HIPAA Privacy Rule to Support Reproductive Health Care Privacy - Bim Group

HIPAA Privacy Rule to Support Reproductive Health Care Privacy

READ TIME: 6 MINUTES

Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and its constitutional protection of abortion, many states adopted extreme abortion bans and other restrictions on reproductive health care. Along with these new laws came concerns from both patients and providers that protected health information (PHI) could be used to expose them to both civil and criminal liability under the new state laws. On April 22, 2024, the Department of Health and Human Services (HHS) finalized new regulations aiming to protect PHI relating to reproductive health care. This final rule aims to allay fears of these patients and providers by prohibiting the use and disclosure of PHI related to lawful reproductive health care under certain circumstances.

HIPAA Privacy Rule Refresher

The HIPAA Privacy Rule (the “Privacy Rule”) serves to protect an individual’s PHI. The Privacy Rule applies to “covered entities” which include health care providers, health plans, and health care clearinghouses and their business associates (collectively, “regulated entities”). The rule generally prohibits regulated entities from using or disclosing PHI and sets limits on how PHI can be used or disclosed without an individual’s express authorization. The rule also gives individuals the right to examine their own health records, direct a covered entity to transmit their records to a third party, and request corrections to their records.

Prohibitions

This new rule focuses on patient confidentiality and the prevention of the use of PHI against an individual or their provider for seeking, obtaining, or providing lawful reproductive health care. The final rule defines reproductive health care to mean health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This includes, but is not limited to contraception, preconception screening and counseling, management of pregnancy and related conditions, prenatal care, miscarriage management, pregnancy termination, fertility and infertility diagnosis and treatment, and treatment of conditions that affect the reproductive system.

The final rule prohibits regulated entities from using or disclosing PHI:

  • To investigate or penalize, in the civil, criminal, or administrative context, an individual seeking, obtaining, or providing lawful reproductive healthcare.
  • To identify any person for the purposes of investigating or imposing such criminal, civil, or administrative

The prohibition applies where a regulated entity has reasonably determined that:

  • The reproductive health care is lawful in the state in which it was
  • The reproductive health care is protected, authorized, or required by federal
  • The reproductive health care was provided by a person other than the regulated entity that received the request for PHI and the presumption of lawful reproductive health care applies.

Presumption

The final rule includes a presumption that reproductive health care provided by a person other than the regulated entity who receives a request for PHI was lawful. The presumption that such reproductive health care was lawful may be rebutted if:

  • The regulated entity knows the care was unlawful, or
  • The regulated entity receives factual information, forming a “substantial factual basis,” from the individual making the request that the reproductive health care was unlawful in the circumstances in which it was
  • Where a request for PHI is made to the regulated entity that provided the reproductive health care, it is up to that entity to determine whether such health care was lawful and thus if disclosure is

New Attestation Requirements

The final rule creates a new requirement for regulated entities who receive a request for PHI potentially related to reproductive health care to obtain a written and signed attestation that the use and disclosure is not for a prohibited purpose.

An attestation is required when a request is made for:

  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Disclosures to coroners and medical examiners A valid attestation must include:
  • The name of the individual whose PHI is sought
  • The name of the person requesting the PHI
  • The name of the person to whom the disclosure is to be made
  • The clear statement that the PHI is not for a prohibited purpose
  • A statement that a person who knowingly and in violation of HIPAA obtains or discloses individually identifiable health information may be subject to criminal penalties

HHS plans to publish sample attestation language before the compliance date of this final rule.

Notice of Privacy Practices

Under the current Privacy Rule, covered entities are generally required to provide a Notice of Privacy Practice (NPP) to individuals to inform them how a covered entity may use or disclose their PHI and explain their individual rights under the Privacy Rule. Covered entities must now revise their NPPs to explain to individuals how their PHI related to reproductive health care may be used or disclosed under the newly issued final regulations. NPPs must be updated and revised by February 16, 2026.

Employer Action Items

While employers are not regulated by HIPAA directly, employers who provide health benefits or who handle health information in any capacity should stay informed of the implications of this rule. To best navigate the complicated and rapidly changing landscape of state and federal reproductive health law, employers should:

  1. Stay up to date on guidance released from HHS concerning the updates to the Privacy
  2. Update NPPs and ensure employees are provided with updated
  3. Consult with legal counsel should you receive a request for information potentially related to an employee’s PHI or their reproductive health care.

 

 

This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.

Recent Insights

January 10, 2025
Affordable Care Act (PPACA)

ACA Reporting Changes for 2025

On December 23, 2024, President Biden signed into law the Paperwork Burden Reduction Act (PBRA) alleviating some burdens associated with the annual ACA reporting.  Effective for tax years beyond 2023, employers are no longer required to automatically distribute the Forms 1095-B/Cs to employees unless requested.  The Form 1095-B/Cs must still be prepared and electronically filed […]
Read more
January 7, 2025
News

Webinar: Ensuring Your Health Plan is Ready for a Department of Labor Audit

Tuesday, January 14, 2025 1 – 2PM CST Register Now Registration Code:UBA410EW Attend this month’s webinar to learn what triggers a DOL audit and how to prepare. Key takeaways:  Gain insight into the DOL’s enforcement priorities that can trigger an audit, especially regarding compliance with the ACA, Mental Health Parity and Addiction Equity Act, and […]
Read more
January 7, 2025
News

Wellness Programs and Smokers’ Penalties under Scrutiny

READ TIME: 5 MINUTES A recent lawsuit involving Macy’s Inc. and the U.S. Department of Labor (DOL) is bringing attention to the way companies structure their wellness programs—particularly those that impose penalties on employees who smoke. This case highlights the potential risks for employers who charge higher health premiums to smokers and raises questions about […]
Read more
January 7, 2025
News

December 2024 Compliance Recap

READ TIME: 7 MINUTES President Biden stepped away from proposed changes to the birth control opt-out for moral objections. The pre-deductible status of telehealth in HSA plans expired, and the CAA 2024 Gag Clause Attestation submission took effect. Biden Administration Withdraws Proposed Birth Control Benefits regulations The Biden Administration has suspended its efforts to limit […]
Read more