Q4 Considerations: New HIPAA Privacy Considerations

Earlier this year, the Department of Health and Human Services (HHS) issued a Final Rule titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The HHS guidance  directs HIPAA-covered entities, such as an employer sponsored health plan or its business associate, that if they receive a request for protected health information (PHI) that is  potentially related to reproductive healthcare, it must obtain a signed attestation from the requesting party that clearly states that the requested use or disclosure of PHI is not for any of the following prohibited purposes: 

1. To conduct a criminal, civil or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating lawful reproductive healthcare;

2. To impose criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating lawful reproductive healthcare; 

3. To identify any person for any purpose described in 1 or 2.

Plan sponsors and their health plans also need to revise their Notice of Privacy Practices (NPP) provided to plan participants to make sure the NPP supports reproductive healthcare privacy, in addition to updating their Business Associate Agreements (BAAs) to reflect these new protections. Read more about the new rules here: https://aleragroup.com/insights/legal-alert-hipaa-privacy-rules-amended-require-protection-reproductive-healthcare.