Regulatory Initiatives

HIPAA Privacy Rule and Reproductive Health Care

On April 12, 2023, OCR issued a Notice of Proposed Rulemaking (NPRM) to strengthen the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protections by prohibiting the use or disclosure of protected health information (PHI) to identify, investigate, prosecute, or sue patients, providers and others involved in the provision of legal reproductive health care, including abortion. HHS has heard from patients, providers, and organizations representing thousands of individuals that this change was needed to protect patient-provider confidentiality and prevent private medical records from being used against them merely for seeking, obtaining, providing, or facilitating lawful reproductive health care. Today’s announcement coincides with the convening of President Biden’s Task Force on Reproductive Health Care, aimed at protecting reproductive rights, including access to abortion care, following the Supreme Court’s decision overturning Roe v. Wade.

Protecting patient health information and privacy has taken on critical importance, and in the wake of unprecedented attacks against women’s reproductive rights. Following the Supreme Court decision, President Biden signed Executive Order 14076, directing HHS to consider ways to strengthen the protection of sensitive information related to reproductive health care services and bolster patient-provider confidentiality. This proposed rule is a result of that directive:

• Read the Press Release
• Read the Fact Sheet
• Lea la hoja informativa en español
• Read the NPRM

HIPAA and Part 2

On November 28, 2022, the U.S. Department of Health & Human Services, through the Office for Civil Rights (OCR) in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), issued a Notice of Proposed Rulemaking to revise the Confidentiality of Substance Use Disorder Patient Records regulations. The regulations at 42 CFR part 2 (“Part 2”) protect the confidentiality of substance use disorder (SUD) treatment records. Part 2 protects “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.

Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (enacted March 27, 2020) requires the Secretary to align certain aspects of Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Section 3221 of the CARES Act also requires the Secretary to update the HIPAA Privacy Rule Notice of Privacy Practices requirements to address Part 2 protections and individual rights.

• Read the Press Release
• Read the Fact Sheet
• Read the NPRM

HITECH RFI

On April 6, OCR published a Request for Information (RFI) seeking input from the public on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021. These two requirements are:

• Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit.
• Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense.

For more information on the HITECH RFI and how to submit a public comment, visit here

Privacy Rule NPRM

On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support individuals' engagement in their health care, remove barriers to coordinated care, and decrease regulatory burdens on the health care industry, while continuing to protect individuals' health information privacy interests.

For more information on the Privacy Rule NPRM, visit here