HIPAA Final Rule – Effective December 23, 2024
Recently, the government modified the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which impacts BU units subject to HIPAA. Below is the background on the law and guidance to assist you in complying with the new changes.
Background
HIPAA protects sensitive health information from disclosure without a patient’s consent. On April 22, 2024, the U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), issued a Final Rule to revise HIPAA (HIPAA Final Rule). The primary purpose of the HIPAA Final Rule is to support reproductive health care privacy. It prohibits the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances, mandates a signed attestation for certain requests, and requires a modification to the Notice of Privacy Practices (NPP). Compliance with the Final Rule is required by December 23, 2024, except for modifying the NPP, which isn’t required until February 16, 2026.
Guidance for BU’s HIPAA Components with the HIPAA Final Rule
Prohibition
BU’s HIPAA Components may not use or disclose PHI for any of the following activities:
- To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
- To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
- To identify any person for any purpose described above.
There are only two circumstances in which this prohibition does not apply: (1) there is actual knowledge that the reproductive health care was not lawful; or (2) factual information supplied by the person requesting the use or disclosure demonstrates a substantial factual basis that the reproductive health care was not lawful. However, prior to using and/or disclosing PHI for such activities, a supervisor or manager (as applicable) must be contacted, who will reach out to the HIPAA contact.
Attestation
BU’s HIPAA Components may not use or disclose PHI for the following purposes without obtaining a valid Attestation (which can be found on the HIPAA site) from the person requesting the PHI:
- Health Oversight Activities
- Law Enforcement Purposes
- Judicial or Administrative Proceedings
- Disclosures to Coroners and Medical Examiners
While the request is limited to PHI potentially related to reproductive health care, that can be extremely broad, so the Attestation should be completed if the request is for any of the purposes listed above, regardless of the gender of the individual and whether the request seems to be limited to reproductive health care.
Personal Representative
If a person says they are a personal representative of a patient, they may not be treated as such if it is believed:
- The individual has been or may be subjected to domestic violence, abuse, or neglect by such person;
- Treating such person as the personal representative could endanger the individual; and
- It is not in the best interest of the individual to treat the person as the individual’s personal representative.
This belief cannot be based on the fact that such person has helped or provided reproductive health care for and at the request of the individual. If there is uncertainty as to whether a person should be treated as the personal representative, a supervisor or manager (as applicable) should be contacted, who can reach out to the HIPAA contact, if necessary.
Victims of Abuse, Neglect, or Domestic Violence
The provision or facilitation of reproductive health care is not considered abuse, neglect, or domestic violence.
More Information
BU’s updated HIPAA policies related to these changes can be found on the BU HIPAA and Health Information Privacy Resources site.
Additional resources related to the HIPAA Final Rule can be found on the HHS website.
You can always reach out to hipaa@bu.edu with any questions you have, or check out the BU HIPAA and Health Information Privacy Resources site for more information about health privacy matters.