View Rule

This final rule will modify the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will modify existing standards permitting uses and disclosures of protected health information (PHI) by limiting uses and disclosures of PHI for certain purposes.

Statement of Need:

HIPAA and the HIPAA Rules promote access to health care by establishing standards for the privacy of PHI to protect the confidentiality of individuals’ health information. These protections promote the development and maintenance of confidence and trust between individuals and covered entities, and help to improve the completeness and accuracy of individual medical records. The Privacy Rule, as it has been amended over time, carefully balances the interests of individuals and society in identifiable health information by establishing when and how such information may be used and disclosed, with and without the individual’s permission. The Department has received communications from members of Congress and the public and reviewed media reports indicating concerns and confusion regarding the role of the Privacy Rule in protecting the privacy of individual’s health information, given the evolution of state law in the area of reproductive health care.

Summary of the Legal Basis:

The current HIPAA Privacy Rule has not been updated to reflect the evolution in state law that undermines the privacy of individuals’ protected health information, particularly for use in investigations into or legal proceedings against persons in connection with reproductive health care. The final rule is consistent with Executive Order 14076, which directed the Secretary of Health and Human Services to consider actions to strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.

Alternatives:

HHS considered whether these policy changes could be implemented through guidance. However, the Department determined that this would be insufficient to address the concerns that have arisen in the wake of the recent evolution in state law pertaining to reproductive health care that has jeopardize the privacy of individuals’ protected health information and affected individuals’ relationship with their health care providers and the U.S. health care system. Revisions to the existing HIPAA Privacy Rule are necessary to reestablish that trust and to ensure the privacy of individuals’ protected health information.

Anticipated Costs and Benefits:

HHS estimates that the effects of the requirements for regulated entities would result in new costs of $611,831,396 within 12 months of implementing the final rule, followed by approximately $67,831,396 of recurring annual costs in years two through five. The Department anticipates that this rulemaking will result in significant benefits that are difficult to quantify because the area of health care the proposed rule addresses is among the most sensitive for patients and providers if privacy is violated. Additionally, the value of privacy, which cannot be recovered once lost, and trust that privacy will be protected by others, is difficult to quantify fully. The rule would prevent or reduce numerous harms, resulting in non-quantifiable benefits to patient and providers.

Risks:

To be determined.