HIPAA and Reproductive Health

OCR has issued a notice of proposed rulemaking and guidance on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Privacy Rule) and the privacy of individuals’ protected health Information (PHI) relating to abortion and other sexual and reproductive health care.

Notice of Proposed Rulemaking on the HIPAA Privacy Rule and Reproductive Health Care

On April 12, 2023, OCR issued a Notice of Proposed Rulemaking (NPRM) to strengthen the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protections by prohibiting the use or disclosure of protected health information (PHI) to identify, investigate, prosecute, or sue patients, providers and others involved in the provision of legal reproductive health care, including abortion. HHS has heard from patients, providers, and organizations representing thousands of individuals that this change was needed to protect patient-provider confidentiality and prevent private medical records from being used against them merely for seeking, obtaining, providing, or facilitating lawful reproductive health care. Today’s announcement coincides with the convening of President Biden’s Task Force on Reproductive Health Care, aimed at protecting reproductive rights, including access to abortion care, following the Supreme Court’s decision overturning Roe v. Wade.

Protecting patient health information and privacy has taken on critical importance, and in the wake of unprecedented attacks against women’s reproductive rights. Following the Supreme Court decision, President Biden signed Executive Order 14076, directing HHS to consider ways to strengthen the protection of sensitive information related to reproductive health care services and bolster patient-provider confidentiality. This proposed rule is a result of that directive:

• Read the Press Release
• Read the Fact Sheet
• Lea la hoja informativa en español
• Read the NPRM

Guidance on the HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care

OCR issued guidance explaining how the Privacy Rule permissions for disclosing PHI without an individual’s authorization for purposes not related to health care, such as disclosures to law enforcement officials, are narrowly tailored to protect the individual’s privacy and support their access to health care, including abortion care.  This Guidance:

• Reminds HIPAA covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.
• Explains the Privacy Rule’s restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.
• Read the Guidance

Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet

OCR issued guidance for individuals about protecting the privacy and security of their health information when using their personal cell phone or tablet.  This guidance explains that, in most cases, the HIPAA Privacy, Security, and Breach Notification Rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets. This guidance also provides tips about steps an individual can take to decrease how their cell phone or tablet collects and shares their health and other personal information without the individual’s knowledge.  This Guidance:

• Explains how to turn off the location services on Apple and Android devices.
• Identifies best practices for selecting apps, browsers, and search engines that are recognized as supporting increased privacy and security.
• Read the guidance