As the December 23, 2024, compliance date approaches for the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule ("Final Rule"), below are three areas where HIPAA covered entities, including health centers and behavioral health care providers, should focus:
- Identify the protected health information (PHI) related to reproductive health care in your organization: The Final Rule requires covered entities and business associates ("HIPAA regulated entities") to obtain an attestation when they receive a request for PHI potentially related to reproductive health care when the care is lawful and when the request is for certain purposes (described below in more detail). The Final Rule defines reproductive health care as "health care...that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes" (45 C.F.R. 160.103). Covered entities should identify the PHI they consider to be related to reproductive health care. Such PHI might be identified by ICD-10 code (encounters for contraceptive management, general counseling and advice on contraception, etc.), by provider type (OBGYN) or by the type of visit (gender affirming care).
- Understand reproductive health care that is legal in your state and develop a procedure for tracking changes at the state and federal level: Under the Final Rule, HIPAA regulated entities are prohibited from using and disclosing PHI related to reproductive health care for investigations and imposing liability when the reproductive health care:
  - Is lawful under the law of the state in which the health care is provided;
  - Is protected, required or authorized by Federal law, including the U.S. Constitution; or
  - Was provided by another provider and fits within the presumption of lawfulness.
For multiple reasons, covered entities should provide clear guidance to staff on the types of reproductive health care that are legal in your state and on the federal level (for example, contraception) and designate a process for tracking changes and challenges to the lawfulness of such care. Changes may come through state and federal law and regulation, and challenges may come through lawsuits at the state and federal levels.
- Attestation requirement: HIPAA regulated entities are required to obtain an attestation when they receive a request for PHI potentially related to reproductive health care when the request is for the purposes of health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. To comply with this requirement, HIPAA regulated entities should develop an attestation form and procedure. Earlier this year, the Office for Civil Rights (OCR) released a model attestation. The procedure may be part of a separate policy and procedure or may be incorporated into current procedures on disclosures for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners.
In early December, OCR sent an email reminding HIPAA regulated entities about the compliance date for most provisions of the Final Rule. It is not yet clear whether the Final Rule will survive the current legal challenges (see State of Texas v. United States Department of Health and Human Services, et al.) or how it will be modified by the incoming Trump Administration. HIPAA regulated entities should stay tuned for updates from OCR via their webpage on HIPAA and Reproductive Health.
To support health centers in meeting their compliance requirements, the Confidentiality for Health Centers Toolkit has been updated to include the following:
- New document:
  - Attestation for Use and Disclosure of PHI Potentially Related to Reproductive Health: Sample Policy and Procedure
- Revised documents:
  - Disclosures about Victims of Abuse, Neglect or Domestic Violence: Sample Policy and Procedure
  - Uses and Disclosures for Health Oversight Activities: Sample Policy and Procedure
  - Disclosures for Judicial and Administrative Proceedings: Sample Policy and Procedure
  - Disclosures for Law Enforcement Purposes: Sample Policy and Procedure
  - Uses and Disclosures about Decedents: Sample Policy and Procedure
  - Designation and Authority of Personal Representatives: Sample Policy and Procedure
  - Contents of the Notice of Privacy Practices: Sample Policy and Procedure