Update: The Department of Health and Human Services (HHS) released its model attestation to support compliance with the new attestation requirement under HIPAA, which requires covered entities (and business associates) to ensure an attestation is obtained before disclosing PHI potentially related to reproductive healthcare in certain circumstances (effective December 23, 2024), described further below. Covered entities may, but are not required to, use the model attestation. If covered entities choose to develop their own attestation form with the assistance of counsel, they should note that the attestation cannot be combined with any other document and has certain content requirements, such as:
- a description of the information requested, including the name of any individual(s) whose PHI is sought or if not practicable, a description of the class of individuals whose PHI is sought;
- the name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure; and to whom the covered entity is to make the request;
- a clear statement that the use or disclosure is not for a prohibited purpose;
- a statement that a person may be subject to criminal penalties if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person; and
- the signature of the person requesting the protected health information, which may be an electronic signature, and the date.
Original Article:
Recently, HHS published a Final Rule, HIPAA Privacy Rule to Support Reproductive Health Care Privacy, in response to the 2023 Notice of Proposed Rule Making and the increase in state abortion laws since the U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization. The Final Rule aims to strengthen the Health Insurance Portability Act of 1996 (HIPAA) Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care, described further below.
Compliance Snapshot
- The Final Rule provides protection for individuals who receive reproductive health care when the care is provided lawfully, without risk of an individual’s identity or health information being disclosed for purposes of state criminal, civil or administrative investigations.
- An attestation will be required prior to certain disclosures to confirm that the request is not for an improper purpose, effective beginning December 23, 2024.
- Covered entities, including employer sponsors of self-insured group health plans and insurers, will need to update their Notice of Privacy Practices (NPP) by February 16, 2026, to include these new protections.
Final Rule: Overview
Per the fact sheet, the Final Rule prohibits “the use or disclosure of PHI by a covered health care provider, health plan, or health care clearinghouse—or their business associate—for either of the following activities:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of conducting such investigation or imposing such liability.
Under the Final Rule, the prohibition applies where a covered health care provider, health plan, or health care clearinghouse (covered entities) or business associate (collectively, “regulated entities”) has reasonably determined that one or more of the following conditions exists:
- The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
  - For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
- The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
  - For example, if use of the reproductive health care, such as contraception, is protected by the Constitution.
- The reproductive health care was provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associates) that receives the request for PHI and the presumption described below applies.”
Attestation Requirement & HIPAA Notice of Privacy Practices Updates
In addition to the above prohibition, the Final Rule requires covered entities (e.g., a group health plan, or its business associates) to obtain an attestation signed by the requestor, noting that such use or disclosure is not prohibited under the Final Rule. An attestation will apply when requesting PHI for health oversight activities; judicial and administrative proceedings; law enforcement purposes; or disclosures to coroners and medical examiners. HHS intends to publish model attestation language before the effective date of this provision, which is December 23, 2024.
Effective beginning February 16, 2026, group health plans and issuers must have an updated NPP which includes a description (and examples) of the prohibited uses and disclosures of PHI and when an attestation is necessary, among other requirements, as explained further in the Final Rule. It is anticipated that HHS will publish an updated model Notice of Privacy Practices in advance of the effective date of this provision.
Employers who work with Sequoia should note that any related resources will be timely updated to comply with the Final Rule.
Employer Action
While the Final Rule is effective on June 25, 2024, group health plans (and other covered entities) and their business associates will be required to comply with these requirements by December 23, 2024, with updates to the NPP required by February 16, 2026. That said, employers should do the following, depending on their plan type:
- Self-insured/level funded group health plans:
  - By December 23, 2024, plan sponsors should ensure an attestation is obtained before disclosing PHI in the circumstances described above; review and update their HIPAA Policies and Procedures and business associate agreements (BAAs) to ensure the terms comply with the Final Rule; and update employee HIPAA trainings to address this new prohibition.
  - By February 16, 2026, plan sponsors should update their NPP to comply with the Final Rule and distribute the updated NPP to participants.
- Fully insured group health plans: By February 16, 2026, plan sponsors should confirm with their carriers that they updated their NPP to comply with the Final Rule, and that the updated NPP has been distributed to participants.
Sequoia will continue to monitor for further guidance as HHS develops its model attestation and updates to the model NPP.
Additional Resources
- HIPAA Privacy Rule to Support Reproductive Health Care Privacy
- HIPAA Privacy Rule Final Rule: Fact Sheet
- HIPAA Privacy Rule Final Rule: Press Release
- Model Attestation
The information and materials on this blog are provided for informational purposes only and are not intended to constitute legal or tax advice. Information provided in this blog may not reflect the most current legal developments and may vary by jurisdiction. The content on this blog is for general informational purposes only and does not apply to any particular facts or circumstances. The use of this blog does not in any way establish an attorney-client relationship, nor should any such relationship be implied, and the contents do not constitute legal or tax advice. If you require legal or tax advice, please consult with a licensed attorney or tax professional in your jurisdiction. The contributing authors expressly disclaim all liability to any persons or entities with respect to any action or inaction based on the contents of this blog. © 2024 Sequoia Consulting Group. All Rights Reserved.