Policy Briefing — April 22, 2024
HHS finalized HIPAA reproductive health privacy protections that limit disclosures to law enforcement and require attestation before releasing data related to lawful care.
Executive briefing: The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a final rule on April 22, 2024 strengthening HIPAA protections for reproductive health information. Covered entities and business associates must refuse to disclose PHI for investigations or proceedings against individuals seeking, providing, or facilitating lawful reproductive health care. When disclosures are otherwise permitted, entities must obtain a signed attestation confirming the request is not for prohibited purposes.
Key requirements
- Use and disclosure prohibition. HIPAA-covered organizations cannot use or disclose reproductive health PHI to conduct investigations or impose liability related to lawful care provided outside the state where services occur.
- Attestation standard. Before honoring certain requests from law enforcement, courts, or insurers, covered entities must secure a specific attestation that the requested PHI will not be used for prohibited investigations.
- Notice updates. Entities must revise HIPAA Notices of Privacy Practices to explain the new protections and attestation requirements.
Operational priorities
- Policy refresh. Update disclosure procedures, law-enforcement request playbooks, and workforce training to reflect the prohibition and attestation obligations.
- Attestation workflow. Implement templates and logging for attestations, ensuring release-of-information teams can validate signatures and retain records.
- Business associate oversight. Amend BAAs to extend the new restrictions and confirm downstream vendors can enforce attestation checkpoints.
Program assurance
- Audit readiness. Document compliance monitoring, including sampling of disclosure requests and attestation verification.
- Incident response. Update breach response plans to include reporting steps for improper reproductive health disclosures.
- Stakeholder communication. Brief clinicians, legal teams, and privacy officers on decision trees for multi-state care delivery and law-enforcement engagement.
Sources
- HHS Press Release — Biden-Harris Administration Strengthens HIPAA Privacy Rule to Protect Reproductive Health Information
- HIPAA Privacy Rule to Support Reproductive Health Care Privacy — Final Rule
Zeph Tech is updating HIPAA compliance programs with reproductive health privacy attestations, multi-state disclosure playbooks, and enhanced workforce training.