What Are the Changes?
On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) issued a final rule (the “Final Rule”) along with guidance updating the Health Insurance Portability and Accountability Act (“HIPAA”) regulations at 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”). The Final Rule prohibits the use or disclosure of protected health information (“PHI”) for the purpose of (1) conducting criminal, civil, or administrative investigations into, or (2) imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is legal when provided. The Final Rule also prohibits the use or disclosure of PHI in order to (3) identify any person for any of those purposes (the “Prohibition”).[1]
Even if the use or disclosure of PHI would not violate the Prohibition, the Final Rule also imposes a new documentation requirement if the PHI is to be used or disclosed to a third party for health care oversight activities, judicial and administrative proceedings, law enforcement purposes, or to coroners and medical examiners. In these circumstances, the disclosing entity must obtain a valid attestation from the third party that the PHI will not be used or disclosed in violation of the Prohibition (a “Valid Attestation”).[2]
What is the Scope of the Prohibition?
The Prohibition applies only where the relevant activity (i.e., one of the purposes for disclosure discussed above) is in connection with seeking, obtaining, providing, or facilitating reproductive health care that is legal under the circumstances in which it was provided.[3] HHS defines reproductive health care broadly to mean health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. Covered entities and business associates should presume that the reproductive health care was lawful unless they (1) have actual knowledge or (2) are supplied factual information by the person requesting the PHI that the reproductive health care was not lawful under the circumstances.[4]
What Do Covered Entities and Business Associates Need to Do?
Both covered entities and business associates must assess requests for PHI to determine if the request would violate the Prohibition and if not, whether a Valid Attestation from the requester is required. Covered entities must also notify patients of both the Prohibition and Valid Attestation requirements in their Notice of Privacy Practices (“NPP”).[5]
When is the Final Rule Effective?
The Final Rule is effective beginning June 25, 2024.[6]
Does the Final Rule Include Other New Requirements?
Yes, the Final Rule also changes the content requirements of the NPP and the handling of PHI subject to 42 C.F.R. Part 2 regarding the confidentiality of substance use disorder patient records.
To learn more about recent changes to 42 C.F.R. Part 2, please see our recent article here and check out our Healthcare Law Insights and Byte Back blogs. For more information or assistance with complying with these new HIPAA Final Rule requirements, please contact Taylor Crossley, Ashton Harris, Noreen Vergara, or your trusted Husch Blackwell health care regulatory counsel.
[1] 45 C.F.R. § 164.502(a)(5)(iii).
[3] 45 C.F.R. § 164.502(a)(5)(iii)(A).
[4] 45 C.F.R. § 164.502(a)(5)(iii)(C).