06/11/2024

HIPAA Privacy Rule Change To Support Reproductive Health Care Privacy

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently issued a Final Rule protecting reproductive health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The Final Rule prohibits covered entities and their business associates from using or disclosing an individual’s protected health information (PHI) for the purpose of conducting a criminal, civil or administrative investigation into or imposing liability on any person for the seeking, obtaining, providing or facilitating reproductive health care that is or was lawful under the circumstances it was provided.

After the Supreme Court’s decision regarding abortion rights in Dobbs v. Jackson Women’s Health Organization, and in response to some state legislatures enacting or resurrecting state laws that regulate abortions and impose civil and criminal liability in connection therewith, OCR expressed concern that individuals may no longer feel that their private reproductive health information is safe from disclosure, and that the confidentiality of this information may be impacted by those who wish to use such information to initiate criminal, civil, and administrative investigations or proceedings. As a result, President Biden issued Executive Order 14076 directing HHS to take action under HIPAA to ensure protection of information related to reproductive health care and to support the confidentiality of information exchanged between a patient and their provider. The amendments to the Privacy Rule will become effective June 25, 2024, and the first compliance deadline is December 23, 2024.

The Final Rule applies to all covered entities and business associates, not just those healthcare providers who provide reproductive health care services. While employers themselves are not covered entities, the group health plans sponsored by employers are covered entities regulated by HIPAA, and the employer sponsoring the group health plan is responsible for ensuring the group health plan’s compliance. With compliance deadlines set at the end of 2024, covered entities, business associates, and health plan sponsors should start planning now for the necessary updates.

What is reproductive health care under the Final Rule?

The Final Rule defines “reproductive health care” as health care that “affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This definition is broad, and examples include lawfully obtained contraception, management of pregnancy and pregnancy-related conditions (e.g., pregnancy screening, prenatal care, miscarriage management), fertility or infertility diagnosis or treatment, and medications and devices.

What is prohibited under the Final Rule?

The Final Rule strengthens privacy protections by prohibiting covered entities and business associates from using or disclosing PHI for:

• Conducting a criminal, civil, or administrative investigation into any person for seeking, obtaining, providing, or facilitating reproductive health care if such health care was lawfully provided.
• Imposing criminal, civil, or administrative liability on any person for seeking, obtaining, providing, or facilitating reproductive health care if such health care was lawfully provided.
• The identification of any person for the purposes of conducting such investigation or imposing such liability.

Reproductive health care is lawfully provided if it is lawful in the state in which it was provided, or protected, required or authorized by Federal law, including the U.S. Constitution. The Final Rule includes a presumption that reproductive health care provided is lawful unless the covered entity or business associate has (i) actual knowledge that such health care was provided unlawfully, or (ii) receives information from the person requesting the use or disclosure of the PHI with a substantial factual basis that it was unlawful.

Required Steps and Potential Action Items for Compliance:

Covered entities and business associates are expected to be in full compliance by December 23, 2024 (other than with respect to the NPP changes discussed below, which have an extended compliance deadline of February 16, 2026). Consider the following action items below:

1.  Obtain Signed Attestation.

Covered entities and business associates who receive a request for reproductive health care PHI are required to obtain a signed attestation from the requesting party that their request is not for a prohibited purpose. An attestation must be obtained when PHI related to reproductive health services is requested in connection with health oversight activities, judicial and administrative proceedings, responding to subpoenas and warrants, law enforcement purposes, and when requested by coroners and medical examiners.

HHS intends to publish a model attestation before the compliance date of the Final Rule.

2.  Revise Notice of Privacy Practices (NPPs).

Covered entities must revise their NPPs to include a description and examples of the types of prohibited uses and disclosures of PHI and the types of uses and disclosures that would require an attestation. Along with a few new requirements related to what are known as the “Part 2” rules (related to substance abuse records), there will also need to be a new statement explaining to individuals that PHI disclosed pursuant to the Privacy Rule may be redisclosed, at which point, it would no longer be protected by HIPAA.

3.  Update HIPAA Privacy Compliance Programs.

Covered entities must incorporate into their HIPAA privacy compliance program the terms of the Final Rule. This includes amending policies and procedures, drafting and implementing compliant attestation forms, revising their NPP as required under the Final Rule (see item 2 above), and training staff and business associates. In addition, business associate agreements (BAAs) should be reviewed to determine whether any updates are needed to adequately address the requirements of the Final Rule.

McGrath North’s Privacy and Cybersecurity and Employee Benefits teams are equipped to guide entities through every step of Final Rule compliance, from revising privacy policies and procedures to updating your NPP and helping to ensure your staff is properly trained. We offer comprehensive support to help your organization understand and implement the new requirements, ensuring that you are fully prepared to meet the compliance deadlines.