Benefits Law Update
        Practical advice from Verrill attorneys

        HHS Issues Model Attestation Required by Final HIPAA Regulations Supporting Reproductive Health Care Privacy

        by Karen K. Hartford on August 1, 2024

        On April 26, 2024, the U.S. Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) published Final Regulations under HIPAA’s Privacy Rule introducing greater protections for information related to reproductive health care. One aspect of the Final Regulations requires all covered entities, including self-insured group health plans and all business associates, to obtain, under certain circumstances, an attestation meeting specified content requirements from anyone seeking information potentially related to reproductive health care. HHS issued a Model Attestation at the end of July, and self-insured group health plans are urged to use it.

        The Final Regulations

        Generally, the Final Regulations limit uses and disclosures of Protected Health Information (PHI)[1] “potentially relating to reproductive health care” for certain non-healthcare purposes if the health care was legal under federal law or the law of the state in which the services were provided. The Regulations do not elaborate upon the meaning of “potentially related to,” but the language clearly requires a broad interpretation. “Reproductive health care” is defined by the Regulations to mean “health care . . . that affects the health of an individual in matters relating to the reproductive system and its functions and processes.” The Preamble to the Final Regulations includes a non-exhaustive list of services that constitute reproductive health care, including contraception, preconception screening and counseling, managing pregnancy and pregnancy-related conditions, fertility and infertility diagnosis and treatment, the diagnosis and treatment of conditions affecting the reproductive system, and other types of care, services, and supplies used for diagnosing and treating conditions related to the reproductive system.

        The Final Regulations prohibit the use and disclosure of PHI for the following non-healthcare purposes:

        1. To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it was provided;
        2. To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it was provided; and
        3. To identify any person for any purpose described in the above two prohibitions.

        Notably, the Regulations include a presumption that reproductive health care is lawful unless the covered entity has actual knowledge that it is not or receives information from the person requesting the use or disclosure that provides a substantial factual basis that the care was unlawful.

        The Attestation

        Under the Regulations, if a covered entity or business associate receives a request for PHI potentially related to reproductive health care, for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or for the authorized duties and activities of coroners and medical examiners—all uses or disclosures which would otherwise be permitted under existing provisions of the HIPAA Privacy Rule—then the covered entity or business associate must obtain an attestation from the person or entity requesting the use or disclosure, meeting specific form and content requirements.

        Specifically, the Regulations require that the attestation be written in plain English. The attestation may be electronic, but an attestation will not be valid if it is combined with other documents or if it contains information not required under the Final Regulations.

        Additionally, pursuant to Regulation § 164.509(c)(1), the attestation must include the following content:

        1. A description of the information requested that identifies the information in a specific fashion, including one of the following: (a) the name of any individual(s) whose PHI is sought, if practicable; or if not practicable, (b) a description of the class of individuals whose PHI is sought.
        2. The name or other specific identification of the person(s) or class of persons who are requested to make the use or disclosure.
        3. The name or other specific identification of the person(s) or class of persons to whom the covered entity is to make the requested use or disclosure.
        4. A clear statement that the use or disclosure is not for one of the prohibited purposes described above.
        5. A statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person.
        6. The signature of the person requesting the protected health information, which may be an electronic signature, and the date. If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided.

        The Model Attestation meets all of the requirements to be a valid attestation, and sponsors of self-insured group health plans are encouraged to use it to avoid challenges to the attestation’s validity. Plan sponsors will need to educate their employees with access to PHI about the new rules, develop a process for collecting valid attestations, and review their current business associate agreements and policy and procedure materials to determine whether amendments are required.

        The Final Regulations include other changes and requirements that will have a broader impact on HIPAA administration, training, policies, and procedures, including required updates to the Notice of Privacy Practices, which are beyond the scope of this post.

        The Final Regulations became effective on June 25, 2024. Except for the changes to the Notice of Privacy Practices, compliance is required by December 23, 2024. Updates to the Notice of Privacy Practices must be made no later than February 16, 2026.

        If you have questions about the Final Regulations or the requirements of the written attestation, please contact a member of Verrill’s Employee Benefits & Executive Compensation Group.


        [1] In general, PHI is any information about health status, provision of health care, or payment for health care that is created or collected by a covered entity, such as a self-insured group health plan, and that can be linked to a specific individual.
