On April 26, the Office of Civil Rights (“OCR”) within the U.S. Department of Health and Human Services issued changes to the HIPAA Privacy Rule to create additional protections for information about reproductive health care. The OCR made these changes in response to both (i) the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization to eliminate the constitutional right to an abortion under Roe v. Wade, and (ii) demands for reproductive health records made by government agencies and private parties to reproductive health services providers both within their own states and in other states that have not restricted access to reproductive care services.
The changes became effective on June 25, 2024, but the date for HIPAA covered entities and business associates to comply with these changes is December 23, 2024.
These enhanced protections apply to information about “reproductive health care.” This newly defined term in the Privacy Rule encompasses more than abortion services – it covers “health care . . . that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” The OCR intended to include all types of reproductive health care within this definition, including contraception, pregnancy-related care, and infertility services.
Under these changes, covered entities and business associates may not disclose PHI for the purposes of a criminal, civil, or administrative investigation or to impose liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care where such care was lawful in the state where it was provided. The prohibition applies if the covered entity or business associate reasonably determines that:
The reproductive health care was lawful in the state where it was provided;
The care is protected, required, or authorized under federal law; or
The care was rendered by a different provider than the entity that received the request for records and the care is presumed to have been lawful. The presumption can be rebutted if there is a factual basis to believe the care provided was unlawful.
Thus, covered entities and business associates may be called upon to make legal determinations about whether the care at issue was lawfully provided before disclosing these records.
To implement these protections, covered entities and business associates must obtain a signed attestation from the requestor when the request for PHI is potentially related to reproductive health care. The attestation must be obtained if the request is for: health oversight activities, judicial or administrative proceedings, law enforcement purposes, or medical examiner duties. The attestation must include specific information and statements. It must also require the requestor to make representations about the purpose of the request.
Covered entities and business associates are encouraged to start taking steps to ensure compliance with these changes before December 23, 2024. However, they may choose to comply with the changes now. These steps should include:
Revising policies and procedures on disclosing PHI related to reproductive health care;
Developing procedures to respond to requests for such information and obtaining required attestations;
Developing a process to review records that could implicate these new rules to determine whether the PHI potentially relates to reproductive health care;
Updating Notices of Privacy Practices to include a description, including at least one example, of the types of uses and disclosures prohibited under these new rules; and
Implementing a process for consulting with legal counsel to assist with determining whether the reproductive health care subject to the records request was lawfully provided.
If you have questions about these changes to the HIPAA Privacy Rule and how your organization should implement them, we encourage you to contact a Kozak & Gayer attorney.