On April 26, 2024, the Department of Health and Human Services (HHS) released a final rule modifying the Health Insurance Portability and Accountability Act (HIPAA) privacy requirements that apply to information regarding “reproductive health care.” The changes made by the final rule create additional requirements for the disclosure of protected health information (PHI) related to an individual’s reproductive health care. Self-insured health plans, as covered entities under HIPAA, will need to take steps to ensure that they are compliant with the requirements of the final rule.
What is Reproductive Health Care?
The new requirements imposed by the final rule apply to “reproductive health care,” a term that has previously been undefined. The final rule defines reproductive health care as health care that “affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”
HHS intends for this definition to apply broadly and provides a non-exhaustive list of examples of reproductive health care, including:
- Contraception, including emergency contraception;
- Preconception screening and counseling;
- Management of pregnancy and pregnancy-related conditions;
- Prenatal care;
- Miscarriage management;
- Several health conditions related to pregnancy (e.g. preeclampsia, gestational diabetes);
- Assisted reproductive technology (e.g. in vitro fertilization (IVF));
- Diagnosis and treatment of conditions that affect the reproductive system; and
- Other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system.
Prohibition on Use and Disclosure of Protected Health Information Related to Reproductive Health Care
The final rule imposes new requirements on the use or disclosure of PHI related to a person’s reproductive health care. Specifically, the final rule prohibits a HIPAA covered entity or business associate from:
- Using or disclosing PHI to conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
- Using or disclosing PHI to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
- Using or disclosing PHI to identify any person for any purpose described above.
The final rule’s prohibition is only applicable where the relevant activity is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care, and the covered entity or business associate that received the request for the PHI has reasonably determined that one or more of the below exists:
- The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
- The reproductive health care is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided.
These new requirements will require covered entities and business associates to update their HIPAA policies and procedures as well as HIPAA training materials. Compliance with these new requirements is required by December 23, 2024.
Required Attestation
The final rule requires an attestation for uses or disclosures of PHI potentially related to reproductive health care for the purposes of health oversight activities, judicial and administrative proceedings, law enforcement purposes, and providing information to a coroner or medical examiner. The attestation is meant to ensure that these requests for PHI are not being used to access PHI for a prohibited purpose.
A valid attestation must contain:
- A description of the information requested, including one of the following:
  - The name of any individual(s) whose PHI is sought, if practicable;
  - If not practicable, a description of the class of individuals whose PHI is sought.
- The name or identification of the person(s) who are requested to make the use or disclosure.
- The name or identification of the person(s) to whom the covered entity is to make the requested use or disclosure.
- A statement that the use or disclosure is not for a prohibited purpose described above.
- A statement that a person may be subject to criminal penalties if they knowingly violate HIPAA.
- Signature of the person requesting the protected health information, which may be an electronic signature, and date.
An attestation that deviates from the above requirements is considered a defective attestation, and using or disclosing PHI pursuant to a defective attestation is a HIPAA violation. An attestation that is combined with any other document is also considered defective, though additional documentation can be submitted to support the attestation.
Compliance with the attestation requirement is required by December 23, 2024. HHS plans to provide a model attestation prior to the compliance date.
Updated Notice of Privacy Practices
The final rule also requires updates to be made to the HIPAA Notice of Privacy Practices (NPP). The NPP must be updated to include a description, with at least one example, of the uses and disclosures prohibited by the final rule in sufficient detail for an individual to understand what is prohibited. The NPP must also include a description, with at least one example, of the types of uses and disclosures which require an attestation as described above.
The updated NPP must be provided to participants by February 16, 2026.
Key Takeaways:
Employers who sponsor self-funded health plans should carefully review the requirements of the new rule and should be prepared to make any required changes to their HIPAA policies and procedures and HIPAA trainings. M3 is working on updating its HIPAA resources to comply with the changes imposed by the final rule.
The information provided is a summary of laws and regulations relating to employee benefit plan compliance. This information should not be construed as legal advice. In all cases, employers should consult with their own legal counsel.