Abstract
On April 26, 2024, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a Final Rule titled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy.” 1 As per the attendant Federal Register, the Final Rule was to become effective on June 25, 2024. 1 In so doing, HHS was complying with President Biden’s Executive Order 14076, the sole focus of which was “Securing Access to Reproductive and Other Healthcare Services.” 2 The newly announced Final Rule bolsters the Health Insurance Portability and Accountability Act of 1996 (HIPAA; Public Law No: 104–191), which “provides penalties” for “wrongful disclosure of individually identifiable health information.” 1 Among its leading objectives, the Final Rule seeks to protect women who cross state lines in search of an abortion. 1 Data reported by the Guttmacher Institute suggest that nearly one in five abortion patients sought out-of-state care during the first 6 months of 2023, a two-fold increase when compared with the same period in 2020. 3 The Final Rule also protects those who provide or facilitate lawful reproductive health care who might otherwise be targeted by state prosecutors with criminal probes or lawsuits in mind. 1 The administration and enforcement of the newly issued Final Rule will be the designated responsibility of the OCR. 1 In a clear reference to Dobbs v. Jackson Women’s Health Organization, HHS Secretary Xavier Becerra made note of the reality that “with reproductive health under attack by some lawmakers, these protections are more important than ever.” 4 It is the objective of this Commentary to review the multiple facets of the reproductive privacy imperative and the projected oversight thereof.
Among its leading recommendations, the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” prohibits the use or disclosure of Personal Health Information (PHI) that is sought with an eye “to investigate or impose liability on the individual or the health care provider.” 1 In addition, the Final Rule requires “regulated entities” such as healthcare providers, health plans, or claims clearinghouses and their business associates to “obtain an attestation in certain circumstances from the person requesting the use or disclosure stating that the use or disclosure is not for a prohibited purpose.” 1 Failure to do so may give rise to civil penalties. 1 Note is also made of the fact that “the large number of covered entities that are subject to this final rule and the large number of individuals with health plan coverage” will require the modification of the Notice of Privacy Practices (NPP) with an eye towards supporting reproductive healthcare privacy. 1 All told, the Final Rule stands to enhance patient-provider confidentiality while advancing trust and communication between patients, their providers, and their health plans. Future legal challenges to the Final Rule, should such transpire, are likely to argue that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was not designed to address healthcare privacy.
Looking ahead, enforcement of the Final Rule may also be exercised by the Federal Trade Commission (FTC), inclusive of the monitoring of mobile health applications. 5 Empowered by the American Recovery and Reinvestment Act of 2009 (Public Law No: 111-5), the FTC is to be apprised “of a breach of security of identifiable health information in a personal health record.” 5 In compliance with the aforementioned law, the FTC issued the Health Breach Notification Rule (HBNR), the role of which is to require vendors of health records to notify consumers, the FTC, and prominent media outlets of data breaches that transpire in the absence of consumer authorization. 5 It is of note that the HBNR was “specifically designed to govern entities that are not covered by HIPAA and thereby ensure that they face accountability for health information breaches.” 5 Armed with the aforementioned tools, the FTC took enforcement action against GoodRx Holdings, Inc. (a telehealth and prescription drug discount provider) and Easy Healthcare Corporation (a fertility app vendor) in the course of 2023. 5
Not to be outdone, the United States Congress displayed a growing interest in the prospect of HIPAA modification. As early as 2022, the chairs of the House Committee on Oversight and Reform (Carolyn B. Maloney [Rep.-D-NY-12]) and of the House Subcommittee on Economic and Consumer Policy (Subramanian Raja Krishnamoorthi [Rep.-D-IL-8]) took to writing to five data broker companies and five personal health application companies regarding the collection and sale of personal reproductive health data. 6 The letter made note of the fact that improper data practices “pose serious threats” by “facilitating intrusive government surveillance, but also by putting people at risk of harassment, intimidation, and even violence.” 6 Not long thereafter, Senators Michael F. Bennet (D-CO) and Catherine Cortez Masto (D-NV) urged HHS to amend HIPAA’s Privacy Rule to better protect the data of individuals seeking reproductive health care. 7 By 2023, Senators Ron L. Wyden (D-OR) and Patty L. Murray (D-WA), along with Rep. Sara J. Jacobs (D-CA-51), led a bicameral effort to urge the Biden Administration to protect reproductive and all other health records against warrantless law enforcement access. 8 Note is also made of three bills that were introduced during the 118th Congress but have not been enacted. The SAFER Health Act of 2023, co-sponsored by Rep. Anna G. Eshoo (D-CA-16) and Sen. Mazie K. Hirono (D-HI), set out to prohibit “health care providers and insurance plans from disclosing in a legal proceeding an individual’s PHI related to an abortion or pregnancy without the individual’s valid authorization.” Similarly minded bills, the My Body, My Data Act of 2023, sponsored by Rep. Sara J. Jacobs (D-CA-51) and Sen. Mazie K. Hirono (D-HI), and the Reproductive Data Privacy and Protection Act, sponsored by Ted Lieu (D-CA-36), followed suit. More recently, on February 21, 2024, Sen. Bill M. Cassidy (R-LA), Ranking Member of the Senate Health, Education, Labor, and Pensions Committee, issued a policy report with an eye towards reforming the HIPAA framework and ensuring privacy protections for health data and information. 9
States have also been loci of action in this space. Following the example of the states of Maryland, Washington, Vermont, and Connecticut, California Governor Gavin C. Newsom signed Assembly Bills 254 and 352 into law on September 27, 2023. 10 Both bills amend the state’s privacy law governing medical information. 10 Sponsored by Assemblymember Rebecca Beth Bauer-Kahan (D-Orinda), Assembly Bill 254 (Confidentiality of Medical Information Act: reproductive or sexual health application information) protects reproductive and sexual health digital data that are included in personal health tracking applications. 10 Assembly Bill 352 (Health information), for its part, enhances privacy protections for electronic medical records related to abortion, gender-affirming care, pregnancy loss, and other sensitive services that are meant in large measure for those who are traveling to California to receive abortion and gender-affirming care. 10
The recent efforts to protect the privacy of reproductive health care data at the federal and state levels are meant to serve as a legal shield from otherwise unwarranted law enforcement action. Patients whose reproductive health care information was obtained unlawfully or used against them will henceforth be empowered to file a complaint with the Office for Civil Rights (OCR).
Footnotes
Author Disclosure Statement
Professors E.Y.A. and D.P.O’M. declare no conflict of interest. I.G.C. is a member of the ethics advisory board for Illumina and the Bayer Bioethics Council. He was also compensated for speaking at events organized by Philips with the Washington Post, attending the Transformational Therapeutics Leadership Forum organized by Galen Atlantica, and retained as an expert in health privacy and reproductive technology lawsuits.
Funding Information
No funding was received for this article.
