Client Alert: The Department of Health and Human Services Issues HIPAA Final Rule Providing Additional Reproductive Health Safeguards

Maliha Ikram, Michelle Kallen, Michael Najjarpour, Matt Renaud
Jenner & Block
Contact
LinkedIn
Facebook
X
Send
Embed

Jenner & Block

On April 26, 2024, the Department of Health and Human Services (HHS) published the final HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule). The Final Rule became effective June 25, 2024.

The Final Rule modifies the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to provide additional protections by prohibiting the use or disclosure of protected health information (PHI) by HIPAA covered entities or their business associates in response to certain reproductive health-related requests. The Final Rule originated in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and the state abortion bans that followed. The Final Rule seeks to address the privacy concerns of those who seek, obtain, or provide reproductive health care.

Covered entities and business associates must comply with much of the Final Rule by December 22, 2024, but have until February 16, 2026 to update their Notice of Privacy Practices.

Protections of PHI

Under the Final Rule, the use or disclosure of PHI is prohibited for the following activities:

  • To conduct a criminal, civil, or administrative investigation into or impose a criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

The prohibitions are imposed on HIPAA covered entities—health plans, health care providers, and health care clearinghouses—and their business associates. The above prohibition on sharing PHI exists where the covered entity or business associate has “reasonably determined” that one of the following exists:

  • The reproductive health care is lawful in the state in which the health care is provided under the circumstances in which it is provided.
    • For example, where the resident of a state travels to another state to receive reproductive health care, such as an abortion, that is lawful in the state where the health care is provided.
  • The reproductive health care is protected, required, or authorized by federal law, including the US Constitution, regardless of the state in which such health care is provided.
  • The reproductive health care was provided by a person other than the covered entity or business associate that receives the request for PHI. There is a presumption that the health care provided was lawful unless the covered entity or business associate has:
      • actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or
      • receives factual information from the person making the request for PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.

The Final Rule also defined “reproductive health care” to mean health care that affects the health of an individual in all matters relating to the reproductive system (including its functions and processes). This includes contraception (e.g., emergency contraception and preconception screening and counseling), management of pregnancy and pregnancy-related conditions (e.g., prenatal care and miscarriage management), and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography and pregnancy-related nutrition services).

Attestation

The Final Rule introduces a new attestation requirement on covered entities and business associates that receive a request for PHI that may be related to reproductive health care. The attestation will help ease the burden on entities that receive a request for PHI to identify which requests fall under the prohibition because it relates to reproductive health care.

When a covered entity or business associate receives a request for PHI that is potentially related to reproductive health care, it must obtain a signed and dated attestation that the use or disclosure is not for a prohibited purpose discussed above. An attestation is required when PHI is requested for: health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners.

The attestation requirements include a specific description of the information requested, a statement that the use or disclosure is not for a prohibited purpose, and a statement that the person may be subject to criminal penalties if they knowingly violate HIPAA through their request of prohibited information.

The attestation gives a covered entity or business associate an opportunity to obtain a written representation from the requestor of the PHI that the request is not for a prohibited purpose.

HHS has published a model attestation that can be used to comply with the requirement which can be accessed here.

Notice of Privacy Practices

The Final Rule requires covered entities to revise their Notice of Privacy Practices (NPPs) to reflect the strengthening of reproductive health care privacy protections. This will include reflecting the prohibitions on the use and disclosure of PHI discussed above. As mentioned above, compliance with this requirement will be mandatory effective February 16, 2026.

Next Steps

Covered entities should take steps now to prepare for compliance in late December of this year:

  • Policies and Procedures: Review and revise HIPAA policies and procedures to reflect the changes and attestation discussed in the Final Rule.
  • HIPAA Training: Revise HIPAA training materials to reflect the changes and attestation discussed in the Final Rule.
  • Attestation: Although HHS has provided a model attestation, covered entities will need to develop and implement a process to solicit attestations where necessary.

Additionally, with the overturning of Chevron deference this past Supreme Court Term in Loper Bright Enterprises v. Raimondo and Relentless, Inc. v. Department of Commerce, any challenge to the Final Rule may be viewed with less deference to HHS than was accorded under Chevron. A court facing such a challenge will likely look to HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) to evaluate whether HHS adopted the best interpretation of these statutes.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Jenner & Block

Written by:

Jenner & Block
Jenner & Block
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Jenner & Block on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide