
The Office for Civil Rights of the U.S. Department of Health and Human Services issued required modifications to the Health Insurance Portability and Accountability Act of 1996, known as the 2024 Privacy Rule, in the form of final regulations on April 22, 2024. The 2024 Privacy Rule establishes new prohibitions on covered entities and business associates (“Regulated Entities”) regarding the use and disclosure of certain protected health information (“PHI”), adds an attestation requirement for certain types of disclosures, and implements other changes to HIPAA regulations, including adding new definitions.

Generally, the 2024 Privacy Rule goes into effect June 25, 2024, but Regulated Entities have 180 days to bring their documentation and operations into compliance. Therefore, by December 23, 2024, HIPAA policies and procedures documents, risk assessments, and business associate agreements, if needed, should be updated to reflect the new requirements. Employers with self-funded health plans should begin reviewing these new requirements soon to ensure operations and documentation are in compliance ahead of this deadline.

New Prohibitions on Use & Disclosure of PHI

The 2024 Privacy Rule establishes new prohibitions on a Regulated Entity’s use and disclosure of PHI in the following circumstances:

  • First, the 2024 Privacy Rule prohibits the use or disclosure of PHI by Regulated Entities for purposes of conducting a criminal, civil, or administrative investigation or proceeding against a person in connection with seeking, obtaining, providing, or facilitating reproductive health care where such health care is lawful under the circumstances in which it is provided.
  • Second, the 2024 Privacy Rule prohibits Regulated Entities from using or disclosing PHI for the purpose of identifying an individual, health care provider, or other person for purposes related to such an investigation or proceeding where the reproductive care is lawful.

Note that the prohibitions above do not automatically apply to all PHI regarding reproductive health care. Rather, the prohibitions arise depending on the purpose for which such PHI is sought.

In order for the prohibitions above to apply, the Regulated Entity must reasonably determine that at least one of the following circumstances is satisfied:

  • The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
  • The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g., contraception).
  • The reproductive health care was provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associate) that receives the request for PHI and a presumption that the health care was lawful applies.

The presumption noted above shall apply unless one of the following occurs:

  • The covered entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
  • The covered entity receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.

New Attestation Requirement

In addition to these new prohibitions, the 2024 Privacy Rule requires a Regulated Entity to receive a signed attestation prior to making certain disclosures of PHI otherwise required under HIPAA regulations. The signed attestation requirement arises when PHI is requested for any of the following:

  • Health oversight activities;
  • Judicial and administrative proceedings;
  • Law enforcement purposes; or
  • Disclosures to coroners and medical examiners.

HHS recently published a model attestation form that plans are encouraged to use for this requirement.

Required Updates to Notice of Privacy Policies (stay tuned)

While the 2024 Privacy Rule requires additional changes to the Notice of Privacy Policies, the deadline for this update is delayed until February 16, 2026. Prior to that deadline, a new model notice will be released.