HHS final rule requires HIPAA compliance changes for reproductive health care information

The HIPAA Privacy Rule has been modified by the US Department of Health and Human Services (“HHS”) to increase privacy protections for reproductive health care information. These updates will prohibit the use and disclosure of reproductive health care information to conduct an investigation into, impose liability on, or identify individuals who obtain or provide legal reproductive health care. HIPAA-regulated entities will also be required to update their Notices of Privacy Practices and obtain attestations in connection with certain requests for reproductive health care information. These new requirements also may necessitate updates to entities’ HIPAA policies and training.

Key Changes to HIPAA Privacy Requirements

Prohibits Certain Uses and Disclosures of Reproductive Health Care Information

The final rule prohibits the use or disclosure of PHI to support the investigation, imposition of liability on, or identification of, individuals who seek, obtain, provide, or facilitate lawful reproductive health care (the “Prohibited Purposes”). Our prior post outlined key proposed changes in the notice of proposed rulemaking (“NPRM”), following the rise of uncertainty around reproductive health care as a result of the U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization.

Presumes that Care Provided was Lawful

The final rule includes a presumption that reproductive health care was lawful, unless certain conditions are met. These include the recipient of the request having actual knowledge that the care was not lawful, or where factual information is presented by the requestor that provides a substantial factual basis that the care was not lawful.

Requires a Signed Attestation

In certain cases, the final rule requires that when HIPAA-regulated entities receive requests for reproductive health care information, they must obtain a signed attestation from the requestor that the intended use or disclosure of that information is not for a Prohibited Purpose. The attestation requirement applies only if the request is for (1) law enforcement purposes, (2) judicial and administrative proceedings, (3) health oversight activities, or (4) disclosures to coroners and medical examiners. The final rule includes required elements for a valid attestation and HHS intends to publish model attestation language before the compliance date of the final rule.

Imposes Mandatory Updates to Notice of Privacy Practices

The final rule requires HIPAA-regulated entities to revise their Notices of Privacy Practices (“NPPs”) to include a description and an example of the Prohibited Purposes with sufficient detail for an individual to understand the prohibition and the types of uses and disclosures of PHI that require an attestation. The final rule also includes requirements for entities that create or maintain Substance Use Disorder (“SUD”) patient records (i.e., “Part 2” records) to update their NPPs to reflect permitted and prohibited uses and disclosures of such records. We discussed HHS’s final rule regarding Part 2 records in this previous post.  

To prevent attempts to use other HIPAA provisions to justify uses and disclosures of reproductive health information for Prohibited Purposes, the final rule clarified the scope of certain provisions, including:

  • Uses and disclosures of PHI for public health activities. The final rule adopts a new definition of “public health” that makes clear that permissible public health activities are population-level activities and do not include uses of PHI to conduct an investigation, impose liability on, or identify any person for seeking, obtaining, providing, or facilitating health care.

  • Disclosures of PHI to report cases of abuse or neglect. The final rule prohibits regulated entities from using or disclosing PHI to report abuse or neglect when the sole basis for the report is the provision or facilitation of reproductive health care. This provision differs from the proposed rule, where disclosure of PHI for reporting abuse was prohibited when the report is based primarily on the provision of reproductive health care.

Penalties

A person who knowingly and in violation of HIPAA falsifies an attestation (e.g., makes a material misrepresentation about the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual’s reproductive health care information could be subject to criminal penalties.

Compliance Timeline and Next Steps

The effective date of the rule is June 25, 2024. The compliance date is December 23, 2024, except for the applicable requirements for the NPPs, which entities must implement by February 16, 2026. The phased rollout allows organizations to evaluate how the new requirements may impact their operations, identify what public-facing and internal materials may be affected, and update accordingly.

Steps organizations can take now include:

  • assessing what information and activities may be in scope for these requirements;

  • confirming what processes are needed to provide additional safeguards for reproductive health care information in light of the new requirements;

  • identifying and updating internal policies, procedures, and practices for responding to law enforcement and certain other third-party requests for PHI, data handling, and permitted/prohibited uses and disclosures that may include reproductive health care information;

  • revising their Notices of Privacy Practices and making them available in accordance with the HIPAA Privacy Rule;

  • drafting applicable forms, including attestation templates, and response procedures for responding to requests; and

  • training workforce members on the new requirements and updated processes.

 

Authored by Marcy Wilder, Melissa Bianchi, Melissa Levine, Donald DePass, Alyssa Golay, and Fleur Oké.

 

 

References
1 “Reproductive health care” is defined as health care, under HIPAA, that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. HHS provides a non-exhaustive list of examples of what is included in “reproductive health care”: contraception, including emergency contraception; preconception screening and counseling; management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination; fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization (IVF)); diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products).

 
