We are saddened to share news of the passing of our co-founder Gerald (Jerry) Caplan.…
HHS modifies HIPAA effective June 2024 to support Reproductive Health Care Privacy
Effective June 25, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights modified the HIPAA Privacy Rule to support and enhance reproductive health care privacy. Covered entities and their contracted business associates who are subject to HIPAA must comply with most aspects of this update to the Privacy Rule no later than December 23, 2024. Further, regulated entities must comply with additional required changes to their Notice of Privacy Practices by February 16, 2026.
HIPAA Privacy Rule Modifications: Protected Health Information
The new Privacy Rule modification strengthens HIPAA privacy protections by prohibiting the use and disclosure of protected health information (PHI) for non-health care purposes in certain circumstances related to reproductive health care. Specifically, the Final Rule makes three major changes to HIPAA requirements.
First, the new Rule prohibits covered entities and business associates from using or disclosing PHI when such information is sought to investigate or impose civil or criminal liability on health care providers, individuals, or others who seek, obtain, provide, or facilitate lawful reproductive health care, and further prohibits identifying persons for the purpose of conducting such investigations or imposing such liability.
Second, the new Rule requires covered entities (and business associates) in certain circumstances, when they receive requests for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. The requirement to first obtain a signed attestation before disclosing applies when the request is for PHI for any of the following: (a) health oversight activities, (b) judicial and administrative proceedings, (c) law enforcement purposes, and (d) disclosures to coroners and medical examiners.
Third, the new Rule requires covered entities by February 16, 2026, to revise their Notice of Privacy Practices to support reproductive health care privacy (for instance noting that the covered entity must obtain an attestation from a person requesting PHI that the request is not for a prohibited purpose). Additionally, to align with the 2022 Part 2 Notice of Proposed Rule Making, the new Rule requires revisions to Notice of Privacy Practices for covered entities that create, receive, or maintain “Part 2” (42 U.S.C. 290dd-2) substance use disorder (SUD) records.
Protected Health Information Disclosure Prohibitions: Reproductive Health Care
As noted above, the modification to the HIPAA Privacy Rule makes it unlawful for a covered entity or business associate to use or disclose PHI when it is sought to investigate or impose liability on persons engaging in lawful reproductive medicine. This prohibition applies when regulated entities have reasonably determined one of the following conditions is present: (a) the reproductive health care is lawful in the state in which the care is being provided and under the circumstances in which it is being provided, (b) the reproductive health care is required, protected, or authorized by federal law, and/or (c) the reproductive health care was actually performed by a person other than the regulated entity receiving the request for PHI, in which case there is a presumption the reproductive health care was lawful unless the regulated entity has actual knowledge that the health care was unlawful or the person making the PHI request provides substantial factual basis proving the health care was unlawful. Regulated entities may still use or disclose PHI for purposes otherwise permitted by the Privacy Rule, even if that PHI relates to reproductive health care. The Department of Health and Human Services has published information and guidance about the Privacy Rule modification on its website.
Key deadlines to note:
- Compliance with most aspects of the new rule is required by December 23, 2024.
- Updates to your Notice of Privacy Practices must be completed by February 16, 2026.
Our health law attorneys closely follow developments in privacy and data security laws and are available to assist and advise health care entities and professionals with implementation and compliance with HIPAA and the changes to the Privacy Rule.