HHS official provides updates on privacy and civil rights enforcement

Biden administration priorities on reproductive privacy and HIPAA were among the topics addressed by Melanie Fontes Rainer, director of the Office for Civil Rights for the U.S. Department of Health and Human Services, in her keynote address at the 20th anniversary of the Health Law Section’s Washington Health Law Summit on Dec. 11.

The office’s portfolio includes enforcing:

• Federal civil rights laws to protect people of every race, color and national origin from discrimination in HHS-funded programs

• Laws and regulations that prohibit discrimination on the basis of disability in programs, services, activities and facilities funded and conducted by HHS

• Laws and regulations that prohibit discrimination on the basis of age and/or sex

Rainer, who said the Office for Civil Rights uniquely covers issues of privacy as well as civil rights, offered updates on the status of a number of areas the office is working on, including:

—Reproductive Privacy Rule

President Joe Biden has signed an unprecedented three executive orders related to reproductive health care. One of them, Rainer said, instructed HHS to talk to stakeholders in the community about federal laws, including civil rights and privacy. Rainer said she’s been to 13 states that have banned abortion procedures and has heard from doctors who feel they can’t talk to their patients due to the lack of clarity about what’s allowed.

She discussed the proposed HIPAA Privacy Rule on permissible disclosures. HIPAA currently requires turning over information in two instances:

• If there’s a security breach, you must file a report to HHS.

• If an individual seeks their own medical records, they are entitled to them in “a reasonable amount of time.”

The rule allows for “permissible disclosures,” such as under a state law or where there is evidence of child abuse, and there is some discretion.

“We went further than that and actually prohibited the use and disclosure of data related to reproductive health care in various contexts because [of] what we’re seeing,” Rainer said. When individuals go from one state “where the care is banned, to another state where the care is not banned,” upon their return home “we’re seeing the banned state try to go into the non-banned state, go after those providers, clinics, patient records.” In addition, when the person returns home, they may “go after the person, the provider, the records,” she said. The new proposed rule prohibits that use or disclosure by providers, data clearing houses and insurance companies, “so it’s a pretty far-reach,” Rainer said.

Rainer foresees something similar playing out regarding gender-affirming care bans.

—HIPAA

OCR received 51,000 privacy complaints last year, of which two-thirds were HIPAA-related, she said. Although the number of security breach reports is about the same as last year, “the number of affected individuals continues to climb,” Rainer said. Last year about 89 million people were affected by breaches, and this year is already at more than 100 million “because the breaches are getting bigger.”

In one instance, after an OCR investigation, LA Care Health Plan paid OCR $1.3 million in fines due to violations including the lack of a risk plan, failure to perform a periodic technical evaluation and failure to implement mechanisms that record and examine activity.