On April 26, 2024, the Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), published a Final Rule entitled the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability Act of 1996 (HIPAA) Privacy Rule by prohibiting the use and disclosure of protected health information (PHI) in certain circumstances. The Final Rule includes the following changes:
- Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate lawful reproductive health care, or to identify persons for such activities.
- Requires covered entities or business associates to obtain a signed attestation that certain requests (health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures about decedents to coroners and medical examiners) for PHI potentially related to reproductive health care are not for these prohibited purposes.
- Requires covered entities to modify their Notice of Privacy Practices to support reproductive health care privacy.
“OCR encourages HIPAA covered entities and business associates to begin implementing the new Privacy Rule requirements today,” said OCR Director Melanie Fontes Rainer. “Patients deserve to have these privacy protections in place as soon as possible.”
The effective date of the Final Rule is June 25, 2024. This is the date that HIPAA covered entities and their business associates may begin implementing the new requirements. Covered entities and business associates are not required to comply with the new requirements until December 23, 2024, except for the new changes to the HIPAA Notice of Privacy Practices, which have a compliance date of February 16, 2026.
The Final Rule may be viewed here.
The Fact Sheet may be viewed here (corrected link).
If you believe that your (or someone else’s) health information privacy rights or other Privacy, Security, or Breach Notification rules have been violated, you may file a complaint with the HHS Office for Civil Rights at: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.