On April 22nd, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a final rule amending the Health Insurance Portability and Accountability Act (HIPAA). The Final Rule, titled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy”, officially took effect on June 25, 2024, with a compliance date of December 23rd, 2024.

Let’s break down what this final rule entails and how to ensure compliance.

What does this New Rule cover? 

This final rule was created in response to the Supreme Court’s 2022 decision to overturn the constitutional right to abortion in the U.S., leaving the issue to individual states. As some states began criminalizing certain types of reproductive healthcare, the HHS stepped in to strengthen protections for people seeking or providing lawful reproductive healthcare. The rule also limits the sharing of sensitive information when it’s requested for “non-healthcare purposes.”

What is Reproductive Health Information? 

The Final Rule gives some examples of what’s considered Reproductive Health Information (RHI), but it also clearly states that this list isn’t exhaustive. Here are a few examples:

    • Contraception, including emergency contraception
    • Preconception screening and counseling
    • Managing pregnancy and related conditions, like prenatal care, miscarriage management, and pregnancy termination
    • Fertility and infertility treatments, including assisted reproductive technology like IVF
    • Diagnosing and treating conditions affecting the reproductive system, such as endometriosis or menopause
    • Other related care, like mammograms, postpartum care products, or pregnancy-related nutrition services

You can read the full Final Rule in the Federal Register: HIPAA Privacy Rule To Support Reproductive Health Care Privacy  

What does the Final Rule apply to? 

This rule prevents Covered Entities (like healthcare providers and insurers) and their Business Associates from using or sharing Protected Health Information (PHI) to identify, investigate, or penalize anyone seeking, obtaining, providing, or facilitating reproductive healthcare.

What’s considered a “non-healthcare purpose” under HIPAA? 

The Final Rule identifies the types of requests for PHI that are considered to be for a “non-healthcare purpose”:

    • Health oversight activities
    • Judicial and administrative proceedings
    • Law enforcement purposes
    • Disclosures to coroners and medical examiners

To comply, Covered Entities and Business Associates must get a written, signed attestation from the requestor stating that the RHI won’t be used for these prohibited purposes. Requestors who use RHI for these prohibited reasons can face criminal penalties.

What makes an attestation valid? 

Here are the key elements of a valid attestation:

    • Description of Information: Clearly specify the requested information by either:
      • Naming the individual(s) whose PHI is being sought, or
      • Describing the group of people if names aren’t practical
    • Parties Involved: Identify:
      • Who is being asked to share the information
      • Who will receive the information
    • Purpose Confirmation: Include a clear statement confirming the PHI won’t be used for prohibited purposes under HIPAA.
    • Criminal Penalty Warning: State that violating HIPAA by wrongfully obtaining or sharing PHI can lead to criminal charges.
    • Signature and Authority: The requestor must sign (electronic signatures are acceptable) and date the attestation. If someone else signs on their behalf, they need to explain their authority to do so.
    • Plain Language: The attestation should be easy to understand.
    • Standalone Document: The attestation cannot be combined with any other document.

Is there a Sample Attestation Form? 

Yes! The OCR released a model attestation form in June. You can find it here. 

Where can I find additional resources? 

Need more details? The HHS has a dedicated section on its website about HIPAA and Reproductive Health. Check it out here. 

Key Takeaways 
  • This rule is an amendment to HIPAA, and many disclosures listed under the four categories above are permitted, not required.
  • Attestations must be standalone documents and not combined with anything else.
  • If the Covered Entity didn’t provide the reproductive care in question, the care is presumed lawful.
  • RHI is broadly defined, but it still needs to meet HIPAA’s definition of PHI to fall under these protections.

By understanding and following these guidelines, you’ll be ready to comply with the new rule and help safeguard sensitive reproductive health information. 

What if I need more help? 

Haugen Consulting Group has experts in healthcare privacy who can assist you with assessing your current use and disclosure policies and procedures to identify gaps, efficiencies, etc. Contact us here to learn how Haugen can help! 

Jennifer McCann, RHIA, CHPS, ODS

Director of Client Relations and Strategy

Jennifer brings over twenty years of experience in the healthcare industry to her role as the Director of Client Relations and Strategy with Haugen Consulting Group. She began her HIM career working in acute care settings in Rhode Island and Massachusetts before relocating to Denver in 2002. Prior to joining the Haugen Consulting Group, Jennifer spent several years in operational roles, successfully building and managing teams through complex projects and implementations. She is well versed in HIPAA privacy and security and workflow analysis.
