HIPAA Rule Strengthening the Privacy of Reproductive Health Care Services Takes Effect December 23rd

On April 22, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights announced its final rule entitled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Reproductive Health Care Privacy Rule” or “the Rule”). The Rule goes into effect on December 23, 2024.

The following is a summary of the Reproductive Health Care Privacy Rule as it relates to strengthening privacy protections for reproductive health services (including abortion):

• Covered health care providers, health plans and health care clearinghouses (“Covered Entities”) and their Business Associates are prohibited from disclosure of protected health information (“PHI”) for either: (i) conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or (ii) the identification of any person for the purpose of conducting such investigation or imposing such liability.
• The prohibition on disclosure applies where the Covered Entity or Business Associate has reasonably determined that one or more of the following conditions exist: (i) the reproductive health care is legal in the state where it is provided; (ii) the reproductive health care is protected or authorized by Federal law, the U.S. Constitution regardless of the state law in which the health care is provided; or (iii) the reproductive health care was provided by a person other than the Covered Entity and the Covered Entity has no knowledge that the reproductive health care was unlawful (e.g., it would be unlawful for a service to be provided by an unlicensed person).
• Covered Entities and Business Associates, when receiving a request for PHI related to reproductive health care, must obtain a signed attestation that the use or disclosure is not for one of the prohibited purposes described above. The attestation requirement applies when the request is for:
  
  • Health oversight activities;
  • Judicial and administrative proceedings;
  • Law enforcement purposes;
  • Disclosures to coroners or medical examiners.

The attestation puts the requestor on notice of the potential criminal penalties. A model attestation can be found at https://www.hhs.gov/sites/default/files/model-attestation.pdf.

Covered Entities must revise their Notice of Privacy Practices (“NPP”) to address the privacy protections for reproductive health care services. Please also note that providers who create or maintain Substance Use Disorder treatment records subject to 42 C.F.R. Part 2 are also required to revise their NPPs to align their privacy practices with HIPAA under the Part 2 Final Rule published earlier this year.

Disclosures to law enforcement as currently set forth in HIPAA have not changed. However, such disclosures are permissive and not mandated. Consequently, such disclosures to law enforcement where the individual is suspected of having obtained reproductive health care services are only permitted when all three of the following conditions are met:

• The disclosure is not subject to the prohibition discussed herein;
• The disclosure is required by law; and
• The disclosure meets all applicable conditions of HIPAA.

If a Covered Entity is making a disclosure required by law, the law must compel the Covered Entity to make a disclosure. For example, when law enforcement has a court order requiring the Covered Entity to produce PHI regarding reproductive health care services, HIPAA permits - but does not require - the Covered Entity to disclose PHI. However, if the Covered Entity does disclose PHI, it must be limited to what is expressly authorized by the court order.

While the Reproductive Health Care Privacy Rule permits Covered Entities to disclose PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, Covered Entities should proceed with caution. According to the American Medical Association and American College of Obstetricians and Gynecologists, it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.Ultimately, the issue of disclosure will require a factual and legal analysis and for that reason, consultation with counsel is recommended.

If you believe that someone’s health privacy rights have been violated, you can file a complaint in the OCR complaint portal at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.