The US Department of Health and Human Services, Office for Civil Rights (OCR) published its Final Rule titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy in the Federal Register on April 26, 2024.
The Final Rule modifies the HIPAA Privacy Rule to add safeguards around the use and disclosure of certain protected health information (PHI), addressing the privacy concerns that arose around seeking or providing reproductive health care after Dobbs v. Jackson Women’s Health Organization. The Final Rule takes effect on June 25, 2024, and the compliance date is December 22, 2024.
In this post, we dive into the key modifications to the HIPAA Privacy Rule.
Prohibited Use and Disclosure of PHI Related to Reproductive Health Care
Covered entities and business associates may not use or disclose PHI to investigate or impose liability on individuals, health care providers, or others for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided, or to identify any person for those purposes.
The prohibition applies only where a covered entity or business associate receives a request for PHI potentially related to reproductive health care and reasonably determines that at least one of the following conditions is met:
- The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided
- The reproductive health care is protected, required, or authorized by federal law, including the US Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided
- The reproductive health care was provided by someone other than the covered entity or business associate that receives the request. In that case the care is presumed lawful (the Final Rule’s “presumption”) unless the covered entity or business associate has (1) actual knowledge that the care was not lawful under the specific circumstances in which it was provided or (2) factual information supplied by the person requesting the PHI that demonstrates a substantial factual basis that the care was not lawful under those circumstances
Covered entities and business associates may still disclose PHI related to reproductive health care with a valid authorization from the individual or the individual’s personal representative. A covered entity may, however, decline to treat a person as an individual’s personal representative if the individual has been or may be subjected to domestic violence, abuse, or neglect by that person, or if the covered entity reasonably believes that treating the person as the personal representative could endanger the individual.
Attestation Required for Certain Uses and Disclosures
A covered entity or business associate must obtain a valid attestation before using or disclosing PHI potentially related to reproductive health care for any of the following purposes:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement
- Coroners and medical examiners
The attestation must include the following elements:
- A description of the information requested
- The name of any individual(s) or a description of the class of individuals whose PHI is being sought
- The name or other specific identification of the person(s) or class of persons being asked to make the use or disclosure
- The name or other specific identification of the person(s) or class of persons requesting the PHI
- A clear statement that the PHI will not be used or disclosed for a purpose prohibited by the Final Rule
- A statement that a person may be subject to criminal penalties under 42 USC 1320d-6 if that person knowingly, and in violation of HIPAA, obtains individually identifiable health information relating to an individual or discloses it to another person
- The signature (which may be electronic) of the person requesting the PHI, and the date
The attestation must be written in plain language and may not be combined with any other document, such as an authorization form.
The Final Rule requires strict compliance with the attestation requirements. An attestation is defective if it omits a required element or includes information beyond what is required, and a covered entity or business associate may rely on it only where that reliance is reasonable under the circumstances. OCR has stated that it intends to publish a model attestation form before the Final Rule’s compliance date.
Notice of Privacy Practices
Covered entities must revise their Notice of Privacy Practices to describe, among other things, the types of uses and disclosures the Final Rule prohibits and the circumstances in which an attestation is required. Covered entities have until February 16, 2026 to comply with the updated Notice of Privacy Practices requirements.
Other Changes
The Final Rule includes several other changes, including a new definition of “reproductive health care,” a definition of “public health” (surveillance, investigation, and intervention) that clarifies when the public health exception applies, and a revised definition of “person” clarifying that a natural person is a human being who is born alive.
Action Items for Group Health Plan Sponsors
The Final Rule requires covered entities to do the following:
- Update HIPAA Privacy Policies and Procedures to comply with the Final Rule by the December 22, 2024 compliance date
- Update the HIPAA Notice of Privacy Practices to comply with the Final Rule and with the recent 42 CFR Part 2 regulations addressing substance use disorder records by the February 16, 2026 compliance date
- Provide updated workforce training by the December 22, 2024 compliance date
For questions on the HIPAA Privacy Rule, please contact one of the authors of this blog post or another Morgan Lewis contact.