HHS Final Rule Introduces HIPAA Compliance Changes for Reproductive Healthcare Information
On April 26, 2024, the Department of Health and Human Services (HHS) published a Final Rule introducing compliance changes for reproductive healthcare information under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Titled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” the Final Rule prohibits disclosure of protected health information (PHI) related to lawful reproductive healthcare under certain circumstances. HIPAA-covered entities will also be required to update their Notices of Privacy Practices (NPPs), obtain attestations in connection with certain requests for reproductive healthcare information, and update their HIPAA policies and training.
The Final Rule prohibits uses or disclosure of PHI to investigate or impose liability on individuals, healthcare providers, or others who seek, obtain, provide, or facilitate reproductive healthcare that is lawful under the circumstances under which it is provided, or to identify persons for such activities. Notably, the Final Rule includes a presumption, with certain exceptions, that the reproductive healthcare provided by a person other than the covered entity receiving the request was lawful. Covered entities are required to obtain a signed attestation from certain requestors that they do not seek PHI for these prohibited purposes. This requirement applies when PHI is requested for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosure to coroners and medical examiners. The HHS Office for Civil Rights (OCR) has stated that it intends to publish model attestation language. Additionally, covered entities are required to modify their NPPs to support reproductive healthcare privacy.
The Final Rule continues to allow covered healthcare providers to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for the use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare. The Final Rule will become effective on June 25, 2024, with a compliance date of December 23, 2024, except for certain requirements pertaining to Notices of Privacy Practices. Covered entities must comply with the NPP provisions of the Final Rule by February 16, 2026.