Enhanced HIPAA privacy protections for protected health information (PHI) regarding individuals’ reproductive health care are scheduled to take effect on June 25, 2024.
The new rule issued by the Office of Civil Rights of the Department of Health and Human Services (HHS) modifies certain privacy and security protections provided by the Health Insurance Portability and Accountability Act of 1996 and related regulations as they apply to the use and disclosure of PHI related to “reproductive health care” (“HIPAA RHC Rule”). Although the HIPAA RHC Rule goes into effect on June 25, employer-sponsored group health plans, health care providers, health care clearinghouses and other covered entities, as well as their business associates (together, “Regulated Entities”), have until December 22, 2024, to comply with the HIPAA RHC Rule, except that they have until February 16, 2026, to make the required updates to their HIPAA Privacy Notice.
This customer alert addresses the impact of HIPAA’s RHC Rule on employer-sponsored group health plans (and their business associates).
What does reproductive health care involve?
Although the HIPAA RHC Rule was originally intended as a means of responding to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and state abortion bans that followed, HIPAA’s protections go far beyond abortion rights. HHS acknowledged that Dobbs would have far-reaching implications for reproductive health care beyond access to abortion, and has stated that it wanted to ensure that individuals do not forgo needed reproductive health care for fear that information about that health care will be disclosed or used in any investigation or legal proceeding against the individual. HHS has also indicated that it recognizes that information related to reproductive health care is particularly sensitive, requiring enhanced privacy protections to encourage the sharing of such sensitive information so that medical records are complete and individuals get proper health care.
As a result, “reproductive health care” is broadly defined in the HIPAA RHC Rule as health care that “affects the health of an individual in all matters related to the reproductive system and its functions and processes.” The rule provides a non-exclusive list of examples that fit within the definition of “reproductive health care” including:
- contraception (including emergency contraception)
- preconception screening and counseling
- management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, gestational hypertension, gestational diabetes, molar or ectopic pregnancy, and termination of pregnancy
- diagnosis and treatment of fertility and infertility, including assisted reproductive technology and its components (e.g., in vitro fertilization (IVF))
- diagnosis and treatment of conditions affecting the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis)
- other types of care, services, and supplies used to diagnose and treat conditions related to the reproductive system (e.g., mammograms, pregnancy-related nutrition services, postpartum care products)
Based on the examples and comments provided by HHS when it published the HIPAA RHC Rule, it is clear that the definition was intended to be broad.
What protections are offered?
Rather than create an entirely new subset of PHI that cannot be easily shared, such as psychotherapy notes, HHS decided instead to implement a purpose-based prohibition against uses and disclosures of PHI related to reproductive health care. Thus, uses and disclosures of an individual’s PHI related to reproductive health care are restricted in certain non-health care settings.
Specifically, the HIPAA RHC Rule prohibits a group health plan from using or disclosing PHI related to an individual’s reproductive health care when such use or disclosure is required for any of the following purposes:
- to conduct a criminal, civil or administrative investigation of any person for the mere act of seeking, receiving, providing or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;
- to impose criminal, civil or administrative liability on any person for the mere act of seeking, receiving, providing or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or
- to identify any person for the purpose of conducting such investigation or imposing such liability.
The HIPAA RHC Rule includes a non-exclusive list of what constitutes “seeking, receiving, providing, or facilitating” reproductive health care, such as expressing interest, using, performing, furnishing, paying for, disseminating information about, regulating, providing, administering, authorizing, providing coverage, approving, advising, assisting, or taking action to engage in reproductive health care; or trying to do any of these things.
Illegal reproductive health care is not protected
It is important to understand that the protections of HIPAA’s RHC Rule do not apply if the HIPAA Privacy Officer for the group health plan reasonably determines that the reproductive health care was not lawful under the circumstances (based on the law of the state in which health care is provided). If the HIPAA Privacy Officer determines that the reproductive health care was unlawful under the circumstances, the group health plan is permitted to disclose the health care information in these non-health settings in accordance with the normal privacy and security requirements of HIPAA.
Presumptions available for group health plans
Group health plans may assume that the health care provided was legal unless the group health plan has actual knowledge to the contrary or the claimant provides factual information showing a substantial factual basis that the health care was not legal. In addition, regardless of applicable state law, the group health plan may refuse to disclose PHI related to reproductive health care in any situation where reproductive health care would be protected, required or authorized by federal law.
Additional authentication requirements for some requests
In the event a group health plan receives a request for PHI related to reproductive health care for health care oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosures to physicians and medical examiners, the group health plan is required to obtain a signed and dated certification from the person or entity requesting the use or disclosure. Generally, the certification must identify the types of PHI that are requested and state that the requested use or disclosure is not for a prohibited purpose. Additionally, the certification must contain a notice that persons who knowingly obtain or disclose PHI in violation of HIPAA’s privacy or security rules are subject to criminal penalties.
Specifically, the HIPAA RHC Rule provides that material misrepresentations are subject to potential criminal liability. Additionally, a group health plan’s failure to obtain a required certification can lead to civil penalties. HHS has indicated it will provide a model certification before the compliance date in December.
Changes to the HIPAA Notice of Privacy Practices
By February 16, 2026, a group health plan must update its Notice of Privacy Practices to include information about how PHI related to reproductive health care may be used or disclosed. The Notice is required to include examples of instances in which such uses or disclosures may be made.
Action items:
To ensure compliance with the HIPAA RHC Rule, group health plans should consider the following action points:
- Update the plan’s HIPAA policies and procedures detailing permitted uses and disclosures to include disclosure requirements that apply to PHI related to reproductive health care
- Update any business associate agreements to ensure that business associates agree to comply with the HIPAA RHC Rule
- Update the plan’s HIPAA Notice of Privacy Practices to include prohibitions on uses and disclosures of PHI related to reproductive health care and provide examples
- Redistribute the updated HIPAA Notice of Privacy Practices
- Design an attestation form for use by persons requesting PHI that may be related to reproductive health care (although HHS will provide a model form, any attestation that complies with the HIPAA RHC Rule will suffice)
- Train workforce members with access to PHI on the new prohibitions, use of appropriate attestation forms, and changes to the plan’s HIPAA policies and procedures, and document the training
Employer-sponsored group health plans should take time now to understand how the requirements of the HIPAA RHC Rule will affect their operations and begin implementing the required changes. Group health plans will need to be aware of state-by-state differences that apply to reproductive health care and should consult with legal counsel when issues arise.