Actions Needed to Get Your Health Plan in Compliance With the New HIPAA Rules

Bricker Graydon LLP

[co-author: Briana Blair]

On April 26, 2024, the U.S. Department of Health and Human Services (HHS) published the Reproductive Health Care Rule. This final rule enhances the HIPAA privacy protections for protected health information (PHI) relating to reproductive health care. While the Rule is effective June 25, 2024, all covered entities, including group health plans, have until December 23, 2024, to comply with the new requirements, with the exception that the HIPAA Notice of Privacy Practices must be updated by February 16, 2026.

What is the Reproductive Health Care Rule?

The Reproductive Health Care Rule (“Rule”) prohibits the use and disclosure of PHI relating to an individual’s reproductive health care for the following purposes:

  • To conduct a criminal, civil, or administrative investigation into the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;
  • To impose a criminal, civil, or administrative liability on any person; or
  • To identify any person for the purpose of conducting such investigation or imposing such liability.

The Rule applies only when the reproductive health care is lawful. It is lawful when it is permitted under the state law in which such health care is provided, or when it is authorized by federal law. Unless the group health plan has actual knowledge or factual information that the health care was unlawful, the plan must assume it was lawful. If the HIPAA Privacy Officer determines the health care was unlawful, the plan is permitted to disclose the health care information in accordance with HIPAA’s normal privacy and security requirements.

What is Reproductive Health Care Information?

Reproductive health care is defined as “health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”

The Rule also provides a non-exhaustive list of the types of health care that are encompassed by this definition, including:

  • Contraception;
  • Pregnancy-related health care;
  • Fertility or infertility related health care; or
  • Other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system.

Attestation Requirement

In addition to the new prohibitions on the use and disclosure of PHI relating to reproductive health care, the Rule also requires that covered entities and business associates who receive requests for PHI that is related to reproductive health care obtain an attestation form from the person or entity requesting the information. A written, signed, and dated attestation form is required when the PHI request is related to any of the following:

  • Health care oversight activities;
  • Judicial or administrative proceedings;
  • Law enforcement purposes; or
  • Disclosures to coroners and medical examiners.

A valid attestation must include a description of the specific information requested, a statement that the use or disclosure is not for a prohibited purpose, and a statement explaining the criminal penalties for violating HIPAA’s privacy or security rules. HHS has issued a model attestation form.

Next Steps for Employers

To ensure that your group health care plans are in compliance with the Rule, consider these potential next steps:

  1. Policies and Procedures: Review and update HIPAA policies and procedures to include the new prohibitions that apply to reproductive health care PHI.
  2. Notice of Privacy Practices: Update the Notice of Privacy Practices to include the new prohibitions regarding uses and disclosures of an individual’s reproductive health care PHI and the attestation rule, including examples.
  3. Business Associate Agreements: Review and update business associate agreements to ensure compliance with the Rule.
  4. Training: Train employees responsible for managing health plan information or responding to PHI requests about the requirements of the Rule, including the new prohibitions and obtaining attestation forms.
  5. Attestation: Create an attestation form.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Bricker Graydon LLP
