New HIPAA Rules Limit the Use and Disclosure of PHI Related to Reproductive Health Care and Revise Notice of Privacy Practices Requirements
Publications - Client Alert | April 30, 2024
On April 26, 2024, the Department of Health and Human Services (“HHS”) published a Final Rule to amend the HIPAA regulations. Among other things, HIPAA protects the privacy of individuals’ protected health information (“PHI”) and sets parameters and restrictions on the use and disclosure of PHI.
Health plans and business associates must comply with the new restrictions on the use and disclosure of PHI by December 23, 2024, and the new HIPAA notice of privacy practices requirements by February 16, 2026.
The Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”)
In Dobbs, the Supreme Court overturned a federally protected right to abortion and declared it to be a state issue. Our prior Client Alert discusses how Dobbs affects group health plans. In the wake of Dobbs, individual states have placed various restrictions on abortion procedures, with some placing criminal liability upon individuals and physicians for receiving or administering the procedure. HHS believes the Dobbs decision and these state laws restricting abortion create a risk that an individual’s PHI may be used or disclosed in ways that cause harm to individuals and deter them from accessing medical care. HHS’s particular concern is that individuals’ PHI may be used to investigate or impose liability upon individuals related to abortions, thereby discouraging individuals from seeking abortions or from providing pertinent past treatment information to current health care providers.
Amending the Privacy Rule to Prohibit the Disclosure of Certain PHI to Law Enforcement
Under its statutory authority to administer and enforce HIPAA, HHS may modify the HIPAA regulations as needed. The Final Rule adds a new prohibition on the use and disclosure of PHI. Specifically, the Final Rule:
- prohibits a regulated entity from using or disclosing an individual’s PHI for the purpose of conducting a criminal, civil, or administrative investigation into, or imposing criminal, civil, or administrative liability on, any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided, meaning that it is either: (1) lawful under the circumstances in which such health care is provided and in the state in which it is provided; or (2) protected, required, or authorized by Federal law, including the United States Constitution, regardless of the state in which such health care is provided.
The Final Rule defines “reproductive health care” as “health care that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.” HHS provided a non-exhaustive list of examples in the preamble including contraception, fertility or infertility-related care, and pregnancy-related care. HHS clarified that the Final Rule’s new prohibition does not eliminate a group health plan’s ability to use or disclose an individual’s PHI with a valid HIPAA authorization. Additionally, HHS clarified that the Final Rule does not prohibit the disclosure of PHI about reproductive health care that was unlawfully provided. It will be important for employers, group health plans, and business associates to understand what is lawful versus unlawful in various jurisdictions.
Adding a New Provision Requiring an Attestation for Requests
Although the Final Rule requires a covered entity to collect an attestation from requesters of PHI potentially related to reproductive health care, HHS makes clear that group health plans and business associates cannot rely on the attestation alone and must make an independent determination on the use or disclosure of PHI. HHS intends to provide a model attestation form. The attestation will include: the types of PHI being requested, the name of the individual whose PHI is being requested, and a statement that the use or disclosure is not for the new prohibited purpose. The attestation will be limited to the specific use or disclosure, so each use or disclosure request will require its own attestation.
The Final Rule includes an enforcement provision to hold both group health plans and business associates directly liable for compliance with the attestation requirement. This allows HHS to take enforcement action directly against them.
Changes to HIPAA Notice of Privacy Practices
The Final Rule revises the requirements for notices of privacy practices (“NPP”). It adds new requirements to address certain substance use disorder treatment records. Additionally, the NPP must include a description and at least one example of the types of uses and disclosures of reproductive health care PHI that are prohibited. It must also include a description and example of the types of uses and disclosures of PHI that require an attestation. The NPP must include a statement putting individuals on notice that information disclosed pursuant to the HIPAA Privacy Rule may be redisclosed by the recipient and will then no longer be protected by HIPAA.
Important Action Items
These modifications to the HIPAA regulations will likely require revisions to existing business associate agreements and HIPAA policies and procedures. As a result, we recommend that employers and business associates:
- Review and revise HIPAA policies and procedures to address the requirements in the Final Rule. Among other things, they should address the process for reviewing and processing requests for records that include reproductive health care PHI and attestations.
- Revise and distribute new HIPAA notices of privacy practices.
- Provide training on the revised HIPAA policies and procedures, especially for individuals processing requests for PHI and attestations.
- Review plan communications to ensure all HIPAA references are current to reflect these modifications.
- Review business associate agreements that may permit business associates to engage in activities that are no longer permitted and revise as necessary.
- Revise business associate agreements to ensure responsibility, liability, and indemnification provisions encompass these new requirements.
If you have questions about fiduciary matters or these action items, please contact a member of Kutak Rock’s Employee Benefits and Executive Compensation practice group.