Department’s Civil Rights Office Seeks to Strengthen HIPAA Privacy Rule

Today, the U.S. Department of Health and Human Services (HHS), through its Office of Civil Rights, issued a Notice of Proposed Rulemaking (NPRM) to strengthen the privacy rule protections of Health Insurance Portability and Accountability Act (HIPAA) by prohibiting the use or disclosure of protected health information (PHI) to investigate or prosecute patients, providers, and others involved in the provision of reproductive health care legal, including abortion care. HHS has heard from patients, providers, and organizations representing thousands of people that this change is necessary to protect patient and provider privacy and prevent private health records from being used against individuals simply to seek, obtain, provide or facilitate lawful reproductive health care.

Since the Supreme Court ruling overturning Roe vs. Wade, the protection of patient health information and privacy has become critically important. As a result of that decision, President Biden signed Executive Order 14076, directing HHS to consider ways to strengthen the protection of sensitive information related to reproductive health care services and enhance patient-provider confidentiality. Today’s announcement is consistent with that executive order and coincides with the third convening of President Biden’s Task Force on Access to Reproductive Health Care – a task force aimed at protecting women’s access to reproductive health care.

“When the Supreme Court struck down Roe vs. Wade, nearly half a century of precedent changed overnight,” Secretary Xavier Becerra said. “The Biden-Harris administration is committed to protecting women’s legal access to reproductive health care, including abortion care. President Biden signed not one but two executive orders calling on HHS to take action to respond to this moment and we wasted no time in doing so. Today’s action is another important step taken by HHS to protect patients accessing critical care.

“I met doctors across the country who shared their stories,” said OCR Director Melanie Fontes Rainer. “These providers expressed fear, anger and sadness that they or their patients could end up in jail for providing or obtaining evidence-based and medically appropriate care. Trust is essential in the patient-doctor relationship and medical mistrust can damage and chill patients’ relationship with their providers, putting patient health at risk. Today’s proposed rule aims to preserve that trust in the patient-provider relationship and to ensure that when you go to the doctor, your private medical records will not be disclosed and used against you to obtain legal care. It’s a real problem that we hear and see, and we’ve developed the proposed rule today to help fill that gap and provide clarity for our healthcare providers and patients.

The OCR, which administers and enforces the Privacy Policy, sets requirements for the use, disclosure, and protection of PHI by healthcare providers, health insurance companies, and other HIPAA-regulated entities. (collectively, “HIPAA Regulated Entities”). The HIPAA Privacy Rule supports access to health care by giving individuals the assurance that their PHI, including reproductive health care information, will remain confidential.

Today’s NPRM proposes to extend additional privacy protections to providers, insurers, patients and others to protect PHIs when such information would otherwise be disclosed or used to identify, investigate, prosecute or prosecute someone for seeking, obtaining, providing or facilitating legal reproductive health. care. Reproductive health care would be defined to include, but is not limited to, prenatal care, abortion, management of miscarriages, treatment of infertility, use of contraception, and treatment of related conditions to reproduction such as ovarian cancer.

While the Department undertakes this rule development, the current confidentiality rule remains in effect. As explained in the OCR guidelines, the existing confidentiality rule allows, but does not require, certain disclosures to law enforcement and others, subject to specific conditions.

OCR is committed to applying HIPAA rules that protect the privacy and security of people’s health information. If you believe that the privacy or civil rights of your or another person’s health information have been violated, you may file a complaint with OCR at: https://www.hhs.gov/ocr/complaints /index.html

The NPRM can be viewed in the Federal Register at: https://www.federalregister.gov/public-inspection/current

A fact sheet on the NPRM is available in English at: https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-reproductive-health-fact-sheet/index.html