HIPAA prevents the use of reproductive health information in investigations aimed at penalizing individuals for legally obtaining reproductive healthcare. This is except when needed for defending against claims of professional misconduct or for health oversight purposes.
The Dobbs v. Jackson Women's Health Organization decision in 2022 had implications for how reproductive health information is handled. By determining that the Constitution does not confer a right to abortion and returning authority to regulate abortion to individual states, Dobbs has increased the variability of reproductive rights across the U.S.
In response to these changes and the potential for increased inquiries and investigations into reproductive health actions, the Biden-Harris Administration updated the HIPAA Privacy Rule to strengthen protections for this type of information.
The updated HIPAA rules prohibit the use or disclosure of protected health information (PHI) by healthcare providers, plans, and clearinghouses for purposes related to investigating or prosecuting individuals based on their reproductive health decisions where such healthcare is legally obtained.
This means that if a patient receives reproductive care in a state where it is legal, their PHI cannot be disclosed for the purpose of investigations or legal actions against them in states where such care may be restricted or illegal. This is a direct countermeasure to the increased risks posed by the varied state regulations following the Dobbs decision.
The HHS provides how the amendment governs the way PHI is handled during an investigation, specifically: “The Final Rule strengthens privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a covered health care provider, health plan, or health care clearinghouse—or their business associate—for either of the following activities:
To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
The identification of any person for the purpose of conducting such investigation or imposing such liability.”
These modifications make it clear that healthcare providers, insurance plans, and other covered entities are prohibited from using or disclosing PHI for the purpose of conducting or aiding in criminal, civil, or administrative investigations or proceedings that aim to penalize individuals for seeking or obtaining legal reproductive health services. This includes situations where a patient may travel between states to receive care that is legal in the state of provision but not in their home state.
The amendments also introduce a new requirement for entities that request PHI related to reproductive health care. They must now provide a signed attestation stating that the information will not be used for investigating or prosecuting individuals based on their reproductive health decisions. This layer of verification serves to further protect patient privacy and deter misuse of PHI.
See also: The HIPAA Privacy Rule to Support Reproductive Health Care Privacy
While the Rule tightens the restrictions on using or disclosing PHI for purposes related to investigating or prosecuting individuals for their reproductive health decisions, it still permits the use or disclosure of PHI in certain other circumstances.
For example, a healthcare provider is allowed to use or disclose PHI to defend themselves in legal proceedings involving allegations of professional misconduct or negligence, where such proceedings are related to the provision of reproductive health care.
PHI can be disclosed to comply with health oversight audits or inspections conducted by entities like the Inspector General, provided these disclosures are not for the purpose of pursuing criminal or civil actions against patients for obtaining reproductive health care.
See also: HIPAA Compliant Email: The Definitive Guide
Healthcare providers must understand local laws or consult legal experts to ensure that the reproductive health care they provide or handle complies with the legal standards in their specific jurisdictions.
Patients can file complaints with the HHS if they believe their PHI has been handled improperly, which can trigger an investigation by the Office for Civil Rights (OCR).
The rule requires that any request for reproductive PHI for certain purposes, such as law enforcement or judicial proceedings, must be accompanied by a signed attestation from the requester that the information will not be used for prohibited purposes.