June 16, 2023
Melanie Fontes Rainer
Director, Office for Civil Rights
Department of Health and Human Services
200 Independence Ave SW
Washington, D.C. 20201
Re: Health Insurance Portability and Accountability Act Privacy Rule to Support Reproductive Health Care Privacy (RIN 0945-AA20)
Dear Director Fontes Rainer:
On behalf of the Connecting for Better Health coalition, we write in response to the Office for Civil Rights’ (OCR) proposed rule “Health Insurance Portability and Accountability Act Privacy Rule to Support Reproductive Health Care Privacy,” published on April 17, 2023. We are generally supportive of the proposed rule and welcome the opportunity to provide comment and recommendations.
Connecting for Better Health is a coalition representing diverse health care organizations and leaders, including consumers, providers, and health plans, that supports the advancement of health data exchange policy in California. Our vision is that every Californian and their care team have the information and insights they need to make health care seamless, high quality, and affordable. Central to that work is ensuring the appropriate safeguards are in place to engender patient and provider trust in our health system, and that their information is used to benefit their care.
We respectfully provide the following comments to OCR:
The proposed rule provides reasonable protections for reproductive health care information.
OCR notes in the proposed rule that the holding in Dobbs v. Jackson Women’s Health Center eroded trust in the health system, such that many people no longer feel that their information is protected. This claim is substantiated by reports that some entities are attempting to reach beyond state borders to investigate reproductive health care information sought in other states to bring criminal or civil penalties against individuals related to obtaining such care in a state where such services are legal.
OCR’s purpose-based approach strikes the appropriate balance between ensuring critical information is shared to support patient care and ensuring that such information is not used to criminalize patients seeking reproductive health care.
In the proposed rule, OCR proposes prohibiting uses and disclosures for criminal, civil or administrative investigations or proceedings in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care or other highly sensitive care, or identifying a person for the purpose of initiating such an investigation or proceeding, even with a valid authorization from the patient. This purpose-driven approach balances the need to prohibit these disclosures and uses that pose harm to patients, while still allowing for uses and disclosures for other purposes, such as other treatment, payment and operations use cases where sharing these data can continue to support patient care management, reimbursement for reproductive services rendered, and for other activities like quality improvement. Removing the ability for Covered Entities and Business Associates to use and disclose such information with a valid written authorization also removes any potential for coercive actions to be taken against patients where law enforcement or other entities seek patient authorization to obtain health information that can be used against a provider or patient in a legal proceeding. Furthermore, utilizing a purpose-based approach versus an intent-based approach provides more clarity to Covered Entities and Business Associates for compliance purposes by providing a blanket prohibition that does not require that the holder of such information determine whether the requester actually intends to, for example, bring charges against an individual.
OCR should provide guidance in the final rule, and in subsequent sub-regulatory guidance related to regulatory definitions and permitted responses to requests for disclosures.
OCR has included proposals to define terms such as “reproductive health care” and to require that requesters provide attestation that their information request is for a lawful purpose. OCR should provide further definition to “reproductive health care.” Without a definition, the regulations leave too much room for dispute and vulnerability to a provider if law enforcement or another agency from another state interprets the term differently. For example, OCR could look to California’s definition of “reproductive and sexual health care services” as defined in California Health and Safety Code section 1367.31.
OCR should also provide examples both in the final rule and in sub-regulatory guidance illustrating instances where services and supplies fit under the definition of “reproductive health care” and instances where use or disclosure of such information would be permissible under the rule. OCR should provide a standard template for stakeholders that can be included in requests for reproductive health information to provide stakeholders assurances that the language used in their attestations complies with the law. Lastly, OCR should conduct trainings for Covered Entities and Business Associates to understand the rule and implications for their organizations. These additional activities will assist OCR in ensuring that entities continue to share information for lawful purposes that can benefit the patient and their care teams while still complying with HIPAA.
OCR should work with ONC to develop a model for an appropriate approach to data segmentation for reproductive health care.
In its recently published proposed rule, “Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing,” the Office of the National Coordinator for Health Information Technology (ONC) reminds stakeholders that in the 2015 Edition Final Rule, ONC incorporated by reference the HL7 Data Segmentation for Privacy (DS4P) Implementation Guide and proposes to adapt this standard in recognition of “patient requested restrictions.” Given the proposal in this rule, and emerging state legislation such as California’s proposed Assembly Bill 352 (Bauer-Kahan) that looks to add additional restrictions on certain uses and disclosures of reproductive health care and other sensitive services information, OCR should work with ONC to further develop the vocabulary necessary to appropriately identify and flag reproductive health care information in certified EHR technology to ensure that such information is flagged as such consistently across actors and systems, and that such vocabulary mirrors OCR guidance. For instance, based on the final rule, OCR could provide ONC with an enumerated list of services and supplies that would constitute reproductive health care, such that ONC could then work with stakeholders to identify the data in patient health records that should be flagged as requiring compliance with this final rule. This consistency in technical approaches to implement this rule may engender trust in patients and providers, knowing that certified technology vendors’ products can adequately support providers and other organizations in complying with this rule, and in protecting these data.
We appreciate the opportunity to submit these comments. If you have any questions, please contact Robby Franceschini, Director of Policy at BluePath Health, at firstname.lastname@example.org.
Director, Connecting for Better Health
Founder and President, BluePath Health