On April 22, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a final rule (the Final Rule) to modify certain provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA) to support reproductive health care privacy. The Final Rule strengthens privacy protections for highly sensitive Protected Health Information (PHI) about an individual's reproductive health care, to ensure that persons are not deterred from seeking, obtaining, providing, or facilitating reproductive health care where such health care is lawful under the circumstances in which it is sought or provided.
The Final Rule goes into effect on June 25, 2024. HIPAA-regulated entities, including covered health care providers, health plans, health care clearinghouses, and their business associates (Regulated Entities), must comply with most provisions of the Final Rule by December 22, 2024.
I. Changes to HIPAA.
A. Clarified Definition of “Person” and New Definition of Reproductive Health Care.
The Final Rule clarifies the definition of “person” to mean, in part, a “natural person” (meaning a human being who is born alive).1 Additionally, an “individual,” “child,” or “victim” (e.g., a victim of crime) under the HIPAA Rules must be a natural person and, for the purposes of applying the HIPAA privacy regulation, such terms exclude a fertilized egg, embryo, or fetus.2
The Final Rule also adopts the new term “reproductive health care,” which is a subset of the term “health care” as defined in HIPAA.3 HHS specifies that the term is to be construed broadly, and means health care “that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes,” including, without limitation, contraception; preconception screening and counseling; management of pregnancy and pregnancy-related conditions; prenatal care; miscarriage management; fertility and infertility diagnosis and treatment; diagnosis and treatment of conditions that affect the reproductive system; and other types of care or services such as mammography, pregnancy-related nutrition services, and postpartum care products.4
B. Enhanced Protection of PHI Related to Reproductive Health Care.
The Final Rule modifies the Privacy Rule to strengthen privacy protections for individuals' PHI by adding a new category of prohibited uses and disclosures of PHI. Specifically, the Final Rule explicitly prohibits the use or disclosure of PHI by a Regulated Entity for the following activities:
- To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care where such health care is lawful under the circumstances in which it is provided;
- To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; and
- The identification of any person for the purpose of conducting such investigation or imposing such liability.5
The Final Rule preempts state or other laws that may mandate the use or disclosure of PHI pursuant to a court order or other legal process if the use or disclosure falls under a prohibited purpose stated above.6 However, the prohibition applies only when a Regulated Entity reasonably determines that at least one of the following conditions exists:
- The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided. For example, a resident of one state travels to another state to receive an abortion that is lawful in the state where such health care was provided;
- The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided. For example, the use of contraception is protected by the U.S. Constitution; or
- The reproductive health care was provided by a person other than the Regulated Entity that receives the request for PHI, and the presumption is that the care provided was lawful.7
The Final Rule vests the determination of whether the reproductive health care was lawful under the circumstances in which it was provided in the Regulated Entity that receives the request for PHI, and requires that such determination be reasonable.8
C. Attestation.
The Final Rule additionally requires that, in certain circumstances, when a Regulated Entity receives a request for PHI potentially related to reproductive health care, it obtain a signed attestation from the requestor that the use or disclosure is not for a prohibited purpose.9 Notably, the Final Rule makes both covered entities and business associates directly liable for compliance with the attestation requirement, regardless of whether compliance is explicitly included in a Business Associate Agreement (BAA).10
II. Compliance Considerations and Updates.
Regulated Entities and other stakeholders should consider the following when complying with the new requirements under the Final Rule:
- Revise HIPAA Policies and Procedures; Compliance Training. Each Regulated Entity will need to adopt new policies and procedures that address how to respond to requests for the use or disclosure of PHI and when an attestation is required. Each Regulated Entity will also need to modify or update existing policies based on other clarifications brought by the Final Rule. To this end, each Regulated Entity must update its HIPAA training for workforce members to reflect these updates to its policies and procedures.
- Revise Business Associate Agreements. The modifications in the Final Rule may require Regulated Entities to revise existing BAAs where such agreements permit a party to engage in activities that are no longer permitted under the revised Privacy Rule. Additionally, BAAs will likely need to be updated to reflect a determination made by parties about their respective responsibilities when either party receives requests for disclosures of PHI regarding an individual’s reproductive health care. For example, each of the parties to the business associate agreement may need to notify the other party when they have knowledge that a request is for an unlawful purpose and allocate their respective responsibilities for handling these requests. Valid BAAs must be in place by December 22, 2024.
- Update and Publish Notice of Privacy Practices (NPPs). The Privacy Rule generally requires that a covered entity provide individuals with an NPP to ensure that they understand how a covered entity may use and disclose their PHI.11 The Final Rule requires modifications to covered entities' NPPs to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under the Final Rule and that in certain circumstances, a Regulated Entity must obtain an attestation from a person requesting the PHI that affirms that the use or disclosure is not for a prohibited purpose.12
- Prepare HIPAA-Compliant Attestation Forms. As stated, the Final Rule requires that, in certain circumstances, Regulated Entities obtain an attestation that a requested use or disclosure is not for a prohibited purpose.13 Regulated Entities must adopt a HIPAA-compliant attestation form and implement a process for workforce members to administer the attestation form in accordance with the Final Rule.14 HHS is clear that failure to comply with the attestation requirement, or using and disclosing reproductive health care PHI based on a defective attestation, could result in an enforcement action.15
- Reasonableness Determinations; Requests for Reproductive Health Care PHI. The Final Rule requires that a Regulated Entity that receives a request for PHI make a reasonable determination about the lawfulness of the reproductive health care under the circumstances in which such health care was provided.16 Thus, a Regulated Entity that receives a request for PHI must decide and document whether it would be reasonable for a similarly situated Regulated Entity to determine that the reproductive health care is lawful under the circumstances in which such health care was provided.17 Healthcare Attorneys at Morris, Manning & Martin, LLP are well-situated to assist Regulated Entities in reviewing requests for PHI and evaluating the facts and circumstances under which the reproductive health care was provided in order to make such a reasonableness determination.
Please feel free to contact the authors of this post or their colleagues in Morris, Manning & Martin, LLP’s Healthcare Team with further questions regarding this update to the Privacy Rule and its implications on Regulated Entities.