HIPAA Privacy Rules add Reproductive Health Protections Post Dobbs
The Final Rule makes significant changes to the following sections: (1) the Definitions Section (§160.103), (2) the Uses and Disclosures of PHI: General Rules Section (§164.502), (3) the Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object Is Not Required Section (§164.512), and (4) the Notice of Privacy Practices (“NPP”) for PHI Section (§164.520). It also adds a new section regarding Uses and Disclosures for Which an Attestation Is Required (§164.509). The changes are summarized in more detail below:
- Definitions (§160.103)
  - The definition of Public Health Activities was clarified to exclude those activities with any of the following purposes:
    - To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating healthcare;
    - To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating healthcare;
    - To identify any person for any of the activities described at paragraphs (1) or (2) of this definition.
  - A definition of reproductive healthcare was added, meaning health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care.”
- Uses and Disclosures of PHI: General Rules (§164.502)
  - The section on uses and disclosures of PHI related to reproductive healthcare includes a prohibition, rule of applicability, presumption, and scope, which set forth the requirements below:
    - Prohibition. Provided that the PHI conforms with the rule of applicability and the presumption noted below, a CE or BA may not use or disclose PHI for any of the following activities:
      - To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
      - To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare;
      - To identify any person for any of the activities described in paragraphs (1) or (2) above under this Prohibition subsection.
    - Rule of applicability. The Prohibition applies only where the relevant activities are in connection with any person seeking, obtaining, providing, or facilitating reproductive healthcare, and the CE or BA that received the request for PHI has reasonably determined that one or more of the following conditions exists:
      - The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided;
      - The reproductive health care is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such healthcare is provided, regardless of the state in which it is provided.
      - The presumption noted below applies.
    - Presumption. The reproductive health care provided by another person is presumed lawful under the rule of applicability of this Section (§164.502) unless the CE or BA has any of the following:
      - Actual knowledge that the reproductive healthcare was not lawful under the circumstances in which it was provided;
      - Factual information supplied by the person requesting the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive healthcare was not lawful under the specific circumstances in which it was provided.
    - Scope. Seeking, obtaining, providing, or facilitating reproductive healthcare includes, but is not limited to, expressing interest in, using, performing, furnishing, paying for, disseminating information about, or other descriptions enumerated in the Final Rule.
- Uses and Disclosures for Which an Attestation is Required (§164.509)
  - To assist in ensuring the use and disclosure of reproductive healthcare is not for a prohibited purpose, the OCR is also requiring regulated entities to obtain an attestation from requestors seeking PHI for certain purposes (i.e., health oversight activities, disclosures for judicial and administrative proceedings, law enforcement purposes, and uses and disclosures about decedents). The attestation must contain the following elements:
    - The name of the individuals whose PHI is sought, unless including the name is not practicable, in which case a description of the class of individuals whose PHI is sought;
    - The name of the person, or class of persons, who are requested to make the use or disclosure;
    - The name or other specific identification of the person(s), or class of persons, to whom the CE is to make the requested use or disclosure;
    - A clear statement that the use or disclosure is not for a purpose prohibited under the General Uses and Disclosures section (§164.502);
    - A statement that a person may be subject to criminal penalties if that person knowingly and in violation of HIPAA obtains individually identifiable health information (IIHI) or discloses IIHI to another person; and
    - A signature of the person requesting the PHI and date.
  - OCR has published a sample Attestation form which can be accessed here.
- Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object Is Not Required (§164.512)
  - Generally, a CE may disclose PHI about an individual to a governmental entity when that CE reasonably believes that the individual is a victim of abuse, neglect, or domestic violence. The Final Rule added a new rule of construction to clarify that the permission to use or disclose PHI to a governmental entity without an Authorization should not be interpreted to permit disclosures that would otherwise be prohibited under the General Uses and Disclosures provisions related to Reproductive Health Care (§164.502) when the sole basis of the report of abuse, neglect, or domestic violence is the provision or facilitation of reproductive health care.
- Notice of Privacy Practices for Protected Health Information (§164.520)
  - A CE’s NPP must be amended with the following information:
    - A description, including at least one example, of the types of uses and disclosures of reproductive health care that are prohibited under §164.502;
      - For example, a hospital would be prohibited from disclosing PHI related to reproductive health care to a law enforcement officer to aid in the investigation of a patient who may have sought an abortion.
    - A description, including at least one example, of the types of uses and disclosures for which an attestation is required under §164.509;
      - For example, a clinic’s disclosure of PHI related to reproductive health care in direct response to a court order would be permissible provided that such disclosure would be limited to the PHI expressly authorized under that order and the CE obtains a valid attestation pursuant to §164.509.
    - A statement adequate to put the individual on notice of the potential for information disclosed pursuant to this subpart to be subject to redisclosure by the recipient and no longer protected by this subpart.
  - The Final Rule also includes changes to an NPP regarding the uses or disclosures of Substance Use Disorder Records in accordance with the Part 2 Rules (42 CFR part 2).