The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released the HIPAA Privacy Rule to Support Reproductive Health Care Privacy proposed rule on April 12, 2023 aimed at providing additional requirements around the sharing of protected health information (PHI) relating to patient initiated and provider administered reproductive health care. OCR has released a fact sheet on the proposed rule. Comments are due on or before Friday, June 16, 2023.
OCR notes, while the agency is undergoing rulemaking, current HIPAA Privacy Rule requirements placed on covered entities remain in effect. Providers looking for additional information on what is currently required under the HIPAA Privacy Rule should review OCR’s guidance on those requirements and work with their internal compliance teams to ensure full compliance with existing regulations.
Key Provisions of the Proposed Rule Include:
- Prohibiting the disclosure of PHI by a covered entity for:
- A criminal, civil, or administrative investigation into, or proceeding against, any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which provided; and
- The identification of any person for the purpose of initiating such investigations or
- Conditions for this prohibition include:
- The reproductive health care services were sought or obtained in a state where the services are lawful and outside of the state where the investigation or proceeding is authorized;
- The reproductive health care service is protected, required, or expressly authorized by federal law; and
- Reproductive health care services are provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state where the care is
- PHI used for purposes otherwise permitted under the HIPAA Privacy Rule are not subject to the above prohibitions.
- Requiring covered entities to obtain a signed attestation that the use or disclosure of the PHI is not for a prohibited The attestation requirement would apply when the request is for:
- Health oversight activities;
- Judicial and administrative proceedings;
- Law enforcement purposes; or
- Disclosures to coroners and medical
- Any violation of the above requirements would result in a breach notification process, unless a covered entity can fully prove that no PHI was inappropriately released or accessed.
- Updates to the definition of “person” and “natural”
- Defining “Reproductive Health Care” as including, but not limited to, “prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions such as ovarian cancer.”
- Updates to the HIPAA Notice of Privacy Practices to encompass the above proposed
If you have questions, please contact Jim Potter at jpotter@cohealthcom.org.