Policy Changes Required Under New HIPAA Reproductive Health Rule
Background
On April 22, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced and issued a final rule, titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the Final Rule). The Final Rule modifies certain provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) to support reproductive healthcare privacy. In April 2023, following the U.S. Supreme Court's ruling in Dobbs v. Jackson Women's Health Organization (holding that the U.S. Constitution does not confer a right to abortion), the OCR issued a notice of proposed rulemaking. The Final Rule makes minor changes to the proposed rule after the OCR reviewed extensive public commentary.
The Final Rule brings significant changes for healthcare providers, health plans, healthcare clearinghouses, and business associates (referred to collectively as Regulated Entities). Compliance deadlines are set for late 2024 and early 2026, by which time Regulated Entities are required to obtain attestations from requesters of reproductive health information in specific situations. As the interplay between relevant federal and state laws continues to expand in the area of reproductive health, there will continue to be ambiguity about what disclosures are permitted and when this Final Rule and its attestation requirements apply. If you are a Regulated Entity, it may be important to take action in advance of the Final Rule taking effect on June 25 and the rule's compliance date of December 22.
The final rule
The Final Rule updates HIPAA's privacy rule to restrict the use or disclosure of an individual's protected health information (PHI) related to reproductive healthcare for non-healthcare purposes, especially when there is risk of harm to the patient's privacy.
The Final Rule prohibits Regulated Entities from using or disclosing PHI for either of the following reasons:
- To conduct a criminal, civil, or administrative investigation into or to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare where such healthcare is lawful under the circumstances in which it is provided
- The identification of any person for the purpose of conducting such investigation or imposing such liability
The prohibition applies when a Regulated Entity has reasonably determined at least one of the following conditions exists:
- The reproductive healthcare is lawful under the law of the state in which such healthcare is provided and under the circumstances in which it is provided.
- The reproductive healthcare is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such healthcare is provided.
- The reproductive healthcare was provided by a person other than the Regulated Entity that receives the request for PHI.
The Final Rule includes a presumption that the reproductive healthcare provided by a person other than a Regulated Entity receiving the request was lawful.
Considering the above, the Final Rule would prevent the disclosure of reproductive PHI for the purposes of a criminal investigation by a state that has outlawed abortion procedures if the patient traveled to a neighboring state, where such practice is legal, to obtain the procedure.
Requirements of regulated entities
Attestation
The Final Rule requires a Regulated Entity, when it receives a request for PHI potentially related to reproductive healthcare, to obtain a signed and dated attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies to requests for PHI for the following:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Disclosures to coroners and medical examiners
Notice of Privacy Practices
The Final Rule requires HIPAA-covered entities to revise their notices of privacy practices (NPPs) to support reproductive healthcare privacy by February 16, 2026. The OCR has aligned this date with the compliance date under the 2024 Part 2 Rule.
Takeaways for regulated entities
- Beginning December 22, you must obtain an attestation from a party requesting PHI containing reproductive healthcare information that use of the PHI is not for a prohibited purpose.
- No later than February 16, 2026, covered entities must revise their NPPs.
- Business associate agreements may also need to be revised to address the process for responding to requests for disclosure of reproductive healthcare information.
- Regulated Entities must revise and update their HIPAA training policies and materials to account for the new rule.
For more information on the Final Rule or assistance in complying with its requirements, please contact the authors or another member of Day Pitney's Healthcare or Privacy teams.