The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a Final Rule, “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” which was published in the Federal Register on April 26, 2024.[1]
In this landmark Final Rule, OCR, for the first time and absent a federal statutory mandate, categorically and explicitly provides special protections and obligations for a particular type of information created, received, transmitted or maintained by a HIPAA covered entity or business associate: protected health information (“PHI”) about reproductive health care. Notably, the Final Rule restrictions on the use and disclosure of PHI apply to all HIPAA covered entities, including health care providers that conduct standard transactions, health plans, and health care clearinghouses, as well as to all HIPAA business associates (collectively “Regulated Entities”). They are not limited to certain types of providers or to providers that offer reproductive health care services.
The Final Rule defines “reproductive health care” as “health care... that affects the health of an individual in matters relating to the reproductive system and its functions and processes.” The commentary to the Final Rule includes a non-exhaustive list of services that constitute reproductive health care: contraception, including emergency contraception; preconception screening and counseling; management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy and pregnancy termination; fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization (IVF)); diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products). Such services are not exclusive to those with only X chromosomes, or to any particular sex or gender, and would also seemingly include any type of service related to sterilization and fertility, including vasectomies, male hormone therapy and erectile dysfunction treatments.
Because the regulatory definition of “reproductive health care” is so broad, the Final Rule requirements apply to a wide scope of PHI. Regulated Entities, including Business Associates, likely create and maintain such PHI in unstructured formats across many different systems and applications, so automating the identification and tagging of PHI about “reproductive health care” will not be feasible.
Prohibition on Using and Disclosing PHI Related to Reproductive Health Care For Certain Purposes
The Final Rule prohibits a Regulated Entity from using or disclosing PHI for either of the following purposes:[2]
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- To identify any person for the purpose of conducting such an investigation or imposing such liability.
Obligations of Regulated Entities Related to Reproductive Health Care PHI
To comply with the Final Rule prohibition on the use and disclosure of PHI related to reproductive health care for certain purposes, Regulated Entities must obtain a signed, written attestation from the person or entity requesting PHI potentially related to reproductive health care, confirming that the intended use or disclosure of the requested PHI is not for one of the prohibited purposes described above. This attestation requirement applies to requests for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and the authorized duties and activities of coroners and medical examiners (disclosures that would otherwise be permitted under the applicable provisions of 45 C.F.R. § 164.512). The attestation must be in writing, generally as a standalone document, and must meet all the other content requirements set forth in the Final Rule. OCR indicated that it will release a model attestation form prior to the effective date of the Final Rule.
Other than as described above and below related specifically to disclosures to law enforcement, the Final Rule does not impose any additional prohibitions or limitations on a Regulated Entity’s use or disclosure of PHI related to (or potentially related to) reproductive health care, provided that such use or disclosure would otherwise be permitted by the HIPAA Privacy Rule.
Required Changes to the HIPAA Notice of Privacy Practices
The Final Rule finalized certain changes to the content requirements of the HIPAA Notice of Privacy Practices (“NPPs”) that HIPAA Covered Entities must provide to individuals and publicly post on their websites and at all physical locations. These changes include not only provisions related to the privacy of PHI related to reproductive health care but also changes that were proposed related to substance use disorder records subject to 42 C.F.R. Part 2, as described in a separate Notice of Proposed Rulemaking.[3]
Permitted Disclosures to Law Enforcement in Response to Administrative Requests Clarified
With respect to disclosures of all PHI, not just PHI related to reproductive health care, the Final Rule clarified the exception permitting disclosure of PHI to law enforcement in response to an administrative request, as set forth at 45 C.F.R. § 164.512(f)(1)(ii)(C). Under the Final Rule, to make a disclosure based on this permission, the administrative request must now be one for which a response is required by law, not simply an administrative request or investigative demand within the law enforcement official’s authority.
Recommended Action Items
In response to the Final Rule changes, all Regulated Entities should consider taking the following steps:
- Identify where the Regulated Entity creates, maintains, and transmits (particularly automatically) PHI potentially related to reproductive health care and evaluate whether operational and/or technical changes are necessary to help promote compliance with the Final Rule changes;
- Review privacy policies and procedures for compliance with the Final Rule changes and make revisions to the same, as necessary, including creating appropriate operational workflows for obtaining signed attestations, when required;
- For HIPAA Covered Entities, review and revise the NPP to include all modifications and content required by the Final Rule; and
- Train and document training of all workforce members of the Regulated Entities on the Final Rule requirements and corresponding changes to the specific Regulated Entity’s policies and procedures.
Effective Dates for Compliance
This Final Rule is effective on June 25, 2024 (“Effective Date”). Regulated Entities will have 180 days beyond the Effective Date to comply with the Final Rule, with the exception of the required NPP modifications.[4] For NPP modification compliance, HIPAA covered entities will have until February 16, 2026.