ELIZABETH LOH, June 27, 2024
The Department of Health and Human Services (HHS) has issued a final rule which amends the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules (the “Final Rule”). HHS issued the Final Rule in the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization. HHS explains that the Final Rule is meant to support President Biden’s Executive Orders on protecting access to reproductive health care — in particular, by protecting information related to reproductive health care and bolstering patient-provider confidentiality. The new Final Rule will require certain compliance actions by covered entities (e.g., health care providers and group health plans) and their business associates.
Prohibitions on Certain Uses and Disclosures of PHI
The HIPAA Privacy Rules generally provide that covered entities are prohibited from using or disclosing protected health information (PHI), except as permitted by the HIPAA Privacy Rules. The newly issued Final Rule helps strengthen privacy protections by further prohibiting the use or disclosure of PHI by a covered entity or their business associate (“regulated entities”) for any of the following activities:
- Investigations: Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
- Imposing Liability: Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
- Identification: Identifying an individual, health care provider or other person for purposes related to such an investigation or proceeding.
Note: HHS has defined the terms “seeking, obtaining, providing, or facilitating reproductive health care” very broadly to include activities such as “expressing interest in, performing, furnishing, paying for…arranging…insuring…administering…providing coverage for…” Accordingly, not only patients but also group health plans and health care providers will have certain protections under these rules.
New Definition of “Reproductive Health Care”
HHS has created a new definition of “reproductive health care” to help regulated entities determine whether a request for the use or disclosure of PHI includes the types of PHI implicated by the Final Rule.
The Final Rule defines the term “reproductive health care” broadly to mean “health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” The Final Rule provides a list of examples of what is included in the definition of “reproductive health care,” including but not limited to:
- Contraception, including emergency contraception;
- Pregnancy-related health care, including but not limited to miscarriage management, pregnancy termination, pregnancy screening;
- Fertility or infertility-related health care, including services such as assisted reproductive technology (e.g., in vitro fertilization), as well as other care, services, or supplies used for the diagnosis and treatment of infertility;
- Diagnosis and treatment of conditions related to the reproductive system (e.g., perimenopause, menopause, endometriosis, etc.); and
- Other types of care, services and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products).
Prohibition Applies Where Reproductive Health Care Is Lawful
The prohibition against the use or disclosure of PHI about reproductive health care applies where the regulated entity has reasonably determined that one or more of the following conditions exists:
- the reproductive health care is lawful under the law of the state in which it is provided, under the circumstances in which it was provided. For example, the prohibition applies where a resident of one state travels to another state to receive reproductive health care, such as an abortion, that is lawful in the state where the care was provided;
- the reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which it is provided. For example, the prohibition applies where the reproductive health care (e.g., contraception) is protected by the Constitution; or
- the reproductive health care was provided by a person other than the covered health care provider, health plan or business associate that receives the request for PHI, and is presumed to be lawful under the presumption described below.
Note: A regulated entity that receives a request for PHI must presume that any reproductive health care obtained was lawful under the circumstances in which it was provided. This presumption of lawfulness applies unless the regulated entity has actual knowledge, or factual information from the requester, that the care was not lawful; for example, where a law enforcement official provides a health plan with evidence that the information requested concerns reproductive health care provided by an unlicensed person in a jurisdiction that requires such care to be provided by a licensed provider.
Attestation Requirement
HHS has implemented an attestation requirement to help regulated entities determine whether the use or disclosure of reproductive health care–related PHI is permitted under the Final Rule.
A regulated entity must obtain a signed attestation from the person requesting PHI if it receives a request for PHI potentially related to reproductive health care and the request is for (i) health care oversight activities; (ii) judicial and administrative proceedings; (iii) law enforcement purposes; or (iv) disclosures to coroners and medical examiners. The attestation serves two purposes. First, it provides assurance from the requester that the use or disclosure will not be for a prohibited purpose. Second, it puts the requester on notice of the potential criminal penalties for obtaining PHI in violation of the HIPAA rules.
The attestation must be written in “plain language” and must be provided as a stand-alone document (i.e., the attestation cannot be combined with other documents). Further, the attestation may be provided electronically.
The Final Rule makes clear that an attestation is not, by itself, determinative of whether a use or disclosure is for a prohibited purpose. The regulated entity must consider the totality of the circumstances surrounding the attestation and whether it is reasonable to rely on the attestation in those circumstances. The Final Rule gives the example that it may not be reasonable for a regulated entity to rely on an attestation submitted by a public official when that official has publicly stated an interest in investigating or imposing liability on those who seek, obtain, provide or facilitate certain types of lawful reproductive health care.
Note: Regulated entities must comply with this attestation requirement by December 23, 2024. HHS is developing a model attestation form that regulated entities can use to comply with the requirement and intends to publish it ahead of the compliance deadline. A regulated entity may therefore choose to wait for the HHS model form before implementing the requirement, provided it can still meet the December 23, 2024 deadline, which does not move if the model form is delayed.
Updating HIPAA Notice of Privacy Practices
General notice of privacy practices requirements
Under the HIPAA rules, a covered entity (e.g., a group health plan) must generally provide a HIPAA notice of privacy practices to each group health plan participant. This notice must describe the uses and disclosures of PHI that may be made by the covered entity; the participant’s rights; and the covered entity’s legal duties with respect to the PHI.
Employers with self-funded group health plans must provide participants with a notice of privacy practices upon enrollment and within 60 days of a material change to the notice. If an employer sponsors a fully insured group health plan and does not have access to PHI (other than summary health information and enrollment/disenrollment information), the plan is not required to provide the notice of privacy practices; that obligation rests with the insurance carrier. If an employer sponsors a fully insured group health plan and does have access to PHI, the group health plan must maintain the notice of privacy practices and provide it only upon request. The Final Rule requires covered entities to update their HIPAA Notice of Privacy Practices as described below.
What updates must be made?
Covered Entities must update their HIPAA Notice of Privacy Practices to include the following information:
- a description of the additional privacy safeguards for reproductive health care;
- a description, including at least one example, of the types of uses and disclosures of PHI related to reproductive health care that are prohibited;
- a statement putting the individual on notice that PHI disclosed under the HIPAA Privacy Rule may be redisclosed by the recipient and may no longer be protected by HIPAA;
- a description, including at least one example, of the types of uses and disclosures of PHI for which an attestation is required; and
- an explanation that substance use disorder treatment records, or testimony relaying the content of such records, will not be used or disclosed in civil, criminal, administrative or legislative proceedings against the individual absent the patient’s written consent or a court order.
What is the deadline for making these updates?
Covered entities must update their HIPAA Notice of Privacy Practices by February 16, 2026. Note: While there is an HHS-issued model Notice of Privacy Practices, this model notice has not been updated since 2014, and it is not clear whether HHS will issue a revised model that reflects the Final Rule.
Business Associate Agreements
In response to comments asking HHS to clarify whether business associate agreements will need to be amended to reflect the requirements of the Final Rule, HHS replied that the prohibition on uses and disclosures of reproductive health care PHI applies “directly to all regulated entities; meaning, all HIPAA covered entities and business associates.” Further, under the Final Rule the attestation requirement applies directly to business associates. Accordingly, business associates that have access to or hold a covered entity’s PHI are subject to, and directly liable under, the Final Rule regardless of whether its requirements are spelled out in a business associate agreement. Nevertheless, HHS anticipates that some business associate agreements will need to be updated to reflect the parties’ respective responsibilities when either party receives a request for disclosure of reproductive health care PHI.
Action Items
Both self-funded group health plans and fully insured group health plans that have access to PHI must comply with the Final Rule, including the obligation to take the following actions:
- provide updated HIPAA training to workforce members by December 23, 2024;
- update HIPAA policies and procedures to include these new rules by December 23, 2024;
- draft an attestation form and use it in accordance with the new rules by December 23, 2024;
- update HIPAA notice of privacy practices and properly distribute such updated notices by February 16, 2026; and
- review business associate agreements to determine whether any amendments are necessary for compliance with the Final Rule, such as clarifying each party’s respective responsibilities when a request for reproductive health care PHI is received.
If you have any questions regarding compliance with the Final Rule, please contact us.