HIPAA Rule Compliance Guidance- December 2024

Request for Use and Disclosure of Protected Health Information (PHI) Attestation Form (PDF)

Since the Supreme Court overturned the right to certain reproductive procedures in 2022, the Federal government has been at odds with some states in allowing access to reproductive healthcare.  The Department of Health and Human Services has mandated a new rule within HIPAA privacy regulations that must be implemented in every healthcare provider’s office by December 23, 2024.  Knowledge and implementation of the rule is essential.

Congress passed the new rule in April 2024, with implementation effective on June 5, 2024.  HHS and the Office of Civil Rights (OCR) delayed enforcement of the rule until December 23, 2024.  The Rule addresses situations in which states that prohibit abortion try to investigate or prosecute their citizens who obtain abortions in other states where abortion is legal. The Rule generally prohibits providers from disclosing protected health information about reproductive healthcare (“RPHI”) for investigative purposes if the reproductive care was legal in the state where it was rendered.  As health care providers, we are affected by this rule if a third party requests records on an individual where law enforcement may be investigating a patient who underwent the procedure or a provider who performed the procedure.  In those cases, the Federal government restricts the release of records and may construe it to be a breach of PHI if the information is released.

Legal Challenge by Texas

The state of Texas has filed a lawsuit to block the HIPAA Reproductive Health Rule, arguing that it interferes with state sovereignty and the enforcement of its abortion laws. However, as of now, no court has issued a ruling to block or suspend the rule. Unless and until a court does so, providers must comply with the HHS mandate now.

Key Provisions of the HIPAA Reproductive Health Rule

1.  Restriction on Disclosures of RPHI

The rule prohibits healthcare providers from disclosing RPHI for investigative purposes if reproductive healthcare is legal in the state where it was provided. This protection applies regardless of the laws in the patient’s home state.  For example, suppose a resident of a state where abortion is banned travels to a state where abortion is legal to obtain the procedure. In that case, their healthcare provider in either state cannot disclose information about that care to law enforcement, investigators, or other officials from the home state seeking to enforce its abortion laws.

2.  What Counts as RPHI?

RPHI refers to any protected health information (PHI) related to reproductive healthcare services, including but not limited to abortion, contraception, and fertility treatments. This information includes medical records, billing information, and any other data that could identify a patient or the services they received.

3.  New When the Rule Applies in Your Office

Under the Rule, if a healthcare provider, other covered entity, or business associate receives a subpoena, demand, or other request for RPHI, they must reasonably determine if

(1) The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided [or]

(2) The reproductive health care is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided, then the covered entity or business associate may not use or disclose the RPHI for any of the following activities:

(1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.

(2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.

(3) To identify any person for any [of the foregoing] purpose[s]…

(45 C.F.R. § 164.502(a)(5)(iii)(A)-(B)).

Applying the Rule. Under the Rule, if a healthcare provider, other covered entity, or business associate maintains RPHI about a patient (whether or not the provider rendered the reproductive healthcare), the provider must respond to a request or demand seeking such RPHI as follows:

1. Determine if the reproductive care was legal where rendered. The Rule does not protect RPHI concerning care that was illegal where rendered. On the other hand, if the care was legal, the Rule generally prohibits disclosure for purposes of criminal, civil, or administrative investigations or prosecutions. Importantly, reproductive healthcare

is presumed lawful … unless the covered entity or business associate has any of the following:

(1) Actual knowledge that reproductive health care was not lawful under the circumstances in which it was provided.

(2) Factual information supplied by the person requesting the use or disclosure of protected health information that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

(45 C.F.R. § 164.502(a)(5)(iii)(C)). To help assess the legality of the care, the provider or business associate must obtain an attestation described in the next section.

2. Determine the purpose of the request by obtaining the required attestation. If the request seeks RPHI concerning legal reproductive care, the provider must determine whether the request is for purposes of investigating or imposing “criminal, civil or administrative liability on [the] person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.” (45 C.F.R. § 164.502(a)(5)(iii)(A)). To do so, the provider must obtain a written attestation from the requester affirming the purpose of the request. The required attestation must satisfy the requirements in 45 C.F.R. § 164.509; a provider may not rely on a defective attestation. Among other things, the attestation may not be combined with any other document and must contain specified elements as outlined in § 164.509. Persons who submit a false attestation or otherwise obtain RPHI in violation of the Rule may be subject to criminal penalties under 42 U.S.C. § 1320d-6. (42 C.F.R. § 164.509(c)(1)(v)).

Based on recommendations by the OCR, a sample attestation form has been provided to be implemented in your office. 

What Providers Need to Do to Comply

To ensure compliance with the HIPAA Reproductive Health Rule, healthcare providers should take the following steps before the December 23, 2024 deadline:

      1.   Update Privacy Policies

Providers should review their existing privacy policies and update them to include the new protections for RPHI. The policies and procedures should be documented in your mandatory HIPAA compliance manual.  The policies should clearly outline the restrictions on disclosing reproductive health information, the process for handling disclosure requests, and the rights of patients.

      2.   Train Staff

All staff, especially those in patient intake, records management, and billing, should be trained on the new RPHI disclosure restrictions. Staff should understand how to recognize and handle requests for RPHI and how to escalate requests to privacy officers or legal counsel when needed.

      3.   Establish New Internal Procedures

Providers should create procedures for handling requests for RPHI from law enforcement, subpoenas, or other legal entities. This may involve developing a centralized process for reviewing and responding to these requests, ensuring they are not inadvertently honored in violation of the rule.  These policies and procedures should include updating your business associate agreements when applicable.

      4.   Audit and Monitor Compliance

Regular audits and reviews of compliance with the HIPAA Reproductive Health Rule can help identify potential gaps in privacy protections. Providers should ensure that all disclosure requests are documented and that staff are following the updated protocols.

      5.   Consult Legal Counsel

Given the potential for legal challenges and the complexity of balancing federal and state laws, providers may wish to work with legal counsel to ensure compliance with both the HIPAA Reproductive Health Rule and any relevant state laws.

Conclusion

The new HIPAA Reproductive Health Rule significantly strengthens privacy protections for individuals seeking reproductive healthcare, especially those who cross state lines for care. Despite a legal challenge from Texas, the rule is still in effect, and healthcare providers must comply by December 23, 2024. Failure to comply could result in penalties for violating HIPAA’s privacy provisions.

Providers should act now to update privacy policies, train staff, and implement procedures to protect reproductive health information. By doing so, they can ensure compliance with federal law and safeguard the privacy rights of their patients.