- For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
- For example, if use of the reproductive health care, such as contraception, is protected by the Constitution.
The Final Rule continues to permit covered health care providers, health plans, or health care clearinghouses (or business associates) to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for the use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. For example:
- A covered health care provider could continue to use or disclose PHI to defend themselves in an investigation or proceeding related to professional misconduct or negligence where the alleged professional misconduct or negligence involved the provision of reproductive health care.
- A covered health care provider, health plan, or health care clearinghouse (or business associates) could continue to use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care.
- A covered health care provider, health plan, or clearinghouse (or their business associates) could continue to use or disclose PHI to an Inspector General where the PHI is sought to conduct an audit for health oversight purposes.
Presumption
The Final Rule includes a presumption that the reproductive health care provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associates) receiving the request was lawful. In such cases, the reproductive health care is presumed to be lawful under the circumstances in which it was provided unless one of the following conditions are met:
- The covered health care provider, health plan, or clearinghouse (or business associates) has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
- For example, an individual discloses to their doctor that they obtained reproductive health care from an unlicensed person and the doctor knows that the specific reproductive health care must be provided by a licensed health care provider.
- For example, a law enforcement official provides a health plan with evidence that the information being requested is reproductive health care that was provided by an unlicensed person where the law requires that such health care be provided by a licensed health care provider.
Attestation
To implement the prohibition, the Final Rule requires a covered health care provider, health plan, or health care clearinghouse (or business associates), when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies when the request is for PHI for any of the following:
- Health oversight activities. 1
- Judicial and administrative proceedings. 2
- Law enforcement purposes. 3
- Disclosures to coroners and medical examiners. 4
The requirement to obtain a signed attestation gives a covered health care provider, health plan, or health care clearinghouse (or business associates) a way of obtaining written representations from persons requesting PHI that their requests are not for a prohibited purpose. Additionally, it puts persons making requests for the use or disclosure of PHI on notice of the potential criminal penalties for those who knowingly and in violation of HIPAA obtain individually identifiable health information (IIHI) relating to an individual or disclose IIHI to another person. We intend to publish model attestation language before the compliance date of this Final Rule.
Notice of Privacy Practices (NPP)
The Final Rule requires covered health care providers, health plans, and health care clearinghouses to revise their NPPs to support reproductive health care privacy. The Final Rule also requires revisions to NPPs to address proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records (“Part 2 NPRM”), 5 as required by or consistent with the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020.
Disclosures to Law Enforcement
The Privacy Rule permits uses or disclosures of PHI without an individual’s authorization only where such uses or disclosures are expressly permitted or required by the Privacy Rule. As explained in OCR guidance, the Privacy Rule permits, but does not require, certain disclosures to law enforcement and others, subject to specific conditions. Thus, covered health care providers, health plans, and health care clearinghouses (and business associates), including their workforce members, are only permitted to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care (lawful or otherwise) if the covered entity or business associate is required by law to do so and all applicable conditions are met. Accordingly, under the Final Rule, such disclosure is only permitted where all three of the following conditions are met:
- The disclosure is not subject to the prohibition.
- The disclosure is required by law.
- The disclosure meets all applicable conditions of the Privacy Rule permission to use or disclose PHI as required by law.
How to file a complaint
If you believe that a HIPAA covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the HHS Office for Civil Rights at: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
Endnotes
4 45 CFR 164.512(g)(1).
5 87 FR 74216, 74237 (Dec. 2, 2022). The Part 2 Final Rule was published on February 16, 2024, and stated that the NPP modifications proposed in the Part 2 NPRM would be finalized in a separate Final Rule. The Department combined modifications to the NPP from both rulemakings into a single final rule because 45 CFR 164.104 limits the Secretary to making modifications to a standard or implementation specification no more than once every 12 months.
