Proposed HIPAA Change on Reproductive Care Could Be Significant
By Greg Freeman
If a newly proposed Office for Civil Rights (OCR) rule involving reproductive privacy rights is finalized, covered entities might need to significantly revise their HIPAA policies and procedures.
The proposed rule would modify HIPAA to create stricter privacy standards for reproductive healthcare records. Alisa L. Chestler, JD, CIPP/US, shareholder with Baker Donelson in Nashville, TN, says covered entities would need to evaluate their practices surrounding, and interactions with, reproductive healthcare information. That includes creating a process by which they can determine the lawfulness of any reproductive healthcare for which they possess protected health information (PHI). Healthcare entities also must create HIPAA compliance attestations for those disclosures that OCR believes could be used to conduct proceedings against patients or providers who seek or facilitate lawful reproductive healthcare.1
The rule would require substantial revisions to a healthcare organization’s practices, Chestler notes. Covered entities would benefit from evaluating what steps are needed to bring their HIPAA programs into compliance with the requirements of this rule so that future modifications will be easier to organize and implement.
The changes will put a renewed focus on not only updating policies and procedures but potentially significant programming changes to electronic medical records and other systems with access to information, Chestler says. This work will take time, so she recommends operations and compliance start to consider what the changes would mean.
“HIPAA is no longer just in the hands of the compliance team. If the proposed rule goes through, there must be careful thought on how to ensure this information is protected at every twist and turn within the health system, their business associates, and any others who might obtain the sensitive information,” Chestler says. “In a post-Dobbs world, the improper use or dissemination of this information could mean real liability for the organization. Compliance officers need to spend time considering all aspects, operations, privacy, and information security controls.”
Failing to follow the law also could mean significant bad press and attention if a woman’s reproductive medical history improperly obtained from a covered entity was used to enforce a state’s anti-abortion law, Chestler warns.
Addressing Stricter Abortion Laws
OCR is trying to address concerns after some states restricted access to abortion after the Dobbs v. Jackson Women’s Health ruling, says Catherine E. David, JD, an associate with Reed Smith in Philadelphia. They are afraid women will not seek necessary care for fear their personal information or access to the care will be disclosed to someone who would use it for criminal, civil, or administrative investigations. OCR also is concerned providers with similar fear on behalf of the patient might not be forthcoming in entering information in a patient’s medical record.
“OCR says that they’re afraid providers might omit certain information in order to potentially protect the patient or the provider from potential investigation. OCR is afraid that this kind of lack of fulsome medical records can lead to lower quality of care just because if you don’t have the complete medical picture of someone, you might not provide the best care,” David explains. “The third concern that OCR is trying to address is that healthcare providers might not provide all or best-of-the-best recommendations to a patient for fear that even the most sensible recommendation could lead to prosecution and recommendations might be tied back to healthcare providers.”
The proposed rule includes a prohibition on covered entities disclosing PHI related to reproductive healthcare if the request is made for the primary purpose of identifying a patient, investigating a patient, or imposing liability on a patient merely for the act of seeking medications or care, David notes.
If the rule is finalized, covered entities would have 180 days to comply. David agrees covered entities would be well advised to start reviewing the implications of the rule. Covered entities should determine if they provide or facilitate services that fall within the new definition of reproductive healthcare, which has been expanded in the proposed rule. If so, it will be important to understand the status of state law regarding reproductive healthcare in both the entity’s home state and in nearby states where patients might travel from to obtain services.
Upon finalization of the rule, covered entities must develop or update policies that reflect when reproductive health PHI can be released. David suggests designating one or two people, or a department, to receive and address such requests uniformly.
Entities also must develop an intake process for requests that fall into this bucket, choosing a centralized person or department to handle and review them. David notes OCR’s requirement that the receiver of the PHI sign an attestation stating they are using the information for permitted purposes is new to HIPAA, so it will require creating a new form.
“To develop the attestation, you will have to update your Notice of Privacy Practices. You will need to educate your work force on what to do with this request,” David advises. “The Business Associate Agreement will need to be revised to include certain things about what the covered entity will do and what the business associate will not do.”
REFERENCE
1. Office for Civil Rights. HIPAA Privacy Rule to support reproductive health care privacy. Federal Register. April 17, 2023.
SOURCES
• Alisa L. Chestler, JD, CIPP/US, Shareholder, Baker Donelson, Nashville, TN. Phone: (615) 726-5589. Email: [email protected].
• Catherine E. David, JD, Reed Smith, Philadelphia. Phone: (215) 241-7913. Email: [email protected].
If finalized, the rule would modify HIPAA to create stricter privacy standards for reproductive healthcare records. Covered entities would need to evaluate their practices surrounding, and interactions with, reproductive healthcare information. That includes creating a process by which they can determine the lawfulness of any reproductive healthcare for which they possess protected health information.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.