As of right now, covered entities under HIPAA must comply with Executive Order 14076, officially titled Protecting Access to Reproductive Healthcare Services (the “Rule”), by December 23 – less than two weeks from now. However, as a consequence of the 2024 presidential election results, there are questions regarding the enforcement of this regulation. Here’s what you need to consider.
The Rule was signed on July 8, 2022, by President Joe Biden. It is one of many actions taken by the Department of Health and Human Services (HHS) to protect access to and privacy of reproductive health care after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. The Dobbs decision has led to extreme state abortion bans and other restrictions on reproductive freedom in 21 states.
The Rule directs HHS, the Federal Trade Commission (FTC), and the Department of Justice (DOJ) to take and consider steps in their respective fields to protect reproductive healthcare services and access to them by:
- Safeguarding access to reproductive health care services, including abortion and contraception;
- Protecting the privacy of patients and their access to accurate information;
- Promoting the safety and security of patients, providers, and clinics; and
- Coordinating the implementation of Federal efforts to protect reproductive rights and access to health care.
The Rule establishes a ban on the use or disclosure of PHI by a HIPAA-covered entity (i.e., healthcare provider, health plan, healthcare clearinghouse) or their business associates (BAs) for any of the following:
- Criminal, civil, or administrative investigations into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare.
- Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare.
- Identifying any person for any purpose described above.
A covered entity or BA must obtain a written attestation that the information is not for a prohibited purpose before PHI potentially related to reproductive healthcare can be used or disclosed in the following circumstances:
- Health oversight activities.
- Judicial and administrative proceedings.
- Law enforcement purposes.
- Disclosures to coroners and medical examiners to identify a deceased person, determine cause of death, or other duties as authorized by law.
A valid attestation must contain the following:
- A description of the information requested, including the name of any individual(s) whose PHI is sought – or, if that’s not practicable, a description of the class of individuals whose PHI is sought.
- The name of the person who has been asked to make the PHI use or disclosure and the name of the person to whom it should be made.
- A statement that obtaining, using, or disclosing individually identifiable health information in violation of HIPAA may be subject to criminal penalties.
The attestation must be in plain language, signed by the requester, and must clearly state that the PHI is not for “criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive healthcare.” [1] Additionally, the Rule requires changes to the HIPAA notice of privacy practices (NPP) to reflect the heightened protections for reproductive health information.
With Donald J. Trump set to return to the White House in January, the healthcare industry should expect to see changes in the enforcement of the Rule. It is likely that the Trump administration will not support the changes that enhance the privacy of reproductive health information. It is also reasonable to expect the new administration to downplay any compliance obligations stemming from the Rule, and perhaps even to forgo enforcement efforts entirely.
While the exact actions and impact on the Rule remain uncertain, it is possible that the Trump administration could take administrative action to rescind the Rule entirely. The administration also could rework existing HIPAA protections so states have greater flexibility to require disclosure of reproductive health care information. Obviously, these circumstances will create further ambiguity for patients and the healthcare industry as a whole. It is recommended that healthcare compliance and privacy professionals continue to take steps to achieve compliance with the requirements of the Rule, while keeping in mind that significant changes may be on the horizon.
Susan is a healthcare compliance leader with over four decades working in a variety of administrative and managerial capacities, including strategic planning, regulatory oversight, revenue cycle risk mitigation, denial and appeal management, privacy and information security, healthcare advocacy, clinical department leadership, provider practice administration, risk management, and quality outcomes. Currently, Susan provides compliance and privacy consulting services to a variety of healthcare organizations, including program implementation, policy and procedure development, compliance and privacy training, and regulatory oversight administration.
Susan is a Certified Internal Auditor (CIA), Certified Healthcare Compliance (CHC), Certified Professional Coder (CPC) and holds a Certification in Risk Management (CRMA).