HHS Proposes Changes Impacting the HIPAA Privacy Rule

On April 17, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published its proposed rules to modify the Health Insurance Portability and Accountability Act (HIPAA). The proposed changes impact HIPAA’s Privacy Rule and are intended to further safeguard the disclosure of protected health information (PHI) as it pertains to the privacy of reproductive health care information.

Prohibited Disclosures

The Proposed Rule would increase privacy protections by prohibiting the use or disclosure of PHI by a regulated entity for either of the following purposes:

  • A criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided (“Investigation”).
  • The identification of any person for the purpose of initiating such investigations or proceedings.

The Proposed Rule would apply when the investigation is in connection with:[1]

  • Reproductive health care that is sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized.
    • For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
  • Reproductive health care that is protected, required, or expressly authorized by federal law, regardless of the state in which such health care is provided.
    • For example, if the reproductive health care, such as miscarriage management, is required under the Emergency Medical Treatment and Labor Act (EMTALA) to stabilize the health of the pregnant individual.
  • Reproductive health care that is provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such health care is provided.
    • For example, if a resident of a state receives reproductive health care, such as a pregnancy test or treatment for an ectopic pregnancy, in the state where they reside, and that reproductive health care is lawful in that state.

Attestation Requirements

To implement the proposed prohibition, the Proposed Rule would require a regulated entity, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement would apply to requests in the following circumstances:

  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Disclosures to coroners and medical examiners

Notice of Privacy Practices (NPP)

The Proposed Rule also seeks to add two requirements to the uses and disclosures that entities must include in the notices of privacy practices. Namely, the NPP must include:

  • a description, including at least one example, of the types of uses and disclosures prohibited by the Proposed Rule in sufficient detail for an individual to understand the prohibition, and
  • a description, including at least one example, of the types of uses and disclosures for which an attestation is required.

Law Enforcement Requests

The Proposed Rule will also clarify current language regarding disclosures for administrative processes. Under current rules, a regulated entity may disclose PHI pursuant to an administrative request, provided that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) de-identified information could not reasonably be used. Examples of administrative requests include administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law. OCR seeks through the Proposed Rule to clarify that the administrative processes that give rise to a permitted disclosure include only those that, by law, require a regulated entity to respond.[2]

Public Comment and Compliance

OCR is seeking public comment on these proposed changes until June 16, 2023, before publishing the final rule. The final rule will become effective 60 days after publication, and OCR has proposed a “compliance date” of 180 days after the effective date for covered parties to establish and implement policies and practices to achieve compliance with new standards.

How Frier Levitt Can Help

Regulated entities should consider providing comments to this Proposed Rule and must remain apprised of the status of any changes that must be incorporated into their business practices after the final rule becomes effective. Providers and other stakeholders interested in providing comment(s) to help shape the final regulations must act quickly. Contact Frier Levitt for assistance in preparing and submitting comments on the proposed HIPAA rules or to discuss how proposed changes may impact your organization’s compliance procedures.

[1] https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-reproductive-health-fact-sheet/index.html

[2] https://www.federalregister.gov/d/2023-07517/p-608