HIPAA Privacy Rule Changes 2024: Personal Representatives & Reproductive Healthcare

Compliance Deadline

By December 23, 2024, all entities regulated under the HIPAA Privacy Rule must comply with the latest amendments issued by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). These amendments provide enhanced protections for reproductive health information and offer guidance for handling abuse, neglect, and endangerment cases.

Exception: The updates to the Notice of Privacy Practices do not need to be implemented until February 16, 2026.

The Privacy Rule

The Privacy Rule in and of itself consists of detailed provisions designed to protect the privacy of individuals’ personal health information (PHI), which includes most individually identifiable health information created, received, maintained, or transmitted by “covered entities.” Under the Privacy Rule, covered entities and their “business associates” (collectively “Regulated Entities”) are prohibited from using or disclosing PHI without obtaining a written authorization from the individual to whom the PHI pertains, unless a specific exception applies.

Personal Representatives: Abuse, Neglect, & Endangerment

Under the new guidelines, a personal representative is someone authorized by state law to make healthcare decisions on behalf of another individual. While patients can designate personal representatives to access their PHI, this designation does not extend to making healthcare decisions unless specified.

When a healthcare provider (decision maker for the Regulated Entity) believes that an individual, including an unemancipated minor, may be subjected to domestic violence, abuse, or neglect by the personal representative, or that treating the person as such could endanger the individual, they may choose not to treat that person as the individual’s personal representative. This decision is based on professional judgment and prioritizes the individual’s best interests.

Substance Use Disorder (SUD) Regulations Aligned with HIPAA Privacy Rule Standards

Updates were made to ensure better protection and clearer communication regarding SUD patient records, aligning them with HIPAA standards while expanding patient rights and clarity.

Key Changes

Key changes include:

1. Allowing Disclosures with Patient Consent:
   • Disclosures for treatment, payment, and healthcare operations can now occur with patient consent.
   • Expands patient rights to access their own SUD records.
2. Consistent Notice Requirements:
   • Patient Notice requirements and Notice of Privacy Practices (NPP) requirements modified to provide consistent notices.
   • Covered entities must inform individuals about the use, disclosure, rights, and responsibilities regarding these records.
3. Plain Language Requirement:
   • The NPP must be written in plain language to ensure clarity for patients.
   • The phrasing changes to “receiving or maintaining” records.
4. Additional Requirements:
   • NPP must include a description and example of prohibited uses and disclosures.
   • NPP must describe and provide an example of uses and disclosures requiring an attestation.
   • A statement informing individuals that PHI disclosed under the Privacy Rule may be redisclosed and lose protection.

New Prohibited Uses & Disclosures

The amendments introduce three new prohibited uses/disclosures of PHI, which are subject to the “Rule of Applicability.” These prohibitions prevent the use or disclosure of PHI for:

1. Conducting investigations or imposing liability on individuals for seeking, obtaining, providing, or facilitating lawful reproductive health care.
2. Imposing liability on individuals for the same reasons.
3. Identifying individuals for these prohibited activities.

This includes a wide range of activities related to reproductive health care, such as expressing interest in, using, performing, paying for, and disseminating information about reproductive health services.

Definition of Reproductive Health Care

Reproductive health care is broadly defined as any health care affecting the reproductive system and its functions. This includes, but is not limited to:

• Contraception (including emergency contraception)
• Preconception screening and counseling
• Pregnancy and pregnancy-related conditions management
• Prenatal care
• Miscarriage management
• Pregnancy termination (abortion)
• Fertility care (e.g., IVF)
• Diagnosis/treatment of conditions like menopause and endometriosis
• Mammography
• Pregnancy-related nutrition services
• Postpartum care products

The Rule of Applicability

The use or disclosure of PHI is prohibited only if the reproductive health care in question is lawful. This includes scenarios where:

• The care was lawful in the state it was provided.
• The care is protected or authorized by federal law.
• The care is presumed lawful unless there is substantial evidence to the contrary.

Substantial evidence = (1) actual knowledge that the reproductive health care was not lawful or (2) factual information provided by the person requesting the information that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided. This is referred to as the “presumption” under the final rule.

Attestation Requirements

For certain uses and disclosures, entities must receive a valid attestation confirming that the PHI will not be used for prohibited purposes. This attestation must be specific, written in plain language, and may be in electronic format with a valid electronic signature.

The attestation may not be combined with any other document, such as a general authorization form. The final rule requires strict compliance with the attestation rules. An attestation may be deemed invalid if it contains less or more information than is required.

OCR published the model attestation form at the end of July. See attestation form is available on the U.S. Department of Health and Human Services website.

Notice of Privacy Practices

Entities must update their Notice of Privacy Practices to reflect the new rules by February 16, 2026. OCR will provide a model notice to facilitate these updates.

Penalties: Failure to comply with new Attestation requirements subjects persons and regulated entities to civil and criminal penalties for violation of HIPAA Rules.

A person (including a regulated entity or someone who requests PHI) who knowingly and in violation of the provisions obtains or discloses PHI relating to another individual would be subject to potential criminal liability. Thus, a person who knowingly and in violation of HIPAA falsifies an attestation (e.g., makes a material misrepresentation about the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual’s PHI could be subject to the criminal penalties. Additionally, a regulated entity is subject to potential civil penalties for violations of the HIPAA Rules, including a failure to obtain a valid attestation before disclosing PHI, where an attestation is required.

How Can We Help?

The HBS Data Privacy & Cybersecurity team can help answer your questions or assist with any of the following:

• Update HIPAA Privacy Policies and Procedures to comply with the final rule by December 23, 2024.
• Create Attestation Form using the model form linked above by December 23, 2024.
• Update HIPAA Notice of Privacy Practice to comply with the final rule addressing substance use disorder benefits by the February 16, 2026.
• Provide updated workforce training by December 23, 2024.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.