This article explores the OCR’s 2024 HIPAA Privacy Rule update, which strengthens privacy for reproductive health care info and prohibits using PHI in legal actions related to lawful care, with compliance required by December 22, 2024.
On April 26, 2024, the Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced a significant update to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. This new Final Rule, which took effect on June 25, 2024, aims to strengthen the privacy of reproductive health care information in response to the heightened concerns following the Supreme Court's 2022 decision in Dobbs v. Jackson Women’s Health Organization.
The Dobbs decision, which resulted in 21 states imposing abortion bans and other restrictions on reproductive freedom, sparked fears about the potential misuse of reproductive health information. In response, the OCR's Final Rule introduces critical amendments to the HIPAA Privacy Rule, prohibiting covered entities and their business associates from using or disclosing protected health information (PHI) for criminal, civil, or administrative investigations related to lawful reproductive health care. Compliance with the Final Rule is required by December 22, 2024.
Key Provisions of the Final Rule
- Purpose-Based Prohibition: The new regulations specifically prohibit using or disclosing PHI for the purpose of conducting investigations or imposing liability on individuals seeking, obtaining, providing, or facilitating lawful reproductive health care.
- Attestation Requirement: To ensure compliance, covered entities must obtain a valid attestation from anyone requesting reproductive health information, affirming that the use or disclosure is not for a prohibited purpose. This attestation must be clear, in plain language, and separate from other documents.
- Updating the Notice of Privacy Practices (NPP): HIPAA-covered entities are required to revise their NPPs to incorporate detailed descriptions of the new protections, including examples of prohibited uses and disclosures, and information about the attestation requirement.
- Compliance and Enforcement: The Final Rule mandates compliance by December 22, 2024, with specific provisions for updating NPPs requiring compliance by February 16, 2026. Entities failing to adhere to these new requirements may face severe civil and criminal penalties.
- Preparing for Implementation: Healthcare providers, health plans, and business associates can begin preparing for these changes by updating their policies, training staff, and ensuring all requests for reproductive health information are carefully reviewed for compliance. The OCR has committed to providing additional resources to assist entities in this transition.
Conclusion
The OCR’s Final Rule represents a significant step in safeguarding the privacy of reproductive health information. By preventing the misuse of PHI in investigations and legal proceedings related to lawful reproductive health care, these new regulations aim to foster trust between patients and healthcare providers and ensure continued access to essential health services.
If you have questions about the OCR’s Final Rule or would like assistance with your compliance efforts, please contact clientsuccess@outsidegc.com.
Holly Little is a seasoned healthcare and life sciences attorney, handling a wide range of contracts, reimbursement issues, healthcare management, and compliance issues. She has significant experience and a strong working knowledge of the laws, regulations and industry standards governing clinical trials (FDA regulations, ICH guidelines, GCP guidelines), as well as data protection and privacy laws, including HIPAA and regulation of business associates.