Privacy, Identity, Supply chain

HIPAA change would ban use of reproductive health data for legal means

Share
A person holds a flag that reads "Pro Roe 1973" in front of the US Supreme Court.

As states and federal courts continue to limit abortion access, the Department of Health and Human Services is proposing a change to the Health Insurance Portability and Accountability Act to prohibit the use or disclosure of health data for legal means when tied to legal reproductive healthcare.

HHS Office for Civil Rights issued a Notice of Proposed Rulemaking on April 12 in an effort to protect patient privacy, as well as providers and supporting individuals, over growing concerns private medical records could be used to target those seeking or providing reproductive care.

The proposal stems from the Biden administration’s executive order 14076 directing HHS to find a way to strengthen protections for patient data tied to reproductive health care services and to strengthen patient-provider confidentiality. 

After the leaked Supreme Court documents showed the likely overturn of Roe v. Wade, privacy advocates and congressional Democrats raised concerns over potential healthcare privacy and security risks, in addition to loss of access to reproductive care.

Among the privacy concerns was the possible criminalization of abortion care. Given the prevalence of tracking tools and geolocation tracking, privacy advocates were concerned the data could be targeted by extremist prosecutors to identify those seeking abortions.

Indeed, a September report found nearly all abortion clinic webpages use third-party trackers and transfer user data. These trackers could lead to the exposure of individuals' digital identity, thus tying them to reproductive care services.

One example provided in a letter sent to Google by a group of congressional Democrats in May warned that “law enforcement officials routinely obtain court orders forcing Google to turn over its customers' location information. This includes dragnet ‘geofence’ orders demanding data about everyone who was near a particular location at a given time.” Google received 11,554 geofence warrants in 2020.

OCR Director Melanie Fontes Rainer warned that it’s no longer just a hypothetical issue. She’s met with doctors across the country who’ve “expressed fear, anger, and sadness that they or their patients may end up in jail for providing or obtaining evidence-based and medically appropriate care.”

After Roe v. Wade was officially overturned, states ramped up efforts to limit abortion access and further criminalize the healthcare service.

“This is a real problem we are hearing and seeing, and we developed today’s proposed rule to help address this gap and provide clarity to our health care providers and patients,” Rainer said in a statement. 

HIPAA rule change safeguards patient-provider relationships

HHS is proposing a ban on the use of protected health information for these purposes. The shift stems from calls to HHS by “patients, providers, and organizations representing thousands of individuals,” which confirmed that a change to HIPAA was needed to protect these individuals.

“Today’s proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care,” Rainer added.

Under the proposal, HIPAA would be extended to include privacy protections for providers, insurers, patients, and other individuals that would protect health data from use or disclosure when it could be used to identify, investigate, sue, or prosecute those seeking or providing lawful reproductive healthcare.

Reproductive care may include prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions, including ovarian cancer.

Until a final determination is made, HIPAA remains in its current state. That means “the existing privacy rule permits, but does not require, certain disclosures to law enforcement and others, subject to specific conditions.”

The announcement coincides with Biden’s Task Force on Reproductive Healthcare Access, which aims to protect access to reproductive healthcare.

“When the Supreme Court overturned Roe v. Wade, nearly half a century of precedent changed overnight,” said Secretary Xavier Becerra, in a statement. “President [Joe] Biden signed not one but two executive orders calling on HHS to take action to meet this moment, and we have wasted no time in doing so.”

An In-Depth Guide to Identity

Get essential knowledge and practical strategies to fortify your identity security.
Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.