The Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) issued a new Final Rule on April 22, 2024, with the aim of strengthening privacy protections under HIPAA related to reproductive healthcare information. The 2024 HIPAA Privacy Rule changes clarify how covered organizations can use and disclose protected health information (PHI) relating to abortion, pregnancy, contraception, and other reproductive health services without an individual’s signed authorization, with limited exceptions. Key points of the Final Rule include:
- Defines “reproductive healthcare”
- Limits disclosures of reproductive health PHI to law enforcement
- Requires covered organizations to obtain a signed attestation that the use or disclosure of reproductive health PHI is not for a prohibited purpose
- Requires covered organizations to revise their Notice of Privacy Practices to support reproductive health care privacy practices
The Final Rule is effective on June 25, 2024, with compliance dates of December 23, 2024, and February 16, 2025 (for applicable Notice of Privacy Practices requirements)
In anticipation of the Final Rule going into effect, Clearwater’s Privacy & Compliance experts recommend that organizations take the following actions:
- Revise policies and procedures addressing disclosures of PHI for law enforcement purposes
- Design a template attestation addressing uses or disclosures of reproductive health PHI
- Revise your Notice of Privacy Practices to support reproductive healthcare privacy practices
- Provide updated training and education to all members of the workforce within a reasonable period of time
