Some Associations Want Certain Privacy Protections Stretched Even Further
Major healthcare industry associations are urging federal regulators to finalize proposed changes to the HIPAA privacy rule that would bolster protections over reproductive healthcare data. In some cases, the groups are suggesting that regulators go even further in stretching privacy safeguards.
The Department of Health and Human Services’ Office for Civil Rights received about 65 comments during a 60-day public feedback period that ended Friday over a mid-April notice of proposed rule-making.
Biden administration modifications to the HIPAA privacy rule would prohibit the use or disclosure of protected health information to investigate or prosecute patients, providers and others involved in the delivery of lawful reproductive healthcare, including abortions (see: HHS Wants HIPAA Changes to Protect Reproductive Health Info).
The American Academy of Family Physicians in its comments said it “applauds” HHS for its rule-making effort to uphold privacy standards for reproductive healthcare. The AAFP went further, asking HHS OCR to extend the privacy changes to other “highly sensitive PHI,” such as gender-affirming care.
The group urged HHS to work with electronic health record vendors “to modernize the functionality of healthcare data management platforms to comply with this proposed rule without cost to the physician or their practice.”
Under the proposals, a HIPAA-regulated entity receiving a request for PHI potentially related to reproductive healthcare would be required to obtain a signed attestation that the use or disclosure of that information is not for a prohibited purpose. Prohibited purposes include criminal, civil or administrative investigations related to the patient, a healthcare provider or other individuals in connection with seeking, obtaining, providing or facilitating reproductive healthcare.
The proposed changes to the HIPAA privacy rule are part of the administration’s effort to use executive branch powers to strengthen access to reproductive healthcare following the Supreme Court’s June 2022 decision that struck down a constitutional right to abortion embodied by the five-decade-old precedent of Roe v. Wade.
Abortion is currently illegal in 14 U.S. states and restricted with varying degrees of strictness in a dozen other states. Some clinics and patients have migrated to states where abortion is legal, provoking concerns that law enforcement in states where it is outlawed would attempt to obtain medical records from those providers.
The Network for Public Health Law in its comments also supported HHS OCR’s proposed changes, but it suggested additional modifications pertaining to prohibited uses or disclosure of reproductive healthcare information involving health oversight agencies, such as offices of the inspector general and similar agencies.
“An investigation into potential fraud and abuse, for example, could potentially uncover activity unrelated to fraud or abuse that is nevertheless contrary to state law, such as laws relating to reproductive health,” the group wrote.
“We believe HHS should consider expressly stating that the definition of health oversight does not include investigations and prosecutions relating to reproductive health,” the group said. Such an amendment would help ensure that health oversight agencies “do not misuse their investigatory powers.”
At least one group commenting on HHS OCR’s proposed HIPAA privacy rule-making used the opportunity to also complain about some of the agency’s other recent policies.
The American Hospital Association, which said it supports HHS OCR’s proposed changes to protect reproductive health data, took issue with the agency’s December guidance warning of potential HIPAA violations involving covered entities’ use of online tracking technologies to collect and disclose certain patient identifiers, such as IP addresses (see: AHA Tells HHS to ‘Amend or Suspend’ Web Tracking Guidance).
“This guidance – ostensibly issued with the same worthy goal in mind as the proposed rule – is too broad and will result in significant adverse consequences for hospitals, patients and the public at large,” the AHA wrote.
“In particular, by treating a mere IP address as protected health information under HIPAA, the online tracking guidance will reduce public access to credible health information.”
HHS in its notice of proposed rule-making said that once its final rule is in effect, it expects to apply “the standard” 180-day compliance deadline.