ARTICLE
30 December 2024

Client Alert: Compliance Date Approaches For HIPAA Reproductive Health Care Privacy Final Rule


As the December 23, 2024, compliance date approaches for the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule ("Final Rule"), below are three areas where HIPAA covered entities, including health centers and behavioral health care providers, should focus:

  1. Identify the protected health information (PHI) related to reproductive health care in your organization: The Final Rule requires covered entities and business associates ("HIPAA regulated entities") to obtain an attestation when they receive a request for PHI potentially related to reproductive health care when the care is lawful and when the request is for certain purposes (described below in more detail). The Final Rule defines reproductive health care as "health care...that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes" (45 C.F.R. 160.103). Covered entities should identify the PHI they consider to be related to reproductive health care. Such PHI might be identified by ICD-10 code (encounters for contraceptive management, general counseling and advice on contraception, etc.), by provider type (OBGYN) or by the type of visit (gender affirming care).
  2. Understand reproductive health care that is legal in your state and develop a procedure for tracking changes at the state and federal level: Under the Final Rule, HIPAA regulated entities are prohibited from using and disclosing PHI related to reproductive health care for investigations and imposing liability when the reproductive health care:
    • Is lawful under the law of the state in which the health care is provided;
    • Is protected, required or authorized by Federal law, including the U.S. Constitution; or
    • Was provided by another provider and fits within the presumption of lawfulness.

For multiple reasons, covered entities should provide clear guidance to staff on the types of reproductive health care that are legal in your state and on the federal level (for example, contraception) and designate a process for tracking changes and challenges to the lawfulness of such care. Changes may come through state and federal law and regulation, and challenges may come through lawsuits at the state and federal levels.

  3. Attestation requirement: HIPAA regulated entities are required to obtain an attestation when they receive a request for PHI potentially related to reproductive health care when the request is for the purposes of health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. To comply with this requirement, HIPAA regulated entities should develop an attestation form and procedure. Earlier this year, the Office for Civil Rights (OCR) released a model attestation. The procedure may be part of a separate policy and procedure or may be incorporated into current procedures on disclosures for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners.

In early December, OCR sent an email reminding HIPAA regulated entities about the compliance date for most provisions of the Final Rule. It is not yet clear whether the Final Rule will survive the current legal challenges (see State of Texas v. United States Department of Health and Human Services, et al.) or how it will be modified by the incoming Trump Administration. HIPAA regulated entities should stay tuned for updates from OCR via their webpage on HIPAA and Reproductive Health.

To support health centers in meeting their compliance requirements, the Confidentiality for Health Centers Toolkit has been updated to include the following:

  • New document:
    • Attestation for Use and Disclosure of PHI Potentially Related to Reproductive Health: Sample Policy and Procedure
  • Revised documents:
    • Disclosures about Victims of Abuse, Neglect or Domestic Violence: Sample Policy and Procedure
    • Uses and Disclosures for Health Oversight Activities: Sample Policy and Procedure
    • Disclosures for Judicial and Administrative Proceedings: Sample Policy and Procedure
    • Disclosures for Law Enforcement Purposes: Sample Policy and Procedure
    • Uses and Disclosures about Decedents: Sample Policy and Procedure
    • Designation and Authority of Personal Representatives: Sample Policy and Procedure
    • Contents of the Notice of Privacy Practices: Sample Policy and Procedure

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
