Legal Brief

Posted on: 5/3/24


Last Friday, April 26, the Department of Health and Human Services Office for Civil Rights (OCR) published a final rule that prohibits the disclosure of protected health information (PHI) related to lawful reproductive healthcare under the HIPAA Privacy Rule. The Rule prohibits the use or disclosure of PHI by a covered entity or its business associate for either of the following activities:

• To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, where such healthcare is lawful under the circumstances in which it is provided. 
• The identification of any person for the purpose of conducting such investigation or imposing such liability. 

Essentially, if one of the conditions below exists, then the prohibitions above apply to the PHI:

• The reproductive healthcare is lawful under Oklahoma law;
• The reproductive healthcare is protected, required or authorized by federal law (such as use of contraception, which is protected by the Constitution); or 
• The reproductive healthcare was provided by a person who is not a covered entity or a business associate. 

Covered entities and business associates are still permitted to use or disclose reproductive healthcare PHI for purposes permitted under the HIPAA Privacy Rule, so long as the request for the PHI is NOT made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare. 

When a request for PHI related to reproductive healthcare is made, a healthcare provider must obtain a signed attestation from the requestor that the use or disclosure is not for a prohibited purpose. This requirement applies when the request for PHI is for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. This attestation requirement is a way for healthcare providers to obtain written representations from persons requesting PHI that their requests are not for a prohibited purpose. 

The Final Rule also contains Notice of Privacy Practice requirements, dictating that NPPs must be updated to state that a covered entity supports reproductive healthcare privacy. For additional information about the requirements of the Final Rule or to view or download the Final Rule, please click here. (Maggie Martin)