Earlier we discussed the Office for Civil Rights (“OCR”) of the US Department of Health and Human Services final rules relating to reproductive health care information (the “Final Rules”). In our prior blog we discussed that OCR intended to issue a model attestation form to be used when requesting reproductive health care information from covered entities and their business associates. OCR recently issued the model attestation form.

Background

Health care providers, health plans and their business associates are prohibited from using or disclosing PHI when the PHI is requested to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances, or to identify any person relating to those activities (referred to as “Prohibited Purposes”).

When a covered entity or business associate receives a request for protected health information potentially related to reproductive health care, it must obtain a signed attestation that clearly states the requested use or disclosure is not for Prohibited Purposes, where the request is for PHI for any of the following –

Health oversight activities,

Judicial or administrative proceedings,

Law enforcement, or

Disclosures to coroners and medical examiners regarding decedents.

Model Attestation Form

OCR issued a model attestation form to use when requesting reproductive health information for the above purposes. The attestation form is only a model and is not legally required. Similar to a HIPAA authorization, attestations for reproductive health care information can be obtained and executed electronically.

An attestation must include the following elements –

A description of the information requested that identifies the information in a specific fashion,

The name or other specific identification of the persons, or class of persons, who are requested to make the use or disclosure,

The name or other specific identification of the persons, or class of persons, to whom the covered entity is to make the requested use or disclosure,

A clear statement that the use or disclosure is not for a Prohibited Purpose,

A statement that a person may be subject to criminal penalties if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person, and

The signature of the person requesting the protected health information, which may be an electronic signature, and date.

A covered entity or business associate is not permitted to rely on a completed attestation if --

It is missing any required element or statement or contains other content that is not required,

It is combined with other documents, except for documents provided to support the attestation,

Any material information in the attestation is known to be false, or

A reasonable covered entity or business associate in the same position would not believe the requestor’s statement that the use or disclosure is not for a prohibited purpose.

A new attestation for each specific use or disclosure request must be provided, and the covered entity or business associate must maintain a written copy of the completed attestation and any relevant supporting documents.

Key Takeaways

Compliance with the Final Rules and the attestation requirement commences on December 23, 2024. The Final Rules contain many unanswered questions and are vague and complex. Covered entities and business associates should review the Final Rules and create a compliance plan with respect to updating their policies and procedures, health plan documents, business associate agreements and privacy notices.