HIPAA Privacy Rules Amended to Require Protection of Reproductive Health Care Information
On April 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health & Human Services (“HHS”) issued a Final Rule amending the HIPAA Privacy Rule to protect the ability of individuals to receive reproductive health care when the care is provided lawfully under the circumstances without risk of an individual’s identity or health information being disclosed for purposes of state criminal, civil or administrative investigations (or for imposing liability related to lawfully providing or obtaining reproductive healthcare). Among other things, the Final Rule is intended to protect this information to combat state officials/regulators who, after the U.S. Supreme Court’s decision in Dobbs, pledged to pursue individuals who travel to another state to receive reproductive health care, such as an abortion or other contraceptive care, when that care is legal in the state where it is provided.
Summary of the Final Rule
The Final Rule prohibits the use or disclosure of protected health information (PHI) by group health plans, health care providers, or health care clearinghouses (collectively, “Covered Entities”) or their business associates to (1) conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided, or (2) identify any person for the purpose of conducting such investigation or imposing such liability, when the Covered Entity or business associate reasonably determines that one or more of the following exists:
- The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided (e.g., if a resident of one state travels to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care is provided);
- The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g., if use of the reproductive health care, such as contraception, is protected by the Constitution); or
- The reproductive health care is provided by a person other than the Covered Entity that receives the request for PHI, and the care is presumed to have been lawfully provided. The care is presumed to be lawfully provided unless the Covered Entity:
  - Has actual knowledge that reproductive health care was not lawfully provided under the circumstances in which it was provided (such as receiving care from an unlicensed provider); or
  - Receives factual information from the person making the request for the use or disclosure of PHI that evidences substantial factual bases that the reproductive health care provided was not lawfully provided under the circumstances in which it was provided (such as law enforcement providing evidence that care was provided by an unlicensed health care provider).
The Final Rule does not prohibit Covered Entities from using or disclosing PHI for purposes otherwise permitted under the Privacy Rule where the request for PHI is not made for purposes of investigating or imposing liability on any person for seeking, obtaining, providing, or facilitating reproductive health care. For example, a Covered Entity or business associate could still use or disclose the PHI if it is being used to defend a provider in a professional negligence or misconduct claim or in a health oversight audit.
Effective Date of the Final Rule
The Final Rule, which is effective on June 25, 2024, requires Covered Entities and their business associates to comply with these requirements by December 23, 2024. Moreover, an updated Notice of Privacy Practices will need to be provided to participants by February 16, 2026.
This means Covered Entities, including employers and sponsors of self-funded group health plans, will need to update their Notice of Privacy Practices by February 16, 2026 to address these new protections. Carriers of fully insured plans should be updating their Notices of Privacy Practices accordingly, though plan sponsors may wish to consult with their carriers to ensure they will be making these updates. HHS intends to publish updated model Notices of Privacy Practices in advance of the February 16, 2026 compliance date.
In addition, Covered Entities, including sponsors of self-funded group health plans, will need to update their HIPAA Privacy Policies and Procedures to reflect these changes no later than December 23, 2024. This includes updating the Privacy Policies and Procedures to ensure that the Covered Entity obtains a signed, written attestation from the requester for any request for use or disclosure of PHI potentially related to reproductive health care that is requested for health oversight, judicial or administrative proceedings, law enforcement purposes, or disclosures to coroners or medical examiners. HHS intends to publish model attestation language in advance of the December 23, 2024 compliance date.
Further, HIPAA staff should be made aware of these changes by December 23, 2024 and understand how to identify and respond to any requests that may potentially relate to reproductive health care. Finally, Covered Entities should review their Business Associate Agreements (“BAAs”) to ensure their BAAs compel business associates to comply with all aspects of the Privacy Rule, including these new requirements.