Medicare Compliance & Reimbursement

HIPAA:

New Rule Aims To Bolster Confidentiality Post-Dobbs

OCR adds updates that support privacy in reproductive healthcare.

As legal wrangling continues over the intersection between privacy, the law, and reproductive healthcare almost two years out from the Dobbs decision, the feds offer fresh HIPAA guidance and a few Privacy Rule revisions.

Background: In 2022, the U.S. Supreme Court overturned Roe vs. Wade with its ruling in Dobbs vs. Jackson Women’s Health Organization. In the aftermath, arguments popped up across the nation and court battles ensued over state laws, particularly in states where patients’ rights to privacy and safe healthcare were at risk. The Department of Health and Human Services (HHS) reminded providers of their EMTALA responsibilities post-Dobbs, and the HHS Office for Civil Rights also suggested revising HIPAA in a notice of proposed rulemaking (NPRM) (see Medicare Compliance & Reimbursement, Vol. 49, No. 11 and Vol. 50, No. 3).

Now: On April 26, OCR published a final rule in the Federal Register titled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” which modifies the provision, safeguards protected health information (PHI), and better promotes medical records’ confidentiality for reproductive healthcare patients.

“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home. Patients and providers are scared, and it impedes their ability to get and to provide accurate information and access safe and legal health care,” said OCR Director Melanie Fontes Rainer in a release on the rule. “Today’s rule prohibits the use of protected health information for seeking or providing lawful reproductive health care and helps maintain and improve patient-provider trust that will lead to improved health outcomes and protect patient privacy.”

Know How the Rule Came to Fruition

First, it’s important to remember that PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” according to OCR guidance on the HIPAA Privacy Rule. Furthermore, any personal information that can identify the patient and is associated with the medical record is also protected data. In fact, federal guidance lists 18 categories of “personal identifiers” that must be secured by covered entities (CEs) and business associates (BAs).

Healthcare providers, payers, and BAs are tasked with protecting this critical data, and they must also set parameters on how the PHI is used and disclosed. Additionally, CEs and BAs must ensure that patients have ready access to their data and that rights to privacy aren’t violated. But the diverse state laws after the Dobbs ruling and the divisive legal landscape caused HIPAA-related issues.

“Even with these protections, the OCR observed several concerns relating to the use and disclosure of certain PHI related to reproductive healthcare,” explains attorney Joseph J. Lazzarotti with law firm Jackson Lewis in online legal analysis. “These include potential harm caused by disclosing such information for non-health care purposes, such as to conduct an investigation against, or to impose liability upon, an individual or another person who receives or delivers reproductive healthcare.”

OCR then published an NPRM in 2023 and received more than 30,000 comments. Healthcare providers and organizations weighed in on the proposals. For example, “many health care providers and individuals emphasized the importance of trusting relationships between individuals and their health care providers,” and that includes protecting “sensitive and difficult conversations with their health care providers” without fear of repercussions, the final rule says.

Additionally, “an organization commented that privacy has long been a ‘hallmark’ of medical care and agreed with the Department that Congress recognized this principle when it enacted HIPAA,” the rule expounds. “Some organizations commented that the HIPAA framework of law and rules provides individuals with the necessary trust and confidence to seek reproductive health care without fear of being prosecuted or targeted by law enforcement, including in medical emergencies,” the rule continues.

Pocket These Takeaways

The final rule is broken down into categories and lists new measures and requirements for “regulated entities” (providers, health plans, health clearinghouses, and BAs) within the reproductive healthcare space. Those categories include the following: prohibition; presumption; attestation; notices of privacy practices (NPP); disclosures to law enforcement; and how to file a complaint.

Here are the top actions to know, according to a fact sheet on the rule:

  • Prohibit PHI use or disclosure when it’s wanted for investigating individuals, providers, or others attempting to “seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.”
  • Require CEs and BAs to get a signed attestation from persons requesting PHI related to reproductive care, stating that the request is not for reasons that fall under the prohibited list.
  • Mandate CEs and BAs revise their NPPs to promote and support reproductive healthcare privacy and security.
  • Presume reproductive healthcare is lawful unless it was performed by an unlicensed person.
  • Permit use and disclosure of PHI to law enforcement when the request is authorized by the patient and allowed under the HIPAA Privacy Rule provision.

Timeline: Many commenters asked OCR to move swiftly on implementing a final rule on HIPAA and reproductive health. The final rule goes into effect on June 25, 2024, and impacted parties have until Dec. 23, 2024, to comply with the applicable requirements, OCR says.