Specifically, the proposed rule would prohibit the use or disclosure of PHI for a criminal, civil, or administrative investigation or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care1 or to identify a person for the purpose of initiating such investigation or proceeding (the “Prohibited Purposes”), including investigations or proceedings against individuals seeking or receiving reproductive health care and those performing, providing, or insuring it. These restrictions apply where the reproductive health care was lawful or where such care is “protected, authorized or required” by Federal law. This means, for example, that PHI regarding lawful reproductive care obtained in New York may not be disclosed for purposes of an investigation in Texas.
The proposed rule would require that a HIPAA regulated entity obtain a signed attestation that a request for PHI is not related to the prohibited purposes set out. The attestation requirement would apply only if the request for PHI was tied to law enforcement purposes, judicial and administrative proceedings, health oversight activities or disclosures to coroners and medical examiners. The agency makes clear that knowingly falsely attesting could result in criminal penalties under HIPAA. HHS states that each use and disclosure requires a new attestation—a single attestation cannot support continued uses and disclosures of PHI.
To prevent attempts at circumventing the new prohibitions through other HIPAA provisions that allow the use or disclosure of PHI, HHS proposes a number of changes, including the following:
Authorization. As with the use of genetic information for underwriting purposes, HHS proposes to prohibit the use of a HIPAA authorization to enable a HIPAA-regulated entity to use or disclose PHI for the Prohibited Purposes. In other words, an authorization may not be used to override the prohibition on prohibited uses and disclosures. This ensures an individual is not coerced into signing an authorization.
Adding Definition of Public Health. A definition of “public health” makes clear that such activities, including those related to public health surveillance, investigation and intervention, are population-level activities, and thus public health reporting could not be used to justify disclosures for a Prohibited Purpose.
Abuse, Neglect and Domestic Violence. HIPAA-regulated entities would be required to treat a person as an individual’s personal representative, and could not assert the individual was or may be the victim of abuse, neglect or domestic violence, where such belief is based primarily on the facilitation or provision of reproductive health care by such person for, and at the request of, the individual. The NPRM also prohibits a HIPAA-regulated entity from disclosing PHI to report abuse, neglect or domestic violence when such is based primarily on the provision of reproductive health care.
HHS also added a requirement that covered entities include in their Notices of Privacy Practices a description and an example of the types of uses and disclosures that require an attestation and the Prohibited Purposes with sufficient detail for an individual to understand the prohibition.
Stakeholders should review the proposed requirements to determine if they wish to submit comments. Comments are due June 16, 2023.
Authored by Marcy Wilder, Melissa Bianchi, and Melissa Levine.
1 “Seeking, obtaining, providing, or facilitating reproductive health care” includes “expressing interest in, inducing, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.” The NPRM also defines “reproductive health care” as care, services, or supplies related to the reproductive health of the individual. HHS states that the Department would interpret “reproductive health care” to include, but not be limited to: contraception, including emergency contraception; pregnancy-related health care; fertility or infertility-related health care; and other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system. Pregnancy-related health care includes, but is not limited to, miscarriage management, molar or ectopic pregnancy treatment, pregnancy termination, pregnancy screening, products related to pregnancy, prenatal care, and similar or related care. Other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system includes health care related to reproductive organs, regardless of whether the health care is related to an individual’s pregnancy or whether the individual is of reproductive age.