The HIPAA Privacy Rule has been modified by the US Department of Health and Human Services (“HHS”) to increase privacy protections for reproductive health care information. These updates will prohibit the use and disclosure of reproductive health care information to conduct an investigation into, impose liability on, or identify individuals who obtain or provide legal reproductive health care. HIPAA-regulated entities will also be required to update their Notices of Privacy Practices and obtain attestations in connection with certain requests for reproductive health care information. These new requirements also may necessitate updates to entities’ HIPAA policies and training.
The final rule prohibits the use or disclosure of PHI to support the investigation, imposition of liability on, or identification of, individuals who seek, obtain, provide, or facilitate lawful reproductive health care (the “Prohibited Purposes”). Our prior post outlined key proposed changes in the notice of proposed rulemaking (“NPRM”), following the rise of uncertainty around reproductive health care as a result of the U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization.
The final rule includes a presumption that reproductive health care was lawful, unless certain conditions are met. These include the recipient of the request having actual knowledge that the care was not lawful, or where factual information is presented by the requestor that provides a substantial factual basis that the care was not lawful.
In certain cases, the final rule requires that when HIPAA-regulated entities receive requests for reproductive health care information, they must obtain a signed attestation from the requestor that the intended use or disclosure of that information is not for a Prohibited Purpose. The attestation requirement applies only if the request is for (1) law enforcement purposes, (2) judicial and administrative proceedings, (3) health oversight activities, or (4) disclosures to coroners and medical examiners. The final rule includes required elements for a valid attestation and HHS intends to publish model attestation language before the compliance date of the final rule.
The final rule requires HIPAA-regulated entities to revise their Notices of Privacy Practices (“NPPs”) to include a description and an example of the Prohibited Purposes with sufficient detail for an individual to understand the prohibition and the types of uses and disclosures of PHI that require an attestation. The final rule also includes requirements for entities that create or maintain Substance Use Disorder (“SUD”) patient records (i.e., “Part 2” records) to update their NPPs to reflect permitted and prohibited uses and disclosures of such records. We discussed HHS’s final rule regarding Part 2 records in this previous post.
To prevent attempts to use other HIPAA provisions to justify uses and disclosures of reproductive health information for Prohibited Purposes, the final rule clarified the scope of certain provisions, including:
Uses and disclosures of PHI for public health activities. The final rule adopts a new definition of “public health” that makes clear that permissible public health activities are population-level activities and do not include uses of PHI to conduct an investigation, impose liability on, or identify any person for seeking, obtaining, providing, or facilitating health care.
Disclosures of PHI to report cases of abuse or neglect. The final rule prohibits regulated entities from using or disclosing PHI to report abuse or neglect when the sole basis for the report is the provision or facilitation of reproductive health care. This provision differs from the proposed rule, where disclosure of PHI for reporting abuse was prohibited when the report is based primarily on the provision of reproductive health care.
A person who knowingly and in violation of HIPAA falsifies an attestation (e.g., makes a material misrepresentation about the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual’s reproductive health care information could be subject to criminal penalties.
The effective date of the rule is June 25, 2024. The compliance date is December 23, 2024, except for the applicable requirements for the NPPs, which entities must implement by February 16, 2026. The phased rollout allows organizations to evaluate how the new requirements may impact their operations, identify what public-facing and internal materials may be affected, and update accordingly.
Steps organizations can take now include:
assessing what information and activities may be in scope for these requirements;
confirming what processes are needed to provide additional safeguards for reproductive health care information in light of the new requirements;
identifying and updating internal policies, procedures, and practices for responding to law enforcement and certain other third-party requests for PHI, data handling, and permitted/prohibited uses and disclosures that may include reproductive health care information;
revising their Notices of Privacy Practices and making them available in accordance with the HIPAA Privacy Rule;
drafting applicable forms, including attestation templates, and response procedures for responding to requests; and
training workforce members on the new requirements and updated processes.
Authored by Marcy Wilder, Melissa Bianchi, Melissa Levine, Donald DePass, Alyssa Golay, and Fleur Oké.