At the end of April, the U.S. Department of Health & Human Services (HHS), through the Office for Civil Rights (OCR), issued a Final Rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support reproductive health care privacy.[1] This is one of many actions taken by HHS in response to the Supreme Court’s decision in Dobbs. This update comes at a critical time when reproductive rights are under intense scrutiny and varying state laws create a complex landscape for patients and providers.
Prohibited Disclosures
The Final Rule introduces increased protections for reproductive health information of patients, particularly focusing on the following areas:
- Prohibiting Disclosures: The rule prohibits the use or disclosure of protected health information (PHI) by covered entities for investigations or actions related to the lawful provision or receipt of reproductive health care.
- Supporting Federal Law: It ensures that reproductive health care that is lawful under state law or protected by federal law, including the U.S. Constitution, is not subject to unauthorized disclosures.
- Enhancing Patient-Provider Trust: By safeguarding privacy, the rule aims to maintain and improve the trust between patients and providers, which is essential for high-quality health care.
The Final Rule strengthens protections that prohibit the use or disclosure of PHI by a covered health care provider, health plan, or health care clearing house (or their business associate) for either of the following inquiries:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or
- The identification of any person for the purpose of conducting such investigation or imposing such liability.
Attestations and Notice of Privacy Practices
The Final Rule requires that the covered health care provider obtain a signed attestation from the entity or person seeking such PHI that states that the use of disclosure is not for a prohibited purpose. The attestation serves the purpose of, to some degree, protecting the provider or health care entity, as well as putting the requestor on notice of potential criminal penalties if the acquired PHI is used for a prohibited purpose.
The Final Rule also requires that providers and entities revise their Notice of Privacy Practices to support reproductive health care privacy.
Implications for Health Care Providers and Patients
While patients seeking such care can feel more at ease that their privacy is being protected, the Final Rule creates a new burden on the health care providers, who must now navigate these new regulations and ensure compliance while continuing to offer essential services.
The Final Rule becomes effective on June 25, 2024.[2]
The Sandberg Phoenix Health Care Regulatory & Compliance Team regularly consults on contract, security, privacy, licensure and risk management matters.
[1] https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html
[2] https://www.federalregister.gov/documents/2024/04/26/2024-08503/hipaa-privacy-rule-to-support-reproductive-health-care-privacy