As previously discussed in our newsletter here, HHS issued a final rule that prohibits a covered entity, such as an employer-sponsored group health plan (or its business associate) (collectively, the “Regulated Entities”), from using or disclosing protected health information (“PHI”) when it is requested to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances, or to identify any person relating to those activities (“Prohibited Activities”).
Regulated Entities who receive requests for PHI potentially related to reproductive health care must obtain a signed attestation from the requestor that the use or disclosure is not for any of the Prohibited Activities, where the request is for PHI for any of the following:
- health oversight activities;
- judicial or administrative proceedings;
- law enforcement purposes; or
- disclosures to coroners and medical examiners.
HHS released a model attestation that Regulated Entities may but are not required to use. Regulated Entities may develop their own attestation form, as long as the attestation is not combined with any other document and the attestation includes the following elements:
- a description of the information requested that identifies the information requested, including the name of the individual whose PHI is requested (or if not practicable, the applicable class of individuals);
- the name or other specific identification of the persons, or class of persons, (i) who are requested to make the use or disclosure, and (ii) to whom the covered entity is to make the requested use or disclosure;
- a clear statement that the use or disclosure is not for one of the Prohibited Activities;
- a statement that a person may be subject to criminal penalties if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person; and
- the signature of the person requesting the PHI, which may be an electronic signature, and date.
By December 23, 2024, Regulated Entities will be required to begin obtaining attestations upon receiving requests for PHI potentially related to reproductive health care. Regulated Entities should contact their legal counsel to ensure their HIPAA policies and procedures are up to date for these new requirements.
The model attestation form is available here.