Compliance News | May 16, 2024

New HIPAA Rule Will Require Updates to Policies and Notices

The Department of Health and Human Services (HHS) recently issued a final rule that strengthens privacy protections for Protected Health Information (PHI) related to lawful reproductive healthcare. The rule requires covered entities, including group health plans, to modify privacy policies and procedures and prepare new Notices of Privacy Practices reflecting the changes.

The effective date is June 25, 2024, with a general compliance deadline of December 23, 2024. Privacy notices must be updated by February 16, 2026.


The final rule was issued as a result of developments in federal law concerning state abilities to restrict access to reproductive health services, including abortion, after the U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, 597 U.S. 215 (2022). In light of the state laws that can restrict access or impose criminal penalties for accessing abortion services, HHS is concerned that individuals may fear that their right to protection of their private health information may no longer be secure. Individuals may fear that law enforcement agencies may request and use PHI to identify persons who seek, obtain, provide or facilitate lawful reproductive healthcare, and take legal action against them.

HHS also states that the scope of concern is not limited to states where abortion is restricted but extends to individuals who travel out-of-state to obtain lawful reproductive healthcare. These individuals may be reluctant to disclose information for lawful healthcare purposes if they cannot be certain whether it will be protected.

The final rule

Restrictions on use and disclosure of reproductive healthcare PHI

To address these concerns, the final rule restricts covered entities (such as health plans, healthcare clearinghouses or healthcare providers) and business associates from using or disclosing an individual’s PHI for the purpose of conducting a criminal, civil or administrative investigation into, or imposing criminal, civil or administrative liability on, any person for the mere act of seeking, obtaining, providing or facilitating lawful reproductive healthcare. The final rule also restricts them from using PHI to identify any person for the purpose of conducting such investigation or imposing such liability.

For purposes of the final rule, lawful means either lawful under the circumstances in which such healthcare is provided and in the state in which it is provided or protected, required or authorized by federal law, including the United States Constitution, regardless of the state in which such healthcare is provided. There is a presumption under the final rule that reproductive healthcare provided by another person is lawful unless the covered entity has actual knowledge or factual information (such as a statement from the individual) that it is unlawful.

The final rule defines reproductive healthcare as healthcare that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. This includes, but is not limited to, lawfully obtained contraception, including emergency contraception; management of pregnancy and pregnancy-related conditions including miscarriage and pregnancy termination; fertility or infertility diagnosis and treatment, assistive reproductive technology, and other diagnoses, treatment and care that affect the reproductive system. Reproductive healthcare activities include, but are not limited to, any of the following: expressing an interest in using, performing, furnishing, paying for, disseminating information about, arranging, insurance administering, authorizing, providing coverage for, approving, counseling about, assisting or otherwise taking action to engage in reproductive healthcare or attempting any of the same. The final rule also slightly modifies the definition of “personal representative” to be consistent with the new requirements concerning reproductive healthcare.

Required attestation

When covered entities and business associates receive a request for PHI potentially related to reproductive healthcare, the final rule requires them to obtain a signed written attestation from the person requesting the PHI that the use or disclosure is not for a prohibited purpose. The attestation must meet the criteria set forth under the final rule and is not valid if the covered entity or business associate has actual knowledge that it is false or a reasonable person in the same position would not believe that the attestation is true. The attestation may be electronic if it meets certain criteria. The attestation rule applies even if the requesting entity has issued a subpoena or warrant for the PHI. However, if a person requesting the use or disclosure of PHI provides sufficient information, separate and distinct from the attestation itself, which substantiates that the reproductive healthcare was not lawful, the presumption would be overcome and the Privacy Rule would permit, but would not require, disclosure of the PHI in response to the subpoena.

Revisions to Notices of Privacy Practices

Covered entities must also amend Notices of Privacy Practices to include descriptions of the types of uses and disclosures prohibited under the final rule in sufficient detail for an individual to understand the rule. Notices must also include a description of when an attestation is required. Both descriptions must be accompanied by at least one example. The final rule also requires revisions to Notices of Privacy Practices to address requirements under the Part 2 Rule for the Confidentiality of Substance Use Disorder Patient Records, published on February 16, 2024.

Plan sponsor implications

Self-insured group health plan sponsors must incorporate the terms of the new final rule into their HIPAA privacy compliance program. This involves several actions, including amending policies and procedures, particularly those addressing use and disclosure and authorization policies; implementing compliant attestation forms; amending Notices of Privacy Practices; and training staff and business associates on the new policies. Plan sponsors will need to have policies and training in place no later than December 23, 2024, so it may be appropriate to amend Notices of Privacy Practices as well, even though the effective date for Notices is in 2026 (because of additional rules on substance use privacy protections applicable to some covered entities).

Fully insured group health plans have more limited responsibilities, as their policies and procedures are maintained by the insurer. However, they will need to train staff as necessary and have Notices updated accordingly if they have access to PHI.

While HHS has issued a model Notice of Privacy Practices, it has not been updated since 2014, so it is unclear whether new models will be published. HHS did state it intends to publish model attestation language before the compliance deadline of December 23, 2024.


This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.