HIPAA Privacy Rule to Support Reproductive Health Care Privacy - Bim Group

HIPAA Privacy Rule to Support Reproductive Health Care Privacy

READ TIME: 6 MINUTES

Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and its constitutional protection of abortion, many states adopted extreme abortion bans and other restrictions on reproductive health care. Along with these new laws came concerns from both patients and providers that protected health information (PHI) could be used to expose them to both civil and criminal liability under the new state laws. On April 22, 2024, the Department of Health and Human Services (HHS) finalized new regulations aiming to protect PHI relating to reproductive health care. This final rule aims to allay fears of these patients and providers by prohibiting the use and disclosure of PHI related to lawful reproductive health care under certain circumstances.

HIPAA Privacy Rule Refresher

The HIPAA Privacy Rule (the “Privacy Rule”) serves to protect an individual’s PHI. The Privacy Rule applies to “covered entities” which include health care providers, health plans, and health care clearinghouses and their business associates (collectively, “regulated entities”). The rule generally prohibits regulated entities from using or disclosing PHI and sets limits on how PHI can be used or disclosed without an individual’s express authorization. The rule also gives individuals the right to examine their own health records, direct a covered entity to transmit their records to a third party, and request corrections to their records.

Prohibitions

This new rule focuses on patient confidentiality and the prevention of the use of PHI against an individual or their provider for seeking, obtaining, or providing lawful reproductive health care. The final rule defines reproductive health care to mean health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This includes, but is not limited to contraception, preconception screening and counseling, management of pregnancy and related conditions, prenatal care, miscarriage management, pregnancy termination, fertility and infertility diagnosis and treatment, and treatment of conditions that affect the reproductive system.

The final rule prohibits regulated entities from using or disclosing PHI:

  • To investigate or penalize, in the civil, criminal, or administrative context, an individual seeking, obtaining, or providing lawful reproductive healthcare.
  • To identify any person for the purposes of investigating or imposing such criminal, civil, or administrative

The prohibition applies where a regulated entity has reasonably determined that:

  • The reproductive health care is lawful in the state in which it was
  • The reproductive health care is protected, authorized, or required by federal
  • The reproductive health care was provided by a person other than the regulated entity that received the request for PHI and the presumption of lawful reproductive health care applies.

Presumption

The final rule includes a presumption that reproductive health care provided by a person other than the regulated entity who receives a request for PHI was lawful. The presumption that such reproductive health care was lawful may be rebutted if:

  • The regulated entity knows the care was unlawful, or
  • The regulated entity receives factual information, forming a “substantial factual basis,” from the individual making the request that the reproductive health care was unlawful in the circumstances in which it was
  • Where a request for PHI is made to the regulated entity that provided the reproductive health care, it is up to that entity to determine whether such health care was lawful and thus if disclosure is

New Attestation Requirements

The final rule creates a new requirement for regulated entities who receive a request for PHI potentially related to reproductive health care to obtain a written and signed attestation that the use and disclosure is not for a prohibited purpose.

An attestation is required when a request is made for:

  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Disclosures to coroners and medical examiners A valid attestation must include:
  • The name of the individual whose PHI is sought
  • The name of the person requesting the PHI
  • The name of the person to whom the disclosure is to be made
  • The clear statement that the PHI is not for a prohibited purpose
  • A statement that a person who knowingly and in violation of HIPAA obtains or discloses individually identifiable health information may be subject to criminal penalties

HHS plans to publish sample attestation language before the compliance date of this final rule.

Notice of Privacy Practices

Under the current Privacy Rule, covered entities are generally required to provide a Notice of Privacy Practice (NPP) to individuals to inform them how a covered entity may use or disclose their PHI and explain their individual rights under the Privacy Rule. Covered entities must now revise their NPPs to explain to individuals how their PHI related to reproductive health care may be used or disclosed under the newly issued final regulations. NPPs must be updated and revised by February 16, 2026.

Employer Action Items

While employers are not regulated by HIPAA directly, employers who provide health benefits or who handle health information in any capacity should stay informed of the implications of this rule. To best navigate the complicated and rapidly changing landscape of state and federal reproductive health law, employers should:

  1. Stay up to date on guidance released from HHS concerning the updates to the Privacy
  2. Update NPPs and ensure employees are provided with updated
  3. Consult with legal counsel should you receive a request for information potentially related to an employee’s PHI or their reproductive health care.

 

 

This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.

Recent Insights

July 9, 2024
News, Webinar

Webinar: Keep it Classy – Identifying Employees Properly

Tuesday, August 13, 2024 1 – 2PM CST Register Now Registration Code:UBA410EW   Attend this month’s webinar to learn how to properly classify employees for benefit eligibility. ​ Gain insights into:​​ Allowable employment-based classifications for benefits and contributions Risks arising from misclassifying or discriminating against employees Offering benefits to 1099 employees and related tax implications […]
Read more
July 9, 2024
News

EEOC Issues Final Regulations for the Pregnant Workers Fairness Act

READ TIME: 6 MINUTES The Equal Employment Opportunity Commission (EEOC) has recently released extensive final regulations under the Pregnant Workers Fairness Act (PWFA). The regulations were published in the federal register on April 19, 2024, and will take effect on June 18, 2024. Here’s what employers need to know. Overview of PWFA The PWFA took […]
Read more
July 9, 2024
News

Group Health Plan Fiduciaries are the Subject of New ERISA Class Actions

READ TIME: 5 MINUTES Retirement plan fiduciaries are no stranger to ERISA class action lawsuits. These lawsuits typically allege that imprudent processes and lack of oversight led to excessive fees for investment options, recordkeeping services, and investment management services. Similar class actions are beginning to find their way to group health plan fiduciaries thanks to […]
Read more
June 26, 2024
News

HIPAA Privacy Rule to Support Reproductive Health Care Privacy

READ TIME: 6 MINUTES Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and its constitutional protection of abortion, many states adopted extreme abortion bans and other restrictions on reproductive health care. Along with these new laws came concerns from both patients and providers that protected health […]
Read more