Written by Joanne Byron, BS, LPN, CCA, CHA, CHCO, CHBS, CHCM, CIFHA, CMDP, OHCC, ICDCT-CM/PCS of the American Institute of Healthcare Compliance (AIHC), a non-profit healthcare education organization.
The effective date of the Final Rule was June 25, 2024 with a compliance date of December 23, 2024. Affected organizations must implement a new Attestation Form by the compliance date and update their Notice of Privacy Practices (NPP or NOPP) by February 16, 2026. This article provides guidance regarding the Final Rule with links to additional information to support your organization’s compliance efforts.
What is this Final Rule?
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Disclosures of Information Relating to Reproductive Health Care, referred to here as the Final Rule, became effective in June 2024.
The Final Rule applies to Protected Health Information (PHI) related to lawful reproductive health care, including care that is protected by federal law, such as the Emergency Medical Treatment and Active Labor Act (EMTALA), or by the U.S. Constitution. The rule also applies when the care was provided by someone other than the regulated entity that receives the request for PHI.
As stated by the Office for Civil Rights (OCR), the government agency that enforces HIPAA, access to comprehensive reproductive health care services, including abortion care and other sexual and reproductive care, is essential to individual health and well-being.
Defining Reproductive Health Care
The 2024 HIPAA Final Rule defines reproductive health care as "health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes". This definition is broad and intentional, and may include services related to sterilization and fertility, such as vasectomies, male hormone therapy, and erectile dysfunction treatments.
The rule specifically states: “Reproductive Health Care means health care, as defined in this section, that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care.”
Who is Required to Comply with the Final Rule?
Regulated entities, better known as HIPAA Covered Entities and their Business Associates, are required to comply. These include:
- Health plans;
- Health care clearinghouses;
- Most health care providers; and
- Their business associates
What are the Deadlines for Compliance?
- Published at the Federal Register on April 26, 2024.
- Effective date is June 25, 2024.
- Compliance date, the date by which persons subject to this regulation must comply with the applicable requirements of this Final Rule, is December 23, 2024, except for the Notice of Privacy Practices.
- Compliance date for the Notice of Privacy Practices is February 16, 2026.
The rule became effective on June 25, 2024, and those subject to the regulation must comply by December 23, 2024, except for the applicable requirements for the Notice of Privacy Practices (NPP) under 45 CFR 164.520. The Final Rule requires covered health care providers, health plans, and health care clearinghouses to revise their NPPs to support reproductive health care privacy.
Persons who are subject to this regulation and who must provide an NPP to patients are required to comply with the applicable requirements of 45 CFR 164.520 in this Final Rule by February 16, 2026.
What are the Key Provisions to the Rule?
The Final Rule applies to the protection of reproductive health care information, which encompasses abortion, birth control, and in vitro fertilization, with the goal of strengthening patient-provider confidentiality and promoting trust between individuals and their health care providers. In short, the Final Rule has several provisions:
- Presumption of lawfulness - The rule presumes that reproductive health care provided by someone other than the regulated entity is lawful, unless the regulated entity has actual knowledge that it is not or the requester can demonstrate a substantial factual basis that it was unlawful.
- Prohibition on use or disclosure - The rule prohibits covered health care providers, health plans, and health care clearinghouses from using or disclosing protected health information (PHI) to investigate or impose liability on people for seeking, obtaining, providing, or facilitating lawful reproductive health care.
- Attestation requirement - The rule requires regulated entities to obtain an attestation from the requester that a requested use or disclosure of PHI is not for a prohibited purpose.
Please reference § 164.512, Uses and disclosures for which an authorization or opportunity to agree or object is not required, and review the summary provided below. This summary is taken from the Office for Civil Rights (OCR) “HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet”.
What Specific Types of Use & Disclosures are Prohibited?
The Final Rule's prohibition on the use or disclosure of reproductive health care PHI applies to either of the following activities:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of conducting such investigation or imposing such liability.
Under the Final Rule, the prohibition applies where a covered health care provider, health plan, or health care clearinghouse (covered entities) or business associate (collectively, “regulated entities”) has reasonably determined that one or more of the following conditions exists:
- The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
  - For example, a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
- The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
  - For example, the use of the reproductive health care, such as contraception, is protected by the Constitution.
- The reproductive health care was provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associate) that receives the request for PHI, and the presumption described below applies.
The Final Rule continues to permit regulated entities to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for the use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. OCR provides the following examples of what a regulated entity:
- Is permitted to continue to use or disclose PHI to defend themselves in an investigation or proceeding related to professional misconduct or negligence where the alleged professional misconduct or negligence involved the provision of reproductive health care.
- Could continue to use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care.
- Could continue to use or disclose PHI to an Inspector General where the PHI is sought to conduct an audit for health oversight purposes.
Rule of Applicability
The prohibition applies:
- Where the relevant activity is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care; and
- The regulated entity that received the request for PHI has reasonably determined that one or more of the following conditions exists:
  - The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
  - The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided.
  - The presumption described below applies.
Presumption - Care Provided was Lawful
The Final Rule includes a presumption that reproductive health care provided by a person other than the regulated entity receiving the request was lawful. In such cases, the reproductive health care is presumed to be lawful under the circumstances in which it was provided unless one of the following conditions is met:
- The covered health care provider, health plan, or clearinghouse (or business associate) has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
  - For example, an individual discloses to their doctor that they obtained reproductive health care from an unlicensed person, and the doctor knows that the specific reproductive health care must be provided by a licensed health care provider.
- The covered health care provider, health plan, or health care clearinghouse (or business associate) receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.
  - For example, a law enforcement official provides a health plan with evidence that the information being requested is reproductive health care that was provided by an unlicensed person where the law requires that such health care be provided by a licensed health care provider.
What is the New Form Requirement About?
Regulated Entities Must Obtain a Signed Attestation from the Requester Now
- OCR has provided a “Model Attestation” for requested use or disclosure of PHI related to reproductive health care. Download a copy of the model attestation from OCR.
Implementing the Attestation Form - To implement the prohibition, the Final Rule requires that, when a regulated entity receives a request for PHI potentially related to reproductive health care, the regulated entity obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies when the request is for PHI for any of the following:
- Health oversight activities.
- Judicial and administrative proceedings.
- Law enforcement purposes.
- Disclosures to coroners and medical examiners.
Are There Penalties if the Requester Isn’t Compliant?
The requirement to obtain a signed attestation gives the regulated entity a way of obtaining written representations from persons requesting PHI that the request is not for a prohibited purpose. It also puts the requester “on notice” of the potential criminal penalties for knowingly violating HIPAA. As of October 2023, the criminal penalties for violating HIPAA rules can include jail time and fines:
- Tier 1: Reasonable cause or no knowledge of violation, up to 1 year in jail
- Tier 2: Obtaining PHI under false pretenses, up to 5 years in jail
- Tier 3: Obtaining PHI for personal gain or with malicious intent, up to 10 years in jail
Disclosures to Law Enforcement
The Privacy Rule permits uses or disclosures of PHI without an individual’s authorization only where such uses or disclosures are expressly permitted or required by the Privacy Rule.
The Privacy Rule permits, but does not require, certain disclosures to law enforcement and others, subject to specific conditions. Thus, regulated entities such as covered health care providers, health plans, and health care clearinghouses and their business associates, including their workforce members, are permitted to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care (lawful or otherwise) only if the covered entity or business associate is required by law to do so and all applicable conditions are met.
Accordingly, under the Final Rule, such disclosure is only permitted where all three of the following conditions are met:
- The disclosure is not subject to the prohibition.
- The disclosure is required by law.
- The disclosure meets all applicable conditions of the Privacy Rule permission to use or disclose PHI as required by law.
45 CFR 164.512(f)(1)(ii) states:
Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information:
(i) As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or
(ii) In compliance with and as limited by the relevant requirements of:
(B) A grand jury subpoena; or
(C) An administrative request for which response is required by law, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
(1) The information sought is relevant and material to a legitimate law enforcement inquiry;
(2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
(3) De-identified information could not reasonably be used.
According to OCR, examples would be:
- A law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
- A law enforcement official presents a reproductive health care clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.
Disclosures to Avert a Serious Threat to Health or Safety
The Privacy Rule permits but does not require a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat.
According to major professional societies, including the American Medical Association and American College of Obstetricians and Gynecologists, it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.
Example:
A pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. However, the Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission for several reasons, including:
- A statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health or safety of a person or the public”.
- It generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient–physician relationship and may increase the risk of harm to the individual.
Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
Consult with Legal Counsel & Malpractice Carrier
Due to the complexities of complying with the 2024 Final Rule, it is advised that regulated entities seek legal counsel, and guidance regarding policies and procedures from their risk attorney through their malpractice insurance company.
About the Author, Joanne Byron
This article is sponsored by the American Institute of Healthcare Compliance (AIHC), a non-profit healthcare compliance training organization. Joanne serves as Board Chair for AIHC and oversees the Volunteer Education Committee.
Copyright © 2024 American Institute of Healthcare Compliance All Rights Reserved