New Privacy Rule for Reproductive Health Care by HHS OCR Unveiled
Health & WellnessUS News

New Privacy Rule for Reproductive Health Care by HHS OCR Unveiled

160

TL/DR –

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion. This new rule amends existing privacy standards, defining a new category of protected health information, which includes reproductive health care information. The rule prohibits the use or disclosure of this information for the purpose of investigating or imposing liability on individuals or organizations who provide or facilitate lawful reproductive health care, requires entities to obtain signed attestations that such information will not be used for these prohibited purposes, and updates their Notices of Privacy Practices to reflect these changes.

OCR’s Final Rule on HIPAA Privacy Supports Reproductive Health Care Privacy

Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization in 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” on April 26, 2024. This rule amends the Privacy standards of HIPAA and the HITECH Act to reinforce privacy protections for reproductive health care information. It aims to ensure patients are not deterred from seeking health care or sharing important information with providers.

Key Provisions of the Final Rule

The Final Rule stipulates:

  • Prohibition of PHI use or disclosure for investigations or liability imposition on individuals, health care providers, etc., who seek, provide, or facilitate lawful reproductive health care.
  • A signed attestation requirement from covered entities and business associates for certain PHI requests potentially related to reproductive health care.
  • A requirement for covered entities to modify their Notices of Privacy Practices (NPPs) to support reproductive health care privacy.

OCR Director Melanie Fontes Rainer, in a news release, expressed concern that patient records could be sought when patients travel to clinics for lawful care. The Final Rule addresses these concerns, particularly with the rise of new and revived state abortion laws.

Practical Implications for HIPAA Covered Entities & Business Associates

Covered entities and business associates should consider the implications of the new category of PHI on existing HIPAA policies. This includes developing new attestation forms, assessing the lawfulness of reproductive health care, and updating privacy practices notices. Training employees to handle these changes is also necessary.

The Final Rule will be effective from June 25, 2024, with a compliance date of December 23, 2024. However, the NPP requirements will take effect on February 16, 2026. This is in line with OCR’s 42 CFR Part 2 Rule of February 16, 2024, allowing entities regulated under both rules to implement changes to their NPPs simultaneously.

Entities should consider the framework of the HIPAA Privacy Rule and these modifications when dealing with third-party requests for any PHI that may include reproductive health information (the current HIPAA Privacy Rule remains in effect until the new rule takes effect). It’s crucial to protect the privacy interests of patients, especially post-Dobbs.

Entities face the challenge of implementing these new requirements and training their workforce. Questions about the burden of determining the lawfulness of reproductive health care provided to an individual remain. For more information on this topic, review our past blog on the 2023 proposed rule.


Read More Health & Wellness News ; US News

You might also like More from author