In April, the Department of Health and Human Services (“HHS”) issued a final HIPAA Privacy Rule to Support Reproductive Health Care Privacy (“Privacy Rule”). Among other things, the Privacy Rule requires a regulated entity, such as a group health plan or a plan’s business associate, which receives a request for protected health information (“PHI”) potentially related to reproductive health care (“reproductive PHI” or “rPHI”), to obtain a signed and dated attestation from the requesting entity or individual stating that the use or disclosure is not for a prohibited purpose. The attestation requirement takes effect December 23, 2024. HHS recently released the model attestation, which includes background information and instructions.
The Privacy Rule directs that a “regulated entity” cannot use or disclose PHI for:
A “regulated entity” generally includes a group health plan (the covered entity) and a business associate of such plan.
The Privacy Rule includes specifics on what constitutes “reproductive health care,” and details on when the prohibition applies.
The attestation requirement under the Privacy Rule applies when there is a request to the regulated entity for rPHI for any of the following:
The model attestation issued by HHS includes the above background information along with instructional information for both the person requesting the rPHI and the regulated entity. While use of the model attestation itself is not mandatory, it will likely be used in most relevant situations.
The instructional information essentially directs that a group health plan and/or the plan’s business associate:
The attestation itself is a single page and the requesting party must:
The attestation also highlights that the requesting party could be subject to criminal penalties for improperly obtaining individually identifiable health information relating to an individual or disclosing individually identifiable health information to another person.
Finally, the guidance provides that the attestation may be provided in electronic format, and electronically signed by the requesting party.
For employers with fully insured plans: much of the responsibility for compliance with the attestation requirement should fall on the carrier, which would be the covered entity positioned to respond to requests related to rPHI. Presumably, such employers who receive rPHI requests would refer those to the carrier.
For self-funded (including level-funded) plans: employers will need to address these issues and have an attestation notice available to respond to requests. Most likely, however, such requests will typically be directed to the third-party administrator (“TPA”) or other vendors (such as pharmacy benefit managers (“PBMs”) or behavioral health providers or provider networks) who are business associates of the self-funded plan. A self-insured plan sponsor will likely need to rely on its TPA or other business associate for compliance with the attestation requirement. Thus, sponsors should work with their TPA and other business associates to ensure they will be prepared to comply with the requirement, including for requests forwarded by the sponsor, starting December 23, 2024.
Employers sponsoring both insured and self-insured plans should consider third-party vendors who may be business associates of any employer health plan and may obtain rPHI and receive requests to disclose rPHI. Such vendors might include those administering:
Where appropriate, employers should work with such vendors to ensure they will be prepared to comply with the attestation requirement starting December 23, 2024.
Further, as previously reported, the final rule may also require self-funded plans to modify or update the following by December 23, 2024 (depending on existing language or specifics of the plan) to address rPHI:
Finally, self-funded plans will need to update their notice of privacy practices to account for these changes by February 16, 2026. Carriers for fully insured plans are responsible for the notice of privacy practices and should also timely update these notices.
HHS has not yet updated their sample notice of privacy practices to reflect these changes.
We will continue to monitor and inform you of any additional important developments on the attestation requirement.