On April 26, 2024, the U.S. Department of Health and Human Services (HHS) issued a Final Rule updating certain Health Insurance Portability and Accountability Act (HIPAA) privacy rules with respect to the disclosure of protected health information (PHI) related to reproductive health care. Essentially, the Final Rule prohibits a covered entity from using or disclosing PHI to conduct criminal, civil or administrative investigations, or to impose corresponding liability on a person seeking or providing lawful reproductive health care.
Reproductive health care is broadly defined as “health care that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.” The preamble provides a non-exhaustive list of examples, including contraception, fertility and infertility treatments, and pregnancy-related care.
This restriction is purpose based, meaning it doesn’t prohibit the use and disclosure of this type of PHI for all purposes, but instead prohibits uses and disclosures for the limited purposes of identifying an individual for criminal or civil liability or administrative investigation. Covered entities can still use and disclose this information for other permitted purposes, subject to the general HIPAA Privacy Rule requirements.
The Final Rule requires that covered entities collect a written attestation from requesters of PHI that is “potentially related” to reproductive health care to explicitly confirm such use or disclosure is not for the prohibited purposes outlined in this Final Rule, when the requested information is for:
- Health oversight activities.
- Judicial and administrative proceedings.
- Law enforcement purposes.
- Disclosures to coroners and medical examiners.
However, as noted in the preamble, covered entities cannot entirely rely on such attestation, and must also make an independent determination that the PHI will not be used for these prohibited purposes. Model attestation language can be found here.
The Final Rule also describes new HIPAA notice requirements that include a description and at least one example of the types of uses and disclosures of reproductive health care PHI that are prohibited, and a description and at least one example of the types of uses and disclosures of such PHI that would require an attestation.
The new restrictions imposed by the Final Rule become effective on December 23, 2024 (and February 16, 2026, for the accompanying new HIPAA notice requirements).
In light of the Final Rule, plan sponsors will want to renew and update their HIPAA policies and procedures, privacy notices, training materials, etc. Plan sponsors also will want to review all business associate agreements (BAAs) currently in place with business associates to evaluate whether additional terms are needed related to compliance with the Final Rule. A Faegre Drinker attorney can assist with this review.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.