure policies must be disclosed in its Notice of Privacy Practices; this would be an opportune time for health plans to review their Notices for accuracy and completeness. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIII (“How the Privacy and Security Rules Affect Group Health Plans and Plan Sponsors”) and XXVI (“Core Privacy Requirement #1: Use and Disclosure Rules”).
Contributing Editors: EBIA Staff.