The US Department of Health and Human Services (HHS) issued a final rule (Final Rule) on April 26, 2024 amending the privacy regulations (Privacy Rule) promulgated under the Health Insurance Portability and Accountability Act (HIPAA) to provide significant additional protections for protected health information (PHI) relating to reproductive health care. The Final Rule generally prohibits disclosure of PHI in connection with a criminal, civil, or administrative investigation or imposition of liability relating to legal reproductive health care, as well as imposing a new attestation requirement and updates to the Notice of Privacy Practices.

The Final Rule is effective as of June 25, 2024, and persons subject to the new rules must comply by December 23, 2024, with the exception that certain required changes to the Notice of Privacy Practices must be made by February 16, 2026.

Background leading to the Final Rule

Following the Supreme Court’s ruling on abortion rights in Dobbs vs. Jackson Women’s Health Organization, the HHS Office for Civil Rights issued guidance reminding covered entities, including group health plans, that they were permitted, but not required, to disclose PHI (1) to law enforcement entities, (2) as required by law, and (3) to avert a serious threat to health or safety.

The Final Rule expands on the prior HHS guidance and the Notice of Proposed Rulemaking issued on April 12, 2023. In issuing the new rule, HHS cited HIPAA’s intent “to ensure that individuals are not afraid to seek health care from, or share important information with, their health care providers because of a concern that their sensitive information will be disclosed” and stated that without the new rule, the current environment is “likely to chill an individual’s willingness to seek lawful health care treatment or to provide full information to their health care providers.”

Employers who sponsor group health plans should be aware of the following aspects of the Final Rule.

New prohibition against the use or disclosure of PHI for certain investigations or impositions of liabilities

Under the Final Rule, a covered entity (such as a group health plan) or business associate may not use or disclose PHI for the following activities:

1. To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
2. To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
3. To identify any person for any purpose described in paragraphs (1) or (2).

The Final Rule only applies where the covered entity or business associate that received the request has “reasonably determined” that at least one of the following conditions exist:

1. The reproductive health care was lawful in the state in which the health care was provided;
2. The reproductive health care was protected, required, or authorized under Federal law (including the US Constitution); or
3. The reproductive health care was provided by a person other than the covered entity that receives the request for PHI, and the presumption is that the care provided was lawful.

A covered entity should presume the reproductive health care was lawful unless it has actual knowledge that the reproductive health care was not lawful, or it receives factual information from the person requesting the information that demonstrates a “substantial factual basis” that it was not lawful.

Attestation requirement

The Final Rule adds a new attestation requirement that requires covered entities and business associates to receive a valid attestation from the person who is requesting the use or disclosure of PHI relating to reproductive health care for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or to coroners and medical examiners.

If the attestation does not comply with the Final Rule, it is not a valid attestation, and if it is not a valid attestation, then no use or disclosure should be made. It is expected that a sample attestation will be published prior to the Final Rule’s compliance date (December 23, 2024).

Updates to Notice of Privacy Practices (NPPs)

The Final Rule also requires certain changes to health care providers’ NPPs regarding the limitations of uses and disclosure relating to reproductive health, including three new paragraphs:

• A description, including at least one example, of the types of prohibited uses and disclosures in sufficient detail for an individual to understand the prohibition.
• A description, including at least one example, of the types of uses and disclosures for which an attestation is required.
• A statement adequate to put the individual on notice of the potential for information disclosed to be subject to redisclosure by the recipient and no longer protected.

The Final Rule includes other changes to the NPP as well, such as new language regarding the limitations of the use of substance use disorder treatment records.

As mentioned above, the updates to the Notice of Privacy Practices are due by February 16, 2026.

[View source.]