Reproductive Health Care Privacy Rule – Attestation

The June issue of the Advisor® included an introductory article on HIPAA’s Reproductive Health Care Privacy Rule. The Rule’s prohibition on certain uses and disclosures of PHI related to reproductive health care was discussed. This article will provide more detail regarding the new requirement for covered entities to obtain an attestation from a person requesting use or disclosure of PHI potentially related to reproductive health care in certain circumstances.


Prohibition on Use or Disclosure

To understand when an attestation is required, it is essential to understand the new prohibition on use or disclosure of PHI to investigate or impose liability on any person for seeking, obtaining, providing or facilitating reproductive health care. The prohibition and attestation requirements apply only to a requested use or disclosure of PHI potentially related to reproductive health care that is for purposes of health oversight, judicial and administrative proceedings, law enforcement, and disclosures about decedents to coroners and medical examiners. These types of disclosures do not require a patient’s authorization or an opportunity to agree or object to the disclosure.

The prohibition applies if one or more of the following conditions exists:

  • the reproductive healthcare is lawful under the law of the state in which it is provided, under the circumstances in which it is provided;
  • the reproductive healthcare is protected, required, or authorized by Federal law, under the circumstances in which such health care is provided, regardless of the state in which it is provided; or
  • the presumption of lawfulness applies (see below).

 

For example, if a covered entity received a request from a law enforcement agency for PHI that is potentially related to reproductive health care, the covered entity must ensure that the PHI will not be used for a prohibited purpose, such as investigating a patient, and obtain a valid attestation to that effect.


Presumption

A covered entity may presume that reproductive health care provided by another person is lawful unless the covered entity or business associate has any of the following:

  • Actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or

  • Information supplied by the person requesting the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive healthcare was not lawful under the specific circumstances in which it was provided.

If the requesting entity provides information that demonstrates a substantial factual basis that the reproductive health care was unlawful, it must still provide a valid attestation signifying that the purpose of the request is not one that is prohibited (i.e., that the purpose of the use or disclosure is not to investigate or impose liability on any person for the lawful provision of reproductive health care).


Required Elements and Other Obligations

A valid attestation must be written in plain language and contain the following elements:

  • A specific description of the information requested, including one of the following:
      – The name of any individual(s) whose protected health information is sought, if practicable.
      – If including the name(s) of any individual(s) whose PHI is sought is not practicable, a description of the class of individuals whose PHI is sought.
      – The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure.

  • A clear statement that the use or disclosure is not for a purpose prohibited under 45 CFR § 164.502(a)(5)(iii) (see Prohibition on Use or Disclosure section above).
  • A statement that a person may be subject to criminal penalties if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses such information to another person.
  • Signature of the person requesting the PHI, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided.

A valid attestation may be electronic, provided it meets the above requirements.


Defective Attestations

An attestation is not valid if the document has any of the following defects:

  • The attestation lacks a required element or statement (see list above).
  • The attestation contains an element or statement that is not required (see list above).
  • The attestation is combined with another document (except where another document is needed to reverse the presumption of lawfulness).
  • The covered entity or business associate has actual knowledge that material information in the attestation is false.
  • A reasonable covered entity or business associate in the same position would not believe that the attestation is true.

 

If additional documentation is necessary to support the statement that the disclosure is not for a prohibited purpose or to demonstrate that reproductive care was unlawful, it must not replace or substitute for any of the attestation’s required elements. The attestation itself must be clearly labeled, distinct from any surrounding text, and completed in its entirety. Additional documents may only be appended to the attestation.

A covered entity or business associate that uses or discloses PHI potentially related to reproductive health care for purposes of health oversight, judicial and administrative proceedings, law enforcement, and to coroners and medical examiners based upon a defective attestation is not in compliance.

If a covered entity or business associate discovers while using or disclosing PHI that any representation made in the attestation is materially false, leading to a use or disclosure that is prohibited, it must cease such use or disclosure. In addition, if a disclosure is made based on an attestation that contains misrepresentations or a defective attestation, this will be considered an impermissible disclosure and must be treated as a privacy breach. Notification of affected patient(s) and the Department of Health and Human Services (HHS) will most likely be required.

 


Other Requirements

Any conditions for disclosure that existed prior to the new final rule will still apply, in addition to the attestation requirement. For example, disclosures in response to a subpoena have always required that the covered entity receive satisfactory assurances that the requestor:

  • has made reasonable efforts to ensure the individual who is the subject of the information has been given sufficient notice of the request; or
  • has secured a qualified protective order that will guard the confidentiality of the information.

This type of disclosure will now also require the requesting person to provide a valid attestation if the PHI that is requested is potentially related to reproductive health care. The deadline for compliance with the attestation requirements is December 23, 2024.


HIPAA Compliance System Subscribers: Eagle Associates will provide a compliant attestation form along with HIPAA Manual policy revisions by September 1, 2024.