Reproductive Rights at Center of HIPAA Privacy Rule Compliance Changes
The Department of Health and Human Services (“HHS”) published a final rule on April 26, 2024 modifying the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). HHS is modifying the protections set forth in the Privacy Rule primarily to address questions on the use and disclosure of an individual’s protected health information (“PHI”) in light of the 2022 decision of the Supreme Court of the United States holding that the Constitution does not protect a right to abortion. Specifically, the modifications strengthen protections surrounding reproductive health care information in the wake of state laws criminalizing abortion. Covered entities (including health care providers, clearinghouses, group health plans, and health insurers) should review, and where necessary revise, several documents mandated by the Privacy Rule in response to the new protections.
What Restrictions on Use and Disclosure of PHI Will Apply to Reproductive Health Care?
Starting on December 23, 2024, a covered entity (including any business associate) may not use or disclose PHI:
- To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful or otherwise protected reproductive health care provided by another person;
- To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful or otherwise protected reproductive health care provided by another person; and
- To identify any person for any purpose described above.
When Must a Covered Entity and Business Associate Obtain an Attestation?
Starting on December 23, 2024, a covered entity (including any business associate) must obtain a valid attestation from the requester before using or disclosing PHI that potentially relates to reproductive health care in the following circumstances:
- For judicial and administrative proceedings;
- To a law enforcement officer for law enforcement purposes;
- To a health oversight agency for health oversight activities; and
- To a coroner or medical examiner.
When Is an Attestation Valid?
To be valid, the attestation must:
- Be in writing (which may be electronic) and in plain language;
- Include only the following elements and statements (and no others):
- A description of the information requested that identifies the information in a specific fashion;
- The name or other specific identification of the person, or class of persons, requested to make the use or disclosure;
- The name or other specific identification of the person(s), or class of persons, to whom the covered entity (or business associate) is to make the requested use or disclosure;
- A clear statement that the use or disclosure is not for a prohibited reproductive health care purpose;
- A statement that a person may be subject to criminal penalties if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person; and
- The signature of the person requesting the PHI (which may be an electronic signature) and the date. If the attestation is signed by a representative of the person requesting the information, a description of the representative’s authority to act for that person must be included.
- Not be combined with any other document (except where needed to comply with the modifications to the Privacy Rule).
An attestation is not valid, and the covered entity (or business associate) may not rely on it, if the covered entity has actual knowledge that material information in the attestation is false, or if a reasonable covered entity in the same position would not believe that the material information in the attestation is true.
What Must Covered Entities Do?
Litigation challenging the modifications to the Privacy Rule is likely, but covered entities should nonetheless revisit all documents on file and practices related to the Privacy Rule in advance of the compliance deadlines so that they are ready if the modifications take effect. For example:
- The Notice of Privacy Practices must be revised by February 16, 2026 to describe the restrictions on uses and disclosures of PHI with respect to reproductive health care set forth in the modifications to the Privacy Rule, along with other required revisions relating to redisclosure and to substance use disorder treatment records.
- Covered entities should review (and revise where necessary) their documented policies governing internal HIPAA procedures to ensure compliance with the restrictions on uses and disclosures of PHI with respect to reproductive health, as well as to set forth rules for obtaining attestations when required.
- Covered entities should contact their business associates to verify that the business associates are updating internal controls to restrict uses and disclosures of PHI with respect to reproductive health care and to obtain attestations when required. Covered entities should also confirm that their business associate agreements are consistent with the new rules (and amend them where necessary) by December 23, 2024.
- Covered entities should provide updated workforce training consistent with the modifications to the Privacy Rule.
Please contact your Butzel attorney, or the author of this Client Alert, if you have any questions or would like more information.
Mark Jane
734.213.3617
jane@butzel.com