On April 22, 2024, the federal Department of Health and Human Services' Office of Civil Rights (OCR) released a final rule that strengthens privacy protections regarding reproductive health care. Specifically, the final rule amends the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) to, among other things, place new restrictions on the use or disclosure of protected health information (PHI) related to reproductive health care. Citing the Supreme Court decision in Dobbs v. Jackson Women's Health Organization and its far-reaching implications for reproductive health care, OCR argues that this rule change is necessary, especially to ensure that individuals are not afraid to seek reproductive health care.
Under HIPAA, the Privacy Rule is one of several rules, collectively known as the HIPAA Rules, that protect the privacy and security of individuals' protected health information (PHI). OCR administers and enforces privacy regulations. This rule requires most health care providers, health plans, health information exchanges, and business associates (collectively, “regulated entities”) to protect the privacy of PHI, and it sets restrictions and conditions on uses and disclosures of such information.
PHI generally refers to personally identifiable health information transmitted or maintained in electronic or other forms or media. A fundamental requirement of the Privacy Rule is that PHI may not be used or disclosed except as permitted by HIPAA, although stricter state laws may further restrict this. Disclosure of PHI is required only in limited circumstances, such as when required by the Secretary of Health and Human Services to investigate a covered entity's compliance with privacy regulations or when required for an individual based on the individual's right of access. In other limited cases, uses and disclosures of PHI may occur without the individual's authorization (permitted, but not required), such as for treatment, payment, or health care operations.
Even with these protections, OCR observed several concerns related to the use and disclosure of certain PHI related to reproductive health care. These include the potential harm caused by disclosing such information for purposes other than health care, such as conducting investigations of, or imposing liability on, individuals or others receiving or providing reproductive health care. According to OCR, these conditions can discourage individuals from seeking legitimate medical treatment and from providing complete information to health care providers when receiving treatment. They may also discourage health care providers from providing such care.
OCR received approximately 30,000 public comments on the proposed rule. After considering these comments, OCR issued a final rule that does the following:
- Prohibits the use or disclosure of PHI to investigate or hold accountable individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which the care is provided, or to identify persons performing such activities.
- Requires regulated health care providers, health plans, clearinghouses, or their business associates, when they receive certain requests for PHI that may relate to reproductive health care, to obtain a signed certificate stating that the request is not for these prohibited purposes.
- Requires regulated health care providers, health plans, and clearinghouses to change their notices of privacy practices to support reproductive health care privacy.
The final rule becomes effective 60 days after publication in the Federal Register, and regulated entities must comply within 180 days thereafter. However, OCR has extended the compliance deadline for required updates to the Notice of Privacy Practices (NPP). The agency noted that the 2024 Substance Use Disorder Patient Records Confidentiality Final Rule, a rule that seeks to better harmonize HIPAA with regulations for certain federally funded substance abuse treatment programs under 42 U.S.C., requires additional changes to NPPs. The compliance date for those changes is February 16, 2026, and OCR adopted the same deadline for the NPP changes required by this final rule.
The final rule has several other implications. For example, some commenters questioned how this rule would affect current business associate agreements. OCR noted that the final rule may require regulated entities to amend existing business associate agreements that allow them to engage in activities no longer permitted under the revised Privacy Rule. Another concern raised by commenters is whether minors and legal adults receive the same protections under the Privacy Rule and whether this rule changes existing protections. OCR assured commenters that the final rule does not change how the Privacy Rule applies to adults and minors, and that the protections provided to PHI by this final rule apply equally to adults and minors. For example, this final rule prohibits regulated entities from using or disclosing a minor's PHI for any purpose prohibited by the final rule.
The final rule includes compliance clarifications and changes to the HIPAA Rules, as follows:
- Clarifies the definition of “person.”
- Adopts new definitions of “public health” surveillance, investigation, and intervention, and of “reproductive health care.”
- Adds new categories of prohibited uses and disclosures.
- Clarifies that a regulated entity may not refuse to recognize a person as a personal representative for purposes of the Privacy Rule because that person provides or facilitates reproductive health care for an individual.
- Imposes new requirements that, in certain circumstances, regulated entities must first obtain certification that the requested use or disclosure is not for a prohibited purpose; and
- Requires a change to a covered entity's NPP to notify individuals that their PHI may not be used or disclosed for purposes prohibited by this final rule.
In addition to reviewing and updating written policies and procedures, regulated entities must also ensure that established employee practices are adjusted to comply with the new requirements. Training therefore helps ensure compliance with the new requirements.