On April 22, 2024, the Department of Health and Human Services' Office for Civil Rights issued a new HIPAA Final Privacy Rule, requiring changes to HIPAA policies and procedures for organizations, group health plans, and business associates. The Final Rule includes requirements for increased protection of PHI related to reproductive health and treatment for substance abuse disorders. Organizations are expected to be compliant with these new requirements by December 23, 2024.
This article outlines the new requirements associated with the Final Rule and highlights Medbridge compliance courses that have been updated in accordance with the new HIPAA requirements.
- New Restrictions on the Use and Disclosure of PHI
- New Attestation Requirements
- New Notice of Privacy Practice (NPP) Disclosure Requirements
- Updates to Medbridge Compliance Courses
New Restrictions on the Use and Disclosure of PHI
The 2024 Privacy Rule restricts the use or disclosure of Protected Health Information (PHI) related to reproductive healthcare for prohibited reasons. These prohibited reasons include the following:
- Conducting a criminal, civil, or administrative investigation
- Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided
- Identifying an individual, health care provider, or other person for the purpose of initiating such an investigation or proceeding
The rule does not define reproductive healthcare information as a new subset of PHI; rather, it prohibits certain uses of it. This means that any PHI that could potentially be related to reproductive healthcare needs to be treated with an extra layer of protection.
New Attestation and Consent Form Requirements
In order to ensure this expanded, use-based protection, the 2024 Final Rule requires a signed and dated attestation to be obtained from any party requesting information that could be related to reproductive health, stating that it will not be used for prohibited purposes.
The US Department of Health and Human Services has released a model attestation form to use as a guide, which can be found here.
Additionally, the Final Rule requires a separate patient consent form for the use and disclosure of PHI related to Substance Abuse Disorder (SUD) treatment, including for treatment purposes. It also prohibits combining this release of information with consent to release for any non-treatment reasons, meaning further consent is required to release documentation for civil, criminal, administrative or legislative proceedings.
New Notice of Privacy Practice (NPP) Disclosure Requirements
In addition to adopting the new attestation requirements, healthcare organizations and covered entities need to update their Notice of Privacy Practice (NPP) Disclosure to disclose the new protections over reproductive healthcare privacy and, when applicable, protections surrounding PHI related to Substance Abuse Disorder treatment.
The following resources from the Department of Health and Human Services may be helpful references for creating and updating NPPs:
Organizations are required to have their NPPs updated by the compliance date of February 16, 2026.
Updates to Medbridge Compliance Courses
The following Medbridge courses have been updated to include education on the new Final Rule:
- HIPAA Microlearning: Practices to Protect Health Information
- HIPAA Microlearning: The Privacy Rule and Releasing Information
- HIPAA: Compliance Training for Front of Clinic and Office Staff
- HIPAA: Patient Privacy and Information Security in Home Health and Hospice
Resources:
Fact Sheet: 42 CFR Part 2 Final Rule - Confidentiality of Substance Use Disorder Patient Records
Fact Sheet: HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy
Note: The information and courses provided here are only recommendations. Each organization is responsible for ensuring its own compliance with applicable federal, state, and local laws and regulations and accreditation standards, as well as alignment with the needs of its patient population and staff. Always consult your company’s legal or compliance personnel with any questions or concerns related to this subject matter. These recommendations are not a substitute for legal advice for any individual provider or organization.