What Are the Changes?

On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) issued a final rule (the “Final Rule”) along with guidance updating the Health Insurance Portability and Accountability Act (“HIPAA”) regulations at 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”). The Final Rule prohibits the use or disclosure of protected health information (“PHI”) for the purpose of (1) conducting criminal, civil, or administrative investigations into, or (2) imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is legal when provided. The Final Rule also prohibits the use or disclosure of PHI in order to (3) identify any person for any of those purposes (the “Prohibition”).[1]

Even if the use or disclosure of PHI would not violate the Prohibition, the Final Rule also imposes a new documentation requirement if the PHI is to be used or disclosed to a third party for health care oversight activities, judicial and administrative proceedings, law enforcement purposes, or to coroners and medical examiners. In these circumstances, the disclosing entity must obtain a valid attestation from the third party that the PHI will not be used or disclosed in violation of the Prohibition (a “Valid Attestation”).[2]

What is the Scope of the Prohibition?

The Prohibition applies only where the relevant activity (i.e., one of the purposes for disclosure discussed above) is in connection with seeking, obtaining, providing, or facilitating reproductive health care that is legal under the circumstances in which it was provided.[3] HHS defines reproductive health care broadly to mean health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. Covered entities and business associates should presume that the reproductive health care was lawful unless they (1) have actual knowledge or (2) are supplied factual information by the person requesting the PHI that the reproductive health care was not lawful under the circumstances.[4]

What Do Covered Entities and Business Associates Need to Do?

Both covered entities and business associates must assess requests for PHI to determine if the request would violate the Prohibition and if not, whether a Valid Attestation from the requester is required. Covered entities must also notify patients of both the Prohibition and Valid Attestation requirements in their Notice of Privacy Practices (“NPP”).[5]

When is the Final Rule Effective?

The Final Rule is effective beginning June 25, 2024.[6]

Does the Final Rule Include Other New Requirements?

Yes, the Final Rule also changes the content requirements of the NPP and the handling of PHI subject to 42 C.F.R. Part 2 regarding the confidentiality of substance use disorder patient records.

To learn more about recent changes to 42 C.F.R. Part 2, please see our recent article here and check out our Healthcare Law Insights and Byte Back blogs. For more information or assistance with complying with these new HIPAA Final Rule requirements, please contact Taylor Crossley, Ashton Harris, Noreen Vergara, or your trusted Husch Blackwell health care regulatory counsel.


[1] 45 C.F.R. § 164.502(a)(5)(iii).

[2] 45 C.F.R. § 164.509.

[3] 45 C.F.R. § 164.502(a)(5)(iii)(A).

[4] 45 C.F.R. § 164.502(a)(5)(iii)(C).

[5] 45 C.F.R. §§ 164.520(b)(1)(ii)(F) & (G).

[6] 89 FR 32976.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Taylor Crossley Taylor Crossley

Taylor focuses on healthcare regulatory matters. At Husch Blackwell, she focuses on matters such as healthcare privacy, confidentiality, and mental health law (including 42 C.F.R. Part 2, the Mental Health Parity and Addiction Equity Act, the SUPPORT for Patients & Communities Act, and

Taylor focuses on healthcare regulatory matters. At Husch Blackwell, she focuses on matters such as healthcare privacy, confidentiality, and mental health law (including 42 C.F.R. Part 2, the Mental Health Parity and Addiction Equity Act, the SUPPORT for Patients & Communities Act, and emerging therapy). She also assists with issues relating to healthcare quality, including adverse event reporting, licensure and certification questions, and the Health Care Quality Improvement Act.

Photo of Ashton Harris Ashton Harris

Ashton provides regulatory counsel to healthcare providers and industry partners, helping them navigate complex and frequently-changing rules.

Photo of Noreen Vergara Noreen Vergara

As a Healthcare Regulatory Attorney and former executive, Noreen is a transparent communicator and innovative problem solver with a deep background in operations and risk management.

Noreen’s career in healthcare operations, healthcare compliance and executive leadership began as a behavioral health admissions representative

As a Healthcare Regulatory Attorney and former executive, Noreen is a transparent communicator and innovative problem solver with a deep background in operations and risk management.

Noreen’s career in healthcare operations, healthcare compliance and executive leadership began as a behavioral health admissions representative – she understands the day-to-day regulatory hurdles facing healthcare clients. Most recently, Noreen served as Acting CEO, General Counsel and Chief Human Resources Executive for a national managed behavioral health venture with employees across 50 states. In this position, Noreen leveraged her experience in strategic planning, corporate governance, complex contracts, employment law and compliance. Noreen navigated tough decisions including guiding 500 percent growth over 6 years, moving online quickly during COVID-19 and helping secure the largest contract in company history. Earlier in her career, Noreen collaborated in-house at the National Association of Insurance Commissioners (NAIC), where oversight, peer review, best practices and standards are established by state regulators.