New HIPAA Rules Strengthen Reproductive Health Privacy

On April 26, 2024, the Department of Health and Human Services (HHS) released new HIPAA Privacy Rule regulations that add enhanced privacy protections for reproductive health information. The changes require covered entities, including self-insured health plans, to obtain a specific attestation before sharing Protected Health Information (“PHI”) related to reproductive health in certain cases. These regulations aim to restrict the use and disclosure of PHI for non-healthcare purposes, such as investigations or legal actions. Compliance deadlines are fast approaching, making it essential for organizations to review and update their HIPAA procedures accordingly.

Nov 19, 2024

On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) and the Office for Civil Rights (“OCR”) issued Final Regulations under the HIPAA Privacy Rule, bringing new protections for data related to reproductive health services. Under these new rules, covered entities, including self-insured health plans and associated business partners, must now obtain a specific attestation from individuals requesting information potentially connected to reproductive health care under certain conditions. In late July, HHS released a Model Attestation form, which self-insured health plans are strongly advised to adopt.

Overview of the New Regulations

These Final Regulations generally limit the permitted uses and disclosures of Protected Health Information (“PHI”) that could “potentially relate to reproductive health care” for non-healthcare purposes, as long as the healthcare services were lawful under federal or state laws. Although the term “potentially related to” is not precisely defined, it is intended to be interpreted broadly. Reproductive health care is broadly defined to encompass any care “affecting the health of an individual related to the reproductive system and its functions.” The preamble to the Final Regulations includes examples, such as contraception, preconception care, pregnancy management, fertility services, and treatments for reproductive health conditions.

The regulations restrict the use or disclosure of PHI for these specific non-healthcare purposes:

  1. Conducting investigations (criminal, civil, or administrative) into individuals solely for seeking, providing, or facilitating legal reproductive healthcare;
  2. Imposing liability (criminal, civil, or administrative) for those same actions when such care was legal where it was provided; and
  3. Identifying individuals for any activities connected to these prohibited purposes.

Importantly, the regulations assume that reproductive health care is lawful unless the covered entity has actual evidence to the contrary or has received substantial evidence indicating the care was illegal.

New Requirements for Attestation

The Final Regulations state that when a covered entity or business associate receives a request for PHI potentially tied to reproductive health, for activities such as health oversight, legal proceedings, law enforcement, or coroner duties, an attestation that meets specific requirements must be obtained from the requester. This attestation, which must be clear and in plain English, may be submitted electronically but cannot be combined with other documents or include irrelevant information.

As specified under Regulation § 164.509(c)(1), a valid attestation must contain:

  • A precise description of the requested information, identifying individuals by name if possible, or by a group if not feasible;
  • The identification of the requester and, where applicable, the entity to whom the PHI will be disclosed;
  • A clear confirmation that the request does not fall under the prohibited purposes noted above;
  • A statement warning that unauthorized acquisition or disclosure of individually identifiable health information may lead to criminal penalties;
  • The requester’s signature (electronic or otherwise) and date, plus a description of their authority if signing on behalf of another.

The HHS-provided Model Attestation includes all necessary elements to comply with the regulation, making it a recommended resource for self-insured plan sponsors. Plan sponsors should prepare by educating employees who handle PHI on these new protocols, establishing processes for collecting compliant attestations, and reviewing agreements and policy materials for potential updates.

Additional Changes and Compliance Deadlines

The Final Regulations introduce further HIPAA updates affecting administrative processes, training, and required updates to the Notice of Privacy Practices. These regulations went into effect on June 25, 2024. Compliance with most changes is required by December 23, 2024, while Notice of Privacy Practices updates must be implemented by February 16, 2026.

If you have questions about the requirements of the written attestation or the final regulations, please contact a member of Wisterm’s employee benefits team.
