Effective December 23, 2024, HIPAA-covered entities and their business associates will be required to comply with new restrictions on how protected health information may be used and disclosed for certain purposes relating to lawful reproductive health care. Specifically, revisions to the HIPAA privacy rule finalized by HHS earlier this year prohibit HIPAA-covered entities and their business associates from using or disclosing protected health information for any of the following:
- To investigate a person for the mere act of seeking, obtaining, providing or facilitating lawful reproductive health care.
- To impose liability on a person for the mere act of seeking, obtaining, providing or facilitating lawful reproductive health care.
- To identify a person for the purposes of investigating or imposing liability on them for the mere act of seeking, obtaining, providing or facilitating lawful reproductive health care.
Please see Podcast here.
“Seeking, obtaining, providing, or facilitating reproductive health care” includes, but is not limited to, expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting or otherwise taking action to engage in reproductive health care; or attempting any the same. “Reproductive health care” is broadly defined as health care that affects the health of an individual in all matters relating to the reproductive system and its functions and processes.
The rule also imposes the burden of determining whether reproductive health care is “lawful” on the covered entity or business associate from whom the protected health information is sought. If the covered entity or business associate provided the reproductive health care at issue, it must consider the reproductive health care lawful if (i) the care was lawful in the state in which it was provided; or (ii) if the care is protected, required, or authorized by Federal law, including the United States Constitution under the circumstances in which such health care is provided regardless of the state in which it was provided.
If the covered entity or business associate did not provide the reproductive health care at issue, it must presume the reproductive health care provided was lawful unless it has actual knowledge that the reproductive health care was not lawful under the circumstances it was provided, or factual information supplied by requestor demonstrates a substantial factual basis that the reproductive healthcare was not lawful under the specific circumstances in which it was provided.
Because covered entities and business associates may not know for what purpose the health information at issue is being requested, the new rule requires covered entities and business associates to get a signed attestation statement from the requestor when the health information being requested is potentially related to reproductive health care and the permitted use or disclosure is for any of the following: (i) health oversight activities; (ii) law enforcement; (iii) judicial or administrative proceedings; and (iv) coroners and medical examiners. The attestation is only valid if it contains:
- The name of the person or class of persons to receive the requested protected health information.
- The name or class of persons from who the protected health information is being requested.
- Description of the specific health information requested, including the person or class of persons whose information is being requested.
- An attestation that the use or disclosure of protected health information being requested is not for a purpose prohibited by the HIPAA Privacy Rule at 45 CFR 164.502(a)(5)(iii) because of one of the following:
- The purpose of the use or disclosure of protected health information is not to investigate or impose liability on any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care or to identify any person for such purposes.
- The purpose of the use or disclosure of protected health information is to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, or to identify any person for such purposes, but the reproductive health care at issue was not lawful under the circumstances in which it was provided.
- A statement that the requestor understands he or she may be subject to criminal penalties pursuant to 42 USC 1320d-6 if they are knowingly and in violation of HIPAA obtain individually identifiable health information relating to individually identifiable health information relating to an individual or disclose individually identifiable health information to another person.
- Signed and dated by the requestor.
HHS has a model attestation form covered entities and business associates may use here.
In connection with the new rule, HHS is requiring covered entities to update their Notice of Privacy Practices to include a description and at least one example of the types of uses and disclosures prohibited by this new rule as well as a description, including at least one example of the types of uses and disclosures for which an attestation is required under the new rule. HHS is giving covered entities until February 16, 2026, to update their notice of privacy practices.
Covered entities and business associates must update their policies and train their staff to comply with the new rule effective December 23, 2024. Get our sample policy below and listen to this week’s podcast for implementation tips.
Ep 37 Sample HIPAA policy re Reproductive Health Care
