HHS Proposes Measures to Bolster Patient-Provider Confidentiality Around Reproductive Health Care

The Department’s Office for Civil Rights seeks to strengthen HIPAA privacy rule 

Today, the U.S. Department of Health & Human Services (HHS), through its Office for Civil Rights, issued a Notice of Proposed Rulemaking (NPRM) to strengthen Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protections by prohibiting the use or disclosure of protected health information (PHI) to investigate, or prosecute patients, providers, and others involved in the provision of legal reproductive health care, including abortion care. HHS has heard from patients, providers, and organizations representing thousands of individuals that this change is needed to protect patient-provider confidentiality and prevent private medical records from being used against people for merely seeking, obtaining, providing, or facilitating lawful reproductive health care.

Since the Supreme Court decision overturning Roe v. Wade, protecting patient health information and privacy has taken on critical importance. Following the decision, President Biden signed Executive Order 14076, directing HHS to consider ways to strengthen the protection of sensitive information related to reproductive health care services and bolster patient-provider confidentiality. Today’s announcement is consistent with that Executive Order and coincides with the third convening of President Biden’s Task Force on Reproductive Healthcare Access – a task force aimed at protecting women’s access to reproductive health care.

“When the Supreme Court overturned Roe v. Wade, nearly half a century of precedent changed overnight,” said Secretary Xavier Becerra. “The Biden-Harris Administration is committed to protecting women’s lawful access to reproductive health care, including abortion care. President Biden signed not one but two executive orders calling on HHS to take action to meet this moment and we have wasted no time in doing so. Today’s action is yet another important step HHS is taking to protect patients accessing critical care.”

“I have met with doctors across the country who have shared their stories,” said OCR Director Melanie Fontes Rainer. “These providers have expressed fear, anger, and sadness that they or their patients may end up in jail for providing or obtaining evidence-based and medically appropriate care. Trust is critical in the patient-doctor relationship and medical mistrust can damage and chill patients’ relationship with their providers, imperiling patient health. Today’s proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care.  This is a real problem we are hearing and seeing, and we developed today’s proposed rule to help address this gap and provide clarity to our health care providers and patients.”

OCR, which administers and enforces the Privacy Rule, sets requirements for the use, disclosure, and protection of PHI by health care providers, health insurance companies and other entities that are regulated by HIPAA (collectively, “HIPPA regulated entities”). The HIPAA Privacy Rule supports access to health care by giving individuals confidence that their PHI, including information relating to reproductive health care, will be kept private.

Today’s NPRM proposes to extend additional privacy protections for providers, insurers, patients and others to safeguard PHI when that information otherwise would be disclosed or used to identify, investigate, sue, or prosecute someone for seeking, obtaining, providing, or facilitating lawful reproductive health care. Reproductive health care would be defined to include, but not be limited to, prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions such as ovarian cancer.

While the Department is undertaking this rulemaking, the current Privacy Rule remains in effect. As explained in OCR guidance, the existing Privacy Rule permits, but does not require, certain disclosures to law enforcement and others, subject to specific conditions.

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.

The NPRM can be viewed at the Federal Register at: https://www.federalregister.gov/public-inspection/current.

A fact sheet on the NPRM is available in English at: https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-reproductive-health-fact-sheet/index.html.