The deadline for compliance with the Department of Health and Human Services Office of Civil Rights’ (“OCR”) recent update to the HIPAA Privacy Rule is December 22, 2024 -- less than thirty days away. Last spring, OCR published the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “Final Rule”)[1], which requires Covered Entities and Business Associates (the “Regulated Entities”) to adopt additional safeguards related to the use and disclosure of Protected Health Information (“PHI”) concerning reproductive health care.
Importantly, Regulated Entities must update the following to comply with the Final Rule:
- HIPAA privacy policies and procedures, including disclosure policies;
- Workforce trainings;
- Noncompliant Business Associate Agreements; and
- Notices of Privacy Practices.
Updates must reflect that Regulated Entities are prohibited from using or disclosing PHI to conduct investigations into, or impose liability on, individuals and entities for seeking, obtaining, providing or facilitating reproductive health care[2] that is lawful under the circumstances in which it is provided. The prohibition applies where a Regulated Entity has reasonably determined that one or more of the following conditions exist:
- Reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided;
- Reproductive health care is protected, required or authorized by Federal law, regardless of the state in which such health care is provided; and/or
- Reproductive health care was provided by a person other than the Regulated Entity that receives the request for PHI and such reproductive health care is presumed lawful.[3]
Care is presumed to be lawful unless the Regulated Entity has actual knowledge that the reproductive health care was not lawful, or receives factual information from the person requesting the PHI that demonstrates a substantial factual basis that the reproductive health care was unlawful.[4]
The Final Rule further requires Regulated Entities to obtain signed attestations that the use or disclosure of PHI concerning reproductive care is not for a prohibited purpose. This requirement applies when the request for PHI is for health oversight activities, judicial and administrative proceedings, law enforcement purposes and disclosures to coroners and medical examiners.[5] Among other things, the attestation must include a statement that the recipient will not use or disclose PHI for a prohibited purpose. The Final Rule requires strict compliance with the attestation rule, and an attestation may be considered invalid if it contains more or less information than needed.
The Final Rule has been subject to recent litigation, which Dinsmore attorneys continue to monitor. Providers are advised to contact their Dinsmore attorney with any questions regarding compliance with the Final Rule and for assistance modifying current policies and procedures.