In April 2024, the HHS Office for Civil Rights (OCR) released the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule. The new rule took effect on June 23, 2024, but the compliance deadline for every requirement except the Notice of Privacy Practices is December 23, 2024. Compliance with the Notice of Privacy Practices requirement is due by February 16, 2026.
Reason for the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy
The new rule was created in response to the Supreme Court’s 2022 judgment in Dobbs v. Jackson Women’s Health Organization. The Court overturned the 1973 Roe v. Wade decision, which had protected the constitutional right to an abortion. After the Supreme Court’s judgment, individual states gained the authority to decide the lawfulness of abortion care. As of December 2024, abortion is banned in 13 U.S. states. Gestational limits of 6 to 12 weeks apply in 6 states, and gestational limits of 18 to 22 weeks apply in 4 states.
Since the Supreme Court overturned its 1973 ruling, healthcare organizations, patients, and others have worried that protected health information (PHI) might be used to monitor the health care people receive, and many are concerned that health data may be disclosed to state agencies, law enforcement, and others to investigate or impose liability on people for obtaining, providing, or facilitating lawful reproductive healthcare. The change to the HIPAA Privacy Rule protects reproductive healthcare privacy by ensuring that PHI is not used or disclosed for those purposes. Before this rule, such disclosures were permitted, although not required, by the HIPAA Privacy Rule in some circumstances.
Texas Attorney General Ken Paxton is challenging the Final Rule in court, seeking to stop OCR from enforcing the rule in Texas. Depending on the outcome of that challenge, other states may bring similar challenges.
Final Rule Compliance Begins on December 23, 2024
The final rule applies to HIPAA-regulated entities and their business associates and prohibits them from using or disclosing PHI to investigate or impose liability on any person for obtaining, providing, or facilitating lawful reproductive healthcare, including in response to requests from law enforcement. When PHI potentially related to reproductive healthcare is requested, the requester must provide the HIPAA-covered entity with an attestation that the requested health data will not be used for a purpose prohibited by the final rule.
An attestation form is required when requesting PHI for the following purposes:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Disclosures about a deceased person to a coroner or medical examiner
Required Elements of an Attestation Form
A HIPAA-compliant attestation form must include the following elements:
- Who is making the request
- Who is receiving the request
- The protected health information (PHI) being requested
- A statement that the PHI is not being requested for a prohibited purpose
HIPAA-covered entities may create their own attestation forms, but OCR has published a model form that can be used for this purpose. Whichever form is used, it may be submitted on paper or electronically and should be retained by the covered entity, since it may need to be produced in an audit or compliance review.
Compliance with the Final Rule
In December 2024, before the compliance date, OCR announced a settlement with Holy Redeemer Family Medicine in Pennsylvania to resolve an impermissible disclosure of a patient’s reproductive health data. Although the enforcement action was not related to the final rule, it shows that OCR is determined to protect the privacy of reproductive health data.
Before the compliance deadline, policies and procedures for handling requests for access to and copies of medical records must be updated, employees must be given a copy of the updated policies and procedures, records must be kept confirming that employees have received them, and HIPAA training on the new policies and procedures must be provided.
The Trump Administration may take a different view of reproductive health data privacy and enforcement of the final rule; nevertheless, compliance remains legally required unless and until the rule is amended or rescinded.
Image credits: Maelgoa, AdobeStock