Everyone, including us, had to take a crash course in HIPAA’s privacy provisions after the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization, which reversed Roe v. Wade.
What we learned last year: HIPAA requires group health plans, business associates, hospitals, and healthcare providers to protect employees’ personal health information, unless courts or law-enforcement agencies subpoena HIPAA-protected medical records. Crucially, HIPAA doesn’t override state criminal laws and doesn’t protect non-health-care information retrieved from cell phones, like maps, texts, or call logs.
So what would these proposed regulations change? Let’s dive in and take a look.
More health data would be protected
Proposed regulations issued April 17 by the Department of Health and Human Services would extend the scope of HIPAA’s privacy protections specifically to women who travel to other states to receive reproductive healthcare services where those services are legal, and would apply to almost all judicial or administrative proceedings related to this care.
Under the regs, HIPAA-covered entities would be prohibited from disclosing PHI for these purposes:
- A criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where these health-care services are lawful in the state where they are provided.
- Identifying any person for the purpose of initiating investigations or proceedings.
In addition, the regs would apply HIPAA’s privacy protections when reproductive healthcare services are protected, required, or expressly authorized by federal law, regardless of the state where the healthcare services are provided. The regs provide the example of a woman who is experiencing a miscarriage and seeks emergency care.
To enforce these new privacy protections, parties requesting PHI would be required to provide HIPAA-covered entities with a signed attestation that the use or disclosure would not be for a prohibited purpose. Attestations would be required when the request for PHI is for any of the following reasons:
- Health oversight activities.
- Judicial and administrative proceedings.
- Law-enforcement purposes.
- Disclosures to coroners and medical examiners.
HIPAA-covered entities could still disclose PHI, provided the request to disclose isn’t made primarily for the purpose of investigating or imposing liability on any person for seeking, obtaining, providing, or facilitating reproductive health care.
HIPAA throws its protective cloak over any entity coming in contact with employees’ PHI. It does this by categorizing entities as business associates and trading partners, for example. The rules regarding what can and can’t be disclosed and to whom are complicated.
To help you untangle this web, the Centers for Medicare and Medicaid created a four-page overview, available as a PDF.