New HIPAA Rules Limit The Use And Disclosure Of PHI Related To Reproductive Health Care And Revise Notice Of Privacy Practices Requirements



On April 26, 2024, the Department of Health and Human Services
(“HHS”) published a Final Rule to amend the HIPAA regulations.
Among other things, HIPAA protects the privacy of individuals’
protected health information (“PHI”) and sets parameters
and restrictions on the use and disclosure of PHI.

Health plans and business associates must comply with the new
restrictions on the use and disclosure of PHI by December 23, 2024,
and the new HIPAA notice of privacy practices requirements by
February 16, 2026.

The Supreme Court decision in Dobbs v. Jackson Women’s
Health Organization (“Dobbs”)

In Dobbs, the Supreme Court overturned a federally
protected right to abortion and declared it to be a state issue.
Our prior Client Alert discusses how Dobbs
affects group health plans. In the wake of Dobbs,
individual states have placed various restrictions on abortion
procedures, with some placing criminal liability upon individuals
and physicians for receiving or administering the procedure. HHS
believes the Dobbs decision and these state laws
restricting abortion create a risk that an individual’s PHI may
be used or disclosed in ways that cause harm to individuals and
deter them from accessing medical care. HHS’s particular
concern is that individuals’ PHI may be used to investigate or
impose liability upon individuals related to abortions, thereby
discouraging individuals from seeking abortions or from providing
pertinent past treatment information to current health care
providers.

Amending the Privacy Rule to Prohibit the Disclosure of Certain
PHI to Law Enforcement

Under its statutory authority to administer and enforce HIPAA,
HHS may modify the HIPAA regulations as needed. The Final Rule adds
a new prohibition on the use and disclosure of PHI. Specifically,
the Final Rule:

prohibits a regulated entity from using or disclosing an
individual’s PHI for the purpose of conducting a criminal,
civil, or administrative investigation into, or imposing criminal,
civil, or administrative liability on any person for the mere act
of seeking, obtaining, providing, or facilitating reproductive
health care that is lawful under the circumstances in which it is
provided, meaning that it is either: (1) lawful under the
circumstances in which such health care is provided and in the
state in which it is provided; or (2) protected, required, or
authorized by Federal law, including the United States
Constitution, regardless of the state in which such health care is
provided.

The Final Rule defines “reproductive health care” as
“health care that affects the health of the individual in all
matters relating to the reproductive system and to its functions
and processes.” HHS provided a non-exhaustive list of examples
in the preamble including contraception, fertility or
infertility-related care, and pregnancy-related care. HHS clarified
that the Final Rule’s new prohibition does not eliminate a
group health plan’s ability to use or disclose an
individual’s PHI with a valid HIPAA authorization.
Additionally, HHS clarified that the Final Rule does not prohibit
the disclosure of PHI about reproductive health care that was
unlawfully provided. It will be important for employers, group
health plans, and business associates to understand what is lawful
versus unlawful in various jurisdictions.

Adding a New Provision Requiring an Attestation for
Requests

Although the Final Rule requires a covered entity to collect an
attestation from requesters of PHI potentially related to
reproductive health care, HHS makes clear that group health plans
and business associates cannot rely on the attestation and must
make an independent determination on the use or disclosure of PHI.
HHS intends to provide a model attestation form. The attestation
will include: the types of PHI being requested, the name of the
individual whose PHI is being requested, and that the use or
disclosure is not for the new prohibited purpose. The attestation
will be limited to the specific use or disclosure, so each use or
disclosure request will require its own attestation.

The Final Rule includes an enforcement provision to hold both
group health plans and business associates directly liable for
compliance with the attestation requirement. This allows HHS to
take enforcement action directly against them.

Changes to HIPAA Notice of Privacy Practices

The Final Rule revises the requirements for notices of privacy
practices (“NPP”). It adds new requirements to address
certain substance use disorder treatment records. Additionally,
the NPP must include a description and at least one example of the
types of uses and disclosures of reproductive health care PHI that
are prohibited. It must also include a description and example of
the types of uses and disclosures of PHI that require an
attestation. The NPP must include a statement to put individuals on
notice of the potential for information disclosed pursuant to the
HIPAA Privacy Rule to be redisclosed by the recipient and that the
information will no longer be protected by HIPAA.

Important Action Items

These modifications to the HIPAA regulations will likely require
revisions to existing business associate agreements and HIPAA
policies and procedures. As a result, we recommend that employers
and business associates:

  • Review and revise HIPAA policies and procedures to address the
    requirements in the Final Rule. Among other things, they should
    address the process for reviewing and processing requests for
    records that include reproductive health care PHI and
    attestations.

  • Revise and distribute new HIPAA notices of privacy
    practices.

  • Provide training on the revised HIPAA policies and procedures,
    especially for individuals processing requests for PHI and
    attestations.

  • Review plan communications to ensure all HIPAA references are
    current to reflect these modifications.

  • Review business associate agreements that may permit business
    associates to engage in activities that are no longer permitted and
    revise as necessary.

  • Revise business associate agreements to ensure responsibility,
    liability, and indemnification provisions encompass these new
    requirements.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
