New Privacy Requirements Imposed on Providers by Reproductive Healthcare Rule
The HIPAA Privacy Rule has been amended to strengthen the protection of reproductive health information. Anyone who handles this sensitive data needs to get up to speed with the changes: a new prohibition on certain uses and disclosures of protected health information (PHI), a new attestation requirement for certain requests, and required updates to notices of privacy practices. If you are part of a covered entity or a business associate, you will need to revise your policies and procedures to stay compliant, and it is also a good time to review, and possibly update, your business associate agreements.
The Final Rule prohibits a covered entity or business associate from using or disclosing PHI when the request is made to investigate or impose liability on anyone merely for seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify an individual for that purpose. The prohibition applies whether the investigation or liability is civil, criminal, or administrative. "Reproductive health care" is defined broadly and covers all care affecting the reproductive system and its functions, including related medications and devices. The rule took effect on June 25, 2024; regulated entities must comply by December 23, 2024, with an extended deadline of February 16, 2026 for the notice of privacy practices updates.
HIPAA Privacy Rule to Strengthen Reproductive Health Care Privacy
On April 26, 2024, the U.S. Department of Health and Human Services (HHS) published a final rule in the Federal Register aimed at enhancing privacy in reproductive health care. This rule is designed to reinforce the confidentiality between patients and their healthcare providers or plans, fostering trust and open communication.
HHS considered the changes urgent following the Supreme Court's decision in Dobbs v. Jackson Women's Health Organization, which significantly altered the legal and healthcare landscape with broad implications for reproductive health care. HHS voiced concern that the risk of PHI being disclosed for investigations or to impose liability could deter individuals from seeking lawful health care and discourage providers from offering it, harming access to and quality of care overall. It concluded that the changed environment required these additional privacy protections to preserve the balance between individual privacy and societal interests.
The final rule has three key components:
- A prohibition on specific uses and disclosures of PHI.
- A requirement to obtain a signed attestation for certain requests.
- Mandatory updates to notices of privacy practices.
These requirements apply directly to covered entities and business associates, so existing policies will need to be updated and current business associate agreements may need to be revised.
Purpose-Based Ban on PHI Use and Disclosure
The prohibition applies when both of the following are true:
- The PHI is requested in order to investigate or impose liability on someone simply for seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify a person involved in such activities, whether for civil, criminal, or administrative purposes. For example, if a patient obtains a lawful abortion in another state and returns to a state where it is illegal, the prohibition applies to the PHI held by both the out-of-state provider and the patient's local providers.
- The covered entity or business associate handling the PHI reasonably believes the reproductive health care was lawful under the circumstances in which it was provided.
The care is treated as lawful if:
- It was lawful under the law of the state in which it was provided, under the circumstances in which it was provided.
- It was protected, required, or authorised by federal law, regardless of state law.
When the reproductive health care was provided by someone other than the entity receiving the request, the entity may presume the care was lawful unless it has actual knowledge that it was not, or the requester supplies factual information demonstrating a substantial factual basis that it was not. Entities therefore do not need to investigate the legality of care provided by others: they are not expected to research state law, analyse the PHI, consult lawyers, or otherwise assess legality in these cases. Note that when the presumption holds and the prohibition does not apply, the Privacy Rule permits, but does not require, the disclosure; the entity's existing policies and the ordinary conditions of the applicable permission still govern whether it discloses.
Attestation Requirement
Before responding to a request for PHI potentially related to reproductive health care, an entity must obtain a signed attestation from the requester affirming that the PHI is not sought for a prohibited purpose. This applies to requests made under the Privacy Rule permissions for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners; it does not apply to requests from other covered entities or business associates.
Because it is often difficult to tell from a request alone whether the purpose is permitted or prohibited, the attestation must meet specific criteria: it must be written in plain language, signed by the requester, describe the PHI requested and the intended recipient, state that the PHI is not sought for a prohibited purpose, and put the requester on notice that knowingly obtaining or disclosing PHI in violation of HIPAA can carry criminal penalties. If any required element is missing, or the attestation is combined with additional elements or other documents, it is invalid and the entity may not rely on it. Disclosing PHI without a valid attestation where one is required is a Privacy Rule violation and can result in civil money penalties, so practitioners should treat the attestation check as a gating control in the release-of-information workflow rather than a formality.
Privacy Notice Updates
Covered entities, both health care providers and health plans, must update their notices of privacy practices to describe the reproductive health care privacy protections, including examples of prohibited uses and disclosures detailed enough for individuals to understand them. The same rulemaking also requires notice updates related to 42 CFR Part 2 (confidentiality of substance use disorder patient records). The extended compliance date for these updates reflects the time needed to revise, approve, and redistribute the notices. The Office for Civil Rights (OCR) routinely investigates improper PHI disclosures, and the new prohibition and attestation requirement will be enforced through that process. Finally, remember HIPAA's preemption provisions: a state law that would require a disclosure the rule prohibits is contrary to HIPAA and is preempted, while state laws that are more protective of reproductive health information remain in force.
2024-06-18 Reply
This rule will also help maintain and improve the patient-provider trust that will lead to improved health outcomes and protect patient privacy.