On April 26, 2024, the Workplace for Civil Rights (“OCR”) on the U.S. Division of Well being & Human Providers (“HHS”) revealed a final rule to amend the HIPAA Privateness Guidelines to help reproductive well being care privateness (the “Reproductive Well being Care Guidelines”). The Company additionally issued a Press Release, Fact Sheet, and Message from the Director of OCR. Listed below are 5 vital takeaways:
- The Reproductive Well being Care Guidelines restrict when a bunch well being plan can disclose reproductive well being care protected well being info (“PHI”) for non-health care functions. Extra particularly a bunch well being plan could not disclose such PHI: (a) to conduct a felony, civil, or administrative investigation into any particular person for the mere act of in search of, acquiring, offering, or facilitating reproductive well being care; (b) to impose felony, civil, or administrative legal responsibility on any particular person for the mere act of in search of, acquiring, offering, or facilitating reproductive well being care; or (c) to determine any particular person for such functions.
- The Reproductive Well being Care Guidelines’ protections solely apply when the reproductive well being care is lawful. Reproductive well being care is well being care that impacts the well being of a person in all issues regarding the reproductive system and to its features and processes. It’s lawful when it’s permitted underneath the state regulation by which such well being care is supplied, or when it’s licensed by Federal regulation. A gaggle well being plan should assume reproductive well being care is lawful until it has precise information or factual info from the particular person requesting the knowledge that it isn’t.
- A gaggle well being plan should obtain an attestation for sure makes use of or disclosures of PHI that doubtlessly relate to reproductive well being care. Current HIPAA Privateness Guidelines enable a bunch well being plan to: (a) use and disclose PHI for well being oversight actions; (b) disclose PHI for judicial and administrative proceedings; (c) disclose PHI for regulation enforcement functions; and (d) use and disclose PHI about decedents to coroners and medical experts. Nonetheless, underneath the Reproductive Well being Care Guidelines, a bunch well being plan can’t use or disclose PHI doubtlessly associated to reproductive well being take care of these functions until it obtains a legitimate attestation from the requester. The Reproductive Well being Care Guidelines specify the knowledge a legitimate attestation will need to have, and HHS indicated that it intends to publish mannequin attestation language. A person who falsifies an attestation can be topic to potential felony legal responsibility and a bunch well being plan that fails to acquire a legitimate attestation earlier than disclosing such PHI can be topic to potential civil penalties.
- The Reproductive Well being Care Guidelines make clear when a bunch well being plan could disclose reproductive well being care PHI pursuant to an administrative request (e.g., an administrative subpoena or summons). Current HIPAA Privateness Guidelines enable a bunch well being plan to reveal PHI pursuant to an administrative course of if: (a) the knowledge sought is related and materials to a legit regulation enforcement inquiry; (b) the request is restricted and restricted in scope; and (c) de-identified info couldn’t moderately be used. The Reproductive Well being Care Guidelines moreover present that such disclosures should be required by regulation and never in any other case topic to the prohibition outlined in takeaway #1 above.
- A gaggle well being plan should take actions to adjust to the Reproductive Well being Care Guidelines. Efficient December 23, 2024, a bunch well being plan could need to contemplate taking the next actions to adjust to the Reproductive Well being Care Guidelines: (a) adopting a normal attestation type to make use of when the group well being plan receives requests for reproductive well being care PHI; (b) reviewing and revising their HIPAA privateness insurance policies and procedures to make sure compliance with the Reproductive Well being Care Guidelines; (c) offering up to date coaching to workforce members with entry to PHI that deal with new necessities underneath the Reproductive Well being Care Guidelines; and (d) reviewing and revising enterprise affiliate agreements to make sure such agreements deal with the Reproductive Well being Care Guidelines. Efficient February 16, 2026, a bunch well being plan should replace its Discover of Privateness Practices to help reproductive well being care privateness rights and deal with confidentiality of substance use dysfunction affected person data as required underneath the CARES Act of 2020.