The U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) issued a Final Rule, entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy, amending the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to strengthen protections for reproductive health care.
The Final Rule prohibits covered entities and their business associates from using or disclosing protected health information (PHI) for certain purposes, ensuring that individuals seeking, providing, or facilitating lawful reproductive health care are not subject to investigations or legal actions based solely on these activities.
Prohibited Disclosures
The Final Rule prohibits the use or disclosure of PHI in two key scenarios:
- To conduct investigations or impose liability on individuals solely for seeking, obtaining, providing, or facilitating lawful reproductive health care.
- To identify individuals for such investigations or legal actions related to reproductive health care.
These protections prevent individuals from being penalized or investigated for engaging in legally protected reproductive health care activities.
Scope of the Rule and Applicability
The Final Rule applies to covered entities (health care providers, health plans, clearinghouses) and their business associates. These entities must comply with the PHI prohibition when reproductive health care is lawful under state law or protected by federal law, including cases where individuals travel between states for legal care.
Permitted Disclosures
The Final Rule does not prevent covered entities or business associates from using or disclosing PHI for other legal purposes permitted under the Privacy Rule, such as defending against claims of professional misconduct or negligence related to reproductive health care.
Required Updates to BAAs and Privacy Policies Under the Final Rule
Under the Final Rule, covered entities will be required to update their Business Associate Agreements (BAAs) and Privacy Policies to align with new reproductive health care privacy protections.
Covered entities must revise their BAAs to prohibit the use or disclosure of PHI related to investigations into individuals seeking, obtaining, or providing lawful reproductive health care and add an attestation requirement.
If a Covered Entity or Business Associate receives a request for PHI related to reproductive health care for purposes like health oversight, legal proceedings, law enforcement, or disclosures to coroners, a signed attestation is required. The signed attestation must include two key points: that the request is not related to any prohibited reproductive health care purpose, and that the requesting party understands the potential criminal penalties under HIPAA for improper use or disclosure of reproductive health care PHI.
Privacy Policies must be updated to clearly state the conditions under which reproductive health care PHI can be disclosed, prohibiting disclosures related to reproductive health care investigations. The HIPAA Notice of Privacy Practices should also be updated to inform individuals of their enhanced privacy protections. These updates ensure compliance with the Final Rule and safeguard individuals’ reproductive health care privacy.
Summary
The Final Rule strengthens privacy protections for those seeking, obtaining, or providing reproductive health care by limiting PHI use and disclosure in investigations or legal actions based on these activities. It also requires updates to BAAs and Privacy Policies to ensure compliance, while safeguarding reproductive health care under both state and federal law. While each BAA should be reviewed and modified as appropriate for the specific situation, some sample language appropriate for consideration in drafting follows:
1. Prohibition of Use or Disclosure of PHI for Reproductive Health Care. Covered Entity and Business Associate agree that neither party shall use or disclose any individual’s PHI for the purpose of conducting a criminal, civil, or administrative investigation into, or imposing criminal, civil, or administrative liability on, any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances, or for the identification of any person for the purpose of conducting such investigation or imposing such liability.
1.1 Presumption of Lawfulness. Both parties agree that reproductive health care provided by a person other than the parties is presumed lawful under the circumstances in which it was provided, unless the Covered Entity or Business Associate has actual knowledge that the care was unlawful or receives factual information from the requesting party demonstrating a substantial basis that the care was not lawful. Neither party shall use or disclose PHI related to reproductive health care based on the presumption of lawfulness unless one of these conditions is met.
1.2 Attestation. If Covered Entity or Business Associate receives a request for PHI for any of the following purposes—health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners—and the request may involve PHI related to reproductive health care, a signed attestation must be obtained from the requesting party confirming that the use or disclosure is not for a prohibited reproductive health care purpose. The signed attestation must confirm that the requested PHI will not be used or disclosed for any purpose related to reproductive health care, as prohibited by the HIPAA Privacy Rule. The attestation must include the following representations: The request for PHI is not for a prohibited purpose related to reproductive health care; the requesting party is aware of and understands the potential criminal penalties for obtaining or disclosing individually identifiable health information relating to an individual for prohibited purposes under HIPAA.