The recently amended HIPAA Privacy Rule is an important first step toward enhancing the privacy of reproductive health information. The amendments change the manner in which covered entities manage protected health information concerning reproductive health care.

Recognizing the Final Rule and Its Effects

Almost a year after publishing a Notice of Proposed Rulemaking regarding the privacy of protected health information (PHI) possibly related to reproductive health care, the Office for Civil Rights (OCR) of the Health and Human Services Department (HHS) has released a Final Rule amending the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. This Final Rule is an improvement to HIPAA that protects the privacy of reproductive health care.

These modifications will affect the privacy policies of all covered entities, which are collectively referred to as regulated entities and include health care clearinghouses, health plans, providers, and business associates. In addition to law enforcement objectives, the new rules will affect legal and administrative proceedings. The terms of the most recent Final Rule do not seem very complicated. That being said, they come with a host of limitations and repercussions for the regulated businesses they affect.

Terminologies Concerning Reproductive Health and HIPAA

The Final Rule addresses a few important definitions.

  • Reproductive Health Care means health care that affects the health of an individual in all matters relating to the reproductive system and to its functions. The definition does not set forth a new standard of care, nor does it regulate what constitutes clinically appropriate reproductive health care.
  • A person is defined as a natural person, or a human being alive at birth. The definition also incorporates private institutions and other forms of administration like estates and trusts. Furthermore, according to HHS, a fertilized egg, embryo, or fetus does not fall under the definition of a person.
  • Public health refers generally to actions taken with the intention of preventing illness and enhancing population health, such as identifying and reducing risks to the health and safety of a population. It does not include certain purposes. The following categories of public health operations are currently forbidden by the HIPAA Privacy Rule:
    • Investigations into, actions taken against, or proceedings involving criminal, civil, or administrative charges pertaining to obtaining, supplying, or enabling reproductive health care.
    • Tracking down whoever is planning these investigations or legal actions.

Date of Compliance with the Latest Rule

A number of deadlines are attached to the Final Rule to improve privacy practices in reproductive health care.

This Final Rule will take effect on June 25, 2025. For 180 days following the date of implementation, all covered businesses and business associates must abide by the rules.

On February 16, 2026, the portion of this Final Rule pertaining to Notices of Privacy Practices (NPPs) shall take effect. This postponed portion of the Final Rule will become effective on the same day as another rule change: the 2024 Part 2 Rule, also known as the 2024 Confidentiality of Substance Use Disorder (SUD) Patient Records Final Rule. Because both of these rules require modifications to the notice of privacy practices, regulated entities will only need to update their NPPs once.

Brief Statement of Latest Rule

The Latest Rule is summarized very simply:

Regulated entities are forbidden to use or disclose PHI for any of the following reasons:

  • Subjecting someone who seeks, provides, or facilitates reproductive health care to criminal, civil, or administrative proceedings, or holding them accountable in any of these capacities, as long as the treatment is permissible under the circumstances.
  • Identifying any person with the intention of conducting that kind of investigation or holding someone responsible.

To simplify this discussion, we will refer to all these circumstances as “RHC investigations”.

Rule of Applicability

In accordance with this Final Rule, a regulated entity must take other factors into account when deciding whether or not to release PHI. Executing parties must take into account the following situations:

  • The reproductive health care is lawful under the law of the state in which such health care is provided and under the circumstances in which it is provided. For example, when a resident of one state travels to another state where the reproductive health care received is legal, the health care provider is prohibited from honoring a request for PHI for an RHC Investigation purpose from the state of the resident.
  • Reproductive health care is protected, mandated, or allowed by federal legislation, including the US Constitution, regardless of the setting in which it is rendered. Here, reproductive health care that is protected by the Constitution is examined through the lens of prevention.
  • Investigations into defense attorneys' allegations of professional misconduct, in cases where they might be held accountable for providing reproductive health care, are among the many examples, as are audits carried out by the HHS Inspector General about duties related to health supervision.

The Presumption Law

Nowadays, the majority of information about reproductive health is obtained from patients, or through health information exchanges in circumstances where the reproductive health care was provided by other providers. This Final Rule may assist regulated organizations that are not familiar with reproductive health care (RHC) in presuming that a patient's RHC from another healthcare provider was appropriate reproductive health care. Regulated entities are not allowed to disclose RHC PHI if the assumption is confirmed.

Validation of the lawfulness of the RHC received at another health care provider can be accomplished in two ways.

  • The regulated entity is aware that in this specific instance the RHC was granted in violation of the law.
  • The person or organization provides solid factual evidence for the claim that the specific RHC was unlawful when it was acquired from a different source. A court order may contain a witness statement from someone who witnessed the patient receiving illicit RHC in a state where it is illegal.

It should be noted that, although information about the RHC was included in the records of the insured healthcare providers who responded to the information request, this Rule of Presumption only applies in situations where the reproductive health care was given by a third party. Regulated entities are accountable for ascertaining the legal status of RHC that is received in their facilities, considering the particular circumstances surrounding the receipt.

Claims and Attestations Regarding Protected Health Information Disclosure

Another new aspect of this Privacy Rule modification that improves patient-provider confidentiality is the requirement for an attestation in certain situations. An attestation must be submitted with any request for the disclosure of PHI that may be related to data on reproductive health services. Furthermore, certain purposes trigger the requirement for an attestation, such as the following:

  • Uses and disclosures for health oversight activities.
  • Information provided in legal and administrative proceedings.
  • Disclosures for law enforcement purposes.
  • Uses and disclosures about decedents (coroners and medical examiners).

What an Attestation Must Include

For an attestation to be considered legitimate, it must include a number of elements. Additionally, the attestation's terms cannot be mixed with any other forms that might be used for requesting the disclosure of PHI; it must be a stand-alone document. On the other hand, attestations might be included in a set of forms.

  • A description of the PHI requested, including:
    • The type of PHI being requested.
    • The class of individuals whose PHI is being requested, or, if not practical, the name of the individual or individuals whose PHI is being requested.
  • The name of the person making the request.
  • A clear declaration that the new rule's requirements do not forbid the use or disclosure of PHI.
  • A declaration stating that the attestation is signed with the understanding that there may be criminal consequences for any individual who intentionally and in violation of HIPAA obtains or discloses personally identifiable health information about another person, or discloses PHI to another person.

Provisions of the HIPAA Privacy Rule and Attestations

Other portions of the HIPAA Privacy Rule still apply.

  • As an example, when a regulated entity decides to share requested information after an attestation is accepted as trustworthy, the PHI disclosure adheres to the Minimum Necessary Standard.
  • Prior to disclosure, it is necessary to confirm the legitimacy and identity of the individuals requesting PHI.
  • Attestations do not supersede the terms of the Privacy Rule's authorizations for PHI disclosure in response to a subpoena, court order, or other legally permitted process of a similar nature. They solely concern disclosures of PHI that may be related to reproductive health care.
  • Lastly, a disclosure made after an attestation that is later found to contain material misrepresentations must be reported as a breach to the individual and to the Secretary of HHS. Disclosures made in response to a request supported by a valid attestation must be included in an accounting of disclosures when or if one is requested by the patient or representative.

Notice of Updates to Privacy Practices

This rule modification addresses how to update the Part 2 disclosure obligations for the Notice of Privacy Practices (NPP). The NPP also has to be changed to inform patients that disclosures about reproductive health care are prohibited. At least one example of the kinds of PHI uses and disclosures that are forbidden by the new rules must be included in NPPs. NPPs shall furthermore provide a minimum of one instance in which a requester's attestation is necessary.

What Will Happen With the Modifications to the Privacy Rule to Protect the Privacy of Reproductive Health Care?


Is this Privacy Rule modification going to be a new “Lawyers and Consultants” retirement act? The OCR goes to great lengths to underline multiple times that regulated organizations should not be burdened excessively by the amendments’ provisions when determining when to withhold PHI. Furthermore, they are not allowed to obstruct legitimate law enforcement inquiries. When receiving a request for disclosure for law enforcement purposes in another state, for example, a regulated company is not required to investigate whether a certain type of RHC is legal in that other jurisdiction. Insofar as the reproductive health care was permissible in the state where the regulated company is situated, the prohibition is in force.

Nevertheless, a lot of concerns will likely need further clarification, or perhaps become the focus of legal action, before certain clauses are clear. When it comes to recognizing an attestation, a health care provider may view what appears to one institution to be a solid factual foundation as flimsy grounds for decision-making. Consequently, even with modifications to their NPP and HIPAA privacy policies, covered entities and business associates will still have to carefully assess when to grant requests from law enforcement for PHI that may be connected to reproductive health care.
