HIPAA Privacy Rule Protects Reproductive Rights

/in /by

APPLIES TO

All Employers subject to HIPAA or HIPAA-Covered Transactions

EFFECTIVE

June 25, 2024

QUESTIONS?

Contact HR On-Call

(888) 378-2456
Quick Look

  • Reproductive health care is covered by the Privacy Rule under HIPAA and the HITECH Act.

Discussion:

Earlier this year, the U.S. Department of Health and Human Services (HHS) issued a final rule adding protections for reproductive rights to the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Although the final rule went into effect on June 25, 2024, compliance with the final rule is required as of December 23, 2024.

 

HIPAA applies only to “covered entities,” which are defined as: (1) health plans; (2) healthcare clearinghouses; and (3) healthcare providers that electronically transmit certain health information (and certain “business associates” of covered entities). While most employers do not fall into these categories, HIPAA does apply to an employer’s request for health information from a covered entity, which means that an employee must authorize the disclosure, unless otherwise permitted by law. Additionally, employers may be involved in HIPAA-covered transactions, such as employer on-site clinics provided as an employee health benefit, self-insured health plans for employees, or when the employer acts as an intermediary between employees, healthcare providers, and health plans.

 

The HHS Final Rule defines “reproductive health care” as health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” A covered entity or business associate may not use or disclose protected health information for any of the following activities:

 

(1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.

(2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.

(3) To identify any person for any of the activities described at paragraphs (1) or (2).

 

The reproductive health care privacy protections apply only where (A) the relevant activity is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care, and (B) the covered entity or business associate that received the request for protected health information has reasonably determined that the reproductive health care is either lawful in the state in which it was provided; protected, required, or authorized by federal law (regardless of the state in which it is provided); or presumed lawful. Privacy protections apply, for example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.

 

Reproductive health care is presumed lawful unless the covered entity or business associate has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or factual information supplied by the person requesting the use or disclosure of protected health information that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided. Reproductive health care would not be presumed lawful, for example, when a law enforcement official provides a health plan with evidence that the information being requested is reproductive health care that was provided by an unlicensed person where the law requires that such health care be provided by a licensed health care provider.

 

Privacy notice requirements were also expanded under 45 C.F.R. § 164.520, but do not go into effect until February 16, 2026. Employers must take care to ensure that HIPAA privacy protections are followed for any covered transactions.

 

Action Items

  1. Review the final rule here.
  2. Review the fact sheet here.
  3. Have appropriate personnel trained on the new requirements.
  4. Prepare to update privacy notices.

  

Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2024 ManagEase