Listen
to
this
post
On
April
12,
2023,
the
U.S.
Department
of
Health
and
Human
Services
(“HHS”)
issued
a
Notice
of
Proposed
Rulemaking
(“NPRM”)
to
modify
protections
under
the
Health
Insurance
Portability
and
Accountability
Act
of
1996
(“HIPAA”)
to
strengthen
reproductive
health
care
privacy.
The
NPRM
comes
after
President
Biden
in
a
July
2022
executive
order
directed
HHS
to
consider
taking
actions,
including
under
HIPAA,
to
better
protect
reproductive
health
care
information
in
the
wake
of
the
Supreme
Court’s
decision
in
Dobbs
v.
Jackson
Women’s
Health
Organization.
The
NPRM
proposes
to
modify
the
HIPAA
Privacy
Rule
by
prohibiting
covered
entities
and
their
business
associates
from
using
or
disclosing
protected
health
information
(“PHI”)
where
the
PHI
would
be
used
for:
-
a
criminal,
civil
or
administrative
investigation
into
or
proceeding
against
any
“person”
(i.e.,
under
HIPAA,
a
covered
entity,
business
associate,
the
individual
data
subject,
or
any
other
person
or
entity)
in
connection
with
seeking,
obtaining,
providing
or
facilitating
lawful
reproductive
health
care;
or -
identifying
any
person
for
the
purpose
of
initiating
such
an
investigation
or
proceeding.
The
NPRM
would
continue
to
allow
the
use
or
disclosure
of
PHI
for
purposes
otherwise
permitted
under
HIPAA
where
the
request
for
PHI
“is
not
made
primarily
for
the
purpose
of
investigating
or
imposing
liability
on
any
person
for
the
mere
act
of
seeking,
obtaining,
providing
or
facilitating
reproductive
health
care
that
is
lawful
under
the
circumstances
in
which
it
is
provided.”
To
implement
the
prohibition,
the
NPRM
would
require
a
regulated
entity,
when
it
receives
a
request
for
PHI
potentially
related
to
reproductive
health
care,
to
obtain
a
signed
attestation
that
the
use
or
disclosure
is
not
for
a
prohibited
purpose.
Public
comments
on
the
NPRM
will
be
due
60
days
after
publication
of
the
NPRM
in
the
Federal
Register,
which
occurred
on
April
17,
2023.