HIPAA Privacy Rule To Support Reproductive Healthcare Privacy Compliance 1st Talk Compliance podcast

Content provided by First Healthcare Compliance. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by First Healthcare Compliance or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

1st Talk Compliance »
HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Compliance

22h ago 20:10

MP3•Episode home

In this episode of 1^st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, to discuss the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy, passed in 2024. With the reproductive healthcare landscape being very dynamic, this new rule has already passed one compliance date, with a second important date coming in February 2026.

Tune in to learn about this new rule, and what it means in terms of reproductive health, patient privacy, and the legality between different states. In addition, learn some best practices for implementing the requirements of this rule into your practice.

Kevin Chmura

Rachel, thank you for joining us. Appreciate you joining us and looking forward to a timely discussion.

Rachel V. Rose

Thank you, Kevin, for having me, as well as to Panacea and First Healthcare Compliance, it’s always my pleasure to coordinate and converse with you on our favorite healthcare compliance topics.

Kevin Chmura

And it’s always great having you helping us with this and your expertise is invaluable. And you helped us and were the contributor, really writer, of an e-book on this particular subject that will be released very soon. Really this podcast is somewhat of a companion piece to that. And so what we’re talking about today is the HIPAA privacy rule to support reproductive health care privacy, passed in 2024.

Reproductive health is a prominent and evolving topic within the healthcare policy landscape. It really, major changes have come down in recent years, and so there’s just a ton. So we thought it would be great to publish a book to get everybody up to speed and, but moreover, this podcast is an opportunity for people to hear directly from the person who helped us develop that. And that is Rachel. So, Rachel, I wonder, can you just start off by giving us a synopsis of the 2024 Final Rule, maybe some key terms we should be thinking about?

Rachel V. Rose

Sure. As you mentioned, Kevin, the reproductive healthcare landscape is very dynamic and the rule itself was issued on April 22nd of 2024 with an effective date of June 25th of 2024. And basically what an effective date does is to start the clock running as to when certain requirements need to be implemented. In this particular rule, which I will refer to as the HIPAA Reproductive Rule, has two prongs of compliance dates. The first already passed and that had to be done by December 23rd, 2024.

And for your clients who were with First Healthcare Compliance or Panacea at the time, they were able to access FAQs. And the first prong of the requirements really addressed every applicable item that I’ll run through, with the exception of the notice of privacy practices. Now, for anyone who’s been in the healthcare sector for a long time, and for anyone who goes to the doctor, a dentist or even a pharmacy to pick something up, we all know we have to sign the HIPAA authorization form, and then covered entities are required to post their notice of privacy practices.

So the updated privacy practices, which need to include some of the reproductive health requirements among other items, does not need to be done until February 16 of 2026. So this is similar to the staggering of the compliance dates which we saw with the Final OmnibusRrule, which was published in the Federal Register, it’s hard to believe, but going on over 12 years ago and that was January 25th of 2013.

Now specifically, the HIPAA reproductive rule really prohibits the disclosure of protected health information related to in these terms I need you to focus on: lawful reproductive health care in certain circumstances. And the reason it’s important is because legal means that whatever service or good is being sought, it has to be legal within the jurisdiction where the individual is receiving that care or that good, so to speak.

And so if we want to take certain types of surgeries or certain types of procedures that in a viable fetus’s life, then you need to be in a jurisdiction or a state where that is permissible. So the terms are the meaning of a person. What is a person? If you read the Final Rule, it means a natural person, meaning a human being that is born alive, a trust or estate, a partnership, corporation, professional association or corporation, or other entity, public or private.

And this definition is common. It was adopted by the U.S. Supreme Court several years ago. So when someone says a person, it can mean either an individual human being or one of the other more business-oriented items. Now, public health is also a term. And for this Final Rule, it’s used in terms of public health surveillance, public health investigation and public health intervention, and this means population level activities to prevent disease in, or promote the health of, populations.

For those who are familiar with HIPAA, there has always been what’s known as the public health exception, and that has limited applicability. But one of the exceptions is to report a positive test for a communicable disease. We saw this during COVID. It is required for sexually transmitted diseases and other kinds of diseases. We’re seeing it now with all of the media attention on measles and those types of conditions.

What’s important to note about public health is that those activities, which include identifying, monitoring, preventing or mitigating ongoing or prospective threats to health or safety, do not include any of the three following purposes, and that’s: to conduct a criminal, civil or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating health care. Secondly, to impose criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating health care. And lastly, to identify any person for the activities that I just described.

And I’m often asked, well, Rachel, what do you mean? If I’m seeking and what do you mean about going to a different jurisdiction? And for those who are familiar with the old school drinking age laws, for example, in Louisiana, the age used to be eighteen.

So if you were eighteen, even though you were a Texas resident and went over the border to drink in Louisiana, it was legal and there was nothing that Texas could do as you were coming across the border. Now, intoxication while driving is a separate animal. But just because a person went over the border to drink in a jurisdiction or a state where it was legal doesn’t mean that Texas had any recourse against that person so long as they were sober coming back over the border. Right.

A similar situation with reproductive health care. And that’s what the focus of this privacy is, if a person goes to a state to seek certain types of care, and the two areas that seem to be at issue particularly are surgical abortions or transgender care, especially as it relates to minors. So the other key term that everyone needs to be familiar with, and that should be in policies and procedures as well as training, is the term reproductive healthcare, and that means healthcare that’s been defined in this particular section, that affects the health of an individual and all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth the standard of care or regulate what constitutes clinically appropriate reproductive healthcare.

So what HHS, OCR said here is we are not looking to step into the shoes of the physician and determine what is appropriate under certain circumstances. We are not involved in the practice of medicine. We are just giving a roadmap of what is particular. And everything I just read really comports with the July 2022 opinion in Dobbs versus Jackson Women’s Health Organization, which overturned Roe v Wade.

And what’s important about that opinion is actually Justice Kavanaugh’s concurrence. And it’s important because just as I mentioned, going across state lines to receive care or use the purchase and consumption of alcohol situation, by way of analogy. Justice Kavanaugh expressly stated that nothing in this opinion is meant to contradict or inhibit any other part of the Constitution, and interstate commerce is expressly stated in our Constitution.

So really everything is aligned with Dobbs as well as the opinions in the case.

Kevin Chmura

Yeah, it’s a great, great rundown. It’s impossible to talk about reproductive health in any context over the last several years in America without intersecting with Dobbs some way or another, right? That’s the seismic shift and I’m glad you touched on that. I think that’s a real critical area. And so, you know, the Final Rule is in concert with, or interacts is I guess a better way of saying it, considers Dobbs in the rule itself in all of the areas of Dobbs, correct?

Rachel V. Rose

That’s absolutely correct, Kevin. And it goes back to that legally attainable reproductive health care, right? So if you’re in a jurisdiction where it’s not permissible or it’s not legal, then this rule is not going to help you on that front, right? It’s meant for individuals who are seeking care in a jurisdiction where it’s legal and nothing in this final rule tries to interfere with that.

But it does make clear that just because someone goes across to seek care in another jurisdiction when they come back to their home state, the home state really has no recourse against them.

Kevin Chmura

By the way, I’m just old enough to remember my oldest brother driving over the border from New Jersey to New York for the 18-year-old drinking age. I was not so lucky. But, so that’s a great analogy and it’s a great way of looking at it. So are there any other compliance items or dates that are critical that we should be thinking about?

Rachel V. Rose

Well, as we mentioned from the outset, individuals and covered entities, etc. should have had the attestations which are now under 45 CFR Section 164.509. This is new as part as of the reproductive HIPAA rules and here regulated entities are required to obtain an attestation when it receives a request for PHI potentially related to reproductive health care. So what they need to do is first, create the attestation. Second, obtain the attestation from the requester that the use or disclosure is not for a prohibited purpose, and a prohibited purpose would be for health oversight activities, law enforcement purposes, and disclosures to coroners and medical examiners.

So from these three bullet points, I would recommend A. Training the people who actually handle the medical records for your organization and making sure that they understand that if one of these requests are made and if you’re working in an OBGYN practice, it’s probably pretty easy, right? To make this a normal part of the processes. For other types of specialties, it might not be as common, but still training needs to occur. There is already a law enforcement exception under HIPAA and that’s found at CFR 164.512. But as we know, even with that law enforcement exception, it safeguards our due process, right? So really, this serves as a further safeguard so that law enforcement is not trying to get around the normal processes such as going to court, getting a warrant, getting a subpoena.

I would recommend having an outside legal counsel review the requests, especially for the first few of them, snd also, if something just doesn’t seem appropriate. So that’s what I would recommend doing. And then we have a little bit of time left until February 16th of 2026, and that’s when covered entities are going to be required to update their notice of privacy practices to reflect changes to both the HIPAA Privacy Rule by including this reproductive component, as well as 42 CFR Part Two, which is more relevant to substance abuse and mental health disorders. And that relates more to SAMHSA, the Substance Abuse and Mental Health Services Administration.

Kevin Chmura

That’s great. So throughout there you touched on Ithink a number of best practices necessary, but also best practices. Wonder for the listeners, maybe we wrap with as much advice as you’re willing to give to folks on how best to comply, what they should be thinking about immediately.

Rachel V. Rose

Sure. So I think one thing to think about, if you haven’t already implemented what should have been implemented in December of 2024, I would jump on that. Secondly, what is your electronic health record doing? Are you working with your organization’s IT and provider to have a tab in the individual’s medical record, which requires a separate audit log and log in for sensitive information related to reproductive healthcare items?

Psychotherapy note should already be in there if it’s that type of practice or the 42 CFR Part Two, so the substance use disorder item. So that’s one area to focus on there. Another area is the revised notices and there should be a separate provision that documents the Part Two changes. And then lastly, as part of the annual HIPAA risk analysis, I would absolutely recommend having the auditor include these facets of the HIPAA Reproductive Rule into the risk analyses so that you can ensure that it is covered.

Kevin Chmura

That’s great and auditors are always looking for one more thing to audit for. So I’m sure that the audit community is happy to hear that. So Rachel, I think this has been great. I, we really appreciate it. This is a timely topic, probably one that’s worth revisiting as we move through February Compliance dates, and then into the future to probably talk about enforcement and other things that are happening all around this, because this is a topic that’s evolving and we’re coming into the middle of.

So I would like to thank you for joining us and providing us so much information. Thank you.

Rachel V. Rose

Oh, you’re most welcome, Kevin. And as always, thank you for having me as your guest.

Kevin Chmura

And we look forward to bringing you back to continue the discussion on this. Thank you.

Rachel V. Rose

Thank you.

268 episodes

#Business News #Healthcare Compliance #1st Talk Compliance #News