Privacy & Cybersecurity Law Blog

On April 12, 2023, the U.S. Department of Health and Human Services (“HHS”) issued a Notice of Proposed Rulemaking (“NPRM”) to modify protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to strengthen reproductive health care privacy.

The NPRM comes after President Biden in a July 2022 executive order directed HHS to consider taking actions, including under HIPAA, to better protect reproductive health care information in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.

The NPRM proposes to modify the HIPAA Privacy Rule by prohibiting covered entities and their business associates from using or disclosing protected health information (“PHI”) where the PHI would be used for:

• a criminal, civil or administrative investigation into or proceeding against any “person” (i.e., under HIPAA, a covered entity, business associate, the individual data subject, or any other person or entity) in connection with seeking, obtaining, providing or facilitating lawful reproductive health care; or
• identifying any person for the purpose of initiating such an investigation or proceeding.

The NPRM would continue to allow the use or disclosure of PHI for purposes otherwise permitted under HIPAA where the request for PHI “is not made primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care that is lawful under the circumstances in which it is provided.”

To implement the prohibition, the NPRM would require a regulated entity, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose.

Public comments on the NPRM will be due 60 days after publication of the NPRM in the Federal Register, which occurred on April 17, 2023.