What does the HIPAA final rule regarding reproductive health information mean for your organization?

Marti Arvin

Marti Arvin

Marti Arvin (marti.arvin@erlanger.org, linkedin.com/in/marti-arvin-7a6a587/) is the Senior Vice President, Chief Compliance and Privacy Officer at Erlanger Health System in Chattanooga, TN.
2 minute read

By Marti Arvin, JD, CHC-F, CCEP-F, CHPC, CHRC

On April 26, 2024, the U.S. Department of Health and Human Service Office for Civil Rights issued a final privacy rule to support reproductive health privacy.[1] The rule does not allow the sharing of reproductive health information if it is for a prohibited purpose defined as:

  1. To investigate into or impose liability on any person for merely seeking, obtaining, providing, or facilitating lawful reproductive healthcare.[2]

  2. To identify an individual or provider to initiate an investigation against the individual or provider in connection with seeking, obtaining, providing, or facilitating lawful reproductive healthcare.[3]

An attestation must be received from the requestor if the covered entity or business associate reasonably believes specific conditions apply regarding reproductive healthcare, which are:

  1. The reproductive healthcare is lawful under the circumstances and in the state in which the healthcare is provided; and/or

  2. The reproductive healthcare is protected, required, or authorized by federal law regardless of the state in which it is provided; and/or[4]

  3. A presumption that the reproductive healthcare identified in a request is lawful under the circumstances in which it was provided when the care is provided by a person other than the entity receiving the request for the protected health information (PHI). The presumption can be overcome if:

    1. The entity has actual knowledge that the care was not lawful.

    2. “Factual information” provided by the requestor demonstrating a “substantial factual basis” the care was not lawful.[5]

The required attestation needed before PHI related to reproductive healthcare can be shared must include:

  1. A specific description of the information sought, including the name of the individual whose PHI is requested, or if not practicable, a description of the class of individuals whose PHI is sought.

  2. The name or specific identity of the person or entity

    1. being requested to share the PHI and

    2. with whom the PHI will be shared.

  3. A clear statement that the request is not for a prohibited purpose.

  4. A statement the requestor may be subject to criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA.

  5. A signature of the requestor.[6]

The compliance date for the attestation provision of the rule is December 23, 2024.[7] Other provisions of the rule require changes to the notice of privacy practices; however, they will not be effective until February 16, 2026. Entities covered by the rule will need to craft an attestation and process for addressing requests for reproductive health information now to meet the compliance date.

 
1 HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 89 Fed. Reg. 32,976 (April 26, 2024), https://www.federalregister.gov/documents/2024/04/26/2024-08503/hipaa-privacy-rule-to-support-reproductive-health-care-privacy.
245 C.F.R. § 164.502(a)(5)(iii)(A)(1).
345 C.F.R. § 164.502(a)(5)(iii)(A)(2).
445 C.F.R. §§ 164.502(a)(5)(iii)(B)(1)-(2).
545 C.F.R. § 164.502(a)(5)(iii)(C).
645 C.F.R. § 164.509(c)(1)(i-vi).
7 HIPAA Privacy Rule To Support Reproductive Health Care Privacy.
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

What to read next...

Effective compliance = Financial prosperity

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings