On April 22, the Department of Health & Human Services’ Office for Civil Rights released a final rule that prohibits entities regulated by the HIPAA Privacy Rule from using or disclosing protected health information to investigate or prosecute patients, providers, or others involved in providing legal reproductive health services. The rule aims to protect patient privacy and ensure that protected health information is not misused in investigations or prosecutions related to reproductive health services.
In response to a request from the AHA, the final rule clarifies that hospitals can rely on the attestation and are not obligated to investigate the validity of the attestation provided by a person requesting a use or disclosure of PHI. This means that hospitals can trust the attestation provided by patients and providers when they request PHI related to reproductive health care.
The rule will go into effect 60 days after publication in the Federal Register and covered entities must be in compliance within 240 days. OCR plans to issue a model attestation form before the compliance date to assist covered entities with meeting the requirements of the final rule. This form will provide guidance on how to properly complete and submit an attestation, ensuring that PHI is only used for legitimate purposes related to reproductive health care.
