HIPAA Privacy Rule Revisions Address Reproductive Protected Health Information
The Department of Health and Human Services (the “HHS”) recently issued a final rule (the “Final Rule”) amending the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. Among other things, the Final Rule affords individuals greater protection on the use and disclosure of their reproductive health care information. Covered entities and business associates should take particular note of the new administrative responsibilities imposed by the attestation and notice requirements of the Final Rule. Additionally, health plans will need to revise their HIPAA Notices of Privacy Practices (“NPPs”) to reflect certain aspects of the Final Rule.
The Final Rule
The Final Rule expands existing prohibitions on the use or disclosure of protected health information (“PHI”) related to reproductive health care. In particular, the Final Rule prohibits the use or disclosure of reproductive health care PHI to:
- Conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
- Impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
- Identify any person for any purpose described above.
The Final Rule defines “reproductive health care” broadly, so as to include all health care of an individual that affects matters relating to the reproductive system and its functions and processes.
Exception to the Final Rule’s Prohibition
A covered entity or business associate may be permitted to use or disclose reproductive PHI if it has actual knowledge or factual information indicating that the underlying reproductive health care was unlawful. Although the Final Rule allows covered entities and business associates to presume that most reproductive health care is lawful, the Final Rule does not protect PHI in connection with reproductive health care that the covered entity or business associate knows is unlawful. Thus, in each instance, covered entities and business associates will be required to determine whether the underlying reproductive health care was (i) lawful at the state level or (ii) protected, required, or authorized at the Federal level. Covered entities and business associates will need to consider putting in place procedures to facilitate compliance with these provisions of the Final Rule before their December 23, 2024 compliance date.
Attestations
In connection with the prohibition on the use of reproductive health care PHI for certain purposes, covered entities and business associates are required to obtain a signed attestation that the use or disclosure of protected reproductive health care information is not for a prohibited purpose. The attestation process also makes the requesting person potentially liable for criminal or civil penalties for requests for reproductive health care PHI in violation of the Final Rule. Covered entities and business associates may comply with requests for reproductive health care PHI in connection with certain health oversight activities, judicial or administrative proceedings, law enforcement purposes, and coroners’ or medical examiners’ purposes when accompanied by a valid attestation.
Among other requirements, valid attestations must include:
- A specific description of the requested information;
- A clear statement that the use or disclosure is not for a prohibited purpose;
- A statement that a person may be subject to criminal penalties for knowingly obtaining or disclosing individually identifiable PHI in violation of HIPAA;
- The name of individuals, or a description of the class, whose PHI is sought;
- The name or other identification of any person or class requested to make the use or disclosure;
- The name or other identification of any person or class to whom the covered entity is to make the use or disclosure; and
- The signature of the person requesting the PHI.
The HHS recently provided a model attestation for use by covered entities and business associates receiving requests for the use or disclosure of PHI potentially related to reproductive health care.
Notices of Privacy Practices
Covered entities’ NPPs will need to be updated to include the following:
- Description of the types of uses and disclosures of reproductive health PHI prohibited under the Final Rule and an example of a prohibited use or disclosure;
- Description of the types of uses and disclosures of reproductive health PHI for which an attestation is required under the Final Rule, and an example of a use or disclosure for which is attestation is required; and
- Statement regarding the possibility that PHI disclosed to another person or entity may be redisclosed by that person or entity to other persons and entities.
Covered entities in possession of certain substance abuse disorder treatment records are subject to additional detailed notice requirements under the Final Rule, including that an individual may elect that a covered entity not use the individual’s substance abuse disorder records in connection with the individual receiving fundraising communications.
The NPP provisions of the Final Rule require compliance by February 16, 2026. Covered entities should take care to put in place procedures to facilitate compliance with the Final Rule before that compliance date and may need to consider sending the updated NPP with open enrollment materials.
Certain Other Changes
Other changes implemented by the Final Rule include a new standard for assessing personal representatives. Under the Final Rule’s new standard regarding personal representatives, covered entities may not use the provision or facilitation of reproductive health care as a reason to disregard an individual’s personal representative’s directives. Similarly, the Final Rule does not allow covered entities to use the provision or facilitation of reproductive health care as a justification for a report of abuse, neglect, or domestic violence that would otherwise allow the covered entity to use or disclose reproductive PHI without the individual’s consent.
Questions
If you have any questions regarding this new rule or other HIPAA compliance issues, please contact a member of Kelley Drye’s Employee Benefits and Executive Compensation Practice Group.