New HIPAA Privacy Rule Requires Action by Certain Group Health Plans
Overview
On April 22, 2024, the Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) issued a new final privacy rule (“2024 Privacy Rule”) pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). The 2024 Privacy Rule requires significant changes to the HIPAA policies and procedures and related documentation of covered entities (including group health plans) and their business associates.
Background
The 2024 Privacy Rule stems from the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and related legal developments which, in OCR’s view, necessitate enhanced protection of information relating to an individual’s reproductive health care. More specifically, the 2024 Privacy Rule is intended to “ensure that individuals are not afraid to seek health care from, or share important information with, their health care providers because of a concern that their sensitive information will be disclosed outside of their relationship with their healthcare providers.”
The New Requirements
The 2024 Privacy Rule includes multiple mechanisms aimed at strengthening the protection of reproductive health care protected health information (“PHI”).
New Restrictions on Use and Disclosure of PHI
The 2024 Privacy Rule expressly limits the circumstances in which an individual’s PHI relating to their reproductive health care may be used or disclosed for non-health care purposes. “Reproductive health care” is defined broadly – examples include an individual’s receipt of contraception, management of pregnancy and pregnancy-related conditions, miscarriage management, pregnancy termination, fertility or infertility diagnosis and treatment, assisted reproductive technology, and other diagnoses, treatment, and care that affect the reproductive system, where the care or services are lawfully obtained. Following the December 23, 2024, compliance date for these new protections, group health plans and their business associates may not disclose PHI when requested for any of the following prohibited purposes:
- To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
- To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; and
- To identify any person for the purpose of conducting such an investigation or imposing such a liability.
In its preamble to the 2024 Privacy Rule, OCR stresses the limited scope of these new requirements: the above restrictions apply only where PHI is requested for the purpose of investigating, or imposing liability on, a person for the act of seeking, obtaining, providing, or facilitating lawful reproductive health care. It is also important to keep in mind that state laws mandating the use or disclosure of PHI pursuant to a court order or other legal process for a purpose prohibited by the 2024 Privacy Rule are generally preempted by the HIPAA statute itself; such laws apply only in limited circumstances (for example, where a group health plan or its business associate has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided). Where preemption does not apply, disclosure of PHI to law enforcement is permitted by the 2024 Privacy Rule (but not required), so long as the disclosure is otherwise in accordance with HIPAA.
New Attestation Requirement
The 2024 Privacy Rule also requires group health plans and their business associates to obtain a signed and dated attestation from a person requesting PHI potentially related to reproductive health care in certain contexts, including for health care oversight activities, judicial and administrative proceedings, and for law enforcement purposes. The attestation must state that the requested use or disclosure of PHI is not for a prohibited purpose and include a notification of criminal penalties for persons who knowingly violate HIPAA. The attestation requirement, which is intended to facilitate compliance, will introduce new HIPAA administrative complexities. OCR intends to publish a model attestation form prior to the December 23, 2024, compliance date.
New Notice of Privacy Practices (“NPPs”) Disclosures
The 2024 Privacy Rule also requires covered entities and their business associates to revise their NPPs to strengthen the privacy protections for reproductive health care PHI and other sensitive health information. For example, NPPs will need to inform individuals about how their reproductive health care PHI may be used or disclosed, and will need to address proposals made previously in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records pursuant to the CARES Act of 2020.
Effective Dates and Next Steps
The 2024 Privacy Rule takes effect on June 25, 2024, and covered entities must comply with most requirements by December 23, 2024. The deadline for updating the NPP is February 16, 2026. Group health plans that have access to PHI (all self-funded plans and certain fully insured plans) should begin planning immediately to ensure timely compliance with the 2024 Privacy Rule. Compliance will necessitate updates to HIPAA policies and procedures, NPPs and certain business associate agreements, as well as the development of an attestation form and corresponding administrative process. HIPAA’s workforce training requirement will also need to address these new provisions.
Refer to the text of the 2024 Privacy Rule and the corresponding HHS Fact Sheet for additional details. Please let us know if you have questions about the 2024 Privacy Rule or need legal assistance with compliance planning and implementation.
This summary is provided as an informational tool. It is not intended to be and should not be considered legal advice, and receipt of this information does not establish an attorney-client relationship.