As discussed in our prior blog post, on April 26, 2024, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued final regulations (“Reproductive Health Care Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) limiting the uses and disclosures of protected health information (“PHI”) in the context of an individual lawfully seeking, obtaining, providing or facilitating reproductive health care.
The Reproductive Health Care Rule also requires covered entities and business associates to obtain a completed and signed attestation in connection with requests for uses and disclosures of PHI that (i) are “potentially related to reproductive health care” and (ii) relate to health oversight activities, judicial and administrative proceedings, law enforcement purposes, or coroners’ and medical examiners’ purposes in connection with a decedent.
Recently, HHS published a model attestation that covered entities and business associates may, but are not required to, use. The model attestation is intended to meet the requirements to be a valid attestation under the Reproductive Health Care Rule.
Attestation Requirements
As a reminder, attestations must be written in plain English, and they must be signed and dated by the person requesting the PHI. Attestations must also include the following elements:
- A description of the specific information requested, including the name of the individual whose PHI is requested (or, if not practicable, the applicable class of individuals).
- The name (or other identifying information) of the person (or class of persons):
  - Of whom the requested use or disclosure is made, and
  - To whom the requested use or disclosure is to be made.
- A statement that the use or disclosure is not for a prohibited purpose.
- A statement explaining the criminal penalties for knowingly violating HIPAA by obtaining or disclosing individually identifiable health information.
Further, as noted in the model attestation instructions, attestations may not be combined with other documents (except for documents provided to support the attestation) and may not include statements or content that is not otherwise required under the Reproductive Health Care Rule.
Proskauer Perspective
To help prevent contests to the validity of an attestation, covered entities and business associates may wish to consider using the model attestation. In addition, and as a reminder, the Reproductive Health Care Rule has broader implications for HIPAA compliance. Covered entities and business associates are expected to be in full compliance (except with respect to the changes to the Notice of Privacy Practices) by December 23, 2024. With fall fast approaching, it is imperative to begin considering how to comply with the Reproductive Health Care Rule. For potential action items, see our prior blog post.