HIPAA Privacy Rule Notice of Proposed Rulemaking to Support Reproductive Health Care Privacy Fact Sheet

On April 12, 2023, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to strengthen reproductive health care privacy. OCR administers and enforces the Privacy Rule, which establishes requirements with respect to the use, disclosure, and protection of protected health information (PHI) by HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and, where applicable, by their business associates.

The proposed rulemaking is one of many actions taken by HHS in support of President Biden’s two Executive Orders (EOs), issued in the weeks after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, to protect access to reproductive care, including abortion. Under EO 14076, President Biden directed HHS to consider taking additional actions, including under HIPAA, to better protect sensitive information related to reproductive health care and bolster patient-provider confidentiality.

This NPRM proposes to strengthen privacy protections by prohibiting the use or disclosure of PHI by a regulated entity for either of the following purposes:

• A criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
• The identification of any person for the purpose of initiating such investigations or proceedings.

Under the proposal, the prohibition would apply where the relevant criminal, civil, or administrative investigation or proceeding is in connection with one of the following:

• Reproductive health care that is sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized.
  • For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
• Reproductive health care that is protected, required, or expressly authorized by federal law, regardless of the state in which such health care is provided.
  • For example, if the reproductive health care, such as miscarriage management, is required under the Emergency Medical Treatment and Labor Act (EMTALA) to stabilize the health of the pregnant individual.
• Reproductive health care that is provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such health care is provided.
  • For example, if a resident of a state receives reproductive health care, such as a pregnancy test or treatment for an ectopic pregnancy, in the state where they reside, and that reproductive health care is lawful in that state.

The proposed rule would continue to allow a regulated entity to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for PHI is not made primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. For example:

• A covered health care provider could continue to use or disclose PHI to defend themselves in an investigation or proceeding related to professional misconduct or negligence where the alleged professional misconduct or negligence involved reproductive health care.
• A regulated entity could continue to use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care.
• A regulated entity could continue to use or disclose PHI to an Inspector General where the PHI is sought to conduct an audit for health oversight purposes.

To implement the proposed prohibition, the NPRM would require a regulated entity, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement would apply when the request is for PHI in any of the following circumstances:

• Health oversight activities.
• Judicial and administrative proceedings.
• Law enforcement purposes.
• Disclosures to coroners and medical examiners.

The proposed requirement to obtain a signed attestation would give regulated entities a way of confirming in writing that requests for PHI are not for a prohibited purpose.

While the Department is undertaking this rulemaking, the current Privacy Rule remains in effect. As explained in OCR guidance, the existing Privacy Rule permits, but does not require, certain disclosures to law enforcement and others, subject to specific conditions.

HHS encourages all stakeholders, including patients and their families, health plans, health care providers, health care professional associations, consumer advocates, and government entities, to submit comments through regulations.gov.

Public comments on the NPRM are due 60 days after publication of the NPRM in the Federal Register. The Department will also be conducting a Tribal consultation meeting on May 17, 2023, from 2:00 p.m. to 3:30 p.m. Eastern Daylight Time. To participate, you must register in advance at https://www.zoomgov.com/meeting/register/vJItf-2hqD8jHfdtmYaUoWidy9odBZMYQ4Q.

The NPRM may be viewed or downloaded at: https://www.federalregister.gov/public-inspection/2023-07517/health-insurance-portability-and-accountability-act-privacy-rule-to-support-reproductive-health-care.