August 15, 2024
Following the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and the wave of state-level abortion laws that followed it, the Department of Health and Human Services (HHS) has issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “2024 Privacy Rule”), which HHS deemed necessary in light of those developments. The 2024 Privacy Rule amends the HIPAA Privacy Rule to afford greater protection to protected health information (PHI) related to reproductive health care, with the goal of preserving the trust between patient and healthcare provider. The 2024 Privacy Rule also supports President Biden’s Executive Order on protecting access to reproductive health care, which specifically directed HHS to consider additional actions, including under HIPAA, to enhance protection for information related to reproductive health care.
The primary purpose of the 2024 Privacy Rule is to further restrict the use or disclosure of PHI related to reproductive health care. Previously, HIPAA-regulated entities (i.e., covered entities and business associates) were generally permitted to disclose PHI for certain public policy-related reasons, including law enforcement. The 2024 Privacy Rule narrows this permission by prohibiting such entities from disclosing PHI related to lawful reproductive health care in certain situations. To support this effort, the 2024 Privacy Rule adds and clarifies several definitions, imposes a new attestation requirement that applies upon receipt of a request for PHI potentially related to reproductive health care, and requires covered entities to make changes to their Notice of Privacy Practices.
Previously, the term “person” was defined by the HIPAA rules as “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” This definition has been clarified under the 2024 Privacy Rule to mean “a natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”
A new term, “reproductive health care,” has been added as a subset of the term “health care,” to mean health care “that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.” This definition would include, but is not limited to:
A new definition of “public health,” as used in the terms “public health surveillance,” “public health investigation,” and “public health intervention,” refers to “population-level activities to prevent disease and promote the health of populations,” so that these activities are clearly distinguished from a criminal investigation.
Under certain conditions described below, HIPAA-regulated entities will be prohibited from using or disclosing PHI for the following purposes:
The use or disclosure of PHI for one of the above purposes is prohibited if the HIPAA-regulated entity that receives the request for PHI can reasonably determine that one or more of the following three conditions is met:
Under the 2024 Privacy Rule, reproductive health care provided by a person other than the HIPAA-regulated entity receiving the request for PHI is presumed to have been lawful. That presumption is overcome only if the HIPAA-regulated entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or if the entity receives factual information from the person requesting the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under those circumstances.
When a HIPAA-regulated entity receives a request for PHI potentially related to reproductive health care, the entity must first obtain a signed attestation from the person requesting the information that the use or disclosure is not for a prohibited purpose. The requirement for an attestation will apply when the request for PHI is for any of the following reasons: health oversight activities; judicial and administrative proceedings; law enforcement purposes; and disclosures to coroners and medical examiners.
A valid attestation must include a clear statement that the use or disclosure of PHI is not for a prohibited purpose as well as a statement that a person may be subject to criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA. The attestation must be written in plain language and cannot be combined with any other document (though other additional supporting documentation may be provided).
Relying on a defective attestation to use or disclose PHI is itself a violation of the HIPAA rules. An attestation is defective if it contains an element or statement that the 2024 Privacy Rule does not require (i.e., one that goes beyond what is required), if the HIPAA-regulated entity has actual knowledge that material information in the attestation is false, or if a reasonable entity in the same position would not believe that the attestation is true. In considering whether an attestation is true, an entity must consider the “totality of the circumstances surrounding the attestation,” including who the requestor is and the permission upon which the requestor relies.
HHS has provided a model attestation form that covered entities and business associates may use for this requirement: www.hhs.gov/sites/default/files/model-attestation.pdf
Compliance with the above amendments to the HIPAA Privacy Rule is required by December 22, 2024. While employers are unlikely to be the primary target of PHI requests subject to these new rules, employers should nevertheless plan to adjust their HIPAA policies and procedures, and the HIPAA training required for workforce members who have access to PHI, to satisfy these new rules.
The 2024 Privacy Rule also requires covered entities to make changes to their Notice of Privacy Practices that address both the new prohibited purposes of use or disclosure of PHI related to reproductive health care and the confidentiality of substance use disorder patient records that were originally addressed in a separate final rule that was released on February 16, 2024 (the Part 2 Final Rule).
Compliance with the changes to the Notice of Privacy Practices is expected by February 16, 2026. An updated model Notice of Privacy Practices is expected to be released by that time.
In complying with the 2024 Privacy Rule, employers will need to revise their HIPAA policies and procedures to account for the new category of prohibited use or disclosure of PHI, and update the HIPAA training provided to any employees with access to PHI, by December 22, 2024. Beyond the model attestation form it has already released, HHS is expected to issue further guidance on the 2024 Privacy Rule.
Finally, employers will also need to update their Notice of Privacy Practices by February 16, 2026, and we expect HHS to issue an updated model Notice of Privacy Practices before that date.
The views and opinions expressed within are those of the author(s) and do not necessarily reflect the official policy or position of Parker, Smith & Feek. While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it.