New “Reproductive Health Care Rule” and how it affects community health centers

In April of 2024, The Department of Health and Human Services (HHS) issued a Final Rule modifying the Standards for Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The final rule was effective June 25, 2024, and health centers must comply after December 23, 2024.

This new rule has raised questions with community health centers about how it applies to Federally Qualified Health Centers (FQHCs) and their privacy practices.

The new rule is summarized in HHS’s HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet.

So, why the new rule?

According to HHS, “This Final Rule is one of many actions taken by HHS to protect access to and privacy of reproductive health care after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.” President Biden “directed HHS to consider taking additional actions, including under HIPAA, to better protect information related to reproductive health care and to bolster patient-provider confidentiality.”

HHS defines “reproductive health care” as “care, services, or supplies related to the reproductive health of the individual.”

What are the high points of the new rule?

The new rule, “strengthens privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a covered health care provider [this would include FQHCs], health plan, or health care clearinghouse—or their business associate” to:

  • “To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.

  • The identification of any person for the purpose of conducting such investigation or imposing such liability.”

The new rule does not change the ability of health care providers to use or disclose PHI for purposes otherwise permitted under the Privacy Rule “where the request for the use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.” For example, a health center could use or disclose PHI to defend itself in an investigation or proceeding related to an FTCA claim involving the provision of reproductive health care.

How does the new rule affect FQHCs?

There are several areas that community health center leaders should be aware of.

  • Ensure all reproductive care you provide is legal in your state. This seems simple enough, but as rules change quickly, it’s important to know the current laws and practice accordingly.

  • Obtain a signed attestation when PHI potentially related to reproductive health care is requested. The new rule “requires a covered health care provider, health plan, or health care clearinghouse (or business associates), when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose.” This attestation is required for PHI requests related to health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners.” HHS has provided a Model Attestation for health centers to use. Since health center staff may not always know if the PHI requested may contain information related to reproductive health care, it may be a best practice to include this attestation with all requests for PHI. The health center may want to develop a way to identify and track PHI that is potentially related to reproductive health in the EHR or other logs.

  • Revise your Notice of Privacy Practices (NPP). The new rule will require health centers to “revise their NPPs to support reproductive health care privacy” and must also “address proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records (“Part 2 NPRM”), as required by or consistent with the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020”. At present, HHS has not released a new Model Notice of Policy Practices.

  • Revise and modify your HIPAA policies and procedures. Now is a good time to take a look at your health center’s HIPAA policies and procedures and ensure they are in compliance with the new rule.

  • Review Business Associate Agreements (BAAs). It’s important to take stock of your health center’s BAAs and determine if any changes need to be made. Consult your attorney before revising any agreements.

  • Train your staff. These new rules are complicated and it’s important to learn these new requirements and then develop systems, policies, and procedures to guide and support your health center staff. FTCA requires annual training on HIPAA and confidentiality practices; make sure these trainings are updated to reflect this new rule.

The reproductive healthcare landscape is changing rapidly within the United States, particularly during election years. Health center leaders should stay alert and up to date to ensure their health center is current with both federal and state reproductive health and privacy laws, rules, and regulations.

+

The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most updated legal or other information. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user, or browser; RegLantern does not recommend or endorse the contents of the third-party sites.

Readers of this website should contact their attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, contributing law firms, or committee members and their respective employers. 

All liability with respect to actions taken or not taken based on the contents of this site are hereby expressly disclaimed. The content on this posting is provided "as is;" no representations are made that the content is error-free.

Subscribe to the RegLantern Blog

Kyle Vath

Kyle Vath, BSN, MHA, RN: Kyle Vath is the CEO and co-founder of RegLantern, a company that provides tools and services to health centers that help them move to continual compliance. These services include mock site surveys and web-based tools that allow health centers to organize their compliance documentation. Kyle has served in a wide range of healthcare settings including serving as the Director of Operations for Social Ministries for a large health system, Provider Relations for a health system-owned payer, the Director of Operations for a Federally-Qualified Health Center, long-term care (as a nursing manager, director of nursing, and licensed nursing home administrator), in acute care (as a critical care nurse), and in Tanzania, East Africa as a hospital administrator of a rural mission hospital.

Previous
Previous

Culturally Competent Care in Federally Qualified Health Centers (FQHCs)

Next
Next

Was your FTCA Application submission this year…stressful?