The Supreme Court’s 2022 ruling is Dobbs v. Jackson Women’s Health Organization The federal Constitution’s repeal of the right to abortion continues to change the legal landscape across the United States. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (“Final Rule().
Final Rule – Privacy Standards for Personally Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“Privacy Amendments to the HITECH Act of 2009 (HITECH Act) – Strengthens privacy protections related to the use and disclosure of reproductive health care information. The HIPAA Privacy Rule limits the disclosure of protected health information (PHI) so that patients are not afraid to seek care from their health care providers or share sensitive information with their health care providers. It’s part of her HHS efforts to
Final rules:
- Prohibits the use or disclosure of PHI to investigate or hold accountable an individual, health care provider, or other person who seeks, obtains, provides, or facilitates reproductive health care that is lawful under the circumstances in which the reproductive health care is provided, or to identify an individual for such activities.
- Requires covered entities and business partners to obtain signed certification that certain requests for PHI that may relate to reproductive health care are not for these prohibited purposes. I oblige.
- Requires covered entities to modify their NPPs to support reproductive health care privacy.
“From autumn Roe v. Wade“Health care providers are concerned that patient records will be requested when a patient visits a clinic for legitimate treatment, even after the patient goes home,” said Melanie OCR, director of OCR. Fontes Reiner said. news release. OCR administers privacy regulations that require most health care providers, health insurance plans, health information exchanges (“covered entities”) and business associates to protect the privacy of her PHI.
Commenters to previous notices of proposed rulemaking (“2023 NPRM”) raised concerns that PHI related to reproductive health care could be used and disclosed to expose them to investigation and liability under the state’s abortion laws, particularly the newly reinstated law. This final rule is intended to prohibit disclosure of PHI related to: legal Reproductive health care—a change from current privacy rules that generally permit, but do not require, disclosure of relevant material information in a legitimate law enforcement investigation.
Important points
New categories of protected health information. The final rule modifies the HIPAA Privacy Rule by defining new categories of protected health information, adds new “prohibitions on uses and disclosures” to the HIPAA Privacy Rule at 45 CFR 164.502, and provides a Requires business associates not to use or disclose it. Phi:
- Conduct criminal, civil, or administrative investigations against any person for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care.”
- Imposing criminal, civil, or administrative liability on any Person solely for seeking, obtaining, providing, or promoting reproductive health care;
- To identify an “individual” for any of the purposes listed above.
Ban. Under the final rule, HIPAA-covered entities and business associates who receive requests for protected health information must reasonably determine that one or more of the following conditions exist:
- Reproductive health care may be legal in the state in which such health care is provided, depending on the circumstances in which such health care is provided (e.g., if a resident of a state (if you travel to another state to receive medical care) is legal in the state where such medical care is provided).
- Reproductive health care is protected, mandated, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g., reproductive health care, such as contraception, is protected by the Constitution). It has been).
Estimate. Such accommodations are presumed to be lawful unless the HIPAA-covered entity or business associate:
- had actual knowledge that the reproductive care was not lawful under the circumstances in which it was provided; or
- Factual information provided by the claimant demonstrating substantial factual evidence that reproductive health care was not lawful under the particular circumstances in which it was provided.
Certificate requirements. The final rule adds 45 CFR § 164.509(c), which requires a covered entity or business associate to receive a request for PHI that may relate to reproductive health care., Obtain a signed certificate from the requester. However, obtaining certification does not relieve a covered entity or business associate from the responsibility of determining whether the reproductive health care that is the subject of the requested information was lawful. The certificate must contain the following elements:
- A description of the information requested that identifies the information in a particular way. Contains one of the following:
- If available, the name of the individual about whom protected health information is asked to be provided.
- If such name is not practicable, the name or other specific identifying information of the person or class of persons requested to be used or disclosed.
- The name or other specific identifying information of the person or class of persons to whom the covered entity will make the requested use or disclosure.
- A clear statement that the use or disclosure is not for a purpose prohibited by 45 CFR § 164.502(a)(5)(iii) (i.e., identifying an individual under the newly added prohibitions).
- A statement that improper use or disclosure of reproductive health information may subject you to criminal penalties.
- Must be written in plain language and include the elements specified in 45 CFR § 164.509(c) (inclusion of other elements not specified in 45 CFR § 164.509(c) is prohibited). ).and
- Must be signed by the person requesting the disclosure (may be in electronic form).
The final rule prohibits “combining” a certificate with other documents (with the exception of any additional supporting information or documents required in the request filed with the certificate (e.g., a clearly labeled summons). Although covered entities may create their own certification forms, HHS plans to publish a model certification form prior to the compliance date to ease the compliance burden.
Policy Practice Notice. The new process for the use and disclosure of reproductive health information requires covered entities to update their Notice of Privacy Practices (NPP) as required under the following provisions: 45 CFR § 164.520. For purposes of this final rule, NPP updates must specifically describe the types of disclosures and uses of PHI that are prohibited by 45 CFR 164.502(a)(5)(iii). The notification must also include a description of the uses and disclosures that require authorization under new 45 CFR § 164.509. Additionally, the Office of Information and Regulatory Affairs of the Office of Management and Budget (OMB) has determined that this final rule meets the following criteria: 5 USC § 804(2) This is considered an important rule because the annualized impact is expected to exceed $100 million based on the number of covered entities and trading partners that will need to implement these changes.
Practical Impact for HIPAA Covered Entities and Business Partners
Given the significant changes introduced by this final rule, there is no better time for covered entities and business partners to consider the compliance implications of new categories of PHI on existing HIPAA policies and procedures. there is no. In addition to creating and/or obtaining new authorization forms, making reasonable determinations of the legality of reproductive health care, and updating our Notice of Privacy Practices, Privacy and Security Officers will ensure that these changes reflect the policies governing data. may need to be evaluated. Dissemination processes and procedures may change as well. Targeted companies and trading partners may also wish to incorporate these changes into training for employees involved in these activities.
The final rule will become effective on June 25, 2024, with a compliance date of December 23, 2024. However, the NPP requirements will go into effect on February 16, 2026, consistent with OCR’s 42 CFR Part 2 regulations. February 16, 2024This will allow covered entities regulated under both rules to implement changes to the NPP simultaneously.
HIPAA-covered entities and business partners should consider the context and framework of the HIPAA Privacy Rule and these new amendments when considering third-party requests for PHI that may include reproductive health information. need to do it (The current HIPAA Privacy Rule is in effect until the new rule becomes effective). Even if the new reproductive health prohibition does not apply, HIPAA-covered entities do not require HIPAA to disclose PHI under most of the HIPAA exceptions contained in 45 CFR § 164.512. You need to take into account the fact that it is not. Therefore, HIPAA provides covered companies with the ability to protect patient privacy interests, especially in the current climate. post dobbs environment.
Covered entities and business associates face the challenge of implementing these new requirements and training employees on how to analyze and respond to requests involving reproductive health information. Questions remain regarding the responsibility of covered entities or business associates to determine whether reproductive care provided to individuals was in fact lawful. For example, if a complaint occurs, does the covered entity have to explain the information disclosed? The final rule is gender-neutral, but how likely is it to apply to men? In any case, we will continue to monitor developments., This includes how HIPAA and other privacy concerns interact with reproductive health care. dobbsFor more information on this topic, please see our previous blog on the 2023 Proposed Rule.
Ann W. Parks contributed to this article.