HHS New Rule On PHI Disclosures for Reproductive Health Care

The Department of Health and Human Services (HHS) is requiring group health plans (as HIPAA covered entities) to modify their rules regarding the uses and disclosures of PHI relating to reproductive health care.  These changes must be reflected in their Notice of Privacy Practices (NPP).

Covered entities must comply with the new rules by December 23, 2024.  Modifications to their NPPs must be made by February 16, 2026.

What does the new rule require?

The new rule prohibits a covered entity from using or disclosing PHI for the purpose of investigating or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful:

  • under the laws in the state in which it is provided; or
  • protected, required, or authorized by Federal law (including the Constitution).

A covered entity that receives a request for PHI must determine the lawfulness of the services provided.

In crafting the new rule, HHS recognized that group health plans would face different challenges than health care providers. Group health plans often receive claims from providers in multiple States and are not in a position to easily determine the legality of the services. With that in mind, HHS has created a separate process for those entities.

In this article, we will focus on the new rules as they apply to employer-sponsored group health plans.

How does the new rule apply to group health plans?

A group health plan that receives a request for PHI for the purpose of investigating or imposing liability on any person for the mere act of seeking, providing, obtaining or facilitating reproductive health care may presume that those acts were legal. The plan is not required to conduct research or analysis. Under the new rule, this means that the plan could not disclose the PHI.

However, the authority seeking the information may present information sufficient to overcome the presumption of legality.  The information presented must demonstrate a sufficient factual basis that the services were not legal under the circumstances in which they were provided.

The rule offers an example of how this might work.

An investigator requests information from a health plan about claims for coverage of certain reproductive health care provided by a particular health care provider. The health plan must presume that the reproductive health care was lawful unless the investigator supplies information that demonstrates a substantial factual basis to believe that the reproductive health care was not lawful under these circumstances. For example, the investigator could provide the plan with affidavits supplied by complainants that contain the circumstances under which the reproductive health care was provided. In this example, the presumption would be overcome, and the health plan would be permitted to use or disclose the PHI, assuming that all applicable conditions of the Privacy Rule were otherwise met. In contrast, if the investigator requests the same information but only provides an anonymous report of a particular health care provider providing reproductive healthcare that is not lawful under the circumstances in which it is provided, the health plan would not have a substantial factual basis to believe that the reproductive health care was not lawful.

HHS was concerned that requests for PHI for a prohibited purpose may be couched in terms of a request for a permitted purpose in order to hide their true intent. The rule therefore requires all covered entities to obtain a valid attestation when they receive a request for PHI that is potentially related to reproductive health care for any of the following reasons:

    • health oversight activities;
    • judicial and administrative proceedings;
    • law enforcement purposes;
    • disclosures about decedents to medical examiners and coroners.

To be considered valid, the attestation must include:

    • a statement that the request is not for a prohibited purpose;
    • the name(s) of the person(s) whose PHI is being sought;
    • the name(s) of the person(s) to whom the disclosure is to be made;
    • a statement that a person who knowingly obtains or discloses information in violation of HIPAA is subject to criminal penalties; and
    • the signature of the person making the attestation.

A plan cannot accept an attestation as valid if:

    • it lacks any of the required elements.
    • it contains any non-required element.
    • it is combined with any other document.
    • the plan has actual knowledge that it is false.
    • a reasonable covered entity would not believe the attestation's statement that the request is not for a prohibited purpose.

HHS has indicated that it intends to publish a template for attestations.

It is worth emphasizing that nothing in the new rule requires PHI to be disclosed; it only addresses whether disclosures of PHI about reproductive health care are permitted or prohibited.

 

Revisions to NPPs

Plan sponsors will need to revise their NPPs to reflect the new rules.[1] The rules require several specific provisions, including:

  • a description, including at least one example, of the types of disclosures prohibited by the rule;
  • a description, including at least one example, of the types of disclosures for which an attestation would be required; and
  • a statement explaining to individuals that PHI disclosed pursuant to the Privacy Rule may be subject to redisclosure and no longer protected by the Privacy Rule.[2]

 

Action Items for Plan Sponsors

Plan sponsors will need to revise their privacy practices and procedures to reflect the new rules.

The rules apply to a plan’s business associates as well as to plans themselves.  It is anticipated that most requests for PHI related to reproductive health care will come through the plan’s TPA.  Plan sponsors will want to review their business associate agreements to determine the need for any amendments related to the new rules.

Plan sponsors will need to revise and distribute their NPPs.


Background

The decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization overturned long-existing rules that had protected a woman’s right to obtain an abortion.

The Court effectively returned the right to regulate abortion to the various States, unfettered by Constitutional constraints.   In the wake of that decision, numerous States have passed legislation severely restricting access to abortion and imposing civil and criminal liability on persons who obtain abortions as well as those who perform or facilitate them.  Abortions remain legal and accessible in other States, largely as they were prior to the Dobbs decision.

HHS recognized that State authorities seeking to enforce abortion restrictions may ask HIPAA covered entities to disclose PHI in aid of their enforcement activities. HHS also recognized that responses to those requests, while permitted under the existing privacy rules, could undermine the balance those rules had struck between the goal of supporting legitimate law enforcement activities and protecting PHI, particularly given the especially sensitive nature of information related to a person’s reproductive health.

To redress that imbalance, HHS has promulgated a new rule that restricts disclosures of PHI when requested to conduct a criminal, civil, or administrative investigation into or to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person to initiate such activities.

Although driven largely by issues related to abortion, the rule more broadly defines “reproductive health care” as encompassing all matters relating to the reproductive system and its functions and processes.

 


[1] Plans that are not currently required to have an NPP are not affected by the new rule.  This includes fully insured plans that provide only limited amounts of PHI to the sponsoring employer as described by the Privacy Rule.

[2] Additional modifications to NPPs not related to the rules on disclosures regarding reproductive health care will be discussed in a separate blog.

 

 

 
