
May 20, 2024

By: Christopher J. Kulik

On April 26, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (“HHS-OCR”) published a final rule (the “Rule”), which amends the HIPAA Privacy Rule to afford greater reproductive health care privacy protection.  Highlights of the new Rule that will have a practical impact on entities regulated under HIPAA are as follows:

New Prohibitions on Uses and Disclosures 

The Rule modifies the Privacy Rule to add a new category of prohibited uses and disclosures of protected health information (“PHI”) related to an individual’s reproductive health care for certain non-health care purposes.  Specifically, the Rule prohibits regulated entities from using or disclosing an individual’s PHI for the following purposes:

1. Conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; and 

2. Identifying any person for the purpose of initiating such investigation or proceeding. 

This prohibition is also subject to a Rule of Applicability where HHS-OCR has provided a framework by which regulated entities can determine whether the reproductive health care at issue is “lawful under the circumstances in which it is provided.”  The Rule of Applicability applies where the regulated entity has reasonably determined that one of three specified conditions set forth in the Rule exists.  Additionally, under the Rule, the reproductive health care is presumed to be lawful if the care was provided by a person other than the regulated entity receiving the request. 

Attestation

In addition to the new categorical prohibition, the Rule adds an attestation requirement for regulated entities in certain situations.  Specifically, a covered entity or business associate may not use or disclose PHI potentially related to reproductive health care without first obtaining a signed attestation that the use or disclosure is not for a prohibited purpose.  This attestation requirement applies when the request is for:

1. Health care oversight activities.
2. Judicial and administrative proceedings.
3. Law enforcement purposes and disclosures to coroners and medical examiners. 

The Rule also sets forth standard content requirements that an attestation must contain to be considered valid.  However, in the commentary to the Rule, HHS-OCR states that it intends to publish a model attestation for use by regulated entities prior to the applicable compliance date.

Notice of Privacy Practices

Lastly, the Rule requires covered entities to revise their Notice of Privacy Practices (“NPPs”) to support reproductive health care privacy, as well as to address changes in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder Patient Records – which were finalized in connection with this Rule. 

Next Steps

Although the new Rule is effective June 25, 2024, compliance with the new Rule is not required until December 23, 2024, except for the requirements applicable to the NPP provisions, with which regulated entities must comply by February 16, 2026.  Entities subject to the Rule should act now by reviewing policies, procedures, and operations that may need to be modified, especially in light of the attestation and NPP revision requirements.

For questions regarding your compliance efforts, please contact Christopher J. Kulik or your regular Krieg DeVault Health Care Practice attorney.

 

Disclaimer. The contents of this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult with counsel concerning your situation and specific legal questions you may have.
