In a major victory for privacy and reproductive health, the Department of Health & Human Services’ Office for Civil Rights released a final rule on April 22 that prohibits entities regulated by the HIPAA Privacy Rule from using or disclosing protected health information to investigate or prosecute patients, providers, or others involved in providing legal reproductive health services.
Under this new rule, covered entities must obtain a signed attestation confirming that certain requests for PHI related to reproductive health care are not for these prohibited purposes. This requirement aims to protect the privacy of individuals seeking reproductive health services and prevent the misuse of their protected health information for investigative or prosecutorial purposes.
The final rule will be effective 60 days after publication in the Federal Register and covered entities must comply within 240 days. In response to a request from the AHA, OCR plans to provide a model attestation form before the compliance date to assist entities in meeting this requirement. This move is a significant step towards protecting patients’ rights and ensuring that their sensitive medical information is not used against them in legal proceedings.
