Proposed HIPAA Rule Would Restrict Law Enforcement Access to Abortion, Reproductive Health Data Across State Lines

New proposed regulations surrounding reproductive health care data could strengthen privacy protections for patients as the nation’s legal landscape threatens patient privacy for select reproductive treatments, specifically abortions. 

The U.S. Department of Health and Human Services is set to publish a proposed rule on April 17 that would update patient privacy provisions in the federal Health Insurance Portability and Accountability Act, commonly known as HIPAA.

Citing recent legal developments in the judicial system as well as differing state laws, HHS said that it may need to fortify existing health care privacy laws to ensure patients have safe, confidential access to legal healthcare treatments.

“Based on information the department has received in recent months, we believe it may be necessary to modify the privacy rule to avoid the circumstance where an existing provision of the privacy rule is used to request the use or disclosure of an individual’s PHI [protected health information] as a pretext for obtaining PHI related to reproductive health care for a non-health care purpose where such use or disclosure would be detrimental to any person,” the rule reads. 

Previous regulations within HIPAA’s privacy rule worked to balance a patient’s PHI confidentiality while allowing certain disclosures on the basis of legal needs. The modifications suggested in this recently proposed rule amend the privacy law to strengthen protection surrounding the usage of PHI in criminal and civil investigations on the basis of seeking or providing abortion access.

“Based on the longstanding purposes of HIPAA, there is a compelling need to provide additional protections to this especially sensitive category of information,” the rule says. “The Department believes it is necessary to provide heightened protections for … PHI sought for the purposes of conducting a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.”

This major step in codifying protections for reproductive data privacy follows the landmark Supreme Court case Dobbs vs. Jackson, which ruled in 2022 that there is no right derived from the U.S. Constitution to guarantee an abortion, subsequently overturning the longstanding abortion access case Roe v. Wade.

Concern then mounted over data privacy for people seeking any type of reproductive health care, ranging from abortion to contraception. The question of whether or not law enforcement agencies in states with limited access to legal abortions could utilize PHI and other data—such as GPS and search histories—was also raised in the aftermath of the Supreme Court’s ruling.

In response, President Biden signed an executive order strengthening reproductive data privacy, and tech companies like Google began safeguarding and deleting user location history to prevent law enforcement from abusing private user information.  

HHS leadership hinted at strengthening protections surrounding PHI privacy in mid to late 2022, following the Court’s ruling. HHS Secretary Xavier Bercerras condemned the Supreme Court’s ruling, with the agency’s Office of Civil Rights Director Melanie Fontes Rainer telling Nextgov that “all options are on the table” to protect patient rights and confidentiality.

“Those developments have made information related to reproductive health care, which has long been considered highly sensitive, more likely to be of interest for punitive non-health care purposes, and thus more likely to be disclosed if sought for a purpose permitted under the privacy rule today,” HHS said in the rule.

The new proposed rule limits access to reproductive PHI for criminal and civil proceedings specifically if the investigation is being conducted outside of the state the procedure occurred in; that is, states that do not allow abortions are not able to investigate a resident’s health care that occurred in a separate state where the procedure is legal. 

In a corresponding press release, Fontes Rainer clarified that the proposed rule change also works to help health care providers continue giving care.

“I have met with doctors across the country who have shared their stories,” said Fontes Rainer. “These providers have expressed fear, anger, and sadness that they or their patients may end up in jail for providing or obtaining evidence-based and medically appropriate care. Today’s proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care.”