Compliance with HIPAA’s Final Privacy Rule for Reproductive Health Care, Deadline Approaching: December 23, 2024

The U.S. Department of Health and Human Services (HHS) has issued the Final Privacy Rule to support reproductive health care and the protection of related health information under the Health Insurance Portability and Accountability Act (HIPAA). This amendment was designed to strengthen privacy and security for individuals seeking reproductive health care. Compliance with the Final Privacy Rule is required by December 23, 2024, except for the Notice of Privacy Practices, which must be compliant by February 16, 2026. Failure to comply with this rule could result in legal and regulatory repercussions for covered entities and business associates.

Key Provisions and Definitions

The Final Rule introduced new safeguards for reproductive health information, emphasizing the importance of maintaining confidentiality in a complex legal landscape. It clarifies that reproductive health care extends to all individuals and encompasses services like contraception, fertility treatments, pregnancy management, and other health care related to the reproductive system. This definition includes both men’s reproductive health and gender-affirming care.

Prohibition on Use or Disclosure of Reproductive Health Information

The new rule strengthens privacy protection by preventing covered entities and their business associates from using or sharing protected health information (PHI) for two specific purposes:

  • To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • To identify any person for the purpose of conducting such an investigation or imposing such liability.

This safeguard ensures that patients can access services without fear of their information being used to target them for legal or punitive reasons.

Attestation Requirements

When a request for PHI related to reproductive health care is made for one of the following purposes, a Covered Entity or Business Associate is required to obtain a written attestation assuring the entity that the use or disclosure will not be for the investigation of the lawfulness of reproductive health care:

  • Disclosures for health oversight activities.
  • Disclosures for judicial and administrative proceedings.
  • Disclosures for law enforcement purposes.
  • Disclosures about decedents to coroners and medical examiners.

Presumption Provision

The rule includes a “presumption provision,” which ensures that reproductive health care is presumed lawful unless there is concrete evidence to the contrary. This provision encourages entities to operate on the assumption that the care was lawful, unless informed otherwise by credible sources. For example, if a health plan receives a request for PHI related to reproductive health care, it must evaluate the circumstances and assume legality unless it has direct knowledge or evidence of unlawful conduct.

Compliance Deadline

It is essential that all covered entities and business associates fully understand and implement these requirements by December 23, 2024, to avoid compliance issues. These regulations are vital for protecting patient privacy and maintaining trust in the healthcare system, particularly in the context of reproductive health services. Organizations that fail to comply risk facing penalties, legal action, and significant damage to their reputations.

TMC has provided our clients with a comprehensive write-up for procedures regarding the Reproductive Health Care ruling. You can access both the write-up and attestation in the client portal.

Not a client and interested in the write-up? Contact us here: https://totalmedicalcompliance.com/contact-us.