On April 26, 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a HIPAA Privacy Rule to support reproductive health care privacy.
The final rule modifies the Standards of Privacy for Individually Identifiable Health Information (“Privacy Rule”) under the HIPAA and HITECH Acts.
Specifically, the final rule does the following:
- Prohibits the use or disclosure of protected health information (PHI) in particular circumstances where reproductive health care is legally sought, obtained, provided, or facilitated.
- Requires a health plan (or its business associates) to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for prohibited purposes.
- Requires health plans to modify their Notice of Privacy Practices (NPP) to support reproductive health care privacy.
The main goal of this ruling is to protect access to reproductive health care by shielding sensitive reproductive health care information from requesters who would be using it to conduct criminal, civil, or administrative investigations into a person for the act of receiving or providing reproductive health care or to impose penalties for doing so.
The final rule went into effect on June 25, 2024. Plans must comply with the majority of the requirements within 180 days of that date.
Covered entities must now secure an attestation that any requester of such information is not seeking it for one of these impermissible purposes. Find a model attestation here.
The exception to the above timeline for compliance is the Notice of Privacy Practices (NPP) requirement, which must be complied with by February 16, 2026.
Covered entities will also have to revise their notices of privacy practices (NPP) to explain this new prohibition and attestation requirement and provide an example of each.
The Departments have not yet noted if they will release an updated model NPP, but we expect that they will release one prior to the required compliance date.
For questions on HIPAA compliance, please reach out to your Account Manager.