Background
On June 25, 2024, the Office for Civil Rights and the U.S. Department of Health and Human Services issued the HIPAA Privacy Rule To Support Reproductive Health Care (the “HIPAA Final Rule”) aimed at strengthening privacy protections for Protected Health Information (“PHI”) related to lawful reproductive healthcare that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes (“Reproductive Healthcare”). A list of examples of Reproductive Healthcare under the HIPAA Final Rule is available here. The move comes in response to Presidential Executive Order 14076, which followed the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization (overturning prior Supreme Court decisions in Roe v. Wade and Planned Parenthood of Southeastern Pennsylvania v. Casey).
Action Required by December 23, 2024
Under the HIPAA Final Rule, healthcare providers, health plans and healthcare clearinghouses (“Covered Entities”) and their business associates are prohibited from using or disclosing PHI relating to Reproductive Healthcare for any of the following:
- Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating Reproductive Healthcare;
- Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating Reproductive Healthcare; or
- Identifying any person for either of the above purposes (collectively, “Prohibited Purposes”).
Covered Entities and their business associates must comply with the requirements under the HIPAA Final Rule by December 23, 2024. In addition, the required changes to Notice of Privacy Practices (“NPP”) – discussed further below – must be implemented by February 16, 2026.
Attestation
The HIPAA Final Rule requires Covered Entities or their business associates to obtain a written attestation that the PHI is not for a Prohibited Purpose before the PHI potentially related to Reproductive Healthcare can be used or disclosed. A valid attestation must contain a description of the information requested, be in plain language, be signed by the requester and clearly state that the PHI related to Reproductive Healthcare is not for “criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive healthcare.” A copy of the model attestation language from the Department of Health and Human Services is available here.
Notice of Privacy Practices
The HIPAA Final Rule requires Covered Entities to update their NPPs to reflect heightened protections for PHI related to Reproductive Healthcare. The NPP must include a description and an example of the type of use and disclosure of PHI that is prohibited and the type of use and disclosure of PHI for which an attestation is required. Covered Entities are also required to amend their NPPs to reflect PHI redisclosure and provide information about substance use disorder records. Covered Entities will need to update their NPPs no later than February 16, 2026. The degree of responsibility for group health plans will vary depending on whether the plan is self-insured or fully-insured: the latter will have more limited responsibilities, since the policies and procedures are maintained by the insurer.