On April 22, the Department of Health and Human Services’ Office for Civil Rights published a final rule that prohibits entities governed by the HIPAA Privacy Rule from using or disclosing protected health information to investigate or prosecute patients, providers or others involved in the provision of legal reproductive health care. The rule requires covered entities to obtain a signed certification stating that certain requests for reproductive health-related PHI are not for prohibited purposes.
The final rule also clarifies that hospitals may rely on the attestation provided by the person requesting the use or disclosure of PHI and are not required to investigate the validity of the attestation. The rule will take effect 60 days after publication in the Federal Register, and covered entities must comply within 240 days.
In order to assist covered entities in meeting the requirements of the final rule, OCR plans to issue a model attestation form prior to the compliance date. This rule is intended to protect patient privacy and ensure that protected health information is not misused in investigations or prosecutions related to reproductive health services.