On April 22, 2024, the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a final rule to support reproductive health care privacy (the “Reproductive Rule”). According to the HHS OCR press release, the Reproductive Rule, “is one of many actions taken by HHS to protect access to and privacy of reproductive health care after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization that has led to extreme state abortion bans and other restrictions on reproductive freedom in 21 states.”
What You Need to Know:
- HHS OCR final rule brings federal uniformity to address patchwork of different state laws.
- Health care providers will need to take steps to ensure compliance prior to the effective date of the final rule.
- Reproductive health care issues remain a legal, policy and political issue and health care providers are at the intersection.
HHS noted the Reproductive Rule strengthens HIPAA privacy protections. Once the Reproductive Rule goes into effect, it will prohibit the use or disclosure of protected health information (PHI) by a covered health care provider, health plan, or health care clearinghouse – or their business associate – for either of these two (2) activities:
- to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or
- the identification of any person for the purpose of conducting such investigation or imposing such liability.
The preamble to the Reproductive Rule frames the necessity of the issue as one of trust between individuals and their health care providers. The preamble noted, “The goal of a functioning health care system is to provide high-quality health care that results in the best possible outcomes for individuals. To achieve that goal, a functioning health care system depends in part on individuals trusting health care providers.”
The Reproductive Rule includes a new defined term, reproductive health care. Importantly, the Reproductive Rule presumes that the reproductive health care was lawfully provided with certain limited exceptions.
Action items for HIPAA-covered entities and business associates to ensure compliance with the Reproductive Rule include:
- a new attestation process;
- update to notice of privacy practices (“NPP”); and
- staff training to ensure compliant conduct.
When a covered entity and/or a business associate receives a request for reproductive health care information, the party must obtain a signed attestation from the requestor that the intended use or disclosure of the information is not for a ‘prohibited purpose’. The attestation applies when the PHI request is for: law enforcement purposes; judicial and administrative proceedings; health oversight activities; or, disclosures to coroners and medical examiners. The Reproductive Rule includes required elements for a valid attestation. HHS stated it will provide a template attestation form prior to the effective date of the Reproductive Rule. Importantly, a person that falsifies an attestation to obtain an individual’s reproductive health care information could face criminal penalties.
Each covered entity must update its NPP to support its reproductive health care policy. This includes a requirement that the NPP address the confidentiality requirements for so-called Part 2 records.
Finally, covered entities and business associates will need to update their HIPAA policies and procedures and provide staff training to ensure compliance with the elements of the Reproductive Rule.
The Supreme Court’s Dobbs decision continues to have ramifications for health care providers. From a public policy perspective, HHS OCR noted: “Health care providers base their treatment recommendations on PHI contained within existing medical records, as well as information shared with them directly by the individual. Thus, where individuals withhold information from their health care providers about lawful health care, health care providers may not be in possession of all of the necessary information to make an informed recommendation for an appropriate treatment plan, which may result in negative health outcomes at both the individual and population level.”
HIPAA-covered entities and business associates should start preparing in advance of the effective date of the Reproductive Rule, which is 240 days following its publication in the Federal Register. The authors and members of the Saul Ewing healthcare industry group regularly assist covered entities and business associates with HIPAA compliance issues and breach investigations.
