Changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will require stakeholders across the health care industry to update their internal policies and procedures—and in some cases their business associate agreements—relating to the use or disclosure of protected health information (PHI) for specific purposes connected to reproductive health. The compliance date for implementing these new requirements under the HIPAA Final Rule to Support Reproductive Health Care Privacy (“Final Rule”) is December 23, 2024. Notices of Privacy Practices (NPPs) must also be revised, and that compliance date is February 16, 2026.
The Final Rule, which took effect on June 25, 2024, was adopted by the U.S. Department of Health and Human Services (HHS) in response to recent changes at the federal and state levels to the legality of providing certain reproductive health care services.
The Final Rule builds on executive actions of the Biden-Harris administration, which had directed HHS to strengthen privacy protections following the Dobbs v. Jackson Women’s Health Organization decision that overturned precedent that protected abortion as a federal constitutional right, including Roe v. Wade. As states likewise continue to modify their reproductive health laws in the post-Roe era, this Final Rule reinforces the confidentiality of reproductive health information at the federal level, aligning with the Biden-Harris administration’s published objectives.
Summary of Final Rule
The Final Rule:
- Prohibits the use or disclosure of PHI for certain purposes;
- Provides limited circumstances in which that prohibition applies; and
- Requires a written attestation in certain circumstances before a covered entity or business associate may use or disclose reproductive health information pursuant to four specific provisions of the HIPAA Privacy Rule.
The Final Rule also adds new definitions for the terms “public health” and “reproductive health care,” and amends the definition of “person” to clarify that “natural person” means a human being born alive. Another new provision broadly defines the scope of “seeking, obtaining, providing or facilitating” reproductive health care. Other provisions related to reporting abuse, neglect or domestic violence and additional minor changes are also included in the Final Rule.
Finally, the Final Rule adds numerous new requirements for NPPs that reflect the provisions outlined above, as well as the confidentiality requirements in HHS’s 2024 Part 2 Rule.
1.) Purpose and Applicability
The Final Rule is a “purpose-based” rule prohibiting the use or disclosure of PHI by a covered entity or business associate when the purpose of that disclosure is any of the following, collectively referred to as the “Prohibited Purpose”:
- To conduct a civil, criminal, or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care;
- To impose liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
- To identify any person for any purpose described in the above two bullet points.
This ban on the use or disclosure of PHI for the Prohibited Purpose applies when one or more of the following is true:
- The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided;
- The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided; or
- The rebuttable presumption described in the Final Rule (“Presumption”) applies.
The Presumption is triggered when a covered entity or business associate is faced with a lawfulness decision concerning health care provided by another entity. In this case, the health care is presumed to be lawfully provided unless that presumption is rebutted by actual knowledge or factual information.
Unlike psychotherapy notes, which are defined as their own subset of PHI under HIPAA, the Final Rule purposefully does not create a newly defined subset of PHI for reproductive health care. HHS reasoned that it would be difficult for covered entities and business associates to segregate reproductive health care information, as it encompasses a broad swath of data across treatments and providers. The focus of the regulation is instead on the use and disclosure of PHI for the Prohibited Purpose.
2.) Attestation
Requests for uses or disclosures under 45 CFR 164.512 of the HIPAA Privacy Rule (i.e., those “for which an authorization or opportunity to agree or object is not required”) must meet the specific requirements of that section. The Final Rule now requires any requesting party to provide a written attestation meeting detailed specifications (“Attestation”) when use or disclosure requests relate to reproductive health information and are requested under the following subsections of 164.512:
- (d) (Uses and disclosures for health oversight activities),
- (e) (Disclosures for judicial and administrative proceedings),
- (f) (Disclosures for law enforcement purposes) or
- (g)(1) (Uses and disclosures about decedents to coroners and medical examiners).
The elements required to be included in an Attestation are set out in detail in the Final Rule, and HHS will be publishing an example of a valid attestation.
3.) Notices of Privacy Practices
In line with the Final Rule’s emphasis on improving patient trust in health systems, covered entities will be required to revise their NPPs to indicate the newly enacted protections, and to distribute and post these revised NPPs. As noted above, the NPP provision also requires specific NPP revisions related to HHS’s 2024 Part 2 Rule addressing substance use disorder records. Because these required NPP changes are extensive, covered entities will have until February 16, 2026, to comply with the NPP portions of the Final Rule, as compared to the 180-day compliance period for the remainder of the Final Rule.
4.) Compliance Steps Required by December 23, 2024
Policies and Procedures. Compliance with the Final Rule will require that covered entities and business associates revise their policies and procedures for using and disclosing PHI—and responding to requests for those uses and disclosures—when they are for the Prohibited Purpose. Covered entities and business associates are similarly required to revise their policies and procedures for reviewing and responding to a request for a use or disclosure under 45 CFR §164.512 (d), (e), (f) and (g)(1) to ensure that an Attestation is provided under the appropriate circumstances, as set forth in the Final Rule.
Training. With new and revised policies and procedures, covered entities and business associates are required to train their workforce members to ensure compliance with the Final Rule.
Business Associate Contracts. Many covered entities already require their business associates to notify the covered entity in the event of certain or all third-party requests for uses and disclosures. Covered entities and business associates are well-advised to review their business associate agreements to ensure that the responsibility for decisions concerning uses and disclosures for the Prohibited Purpose and the uses and disclosures that require an Attestation are made by the appropriate party. Covered entities may prefer to make those determinations, and business associates may prefer that covered entities do so. The business associate agreement needs to reflect those determinations and ensure proper process and timeliness.
Key Takeaways
The Final Rule is complex. For example, the instances in which an Attestation is required can be nuanced and complicated, and determining the lawfulness of reproductive health care may require legal guidance. Covered entities and business associates will be forced to act with speed and diligence to complete the required changes to policies and procedures, conduct the training, and consider amendments to business associate agreements in time for the December 2024 compliance date.
Frost Brown Todd has an experienced team of health care attorneys poised to help guide businesses through this compliance challenge. Please reach out to the authors of this article or any of our Health Care Innovation team members.