
HHS Proposes HIPAA Changes to Protect
the purpose of initiating such an investigation or proceeding against an individual, a healthcare provider or other person in connection with obtaining or providing reproductive healthcare that is lawful under the circumstances in which it is provided.

Under the HIPAA Privacy Rule as it currently stands, the law permits but does not require certain disclosures to law enforcement and others, subject to specific conditions; these are referred to as “required by law” disclosures. In 2022, OCR published clarifying guidance on the HIPAA Privacy Rule’s requirements around sharing PHI with law enforcement. OCR explained that disclosures for non-healthcare purposes, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to healthcare.

Takeaways
The definition and scope of RHI encompass a wide range of healthcare providers and business associates and include over-the-counter medications. State laws that are contrary to the proposed regulations will be preempted by HIPAA.
The Proposed Rule would prohibit disclosure of RHI related to interstate reproductive healthcare services if the services are received in a state where it is lawful to receive such care.
If the reproductive health services sought or obtained are illegal under the law of the state in which the services are provided, there is no protection against disclosure, except in situations where there are federal requirements to provide services (i.e., under the Emergency Medical Treatment and Active Labor Act (EMTALA) or services provided by the U.S. Department of Veterans Affairs). Assuming law enforcement subpoenas or requests for information are otherwise permissible, disclosures of this information would also be permitted. This means that PHI could potentially be disclosed for patients receiving reproductive healthcare in states where the procedure is illegal when the procedure is performed in that state.

If a request is received for PHI that is potentially related to reproductive healthcare, the covered entity or business associate will be required to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. Obtaining and verifying the information contained in an attestation will likely be an administrative burden on healthcare providers. Furthermore, if a healthcare provider becomes aware of an attestation that has been falsified or misrepresented, the healthcare provider may be required to report it as a data breach to the individual and OCR.



The Proposed Rules apply only to HIPAA-covered entities and business associates and do not apply to healthcare apps or products that fall outside of the scope of HIPAA; therefore, direct-to-consumer female technology (FemTech) apps or products may not have the same restrictions with respect to sharing information for law enforcement purposes.


Direct-to-consumer health apps and products not offered on behalf of a covered entity are subject to oversight by the Federal Trade Commission (FTC). The FTC has also recognized that information related to personal reproductive matters is “particularly sensitive.” The FTC has published its own guidance indicating that it will pursue enforcement against any unauthorized disclosure made in violation of federal or state law or contrary to the statements made in public privacy notices.
