HHS final rule requires HIPAA compliance changes for reproductive health care information – Technologist

Key Changes to HIPAA Privacy Requirements

Prohibits Certain Disclosures of Reproductive Health Care Information to Law Enforcement

The final rule prohibits the use or disclosure of PHI to support the investigation, prosecution or identification of individuals who seek, obtain, provide or facilitate lawful reproductive health care¹ (the “Prohibited Purposes”). Our prior post outlined key proposed changes in the notice of proposed rulemaking (“NPRM”), following the rise of uncertainty around reproductive health care as a result of the U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization.

Presumes that Care Provided was Lawful

The final rule includes a presumption that reproductive health care was lawful, unless certain conditions are met. These include the recipient of the request having actual knowledge that the care was not lawful, or where factual information is presented by the requestor that provides a substantial factual basis that the care was not lawful.

Requires a Signed Attestation

The final rule requires that when HIPAA-regulated entities receive requests for reproductive health care information, they must obtain a signed attestation from the requestor that the intended use or disclosure of that information is not for a Prohibited Purpose. The attestation requirement applies only if the request is for (1) law enforcement purposes, (2) judicial and administrative proceedings, (3) health oversight activities, or (4) disclosures to coroners and medical examiners. An attestation will be limited to the specific use or disclosure, therefore, each use or disclosure request for reproductive health care information will require a new attestation. The final rule includes required elements for a valid attestation and HHS intends to publish model attestation language before the compliance date of the final rule.

Imposes Mandatory Updates to Notice of Privacy Practices

The final rule requires HIPAA-regulated entities to revise their Notices of Privacy Practices (“NPPs”) to support reproductive health care privacy. Specifically, NPPs must be updated to include a description and an example of the Prohibited Purposes with sufficient detail for an individual to understand the prohibition and the types of uses and disclosures of PHI that require an attestation. The final rule also includes requirements for entities that create or maintain Substance Use Disorder (“SUD”) patient records (i.e., “Part 2” records) to update their NPPs to reflect permitted and prohibited uses and disclosures of such records. We discussed HHS’s final rule regarding Part 2 records in this previous post.  

To prevent attempts to use other HIPAA provisions that allow the use or disclosure of PHI to justify uses and disclosures of reproductive health information for Prohibited Purposes, the final rule clarified the scope of certain permitted purposes, including:

• Uses and disclosures of PHI for public health activities. The final rule adopts a new definition of “public health” that makes clear that permissible public health activities are population-level activities and do not include uses of PHI to conduct an investigation, impose liability on, or identify any person for seeking, obtaining, providing, or facilitating health care.

• Disclosures of PHI to report cases of abuse or neglect. The final rule prohibits regulated entities from using or disclosing PHI to report abuse or neglect when the sole basis for the report is the provision or facilitation of reproductive health care. This provision differs from the proposed rule, where disclosure of PHI for reporting abuse was prohibited when the report is based primarily on the provision of reproductive health care.

Penalties

A person who knowingly and in violation of HIPAA falsifies an attestation (e.g., makes a material misrepresentation about the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual’s reproductive health care information could be subject to criminal penalties.

Compliance Timeline and Next Steps

The effective date of the rule is 60 days after the date of publication in the federal register, which is scheduled to be April 26, 2024. The compliance date is 240 days after the date of publication in the federal register, except for the applicable requirements for the NPPs which go into effect on February 16, 2026. The phased roll out allows organizations to evaluate how the new requirements may impact their operations, identify what public-facing and internal materials may be affected, and update accordingly.

Steps organizations can take now include:

• assessing what information and activities may be in scope for these requirements;

• confirming what processes are needed to provide additional safeguards for reproductive health care information in light of the new requirements;

• identifying and updating internal policies, procedures, and practices for responding to law enforcement or third-party requests for PHI, data handling, and permitted/prohibited uses and disclosures that may include reproductive health care information;

• revising their Notices of Privacy Practices;

• drafting applicable forms, including attestation templates, and response procedures for responding to requests; and

• training workforce members on the new requirements and updated process.

Authored by Marcy Wilder, Melissa Bianchi, Melissa Levine, Donald DePass, Alyssa Golay, and Fleur Oké.

References

1 “Reproductive health care” is defined as health care, under HIPAA, that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”  In line with the NPRM, HHS states that it would interpret “reproductive health care” to include, but not be limited to: contraception, including emergency contraception; preconception screening and counseling; management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination; fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization (IVF)); diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products).