HIPAA Privacy Rule to Support Reproductive Health Care Privacy - Bim Group

HIPAA Privacy Rule to Support Reproductive Health Care Privacy

READ TIME: 6 MINUTES

Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and its constitutional protection of abortion, many states adopted extreme abortion bans and other restrictions on reproductive health care. Along with these new laws came concerns from both patients and providers that protected health information (PHI) could be used to expose them to both civil and criminal liability under the new state laws. On April 22, 2024, the Department of Health and Human Services (HHS) finalized new regulations aiming to protect PHI relating to reproductive health care. This final rule aims to allay fears of these patients and providers by prohibiting the use and disclosure of PHI related to lawful reproductive health care under certain circumstances.

HIPAA Privacy Rule Refresher

The HIPAA Privacy Rule (the “Privacy Rule”) serves to protect an individual’s PHI. The Privacy Rule applies to “covered entities” which include health care providers, health plans, and health care clearinghouses and their business associates (collectively, “regulated entities”). The rule generally prohibits regulated entities from using or disclosing PHI and sets limits on how PHI can be used or disclosed without an individual’s express authorization. The rule also gives individuals the right to examine their own health records, direct a covered entity to transmit their records to a third party, and request corrections to their records.

Prohibitions

This new rule focuses on patient confidentiality and the prevention of the use of PHI against an individual or their provider for seeking, obtaining, or providing lawful reproductive health care. The final rule defines reproductive health care to mean health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This includes, but is not limited to contraception, preconception screening and counseling, management of pregnancy and related conditions, prenatal care, miscarriage management, pregnancy termination, fertility and infertility diagnosis and treatment, and treatment of conditions that affect the reproductive system.

The final rule prohibits regulated entities from using or disclosing PHI:

  • To investigate or penalize, in the civil, criminal, or administrative context, an individual seeking, obtaining, or providing lawful reproductive healthcare.
  • To identify any person for the purposes of investigating or imposing such criminal, civil, or administrative

The prohibition applies where a regulated entity has reasonably determined that:

  • The reproductive health care is lawful in the state in which it was
  • The reproductive health care is protected, authorized, or required by federal
  • The reproductive health care was provided by a person other than the regulated entity that received the request for PHI and the presumption of lawful reproductive health care applies.

Presumption

The final rule includes a presumption that reproductive health care provided by a person other than the regulated entity who receives a request for PHI was lawful. The presumption that such reproductive health care was lawful may be rebutted if:

  • The regulated entity knows the care was unlawful, or
  • The regulated entity receives factual information, forming a “substantial factual basis,” from the individual making the request that the reproductive health care was unlawful in the circumstances in which it was
  • Where a request for PHI is made to the regulated entity that provided the reproductive health care, it is up to that entity to determine whether such health care was lawful and thus if disclosure is

New Attestation Requirements

The final rule creates a new requirement for regulated entities who receive a request for PHI potentially related to reproductive health care to obtain a written and signed attestation that the use and disclosure is not for a prohibited purpose.

An attestation is required when a request is made for:

  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Disclosures to coroners and medical examiners A valid attestation must include:
  • The name of the individual whose PHI is sought
  • The name of the person requesting the PHI
  • The name of the person to whom the disclosure is to be made
  • The clear statement that the PHI is not for a prohibited purpose
  • A statement that a person who knowingly and in violation of HIPAA obtains or discloses individually identifiable health information may be subject to criminal penalties

HHS plans to publish sample attestation language before the compliance date of this final rule.

Notice of Privacy Practices

Under the current Privacy Rule, covered entities are generally required to provide a Notice of Privacy Practice (NPP) to individuals to inform them how a covered entity may use or disclose their PHI and explain their individual rights under the Privacy Rule. Covered entities must now revise their NPPs to explain to individuals how their PHI related to reproductive health care may be used or disclosed under the newly issued final regulations. NPPs must be updated and revised by February 16, 2026.

Employer Action Items

While employers are not regulated by HIPAA directly, employers who provide health benefits or who handle health information in any capacity should stay informed of the implications of this rule. To best navigate the complicated and rapidly changing landscape of state and federal reproductive health law, employers should:

  1. Stay up to date on guidance released from HHS concerning the updates to the Privacy
  2. Update NPPs and ensure employees are provided with updated
  3. Consult with legal counsel should you receive a request for information potentially related to an employee’s PHI or their reproductive health care.

 

 

This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.

Recent Insights

September 26, 2024
News

IRS Releases 2025 Limits for HDHPs and HSAs

Read Time: 5 MINUTES The IRS recently issued Revenue Procedure 2024-25 to announce the 2025 inflation-adjusted amounts that apply to health savings accounts (HSAs), excepted benefit health reimbursement arrangements (EBHRAs), and high-deductible health plans (HDHPs). The newly announced figures result in increases in the applicable limits for 2025, including the maximum contribution limit for an […]
Read more
September 12, 2024
News

IRS Answers Questions Regarding Tax- Favored Educational Assistance Programs

READ TIME: 4 MINUTES Employers can leverage educational assistance programs to enhance their workforce’s skills while providing tax benefits. On June 17, 2024, the IRS answered frequently asked questions related to educational assistance programs. Overview of Educational Assistance Programs An educational assistance program (EAP) is a written benefits plan provided by an employer to offer […]
Read more
September 12, 2024
Compliance Alert

August 2024 Compliance Recap

READ TIME: 7 MINUTES In August, the FTC ban on non-compete agreements was struck down by a court stating that the FTC did not have the power to implement the ban and that its application was too broad. The FDA approved new and updated COVID-19 vaccines for adults and children as part of the preventive […]
Read more
August 21, 2024
News

The Importance of a Wrap Plan

READ TIME: 3 MINUTES Section 402 of the Employee Retirement Income Security Act (ERISA) requires that every health and welfare plan must have a written plan document. A wrap plan is a document that bundles or “wraps” ERISA health and welfare benefits (medical, dental, and vision, for example) into a single plan. It is an […]
Read more