On April 26, 2024, the Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced a significant update to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. This new Final Rule, which took effect on June 25, 2024, aims to strengthen the privacy of reproductive health care information in response to the heightened concerns following the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization.
The Dobbs decision, which resulted in 21 states imposing abortion bans and other restrictions on reproductive freedom, sparked fears about the potential misuse of reproductive health information. In response, the OCR’s Final Rule introduces critical amendments to the HIPAA Privacy Rule, prohibiting covered entities and their business associates from using or disclosing protected health information (PHI) for criminal, civil, or administrative investigations related to lawful reproductive health care. Compliance with the Final Rule is required by December 22, 2024.
Key Provisions of the Final Rule
- Purpose-Based Prohibition
The new regulations specifically prohibit using or disclosing PHI for the purpose of conducting investigations or imposing liability on individuals seeking, obtaining, providing, or facilitating lawful reproductive health care. - Attestation Requirement
To ensure compliance, covered entities must obtain a valid attestation from anyone requesting reproductive health information, affirming that the use or disclosure is not for a prohibited purpose. This attestation must be clear, in plain language, and separate from other documents. - Updating the Notice of Privacy Practices (NPP)
HIPAA-covered entities are required to revise their NPPs to incorporate detailed descriptions of the new protections, including examples of prohibited uses and disclosures, and information about the attestation requirement. - Compliance and Enforcement
The Final Rule mandates compliance by December 22, 2024, with specific provisions for updating NPPs requiring compliance by February 16, 2026. Entities failing to adhere to these new requirements may face severe civil and criminal penalties. - Preparing for Implementation
Healthcare providers, health plans, and business associates can begin preparing for these changes by updating their policies, training staff, and ensuring all requests for reproductive health information are carefully reviewed for compliance. The OCR has committed to providing additional resources to assist entities in this transition.
Conclusion
The OCR’s Final Rule represents a significant step in safeguarding the privacy of reproductive health information. By preventing the misuse of PHI in investigations and legal proceedings related to lawful reproductive health care, these new regulations aim to foster trust between patients and healthcare providers and ensure continued access to essential health services.
If you have questions about the OCR’s Final Rule or would like assistance handling the complex regulatory landscape surrounding healthcare data privacy and security, please contact Holly Little at hlittle@outsidegc.com.
Holly Little is a seasoned healthcare and life sciences attorney, handling a wide range of contracts, reimbursement issues, healthcare management, and HIPAA compliance issues. She has significant experience working with healthcare providers, insurance companies, and health tech firms to ensure their practices adhere to HIPAA regulations, including conducting risk assessments, developing compliance programs, and responding to data breaches.