Beware: Compliance Deadline for HIPAA Reproductive Health Care Rule Fast Approaches
October 1, 2024
By: Alaina N. Crislip, Neil C. Brown, and Stephanie R. Weber
On April 26, 2024, the Office for Civil Rights (“OCR”) and the Office of the Secretary in the U.S. Department of Health and Human Services (“HHS”) issued a final rule entitled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (“Final Rule”). The Final Rule strengthens the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule[1] by prohibiting the disclosure of protected health information (“PHI”)[2] related to lawful reproductive health care under certain circumstances.[3] The compliance deadline for some of the Final Rule’s requirements is December 23, 2024.
Background and General Rule
Under the Final Rule, “reproductive health care” broadly refers to health care that affects an individual’s health “in all matters relating to the reproductive system and to its functions and processes.”[4] This means reproductive health care includes care that the individual determines for themselves, such as over-the-counter contraceptives, as well as care prescribed by a provider.[5]
The Final Rule generally prohibits a HIPAA covered entity[6] or its business associate from using or disclosing PHI for certain activities related to the “mere act of seeking, obtaining, providing, or facilitating reproductive health care,” including: (1) conducting a criminal, civil, or administrative investigation into any person; (2) imposing criminal, civil, or administrative liability on any person; or (3) identifying any person for purposes of either of the foregoing activities in (1) or (2).[7] The Final Rule’s prohibition applies where a covered entity has reasonably determined that the reproductive health care is lawful or otherwise legally protected.
The Final Rule continues to allow covered entities to use or disclose PHI for purposes otherwise permitted under the HIPAA Privacy Rule. For instance, a covered entity could continue to use or disclose PHI to defend itself in an investigation or proceeding related to professional misconduct or negligence where the alleged professional misconduct or negligence involved the provision of reproductive health care.
The Attestation Requirement
The Final Rule implements a new attestation requirement for certain uses and disclosures to persons other than covered entities or business associates. This new Privacy Rule section requires a covered entity to obtain a signed attestation from a requestor of PHI prior to using or disclosing PHI in the following instances: health oversight activities; judicial/administrative proceedings; law enforcement purposes; and uses and disclosures pertaining to decedents.[8] There are various explicit requirements that such attestations must meet. In order to facilitate compliance, OCR has issued a Model Attestation for covered entities to consider utilizing.[9]
Future Compliance Deadlines after December 23, 2024
The Final Rule contains other requirements that have a compliance date after December 23, 2024. For example, the Final Rule requires that notices of privacy practices (NPPs) include a description (including at least one example) of the types of uses and disclosures relating to reproductive health that: (1) are prohibited by the Final Rule; and (2) require an attestation.[10] The compliance date for the Final Rule’s NPP requirements is February 16, 2026.[11]
[1] See 45 C.F.R. pts. 160 and 164, subparts A and E.
[2] See 45 C.F.R. 160.103 for the definition of PHI.
[3] See 89 Fed. Reg. 32976 at 33063.
[4] See id. at 33063.
[5] See id.
[6] 45 C.F.R. § 160.1013 defines a “covered entity” as (1) a health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits any health information in electronic form in connection with a transaction under HIPAA.
[7] See 89 Fed. Reg. 32976 at 32990–32991, 33063.
[8] Id. at 33063. See also 45 C.F.R. §§ 164.512(d), (e), (f), (g)(1).
[9] The Model Attestation may be found on HHS’ website at: https://www.hhs.gov/sites/default/files/model-attestation.pdf.
[10] See 89 Fed. Reg. 32976 at 33064–66.
[11] See 89 Fed. Reg. 32976 at 33064–66.