How to Prepare Now for Proposed Changes to HIPAA to Protect Confidentiality Around Reproductive Health Care*
On April 12, 2023, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking regarding proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. As proposed, the modified Privacy Rule would prohibit the use and disclosure of protected health information (PHI) related to lawful reproductive health care in any criminal, civil, or administrative investigation against patients, providers, or others involved in the provision of reproductive health care.
Specifically, OCR seeks to protect this sensitive PHI by prohibiting its use and disclosure when an investigation involves reproductive health care that was:
(1) Provided outside of the state where the investigation or proceeding is pending, and where such health care was lawfully provided;
(2) Protected, required, or authorized by federal law, regardless of the state in which such health care was provided; or
(3) Provided in the state in which the investigation or proceeding is pending, and the health care was permitted by the laws of that state.
Through the Proposed Rule, OCR presents “reproductive health care” as a new subcategory of “health care,” to be defined broadly as “care, services, or supplies related to the reproductive health of the individual.” OCR recognizes the interests of the federal government and states in protecting the privacy of individuals who seek, obtain, provide, or facilitate lawful reproductive care. OCR asserts that in these circumstances, states lack a substantial interest in obtaining this information, and any state laws that might conflict with the proposed rules are preempted by the Privacy Rule.
To implement this prohibition, OCR places the burden on Covered Entities to obtain a signed attestation from the individual requesting the PHI that the information requested will not be used for an investigation relating to the provision of reproductive health care.
Specific requirements related to the attestation requirement include:
- An attestation cannot be combined with another document; it must be clearly labeled and separate from the surrounding text.
- An attestation can be attached to another document, but must be clearly labeled as such.
- Even with an attestation, the minimum necessary standard would apply to any use or disclosure.
- Providers may rely on any attestation provided unless such reliance is not objectively reasonable.
While HHS has not yet issued a final rule regarding the use and disclosure of reproductive health PHI, providers should begin determining what impact the proposed rules would have on their operations, particularly around release of information. The operational impact appears to be substantial, because providers would have to determine (1) when a record includes PHI related to reproductive health; (2) whether the request relates to an investigation; and (3) whether an attestation is required or valid. Providers should familiarize themselves with the proposed changes and bring together appropriate legal, compliance, and medical records stakeholders in order to prepare for necessary policy, training, and workflow changes.
OCR has published a Fact Sheet with additional information on the Proposed Rule.
*Young Moore attorney David Senter would like to thank summer clerk Sofia Gomez–Ayala, a 2L at Campbell University School of Law, for her assistance in researching and preparing this post.
For additional information on this or other topics, or for questions about your entity’s own compliance with HIPAA generally, please contact Young Moore healthcare attorney, David Senter.