After Roe v. Wade was overturned in 2022, the Office for Civil Rights (OCR) released a notice of proposed rulemaking to strengthen HIPAA privacy protections in reproductive healthcare. Now, Attorney Generals across the country are showing support and guidance.
The Department of Health and Human Services (HHS) continues to respond after the Supreme Court decision on Dobbs v. Jackson resulted in restrictions to abortion access for millions of Americans.
According to the HHS, the current HIPAA Privacy rule permits disclosure of reproductive health information if it is required by law or for enforcement purposes but does not require it.
Under current HIPAA protections, reproductive healthcare is generally protected, but there are a number of circumstances that may allow health information to be disclosed, potentially resulting in legal action or prevention of abortion access.
A notice of proposed rulemaking (NPRM) was issued by the HHS in April, aiming to strengthen protections for reproductive healthcare by explicitly prohibiting the use of protected health information (PHI) for the purposes of criminal, civil, or administrative investigation. The NPRM also outlines other privacy protections designed to protect reproductive healthcare privacy.
Now, Attorney Generals in 24 states (Arizona, California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New York, New Mexico, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, Washington, Wisconsin, and Washington D.C.) have released a letter in support of the proposed rulemaking.
According to the signatory states, the Supreme Court's decision to overturn Roe v. Wade has created uncertainty in reproductive health care throughout the country and coincides with technological advances that current privacy protections have not kept up with.
By signing the letter, and offering further guidance, the attorney generals are signaling significant support and outlining their individual state efforts to protect individuals' reproductive healthcare privacy.
The attorney generals also challenged the use of "primarily" in the NPRM, which stated that PHI may be disclosed if the purpose is not primarily to investigate or impose liability on a person seeking reproductive healthcare.
According to the statement, the signers said, "The hostile and fragmented reproductive health care landscape heavily burdens patients in need of health care."
The letter also urged "the Department to move expeditiously to issue [the proposed rule] and apply the standard compliance date of 180 days after the effective date of the final rule." The attorney generals argue that the new ruling "would give individuals confidence that their protected information will be kept private."
The attorney generals also offered several recommendations for the NPRM, including:
Other recommendations from the attorney generals can be found in their letter.
As states continue to react to the NPRM, it will provide a greater understanding of how HIPAA may evolve to account for the overturning of Roe v. Wade and the continued technological changes that affect privacy laws.
In the coming months, it should be made clear if any of the attorney generals' suggestions are incorporated into the final amended HIPAA regulation as it relates to reproductive healthcare.