Legal Alert: HIPAA Privacy Rules Amended to Require Protection of Reproductive Healthcare Information

May 15, 2024

Legal Alert: HIPAA Privacy Rules Amended to Require Protection of Reproductive Healthcare Information

On April 26, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (“HHS”) issued a Final Rule amending the HIPAA Privacy Rule to protect the ability of individuals to receive reproductive healthcare when the care is provided lawfully under the circumstances without risk of an individual’s identity or health information being disclosed for purposes of state criminal, civil or administrative investigations (or for imposing liability related to lawfully providing or obtaining reproductive healthcare). Among other things, the Final Rule is intended to protect this information to combat state officials/regulators who, after the U.S. Supreme Court’s decision in Dobbs, pledged to pursue individuals who travel to another state to receive reproductive healthcare, such as an abortion or other contraceptive care, when that care is legal in the state where it is provided. 

 

Summary of the Final Rule

The Final Rule prohibits the use or disclosure of protected health information (PHI) by group health plans, healthcare providers, or healthcare clearinghouses (collectively, “Covered Entities”) or their business associates to, (1) conduct a criminal, civil or administrative investigation into or impose criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating reproductive healthcare, where such healthcare is lawful under the circumstances in which it is provided, or (2) identify any person for the purpose of conducting such investigation or imposing such liability, when the Covered Entity or business associate reasonably determines that one or more of the following exists:

  • The reproductive healthcare is lawful under the law of the state in which such healthcare is provided under the circumstances in which it is provided (e.g., if a resident of one state travels to another state to receive reproductive healthcare, such as an abortion, that is lawful in the state where such healthcare is provided);
  • The reproductive healthcare is protected, required or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such healthcare is provided (e.g., if use of the reproductive healthcare, such as contraception, is protected by the Constitution); or
  • The reproductive healthcare is provided by a person other than the Covered Entity that receives the request for PHI and is presumed to have been legally provided care. The care is presumed to be lawfully provided unless the Covered Entity:
    • Has actual knowledge that reproductive healthcare was not lawfully provided under the circumstances in which it was provided (such as receiving care from an unlicensed provider); or
    • Receives factual information from the person making the request for the use or disclosure of PHI that evidences substantial factual bases that the reproductive healthcare provided was not lawfully provided under the circumstances in which it was provided (such as law enforcement providing evidence that care was provided by an unlicensed healthcare provider).

The Final Rule does not prohibit Covered Entities from using or disclosing PHI for purposes otherwise permitted under the Privacy Rule where the request for PHI is not made for purposes of investigating or imposing liability on any person for seeking, obtaining, providing or facilitating reproductive healthcare. For example, a Covered Entity or business associate could still use or disclose the PHI if it is being used to defend a provider in a professional negligence or misconduct claim or in a health oversight audit.


Effective Date of the Final Rule
The Final Rule, which is effective on June 25, 2024, requires Covered Entities and their business associates to comply with these requirements by December 23, 2024. Moreover, an updated Notice of Privacy Practices will need to be provided to participants by February 16, 2026. 


This means that Covered Entities, including employers and sponsors of self-funded group health plans, will need to update their Notice of Privacy Practices by February 16, 2026 to address these new protections. Carriers of fully insured plans should be updating their Notices of Privacy Practices accordingly, though plan sponsors may wish to consult with their carriers to ensure they will be making these updates. HHS intends to publish updated model Notices of Privacy Practices in advance of the February 16, 2026 compliance date. 


In addition, covered entities, including sponsors of self-funded group health plans, will need to update their HIPAA Privacy Policies and Procedures to reflect these changes no later than December 23, 2024, which includes updating the Privacy Policies and Procedures to ensure that the Covered Entity obtains a signed, written attestation from the requester related to any request for use or disclosure of PHI potentially related to reproductive healthcare requested for health oversight, judicial or administrative proceedings, law enforcement purposes or disclosures to coroners or medical examiners. HHS intends to publish model attestation language in advance of the December 23, 2024 compliance date. Further, HIPAA staff should be made aware of these changes by December 23, 2024 and understand how to identify and respond to any requests that may potentially relate to reproductive healthcare.

 

Finally, Covered Entities should review their Business Associate Agreements (“BAAs”) to ensure their BAAs compel business associates to comply with all aspects of the Privacy Rule, including these new requirements. 
 

-----------------------------------------------------------------------------------------------------------------------

About the Author. This alert was prepared for Alera Group, Inc. by Barrow Weatherhead Lent LLP, a national law firm with recognized experts on the Affordable Care Act. Contact Stacy Barrow or Nicole Quinn-Gato at sbarrow@marbarlaw.com or nquinngato@marbarlaw.com.

 

The information provided in this alert is not, is not intended to be, and shall not be construed to be, either the provision of legal advice or an offer to provide legal services, nor does it necessarily reflect the opinions of the agency, our lawyers, or our clients. This is not legal advice. No client-lawyer relationship between you and our lawyers is or may be created by your use of this information. Rather, the content is intended as a general overview of the subject matter covered. This agency and Barrow Weatherhead Lent LLP are not obligated to provide updates on the information presented herein. Those reading this alert are encouraged to seek direct counsel on legal questions. 

© 2024 Barrow Weatherhead Lent LLP. All Rights Reserved.