New HIPAA Final Rule Supporting Reproductive Health Care Privacy Also Requires Amending Notices of Privacy Practices

By: Margaret Young Levi

On April 22, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a Final Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This Final Rule not only bolsters the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA) by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances, but also requires HIPAA covered entities (health care providers, health plans, and health care clearinghouses) to amend their Notices of Privacy Practices (NPPs).

HIPAA and Reproductive Health Care Privacy

HHS is issuing this Final Rule because of concerns that officials in states with more extreme abortion bans, like Kentucky, will seek medical records from states where abortion is legal (or even from their own states) in order to prosecute individuals who cross state lines to seek an abortion. To prevent those medical records from being used against people for providing or obtaining lawful reproductive health care, the Final Rule prohibits the use or disclosure of PHI by a covered entity—or its business associate—for the following activities:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;
  • To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or
  • To identify any person for the purpose of conducting such an investigation or imposing such liability.

The covered entity or business associate must reasonably determine the reproductive health care is lawful under the law of the state in which such health care is provided or otherwise protected by federal law. In certain circumstances, covered entities and business associates may presume that the care provided was lawful.

Covered entities and business associates must obtain a valid attestation before processing a request for PHI potentially related to reproductive health care that will be used for health oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners. This valid attestation must be written in plain language and contain, among other things, the name of the person requesting the information, an attestation that the use or disclosure is not for a prohibited purpose, and a statement putting the requestor on notice that they may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if they knowingly and in violation of HIPAA obtain or disclose individually identifiable health information. Fortunately, OCR intends to publish model attestation language before the compliance date, which will aid covered entities in adopting the new form.

In a Fact Sheet accompanying the Final Rule, HHS reminds covered entities (and business associates) that HIPAA permits, but does not require, certain disclosures to law enforcement and then only when all conditions are met. Referring to previous OCR guidance, HHS explains that covered entities (and business associates) are “only permitted to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care (lawful or otherwise) if the covered entity or business associate is required by law to do so and all applicable conditions are met.” Under this Final Rule, HHS cautions that a disclosure to law enforcement is only permitted where all three of the following conditions are met:

  • The disclosure is not subject to the prohibition,
  • The disclosure is required (not simply permitted) by law, and
  • The disclosure meets all applicable conditions of the HIPAA exception for permission to use or disclose PHI as required by law set forth in 45 CFR 164.512(a).

In light of these changes in the Final Rule, covered entities and business associates will need to adopt an Attestation form, revise policies and procedures relating to the disclosure of PHI to address these new restrictions on disclosures of PHI containing information about reproductive health care, and consider appropriate revisions to their Business Associate Agreements. Affected members of the workforce will also need to be trained in these new procedures.

The Notice of Privacy Practices (NPP) will need to be amended

Covered entities will also need to revise their NPPs pursuant to the Final Rule’s modification of 45 C.F.R. 164.520. This modification will require covered entities to amend their NPPs not only as to reproductive health care privacy but also to address the confidentiality of substance use disorder (SUD) patient records, as required by the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020.

Reproductive Health Care Records. Per the Final Rule, covered entities must provide individuals with additional information about how their PHI may or may not be disclosed for purposes related to reproductive health care. Specifically, covered entities must modify their NPPs to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under the Final Rule, including at least one example of the types of uses and disclosures prohibited under new 45 CFR 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition. The NPP must also contain a description, including at least one example of the types of uses and disclosures for which an attestation is required under new 45 CFR 164.509.

The NPP must include a statement to place the individual on adequate notice of the potential for information disclosed pursuant to HIPAA to be subject to redisclosure by the recipient and no longer protected by HIPAA. This change will afford transparency and assist covered entities in explaining the limitations of HIPAA to individuals.

Part 2 Substance Use Disorder Records. The Final Rule also includes changes to align NPP requirements for HIPAA covered entities with similar requirements for programs that provide SUD treatment under 42 U.S.C. 290dd-2 (Part 2). Currently, Part 2 programs must provide a written confidentiality notice to patients (the Patient Notice), while covered entities must provide individuals with their NPP. HHS has now revised both sets of confidentiality requirements to allow a combined Patient Notice and NPP. On February 16, 2024, HHS released a final rule entitled Confidentiality of Substance Use Disorder (SUD) Patient Records (the “2024 Part 2 Rule”), finalizing confidentiality requirements for SUD patient records under Part 2 consistent with the CARES Act and aligning the requirements for the Patient Notice as closely as possible with the NPP requirements. This Final Rule now similarly amends the NPP requirements, allowing covered entities to combine the Patient Notice and NPP. They may continue to provide separate documents if desired.

The Final Rule requires covered entities that create or maintain PHI that is also a record of SUD treatment provided by a Part 2 program (i.e., covered entities that are Part 2 programs and covered entities that receive Part 2 records from a Part 2 program) to provide notice to individuals of the ways in which those covered entities may use and disclose such records, and of the individual’s rights and the covered entities’ responsibilities with respect to such records. A covered entity that receives or maintains records subject to Part 2 must supply an NPP written in plain language and containing the required elements.

Consistent with the CARES Act, the NPP’s description of uses or disclosures permitted for treatment, payment, and operations (TPO) or without an authorization must reflect “other applicable law” that is more stringent than HIPAA, and that description must be sufficient to place an individual on notice of the uses and disclosures that are permitted or required by HIPAA and other applicable law. The Final Rule specifies that Part 2 is included in the “other applicable law” for purposes of that requirement.

Covered entities must provide notice to individuals that a Part 2 record, or testimony relaying the content of such record, may not be used or disclosed in a civil, criminal, administrative, or legislative proceeding against the individual absent written consent from the individual or a court order, consistent with the requirements of 42 CFR Part 2.

Covered entities must provide individuals with a clear and conspicuous opportunity to elect not to receive any fundraising communications before using Part 2 records for fundraising purposes for the benefit of the covered entity.

OCR clarifies that although separate covered entities that participate in an organized health care arrangement (OHCA) may issue a joint NPP for the OHCA, Part 2 requirements continue to apply to the Part 2 records maintained by covered entities that are part of OHCAs and individuals who are the subjects of such records maintain all rights under Part 2.

While making these required changes, it is also a good time for a covered entity to review its NPP in its entirety to see if other changes are necessary and to ensure that it remains current and adequately describes how the covered entity uses and discloses PHI as well as how individuals may access their records.

Effective Dates and Compliance Dates

Looking for assistance with your organization’s privacy policies? We work with clients in the preparation and updating of privacy policies and procedures to comply with the HIPAA Privacy Rule and more. Such policies are essential to meet patients’ expectations surrounding the protection of their privacy as well as the expectations of regulatory enforcement agencies such as the HHS Office for Civil Rights. If you are looking for assistance in this area, or to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, please contact: Margaret Young Levi, mlevi@wyattfirm.com, at 859.288.7469