Post

On April 22, 2024, the Office for Civil Rights (OCR) issued a Final Rule, entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by prohibiting the disclosure of protected health information related to lawful reproductive health care in certain circumstances. HHS issued this Final Rule after hearing from communities that changes were needed to better protect patient confidentiality and prevent medical records from being used against people for providing or obtaining lawful reproductive health care. This Final Rule bolsters patient-provider confidentiality and helps promote trust and open communication between individuals and their health care providers or health plans, which is essential for high-quality health care.

 

The new rule took effect on June 23, 2024, and the compliance date for all but the Notice of Privacy Practices requirement is December 23, 2024. The Notice of Privacy Practices compliance deadline is February 16, 2026.

 

OCR issued guidance explaining how the Privacy Rule permissions for disclosing PHI without an individual’s authorization for purposes not related to health care, such as disclosures to law enforcement officials, are narrowly tailored to protect the individual’s privacy and support their access to health care, including abortion care. This Guidance:

When a HIPAA covered entity or business associate receives a request for protected health information (PHI) potentially related to reproductive health care, it must obtain a signed attestation that clearly states the requested use or disclosure is not for the prohibited purposes described below, where the request is for PHI for any of the following purposes:

 

While it is not required to use the OCR’s attestation form, one has been provided for guidance. If the covered entity chooses to create their own attestation form, the following elements must be included: 

The final rule applies to HIPAA-covered entities and their business associates and prohibits them from using or disclosing protected health information when requested to investigate or impose liability on anyone for obtaining, providing, or facilitating lawful reproductive healthcare, including requests by law enforcement agencies. 

 

When a request is made for protected health information potentially related to reproductive healthcare, HIPAA-regulated entities must obtain an attestation from the requester that the health information requested is not for a purpose prohibited by the final rule.

 

As a DMEPOS supplier, if you provide equipment or supplies and have patient medical records that could contain information specific to the patient’s reproductive health, you need to ensure compliance with this rule. For example, suppliers of breast pumps or incontinence supplies may fall under this category. 

 

If you provide equipment or supplies and have patient medical records that could contain information specific to the patient’s reproductive health, it is advised that you update your HIPAA policies and procedures to include compliance with this rule. As a reminder, your policies and procedures should include both creation and implementation dates, as well as revised dates when revisions are made. 

 

In the event a supplier discloses information without permission, a complaint to the OCR could follow. When a complaint is received, it is the responsibility of the OCR to investigate to determine validity, and if confirmed, you could be susceptible to corrective action, monetary civil penalties, or further referral to law enforcement and/or the Department of Justice.