HHS Releases HIPAA Privacy Final Rule Covering Reproductive Health Care Information

HHS published final regulations focused on privacy protections for individuals accessing and providing reproductive health care and their protected health information.

May 08, 2024

Key Actions

  • By December 23, 2024 - Work with consultants, advisors and business associates to ensure appropriate processes are adopted and business associate agreements are updated to follow the new rules and adhere to the direction of the health plan as the covered entity in responding to requests for PHI.
  • Ensure an attestation form is developed and used for covered requests for PHI that may relate to reproductive health care and ensure the plan and all business associates use an appropriate attestation form and process. (Note: a model attestation form is expected to be released prior to December 23, 2024)
  • Revise the plan’s Notices of Privacy Practices (NPP) to clearly detail the permitted and prohibited uses and disclosures of PHI prior to February 16, 2026.

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) published final regulations on April 26, 2024, focused on privacy protections for individuals accessing and providing reproductive health care and their protected health information (PHI). The new rule requires action by regulated entities, including health plans and/or their business associates, to comply.

The rule prohibits the use or disclosure of PHI by a regulated entity, including a health plan and/or their business associate if they get certain requests for PHI that would be used for either of the following activities, which are generally referred to as “prohibited purposes”:

  • To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

In order to help plans and business associates determine whether use and disclosure in response to a request is permitted or prohibited, HHS creates several new administrative elements, including an affidavit requirement, with which covered entities and business associates must comply. These final rules are more streamlined than were originally proposed by the Department in 2023 but have a variety of administrative presumptions and requirements that may arise under different scenarios.

In response to the Department’s 2023 proposed rules, the Business Group filed comments and suggestions aimed at helping ensure administrability and reliability for employer plans. Many of our suggestions are reflected in these final rules and the preamble discussion, but plan sponsors should be advised to swiftly engage with legal counsel to identify potential questions and risks, and develop solutions appropriate for their plans and programs.

Background on HIPAA and PHI in Context of Reproductive Health Care

While HIPAA currently prohibits using or disclosing PHI on a general basis, it makes limited exceptions. HIPAA permits certain uses and disclosures of PHI, without the individual’s authorization, for identified activities that benefit the community, such as public health activities, judicial and administrative proceedings, law enforcement purposes, and research.

In light of the Supreme Court’s decision in Dobbs vs. Jackson Women’s Health Organization and the state-level prohibitions on certain reproductive health care services that followed, HHS believes the prospect of using PHI for law enforcement and other purposes “is likely to chill an individual’s willingness to seek lawful health care treatment or to provide full information to their health care providers when obtaining that treatment, and on the willingness of health care providers to provide such care…” The final regulation is intended to help alleviate concerns of individuals seeking, providing, or facilitating such services.

Additionally, this regulation is expected to help health plans and other regulated entities understand how best to manage, document, reply, deny, or otherwise take action in response to requests for reproductive health care PHI in certain circumstances.

Summary of PHI Use & Disclosure Changes Under the New Rule – Attestation

Under the HIPAA final rule, in order to provide PHI potentially related to reproductive health care to certain requestors, regulated entities, including health plans and/or business associates, will be required to obtain assurances through an attestation from the person or entity requesting PHI that “the use or disclosure would not be for a prohibited purpose.”

The rule broadly defines “reproductive health care” as “health care . . . that affects the health of an individual in all matters relating to the reproductive system and its functions and processes.”

An attestation will be required when a request for such information is received on the basis of being permitted for: disclosures for health oversight activities, disclosures for judicial and administrative legal proceedings, disclosures for law enforcement activities, and disclosures to coroners and medical examiners.

HHS/OCR outline specific criteria that an attestation must meet, including the names of involved parties, a clear statement that the request for PHI is not for a “prohibited purpose,” i.e., not:

  • To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • Or for the identification of any person for the purpose of conducting such investigation or imposing such liability.

Additionally, the attestation must provide acknowledgment of potential criminal penalties for unauthorized use and disclosure, and must be signed by the requestor or an authorized representative with additional details. HHS/OCR indicates that it intends to provide a model attestation prior to the compliance date of December 23, 2024.

Note on Additional Information about Unlawful Activity

Because providing the requested information is only prohibited to guard against investigations, liability, or identification when the health care was “lawful under the circumstances,” there may be instances when plans receive requests for information that assert the provision of the health care was in fact unlawful and therefore the information should be permitted to be provided. There are different rules that apply to this situation depending on whether the request for information is received by a regulated entity that directly provided the health care at issue, or not.

Because a health plan generally does not directly provide health care services, i.e., it is not a medical provider, we would expect employer plan covered entities and their business associates to be mainly following the rules applicable to regulated entities that do not directly provide the health care that is the subject of the request. In this situation, the plan and business associates would generally start with the presumption that the reproductive health care provided was done lawfully. But the requestor may provide additional information to try to show the plan and/or business associate that the care was actually unlawful.

Any plan or business associate response or action in this situation should be carefully undertaken and may warrant engaging counsel given the complexity of the rules and their application to a particular set of circumstances. We are noting this element here to help plans and their business associates prepare to receive, review, and appropriately act on both the attestation and, potentially, additional information from requestors that allege unlawful activities that may be reflected or revealed in the PHI requested.

Plan Sponsors Need to Create and/or Update Certain Documents and Procedures

The modifications in this final rule may also require plan sponsors to revise existing business associate agreements, as the rule mandates covered entities and their business associates to obtain valid attestations when the requested PHI might relate to reproductive health care. Plans will want to work with their service providers, especially business associates, to ensure that everyone understands the new rules and the direction of the plan with respect to covered requests. In some cases, plans may wish to review whether all or some requests that would have otherwise been entirely handled by the business associate should be referred to the plan/covered entity to manage and provide a response and/or direction.

Finalized Updates to the Notice of Privacy Practices

HHS/OCR is also finalizing certain changes to Notices of Privacy Practices (NPP). This final rule provides revisions related to reproductive health care privacy, and also ties up other revisions pending from other proposed rulemaking. The Notices must clearly detail the uses and disclosures of PHI, specifying both permitted and prohibited activities under HIPAA and other applicable laws. The revised Notices will also need to include examples of prohibited purposes and necessary attestations when certain types of PHI are involved. Additionally, plans must inform plan participants that, once their PHI is disclosed per the rule's allowances, it may be subject to redisclosure and is no longer protected under the rule.

Group plans are required to comply with most aspects of the new rule – including the creation of attestations – by December 23, 2024. For the modified NPPs, the compliance date extends to February 16, 2026.

If you have questions, comments, or concerns about these or other regulatory and compliance issues, please contact us.

We provide this material for informational purposes only; it is not a substitute for legal advice.
