New HIPAA Final Rule Imposes Added Protections for Reproductive Health Care Privacy

Jackson Lewis P.C.

On April 22, 2024, the federal Department of Health and Human Services’ Office for Civil Rights (OCR) announced a final rule enhancing privacy protections relating to reproductive health care. Specifically, the final rule amends the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) to, among other things, establish new limits on the use or disclosure of protected health information (PHI) relating to reproductive health care. Citing the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization and its far-reaching implications for reproductive health care, the OCR asserts that the rule change is necessary in order to ensure, among other things, that individuals are not afraid to seek reproductive health care.

Under HIPAA, the Privacy Rule is one of several rules, collectively known as the HIPAA Rules, that protect the privacy and security of individuals’ protected health information (PHI). The OCR administers and enforces the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses, and business associates (collectively, “regulated entities”) to safeguard the privacy of PHI and sets limits and conditions on the uses and disclosures of such information.  

PHI generally refers to individually identifiable health information transmitted by or maintained in electronic media or any other form or medium. A basic requirement of the Privacy Rule is that PHI may not be used or disclosed except as permitted under HIPAA, and those permissions can be further limited by contrary, more stringent state law. Disclosures of PHI are required only in limited circumstances, such as when required by the Secretary of Health and Human Services to investigate a covered entity’s compliance with the Privacy Rule, and to the individual pursuant to the individual’s right of access. In other limited cases, uses and disclosures of PHI may be made (they are permitted, not required) without the authorization of the individual, such as for treatment, payment, or healthcare operations.

Even with these protections, the OCR observed several concerns relating to the use and disclosure of certain PHI related to reproductive healthcare. These include potential harm caused by disclosing such information for non-health care purposes, such as to conduct an investigation against, or to impose liability upon, an individual or another person who receives or delivers reproductive healthcare. According to the OCR, these situations may chill an individual’s willingness to seek lawful healthcare treatment or to provide full information to their health care providers when obtaining that treatment. They also may hamper the willingness of health care providers to provide such care.

OCR received almost 30,000 public comments on the proposed rule. After considering those comments, the OCR’s final rule:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
  • Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires regulated health care providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive health care privacy.

The final rule is effective 60 days after publication in the Federal Register, and regulated entities will have 180 days after that to comply. However, the OCR extended the compliance date for required updates to Notices of Privacy Practices (NPP). The agency considered additional changes that are required to NPPs under the 2024 Confidentiality of Substance Use Disorder Patient Records Final Rule (rules seeking to better harmonize HIPAA with rules pertaining to certain federally funded substance abuse treatment programs under 42 USC Part 2). The compliance date for those changes is February 16, 2026. The OCR adopted the same deadline for these changes.

The final rule will have several other implications. For example, some commenters questioned how the rule would affect their current business associate agreements. The OCR noted that the final rule may require regulated entities to revise existing business associate agreements where such agreements permit regulated entities to engage in activities that are no longer permitted under the revised Privacy Rule. Another concern commenters raised is whether minors and legal adults have the same protections under the Privacy Rule and whether this rule would alter existing protections. The OCR assured the commenters that the final rule does not change how the Privacy Rule applies to adults and minors – the protections provided to PHI by this final rule apply equally to adults and minors. For example, under this final rule, a regulated entity is prohibited from using or disclosing a minor’s PHI for the purposes prohibited under the final rule.  

The final rule includes conforming and clarifying changes to the HIPAA Rules, such as:

  • clarifying the definition of “person”;
  • adopting new definitions of “public health” surveillance, investigation, or intervention, and “reproductive health care”;
  • adding a new category of prohibited uses and disclosures;
  • clarifying that a regulated entity may not decline to recognize a person as a personal representative for the purposes of the Privacy Rule because they provide or facilitate reproductive health care for an individual;
  • imposing a new requirement that, in certain circumstances, regulated entities must first obtain an attestation that a requested use or disclosure is not for a prohibited purpose; and
  • requiring modifications to covered entities’ NPPs to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under this final rule.

Regulated entities will need not only to review and update their written policies and procedures but also to ensure that established practices by workforce members are retooled to conform to the new requirements. Training, therefore, will be helpful in ensuring compliance with the new requirements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising
