The Department of Health & Human Services’ Office for Civil Rights (OCR) has issued a final rule on April 22 that prevents entities regulated by the HIPAA Privacy Rule from using or disclosing protected health information (PHI) to investigate or prosecute patients, providers, or others involved in providing legal reproductive health services. This new rule aims to safeguard the privacy of individuals seeking reproductive health services and prevent the misuse of their PHI for investigative or prosecutorial purposes.
The final rule requires covered entities to obtain a signed attestation confirming that certain requests for PHI related to reproductive health care are not for prohibited purposes. Additionally, hospitals can rely on the attestation and are not obligated to investigate its validity.
The new rule will take effect 60 days after publication in the Federal Register, and covered entities must comply within 240 days. In response to a request from the American Hospital Association (AHA), OCR plans to provide a model attestation form before the compliance date to assist entities in meeting this requirement.
This final rule is an important step towards protecting the rights of individuals seeking reproductive health services and ensuring that their PHI is not used for investigative or prosecutional purposes. By requiring covered entities to obtain a signed attestation confirming that certain requests for PHI related to reproductive health care are not for prohibited purposes, this new rule provides an additional layer of protection for individuals’ privacy.
