On April 26, 2024, the U.S. Department of Health and Human
Services (HHS) Office for Civil Rights (OCR) published the HIPAA Privacy Rule to Support Reproductive Health
Care Privacy Final Rule (Final Rule) modifying the HIPAA
Privacy Rule. The Final Rule is effective June 25, 2024. Covered
entities and business associates must be compliant with the Final
Rule by Dec. 23, 2024.
For context, in response to the June 24, 2022, U.S. Supreme
Court decision in Dobbs v. Jackson Women’s Health
Organization (Dobbs), OCR issued a Notice of Proposed Rule Making April 17, 2023,
to modify the Health Insurance Portability and Accountability Act
(HIPAA) Privacy Rule in order to better support the privacy of
protected health information (PHI) related to reproductive health
care (Proposed Rule). In light of Dobbs, OCR expressed
concern that the confidentiality of reproductive health care
information could be compromised or otherwise impacted by those who
wished to use a person’s reproductive health care information
to conduct criminal, civil, or administrative investigations or to
impose criminal, civil, or administrative liabilities on a person
for the “mere act of seeking, obtaining, providing, or
facilitating reproductive health care that is lawful under the
circumstances in which it is provided.”1 OCR states
that the Final Rule is intended to promote trust between
individuals and health care providers and to support greater access
to reproductive health care.
New Definitions
The Final Rule adopts several key definitions around
reproductive health care.
- A “person” is defined as a legal entity or a
“human being who is born alive,” thereby excluding
fertilized eggs, embryos, and fetuses. - “Public health,” for the purposes of the HIPAA
Privacy Rule, means population-level activities to prevent disease
in and promote the health of populations. Expressly carved out from
the definition of “public health” is conducting criminal,
civil, or administrative investigation or imposing criminal, civil,
or administrative liability on any person for the act of seeking,
obtaining, providing, or facilitating health care. - “Reproductive health care” is defined as health care
“that affects the health of an individual in all matters
relating to the reproductive system and to its functions and
processes.”2 Importantly, the new HIPAA definition
of “reproductive health care” expressly provides that it
shall not be construed to set forth a standard of care for
reproductive health care.
Purpose-Based Prohibition
As originally set forth in the Proposed Rule, the Final Rule
imposes a “purpose-based prohibition” on certain uses and
disclosures of PHI related to reproductive health care. Covered
entities and business associates are now prohibited from using or
disclosing PHI for certain “Prohibited Purposes”:
- To conduct criminal, civil, or administrative investigations
into a person or to impose criminal, civil, or administrative
liabilities on a person “for the mere act of seeking,
obtaining, providing, or facilitating reproductive health care
;”3 and - To identify any person for any purpose described above.
These purpose-based prohibitions apply either when the
reproductive health care is lawful in the state where it is
provided or when the care is “protected, required, or
authorized by Federal law, including the United States
Constitution.” The Final Rule also imposes a presumption that
all reproductive health care is lawful in a state unless the
covered entity or business associate has (i) actual knowledge that
the care was not lawful “under the circumstances in which it
was provided”; or (ii) received factual information from the
person requesting the use or disclosure of the information that
demonstrates a substantial factual basis that the care was not
lawful “under the specific circumstances in which it was
provided.”
Attestations
In order facilitate compliance with this new purpose-based
prohibition, OCR has conditioned a regulated entity’s use or
disclosure of reproductive health care PHI on its receipt of an
attestation by the requesting party that the use or disclosure of
the information is for a permissible or Prohibited Purpose.
Attestations will be required when a request is made relative to
health oversight activities, judicial and administrative
proceedings, law enforcement purposes, and disclosure to coroners
or medical examiners.
OCR is clear that failure to comply with the new requirement
could result in an enforcement action. Requesting parties may be
subject to criminal liabilities if they knowingly obtain
reproductive health care PHI in violation of HIPAA. Covered
entities and business associates that permit the use or disclosure
of reproductive health care PHI based on a defective attestation
will also be viewed as having violated the HIPAA Privacy Rule. In
terms of on-the-ground efforts to achieve compliance, regulated
entities should take note that OCR will view compound attestations
as defective and noncompliant.
Notice of Privacy Practices (NPPs)
The Final Rule also changes the HIPAA NPP requirements. These
changes were previewed in February 2024, when HHS published the Confidentiality of Substance Use Disorder Patient
Records Final Rule, which implemented changes to 42 C.F.R. Part
2 (Part 2) and reserved Part 2-related modifications of the HIPAA
NPP requirement to this Final Rule.
Specifically, the Final Rule implements the following changes to
the HIPAA NPP relating to reproductive health care
PHI4:
- The NPP must describe the types of uses and disclosures for
which a reproductive health care PHI attestation is required, and
provide an example; - The NPP must describe the types of uses and disclosures that
are not permitted due to their Prohibited Purposes, and provide an
example; and - The NPP must provide a statement notifying an individual that
PHI disclosed pursuant to the HIPAA Privacy Rule may be redisclosed
and no longer protected by the HIPAA Privacy Rule (akin to the
existing HIPAA authorization content requirement).
Personal Representative Treatment
The Final Rule also broadens a covered entity’s discretion
in deciding to treat someone as an individual’s personal
representative if, in the covered entity’s professional
judgment, such treatment is not in the best interests of the
individual. HIPAA has long permitted covered entities to take such
action upon a reasonable belief that someone could endanger the
individual or that the individual has been or may be subjected to
violence, abuse, or neglect by the person. The Final Rule limits
covered entity discretion by stating that a covered entity does not
have a reasonable belief for these purposes “if the basis for
their belief is the provision or facilitation of reproductive
health care by such person for and at the request of the
individual.”5 In other words, OCR has determined
that the HIPAA Privacy Rule will not support a covered entity’s
decision in this regard if such decision is founded on equating a
personal representative’s potential decisions regarding
reproductive health treatment with subjecting the individual to
abuse.
Footnotes
1. 89 FR 32976, 32997 (April 26, 2024).
2. 45 CFR § 160.103 definition of “reproductive
health care.”
3. Seeking, obtaining, providing, or facilitating
reproductive health care includes but is not limited to expressing
interest in, using, performing, furnishing, paying for,
disseminating information about, arranging, insuring,
administering, authorizing, providing coverage for, approving,
counseling about, assisting, or otherwise taking action to engage
in reproductive health care; or attempting any of the same. 45
C.F.R. § 164.502(a)(5)(D).
4. The Final Rule also enacted Part 2-related NPP
modifications applicable to Part 2 Programs. For more information
on the Final Rule Confidentiality of Substance Use Disorder Patient
Records Final Rule, please see Greenberg Traurig’s March 2024 Behavioral
Health Law Ledger.
5. 45 CFR §164.402(g)(5)(ii).
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
#HHS #OCR #Amends #HIPAA #Privacy #Rule #Protect #Reproductive #Health #Care #Privacy #Healthcare
