OCR adds updates that support privacy in reproductive healthcare. As legal wrangling continues over the intersection between privacy, the law, and reproductive healthcare almost two years out from the Dobbs decision, the feds offer fresh HIPAA guidance and a few Privacy Rule revisions. Background: In 2022, the U.S. Supreme Court overturned Roe vs. Wade with its decision in the Dobbs vs. Jackson Women’s Health Organization ruling. In the aftermath, arguments popped up across the nation and court battles ensued over state laws, particularly in states where patients’ rights to privacy and safe healthcare were at risk. The Department of Health and Human Services (HHS) reminded providers of their EMTALA responsibilities post-Dobbs, and the HHS Office for Civil Rights also suggested revising HIPAA in a notice of proposed rulemaking (NPRM) (see Medicare Compliance & Reimbursement, Vol. 49, No. 11 and Vol. 50, No. 3). Now: On April 26, OCR published a final rule in the Federal Register titled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” which modifies the provision, safeguards protected health information (PHI), and better promotes medical records’ confidentiality for reproductive healthcare patients. “Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home. Patients and providers are scared, and it impedes their ability to get and to provide accurate information and access safe and legal health care,” said OCR Director Melanie Fontes Rainer in a release on the rule. “Today’s rule prohibits the use of protected health information for seeking or providing lawful reproductive health care and helps maintain and improve patient-provider trust that will lead to improved health outcomes and protect patient privacy.”
Know How the Rule Came to Fruition First, it’s important to remember that PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” according to OCR guidance on the HIPAA Privacy Rule. Furthermore, any personal information that can identify the patient and is associated with the medical record is also protected data. In fact, federal guidance lists 18 categories of “personal identifiers” that must be secured by covered entities (CEs) and business associates (BAs). Healthcare providers, payers, and BAs are tasked with protecting this critical data, and they must also set parameters on how the PHI is used and disclosed. Additionally, CEs and BAs must ensure that patients have ready access to their data and that rights to privacy aren’t violated. But the diverse state laws after the Dobbs ruling and the divisive legal landscape caused HIPAA-related issues. “Even with these protections, the OCR observed several concerns relating to the use and disclosure of certain PHI related to reproductive healthcare,” explains attorney Joseph J. Lazzarotti with law firm Jackson Lewis in online legal analysis. “These include potential harm caused by disclosing such information for non-health care purposes, such as to conduct an investigation against, or to impose liability upon, an individual or another person who receives or delivers reproductive healthcare.” OCR then published an NPRM in 2023 and received more than 30,000 comments. Healthcare providers and organizations weighed in on the proposals. For example, “many health care providers and individuals emphasized the importance of trusting relationships between individuals and their health care providers,” and that includes protecting “sensitive and difficult conversations with their health care providers” without fear of repercussions, the final rule says. Additionally, “an organization commented that privacy has long been a ‘hallmark’ of medical care and agreed with the Department that Congress recognized this principle when it enacted HIPAA,” the rule expounds. “Some organizations commented that the HIPAA framework of law and rules provides individuals with the necessary trust and confidence to seek reproductive health care without fear of being prosecuted or targeted by law enforcement, including in medical emergencies,” the rule continues.
Pocket These Takeaways The final rule is broken down into categories and lists new measures and requirements for “regulated entities,” — providers, health plans, health clearinghouses, and BAs — within the reproductive healthcare space. Those categories include the following: prohibition; presumption; attestation; notices of privacy practices (NPP); disclosures to law enforcement; and how to file a complaint. Here are the top actions to know, according to a fact sheet on the rule: Timeline: Many commenters asked OCR to move swiftly on implementing a final rule on HIPAA and reproductive health. The final rule goes into effect on June 25, 2024, and impacted parties have until Dec. 23, 2024 to comply with the applicable requirements, OCR says.