New HIPAA Privacy Regulations Strengthen Privacy for Reproductive Health Care 

September 16, 2024

The U.S. Department of Health and Human Services recently introduced changes to the privacy rule under the Health Insurance Portability and Accountability Act (HIPAA Privacy Rule), aimed at bolstering the privacy of reproductive health care information (the Final Rule). These changes come in response to growing concerns about the confidentiality of reproductive health services following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization to return the legislation of abortion to the states, which has led to varying state laws on the legality of abortion.

Key Changes to the HIPAA Privacy Rule

The Final Rule includes several significant updates:

Redefines Person

The Final Rule redefines person to provide that a natural person means a human being who is born alive. This is significant because it means that a fetus or embryo is not a protected person under the HIPAA Privacy Rule and, thereby, removes any confusion about who is to be protected under the Final Rule.

Redefines Various Public Health Activities

The Final Rule redefines various public health activities by stating that they refer to population-level activities to prevent disease in and promote the health of populations. The Final Rule also specifically provides that public health activities do not include activities that have the purpose of:

  1. Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care;
  2. Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care; or
  3. Identifying any person for the activities described in (1) or (2).

This is significant because it prevents any inconsistency in the HIPAA Privacy Rule with the new prohibitions on use and disclosure of reproductive health care information.

Defines Reproductive Health Care

The Final Rule defines Reproductive Health Care to mean health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. This is generally read to include things such as contraception, pregnancy management, miscarriage management, and fertility treatments.

Prohibition on Use and Disclosure

The Final Rule prohibits the use or disclosure of protected health information (PHI) by covered entities (i.e., health care providers, health care clearinghouses, or health plans) and their business associates for the purpose of investigating, prosecuting, or imposing liability on individuals seeking, obtaining, providing, or facilitating lawful reproductive health care.

Signed Attestation Requirement

In certain situations, before using or disclosing PHI related to reproductive health care, covered entities must get a signed statement from the person requesting the PHI that verifies that the use or disclosure of the PHI is not for a purpose that would violate the Final Rule.

What Covered Entities Need to Do and When

Covered entities need to take the following actions to comply with the Final Rule:

Update Notice of Privacy Practices

Covered entities are required to update their Notice of Privacy Practices to reflect these new protections. This Notice must clearly inform individuals about their rights and the new privacy safeguards in place for reproductive health care information.

Training and Awareness

Covered entities should conduct training sessions for employees who work on their behalf to ensure they understand the new regulations and how to appropriately use and disclose PHI related to reproductive health care.

Revise HIPAA Privacy Policies and Procedures

HIPAA privacy policies and procedures must be updated to align with the new requirements. This includes ensuring that any uses and disclosures of reproductive health care PHI are compliant with the Final Rule.

Compliance Deadlines

The Final Rule is effective June 25, 2024, with compliance required by December 23, 2024. However, covered entities have until February 16, 2026, to update their Notice of Privacy Practices.

 


Authors

Lynn Krisay Brehm

Member

lbrehm@cozen.com

(704) 348-3460

Jenna Schaffer

Associate

jschaffer@cozen.com

(215) 665-4679



For more information on the Final Rule and how the Final Rule may affect your organization, reach out to a member of the Cozen O’Connor Employee Benefits Practice today.