HIPAA Privacy Rule and Reproductive Health Care
On April 12, 2023, OCR issued a Notice of Proposed Rulemaking (NPRM) to strengthen the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protections by prohibiting the use or disclosure of protected health information (PHI) to identify, investigate, prosecute, or sue patients, providers and others involved in the provision of legal reproductive health care, including abortion. HHS has heard from patients, providers, and organizations representing thousands of individuals that this change was needed to protect patient-provider confidentiality and prevent private medical records from being used against them merely for seeking, obtaining, providing, or facilitating lawful reproductive health care. Today’s announcement coincides with the convening of President Biden’s Task Force on Reproductive Health Care, aimed at protecting reproductive rights, including access to abortion care, following the Supreme Court’s decision overturning Roe v. Wade.
Protecting patient health information and privacy has taken on critical importance in the wake of unprecedented attacks against women’s reproductive rights. Following the Supreme Court decision, President Biden signed Executive Order 14076, directing HHS to consider ways to strengthen the protection of sensitive information related to reproductive health care services and bolster patient-provider confidentiality. This proposed rule is a result of that directive.
HITECH RFI
On April 6, OCR published a Request for Information (RFI) seeking input from the public on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021. These two requirements are:
- Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit.
- Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense.
For more information on the HITECH RFI and how to submit a public comment, visit here
Privacy Rule NPRM
On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support individuals' engagement in their health care, remove barriers to coordinated care, and decrease regulatory burdens on the health care industry, while continuing to protect individuals' health information privacy interests.
For more information on the Privacy Rule NPRM, visit here