By: Andrew Silverio, Esq.

On April 26, 2024, HHS Office for Civil Rights (OCR) released a HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule). This modifies the HIPAA Privacy Rule to enhance the privacy safeguards around protected health information (PHI) related to reproductive health care and serves to protect access to this care in the wake of the Supreme Court’s Dobbs v. Jackson Women’s Health Organization (Dobbs) decision. This decision, overturning the constitutional right to abortion, led to renewed efforts by many states to more heavily restrict and criminalize certain types of reproductive health care, particularly abortion services.

Specifically, the Final Rule does the following:

• Prohibits the use or disclosure of PHI in particular circumstances where reproductive health care is legally sought, obtained, provided, or facilitated.
• Requires a health plan (or its business associates) to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for prohibited purposes.
• Requires health plans to modify their NPP to support reproductive health care privacy.

The main goal here is to protect access to reproductive healthcare by shielding this information from requesters who would be using it to conduct criminal, civil, or administrative investigations into a person for the act of receiving or providing reproductive health care or to impose penalties for doing so.  Covered entities must now secure an attestation that a requester of such information is not seeking it for one of these impermissible purposes.

Covered entities will also have to revise their notices of privacy practices (NPP) to explain this new prohibition and attestation requirement and provide an example of each.

The Final Rule itself is effective June 25, 2024, which means plans must comply with the majority of its requirements within 180 days of that date. The exception is the updated notice of privacy practices (NPP) requirements, which must be complied with by February 16, 2026.

The departments are releasing a model attestation but have not noted whether they will release an updated model Notice of Privacy Practices. However, we would expect they will do so prior to the effective date of the new NPP requirements. Otherwise, the materials provided by HHS and CMS online will be non-compliant, a situation we would not expect the Departments to allow to persist for long.

In general, we do expect that self-funded plan sponsors will rely on their TPAs for compliance with all of these requirements, as they currently do with preparing NPPs and compliant Business Associate Agreements.