Actions Needed to Get Your Health Plan in Compliance With the New HIPAA Rules

On April 26, 2024, the U.S. Department of Health and Human Services (HHS) published the Reproductive Health Care Rule. This final rule enhances the HIPAA privacy protections for protected health information (PHI) relating to reproductive health care. While the Rule is effective June 25, 2024, all covered entities, including group health plans, have until December 23, 2024, to comply with the new requirements, with the exception that the HIPAA Notice of Privacy Practices must be updated by February 16, 2026.

What is the Reproductive Health Care Rule?

The Reproductive Health Care Rule (“Rule”) prohibits the use and disclosure of PHI relating to an individual’s reproductive health care for the following purposes:

  • To conduct a criminal, civil, or administrative investigation into the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;
  • To impose criminal, civil, or administrative liability on any person; or
  • To identify any person for the purpose of conducting such investigation or imposing such liability.

The Rule applies only when the reproductive health care is lawful. It is lawful when it is permitted under the law of the state in which such health care is provided, or when it is authorized by federal law. Unless the group health plan has actual knowledge or factual information that the health care was unlawful, the plan must assume it was lawful. If the HIPAA Privacy Officer determines the health care was unlawful, the plan is permitted to disclose the health care information in accordance with HIPAA’s normal privacy and security requirements.

What is Reproductive Health Care Information?

Reproductive health care is defined as “health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”

The Rule also provides a non-exhaustive list of the types of health care that are encompassed by this definition, including:

  • Contraception;
  • Pregnancy-related health care;
  • Fertility or infertility related health care; or
  • Other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system.

Attestation Requirement

In addition to the new prohibitions on the use and disclosure of PHI relating to reproductive health care, the Rule also requires that covered entities and business associates who receive requests for PHI that is related to reproductive health care obtain an attestation form from the person or entity requesting the information. A written, signed, and dated attestation form is required when the PHI request is related to any of the following:

  • Health care oversight activities;
  • Judicial or administrative proceedings;
  • Law enforcement purposes; or
  • Disclosures to coroners and medical examiners.

A valid attestation must include a description of the specific information requested, a statement that the use or disclosure is not for a prohibited purpose, and a statement explaining the criminal penalties for violating HIPAA’s privacy or security rules. HHS has issued a model attestation form.

Next Steps for Employers

To ensure that your group health care plans are in compliance with the Rule, consider these potential next steps:

  1. Policies and Procedures: Review and update HIPAA policies and procedures to include the new prohibitions that apply to reproductive health care PHI.
  2. Notice of Privacy Practices: Update the Notice of Privacy Practices to include the new prohibitions regarding uses and disclosures of an individual’s reproductive health care PHI and the attestation rule, including examples.
  3. Business Associate Agreements: Review and update business associate agreements to ensure compliance with the Rule.
  4. Training: Train employees responsible for managing health plan information or responding to PHI requests about the requirements of the Rule, including the new prohibitions and obtaining attestation forms.
  5. Attestation: Create an attestation form.

If we prepared your HIPAA policies and procedures, we will be reaching out to you about next steps. If you have any questions about the new HIPAA Reproductive Health Care Rule, please reach out to any of the attorneys on our Employee Benefits team or HIPAA team.

*Briana Blair is a Law Clerk and not licensed to practice law.
