HIPAA Privacy Rule Model Attestation for Reproductive Health Information

Earlier we discussed the final rules relating to reproductive health care information (the “Final Rules”) issued by the Office for Civil Rights (“OCR”) of the US Department of Health and Human Services. In our prior blog post, we noted that OCR intended to issue a model attestation form to be used when requesting reproductive health care information from covered entities and their business associates. OCR recently issued the model attestation form.

Background

Health care providers, health plans and their business associates are prohibited from using or disclosing PHI when the PHI is requested to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances, or to identify any person relating to those activities (referred to as “Prohibited Purposes”). 

When a covered entity or business associate receives a request for protected health information potentially related to reproductive health care, it must obtain a signed attestation that clearly states the requested use or disclosure is not for Prohibited Purposes, where the request is for PHI for any of the following –

Health oversight activities,

Judicial or administrative proceedings,

Law enforcement, or

Disclosures to coroners and medical examiners regarding decedents.

Model Attestation Form

OCR issued a model attestation form to use when requesting reproductive health information for the above purposes.  The attestation form is only a model and is not legally required.  Similar to a HIPAA authorization, attestations for reproductive health care information can be obtained and executed electronically. 

An attestation must include the following elements –

A description of the information requested that identifies the information in a specific fashion,

The name or other specific identification of the persons, or class of persons, who are requested to make the use or disclosure,

The name or other specific identification of the persons, or class of persons, to whom the covered entity is to make the requested use or disclosure,

A clear statement that the use or disclosure is not for a Prohibited Purpose,

A statement that a person may be subject to criminal penalties if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person, and 

The signature of the person requesting the protected health information, which may be an electronic signature, and date. 

A covered entity or business associate is not permitted to rely on a completed attestation if –

It is missing any required element or statement or contains other content that is not required,

It is combined with other documents, except for documents provided to support the attestation,

Any material information in the attestation is known to be false, or

A reasonable covered entity or business associate in the same position would not believe the requestor’s statement that the use or disclosure is not for a Prohibited Purpose.

A new attestation for each specific use or disclosure request must be provided, and the covered entity or business associate must maintain a written copy of the completed attestation and any relevant supporting documents.  

Key Takeaways

Compliance with the Final Rules and the attestation requirement commences on December 23, 2024. The Final Rules are vague and complex and leave many questions unanswered. Covered entities and business associates should review the Final Rules and create a compliance plan with respect to updating their policies and procedures, health plan documents, business associate agreements and privacy notices.
