On June 20, 2024, the Department of Health and Human Services (“HHS”) released additional educational resources related to its Final Rule modifying certain provisions of the HIPAA Privacy Rule to support reproductive health care privacy in response to the U.S. Supreme Court’s holding in Dobbs v. Jackson Women’s Health Organization, as well as to several subsequent state-level abortion bans. The new rulemaking strengthens protections concerning the use and disclosure of reproductive health care information. In doing so, the Final Rule seeks to protect access to and the privacy of, reproductive health care and bolster patient-provider confidentiality.
Employer Action Items
The Final Rule has significant implications for covered entities and business associates that handle reproductive health information, such as health plans, health care providers, health care clearinghouses, their contractors, and other vendors. These entities should take the following steps to ensure compliance with the new requirement before the deadline:
- Review the brief educational summary provided by HHS at this link;
- Review and update policies and procedures regarding the use and disclosure of protected reproductive health information and provide training where appropriate to their workforce members regarding such changes no later than December 23, 2024;
- Revise notices of privacy practices and other communications to inform individuals of their rights and responsibilities related to reproductive health information no later than February 16, 2026;
Obtain written authorizations from individuals before using or disclosing such information for purposes other than treatment, payment, health care operations, or as required by law. A model consent form and template plan amendment are available at this link.
Summary
On April 22, 2024, HHS’ Office for Civil Rights (“OCR”) issued a final rule to modify certain provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule. These modifications aim to support reproductive health care privacy in response to the U.S. Supreme Court’s holding in Dobbs v. Jackson Women’s Health Organization and to subsequent state-level abortion bans. The Final Rule is effective June 25, 2024.
Covered health care providers, health plans, health care clearinghouses, and their business associates (collectively, “Regulated Entities”) must comply with all provisions of the Final Rule by December 23, 2024, except for updating their Notice of Privacy Practices, which they have until February 16, 2026, to perfect.
In response to the Dobbs decision, OCR released guidance materials in June 2022 emphasizing HIPAA’s role in safeguarding women’s protected health information (“PHI”). The purpose-based motivations are to ensure that developments in federal and state law do not diminish individuals’ expectations of privacy regarding their health information, leading to distrust and refusal to access health care.
The Final Rule prohibits covered entities from using or disclosing PHI for the criminal, civil or administrative investigation of (or any other proceeding against) any person in connection with seeking, obtaining, providing or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided. It also prohibits the identification of any person for the purpose of initiating an investigation or proceeding. This prohibition applies where a regulated entity reasonably determines that:
- The reproductive health care is lawful under the law of the state in which such health care is provided (and under the circumstances in which it is provided); or
- The reproductive health care is protected, required or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
When a covered entity did not provide the reproductive health care at issue, the final rule prohibits the use or disclosure of PHI if the person making the request does not provide sufficient information to overcome a presumption of illegality. To implement the prohibition, when a regulated entity receives a request for PHI potentially related to reproductive health care, the regulated entity must obtain a signed attestation that the use or disclosure is not for a prohibited purpose.
For more information
We’re ready when you are. Get in touch and a friendly, knowledgeable Baldwin advisor is prepared to discuss your business or individual needs, ask a few questions to get the full picture, and make a plan to follow up.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.
