OCR: Rule Halts Disclosures Under ‘Presumption of Lawfulness,’ Shares Model Attestation Form

Health Care Compliance Association (HCCA)

Report on Patient Privacy 24, no. 7 (July, 2024)

Attestations are at the heart of permissible disclosures under the HHS Office for Civil Rights’ (OCR) new reproductive health privacy rule—and OCR wants covered entities (CEs) and business associates (BA) to use them now. The rule took effect June 25, although compliance won’t be mandatory until three days before Christmas for most of the requirements, with the exception of changes to notices of privacy practices. The compliance date for those isn’t until Feb. 16.[1]

When the rule was published in April, HHS promised to share model attestation language before the compliance date. But on June 25, OCR surprised the compliance community by issuing its attestation form uncharacteristically early.[2] Moreover, the agency urged its adoption—and full compliance with the rule.

“Patients deserve to have these privacy protections in place as soon as possible,” OCR Director Melanie Fontes Rainer said in an email to the agency’s privacy and security listservs. “OCR encourages HIPAA covered entities and business associates to begin implementing the new Privacy Rule requirements today.”

The rule seeks to protect patients and providers legally complying with their state’s abortion laws, which may be more liberal than those of neighboring states, in the wake of the Supreme Court decision in Dobbs v. Jackson Women's Health Organization two years ago. Dobbs “overturned precedent that protected a constitutional right to abortion and altered the legal and health care landscape,” HHS said in the preamble to the rule.[3]

As the rule explains, HHS has imposed a “purpose-based prohibition against certain uses and disclosures” to further safeguard protected health information (PHI) about “reproductive health care and the interests of society in an effective health care system by enabling individuals and licensed health care professionals to make decisions about reproductive health care based on a complete medical record, while balancing those interests with other interests of society in obtaining PHI for certain non-health care purposes.”

Specifically, the rule “prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities,” HHS said in an April 22 news release.[4]

Regarding attestations, the rule “requires covered entities or business associates to obtain a signed attestation that certain requests (health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures about decedents to coroners and medical examiners) for PHI potentially related to reproductive health care are not for these prohibited purposes,” OCR said in the listserv email.

Earlier in June, Timothy Noonan, OCR deputy director for health information privacy, data and cybersecurity, addressed compliance with the new rule, homing in on attestations, during a webinar posted on YouTube.[5]

The rule presumes that the health care in question was lawful, Noonan explained. Thus, “the person requesting the use or disclosure must provide the regulated entity with information such that it would constitute actual knowledge or that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which such health care was provided,” he said.

Entities Must Make Own Determination

Before responding to a request, “the regulated entity should review the relevant protected health information in its possession and other related information to determine whether the reproductive health care was lawful under the circumstances in which it was provided,” Noonan said.

“In responding to a request that requires an attestation, it would not be reasonable for a regulated entity to automatically rely on a representation made by a person requesting the use or disclosure of protected health information about whether the reproductive health care is lawful,” he said. “Rather, the regulated entity must review the individual’s protected health information to consider the circumstances under which it provided the reproductive health care to determine whether such reliance is reasonable.”

He pointed out that, “if the regulated entity, based on the information in its possession, reasonably determines that the health care it provided was lawful, [then] the regulated entity may not disclose the requested protected health information in response to that request.”

The rule requires a CE or BA to “obtain certain assurances from the person requesting the protected health information potentially related to reproductive health care before the protected health information is used or disclosed. [The assurance] would be in the form of a signed and dated written statement attesting that the use or disclosure would not be for a prohibited purpose,” he said.

This is applicable to requests related to “oversight activities, for judicial and administrative proceedings, for law enforcement purposes, or about decedents to coroners and medical examiners,” he added.

BAs Now ‘Directly Liable’

The attestation requirement in the regulation has some changes from the proposed rule, Noonan said. “BAs are now directly liable for compliance with the attestation requirement. Covered entities and business associates [both] process requests for protected health information and the Privacy Rule permits regulated entities to determine whether a business associate can respond to such requests or whether they are required to defer to the covered entity,” he said. “Thus, we determined that it’s appropriate to hold both covered entities and business associates directly liable.”

Unchanged from the proposed rule is applicability to only PHI “related to reproductive health care,” he noted. “This will limit the number of requests that require an attestation, and, therefore, the burden of the attestation requirement on regulated entities and persons requesting protected health information by narrowing the scope of the attestation.”

Obtaining an attestation “will not unnecessarily interfere with or delay law enforcement investigations that do not involve protected health information potentially related to reproductive health care,” Noonan said.

Agency officials revised a provision in the proposed rule “to clarify that the use or disclosure of protected health information based on a defective attestation does not meet the attestation requirement,” he said.

They also “modified the proposed rule to prohibit inclusion in the attestation of any elements that are not specifically required,” Noonan said. “This was to address concerns that regulated entities might require persons requesting protected health information to provide information beyond that which is required under the final rule.”

Under the rule, regulated entities cannot require that a requestor use their attestation form exclusively; requestors can use a different one “as long as the attestation provided is compliant with the attestation requirements,” he said.

‘Clearly Label’ Attestation Among Other Documents

“Additionally, we modified the proposed prohibition on compound attestations,” Noonan said. The rule “prohibits the attestation from being combined with any other document. We clarify that, while an attestation may not be combined with other forms, additional documentation to support the information provided in the attestation may be submitted.”

However, “this additional documentation may not replace or substitute for any of the attestation’s required elements,” he said.

CEs and BAs need to ensure that the attestation is “clearly labeled [and] distinct from any surrounding text and completed in its entirety,” said Noonan. “Documentation to support the attestation may be appended to the attestation.”

As an example, it would be permissible to attach a subpoena to an attestation “provided that the attestation is clearly labeled as such,” he said. The same principle applies if the attestation is submitted electronically. An attestation could be “on the same screen as the other document, again, provided that the attestation is clearly and distinctly labeled as such.”

Requirements pertaining to content of the attestation are unchanged from the proposed rule, Noonan said.

“An attestation must include that the person requesting the disclosure confirms the types of protected health information that they’re requesting; clearly identify the name of the individual whose protected health information is being requested, if practicable; or if not practicable, the class of individuals whose protected health information is being requested; and confirm, in writing, that the use or disclosure is not for a purpose prohibited by the new prohibition,” Noonan explained.

Regarding a request that relates to a class of individuals, “we clarified that the requesting entity may describe such a class in general terms,” Noonan added. “For example, as all individuals who were treated by a health care provider, who submitted claims or all individuals that had a certain procedure, or all individuals [with] certain health insurance coverage.”

Moreover, the attestation “must include a clear statement that the use or disclosure is not for a…purpose [prohibited] by the new rule,” Noonan said. “This requirement can be satisfied with a series of checkboxes that identif[y] why the use or disclosure is not prohibited.”

The attestation “must include a statement that the attestation is signed with the understanding that a person who, knowingly and in violation of HIPAA, obtains or discloses individually identifiable health information relating to another individual or discloses individually identifiable health information to another person, may be subject to criminal liability,” Noonan said. “We believe that adding this language satisfies the intent” behind the agency’s earlier consideration of stating that penalties for perjury could apply, he said.

“Including [this] statement in the attestation ensures that such persons are on notice and acknowledge the consequences of making such requests under false pretenses,” Noonan said. He added that the attestation “must be written in plain language.”

Minimum Necessary, Investigation Part of Rule

The attestation may be in an electronic format and electronically signed by the person requesting disclosure in states where electronic signatures are valid.

Of note, the attestation is limited to “the specific use or disclosure,” Noonan said. This means that “each use or disclosure request for protected health information will require a new attestation.”

CEs and BAs also need to be mindful that the minimum necessary standard still applies, so a “regulated entity will have to limit a use or disclosure to the minimum necessary when providing a response,” Noonan said. When a regulated entity is making that request, “that person will also need to make reasonable efforts to limit their request to the minimum necessary to accomplish the intended purpose of the use-disclosure request.”

He noted that the rule does not require a regulated entity “to investigate the validity of an attestation. Rather, the regulated entity is generally permitted to rely on the attestation—if, under the circumstances, the regulated entity reasonably determines that the request is not for investigating or imposing liability for the mere act of seeking, obtaining, providing or facilitating allegedly unlawful reproductive health care.”

Conversely, “if such reliance is not reasonable, then the regulated entity may not rely on that attestation for requests involving allegedly unlawful reproductive health care,” Noonan said. The entity could then presumably deny the request.

In some instances, the regulated entity may not have been the one providing the reproductive health care, so it would decline the request.

Saying ‘No’ to Law Enforcement

Noonan offered the following example and pointed out that a compliance mistake might be a reportable breach.

“A regulated entity receives an attestation from a law enforcement official, along with a court-ordered warrant demanding protected health information potentially related to reproductive health care. The law enforcement official represents that the request is about reproductive health care that was not lawful, but the official will not divulge more information because they alleged that doing so would jeopardize an ongoing criminal investigation,” Noonan said.

In this case, the entity cannot disclose the requested PHI “absent additional factual information because the official requesting the protected health information has not provided sufficient information to overcome the presumption of lawfulness,” he said.

Should a CE or BA discover that it inappropriately released PHI via an attestation, because any “representations in the attestation” were “materially incorrect” or contained a “material misrepresentation,” it must “cease” the use or disclosure of the PHI, Noonan added. Moreover, the disclosure would then be deemed “impermissible” under HIPAA, and the entity should begin the breach notification process, he said, which includes contacting the patient and OCR.

[1] Jane Anderson, “OCR Finalizes Reproductive Care Regulation; Attestations, Privacy Policy Changes Required,” Report on Patient Privacy 24, no. 5 (May 2024), https://bit.ly/3zaZvh1.

[2] “OCR Model Attestation for a Requested Use or Disclosure of Protected Health Information Potentially Related to Reproductive Health Care,” Report on Patient Privacy 24, no. 7 (July 2024).

[3] HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 89 Fed. Reg. 32,976 (April 26, 2024), https://bit.ly/3WktpZE.

[4] U.S. Department of Health and Human Services, “The Biden-Harris Administration Issues New Rule to Support Reproductive Health Care Privacy Under HIPAA,” news release, April 22, 2024, https://bit.ly/3zwlIGh.

[5] “OCR Briefing on HIPAA Privacy Rule to Support Reproductive Healthcare Privacy,” YouTube video, 1:00:38, June 20, 2024, https://bit.ly/4bybmDd.
