HIPAA and the Holidays: Reproductive Health Compliance Deadlines During the Holiday Season

Alert
Hodgson Russ Healthcare and Cybersecurity & Privacy Alert

The 2022 Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”) overturned precedent that protected a constitutional right to abortion and changed the legal and health care landscape. In April 2023, the Department of Health and Human Services, Office for Civil Rights ("OCR") published proposed modifications to the HIPAA Privacy Rule to address those changes to the legal landscape. According to the OCR, “the changing legal landscape increases the likelihood that an individual’s Protected Health Information (“PHI”) may be disclosed in ways that cause harm to the interest that HIPAA seeks to protect, including the trust of the individuals in health care providers and the health care system.”

This Final Rule, published in April 2024, adds reproductive health protections, and hence limits the circumstances in which a Covered Entity (“CE”) or Business Associate (“BA”) can use or disclose an individual’s PHI about reproductive health care for certain non-health care purposes, where such use or disclosure could be detrimental to an individual’s privacy or erode that individual’s trust in health care providers who collected or received such PHI. The Final Rulemaking also enhances protections for health care practitioners who perform lawful reproductive health care for their patients.

The Final Rule can be accessed in the Federal Register here. As described below, the following three changes imposed by the Final Rule may have significant impact on the operations of CEs and their BAs: (1) a prohibition on certain uses and disclosures; (2) an attestation requirement; and (3) required revisions to privacy practices. A summary of the changes is available here.

The compliance date for the Final Rule except for the NPP requirements is December 23, 2024. The compliance date for the NPP requirements is February 16, 2026. In advance of these deadlines, entities covered by the Final Rule should conduct the following compliance initiatives:

  1. Consider where reproductive health care data is maintained, including the possibility that it exists in general health care records.
  2. Create appropriate records request procedures that incorporate an analysis of the prohibitions imposed by the Final Rule.
  3. Develop an attestation form and evaluate whether to apply it on a global basis in order to ensure that no reproductive health care information is missed.
  4. Review and revise the NPP to include all modifications and content required by the Final Rule.
  5. Train and document training of all workforce members on the Final Rule requirements.
  6. Consider changes to the specific HIPAA policies and procedures.

For questions, please contact Roopa Chakkappan at 716.848.1258, or Michelle Merola at 519.736.2917.

Disclaimer:

This client alert is a form of attorney advertising. Hodgson Russ LLP provides this information as a service to its clients and other readers for educational purposes only. Nothing in this client alert should be construed as, or relied upon, as legal advice or as creating a lawyer-client relationship.

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.