There are many reasons health data has long been undisputed as one of the most sensitive categories of personal information. Our health is a deeply intimate aspect of our selves. Health decisions can have irreversible impacts on our lived experience, our lifestyle, and even life itself. Adverse or unwanted health outcomes resonate with emotional significance. They can be a source of stress, of sorrow, or of shame.

Our health status, decisions and outcomes are so intimate that, at times, only two people in the world are aware of them: a doctor and her patient. Maintaining the sanctity of this relationship of trust is a cornerstone of the medical profession. Yet good health care outcomes also rely on good data, including detailed and accurate health records.

For almost 30 years, resolving this tension has been part of the promise and challenge embodied in the Health Insurance Portability and Accountability Act and ongoing updates to the HIPAA Privacy Rule.

At times, the sanctity of the doctor-patient relationship has been tested by government intervention. Whether in the context of laws that criminalize consensual sexual activity, physician-assisted suicide, abortions, or heinous crimes, health records can become a matter of prosecutorial interest. In the months since the Dobbs decision, as states have moved quickly to protect or criminalize certain reproductive health care decisions and actions, awareness about law enforcement access to health data has resurfaced. In particular, concerns about interstate prosecutions of abortion care, using health records or other data have led to calls from Congress and the White House for enhanced federal privacy protections.

This week, the Office for Civil Rights of the U.S. Department of Health and Human Services answered with a Notice of Proposed Rulemaking that would update the HIPAA Privacy Rule to implement federal protections for the privacy of information about reproductive health.

As it has done previously in the context of psychological records, HHS would create a new category of protected health information deserving of heightened protections. Specifically, the rule would prohibit "the use or disclosure of PHI for the criminal, civil, or administrative investigation of or proceeding against an individual, regulated entity, or other person for seeking, obtaining, providing, or facilitating reproductive health care, as well as the identification of any person for the purpose of initiating such an investigation or proceeding."

"Such disclosures of PHI would be prohibited when the reproductive health care:

1. is provided outside of the state where the investigation or proceeding is authorized and where such health care is lawfully provided;

2. is protected, required, or authorized by Federal law, regardless of the state in which such health care is provided; or

3. is provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state."

These are consequential changes. In contrast, general PHI under HIPAA can sometimes be disclosed for some non-health care purposes, including law enforcement purposes, without the individual's authorization, at the discretion of the covered entity. The new categorization of reproductive health data as highly sensitive is in line with recent Federal Trade Commission activity and guidance, and would arm health care providers and other covered entities with the legal clarity they need to navigate the complex thicket of shifting state requirements.

HHS's reasoning behind the proposal reiterates the importance of doctor-patient trust as an essential component of the health care system, which the federal government has a strong interest in maintaining. As the agency explains:

"If individuals do not trust that the sensitive information they disclose to their health care providers will be kept private, they may be deterred from seeking or obtaining needed health care or withhold information from their health care providers, compromising the quality of the health care they receive. Similarly, if a health care provider does not trust that the information they include in an individual's medical records will not be kept private, the health care provider might leave gaps or include inaccuracies when preparing medical records, creating a risk that ongoing or future health care would be compromised."

Entities not subject to HIPAA are not covered by the HHS rule, but they may be subject to new state rules. In the state of Washington, a broad and creatively restrictive health privacy bill, known as the My Health My Data Act, is expected to pass before the end of the month. Some of its provisions, including prohibitions on geofencing for certain purposes, may go into effect as soon as 90 days from enactment. Similarly, after the comment period ends, the new HIPAA rule will be effective 60 days after publication, with a compliance deadline 180 days after that.

Standards covering health-related data are evolving at a fast pace, but in a predictable direction: toward treating knowledge about health information, and reproductive health in particular, as an intimate privilege that must be protected, whether from unexpected uses, third-party access, or even law enforcement.

Here's what else I’m thinking about:

  • Accountability for AI systems is the focus of a new request for comment from the National Telecommunications and Information Administration. The request seeks input from all stakeholders on "self-regulatory, regulatory, and other measures and policies that are designed to provide assurance that AI systems are legal, effective, ethical, safe, and otherwise trustworthy." The deadline for comments is 12 June.
  • Meanwhile, Senate Majority Leader Chuck Schumer, D-N.Y., announced he will soon introduce an AI accountability "framework." Reportedly, the senator’s office is in the process of refining the proposal in consultation with stakeholders, but it will include both legislative and government oversight components. The announcement confirmed that top-of-mind for Schumer is a requirement for independent review and testing before AI-powered systems are deployed.
  • The House Energy and Commerce Committee assigned TikTok a deadline of 27 April to answer outstanding questions from last month’s high-profile hearing with the company’s CEO. Among other concerns, the letter reiterates detailed questions about the personal data practices of the app, including questions related to health and geolocation data. It may be a productive thought experiment for privacy pros at other companies to consider how they would respond to such questions.
  • Soon we will go from 6 to 8 U.S. states with some level of comprehensive data privacy protections for their residents, as Indiana and Tennessee are expected to finalize passage of their respective laws in the coming days.

Upcoming happenings

  • 18 April at 10:00 EDT, the Innovation, Data, and Commerce Subcommittee of the House Energy & Commerce Committee hosts a hearing on the "Fiscal Year 2024 Federal Trade Commission Budget" (hybrid).
  • 18 April at 15:00 EDT, R Street hosts a webinar on "The Intersection of Privacy and Law Enforcement."
  • 19 April at 14:00 EDT, the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee hosts a hearing on "Role of Data Brokers in the Digital Economy" (hybrid).
  • 21 April at 12:00 EDT, the IAPP Baltimore, Northern Virginia and Washington, D.C. KnowledgeNet Chapters host a webinar titled "Are the Kids Alright? A Discussion on EdTech and K-12 Privacy."

Please send feedback, updates and doctors’ orders to cobun@iapp.org.