Model Bill: Reproductive Health Patient and Provider Privacy Law

This bill shall be known as “Reproductive Health Patient and Provider Privacy Law”

WHEREAS, the residents of  [ STATE]  regard their privacy as a fundamental right and an essential element of their individual freedom. Fundamental privacy rights have long been and continue to be integral to protecting the people of [ STATE]  and to safeguarding our democratic republic.

WHEREAS, information related to an individual’s health conditions or attempts to obtain healthcare services is among the most personal and sensitive categories of data collected.  The people of [STATE]  expect that their health data is protected under laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, HIPAA only covers health data collected by specific healthcare entities, including most healthcare providers. Health data collected by noncovered entities, including certain applications and websites, are not afforded the same protections.

WHEREAS, the legislature further finds that attempts by outside states to obtain healthcare is especially problematic for anyone seeking or providing abortion care in  [STATE].  The legislature believes that this not only infringe on a person’s privacy rights, but also may inhibit access to safe abortion and gender-affirming care.  The legislature believes that anyone accessing reproductive healthcare in [ STATE] should not be subject to such violations of their civil rights and liberties. The legislature has determined that comprehensive action to protect a patient and provider’s privacy is necessary to prevent the unnecessary surveillance and criminalization.

WHEREAS, All major experts in public health and medicine, such as the American Medical Association, American Public Health Association, American Academy of Pediatrics, American Society of Addiction Medicine, and American College of Obstetricians and Gynecologists, oppose the criminalization of pregnancy outcomes because the threat of being subject to investigation or punishment through the criminal legal system when seeking healthcare threatens pregnant people’s lives and undermines public health by deterring people from seeking care for obstetrical emergencies.

Accordingly, the purpose of this Act are as follows:

1. To protect people’s ability to make decisions about their bodies, medical care, family, and life’s course.
2. To eliminate unwarranted requests of a patient’s private health records
3. To protect the privacy and dignity of reproductive healthcare providers and their patients.

1. “Electronic patient record system” means a system used to process, store and maintain the patient records of individuals, including an individual’s healthcare information;
2. “Gender-affirming healthcare” means all medical care related to the treatment of gender dysphoria as set forth in the most recent edition of the American Psychiatric Association’s “Diagnostic and Statistical Manual of Mental Disorders” and gender incongruence, as defined in the most recent revision of the “International Statistical Classification of Diseases and Related Health Problems”. “Gender affirming healthcare services” does not include “conversion therapy” as defined in section [CITE STATE STATUTE IF APPLICABLE].
3. “Governmental agency” means all agencies, authorities,boards, commissions, departments, institutions, offices, and any other bodies politic and corporate of this State created by the constitution or statute, whether in the executive, judicial, or legislative branch; all units and corporate, outgrowths created by executive order of the Governor or any constitutional officer, by the Supreme Court, or by resolution of the General Assembly; or agencies, authorities, boards,commissions, departments, institutions, offices, and any other bodies politic and corporate of a unit of local government, or school district.
4. “Healthcare information” means any information, whether oral or recorded in any form or medium, related to the past, present or future physical or mental health or condition of an individual or the provision of healthcare to an individual and includes the individual’s patient records, healthcare claims and records of payments for healthcare or other administrative data from a provider, healthcare service plan or pharmaceutical company;
5. “Healthcare provider”  means a person who is licensed, certified or otherwise authorized by the laws of this State to administer healthcare in the ordinary course of business or practice of a profession;
6. “Healthcare service plan” means a plan that arranges for the provision of healthcare services to subscribers or enrollees, or to pay for or to reimburse any part of the cost for those services, in return for a prepaid or periodic charge paid by or on behalf of the subscribers or enrollees and includes a contractor or an employee of the healthcare service plan;
7. “Home address” means a permanent residence of the healthcare provider and any secondary residences affirmatively identified by the healthcare provider.
8. “Identified or identifiable individual”, an individual who can be readily identified directly or indirectly;
9. “Immediate family” means a spouse, child, parent, or any blood relative of the healthcare provider or the spouse of the healthcare representative who lives in the same residence.
10. “Medication Abortion Prescription Drugs” means substances used in the course of medical treatment intended to induce the termination of a pregnancy including, but not limited to, mifepristone and misoprostol;
11. “Personal information” means a home address, home telephone number, mobile telephone number, pager number, personal email address, social security number, federal tax identification number, checking and savings account numbers, credit card numbers, marital status, and identity of children under the age of 18.
12. “Publicly available content” means any written, printed,or electronic document or record that provides information or that serves as a document or record maintained, controlled, or in the possession of a governmental agency that may be obtained by any person or entity, from the Internet, from a governmental agency upon request free of charge or for a fee, or in response to a request under the Freedom of Information Act.
13. “Publicly post” or “publicly display” means to communicate to another or otherwise make available to the general public.
14. “Reproductive healthcare”, means all healthcare matters relating to pregnancy, including, without limitation, prenatal care, childbirth, postpartum care, birth control, vasectomy, tubal ligation, abortion, abortion care, management  of  a miscarriage and infertility care; and not limited to, any such service or product rendered or provided concerning:
    1. (A) an individual health condition, status, disease, diagnosis, diagnostic test or treatment,
    2. a social, psychological, behavioral or medical intervention,
    3. a surgery or procedure, including, but not limited to, an abortion,
    4. a use or purchase of a medication, including, but not limited to, a medication used or purchased for the purposes of an abortion,
    5. a bodily function, vital sign or symptom,
    6. a measurement of a bodily function, vital sign or symptom, or
    7. an abortion, including, but not limited to, medical or nonmedical services, products, diagnostics, counseling or follow-up services for an abortion;

“Written request” means written notice signed by a healthcare provider requesting a governmental agency, person,business, or association to refrain from posting or displaying publicly available content that includes the personal information of the healthcare provider.

1. A health information exchange or electronic patient record system operating in the state that electronically stores or maintains medical information, electronic patient records, personal health records, healthcare claims, payments or other administrative data on behalf of a provider, healthcare service plan, pharmaceutical company, contractor or employer shall:
   1. segregate an individual’s healthcare information related to reproductive healthcare, gender- affirming healthcare, mental healthcare, alcohol or substance use treatment and any other similar healthcare or healthcare service as deemed appropriate for record segregation by the healthcare authority;
   2. limit user access privileges to an individual’s segregated healthcare information to persons or entities to whom the individual has provided written authorization for access;
   3. provide a process for an individual to provide written authorization to disable access to the individual’s segregated healthcare information by persons or entities in another state; and
   4. notify an individual whose segregated healthcare information is the subject of a civil, criminal or regulatory inquiry, investigation, subpoena or summons for the release of the individual’s segregated healthcare information and notify each provider that rendered healthcare as documented in the individual’s segregated healthcare information at least 30 days prior to complying with the civil, criminal or regulatory inquiry, investigation, subpoena or summons for release of the individual’s segregated healthcare information.

Section [CITE STATE MEDICAL RECORDS PRIVACY STATUTE] is amended to read:

Notwithstanding any other law, a physician or other healthcare provider who provides healthcare services to a patient who experienced a miscarriage or obtained an abortion or who the physician or provider suspects may have experienced a miscarriage or obtained an abortion is prohibited from reporting or disclosing that information to a peace officer or law enforcement agency.

Section  [CITE STATE MEDICAL RECORDS PRIVACY STATUTE] is amended to read:

Every person has a right to inspect public records of this state except:

1. records containing personal identifying information or sensitive information related to the practice of a medical provider employed by a public body who performs medical services related to reproductive healthcare and gender-affirming care;

Subdivision [CITE RELEVANT STATE STATUTE REFERENCING HEALTHCARE PROFESSIONS AND OCCUPATIONS] is amended to read as follows:

1. The [STATE/GOVERNOR] shall decline to enforce an extradition warrant, subpoena, or other legal proceeding related to a healthcare provider licensed in another state with a shield law and who is accused of providing abortion services from within their licensing state.
2. The [STATE/GOVERNOR] shall facilitate the return of the provider to their home state to resolve any such legal matter, ensuring they may travel without interference, harassment, or risk of detention.
3. A healthcare provider may not disclose healthcare service records under section [CITE STATE STATUTE DEFINING REPRODUCTIVE HEALTHCARE] if the records are sought in an investigation of a healthcare provider for a healthcare service that is unlawful in another state but is lawful in [STATE].

CITE EXEMPTION SECTION IN YOUR STATE PHARMACY OR CONTROLLED SUBSTANCES STATUTE] is amended to read as follows:

1. a pharmacist may, at their discretion, dispense brand name or generic mifepristone or any drug used for medication abortion without the name of the patient, the name of the prescriber, and the name and address of the pharmacy if the prescription is labeled with a prescription number or other means of identifying the prescription

1. A healthcare provider who provides reproductive health or gender-affirming care, may submit to any governmental agency, person, business, or association a written request that the governmental agency, person, business, or association refrain from disclosing any personal information about the healthcare provider.
2. A representative from the healthcare provider’s employer may submit a written request on behalf of the healthcare provider, if:
   1. the healthcare provider gives written consent to the representative; and
   2. the representative agrees to furnish a copy of that consent when a written request is made.
3. The representative shall submit the written request directly to a governmental agency, person,business or association. A written request is valid if the healthcare provider, or representative of the healthcare provider’s employer, sends a written request directly to a governmental agency, person, business, or association. The written request shall specify: what personal information of the healthcare provider shall be maintained private;
   1. if a healthcare provider wishes to identify a secondary residence as a home address, the designation of such; and
   2.  the identity of any immediate family, and any personal information of those persons that shall be excluded to the extent that it could reasonably be expected to reveal the personal information of the healthcare provider. A written request is valid until the healthcare provider provides the governmental agency, person, business, or association with written permission to release the personal information. Otherwise, a written request from a healthcare provider expires on death.
4. If a governmental agency receives a written request from a healthcare provider in accordance with this Section the governmental agency shall not publicly post or display publicly available content that includes any personal information of the healthcare provider.
5. After receipt of the request, the governmental agency shall remove any personal information of the healthcare provider from the publicly available content within 5 business days, and shall not publicly post or display the personal information unless the healthcare provider has given the governmental agency written permission to release the personal information as required under this Section.
6. The personal information of the healthcare provider is exempt from the Freedom of Information Act unless the governmental agency receives consent from the healthcare provider to make the personal information available to the public.
7. No governmental agency, person, business, or association shall be found to have violated any provision of this Section if the healthcare provider fails to submit a written request calling for the protection of the personal information of the healthcare provider.
8. If a governmental agency fails to comply with a written request under this Section the healthcare provider may bring an action seeking injunctive or declaratory relief in any court of competent jurisdiction.
9. This Section and any rules adopted to implement this Section shall be construed broadly to favor the protection of the personal information of a healthcare provider.

1. It is unlawful for any person to knowingly and publicly post on the Internet the personal information of a healthcare provider or healthcare provider’s immediate family if the person knows that publicly posting the personal information poses an imminent and serious threat to the health and safety of the healthcare provider or healthcare provider’s immediate family, and the violation is a proximate cause of bodily injury or death of the healthcare provider or healthcare provider’s immediate family member.
2. No person, business, or association shall solicit, sell, or trade on the Internet any personal information of the healthcare provider with the intent to post an imminent or serious threat to the health and safety of the healthcare provider or the healthcare provider’s immediate family.
3. A healthcare provider whose personal information is made public as a result of a violation of this Section may bring an action seeking injunctive or declaratory relief in any court of competent jurisdiction. A court shall award a prevailing healthcare provider costs and reasonable attorney’s fees.
4. This Section and any rules adopted to implement this Section shall be construed broadly to favor the protection of the personal information of a healthcare provider.

This law shall become effective on MONTH DATE YEAR.