Recent developments have cast uncertainty over the future of the 2024 Privacy Rule and its enforcement. Haynes Boone attorneys Jennifer Kreick and Thomas Tanabe explain the details of the rule and breakdown what could change moving forward in an American Health Law article.
Read an excerpt below:
The Final Rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support reproductive health care privacy (2024 Privacy Rule) requires covered entities and business associates (Regulated Entities) to comply with many provisions beginning December 23, 2024. Complying with the 2024 Privacy Rule will require Regulated Entities to review and update their policies and procedures and ensure personnel are properly trained on the new requirements. However, recent events have made the future of the 2024 Privacy Rule and its enforcement unclear.
2024 Privacy Rule Background
On April 26, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued the 2024 Privacy Rule to modify the Standards for Privacy of Individually Identifiable Health Information (2000 Privacy Rule) issued pursuant to HIPAA to protect the access to and privacy of reproductive health care. The 2024 Privacy Rule was issued as a response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization to address concerns that an individual’s protected health information (PHI) related to lawful reproductive health care may be disclosed and used for non-health care purposes, such as conducting investigations against, or to impose liability upon, an individual, health care provider, or another person.
Key Elements of the 2024 Privacy Rule
The 2024 Privacy Rule defines “reproductive health care” broadly to include health care as it “affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This could potentially include information not only related to pregnancy and abortion care but related to medications (such as hormone replacement therapy, birth control, or erectile dysfunction medication), procedures (such as mastectomies or hysterectomies), or notes related to the reproductive system (such as date of last period). This information is not easily identified and may be found in various locations in a medical record, including in notes obtained from other providers, which makes compliance difficult for Regulated Entities who likely do not have the resources to manually review each record for PHI related to lawful reproductive health care.
