On April 12, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a notice of proposed rulemaking entitled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy.” The rule proposes revisions to the Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-91) regulations to expressly protect the privacy of information regarding lawful reproductive health care.
Specifically, the OCR proposed to prohibit the use or disclosure of protected health information (PHI) by covered entities for either a criminal, civil, or administrative investigation into or proceeding against any person in connection with “seeking, obtaining, providing, or facilitating” lawful reproductive health care or the identification of any person for the purpose of initiating such investigations or proceedings.
The proposed rule describes three cases where the proposed prohibition would apply to reproductive health care. The first is where care is sought, obtained, provided, or facilitated in a state where the care is lawful and outside of the state where the investigation or proceeding is initiated, regardless of whether the individual is a resident of the state where the investigation or proceeding is authorized. The second is where the reproductive health care is “protected, required, or authorized by federal law, regardless of the state in which such health care is provided.” For example, this would include care provided as required under the Emergency Medical Treatment and Labor Act (commonly referred to as EMTALA) to stabilize the health of a pregnant individual. Finally, the OCR described a scenario where reproductive care is provided in a state where the investigation or proceeding is authorized and the care is permitted by the law of that state. As an example, this could apply where a patient receives a pregnancy test from their provider.
Under the proposed rule, covered entities could use or disclose PHI for permitted purposes under the Privacy Rule so long as the request for PHI is not primarily for the purposes of investigating or imposing liability on any person for seeking, obtaining, providing, or facilitating reproductive health care.
The OCR also proposed to require regulated entities to obtain a signed attestation that the use or disclosure of PHI is not for a prohibited purpose where the request for PHI is potentially related to reproductive health care.
In announcing the proposed rule, OCR Director Melanie Fontes Rainer said, “Trust is critical in the patient-doctor relationship and medical mistrust can damage and chill patients’ relationship with their providers, imperiling patient health. Today’s proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care.”
Comments are due 60 days from formal publication of the proposed rule in the Federal Register, which is scheduled for April 17. The AAMC intends to comment.