Healthcare Law Alert: UPDATE: Office for Civil Rights Publishes Guidance on Final HIPAA Rule Restricting Disclosure of Reproductive Health Information and Finalizing Changes to the HIPAA Notice of Privacy Practices

Update:

On June 27, 2024, the Office for Civil Rights (“OCR”) published additional resources for covered entities and business associates to implement the April 26, 2024 final rule enhancing protections for reproductive health information. A list of compiled resources is available from OCR’s website, and includes a model attestation promised by the final rule. The attestation is required for any use or disclosure of PHI potentially related to reproductive health care for the following purposes: health oversight activities; judicial and administrative proceedings; law enforcement purposes; and coroners and medical examiners. The attestation requirement should help covered entities and business associates identify requests for PHI most likely to implicate the new prohibition on disclosure of reproductive health information as required under the final rule.

_____________________________________________________________________________________________________________________________

On April 26, 2024, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published a final HIPAA rule enhancing protections for reproductive health information and finalizing proposed changes to the HIPAA Notice of Privacy Practices (the “Final Rule”). The Final Rule implements OCR’s April 2023 notice of proposed rulemaking following the US Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, and finalizes changes to the Notice of Privacy Practices (“NPP”) previously announced in the April 2023 proposed rule and a February 2024 final rule modifying Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”) . Covered Entities and Business Associates have until December 23, 2024 to comply with new limitations on disclosure of reproductive health information, and until February 16, 2026 to comply with changes to the NPP.

Limits on Use and Disclosure of Reproductive Health Information

OCR’s Final Rule creates a “Purpose-Based Prohibition” on certain uses and disclosures of reproductive health information. Reproductive health care is broadly defined under the Final Rule to mean “health care”, as defined under HIPAA, “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” The Final Rule prohibits Covered Entities and Business Associates from using or disclosing PHI for either of the following activities:

  • To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided, or
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

The Purpose-Based Prohibition applies only where the relevant activity is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care, and the Covered Entity or Business Associate that received the request for PHI has reasonably determined that one of the following conditions exists:

  • The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided, or
  • The reproductive health care is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided.

With respect to requests for PHI maintained by a Covered Entity or Business Associate that was received from a third party, there is a presumption under the rule that such care was lawful under the circumstances, unless the presumption is overcome by actual knowledge that the care was not lawful, or as demonstrated by factual information submitted by the requester.

To aid Covered Entities and Business Associates in identifying requests for PHI most likely to implicate the Purpose-Based Prohibition, OCR instituted a new attestation requirement in the Final Rule. An attestation is required for any use or disclosure of PHI potentially related to reproductive health care for the following purposes:

  • 45 CFR § 164.512(d) (health oversight activities),
  • 45 CFR § 164.512(e) (judicial and administrative proceedings),
  • 45 CFR § 164.512(f) (law enforcement purposes), or
  • 45 CFR § 164.512(g)(1) (coroners and medical examiners).

The attestation must include statements informing the requester that use or disclosure of PHI requested is not for a prohibited purpose and that violations of the prohibition are subject to criminal penalty. OCR will publish a model attestation prior to the December 2024 compliance date, but also cautions that recipients of requests for which attestation is required must consider the “totality of the circumstances” underlying the request; therefore, a recipient may still reject a request even if an attestation appears to be valid on its face.

Changes to the NPP

The Final Rule will require Covered Entities to update the NPP to inform individuals about the new protections for reproductive health information, and requires additional updates for Covered Entities that create or maintain records subject to Part 2.

The NPP must describe uses and disclosures of reproductive health information subject to the new prohibition on disclosure and describe circumstances where an attestation is required.

Covered Entities that create or maintain records subject to Part 2 must include language in the NPP describing limitations on disclosure of Part 2 records, or testimony related to such records, in civil, criminal, administrative or legislative proceedings against the individual. The NPP should further describe the need for written consent or a court order to compel such disclosure, and explain that a court order authorizing such use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure. The NPP must also include clear and conspicuous language informing individuals of the right to opt out of fundraising uses of their Part 2 information if the Covered Entity intends to use such information for a fundraising purpose.

This communication is for informational purposes and is not intended as legal advice.