Warning: December 23, 2024, Deadline for Compliance with Reproductive Healthcare Privacy Final Rule

HIPAA Privacy Rule and Reproductive Healthcare Privacy Rule - hipaaguide.net

The HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy was issued on April 22, 2024, and took effect on June 25, 2024; however, HIPAA-regulated entities were given 6 months to comply with the provisions of the Final Rule. The compliance deadline for all but the Notice of Privacy Practices requirement of the Final Rule is December 23, 2024. HIPAA-regulated entities have until February 16, 2026, to comply with the Notice of Privacy Practices requirement.

The Final Rule was issued by OCR in response to the Supreme Court's decision in Dobbs v. Jackson Women's Health Organization and the overturning of Roe v. Wade, which removed the constitutional right to an abortion. The Supreme Court's decision allowed states to set their own laws on abortion care and more than a dozen states have implemented bans on abortions, with many more placing strict gestational time limits on abortions.

As a consequence of those state laws, pregnant people in states with restrictions on abortion have to travel out of state to more permissive states to legally receive the care they need. The Final Rule was implemented to strengthen reproductive health information privacy by prohibiting healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities from disclosing protected health information (PHI) in certain circumstances. Protected health information must not be disclosed for any of the following purposes:

  1. To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  2. To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
  3. To identify any person for any purpose described in (1) or (2).

If a HIPAA-regulated entity receives a request for PHI that is potentially related to reproductive health care, before any information may be disclosed, a signed attestation must be obtained that the information requested is not for a prohibited purpose. The signed attestation is required for any request for PHI that is for:

  • Health oversight activities.
  • Judicial and administrative proceedings.
  • Law enforcement purposes.
  • Disclosures to coroners and medical examiners.

Signed attestations must be retained by HIPAA-regulated entities as proof of compliance with the Final Rule. The attestation requirement also notifies any person requesting PHI that they are at risk of potential criminal penalties if they use the PHI for a prohibited purpose.

It is important to be aware that signed attestations are required from law enforcement, although PHI may be disclosed to law enforcement under the HIPAA Privacy Rule provided:

  • The disclosure is not subject to the prohibition.
  • The disclosure is required by law.
  • The disclosure meets all applicable conditions of the Privacy Rule permission to use or disclose PHI as required by law.

OCR has recently published a model attestation form that can be used by HIPAA-regulated entities. The model form does not have to be used, but it is HIPAA-compliant and contains all of the required information, so it is recommended that the text is used.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/