HIPAA Privacy Final Rule: Landmark Changes Related to Reproductive Health Care Information

Polsinelli

The U.S. Department of Health and Human Services (“HHS”) and Office for Civil Rights (“OCR”) issued a “Final Rule,” the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, which was published in the Federal Register on April 26, 2024.[1]

In this Final Rule and landmark publication, OCR, for the first time in history, absent a federal statutory mandate, categorically and explicitly provides special protections and obligations related to particular types of information created, received, transmitted or maintained by a HIPAA covered entity or business associate; in this case, protected health information (“PHI”) about reproductive health care. Notably, the Final Rule restrictions on the use and disclosure of PHI apply to all HIPAA covered entities, including health care providers that conduct standard transactions, health plans, and health care clearinghouses, as well as to all HIPAA business associates (collectively “Regulated Entities”) and not specifically to certain types of providers or to providers that provide reproductive health care services only.

The Final Rule defines “reproductive health care” as “health care... that affects the health of an individual in matters relating to the reproductive system and its functions and processes.” The commentary to the Final Rule includes a non-exhaustive list of services that constitute reproductive health care: contraception, including emergency contraception; preconception screening and counseling; management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy and pregnancy termination; fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization (IVF)); diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy related nutrition services, postpartum care products). Such services are not exclusive to those with only X chromosomes, or of any particular sex or gender, and would also seemingly include any type of service related to sterilization and fertility, including vasectomies, male hormone therapy and erectile dysfunction treatments.

Due to this broad regulatory definition of “reproductive health care,” the Final Rule requirements apply broadly to a wide scope of PHI, which Regulated Entities, including Business Associates, likely create and maintain in non-structured formats in many different systems and applications, such that automating the identification and tagging of PHI about “reproductive health care” will not be feasible.

Prohibition on Using and Disclosing PHI Related to Reproductive Health Care for Certain Purposes

The Final Rule prohibits a Regulated Entity from using or disclosing PHI for either of the following purposes:[2]

  1. To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  2. The identification of any person for the purpose of conducting such investigation or imposing such liability.

Obligations of Regulated Entities Related to Reproductive Health Care PHI

In order to comply with the Final Rule prohibition on the use and disclosure of PHI related to reproductive health care for certain purposes, Regulated Entities must, upon receiving a request for PHI potentially related to reproductive health care for health oversight activities, judicial and administrative proceedings, law enforcement purposes and authorized duties and activities of coroners and medical examiners (which would otherwise be permitted pursuant to the applicable provisions of 45 C.F.R. § 164.512), obtain a signed, written attestation from the person or entity requesting the PHI that the intended use or disclosure of the requested PHI is not for one of the above described prohibited purposes. Such attestation must be in writing, generally a standalone document, and meet all the other delineated content requirements set forth in the Final Rule. OCR indicated that it will release a model form of attestation in the future prior to the effective date of the Final Rule.

Other than as described above and below related specifically to disclosures to law enforcement, the Final Rule does not impose any additional prohibitions or limitations on a Regulated Entity’s use or disclosure of PHI related to (or potentially related to) reproductive health care, provided that such use or disclosure would otherwise be permitted by the HIPAA Privacy Rule.

Required Changes to the HIPAA Notice of Privacy Practices

The Final Rule finalized certain changes to the content requirements of the HIPAA Notice of Privacy Practices (“NPPs”) that HIPAA Covered Entities must provide to individuals and publicly post on their websites and at all physical locations. Such changes include not only provisions related to the privacy of PHI related to reproductive health care but also changes that were proposed related to substance use disorder records subject to 42 C.F.R. Part 2, as described in a separate Notice of Proposed Rulemaking.[3]

Permitted Disclosures to Law Enforcement in Response to Administrative Requests Clarified

Related to disclosures of all PHI, not just that related to reproductive health care, the Final Rule clarified the permissible disclosure exception for disclosing PHI to law enforcement in response to an administrative request, as set forth at 45 C.F.R. § 164.512(f)(1)(ii)(C). Pursuant to the Final Rule, to make a disclosure based on this permission, the administrative request must now be one for which a response is required by law, not simply an administrative request or investigative demand within the law enforcement official’s authority.

Recommended Action Items

In response to the Final Rule changes, all Regulated Entities should consider taking the following steps:

  • Identify where the Regulated Entity creates, maintains, and transmits (particularly automatically) PHI potentially related to reproductive health care and evaluate whether operational and/or technical changes are necessary to help promote compliance with the Final Rule changes;
  • Review privacy policies and procedures for compliance with the Final Rule changes and make revisions to the same, as necessary, including creating appropriate operational workflows for obtaining signed attestations, when required;
  • For HIPAA Covered Entities, review and revise the NPP to include all modifications and content required by the Final Rule; and
  • Train and document training of all workforce members of the Regulated Entities on the Final Rule requirements and corresponding changes to the specific Regulated Entity’s policies and procedures.

Effective Dates for Compliance

This Final Rule is effective on June 25, 2024 (“Effective Date”). Regulated Entities will have 180 days beyond the Effective Date to comply with the Final Rule, with the exception of the required NPP modifications.[4] For NPP modification compliance, HIPAA covered entities will have until February 16, 2026.


[1] HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 89 Fed. Reg. 32,976 (Apr. 26, 2024) (to be codified at 45 C.F.R. pts. 160 and 164).

[2] These prohibitions apply unless the Regulated Entity has actual knowledge that the reproductive health care was not lawfully provided in the state where it was received or under applicable Federal law or received “factual information” from the person requesting the PHI that “demonstrates a substantial factual basis” that the reproductive health care was not lawfully provided in the state where it was received or under applicable Federal law. Applicable Federal law includes when Federal law preempts applicable state law.

[3] 87 Fed. Reg. 74216, 74237 (Dec. 2, 2022). HHS combined modifications to the NPP from both rulemakings into a single final rule because 45 C.F.R. § 164.104 limits the Secretary to making modifications to a standard or implementation specification no more than once every 12 months.

[4] Id.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.
