On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) issued new reproductive healthcare rules, which will go into effect on December 23, 2024. The underlying goals of these rules are to ensure individuals do not forego lawful health care when needed or withhold information from providers out of fear that sensitive information will be revealed, and to respect interests of the states and HHS.

Under the new rules, the following uses and disclosures of reproductive health care records are prohibited:

  • To conduct a criminal, civil, or administrative investigation into, or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care where such health care is lawful under the circumstances in which it is provided; and
  • To identify any person for the purpose of conducting such an investigation or imposing such liability.

The above limits on prohibition only apply when the relevant activity is in connection with any person “seeking, obtaining, providing, or facilitating reproductive health care” and the Covered Entity or Business Associate receiving the request for PHI that may contain reproductive health care has reasonably determined that:

  • The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided; or
  • The reproductive health care is protected, required, or authorized by Federal law, under the circumstances in which it is provided, regardless of the state; or
  • The reproductive health care is presumed to be lawful, per the regulations (as further described below).

It should be noted that reproductive health care by another person is presumed lawful unless the Covered Entity or Business Associate has actual knowledge that the reproductive health care was not lawfully provided under the circumstances, or if factual information provided by the requestor of the PHI demonstrates a substantial factual basis that it was not lawfully provided under the circumstances.

A Covered Entity or Business Associate who has received a request for disclosure, must get a valid attestation in plain language from the requestor for the following specified purposes:

  • Health Oversight Activities
  • Judicial and Administrative Procedures
  • Law Enforcement Purposes
  • About Decedents to Coroners or Medical Examiners

The required elements of the attestation are as follows:

  • A specific description of the information requested, including the name of any individual/class of individuals;
  • The name or other specific identification of the person(s) requested to make the use or disclosure
  • The name or other specific identification of the person(s) who are requesting the use or disclosure
  • A clear statement that the use or disclosure is not for a Prohibited Purpose
  • A statement that the requestor may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if they knowingly request individually identifiable health information in violation of HIPAA.

HHS has also specified elements of an invalid attestation:

  • Compound attestation
  • Attestation for multiple uses/disclosures
  • Attestation seeking more than the minimum necessary
  • Attestation that RHC was unlawful without review of circumstances and determination that reliance on representation(s) by requester is reasonable
  • Attestation for use for judicial or administrative purposes where requirements of 45 C.F.R. 164.512(e)(1)(ii) or (f)(1)(ii)(C) have not been met (e.g., QPO)
  • Attestation stating anything in ADDITION to what is required.

If a patient has already signed an authorization for disclosure to a certain requestor, Covered Entities and Business Associates are obligated to provide the records. As the compliance date of December 23, 2024 is rapidly approaching, Covered Entities and Business Associates should contact a knowledgeable healthcare lawyer to ensure that they adhere to the newly-issued rules as soon as possible.  The author, Amy A. Perry, Esq., can be reached at aaperry@foxrothschild.com or 646-601-7680.