2 minute read
The U.S. Department of Health and Human Services (HHS) issued a final rule which strengthens HIPAA Privacy Rule by prohibiting PHI disclosure related to lawful reproductive health care in certain situations to protect access and privacy. The rule limits the use, disclosure, and protection of protected health information (PHI) by health care entities. It also permits the use of PHI for non-health care purposes, such as legal investigations.
New Protections
The final rule prohibits regulated entities from using or disclosing PHI for investigations related to reproductive health care, where lawful. It also prohibits identifying individuals for such investigations. This prohibition applies where a regulated entity reasonably determines that:
- The reproductive health care is lawful under the law of the state in which such health care is provided (and under the circumstances in which it is provided); or
- The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
If a regulated entity did not provide reproductive health care, the final rule prohibits disclosing PHI without sufficient information to prove legality. This can be overcome by providing evidence that the care was unlawful under the circumstances. When a regulated entity receives a request for PHI related to reproductive health care, they must obtain a signed attestation confirming the use is not prohibited.
Notice of Privacy Policy
Regulated entities may want to review their privacy practices for reproductive health care support and adjust agreements and HIPAA policies for the final rule changes. Download the bulletin for more details.
Important Dates
- April 22, 2024: HHS released an unpublished version of the final rule.
- April 26, 2024: Final rule is scheduled to be published in the Federal Register.
- December 22, 2024: Regulated entities must comply with the final rule by this date, except as noted above.
- February 16, 2026: Regulated entities must update their HIPAA notice of privacy practices by this date.
National Insurance Services is not a law firm and no opinion, suggestion, or recommendation of the firm or its employees shall constitute legal advice. Readers are advised to consult with their own attorney for a determination of their legal rights, responsibilities and liabilities, including the interpretation of any statute or regulation, or its application to the readers’ business activities.