Proposed New HIPAA Regulations
In response to the White House recommendation, on April 14, 2023, the HHS Office of Civil Rights – HHS’ HIPAA enforcement arm – published proposed regulations that modify the Privacy Rule and aim to strengthen reproductive health data protection. In line with EO 14076, the proposed regulations protect patients against potential legal repercussions of seeking an abortion by limiting the proper use and disclosure of personal health information. HHS also proposes harmonized or clarifying definitions of key phrases or terms related to reproductive healthcare. The comment period is currently open until June 16, 2023, for the public to provide feedback on the proposed regulations.
Below are some highlights of the proposed regulations.
Definition of “Person”
- Currently, HIPAA does not provide an explicit definition of the term “person,” “natural person,” “child,” or “individual.”
- To ensure consistency, HHS clarified that the appropriate definition is that provided by 1 U.S.C. 8, which defines the terms to mean “every infant member of the species homo sapiens who is born alive at any stage of development.”
Definition of “Public health surveillance, investigation, or intervention”
- While this term is not specifically defined under HIPAA, HIPAA’s Privacy Rule allows for a regulated entity to use or disclose personal health information to conduct “public health surveillance, investigation, or intervention” in connection with disease control or prevention, injury, or disability.
- The proposed regulation would define “public health surveillance, investigation, or intervention” to mean population-based activities to prevent disease and promote the health of populations. Notably, however, the definition does not mean personal health information can be used and disclosed “for criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, or to identify any person for the purpose of initiating such an investigation or proceeding.”
- HHS declined to explicitly define “surveillance,” “investigation,” and “intervention” but invites the public to provide comments on whether it would be helpful to provide definitions.
Definition of “Reproductive Health Care”
- HIPAA currently provides a broad definition of “health care,” which is a non-exhaustive list of possible health care services that encompasses physical health, mental health, and health supplies.
- HHS proposes to provide a definition of “reproductive health care” as a sub-category within “health care.” Reproductive health care would be defined as “care, services, or supplies related to the reproductive health of the individual.” The definition is intended to be broad and encompass care, services, prescriptive and non-prescriptive supplies related to reproductive health regardless of where the service is provided.
Non-Permitted Use and Disclosure
- HHS proposes to prohibit regulated entities from using or disclosing personal health information “against any individual, regulated entity, or other person for the purpose of a criminal, civil, or administrative investigation into or proceeding against such person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.”
- HHS proposes to prohibit the use or disclosure of personal health information to identify “an individual, a regulated entity, or other person for the purpose of initiating such an investigation or proceeding.”
- HHS explicitly states that the current permitted use and disclosure of personal health information that does not require explicit consent or agreement of a patient does not circumvent the proposed non-permitted use and disclosure.
Looking Ahead
Going forward, a key issue that will need to be addressed is how the proposed HIPAA regulations will pre-empt and interact with states’ health data privacy legislation. Numerous states have either passed new health data privacy bills, such as Washington’s My Health, My Data Act, or introduced bills addressing health data privacy, such as New York and Massachusetts.