In April, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) issued the HIPAA Privacy Rule To Support Reproductive Health Care Privacy (Final Rule) modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. In June 2022, in response to the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, HHS issued guidance related to the HIPAA permitted use and disclosure of protected health information (PHI) for Public Interest and Benefit Activities Disclosures and, in April 2022, issued a Notice of Proposed Rule Making for the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. OCR responded with the Final Rule, which strengthens reproductive health care privacy.
HIPAA Privacy Rule
The HIPAA Privacy Rule focuses primarily on a covered entity’s (health plans, health care clearing house, and most health care providers) compliance with an individual’s rights, the appropriate processes to use and disclose information on behalf of a health plan, and breach response. Under the Privacy Rule, there are both required and permitted uses and disclosures of PHI. Health information is “used” when it is shared within an entity that holds the information (i.e., when it is shared internally). In contrast, health information is “disclosed” when it is shared outside the entity (i.e., when it is shared externally).
The Privacy Rule requires group health plans to disclose PHI only in four instances.
- To the individual who is the subject of the PHI when the individual requests it;
- To individuals (or their personal representatives) when requesting an accounting of disclosures of their PHI;
- When individuals request amendments to their designated record sets[1]; and
- To HHS when it is undertaking a compliance investigation or review, or enforcement action.
A group health plan is prohibited from “using” or “disclosing” PHI except:
- With written authorization from the individual who is the subject of the PHI; or
- As required by the Privacy Rule (e.g., to an individual requesting access to his or her own PHI); or
- As otherwise explicitly permitted by the Privacy Rule (e.g., for treatment, payment, and healthcare operations, when the individual has an opportunity to agree or object, or pursuant to process and as otherwise required by law, including incident to judicial and administrative proceedings and for law enforcement purposes).
Final Rule
Additional prohibited use and disclosure
As noted above, the Privacy Rule permits use and disclosure of PHI in judicial and administrative proceedings and for law enforcement purposes. The Final Rule strengthens the protections of the Privacy Rule by prohibiting the use or disclosure of PHI by a covered entity for the following purposes:
- To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
- To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
- To identify any person for the purpose of initiating such an investigation or proceeding.
The Final Rule applies when the subject criminal, civil, or administrative investigation or proceeding is related to reproductive health care that is:
- Provided in a state where the health care is lawful under the circumstances in which it is provided, and is
- Protected, required, or expressly authorized by federal law under the circumstances in which it is provided.
Attestation requirement
When a covered entity receives a request for PHI that is potentially related to reproductive health care, the request must be accompanied by a signed and dated attestation from the requesting party that the use or disclosure is not for a prohibited purpose. The attestation may be electronic but may not be combined with any other document. HHS will create a model attestation that covered entities may use for this purpose prior to the compliance deadline.
Notice of privacy practices
The Final Rule also requires updates to the Notice of Privacy Practices (NPP) that covered entities must issue. NPPs will need to include, among other things, the ways in which the covered entity may use and disclose an individual’s records, a description, with an example, of a prohibited disclosure of information related to reproductive health care, and a description of the type of use and disclosure that requires an attestation.
There are currently model NPPs on HHS’ website, but they have not been updated to reflect the changes required by the Final Rule.
Effective date
The Final Rule is effective 60 days after its publication in the Federal Register, or June 25, 2024, and covered entities must comply with it by December 23, 2024. However, HHS provided covered entities until February 16, 2026 — over a year later — to issue the updated NPP, which is typically required to be disclosed within 60 days after a material change.
Action items
Employers and plan administrators must:
- Revise their plans’ HIPAA privacy policies and procedures;
- Adopt an attestation form and create and document a process for administering the attestation;
- Update their plans’ NPP related to the privacy of reproductive health care information and post and distribute the updated notice; and
- Ensure that their plans’ HIPAA workforce members are trained on the Final Rule’s protections for reproductive health care information and the related attestation.
[1] A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
Volume 47 | Issue 14