| | | |

RFI HIPAA Privacy Rule

Requst For Information OCR HIPAA


On April 12th, the Office of Health and Human Services (HHS) published a Notice of Proposed Rule Making (NPRM) to seek comments regarding modifications to the HIPAA Privacy Rule ‘to support reproductive healthcare and privacy.’ Don’t let the misleading intentions lead you to believe this is a positive move for healthcare, much less for reproductive healthcare. The proposed changes will bring about sweeping restrictions, as well as a great deal of confusion. You can read the full 155 page document here.

“The Department of Health and Human Services (HHS or “Department”) is issuing
this notice of proposed rulemaking (NPRM) to solicit comment on its proposal to modify the
Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the
Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health
Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The proposal would modify existing standards permitting uses and disclosures of protected health
information (PHI) by limiting uses and disclosures of PHI for certain purposes where the use or
disclosure of information is about reproductive health care that is lawful under the circumstances
in which such health care is provided.

The proposal would modify existing standards by prohibiting uses and disclosures of PHI for criminal, civil, or administrative investigations or proceedings against individuals, covered entities or their business associates (collectively, “regulated entities”), or other persons for seeking, obtaining, providing, or facilitating
reproductive health care that is lawful under the circumstances in which it is provided.”

This NPRM proposes to strengthen privacy protections by prohibiting the use or disclosure of PHI by a regulated entity for either of the following purposes:

  • A criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of initiating such investigations or proceedings.

Under the proposal, the prohibition would apply where the relevant criminal, civil, or administrative investigation or proceeding is in connection with one of the following:

  • Reproductive health care that is sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized.

    • For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.

  • Reproductive health care that is protected, required, or expressly authorized by federal law, regardless of the state in which such health care is provided.

    • For example, if the reproductive health care, such as miscarriage management, is required under the Emergency Medical Treatment and Labor Act (EMTALA) to stabilize the health of the pregnant individual.

  • Reproductive health care that is provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such health care is provided.

    • For example, if a resident of a state receives reproductive health care, such as a pregnancy test or treatment for an ectopic pregnancy, in the state where they reside, and that reproductive health care is lawful in that state.

The proposed rule would continue to allow a regulated entity to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for PHI is not made primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. For example:

  • A covered health care provider could continue to use or disclose PHI to defend themselves in an investigation or proceeding related to professional misconduct or negligence where the alleged professional misconduct or negligence involved reproductive health care.
  • A regulated entity could continue to use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care.
  • A regulated entity could continue to use or disclose PHI to an Inspector General where the PHI is sought to conduct an audit for health oversight purposes.

To implement the proposed prohibition, the NPRM would require a regulated entity, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement would apply when the request is for PHI in any of the following circumstances:

  • Health oversight activities.
  • Judicial and administrative proceedings.
  • Law enforcement purposes.
  • Disclosures to coroners and medical examiners.

The proposed requirement to obtain a signed attestation would give regulated entities a way of confirming in writing that requests for PHI are not for a prohibited purpose.

While the Department is undertaking this rulemaking, the current Privacy Rule remains in effect. As explained in OCR guidance, the existing Privacy Rule permits, but does not require, certain disclosures to law enforcement and others, subject to specific conditions.

HHS encourages all stakeholders, including patients and their families, health plans, health care providers, health care professional associations, consumer advocates, and government entities, to submit comments through regulations.gov.

Public comments on the NPRM are due 60 days after publication of the NPRM in the Federal Register.

The fact sheet on the NPRM can be found here.

Leave a Reply