On April 22, 2024, the Health and Human Services’ Office for Civil Rights (OCR) issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule. The final rule limits the sharing of protected health information (PHI) related to reproductive healthcare for certain purposes outside of treatment, payment, and healthcare operations.
New privacy protection
While PHI related to reproductive healthcare can still be used to facilitate treatment, payment, and healthcare operations, the final rule prohibits the use or disclosure of an individual’s PHI related to reproductive healthcare when the request is made for the purposes of investigating or imposing liability on an individual for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare that is lawful under the circumstances in which it is provided.
What this means to you
Beginning December 23, 2024, HIPAA-regulated entities and their business associates must obtain an attestation when reproductive healthcare PHI is requested for (1) health oversight activities, (2) disclosures for judicial and administrative proceedings, (3) disclosures for law enforcement purposes, and (4) disclosures about decedents to coroners and medical examiners.
The attestation must contain:
- Who is making the request
- Who is receiving the request
- The protected health information being requested
- A statement affirming that the information is not being sought for a prohibited purpose
OCR has provided a model form here.
Moreover, HIPAA-regulated entities must update their policies, procedures, and business associate agreements to comply with the final rule. In particular, existing BAAs must be updated to address the new limitations on sharing reproductive health information where such agreements permit the sharing of information that is no longer permitted. Entities must also ensure staff and business associates are aware of the updates made to their policies, procedures, and business associate agreements; provide adequate training on the changes; and maintain records of all such communications. The date for compliance with the new rule was December 23, 2024, while notices of privacy practices must be updated to reflect this new rule by February 16, 2026.