HIPAA reproductive rights shield: Your info, your choice

In late April, the Office of Civil Rights (OCR) issued a final rule designed to strengthen protections around the personal health information (PHI) of people seeking lawful reproductive healthcare in a national environment where access to these services is under attack.

The new rule strengthens the Health Insurance Portability Act of 1996 (HIPAA) Privacy Rule by explicitly prohibiting the disclosure of PHI related to reproductive health issues to further enhance patient confidentiality and prevent medical data from being used against people who seek certain services.

“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home. Patients and providers are scared, and it impedes their ability to get and to provide accurate information and access safe and legal health care,” said OCR Director Melanie Fontes Rainer.

“[This] rule prohibits the use of protected health information for seeking or providing lawful reproductive health care and helps maintain and improve patient-provider trust that will lead to improved health outcomes and protect patient privacy.”

Specifically, the rule prohibits the use or disclosure of PHI when it’s being sought as part of an investigation or to impose liability on patients, providers, or others who seek or provide lawful reproductive healthcare, and requires providers, plans, clearinghouses, or other business associates (BAs) to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes. HIPAA-covered entities must also modify their Notice of Privacy Practices to support reproductive health care privacy.

Getting explicit about these protections is a sadly necessary step for people engaging in reproductive care. However, these additional provisions might add to the confusion around information blocking for healthcare providers and health plans, notes the Office of the National Coordinator (ONC).

In a recent post on the HealthITBuzz blog, National Coordinator Micky Tripathi offers four important reminders about how HIPAA privacy protections and information blocking regulations can coexist, starting with a strong statement that complying with this new federal rule will not result in a determination of information blocking under ONC’s regulations.

“The information blocking regulations are designed to consider applicable law, including HIPAA rules”

All of the ONC’s moves on information blocking are carefully calculated to take the complexity of HIPAA and other privacy rules into account, Tripathi reiterated.

The ONC is fully aware that its definition of information blocking (IB) actors overlaps significantly with the HIPAA-covered community, and that these stakeholders are responsible for compliance with a number of different federal, state, or tribal laws.

Healthcare providers, plans, clearinghouses, and other entities can be confident that the ONC has done its best to consider these overlapping relationships when defining information blocking parameters.

“When sharing electronic health information (EHI) would violate another law that applies to an IB actor, it is not information blocking when the IB actor follows that law and does not share the EHI.”

The second reminder is that federal and state law, including statutes, regulations, court orders, and binding administrative decisions or settlements, and tribal laws, always come first. IB actors are required to comply with these laws and will not be held liable for information blocking when doing so.

This includes compliance with a prohibition on using or disclosing EHI for a particular purpose, the ONC says, such as the prohibitions newly put in place by the HIPAA reproductive care final rule.

“On (and after) June 25, 2024, a HIPAA covered entity’s or business associate’s practice of refusing to make any prohibited use or disclosure of PHI will be excluded from the information blocking definition, because that practice will be required by law,” the ONC explains. “Therefore, the practice will not need to be covered by any information blocking exception because it is not considered information blocking to begin with.”

In other words, covered entities can feel confident in their ability to adhere to the new HIPAA reproductive health privacy requirements without running afoul of the ONC’s information blocking rules.

“When a law that applies to an IB actor permits the IB actor to share EHI only if specific requirements are met first, then information blocking regulations allow for the IB actor to take reasonable and necessary steps to ensure it shares EHI only when those requirements are met”

In situations where a specific use of EHI is not expressly prohibited, privacy rules are usually framed in terms of “preconditions” that need to be satisfied in order for the transaction to be permissible.

If those preconditions are satisfied, but the entity does not release the information as required, they could be accused of information blocking. However, when the preconditions are not met, entities may have the right to withhold the information.

The new HIPAA rule requires regulated entities to obtain a signed attestation when someone requests PHI related to reproductive healthcare stating that the information will not be used for certain prohibited purposes. This counts as a precondition for EHI release, the ONC says.

Entities that are unable to secure this signed attestation after a good faith effort will not be held liable for information blocking when they do not release the EHI, Tripathi says.

“When laws that limit EHI sharing to protect patient privacy change, the information blocking regulations are built to automatically accommodate IB actors’ needs to comply with applicable laws’ updated requirements”

The information privacy landscape is constantly changing as new scenarios arise, and the ONC is committed to being as responsive as possible to this fact, Tripathi concluded.

“Federal, state, and tribal laws restricting health information sharing to protect individuals’ privacy are likely to continue to evolve in step with the technology and policy landscapes,” he wrote. “The information blocking regulations are built to accommodate that evolution without requiring the information blocking regulations to be updated every time any privacy law is updated.”

Thus far, the ONC has been very proactive with providing detailed interpretations of existing regulations to clarify thorny information blocking situations, and the agency is likely to continue engaging with industry to make sure that healthcare providers, health plans, and other partners can appropriately exchange information in an increasingly complex environment.

Staying abreast of the latest developments in data privacy and security will be essential to help avoid confusion around the interplay between HIPAA, ONC regulations, and other applicable rules and laws governing the movement of electronic health information across the healthcare ecosystem.

Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.