HIPAA Attestation for Reproductive Health Care Related PHI Disclosures


Summary

This template may be used to obtain the attestation needed for certain requests of protected health information relating to reproductive health care under modified Health Insurance Portability and Accountability Act (HIPAA) rules. This template includes practical guidance and drafting notes.

Background. The Department of Health and Human Services modified the HIPAA Privacy Rule to strengthen protections on protected health information (PHI) relating to reproductive health care after the Supreme Court overturned Roe v. Wade in Dobbs v. Jackson Women's Health Org., 142 S.Ct. 2228 (2022) and several states began imposing restrictions on abortion availability and access. 89 Fed. Reg. 32,976 (Apr. 26, 2024) (the "2024 Rule"). The 2024 rules, effective as of December 23, 2024, are designed to address a potential chilling effect in the post-Dobbs legal landscape on individuals who may avoid accessing lawful health care services for fear that their PHI could be used against them. The primary modified rule is a prohibition against HIPAA-covered entities and their business associates from using or disclosing PHI relating to reproductive health care for the purpose of initiating or furthering a criminal, civil, or administrative investigation into, or imposing criminal, civil, or administrative liability on, any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is:

• Lawful in the circumstances and in the state in which it is provided –or–
• Protected, required, or authorized by federal law, regardless of the state in which it is provided

45 C.F.R. § 164.502(a)(5)(iii) (see 45 C.F.R. § 164.502(a)(5)(iii)(D) for a description of the scope intended by the phrase "seeking, obtaining, providing, or facilitating reproductive health care").

Attestation requirement. In furtherance of this prohibition, as of December 23, 2024, the rules impose an attestation requirement on certain PHI uses and disclosures. 45 C.F.R. § 164.509.
The requirement applies if a covered entity or business associate receives a relevant request for PHI (i.e., PHI potentially relating to reproductive health care services being sought for, or to facilitate, a pertinent investigation or imposition of liability) made pursuant to 45 C.F.R. § 164.512(d), (e), (f), or (g)(1)—which, respectively, permit PHI usage and disclosures (1) to agencies for health oversight activities, (2) for judicial or administrative proceedings, (3) for law enforcement purposes, and (4) to a coroner in the course of their duties. Such requests, of course, may only be granted if they do not violate the prohibition in 45 C.F.R. § 164.502(a)(5)(iii) described above, and the attestation must, among other things, include a statement that the use or disclosure does not violate that provision. This template, which is based on the model language and instructions available at HHS, Model Attestation, may be used to fulfill the attestation requirement.

Presumption rule. Under the 2024 rules, covered entities and business associates will need to identify whether they are permitted to agree to relevant requests regarding PHI that relates to reproductive health care and whether an attestation is required (and whether they want to comply, since such disclosures are optional, not mandatory). To facilitate compliance with this process, a rule of presumption provides that the reproductive health care at issue is presumed to be lawful under the circumstances in which it was provided (and thus the PHI may not be disclosed) whenever the covered entity or business associate receiving the request is not the provider of the health care. However, the presumption is overcome if (1) the request recipient has actual knowledge to the contrary or (2) the requester demonstrates a substantial factual basis to the contrary. 45 C.F.R. § 164.502(a)(5)(iii)(C).
When the covered entity or business associate receiving the request is the provider, it must reasonably determine whether the reproductive health care was lawful under the circumstances and in the state in which it was provided and, if not, whether it was protected, required, or authorized by federal law. The entity may only comply with the request, subject to the attestation requirement, if it determines that neither is true. See 45 C.F.R. § 164.502(a)(5)(iii)(B).

When the attestation is required. Following from the foregoing, the attestation requirement must be fulfilled if all of the following are true:

• A HIPAA covered entity or business associate receives a request for PHI
• The PHI is related to reproductive health care services
• The request is made for purposes of (1) an agency's health oversight activities, (2) a judicial or administrative proceeding, (3) law enforcement, or (4) a coroner or medical examiner's duties
• If the request recipient was not the provider of the reproductive health care services, the presumption does not apply or is overcome
• If the request recipient was the provider of the reproductive health care services, it reasonably determines that the health care services were (1) not lawful in the circumstances and in the state where provided and (2) not protected, required, or authorized by federal law –and–
• The request recipient elects to disclose the PHI to the requester

Other rules.
A covered entity or business associate receiving a relevant PHI request should note the following:

• An attestation may not be accepted if:
  ○ It is missing any required element or statement or contains other content that is not required or permitted
  ○ It is combined with other documents, except for documents provided to support the attestation
  ○ Material information in the attestation is known to be false –or–
  ○ The requestor's statement that the use or disclosure is not for a prohibited purpose would not be believable under a reasonable person standard
  45 C.F.R. § 164.509(b).
• A request recipient must cease complying with the request upon later discovering that a representation made in the attestation is materially false, leading to a use or disclosure for a prohibited purpose. 45 C.F.R. § 164.509(d).
• If the reproductive health care related to a relevant request was provided by a person other than the request recipient, disclosure is only permitted if the requestor supplies information that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided. 45 C.F.R. § 164.502(a)(5)(iii)(B)(3), (C)(2).
• A new attestation is necessary for each specific use or disclosure request. See 89 Fed. Reg. 33,031.
• The request recipient must maintain a written copy of the completed attestation and any relevant supporting documents. See 45 C.F.R. § 164.530(j).

For more information on this and other HIPAA Privacy Rule requirements, see HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules and the other resources in the HIPAA Resource Kit.