CDT Submits Comments to HHS Supporting Its Proposed Rule Limiting Law Enforcement Access to Reproductive Health Records

Also contributed to by CDT Intern Sydney Brinker

In the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and subsequent state laws that criminalize abortion, patients are at heightened risk that their health care providers will turn over sensitive reproductive health information to law enforcement for abortion-related investigations.

In response to this risk, the Department of Health and Human Services’ (HHS) Office of Civil Rights is proposing new rules to limit law enforcement access to patient health data. The proposed changes are designed to prohibit the use and disclosure of people’s reproductive health records for criminal, civil, or administrative investigations or proceedings against people for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.

CDT commends HHS for undertaking this important and critically necessary work and supports the proposed rule. Without these changes, patients’ private medical records can be used in abortion-related prosecutions.

CDT’s comment suggests several ways in which the proposal could be further strengthened:

Ensure all Reproductive Health Data is Captured by the Rule

CDT’s comment calls for a broad definition of “reproductive health care.” While the NPRM includes a strong definition, it should be made broader. Data need not be explicitly reproductive health data to be probative or provide insights into a person’s reproductive health. To better capture the universe of data that could reveal a person’s reproductive health conditions, HHS should expand the definition. Additionally, HHS should include gender-affirming care in this definition. Just like anti-abortion laws, laws that ban or restrict gender-affirming care ultimately criminalize medical providers, lead to inadequate to completely inaccessible health care, reinforce inequality, and deprive people of human rights.

Limit the Sharing of Health Data

CDT is calling on HHS to further limit when health providers may share PHI with law enforcement. Second, in the limited instances when sharing patient data with law enforcement is permitted under any new rule, HHS should amend the existing Privacy Rule to ensure that any request for patient data is narrowly tailored and explicitly state the specific elements within a health record that are necessary to their investigation. Finally, HHS should ensure that whenever patient health data is shared, it is not used for purposes beyond the specific investigation. Any new rule must not create unintended backdoors for data to be repurposed and used in reproductive health prosecutions.

Strengthen the Rule’s Attestation Requirement

CDT supports requiring attestations from law enforcement agencies seeking patient data related to reproductive health care. However, additional provisions regarding monitoring and enforcement are necessary to ensure the attestations’ efficacy. To ensure that attentations are truthful, CDT calls on HHS to require any attestation made pursuant to the rule include a signed declaration made under penalty of perjury. Such an inclusion can deter false attestations and also prohibit evidence obtained through such a system from being admissible in any legal proceeding. HHS should also consider ways to audit attestations to ensure law enforcement upholds their promise not to use data contrary to the rule. Moreover, HHS should require law enforcement attestations to include a commitment from the requester that they will retain PHI only for the duration of the specific, articulated investigation and any prosecution and appeals.

Educate Everyone about the New Rule

CDT is calling on HHS to invest in robust education efforts to ensure that law enforcement departments and HIPAA covered entities know the contours and limitations of any new rule.

Read the full comments here.