Compliance Deadlines Approaching for HIPAA Final Rule Supporting Reproductive Health Care Privacy
The U.S. Department of Health & Human Services’ Office for Civil Rights (HHS) issued a Final Rule, effective June 25, 2024, modifying the HIPAA Privacy Rule to enhance reproductive health care privacy. This change follows the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and aligns with President Biden’s Executive Orders on protecting access to reproductive health care. Most compliance obligations must be in place by Dec. 23, 2024, but the deadline to update the HIPAA Notice of Privacy Practices is Feb. 16, 2026, to coincide with a similar obligation in the Part 2 Regulations Final Rule. See our previous blog post covering the Part 2 details.
HHS has also provided a helpful Fact Sheet explaining the Final Rule.
Key Provisions
- Prohibition on use of PHI: the new rule prohibits regulated entities from using or disclosing PHI for investigations into lawful reproductive health care.
- Conditions for prohibition application: the prohibition applies if the reproductive health care is lawful in the state where it took place, is protected by federal law, or is presumed lawful unless proven otherwise.
Attestation Requirement
Covered entities must obtain a signed attestation that the PHI request is not for a prohibited purpose when the request relates to health oversight, judicial proceedings, law enforcement or disclosures to coroners.
Notice of Privacy Practices
The new rule mandates updates to Notices of Privacy Practices to enhance reproductive health care privacy.
Disclosures to Law Enforcement
PHI disclosures to law enforcement are permitted only if they are required by law, are not subject to the prohibition and meet all Privacy Rule conditions.
Since the Dec. 23, 2024, deadline for initial compliance is fast approaching, it is important that covered entities act promptly to ensure compliance obligations are in place.