New HIPAA Rules Strengthen Reproductive Health Privacy

On April 26, 2024, HHS updated HIPAA rules to strengthen reproductive health privacy. Covered entities must secure attestations before sharing PHI in specific cases. Compliance deadlines are nearing.

Nov 19, 2024 4.3 minute read
Aerial view of icy and cracked terrain meeting a body of turquoise water, showing natural patterns and textures.

On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) and the Office for Civil Rights (“OCR”) issued Final Regulations under the HIPAA Privacy Rule, bringing new protections for data related to reproductive health services. Under these new rules, covered entities, including self-insured health plans and associated business partners, must now obtain a specific attestation from individuals requesting information potentially connected to reproductive health care under certain conditions. In late July, HHS released a Model Attestation form, which self-insured health plans are strongly advised to adopt.

Overview of the New Regulations

These Final Regulations generally limit the permitted uses and disclosures of Protected Health Information (“PHI”) that could “potentially relate to reproductive health care” for non-healthcare purposes, as long as the healthcare services were lawful under federal or state laws. Although the term “potentially related to” is not precisely defined, it is intended to be interpreted broadly. Reproductive health care is broadly defined to encompass any care “affecting the health of an individual related to the reproductive system and its functions.” The preamble to the Final Regulations includes examples, such as contraception, preconception care, pregnancy management, fertility services, and treatments for reproductive health conditions.

The regulations restrict the use or disclosure of PHI for these specific non-healthcare purposes:

  1. Conducting investigations (criminal, civil, or administrative) into individuals solely for seeking, providing, or facilitating legal reproductive healthcare;
  2. Imposing liability (criminal, civil, or administrative) for those same actions when such care was legal where it was provided; and
  3. Identifying individuals for any activities connected to these prohibited purposes.

Importantly, the regulations assume that reproductive health care is lawful unless the covered entity has actual evidence to the contrary or has received substantial evidence indicating the care was illegal.

New Requirements for Attestation

The Final Regulations state that when a covered entity or business associate receives a request for PHI potentially tied to reproductive health, for activities such as health oversight, legal proceedings, law enforcement, or coroner duties, an attestation that meets specific requirements must be obtained from the requester. This attestation, which must be clear and in plain English, may be submitted electronically but cannot be combined with other documents or include irrelevant information.

As specified under Regulation § 164.509(c)(1), a valid attestation must contain:

  • A precise description of the requested information, identifying individuals by name if possible, or by a group if not feasible;
  • The identification of the requester and, where applicable, the entity to whom the PHI will be disclosed;
  • A clear confirmation that the request does not fall under the prohibited purposes noted above;
  • A statement warning that unauthorized acquisition or disclosure of individually identifiable health information may lead to criminal penalties;
  • The requester’s signature (electronic or otherwise) and date, plus a description of their authority if signing on behalf of another.

The HHS-provided Model Attestation includes all necessary elements to comply with the regulation, making it a recommended resource for self-insured plan sponsors. Plan sponsors should prepare by educating employees who handle PHI on these new protocols, establishing processes for collecting compliant attestations, and reviewing agreements and policy materials for potential updates.

Additional Changes and Compliance Deadlines

The Final Regulations introduce further HIPAA updates affecting administrative processes, training, and required updates to the Notice of Privacy Practices. These regulations went into effect on June 25, 2024. Compliance with most changes is required by December 23, 2024, while Notice of Privacy Practice updates must be implemented by February 16, 2026.

If you have questions about the requirements of the written attestation or the final regulations, please contact a member of Wisterm’s employee benefits team.

Other articles of interest

Employee Benefits
Abstract aerial photography of Arctic landscape

2025 PCORI Fee Announced

The IRS has announced the PCORI fee that insurers and self-insured health plan sponsors will pay for plan years ending from October 2024 through September 2025.

Life Insurance
Woman selecting life insurance options

Should I Switch Life Insurance Providers?

Switching life insurance providers may seem appealing, but it comes with potential challenges like new medical exams, fees, and reset contestability periods.

Employee Benefits
San Francisco, CA, United States - Buildings Under Cloudy Sky during Sunset

California Expands Disability and Paid Family Leave Benefits

SB 1090 increases SDI and PFL wage replacement to 70-90% and streamlines claim processing.