HIPAA and Reproductive Health: Certain Updates Take Effect December 23, 2024
12/19/24
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule regulations have been updated to impose additional requirements on covered entities to safeguard the privacy of reproductive health related protected health information (“PHI”).
The disclosure of PHI related to lawful reproductive health care is now prohibited in certain circumstances. “Covered entities” (health care providers, etc.) and their “business associates” are prohibited from using or disclosing PHI when it is being requested to investigate or impose liability on the patient, health care providers, or others who seek, obtain, provide or facilitate lawful reproductive health care, or to identify persons for such activities under the specific circumstances described below.
This prohibition applies where covered entities, or business associates, have reasonably determined that:
- The reproductive health care is lawful under the law of the state in which it was provided under the circumstances in which it was provided. For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care is provided; or
- The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided. For example, if the use of the reproductive health care, such as contraception, is protected by the Constitution; or
- The reproductive health care was not provided by the covered entity, but the covered entity presumes it was lawful. However, if the covered entity receives a request for PHI, and the covered entity has actual knowledge or the requester provides a “substantial factual basis” for the covered entity to believe that the reproductive health care was not lawful under the circumstances under which it was provided to the patient, this presumption does not apply. For example, if the patient or the requester tells the covered entity the patient received reproductive health care from an unlicensed person and the covered entity knows that the specific reproductive health care must be provided by a licensed health care provider.
Notably, if a provider receives a request for reproductive health information for (i) health oversight activities, (ii) judicial and administrative proceedings, (iii) law enforcement purposes, or (iv) to coroners and medical examiners (related to decedents), the provider must receive a signed attestation from the requester. The attestation must include certification that the request is not for prohibited purposes and an acknowledgement that a person may be subject to criminal penalties for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA. Covered entities and business associates should not provide any information that may contain reproductive health information to such a requester who does not provide a fully compliant attestation.
Covered entities should update their policies and work practices to address the new reproductive health protections and attestation requirements.
Bodman PLC can provide guidance on this matter and others and provide practical advice to meet your needs. To discuss these or any other legal issues affecting your organization, please contact your Bodman attorney or one of the authors, Brandon Dalziel or Grace Connolly. Bodman cannot respond to your questions or receive information from you without first clearing potential conflicts with other clients. Thank you for your patience and understanding.