Office for Civil Rights Announces Final Rule to Protect Reproductive Healthcare Data Privacy

On April 22, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) finalized its rule, HIPAA Privacy Rule to Support Reproductive Health Care Privacy.

The rule aims to improve patient data protections around lawful reproductive health care services, thereby encouraging patients to seek these services when necessary and improve patient trust in the healthcare system.

HIMSS strongly supports the overall goals of this rule, which specifically “prohibits uses and disclosures of protected health information (PHI) for criminal, civil, or administrative investigations or proceedings against individuals” for seeking, obtaining, providing or facilitating reproductive healthcare that is lawful under the circumstances in which it was provided. 

HIMSS applauds OCR’s decisions to properly educate covered entities about this rule, to provide a model attestation in advance of the rule’s compliance date of December 23, 2024, and to educate patients through, for example, requiring the patient’s Notice of Privacy Protections form to be made available in multiple languages. HIMSS continues to encourage OCR to explore health IT solutions for delivering the Notice of Privacy Protections and other privacy education resources to patients in culturally inclusive ways.

HIMSS anticipates that several provisions of the final rule may present challenges for ubiquitous information exchange in a manner that also provides the appropriate protections for patients. In a public comment letter responding to the proposed rule from June 16, 2023, HIMSS called on OCR to expand these protections to patients receiving all forms of healthcare. HIMSS believes that healthcare information should not be used unfairly against patients and determining who has access and reasons for access should be the same for all healthcare interventions, not only for reproductive health care services. OCR did not adopt HIMSS’s recommendation, however HIMSS will continue to advocate for these protections for patients in future public comment opportunities.

HIMSS also raised concerns about the challenges to parse out reproductive health data and protect those data in a different manner than other healthcare data, as required in the Final Rule. Healthcare organizations report significant operational challenges segregating certain types of personal health information (PHI) from other PHI. OCR acknowledges this challenge, however, asserts that this is critical to improve patient protections for reproductive health, as this specific type of data may unfairly target patients in the current US political landscape. OCR broadly defined reproductive health services, with a non-exhaustive list of examples of services, which aims to make this process easier. OCR also asserts that this rule should not increase data segmentation concerns beyond those that already exist. HIMSS recommends continued work at ONC to improve data sharing and segmentation standards to reduce unnecessary administrative burden and costs on health systems.

Overall, HIMSS is highly pleased with OCR’s final rule and recognizes the importance of protecting reproductive health data, which would improve patient trust and willingness to receive lawful reproductive health care services. HIMSS regularly analyzes and seeks comments on federal regulations. HIMSS members interested in contributing to comment letters, please reach out to policy@himss.org. Visit HIMSS’s Public Policy Center for more information.