In April 2024, the Department of Health and Human Services (“HHS”) issued a final rule (“2024 Final Rule”) modifying the HIPAA Privacy Rule. The goal behind the modification is to protect access to and the privacy of legal reproductive health care records in light of the U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which quashed the constitutional right to abortion and placed the power to regulate abortion in the hands of the states. Since Dobbs was decided in 2022, many states—but not all—have passed abortion-restricting legislation. The result is that abortions and other reproductive health care are legal in some states, and illegal in others.
The 2024 Final Rule creates a new category of prohibited purposes for which patients’ protected health information (“PHI”) cannot be used or disclosed. All HIPAA-regulated entities (i.e., covered entities and their business associates) must comply with the 2024 Final Rule.
New Category of “Prohibited Purposes”
The 2024 Final Rule prohibits HIPAA-regulated entities from using or disclosing PHI for the following “prohibited purposes”: to conduct a criminal, civil, or administrative investigation or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care,” where such health care is lawful under the circumstances in which it is provided, or to identify any person for such purposes.
How would the regulated entity determine if a patient’s reproductive health care was “lawful under the circumstances in which it [was] provided”? The 2024 Final Rule answers this question as follows: The prohibition of releasing PHI is applicable when the regulated entity has determined that one (or more) of the following situations exist:
- the reproductive health care is lawful in the state in which the care was or is provided (e.g., if a resident of a state traveled to a neighboring state to receive a lawful abortion);
- the reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution (e.g., the patient is using contraception, which is protected by the U.S. Constitution); and/or
- the reproductive health care was provided by a person other than the entity that received the request for PHI, with a presumption that the care provided by the other was lawful.
The difference between the first two bullet points and the third bullet point is crucial. Under the first two bullet points, the recipient of the request itself performed the reproductive health care subject to the records request. Therefore, the recipient is responsible for determining whether that care was lawful by, for example, reviewing all available relevant evidence bearing on whether the reproductive health care was lawful under the circumstances in which it was provided.
Under the third bullet point, the recipient of the request did not perform the reproductive health care at issue. In that situation, the rule provides that the recipient can presume by default that the care was lawful. The recipient is not expected to research other states’ laws to determine whether that care was lawful under the circumstances in which it was provided, nor is it expected to consult with an attorney to do the same. However, that presumption falls away if one of the following exceptions applies: 1) the recipient has actual knowledge that the care received from another was not lawful, or 2) the recipient receives information, from the person requesting the PHI, that shows a substantial factual basis that the care was not lawful. HHS describes that a requestor might provide a “substantial factual basis” that the reproductive health care was unlawful with sworn affidavits from third-party complainants that describe the circumstances under which the reproductive health care was provided. By contrast, an anonymous report is likely insufficient to overcome the presumption that the care was lawful, as is the requestor’s bare statement that “the request is not made for a prohibited purpose” or “that the underlying reproductive health care was unlawful.”
Definition of “Reproductive Health Care”
The 2024 Final Rule defines “reproductive health care” as any health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. To clarify what is included in “reproductive health care” for regulated entities, HHS provided a non-exclusive list of examples that fit within the definition:
- Contraception, including emergency contraception
- Preconception screening and counseling
- Management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination
- Fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization (IVF))
- Diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis)
- Other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products)
Attestation Requirement
To implement the prohibition, the 2024 Final Rule requires HIPAA-regulated entities to obtain a signed “attestation” when they receive a request for PHI that is potentially related to reproductive health care—specifically when the request is for PHI for any of the following:
- Health oversight activities.
- Judicial and administrative proceedings.
- Law enforcement purposes.
- Disclosures to coroners and medical examiners.
When one of these requests is received, the covered entity must obtain a signed attestation from the requestor that the use or disclosure of the PHI is not for a “prohibited purpose.” The attestation provides covered entities with written representations that the release of PHI is not prohibited, and also gives notice to the person requesting PHI of the potential criminal penalties for violation of this rule.
A valid attestation must be written in plain language, may be in electronic format, must be limited to the specific use or disclosure, and must include:
- A description of the information requested
- The identification of the individual(s) whose PHI is being requested or the description of the class of individuals whose PHI is being requested
- The identification of the person(s) who are being asked for the PHI
- The identification of the person(s) who are asking for the PHI
- A clear statement that the use or disclosure is not for a prohibited purpose under the final regulations
- A statement that a person may be subject to criminal penalties (under 42 U.S.C. Section 1320d-6) if the person knowingly and in violation of HIPAA either obtains the individually identifiable health information relating to an individual or discloses that information to another person
- Signature of the person requesting the PHI and the date
HHS intends to release a model attestation prior to the compliance date.
Required Revisions to Your Notices of Privacy Practices
Another notable change made by the 2024 Final Rule is its modifications to the contents of covered entities’ Notices of Privacy Practices (“NPP”). Under the 2024 Final Rule, NPPs must be updated to include information about the new prohibition on reproductive health care PHI as described above, the privacy of 42 CFR Part 2 records, and other statements. Covered entities must update their NPPs by February 16, 2026.
Compliance Dates
The 2024 Final Rule will go into effect on June 25, 2024, but HIPAA-regulated entities (covered entities and business associates) are not expected to comply with the changes until 180 days after the effective date, which is December 23, 2024. However, as mentioned previously, the required revisions to covered entities’ NPPs have a later compliance date of February 16, 2026, to give adequate time to make the significant changes required.
Action Items for Covered Entities
For health care providers, this 2024 Final Rule will change the way that you process medical records requests. If you receive a request for records that include a patient’s reproductive health care, this 2024 Final Rule may prohibit you from releasing those records, or require that you jump through a few hoops before releasing them.
By December 23, 2024, covered entities should:
- Revise their internal policies and procedures concerning the processing of medical records requests to incorporate changes made by the 2024 Final Rule
- Train their workforce on the 2024 Final Rule changes
- Create and adopt a standard attestation form
- Revise existing Business Associate Agreements to incorporate new obligations occasioned by the 2024 Final Rule
By February 16, 2026, covered entities should:
- Revise their Notice of Privacy Practices forms