A group of 24 state attorneys general has written a letter to the Department of Health and Human Services (HHS). In the letter, they express their support for the proposed revision to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. This change aims to reinforce the privacy of reproductive health data.
The Supreme Court’s verdict in Dobbs v. Jackson Women’s Health Organization in June 2022 overturned Roe v. Wade, effectively eliminating the federal right to abortion. As a result, many states have enacted their own laws that either ban or drastically limit abortions within their jurisdictions. These laws could potentially impose criminal or civil penalties on individuals seeking, providing, or assisting with abortions. Currently, nearly total abortion bans are in place in 15 states, with several others introducing restrictive measures or contemplating bans. Idaho recently implemented an abortion trafficking law aimed at curtailing its residents’ ability to travel out-of-state for abortion services.
Following the Supreme Court ruling, the HHS’ OCR offered Privacy Rule guidance to HIPAA-regulated entities. OCR clarified that if a patient in a state that has outlawed abortions reveals their intention to seek an abortion in a legal state to their healthcare provider. The HIPAA Privacy Rule would not permit the provider to disclose this information to law enforcement to prevent the abortion.
Subsequently, OCR issued a notice of proposed rulemaking (NPRM) regarding an intended update to the HIPAA Privacy Rule. This update enhances reproductive health data privacy by prohibiting the sharing of a patient’s PHI. The PHI cannot be shared for specific investigations pertaining to legal abortion or other reproductive care.
Suggestions to Enhance the Privacy of Reproductive Health Data Even Further
In addition to expressing their support, the 24 state attorneys general have offered feedback on areas where the protections in the proposed rule could be further fortified. While the proposed Privacy Rule update broadly defines “reproductive health care” as a subset of health care, the attorneys general suggest crafting a separate definition for “reproductive health.” This would clarify that the update applies not only to providers of gynecological and fertility-related care but also to other entities covered by HIPAA. Incorporating examples of reproductive health care into the regulatory text of the final rule would help eliminate any potential confusion about the types of health care the proposed rule covers.
The attorneys general also urge the HHS to separately define “birth” and “death” to clarify that pregnancy termination is not a public health reporting event and thus not subject to HIPAA Privacy Rule reporting requirements. They recommend tightening the language in the proposed rule that forbids the “use or disclosure primarily for the purpose of investigating or imposing liability on any person for simply seeking, obtaining, providing, or facilitating reproductive health care.” The worry is that a false primary purpose could be used to illicitly obtain PHI.This potential loophole could be closed by eliminating the word ‘primary’.
Other recommendations include ensuring that both requesters and providers receive sufficient guidance on the attestation requirement of the proposed rule. This rule requires confirming that the request isn’t to get reproductive health info for legal action against someone. The attorneys general recommend that the HHS create a nationally accessible online platform. This platform should provide patients with accurate and clear information on reproductive care and privacy rights. They also suggest conducting a public awareness campaign to promote the website.
