July 30, 2023

HIPAA Prevents State LEOs from Grazing for PHI -- Doesn't It?

h/t to Samantha Holvey's concise and timely weekly Whealth Care newsletter for addressing a question that is probably on every HIPAA-savvy reader's mind of late: "Can State Attorneys General just randomly scan out of state health records to see whether one of their residents may have committed a health care 'crime'?" This might apply to potentially pregnant patients seeking reproductive diagnosis and treatment, or parents of transgender minors seeking gender-affirming care not available at home.

Having been engaged with HIPAA since its earliest days, I was prepared to repeat my customary, reassuring, "HIPAA is better privacy protection than we had before" speech, but I quickly realized that this time, I was not so sure. See, when we were implementing the three pillars of HIPAA (Privacy | Security | Transactions and Code Sets), back in the aughts, people were most concerned about organizations within the industry misusing the data, or letting it leak out for commercial exploitation.

Very few were worried about a malevolent government. The pre-HIPAA government guardrails that had been erected were still in place, and HIPAA itself was relatively neutral on the matter. Or at least, we implementers were relatively complacent. We thought that, occasional abuse aside, law enforcement organizations would go through existing legal channels to obtain patient records in pursuit of fraud, theft, controlled substance misappropriation, or malpractice.

Now, state after state is passing laws that not only criminalize healthcare procedures that have been common practice for decades, but also extend that criminality to procedures performed in states whose own laws preserve their legality. Private citizens can earn bounties by revealing that someone has crossed a state line to pursue such treatment, or has even helped fund such an excursion.

And while CMS has published regulatory guidance that explains what sorts of inquiries are already unacceptable under HIPAA, they have also released a Notice of Proposed Rulemaking (NPRM) to tighten the federal regulations against potential state governmental fishing expeditions. The comment period on the NPRM has closed. Can federal regulations be far behind? HIPAA history says not to be too confident. Some NPRMs were allowed to languish for years. Other draft regulations were never formalized into a Final Rule.
