Reproductive Privacy Rule Brings New Responsibilities for HI Professionals

Health information (HI) professionals will be working on several fronts to comply with a new federal rule that affords patients and healthcare providers additional protection from investigations related to reproductive healthcare services.

Responding to the Dobbs v. Jackson decision that eliminated a woman’s federal right to an abortion, the Biden-Harris Administration, through the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS), issued a final rule in April to shield health information potentially related to reproductive healthcare contained in medical records from law enforcement seeking to use it against a patient or provider.

“The provider-patient trust relationship is crucial for patients to receive the best care possible. When patients aren’t able to trust their provider with the most sensitive health details, it ultimately damages that relationship,” said Andrew Tomlinson, senior director of regulatory and international affairs for AHIMA.

AHIMA members play a key role in protecting a patient's sensitive data, Tomlinson continued. “This new OCR rule is going to change how they protect that data and the internal processes related to consent and release.”

Specifically, health information technology (IT) professionals will be tasked with developing new procedures to require attestations, or proof, for certain requests, says Adam Greene, a partner with Davis Wright Tremaine LLP in Washington, DC. This includes requests for law enforcement purposes, health oversight activities, judicial and administrative proceedings, and from coroners and medical examiners.

Regulated entities will need to create additional training of HI and other staff and some modest costs to comply with the rule, which broadens the definition of reproductive care.

Broad Definitions Present New Challenges

The rule strengthens the Health Insurance Portability and Accountability Act of 1996 (HIPAA), protecting the privacy of individuals in states where such reproductive healthcare services are legal.

According to the recently released rule, “reproductive healthcare services” may include:

• Contraception, including emergency contraception; preconception screening, and counseling;
• Management of pregnancy and pregnancy-related conditions such as pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination;
• Fertility and infertility diagnosis and treatment, including assisted reproductive technology and in vitro fertilization;
• Diagnosis and treatment of conditions that affect the reproductive system such as perimenopause, menopause, endometriosis and adenomyosis; and
• Care, services and supplies used for diagnosing and treating conditions related to the reproductive system such as mammography, pregnancy-related nutrition services, and postpartum care products.

The rule also shields providers in states where abortion is restricted when a patient seeks such services out of state.

“This Final Rule will bolster patient-provider confidentiality and help promote trust and open communication between individuals and their healthcare providers or health plans, which is essential for high-quality healthcare,” OCR said in a statement provided to the Journal of AHIMA.

HI professionals will have an important role in ensuring that HIPAA-covered entities and business associates do not use or disclose protected health information (PHI) for a purpose that is prohibited by this new rule, according to OCR.

Personal health information needs to be protected irrespective of whether it's reproductive rights, reproductive care, or any other type of health information, says Tom Leary, MA, CAE, FHIMSS, senior vice president and head of government relations with the Healthcare Information and Management Systems Society (HIMSS).

Because HI professionals are on the front lines to protect this information, the first thing they’ll need to do is confer with their legal counsel and compliance teams to ensure that the rule’s new amendments are woven into their practices, Leary says.

Several provisions in the rule will directly affect HI professionals.

HHS, for example, modified the definition of reproductive healthcare to include care “that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.”

The new definition, which covers not just pregnancy and abortion, but contraception, emergency contraception, fertility, and other related services, introduces potential confusion as to the exact scope of information subject to the new definition, says Matthew Fisher, legal counsel for Hancock Daniel law firm, which has offices in Virginia, South Carolina, and Tennessee.

“As pointed out by HHS in the regulatory preamble, the definition was intentionally written broadly and covers a large swath of information that at first blush would only seem tangentially related to reproductive healthcare,” Fisher says.

For this reason, HI professionals will have to proceed carefully in how they restructure databases to recode data, he says.

Additional Work Means Documentation, Creation of Forms

One important task will be creating a new pathway for responding to requests for information that include reproductive healthcare information, Fisher says. “While responsiveness to such requests is arguably not where it needs to be at a baseline, the time needed for a response may increase, now that further vetting of the requestor and potential separation of data will be necessary.”

The rule directs healthcare providers, plans, clearinghouses, or their business associates to seek a signed attestation that certain requests for PHI possibly related to reproductive healthcare is not for use or disclosure when it’s sought to investigate or impose liability on providers or patients. 

Attestation applies when PHI is requested for health oversight activities, disclosures to coroners and medical examiners, judicial and administrative proceedings, and law enforcement purposes.

IT staff may be asked to create a web-based attestation form or template that organizations can send to requesters. This calls for a process within the organization to collect that information and review it, says Leary. 

For example, Leary says HI professionals should create a checklist with compliance officers and the legal department on how the attestation process should unfold, should the health system receive a request for PHI.

It may also be beneficial to do test runs of responding to such requests “so that staff can become accustomed to the new operational pathways and identify how to improve now as opposed to when pressure is being applied from outside the organization,” Fisher says.

To assist covered entities with this process, HHS plans on issuing a model attestation to advise covered entities on what the form should include.

Regulated entities must also modify their Notice of Privacy Practices (NPP) to support reproductive healthcare privacy. HI professionals may be called upon to include all new provisions that covered entities post on their websites.

“Updating the NPP is a massive undertaking for organizations large and small. This is further complicated by OCR proposing multiple revisions of the NPP across rulemaking,” said Tomlinson. For that reason, “AHIMA was thrilled to see they responded to our feedback on lessening cost and time burden on providers by condensing all the NPP updates into one omnibus,” he added.

Training Staff Members on the Rule

HI professionals will need training on how to confirm that attestations meet all content requirements and that the information is reliable, says Greene. An example of this is what are the appropriate steps to take if there is information suggesting that the attestation may be untruthful. “A law enforcement official may attest that the requested PHI will not be used to investigate a healthcare provider’s provision of reproductive healthcare, but news stories about law enforcement’s recent investigations may force the health information professional to question whether the attestation is entirely reliable,” Greene says.

Another scenario is HI professionals may get stuck in the middle if a healthcare provider refuses to provide PHI to government agencies in certain circumstances, even with a court order.

For example, if a healthcare professional believes they lawfully performed an abortion but a licensing board seeks PHI to investigate, the healthcare professional could be faced with violating HIPAA by disclosing the PHI or jeopardizing licensure by refusing.

“The health system and the healthcare professional might even have different views on the appropriate course of action. Health information management may be in the middle, as they will be involved in refusing or granting the request for PHI,” Greene says.

He advises HI professionals to work closely with their organization’s legal counsel to understand when they must refuse to disclose PHI to government agencies, and how to respond in time-sensitive situations.

“AHIMA continues to maintain a focus on helping HI professionals comply with new policy and are currently examining how best to empower our members to lead these types of activities in their organization,” said Tomlinson.

Jennifer Lubell is a freelance healthcare and medical writer based in the Washington, DC, area.