New HIPAA Final Rule Supporting Reproductive Health Care Privacy Also Requires Amending Notices of Privacy Practices

By: Margaret Young Levi

On April 22, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a Final Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This Final Rule not only bolsters the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA) by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances, but also requires HIPAA covered entities (health care providers, health plans, and health care clearinghouses) to amend their Notices of Privacy Practices (NPPs).

HIPAA and Reproductive Health Care Privacy

HHS is issuing this Final Rule because of concerns that officials in states with more extreme abortion bans, like Kentucky, will seek medical records from states where abortion is legal (or even from their own states) in order to prosecute individuals who cross state lines to seek an abortion. To prevent those medical records from being used against people for providing or obtaining lawful reproductive health care, the Final Rule prohibits the use or disclosure of PHI by a covered entity—or their business associate—for the following activities:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;
  • To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

The covered entity or business associate must reasonably determine the reproductive health care is lawful under the law of the state in which such health care is provided or otherwise protected by federal law. In certain circumstances, covered entities and business associates may presume that the care provided was lawful.

Covered entities and business associates must demand and receive a valid attestation in order to process a request for PHI potentially related to reproductive health care that will be used for health oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners. This valid attestation must be written in plain language and contain, among other things, the name of the person requesting the information, an attestation that the use or disclosure is not for a prohibited purpose, and a statement putting the requestor on notice that they may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains or discloses individually identifiable health information. Fortunately, OCR intends to publish model attestation language before the compliance date, which will aid covered entities in adopting that new form.

In a Fact Sheet accompanying the Final Rule, HHS reminds covered entities (and business associates) that HIPAA permits, but does not require, certain disclosures to law enforcement and then only when all conditions are met. Referring to previous OCR guidance, HHS explains that covered entities (and business associates) are “only permitted to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care (lawful or otherwise) if the covered entity or business associate is required by law to do so and all applicable conditions are met.” Under this Final Rule, HHS cautions that a disclosure to law enforcement is only permitted where all three of the following conditions are met:

  • The disclosure is not subject to the prohibition,
  • The disclosure is required (not simply permitted) by law, and
  • The disclosure meets all applicable conditions of the HIPAA exception for permission to use or disclose PHI as required by law set forth in 45 CFR 164.512(a).

In light of these changes in the Final Rule, covered entities and business associates will need to adopt an Attestation form, revise policies and procedures relating to the disclosure of PHI to address these new restrictions on disclosures of PHI containing information about reproductive health care, and consider appropriate revisions to their Business Associate Agreements. Affected members of the workforce will also need to be trained in these new procedures.

The Notice of Privacy Practices (NPP) will need to be amended

Covered entities will also need to revise their NPPs pursuant to the Final Rule’s modification of 45 CFR 164.520. This modification will require covered entities to amend their NPPs not only as to reproductive health care privacy but also to address the confidentiality of substance use disorder (SUD) patient records, as required by the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020.

Reproductive Health Care Records. Per the Final Rule, covered entities must provide individuals with additional information about how their PHI may or may not be disclosed for purposes related to reproductive health care. Specifically, covered entities must modify their NPPs to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under the Final Rule, including at least one example of the types of uses and disclosures prohibited under new 45 CFR 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition. The NPP must also contain a description, including at least one example of the types of uses and disclosures for which an attestation is required under new 45 CFR 164.509.

The NPP must include a statement to place the individual on adequate notice of the potential for information disclosed pursuant to HIPAA to be subject to redisclosure by the recipient and no longer protected by HIPAA. This change will afford transparency and assist covered entities in explaining the limitations of HIPAA to individuals.

Part 2 Substance Use Disorder Records. The Final Rule also includes changes to align NPP requirements for HIPAA covered entities with similar requirements for programs that provide SUD treatment under 42 U.S.C. 290dd-2 (Part 2). Currently, Part 2 programs must provide a written confidentiality notice to patients (the Patient Notice), while covered entities must provide individuals with their NPP. HHS has now revised both sets of confidentiality requirements so that a combined Patient Notice and NPP is permitted. On February 16, 2024, HHS released a final rule entitled Confidentiality of Substance Use Disorder (SUD) Patient Records (“2024 Part 2 Rule”) finalizing confidentiality requirements for SUD patient records under Part 2 consistent with the CARES Act, aligning the requirements for the Patient Notice as closely as possible with the NPP requirements. Now this Final Rule similarly amends the NPP requirements, allowing covered entities to combine the Patient Notice and NPP. They may continue to provide separate documents if desired.

The Final Rule requires covered entities that create or maintain PHI that is also a record of SUD treatment provided by a Part 2 program, i.e., covered entities that are Part 2 programs and covered entities that receive Part 2 records from a Part 2 program, to provide notice to individuals of the ways in which those covered entities may use and disclose such records, and of the individual’s rights and the covered entities’ responsibilities with respect to such records. A covered entity that receives or maintains records subject to Part 2 must supply an NPP written in plain language and containing the elements required.

Consistent with the CARES Act, where an NPP’s descriptions of uses or disclosures permitted for treatment, payment, and operations (TPO) or without an authorization must reflect “other applicable law” that is more stringent than HIPAA, that other applicable law now includes Part 2. Likewise, Part 2 is specifically included in the “other applicable law” referenced in the requirement to describe uses and disclosures that are permitted for TPO or without an authorization sufficiently to place an individual on notice of the uses and disclosures that are permitted or required by HIPAA and other applicable law.

Covered entities must provide notice to individuals that a Part 2 record, or testimony relaying the content of such record, may not be used or disclosed in a civil, criminal, administrative, or legislative proceeding against the individual absent written consent from the individual or a court order, consistent with the requirements of 42 CFR Part 2.

Covered entities must provide individuals with a clear and conspicuous opportunity to elect not to receive any fundraising communications before using Part 2 records for fundraising purposes for the benefit of the covered entity.

OCR clarifies that although separate covered entities that participate in an organized health care arrangement (OHCA) may issue a joint NPP for the OHCA, Part 2 requirements continue to apply to the Part 2 records maintained by covered entities that are part of OHCAs and individuals who are the subjects of such records maintain all rights under Part 2.

While making these required changes, it is also a good time for a covered entity to review its NPP in its entirety to see if other changes are necessary and to ensure that it remains current and adequately describes how the covered entity uses and discloses PHI as well as how individuals may access their records.

Effective Dates and Compliance Dates

Looking for assistance with your organization’s privacy policies? We work with clients in the preparation and updating of privacy policies and procedures to comply with the HIPAA Privacy Rule and more. Such policies are essential to meet patients’ expectations surrounding the protection of their privacy as well as the expectations of regulatory enforcement agencies such as the HHS Office for Civil Rights. If you are looking for assistance in this area, or to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, please contact: Margaret Young Levi, mlevi@wyattfirm.com, at 859.288.7469

OCR Settlement a Message to Providers: Every Day Counts to Notify Affected Persons After a HIPAA Data Breach

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements typically concern a covered entity’s failure to properly secure protected health information; this marks the first settlement involving a provider’s failure to report a data breach in a timely manner.

Under the HIPAA Breach Notification Rules, covered entities must provide notification of a breach without unreasonable delay and in no case later than 60 days following the discovery of a breach to affected individuals, and, in breaches affecting more than 500 individuals, to OCR and the media.

Presence Health is a not-for-profit health system serving 150 locations in Illinois. Presence Health first discovered that some paper copies of its surgery schedules at one location were missing on October 22, 2013, and these documents contained the protected health information of 836 individuals. The information consisted of the

Recent OIG Studies Recommend Tighter Enforcement of the Privacy and Security Rules

The U.S. Department of Health & Human Services’ Office of Inspector General (OIG) has conducted two recent studies calling for tighter enforcement of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA).

OCR Should Strengthen Its Oversight of Covered Entities’ Compliance With the HIPAA Privacy Standards

In the first study, the OIG recommends that the Office of Civil Rights (OCR), the government agency responsible for enforcing covered entities’ compliance with the HIPAA Privacy Standards, should strengthen its oversight of these privacy standards. The OIG reviewed a statistical sample of privacy cases investigated by the OCR from September 2009 through March 2011, surveyed and interviewed OCR staff, reviewed the OCR’s investigation policies, and surveyed providers’ compliance with five selected privacy standards.

Based upon this review, the OIG concluded that OCR should strengthen its oversight of covered entities’ compliance with the Privacy Rule. It criticized the OCR’s oversight as “primarily reactive” and suggested they be more

Federal Government Report Summarizes Health Care Privacy Compliance Efforts

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

–“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and

–“Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both of OCR’s reports (as well as previous annual reports) may be accessed here. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”

OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect to the HIPAA Privacy, Security, and Breach Notification Rules.
