In April 2024, regulations were issued specific to strengthening protections to those that receive reproductive health care without risk of their identity or protected health information (PHI) being released to conduct a criminal, civil or administrative investigation for the act of seeking, obtaining, providing or facilitating reproductive health care where the care is lawful under the circumstances, or to identify any person related to such activities (prohibited purposes).
These regulations are intended to protect individuals who receive services related to reproductive health care defined very broadly as health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. These regulations restrict the release of certain reproductive health information. The rules require that if such information is released for a permissible purpose the individual receiving the information must attest to the fact that it will only be used for a permissible purpose. The regulations further provide that the HIPAA Notice of Privacy Practices must accurately reflect this protection.
Attestation
When a covered entity or business associate receives a request for PHI related to reproductive health care, a signed attestation must be received that indicates the use or disclosure is not for prohibited purposes, when the request is used for health oversight activities, judicial or administrative reasons, law enforcement or disclosure to medical examiners.
As a reminder under HIPAA a covered entity is health care provider, a health plan, or a health care clearinghouse.
A model attestation form can be found here. Under the final rule, a covered entity or business associate must, by December 23, amend policies and procedures, ensure workforce training and start using the attestation by February 2026 the Notice of Privacy Practices must be amended.
Beginning February 16, 2026, group health plans and insurers must have an updated Notice of Privacy Practices that includes a description, along with examples of the prohibited uses and disclosures of PHI and when an attestation is required.
Most often, employers sponsoring health plans engage business associates to perform these types of duties. Employers should review their business associate agreements and amend as appropriate to make certain that business associate agreements comply with these requirements.
Litigation is already in the works on these regulations, and we will update this topic as more information becomes available.
The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations. This information is provided as general guidance and may be affected by changes in law or regulation. This information is not intended to replace or substitute for accounting or other professional advice. You must consult your own attorney or tax advisor for assistance in specific situations. This information is provided as-is, with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.
© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.
“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.