DMC Law’s Comments on Proposed HIPAA Changes to Protect Reproductive Health Information

VIA Electronic Submission at www.regulations.gov

RE:  HIPAA Privacy Rule to Support Reproductive Health Care Privacy, NPRM, RIN 0945-AA20

Dear Department of Health and Human Services,

Thank you for the opportunity to submit comments on the Notice of Proposed Rule Making regarding proposed modifications to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (NPRM).  I am a privacy and healthcare attorney.  Most of my clients are healthcare providers including Federally Qualified Health Centers and private medical and behavioral health practices that range in size from solo practitioners to organizations that serve thousands of patients.

After the Department of Health and Human Services (the Department) issued its NPRM in April 2023, I reached out to clients to collect feedback on the proposed changes.  The comments below reflect my clients’ feedback as well as my own.

Introductory Comments

As a healthcare and privacy lawyer, I spend a lot of time reading proposed and final rules and often I write blog posts to keep my clients informed.  In my blog post regarding this NPRM, I wrote the following:

OCR’s Notice of Proposed Rule Making (NPRM) is one of the best-written, well-reasoned and thoughtfully considered proposed rules I have ever read.  The agency considered all relevant issues, including operational burdens on healthcare providers, who have been left to shoulder the burden of protecting patients’ information after Dobbs.  It also considered the true efficacy of the proposal as well as potential legal challenges.  OCR laid out the reasons for its approach and the reasons it rejected other approaches.  The NPRM is thorough and clear.

Rarely do my blog posts contain praise, but here it was warranted. I am truly grateful for the extraordinary effort that went into this NPRM.

Except as noted below, I support the proposals in the NPRM.  There is no perfect solution to this challenging issue of protecting reproductive health information, but I believe that the Department’s proposed approach makes a lot of sense.

 IV.B.4(j) and (l) Uses and Disclosures of PHI: General Rules

The Department proposes to prohibit the use and disclosure of an individual’s PHI for the purposes described in section IV.B.2 with a valid authorization.  While I appreciate (and share) the Department’s concern about coercion, I question the efficacy of the proposed prohibition, the additional operational burden and conflict with state law.

First, in the NPRM, the Department emphasizes that a patient retains their right to access their record at any time and that the NPRM has no effect on that right.  Part of that right includes the right to direct the healthcare provider to send records to a third party under the right of access rules.  The issue of coercion is no greater with an authorization than with a directed request under the right of access.

Second, for many healthcare providers, medical records department personnel act on an authorization based on the validity of the document.  It would be virtually impossible for medical records personnel to know with certainty whether the requested records are for a prohibited purpose.  Most authorizations say something as limited as “for a legal proceeding” or “for an investigation.”  To carry out the authorization rule as proposed, medical records clerks would need to play detective to investigate the purpose behind the authorization, which is unrealistic.

Finally, not allowing a patient to consent to the release through an authorization could conflict with recently passed state laws.  For example, Connecticut passed the Reproductive Freedom Act last year, which offers similar purpose-driven protections of reproductive health information unless the patient provides express written consent.  See Connecticut’s Reproductive Freedom Act, PA 22-19, sec. 2(a).

In response to the Department’s request for comments:

(j) Yes, I believe that the Department should permit the use of an authorization.

(j)(i) When the authorization is for disclosure to law enforcement or indicates use in any type of investigation or legal proceeding, then the party providing the authorization would need to provide a compliant attestation.  See my comments regarding the attestation provision.

(j)(ii) Similar to above, where an individual directs a healthcare provider to transmit records to a third party under the right of access rules, healthcare providers should have the discretion to rely on the individual’s request regarding their own records or require an attestation from the receiving party if the healthcare provider has concerns that the disclosure is for an improper purpose.

(l) It would be challenging for many healthcare providers, especially smaller practitioners with less sophisticated electronic health record (EHR) systems, to differentiate between PHI and highly sensitive data.  For example, under the current rules, many providers struggle to separately maintain psychotherapy notes due to lack of functionality in some EHRs.

IV.C.3(u) Uses and Disclosures for Which an Attestation Is Required

A model attestation would be incredibly useful for regulated entities.  In fact, it would be immensely helpful if the Department could create a universal attestation form and cover sheet explaining the attestation requirement.  Healthcare providers could decide whether to create their own attestation form or use the Department’s universal form.

Healthcare providers often struggle with attorneys and others unfamiliar with HIPAA.  Many question the provider’s understanding of the HIPAA rules and demand action that is contrary to the regulations.  A Department-approved form with a short explanation of the legal basis for the required attestation would greatly reduce the burden on healthcare providers and staff.  Further, it would facilitate and streamline compliance.

Other Comments

The NPRM does not address health information exchanges (HIEs).  HIEs serve a critically important role in coordination and continuity of care.  On the flip side, HIEs make it more difficult to safeguard sensitive information like reproductive health information.  There are many HIEs that share information across state lines, which makes it much easier to access information in a manner that garners little attention.

I wish I had a solution to offer, but at this point, I can offer only my concern.  I encourage the Department to work with the Office of the National Coordinator for Health Information Technology, as it often does, to find a balance between the ease of access to information and the protection of data like reproductive health information.

Again, I thank the Department for its work on the NPRM and the opportunity to submit comments.  Please feel free to contact me with any questions.