May 10, 2024
Policy Changes Required Under New HIPAA Reproductive Health Rule
Background
On April 22, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced and issued a final rule, titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the Final Rule). The Final Rule modifies certain provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) to support reproductive healthcare privacy. In April 2023, following the U.S. Supreme Court's ruling in Dobbs v. Jackson Women's Health Organization (holding that the U.S. Constitution does not confer a right to abortion), the OCR issued a notice of proposed rulemaking. The Final Rule makes minor changes to the proposed rule after the OCR reviewed extensive public commentary.
The Final Rule brings significant changes for healthcare providers, health plans, healthcare clearinghouses, and business associates (referred to collectively as Regulated Entities). Compliance deadlines are set for late 2024 and early 2026, by which time Regulated Entities are required to obtain attestations from requesters of reproductive health information in specific situations. As the interplay between relevant federal and state laws continues to expand in the area of reproductive health, there will continue to be ambiguity about what disclosures are permitted and when this Final Rule and its attestation requirements apply. If you are a Regulated Entity, it may be important to take action in advance of the Final Rule taking effect on June 25 and the rule's compliance date of December 22.
The final rule
The Final Rule updates HIPAA's privacy rule to restrict the use or disclosure of an individual's protected health information (PHI) related to reproductive healthcare for non-healthcare purposes, especially when there is risk of harm to the patient's privacy. The Final Rule prohibits Regulated Entities from using or disclosing PHI for either of the following reasons:
- To conduct a criminal, civil, or administrative investigation into or to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare where such healthcare is lawful under the circumstances in which it is provided
- The identification of any person for the purpose of conducting such investigation or imposing such liability
- The reproductive healthcare is lawful under the law of the state in which such healthcare is provided and under the circumstances in which it is provided.
- The reproductive healthcare is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such healthcare is provided.
- The reproductive healthcare was provided by a person other than the Regulated Entity that receives the request for PHI.
Requirements of regulated entities
Attestation
The Final Rule requires a Regulated Entity, when it receives a request for PHI potentially related to reproductive healthcare, to obtain a signed and dated attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies to requests for PHI for the following:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Disclosures to coroners and medical examiners
Takeaways for regulated entities
- Beginning December 22, you must obtain an attestation from a party requesting PHI containing reproductive healthcare information that use of the PHI is not for a prohibited purpose.
- No later than February 16, 2026, covered entities must revise their NPPs.
- Business associate agreements may also need to be revised to address the process for responding to requests for disclosure of reproductive healthcare information.
- Regulated Entities must revise and update their HIPAA training policies and materials to account for the new rule.