In April 2024, the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS) published a Final Rule aimed at strengthening the HIPAA Privacy Rule as it relates to reproductive health data. There are three key takeaways for employers:
- Covered Entities are prohibited from disclosing protected health information (PHI) related to lawful reproductive health care in certain circumstances.
- Health plans and Business Associates must obtain a signed attestation that PHI requests potentially related to reproductive health care will not be used for prohibited, non-healthcare purposes.
- Covered Entities must update their HIPAA Privacy Notice to reflect the new reproductive health care provisions.
Background on Dobbs
In 2022, the Supreme Court overturned the federally protected right to abortion in Dobbs v. Jackson Women’s Health Organization (Dobbs). The Court declared abortion an issue to be controlled by the states. In the wake of the Dobbs decision, a number of states enacted legislation that restricts abortion procedures, with some placing criminal liability upon individuals and physicians for receiving or administering the procedure.
In response to the Biden administration’s request to do what they could to protect women’s health and privacy, in April 2023, the HHS issued proposed modifications to the HIPAA Privacy Rule addressing these concerns. The rule changes intend to address the concern that individuals’ PHI might be used to investigate or impose liability upon individuals related to abortions, thereby discouraging individuals from seeking abortions or from providing pertinent past treatment information to current health care providers. In April 2024, the agency finalized those rules.
Takeaway #1 - New Prohibition on Disclosure
New Rule: The Final Rule is intended to provide privacy protection for individuals seeking legal abortion-related services. The rule expressly prohibits the use or disclosure of Protected Health Information (PHI) sought for the following purpose:
- To conduct a criminal, civil, or administrative investigation into any person for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.
- To impose criminal, civil, or administrative liability on any person for seeking, obtaining, providing, or facilitating reproductive health care.
- To identify any person for the purpose of conducting such an investigation or imposing such a liability.
Definitions: A new definition of Reproductive Health Care is “health care that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.” A new definition of Person is “a human being who is born alive.”
Lawful Reproductive Care: The prohibition on the use or disclosure of PHI applies where that health care is lawful under federal law or the laws of the state in which it is provided. The HHS makes clear that the Final Rule is intended to cover the situation where a person travels from a state which bans abortion to a state where abortion is legal to access care. If the abortion is legal where it is performed, the Final Rule prohibits the use or disclosure of that person’s PHI for the purpose of her home state investigating whether she received an abortion that would have arguably violated the law of the home state, had the abortion care been provided in the home state.
Regular HIPAA Disclosure Rules Still Apply: HIPAA allows PHI to be used or disclosed for a host of specific reasons listed in the Privacy Rule. The Final Rule provides that Covered Entities and their Business Associates may continue to use or disclose PHI for those permitted purposes, providing the use or disclosure is not prohibited by one of the new prohibitions described above.
Takeaway #2 - New Attestation Rule
The Final Rule requires Covered Entities and Business Associates to obtain a signed attestation from any entity that requests PHI that is potentially related to reproductive health care.
The attestation must provide assurances that the use or disclosure is not for a prohibited, non-healthcare purpose. Even so, group health plans and business associates cannot rely on the attestation alone and must make an independent determination on the use or disclosure of PHI. In addition, under the new rule, both group health plans and business associates can be held directly liable for compliance with the attestation requirement.
HHS has indicated that it will provide model language for the required attestation. The form may be signed electronically.
Takeaway #3 - Changes to HIPAA Privacy Notice
Covered Entities must update their Privacy Notice to address two new requirements:
- Reproductive Health Care: New rules require that the Privacy Notice include a description and at least one example of the types of uses and disclosures of reproductive health care PHI that are prohibited. It must also include a description and example of the types of uses and disclosures of PHI that require an attestation. Lastly, the notice must include a statement to put individuals on notice of the potential for information disclosed pursuant to the HIPAA Privacy Rule to be redisclosed by the recipient and that the information will no longer be protected by HIPAA.
- Substance Use Disorder: New requirements regarding PHI related to substance use disorder treatment records.
Effective Date
The rule is effective June 25, 2024 (60 days after publication), and Covered Entities and Business Associates have until December 23, 2024, to comply with the provisions. The effective date for providing the revised Privacy Notice is delayed until February 16, 2026.
Employer Action Items
Fully Insured Plans: Neither PHI in general nor reproductive health care PHI specifically is typically held by group health plans. However, group health plan HIPAA documentation must still be updated to reflect the new rules as follows:
- Review and revise HIPAA policies and procedures to address the new requirements.
- Update and distribute new HIPAA notices of privacy practices.
- Review business associate agreements that may permit business associates to engage in activities that are no longer permitted and revise as necessary.
- Revise business associate agreements to ensure responsibility, liability, and indemnification provisions encompass these new requirements.
- Re-inventory existing Business Associate Agreements (BAAs) concurrently with updating all BAAs.
Self-Funded Plans: Plans must take specific action to maintain compliance.
- Review and revise HIPAA policies and procedures to address the new requirements, specifically the process for reviewing and processing requests for records that include reproductive health care PHI and attestations.
- Revise and distribute new HIPAA notices of privacy practices.
- Review BAAs that may permit business associates to engage in activities no longer permitted and revise as needed.
- Revise business associate agreements to ensure responsibility, liability, and indemnification provisions encompass these new requirements.
- Re-inventory existing BAAs in the process of updating all BAAs.
- Implement the use of the attestation form.
- Provide training to employees who have access to PHI or who have responsibility for processing PHI requests and new attestation forms.
PHI Reminders
The Final Rule’s new prohibition does not eliminate a group health plan’s ability to use or disclose an individual’s PHI with a valid HIPAA authorization. Additionally, HHS clarified that the Final Rule does not prohibit the disclosure of PHI about reproductive health care that was unlawfully provided. It will be important for employers, group health plans, and business associates to understand what is lawful versus unlawful in various jurisdictions.
Vita Actions
Vita has updated the Privacy Notice provided for distribution as part of your group health plan HIPAA Compliance Program and the version appended to the Summary Plan Description (SPD). In addition, an updated Business Associate Agreement template will be provided, which will include the new provisions.
References
HHS Final Rule