A group of 30 senators are urging the Department of Health and Human Services to update the Health Insurance Portability and Accountability Act to take proactive measures to bolster patient privacy protections for reproductive health information under new state of abortion laws.
Led by Sen. Patty Murray, D-Wash., the senators ask HHS Secretary Xavier Becerra to initiate the rulemaking process for updating HIPAA to “broadly restrict entities from sharing individuals’ reproductive health information without explicit consent, particularly for law enforcement, civil, or criminal proceedings premised on the provision of abortion care.”
Sens. Michael Bennet, D-Colo., and Catherine Cortez Masto, D-Nev., previously asked HHS to modify the HIPAA rule in early July. Following the Supreme Court’s Dobbs decision, HHS took actions to clarify privacy protections and issued further HIPAA guidance to address concerns.
But widespread confusion remains within the healthcare space, particularly around when providers are required to “turn over” patient health information to state or local law enforcement. The senators have heard providers are uncertain about HIPAA requirements for these specific scenarios, whether it’s either permitted or even required by the privacy rule.
“In other cases, providers did not know that certain disclosures are actually impermissible,” the senators explained. There have also been clashes between providers and healthcare system administrators on whether certain information must be shared.”
Will misconceptions of HIPAA requirements worsen after Supreme Court ruling?
It appears as if many of the ongoing issues stem from misconceptions of HIPAA requirements, which the senators believe will only worsen as state lawmakers continue to enact a patchwork of state laws restricting abortion access and limiting some reproductive health services.
The senators cited the long list of concerns privacy stakeholders have raised amid the abortion debacle, such as pregnant women avoiding care out of concern their reproductive health data will be used against them: combined with the HIPAA misconceptions and concrete privacy risks, HHS should use its authority to protect the safety and privacy of women.
HIPAA has protected health information for more than 20 years and includes specific examples of when health information may or may not be shared without a patient’s consent. But as Kayte Spector-Bagdady recently told SC Media, there are limitations to these protections.
“There are almost no protections under HIPAA or any other data privacy regulation in the U.S. to protect against a state law enforcement, subpoenaing, or discovery requests or any other kind of law enforcement technique to gather information because there are huge exceptions in HIPAA for criminal law enforcement requests,” Spector-Bagdady, associate director at the University of Michigan Medical School's Center for Bioethics and Social Sciences in Medicine, previously explained.
HHS and stakeholders have long recognized stronger protections are needed for HIPAA. The agency is currently working toward modifying the rule to reflect interoperability and info blocking rules, but the senators stressed there is more to be done.
As HHS moves ahead with the rulemaking, Becerra’s team should work to improve awareness and bolster current enforcement of privacy protections outlined in HIPAA. For one, HHS should work to educate the broader healthcare community about HIPAA obligations, particularly around “the difference between permissible and required disclosures.”
The agency should also support providers with educating patients on their privacy rights, as well as how HIPAA works with state laws and the legal consequences that can be incurred for HIPAA violations.
HHS should engage the full range of healthcare personnel, from providers and senior executives to pharmacists and compliance leaders, providing additional guidance, listening sessions, specific examples, webinars, and other educational avenues.
The senators also believe HHS should expand these educational efforts to reach patients on their HIPAA rights, specifically around when their data is allowed to be shared without their consent and their right “to request additional restrictions or corrections, and how to file a complaint with HHS.”
“HHS should ensure cases involving reproductive health information receive timely, appropriate attention for compliance and enforcement activities,” the senators added. “It’s critical HHS take all available action to fully protect women’s privacy and their ability to safely and confidentially seek medical care.”