December 23, 2024: Deadline for Compliance with the HIPAA Privacy Rule Reproductive Healthcare Final Rule
In April 2024, the HHS Office for Civil Rights (OCR) published the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule. The new rule took effect on June 23, 2024, and the compliance date for all but the Notice of Privacy Practices requirement is December 23, 2024. The Notice of Privacy Practices compliance deadline is February 16, 2026.
Why Was the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Enacted?
The new rule was a response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization in 2022. The decision overturned Roe v. Wade, which had guaranteed the constitutional right to abortion since 1973. Following the Supreme Court’s decision, the legality of abortion care was left to individual states to decide. As of December 2024, 13 U.S. states have banned abortions, 6 states have gestational limits of between 6 and 12 weeks, and 4 states have gestational limits between 18 and 22 weeks.
Since the Supreme Court’s decision, healthcare providers, patients, and others have expressed concern that their protected health information may be used to track the health care they receive, and many are worried that health information may be shared with state agencies, law enforcement, and others for the purpose of investigating or imposing liability on individuals for obtaining, providing, or facilitating lawful reproductive healthcare. The update to the HIPAA Privacy Rule strengthens reproductive healthcare privacy to ensure that protected healthcare information cannot be obtained for those purposes. Prior to the enactment of this rule, such disclosures were permitted, but not required, by the HIPAA Privacy Rule in certain circumstances.
The Final Rule is currently being challenged in court by Texas Attorney General Ken Paxton, who is seeking to prevent OCR from enforcing the rule in the state of Texas. Depending on the outcome of that challenge, other states may launch similar challenges.
Compliance with the Final Rule is Required by December 23, 2024
The final rule applies to HIPAA-covered entities and their business associates and prohibits them from using or disclosing protected health information when requested to investigate or impose liability on anyone for obtaining, providing, or facilitating lawful reproductive healthcare, including requests by law enforcement agencies. When a request is made for protected health information potentially related to reproductive healthcare, HIPAA-regulated entities must obtain an attestation from the requester that the health information requested is not for a purpose prohibited by the final rule.
When is an Attestation Form Required?
A signed attestation form is required when requests are made for protected health information for the following purposes:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Disclosures about a decedent to a medical examiner
Attestation Form Requirements
A HIPAA-compliant attestation form must include the following elements:
- Who is making the request
- Who is receiving the request
- The protected health information being requested
- How the information is not for a prohibited purpose
HIPAA-regulated entities may create their own attestation forms; however, OCR has released a model form that can be used for this purpose. Whatever form is used, it can be accepted physically or electronically and must be retained by the regulated entity as it may need to be produced in the event of an audit or compliance investigation.
Enforcement of the Final Rule
This month, ahead of the compliance date, OCR announced that a settlement had been agreed with Holy Redeemer Family Medicine in Pennsylvania over an impermissible disclosure of an individual’s reproductive health information. While the enforcement action was not related to the final rule, it confirms that OCR is committed to ensuring reproductive health information privacy.
It is important to ensure that policies and procedures regarding requests for access and copies of protected health information are updated ahead of the compliance deadline, that staff members are provided with a copy of the updated policies and procedures, that records are kept confirming staff members have received those policies and procedures, and that training on the new policies and procedures is provided.
The incoming Trump Administration may take a different view from the current administration on reproductive health information privacy and the enforcement of the final rule; however, compliance is mandatory by law until such time as the rule is updated or vacated.


