HHS Supports Reproductive Health Care Privacy by Modifying the HIPAA Privacy Rule
The Department of Health and Human Services' (HHS) Office for Civil Rights recently published a final rule (the Final Rule) which provides additional privacy protections related to the use and disclosure of reproductive health care information. Covered entities (e.g., health plans) and their business associates must comply with all of the provisions of the Final Rule by December 22, 2024, except for the requirement to update their Notice of Privacy Practices, which must be updated by February 16, 2026.
At a high level, the Final Rule amended the privacy regulations promulgated under HIPAA (the Privacy Rule) to:
- Prohibit the use or disclosure of protected health information (PHI) when it is requested to identify, investigate, or impose liability on individuals who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which the health care is provided.
- Require that covered entities and business associates obtain a valid attestation from the person or entity requesting PHI that is potentially related to reproductive health care if the request is for: (a) health care activities, (b) judicial and administrative proceedings, (c) law enforcement purposes, and (d) disclosures to coroners and medical examiners.
- Require covered entities to modify their Notice of Privacy Practices to implement the changes made to reproductive health care privacy.
KEY TAKEAWAYS RELATED TO THE FINAL RULE
Presumption of Lawful Health Care – Reproductive health care is presumed to be lawful unless the covered entity or business associate either (a) has actual knowledge that the care was unlawful, or (b) receives information from the person requesting the use or disclosure of PHI and the information provides a substantial factual basis that the care was unlawful.
Attestation Requirement – The attestation may not be combined with any other document. While covered entities and business associates can develop their own attestation form, the HHS has indicated that it will publish a model attestation form prior to the compliance date.
Compliance Considerations for Covered Entities and Business Associates – If you are a covered entity or business associate, you should take the following steps to remain HIPAA compliant after the Final Rule's compliance dates:
- HIPAA Policies and Procedures: Review and update your HIPAA policies and procedures regarding the use and disclosure of PHI related to reproductive health care.
- Attestation: Develop an attestation form, or use the HHS's model attestation form, which should be published prior to the compliance date.
- Workforce Training: Update workforce training materials and provide workforce training to describe the limitations on the use and disclosure of PHI related to reproductive health care and the new attestation requirement.
- Notice of Privacy Practices: Update the Notice of Privacy Practices to include the new Final Rule requirements no later than February 16, 2026.
For more information on this HIPPA privacy rule, please contact Thomas Dowling, Lisa Rippey or the Stinson LLP contact with whom you regularly work.