0945-AA20 202310 The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions 0945 Office for Civil Rights OCR 0900 Department of Health and Human Services HHS Proposed Modifications to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy

This final rule will modify the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will modify existing standards permitting uses and disclosures of protected health information (PHI) by limiting uses and disclosures of PHI for certain purposes.

]]> Section 3(f)(1) Significant Previously Published in The Unified Agenda Final Rule Stage Yes No 45 CFR 160 45 CFR 164 Health Insurance Portability and Accountability Act (PL 104-191) Executive Order 14076, Protecting Access to Reproductive Healthcare Services Yes

HIPAA and the HIPAA Rules promote access to health care by establishing standards for the privacy of PHI to protect the confidentiality of individuals’ health information. These protections promote the development and maintenance of confidence and trust between individuals and covered entities, and help to improve the completeness and accuracy of individual medical records. The Privacy Rule, as it has been amended over time, carefully balances the interests of individuals and society in identifiable health information by establishing when and how such information may be used and disclosed, with and without the individual’s permission. The Department has received communications from members of Congress and the public and reviewed media reports indicating concerns and confusion regarding the role of the Privacy Rule in protecting the privacy of individual’s health information, given the evolution of state law in the area of reproductive health care.

]]>

The current HIPAA Privacy Rule has not been updated to reflect the evolution in state law that undermines the privacy of individuals’ protected health information, particularly for use in investigations into or legal proceedings against persons in connection with reproductive health care. The final rule is consistent with Executive Order 14076, which directed the Secretary of Health and Human Services to consider actions to strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.

]]>

HHS considered whether these policy changes could be implemented through guidance. However, the Department determined that this would be insufficient to address the concerns that have arisen in the wake of the recent evolution in state law pertaining to reproductive health care that has jeopardize the privacy of individuals’ protected health information and affected individuals’ relationship with their health care providers and the U.S. health care system. Revisions to the existing HIPAA Privacy Rule are necessary to reestablish that trust and to ensure the privacy of individuals’ protected health information.

]]>

HHS estimates that the effects of the requirements for regulated entities would result in new costs of $611,831,396 within 12 months of implementing the final rule, followed by approximately $67,831,396 of recurring annual costs in years two through five. The Department anticipates that this rulemaking will result in significant benefits that are difficult to quantify because the area of health care the proposed rule addresses is among the most sensitive for patients and providers if privacy is violated. Additionally, the value of privacy, which cannot be recovered once lost, and trust that privacy will be protected by others, is difficult to quantify fully. The rule would prevent or reduce numerous harms, resulting in non-quantifiable benefits to patient and providers.

]]>

To be determined.

]]> NPRM 04/17/2023 88 FR 23506 NPRM Comment Period End 06/16/2023 Final Action 03/00/2024 Undetermined Businesses Governmental Jurisdictions Organizations Federal Local State Tribal Yes No No No Marissa Gordon-Nguyen Senior Advisor for Health Information Privacy, Data, and Cybersecurity Policy 0945 Office for Civil Rights OCR 800 368-1019 800 537-7697 ocrprivacy@hhs.gov 200 Independence Avenue SW, Washington DC 20201