The number of states that have introduced bans or restrictions on abortions has been growing since the Supreme Court overturned Roe v Wade. Currently, 18 states have introduced bans on abortions and that number is expected to grow. Now that the federal right to an abortion has been removed, there are fears that women who live in states with abortion bans will seek reproductive care in more permissive states and that states with abortion bans will look to prosecute those individuals or the healthcare providers that facilitate abortions.
Currently, the HIPAA Privacy Rule permits – but does not require – disclosures of protected health information (PHI) to law enforcement when those disclosures are required by law, such as when a healthcare provider is presented with a court order or court-ordered warrant, or a subpoena or summons, but only if all of the conditions specified in the Privacy Rule relating to law enforcement disclosures of PHI are met. HHS’ Office for Civil Rights (OCR) issued guidance on disclosures of PHI relating to reproductive health care last year and has now moved to introduce further restrictions on uses and disclosures of PHI relating to reproductive health care to strengthen patient-provider confidentiality.
On April 12, 2023, OCR published a Notice of Proposed Rulemaking in the Federal Register that prohibits HIPAA-regulated entities from disclosing PHI for the following purposes:
- A criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of initiating such investigations or proceedings.
The restrictions on disclosures of PHI will apply in specific situations:
- Reproductive health care that is sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized.
- Reproductive health care that is protected, required, or expressly authorized by federal law, regardless of the state in which such health care is provided.
- Reproductive health care that is provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such health care is provided.
HIPAA-regulated entities will still be permitted to disclose PHI relating to reproductive health care, without patient authorizations, for purposes permitted by the HIPAA Privacy Rule when the request is not made primarily for the purpose of investigating or imposing liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care.
Comments are being accepted on the proposed changes for 60 days. The NPRM can be viewed in the Federal Register.