New HIPAA Reproductive Health Care Privacy Rule

On April 26, 2024, the Department of Health and Human Services (HHS) published the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. HHS states that the Privacy Rule was first promulgated, and continues to be enforced, to ensure that individuals are not afraid to seek health care or share important information with their healthcare providers because of a concern that their sensitive information will be disclosed outside of their relationship with their healthcare provider.

The new rule prohibits PHI from being used or disclosed for purposes of identifying, investigating, or imposing criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care.

This regulatory change will require covered entities to modify their PHI disclosure policies to prohibit certain disclosures for:

  • healthcare oversight
  • judicial and administrative (legal) proceedings
  • law enforcement
  • to coroners and medical examiners regarding decedents.

In addition, covered entities must require a valid attestation from requestors even when all other Privacy Rule conditions are met for the disclosure. A valid attestation will include several required elements including a statement signifying that the requesting party will not use or disclose the PHI for prohibited purposes (e.g., investigating or imposing liability on any person), and a statement that the requesting party may be subject to criminal penalties if they obtain or disclose PHI in violation of HIPAA rules. The attestation must not include any other element or statement that is not specifically required and may not be combined with any other form.

Employee training will also be necessary to ensure that all workforce members avoid violating the new rules and resulting enforcement action. If a covered entity becomes aware that PHI was disclosed based upon a falsified attestation or in absence of a required attestation, notification of a breach to the individual, the Secretary of HHS, and in some cases, the media, will be required.

The date by which covered entities must comply with the majority of the final rule’s provisions is December 23, 2024 — apart from a requirement to revise the Notice of Privacy Practices with additional information, which must be completed by February 16, 2026.

If you would like to view the final rule as published in the Federal Register, please visit: https://www.federalregister.gov/documents/ 2024/04/26/2024-08503/hipaa-privacy-ruleto-support-reproductive-health-care-privacy

HIPAA Compliance System subscribers will be provided policy revisions for their HIPAA Manual and related forms before September 1, 2024. Updated Privacy Rule training, including the new reproductive healthcare privacy requirements, will be published on the normal schedule in November 2024.