The U.S. Supreme Court last year overturned Roe v. Wade, which raised extreme concerns around health outcomes, equity and data privacy.
On June 16, HIMSS issued recommendations to the Health and Human Services Office of Civil Rights to strengthen data privacy surrounding reproductive healthcare in response to the agency’s proposed rule.
The HHS Office for Civil Rights (OCR) proposed the HIPAA Privacy Rule To Support Reproductive Health Care Privacy, which aims to improve data privacy and protect patients around lawful reproductive healthcare. In its June 16 letter, HIMSS strongly supported the overall goals of this proposed rule, which “prohibits uses and disclosures of protected health information (PHI) for criminal, civil, or administrative investigations or proceedings against individuals” for seeking, obtaining, providing or facilitating reproductive healthcare that is lawful under the circumstances in which it was provided.
Once finalized, the rule will promote access to lawful, safe healthcare services, while ensuring patient information remains private within an interoperable health ecosystem. Consistent with our position on protection of all patient data, HIMSS believes it is critical to support the establishment of policies that ensure privacy, data protection, and secure information exchange and to eliminate the potential misuse of patient information. Advancing the state of information privacy across the health sector should be supported to protect the confidentiality, integrity, and availability of patient information and ensure the continued and effective delivery of safe, secure, and coordinated patient care.
HIMSS recommendations include:
- Expand the proposal to apply to all healthcare services, rather than limiting it to reproductive care. Healthcare information should not be used unfairly against the patient or individuals coordinating with the patient. Determining who has access and the reasons they have access to data should be the same, irrespective of the types of data.
- HIPAA should not be amended to prohibit or limit uses or disclosures of “highly sensitive protected health information (PHI)”. This is highly burdensome and sometimes operationally impossible to segregate the “highly sensitive PHI” from other PHI.
- Define “reproductive healthcare” in a consistent, broad manner and include specific examples. The definition should also include data associated with gender affirming care for transgender individuals.
- Provide substantial education around the proposal for covered entities, including the requirement for covered entities to obtain a signed attestation that the health information will not be used to investigate or punish patients seeking or obtaining reproductive health services.
- Clarify the actions that a covered entity or business associate may take within 30 days of discovering an erroneous disclosure of information relating to reproductive healthcare information so that the entity will be deemed to have corrected the violation.
- Provide transparency and education to the patient community around the rule to improve trust and increase the willingness to seek care.