HIPAA Privacy Rule to Support Reproductive Health Care Privacy – Final Rule
April 24, 2024
On April 22, 2024, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR) announced a final rule, titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule). The rule will become effective 60 days after formal publication in the Federal Register, with a final compliance deadline of 240 days after publication, except for certain requirements that must be complied with by February 16, 2026. The Final Rule was instituted in direct response to the U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization overturning precedent that protected a constitutional right to abortion, thus altering the legal and health care landscape in the United States. The rule also supports President Biden’s Executive Orders, including EO 14076, on protecting access to reproductive health care.
Strengthening of Privacy Protections
The Final Rule prohibits the use or disclosure of protected health information (PHI) by covered entities or their business associates for either of the following activities:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
- The identification of any person for the purpose of conducting such investigation or imposing such liability.
The rule also requires covered entities and their business associates to obtain a signed attestation stating that certain requests for PHI potentially related to reproductive health care are not for any of the above prohibited purposes. The attestation requirement applies when the request for PHI is for:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Disclosures to coroners and medical examiners.
For example, reproductive health care information could be obtained by public health entities, auditors, and certain others so long as the information will not be used for prohibited purposes and an attestation to such effect is provided by such requestors. The OCR states that it intends to publish model attestation language before the compliance date of the Final Rule.
However, disclosures of PHI to law enforcement are permitted under the Final Rule only if all of the following conditions are met:
- The disclosure is not subject to the prohibition
- The disclosure is required by law, as defined under HIPAA
- The disclosure meets all applicable conditions of the HIPAA Privacy Rule permission to use or disclose PHI as required by law.
Changes to Notice of Privacy Practices
Each covered entity will need to modify its Notice of Privacy Practices to support reproductive health care privacy in compliance with the Final Rule. The Final Rule requires that, in addition to addressing the requirements of the rule in such revised notices, covered entities will be obligated to address changes to such notice as required under federal regulations governing the confidentiality of patient identifying information of substance use disorder treatment facilities found at 42 CFR Part 2. OCR matched the compliance date under the Final Rule with the compliance date in 42 CFR Part 2 concerning changes to the notices required under each respective set of regulations. In this regard, covered entities must incorporate required changes under both the Final Rule and 42 CFR Part 2 by February 16, 2026.
Changes to HIPAA Policies and Procedures
Covered entities and their business associates will need to amend their HIPAA policies and procedures to incorporate the changes made by the Final Rule and provide workforce training to ensure compliance.
Links to Rule and Fact Sheet
The Final Rule may be viewed here. The Final Rule Fact Sheet may be viewed here.
For additional information or assistance with your privacy and security program, contact:
Lani M. Dornfeld, Esq., CHPC, Member, Healthcare Practice Group, at ldornfeld@bracheichler.com or (973) 403-3136