chevron-down Created with Sketch Beta.

ARTICLE

HHS Proposes HIPAA Rulemaking to Strengthen Reproductive Health Data Protection

Kewa Jiang

HHS Proposes HIPAA Rulemaking to Strengthen Reproductive Health Data Protection
Linda Epstein via Getty Images

Background: White House Executive Order 14706 Post-Dobbs Decision

Nearly a year ago, on June 24, 2022, the Supreme Court of the United States ended national legal access to abortion in the Dobbs v. Jackson Women's Health Organization decision. In the initial aftermath, numerous federal agencies, such as the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS), and private companies affirmed their commitment to protecting consumer reproductive health data.

On July 8, 2022, the White House issued executive order 14076, which directed the FTC and HHS to take “action to protect healthcare service delivery and promote access to critical reproductive healthcare services, including abortion.” The executive order specifically addressed the need to protect consumer reproductive health data. The White House urged the HHS to consider providing guidance under the Health Insurance Portability and Accountability Act (HIPAA) to better protect health information, patient access to reproductive health services, and maintain confidence in patient-provider confidentiality.

Proposed New HIPAA Regulations

In response to the White House recommendation, on April 14, 2023, the HHS Office of Civil Rights – HHS’ HIPAA enforcement arm – published proposed regulations which modifies the Privacy Rule and aims to strengthen reproductive health data protection. In line with EO 14076, the proposed regulations protect patients against potential legal repercussions of seeking an abortion by limiting the proper use and disclosure of personal health information. HHS also proposes harmonized or clarifying definitions of key phrases or terms related to reproductive healthcare. The comment period is currently open until June 16, 2023, for the public to provide feedback on the proposed regulations.

Below are some highlights of the proposed regulations.

Definition of “Person”

  • Currently, HIPAA does not provide an explicit definition of the term “person,” “natural person,” “child,” or “individual.”
  • To ensure consistence, HHS clarified that the appropriate definition is that provided by 1 U.S.C. 8, which defines the terms to mean “every infant member of the species homo sapiens who is born alive at any stage of development.”

Definition of “Public health surveillance, investigation, or intervention”

  • While this term is not specifically defined under HIPAA, HIPAA’s Privacy Rule allows for a regulated entity to use or disclose personal health information to conduct “public health surveillance, investigation, or intervention” in connection with disease control or prevention, injury, or disability.
  • The proposed regulation would define “public health surveillance, investigation, or intervention” to mean population-based activities to prevent disease and promote health of populations. notably, however, the definition does not mean personal health information can be used and disclosed “for criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, or to identify any person for the purpose of initiating such an investigation or proceeding.”
  • HHS declined to explicitly define “surveillance,” “investigation,” and “intervention” but invites the public to provide comments on whether it would be helpful to provide definitions.

Definition of “Reproductive Health Care”

  • HIPAA currently provides a broad definition of “health care,” which is a non-exhaustive list of possible health care services that encompasses physical health, mental health, and health supplies.
  • HHS proposes to provide a definition of “reproductive health care” as a sub-category within “health care.” Reproductive health care would be defined as “care, services, or supplies related to the reproductive health of the individual.” The definition is intended to be broad and encompass care, services, prescriptive and non-prescriptive supplies related to reproductive health regardless of where the service is provided.

Non-Permitted Use and Disclosure

  • HHS proposes to prohibit regulated entities from using or disclosing personal health information “against any individual, regulated entity, or other person for the purpose of a criminal, civil, or administrative investigation into or proceeding against such person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.”
  • HHS proposes to prohibit the use or disclosure of personal health information to identify “an individual, a regulated entity, or other person for the purpose of initiating such an investigation or proceeding.”
  • HHS explicitly states that the current permitted use and disclosure of personal health information that does not require explicit consent or agreement of a patient does not circumvent the proposed non-permitted use and disclosure.

Looking Ahead

Going forward a key issue that will need to be addressed is how the proposed HIPAA regulations will pre-empt and interact with states’ health data privacy legislations. Numerous states have either passed new health data privacy bills, such as Washington’s My Health, My Data Act, or introduced bills addressing health data privacy, such as New York and Massachusetts.

This article was prepared by the Antitrust Law Section's Privacy and Information Security Committee.

    Authors