As a result of the overturning of Roe v. Wade, the Department of Health and Human Services (HHS) released final rules aimed at ensuring the privacy of protected health information (PHI) related to lawful reproductive health care. Under the new rule, HIPAA-covered entities will be required to obtain a signed attestation that the request for reproductive health care PHI is not for a prohibited purpose prior to disclosing the information.
Per the final rule, “reproductive health care” is described as “health care that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.” The rule does not hinder a health plan’s ability to use or disclose an individual’s PHI with a valid HIPAA authorization, nor does it prohibit the disclosure of reproductive health care PHI that was unlawfully provided. For the use or disclosure to be lawful, the request cannot be made “for the purpose of criminally, civilly, and/or administratively investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.”
Attestation Requirement
One of the major changes resulting from the final rule is the implementation of the attestation requirement. The requirement applies when the request for PHI is for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and/or disclosures to coroners and medical examiners. This attestation must be completed and signed by the person(s) requesting the reproductive health care PHI and will provide the HIPAA-covered entity and/or business associate with written representation that the request is not for a prohibited purpose, i.e., for the purpose of investigating or imposing liability on the individual. Since the attestation is limited to the specific use or disclosure, each request will require its own attestation.
Employer Action Items:
- December 23, 2024:
By December 23, 2024, HIPAA-covered entities and business associates must be prepared to comply with the new restrictions by doing the following:
- Update HIPAA Policies and Procedures and Business Associate Agreements to address the new requirements.
- Review and amend Business Associate Agreements to ensure liability and indemnification are properly addressed, if necessary.
- Implement attestation process. HHS has provided a Model Attestation for covered entities and business associates to use.
- Inform employees and provide training on revised HIPAA Policies and Procedures.
- February 16, 2025:
By February 16, 2025, HIPAA regulated entities will need to revise and redistribute their Notice of Privacy Practices to reflect the changes.
If you are a HIPAA-covered entity or business associate, it is imperative that you review your policies and procedures to ensure you are prepared to comply with the deadlines.