Changes to the HIPAA Privacy Rules – A Primer for Self-Insured Group Health Plans

Kilpatrick

The Office for Civil Rights (“OCR”) of the US Department of Health and Human Services recently released a final rule (“Final Rule”) to update the HIPAA Privacy Rules for reproductive health care information. The Final Rule also updates the Notice of Privacy Practices requirements, both for reproductive health care information and for the final rules published earlier this year on the Confidentiality of Substance Use Disorder Patient Records (otherwise known as the “Part 2 Rules”).

Compliance with the Final Rule is required by December 23, 2024, except for the changes to the Notice of Privacy Practices, for which compliance is required by February 16, 2026 (a date chosen to coincide with the compliance date for the Part 2 Rules).

Additional Prohibitions on Reproductive Health Care Information

Health care providers, health plans and their business associates are now prohibited from using or disclosing PHI when the PHI is requested (1) to conduct a criminal, civil, or administrative investigation into, or to impose criminal, civil, or administrative liability on, any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances, or (2) to identify any person for either of those purposes.

The above prohibition applies where a health care provider, health plan or business associate has reasonably determined that one or more of the following conditions exists –

The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.

The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.

If the reproductive health care was not provided by the health care provider, health plan or business associate that receives the request for PHI, the provider, plan or business associate can assume that the health care is lawful unless it (1) has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided or (2) receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.

The Final Rule continues to permit health care providers, health plans and business associates to use or disclose PHI for purposes otherwise permitted under the HIPAA Privacy Rule where the request for the use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. For example, a covered entity or business associate could use or disclose PHI to defend itself in an investigation, proceeding or lawsuit involving the provision of reproductive health care.

The Final Rule also permits a covered entity or business associate to decline to recognize a person as an individual’s personal representative in domestic violence or endangerment situations.

New Attestation Rules for Reproductive Health Care

In addition to the current authorization rules, the Final Rule adds new attestation rules with respect to reproductive health care. Before using or disclosing PHI that is potentially related to reproductive health care, the health care provider, health plan or business associate must receive a valid attestation from the person requesting the use or disclosure, if the use or disclosure is related to any of the following –

Health oversight activities

Judicial and administrative proceedings

Law enforcement

Coroners or medical examiners

A valid attestation must include the following elements –

The name of any individual(s) whose PHI is sought, if practicable; or if not practicable, a description of the class of individuals whose PHI is sought.

The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure.

The name or other specific identification of the person(s), or class of persons, to whom the covered entity is to make the requested use or disclosure.

A clear statement that the use or disclosure is not for a prohibited purpose (e.g., is not for a criminal, civil, or administrative investigation into any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances).

A statement that a person may be subject to criminal penalties if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person.

Signature and date of the person requesting the PHI, which may be electronic.

Similar to the authorization rules, the attestation rules also include a plain language requirement, set forth rules on compound attestations, and set forth rules on defective attestations. OCR also intends to publish model attestation language before December 23, 2024.

Notice of Privacy Practices

The Final Rule requires covered entities to significantly revise their Notices of Privacy Practices to reflect the changes related to reproductive health care privacy. For example, the privacy notice will have to describe, and provide at least one example of, the new prohibitions that relate to reproductive health care. In addition, the notice will have to describe the uses and disclosures for which an attestation is required and provide at least one example. The Final Rule also requires revisions to the Notice of Privacy Practices for the Part 2 Rules. Compliance with these notice changes is not required until February 16, 2026.

Key Takeaways for Self-Insured Group Health Plans

As noted in our prior blog post concerning the Part 2 Rules, a number of documentation updates may be needed to comply with the Part 2 Rules. Similar changes are also required with respect to the Final Rule by December 23, 2024, as follows –

Vendor Contracts. Plan sponsors as well as vendors may need to review their agreements to determine if changes are necessary.

Business Associate Agreements. For vendors that are subject to both the Part 2 Rules and the HIPAA Privacy Rules, plan sponsors should review their business associate agreements to determine if revisions are necessary for the Part 2 Rules and/or the Final Rule. For vendors that are only subject to the HIPAA Privacy Rules, depending on the wording of the business associate agreement, updates may be needed for the Final Rule.

HIPAA Policies and Procedures Manual. A self-insured health plan sponsor is liable for all compliance with HIPAA even though sponsors delegate most administration to vendors. These delegations should be set forth in the vendor contracts and BAAs. But, they also should be set forth in the health plan’s policies and procedures manual, which will need to be updated for both the Part 2 Rules and the Final Rule.

HIPAA Health Plan Document Provisions. The HIPAA language in the health plan document will need to be updated for both the Part 2 Rules and the Final Rule.

HIPAA Notice of Privacy Practices. While an updated notice is required, the compliance date is extended to February 16, 2026.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kilpatrick | Attorney Advertising
