New Reproductive Health Care Privacy Final Rule: Key Compliance Steps and Dates

Bass, Berry & Sims PLC

In the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and subsequent state abortion bans, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a Final Rule (Final Rule) modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule in order to support reproductive health care privacy. As with prior HIPAA rules, the Final Rule applies to covered healthcare providers, health plans, or healthcare clearinghouses (each, a Covered Entity) and their business associates.

The Final Rule seeks to strengthen protections concerning the use and disclosure of “reproductive health care” information. For purposes of the Final Rule, “reproductive health care” includes services such as receipt of contraception, management of pregnancy and pregnancy-related conditions, miscarriage management, pregnancy termination, and infertility diagnosis and treatment. 

The protections under the Final Rule include:

  • A prohibition on the use or disclosure of protected health information (PHI) by a Covered Entity or their business associate(s) to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person for the purpose of conducting such an investigation.
    • Reproductive health care is considered lawful under the Final Rule if a Covered Entity reasonably determines either of the following:
      • It is lawful under the law of the state in which such healthcare is provided under the circumstances in which it is provided.
      • The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such healthcare is provided.
  • A presumption that the reproductive health care provided by a person other than the Covered Entity (or business associate) receiving the request was lawful unless the Covered Entity has actual knowledge or factual information that it was unlawful.
  • A requirement that Covered Entities and business associates obtain a signed and dated attestation when receiving a request for PHI potentially related to reproductive health care. The attestation is required when the request is for PHI for any of the following:
    • Health oversight activities.
    • Judicial and administrative proceedings.
    • Law enforcement purposes.
    • Disclosures to coroners and medical examiners.

The attestation must state that the requested use and disclosure of PHI is not for a prohibited purpose, and it puts persons making requests for the use and disclosure of PHI on notice of the potential criminal penalties for knowingly violating the Final Rule. OCR has published a model attestation for use.

Key Compliance Steps and Dates

Due by December 23, 2024   

Revise HIPAA Policies and Procedures

Covered Entities will need to revise their HIPAA policies and procedures to incorporate the Final Rule, including to ensure that an attestation is provided under the appropriate circumstances.

Conduct Compliance Training

All workforce members must be trained on the revised HIPAA policies and procedures to ensure compliance with the Final Rule, including the attestation requirement and other considerations when responding to a request for the use or disclosure of PHI potentially related to reproductive health care.

Update Business Associate Agreements (BAAs)

Covered Entities should review and update their BAAs to the extent the Final Rule is not addressed or if the BAAs do not adequately address their respective responsibilities for requests for uses or disclosures of PHI related to reproductive health care.

Due by February 16, 2026

Update Notice of Privacy Practices (NPPs)

Covered Entities will be required to revise their NPPs to reflect the new protections under the Final Rule. Covered Entities will need to revise their NPPs further to address proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records. Because these required changes are extensive, the deadline for revising NPPs is not until February 2026. 

Takeaways

Covered Entities (and business associates), particularly employers sponsoring self-funded health plans, should take steps now to ensure compliance with the Final Rule by the end of the year. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Bass, Berry & Sims PLC
