Attestations are at the heart of permissible disclosures under the HHS Office for Civil Rights’ (OCR) new reproductive health privacy rule—and OCR wants covered entities (CEs) and business associates (BA) to use them now. The rule took effect June 25, although compliance won’t be mandatory until three days before Christmas for most of the requirements, with the exception of changes to notices of privacy practices. The compliance date for those isn’t until Feb. 16.[1]
When the rule was published in April, HHS promised to share model attestation language before the compliance date. But on June 25, OCR surprised the compliance community by issuing its attestation form uncharacteristically early.[2] Moreover, the agency urged its adoption—and full compliance with the rule.
“Patients deserve to have these privacy protections in place as soon as possible,” OCR Director Melanie Fontes Rainer said in an email to the agency’s privacy and security listservs. “OCR encourages HIPAA covered entities and business associates to begin implementing the new Privacy Rule requirements today.”
The rule seeks to protect patients and providers legally complying with their state’s abortion laws, which may be more liberal than those of neighboring states, in the wake of the Supreme Court decision in Dobbs v. Jackson Women's Health Organization two years ago. Dobbs “overturned precedent that protected a constitutional right to abortion and altered the legal and health care landscape,” HHS said in the preamble to the rule.[3]
As the rule explains, HHS has imposed a “purpose-based prohibition against certain uses and disclosures” to further safeguard protected health information (PHI) about “reproductive health care and the interests of society in an effective health care system by enabling individuals and licensed health care professionals to make decisions about reproductive health care based on a complete medical record, while balancing those interests with other interests of society in obtaining PHI for certain non-health care purposes.”
Specifically, the rule “prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities,” HHS said in an April 22 news release.[4]
Regarding attestations, the rule “requires covered entities or business associates to obtain a signed attestation that certain requests (health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures about decedents to coroners and medical examiners) for PHI potentially related to reproductive health care are not for these prohibited purposes,” OCR said in the listserv email.