Connecticut’s Attorney General William Tong joined the attorneys general of 23 other states in signing a letter urging U.S. Department of Health and Human Services (DHHS) director Xavier Becerra and DHHS Office for Civil Rights director Melanie Fontes Rainer to adopt proposed amendments to the Health Insurance Portability and Accountability Act (HIPAA).
Title II of HIPAA, first signed into law in 1996, contains a privacy rule that prevents personally identifiable health information from being disclosed by a covered entity, such as a doctor’s office or insurance carrier, without a patient’s express written authorization.
Following the Supreme Court’s June 2022 decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and Planned Parenthood v. Casey and their holdings that the U.S. Constitution guarantees a right to abortion, President Joe Biden signed an executive order directing DHHS to submit a report identifying potential actions it could take to “protect and expand access to abortion care” and to “otherwise protect and expand access to the full range of reproductive healthcare services.”
In response, DHHS issued a notice of proposed rulemaking to strengthen HIPAA’s privacy rule by “prohibiting the use or disclosure of protected health information (PHI) to identify, investigate, prosecute, or sue patients, providers, and others involved in the provision of legal reproductive health care, including abortion” on April 17.
According to DHHS’ Office for Civil Rights (OCR), which enforces HIPAA’s privacy rule, under the privacy rule, regulated entities can use or disclose PHIA without individual authorization for purposes not related to health care. Those purposes include disclosures to law enforcement when disclosure requires compliance with another law. OCR specifies that the privacy rule permits but does not require covered entities to do so.
According to the notice of proposed rulemaking, laws enacted or effective in a number of states raised the prospect that highly sensitive PHI would be disclosed under circumstances that did not exist before the Supreme Court’s decision, generating significant confusion for individuals, health care providers, family, friends, and caregivers regarding their ability to privately seek, obtain, provide, or facilitate health care.”
The proposed changes would restrict the use or disclosure of reproductive care-related PHI for non-healthcare purposes, something DHHS acknowledges it has not done before.
“Give the particularly sensitive nature of information related to an individual’s reproductive health, [DHHS] is proposing to create new, special safeguards for this information.” the notice states.
But it also acknowledges that reproductive health information is not easily defined because it may not initially appear to be related to reproductive health. As an example, the notice lists a high blood pressure reading, which can be evidence of preeclampsia in pregnancy.
The proposal would modify the privacy rule to prohibit a regulated entity from “using or disclosing an individual’s PHI for the purpose of conducting a criminal, civil, or administrative investigation into or proceeding against the individual, a health care provider, or another person in connection with seeking, obtaining, providing or facilitating reproductive health care” if it is provided outside the state where the investigation is authorized and if the health care is legal in that state or occurs in a state where that health care is legal, or if the health care is protected by federal law.
It would also clarify some language within HIPAA, including the definition of “natural person.” It would also add a definition of reproductive health care to HIPAA, defined as “care, services, or supplies related to the reproductive health of the individual.”
Tong joined the attorneys general of twenty-three other states, including Massachusetts, Maine, Rhode Island, and Vermont, in signing a letter of support of the proposed rules. “[I]t is critical that additional guardrails be added to the Privacy Rule to protect against the disclosure of reproductive health information, and that pregnant people be made fully aware of the ways in which their PHI may be used and disclosed to third-parties that are not covered entities.” the letter states.
The letter also included recommendations for clarifying and strengthening DHHS’ proposed recommendations. The states ask DHHS to consider providing a separate definition of “reproductive health,” as they believe including the term as defined would signal “that most covered entities—rather than only providers of gynecological or fertility-related care—would be required to implement changes in order to be in compliance.”
They also suggest that the proposed definition of reproductive health care include additional examples in its preamble, as well as a “specific, non-exhaustive list of examples of reproductive health care in the regulatory text in order to clarify the Department’s intent.” The signer’s state that examples would help clarify DHHS’ intent to include care, services and supplies even when unrelated to pregnancy and worry the current definition would exclude gender-affirming care and assisted reproduction.
Additionally, the states urge DHHS to expand the proposed prohibition on disclosure of PHI more broadly, arguing that it should include gender-affirming care as treatment can affect reproduction and that “many of the same clinics that provide abortion also provide gender-affirming care and would presumably be subject to invasive requests for PHI.”
The signers also suggest the final rule limit the prohibition on PHI disclosure to instances where health care is lawful under state or federal law. Other concerns relate to language governing the disclosure of PHI when not primarily for the purpose of investigation, as well as provider requests to authorize prohibited disclosures.
The comment period for the proposed rule closed on June 16. DHHS will consider comments before issuing a final rule.
At the state level, Connecticut has also taken steps to safeguard reproductive health data. A bill that establishes standards for accessing and sharing consumer health data was passed during the recent legislative session. It defined consumer health data as any personal data used by a controller, who processes personal data, to identify a consumer’s physical or mental health condition or diagnosis. The bill specifically noted this includes gender-affirming, reproductive, and sexual health.
It defined gender-affirming health data as “any personal data about a consumer’s effort to seek, or receiving, gender-affirming health care services. It also defined reproductive or sexual health data to include any health service or product that concerns a consumer’s reproductive health or sexual well-being and listed specific tests, treatments, and other services that were covered.
The bill also generally prohibits anyone from providing an employee or contractor with consumer health data and from providing a processor with consumer health data unless the person and processor comply with specific existing requirements. Additionally, the bill prohibits the use of geofences to set virtual boundaries within 1,750 feet of mental health, reproductive, or sexual health facilities in order to identify, track, or collect data from consumers.
Further, it prohibits the selling of consumer health data without the consumer’s consent. The bill was passed by the Senate on May 11 and by the House of Representatives on June 2. It was transmitted to the governor on June 14 and has not yet been signed.
Republish our articles for free, online or in print, under a Creative Commons license.
