June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! The deadline to comply with almost all of the new regulatory requirements pertaining to requests for PHI in connection with reproductive health care is December 23, 2024 (just 6 months away!). However, required updates to the HIPAA NPP do not need to be completed until February 16, 2026 (HHS was kind enough to delay the compliance deadline for the reproductive health updates to the HIPAA NPP in order to coincide with the updates to the HIPAA NPP required by the Final Rule for 42 CFR Part 2, which has a February 16, 2026 compliance deadline).
If you are a subscriber to the Legal HIE backend compliance library, we have updated our resources to help you get started with complying with the Final Rule governing Reproductive Health Privacy. Subscribers can now find the following templates, samples, tools, and checklists in our library, all of which have been carefully crafted and updated for compliance with the new Final Rule governing Reproductive Health Privacy:
HIPAA Helper – Health Care Providers (download the Table of Contents)
- TOOL: HIPAA Checklist – Reproductive Health Care Compliance Elements
- FORM: Reproductive Health Care Attestation
- POLICY: Updated Personal Representatives P&P
- POLICY: Updated Public Health P&P
- POLICY: Updated Healthcare Oversight Activities P&P
- POLICY: Updated Judicial & Administrative Requests P&P
- POLICY: Updated Law Enforcement Requests P&P
- POLICY: Updated Deceased Individuals P&P
- POLICY: NEW! Reproductive Health Care Privacy P&P
HIPAA Helper – Business Associates (download the Table of Contents)
- TOOL: HIPAA Checklist – Reproductive Health Care Compliance Elements
- FORM: Reproductive Health Care Attestation
- POLICY: Updated Personal Representatives P&P
- POLICY: Updated Healthcare Oversight Activities P&P
- POLICY: Updated Judicial & Administrative Requests P&P
- POLICY: Updated Law Enforcement Requests P&P
- POLICY: Updated Public Health P&P
- POLICY: Updated Deceased Individuals P&P
- POLICY: NEW! Reproductive Health Care Privacy P&P
HIPAA General Resources
- TOOL: Regulatory Text – HIPAA Privacy Rule to Support Reproductive Health Care Privacy
- TOOL: Crosswalk – HIPAA v. the New Jersey Reproductive Health Care Services Act
- TOOL: Checklist for Reproductive Health (HIPAA and NJ Law)
While the effective date is here, many questions remain about how some of the new requirements should be implemented. Among those giving covered entities and business associates the most angst is the new Attestation requirement.
The Final Rule imposes a new requirement on covered entities and business associates to obtain an Attestation if it receives a request for PHI potentially related to reproductive health care in the context of health oversight activities, judicial and administrative proceedings, law enforcement purposes, and for disclosures to coroners and medical examiners. HHS reasoned that:
“The requirement to obtain a signed attestation gives a covered health care provider, health plan, or health care clearinghouse (or business associates) a way of obtaining written representations from persons requesting PHI that their requests are not for a prohibited purpose. Additionally, it puts persons making requests for the use or disclosure of PHI on notice of the potential criminal penalties for those who knowingly and in violation of HIPAA obtain individually identifiable health information (IIHI) relating to an individual or disclose IIHI to another person.”
Yes, BUT how does one practically implement this Attestation requirement? Organizations, like health care systems, that receive numerous requests for PHI daily will now need to figure out how to “flag” the types of requests that require obtaining an Attestation before disclosing any PHI to the requestor. In the EHR and networked HIE context, this is even more challenging.
One article, written by privacy SME Mohamad Jafari, who has a background in software engineering, attempts to present technological solutions for implementing the Attestation requirement. I highly recommend reading it; you can access the article here (Implementing the Attestation Requirements in the New HIPAA Rule). As part of a proposed workflow, the author offers several suggestions (like using a security labeling service (SLS)) that organizations can consider taking back to their internal IT folks to evaluate. Yet, there will still be implementation challenges. For example, the author suggests that if a request is electronically received and does not include an Attestation, then an organization should “identify all reproductive healthcare information subject to the [Final Rule] (using a SLS) and redact them from the outgoing response.” However, based on my experience with organizations that have attempted to use such an approach with “sensitive data,” this will be infeasible to implement for many requests where the data spans 20+ years and multiple admissions/visits and when the technology (e.g., Epic, NextGen, MEDITECH etc.) is still lacking. But, perhaps as FHIR becomes more widely adopted in the industry, SLS solutions like the one described by the author will become feasible (and hopefully affordable).
If Attestation is not enough to make you want to pull all the hairs out of your head, the interplay between the HIPAA Final Rule and state laws governing reproductive health care information will. After the Dobbs decision, a number of states immediately took it upon themselves to pass laws to protect reproductive health care privacy. A few examples include:
- Connecticut (PA 22-19, effective July 1, 2022, prohibiting information related to reproductive healthcare services from being disclosed in any civil action or any proceeding preliminary thereto or in any probate, legislative or administrative proceeding).
- New Jersey (A3975, effective July 1, 2022, prohibits disclosing of certain information relating to reproductive health care services unless he patient explicitly consents to it).
- Maryland (Chapter 249, passed in May 2023, protecting mifepristone data, the diagnosis, procedure, medication, and related codes for abortion care, and other sensitive health services with a date of service after May 31, 2022, as determined by the Secretary of Health).
- California (AB 352 & AB 254, effective September 27, 2023, adopting privacy protections for information about abortion, abortion-related services and contraceptives)
The interplay of such state laws and the new HIPAA Final Rule presents yet another layer of complexity to implementation for organizations that have to comply with both. We have completed a Crosswalk between the requirements of HIPAA and New Jersey law, which is accessible in our Legal HIE compliance library to subscribed members. Readers in other states should look into doing the same as part of their compliance implementation strategy.
Over the coming months leading up to the December 23, 2024 deadline, HHS has promised to release additional guidance and resources to assist covered entities and business associates comply with the new requirements relating to reproductive health care. HHS has already posted a few Guidance documents on its new webpage dedicated to HIPAA and Reproductive Health, which is helpful. Several examples HHS offers of disclosures of PHI that continue to be allowed irrespective of the new Final Rule are particularly helpful. Here is a reprint of those:
Required by Law Example: An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
Law Enforcement Example: A law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
Law Enforcement Example: A law enforcement official presents a reproductive health care clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.
Averting Serious Threat to Health or Safety Example: A pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. However, the Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission for several reasons, including:
- A statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health or safety of a person or the public”.
- It generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient–physician relationship and may increase the risk of harm to the individual.
The full HHS Guidance document can be found here. A helpful Fact Sheet is also posted there. We’ll be keeping an eye out for additional resources and answers to FAQs from HHS in the coming months.
As for those wondering what my ice cream cones have to do with today’s post? . . . Absolutely nothing. But, it’s summer, and you gotta love a picture of a delicious, creamy scoop of ice scream, right?!