HHS issues final rule to expand HIPAA coverage for reproductive data
The rule comes in response to health data security concerns arising out of the 2022 overturn of abortion protections established by Roe v. Wade.
The Department of Health and Human Services released a final rule on the data privacy provisions for reproductive health care information deemed individually identifiable on Monday, finalizing the initiative to further protect this information in the wake of the Supreme Court’s 2022 overturn of the 1973 landmark court decision in Roe v. Wade.
HHS first took steps to codify the safeguarding of protected health indicators — or PHI — at the digital level in 2023 with a proposed rule. Today’s final rule will extend the Health Insurance Portability and Accountability Act of 1996 Privacy Rule to protect patient confidentiality and access to reproductive data unless authorized in select cases.
After receiving over 30,000 comments on the draft rule, HHS highlighted three areas now included in the final rule: prohibiting the use or disclosure of PHI in law enforcement investigations into lawful reproductive care; requiring certain health care providers to obtain signed attestations in requests for reproductive PHIs prior to disclosures; and requiring health care providers and related entities to update their Notice of Privacy Practices to support reproductive health care privacy.
“Many Americans are scared their private medical information will be shared, misused, and disclosed without permission. This has a chilling effect on women visiting a doctor, picking up a prescription from a pharmacy, or taking other necessary actions to support their health,” said HHS Secretary Xavier Becerra in the press release. “The Biden-Harris Administration is providing stronger protections to people seeking lawful reproductive health care regardless of whether the care is in their home state or if they must cross state lines to get it.”
Safeguarding privacy law between healthcare providers and patients aims to strengthen the U.S. medical infrastructure and encourage patients to seek treatment by preventing the misuse of sensitive data on any type of reproductive care, spanning abortion, contraception and fertility-related care.
Under the rule, PHI disclosures to law enforcement will only be permitted in response to legal authorities, namely administrative subpoenas or summons, a civil summons, a civil or an authorized investigative demand or other legal processes.
Given the patchwork of changing laws that vary depending on jurisdictions, the final rule also protects a patient and their medical records — and providers — from having their travel policed when pursuing lawful care, Fontes Rainer said during a press conference on Monday.
The rule is expressly designed to put some checks on the ability of law enforcement officials in states that restrict or ban abortion to obtain health records on residents who may have obtained abortions or covered reproductive care in other states.
"This does not foreclose the ability of state officials to investigate the circumstances surrounding the provision of…reproductive health care, including through the collection of information from sources that are not regulated under HIPAA, to determine whether a health care provider or other person may have acted unlawfully," the rule states. "Rather, this final rule prohibits the use or disclosure of PHI when it is being used to investigate or impose liability on a person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person to initiate such activities."
In late September 2022, Fontes Rainer spoke with Nextgov/FCW about HHS’s response to the fears stoked by the overturning of Roe v. Wade, noting that digital PHI, such as the menstruation and fertility information many users store on cell phone applications, was left uncovered by HIPAA protections.
In July 2022, President Joe Biden signed an executive order to help combat the potential digital surveillance and inappropriate access of PHI stored on personal tech devices by directing HHS to issue guidance on how consumers can secure their personal data.
The new rule still does not protect PHI and other health or personal data stored on commercial and personal tech products.