HIPAA Privacy Rule Model Attestation for Reproductive Health Information
Earlier we discussed the Office for Civil Rights (“OCR”) of the US Department of Health and Human Services final rules relating to reproductive health care information (the “Final Rules”). In our prior blog we discussed that OCR intended to issue a model attestation form to be used when requesting reproductive health care information from covered entities and their business associates. OCR recently issued the model attestation form.
Background
Health care providers, health plans and their business associates are prohibited from using or disclosing PHI when the PHI is requested to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances, or to identify any person relating to those activities (referred to as “Prohibited Purposes”).
When a covered entity or business associate receives a request for protected health information potentially related to reproductive health care, it must obtain a signed attestation that clearly states the requested use or disclosure is not for Prohibited Purposes, where the request is for PHI for any of the following –
Health oversight activities,
Judicial or administrative proceedings,
Law enforcement, or
Disclosures to coroners and medical examiners regarding decedents.
Model Attestation Form
OCR issued a model attestation form to use when requesting reproductive health information for the above purposes. The attestation form is only a model and is not legally required. Similar to a HIPAA authorization, attestations for reproductive health care information can be obtained and executed electronically.
An attestation must include the following elements –
A description of the information requested that identifies the information in a specific fashion,
The name or other specific identification of the persons, or class of persons, who are requested to make the use or disclosure,
The name or other specific identification of the persons, or class of persons, to whom the covered entity is to make the requested use or disclosure,
A clear statement that the use or disclosure is not for a Prohibited Purpose,
A statement that a person may be subject to criminal penalties if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person, and
The signature of the person requesting the protected health information, which may be an electronic signature, and date.
A covered entity or business associate is not permitted to rely on a completed attestation if --
It is missing any required element or statement or contains other content that is not required,
It is combined with other documents, except for documents provided to support the attestation,
Any material information in the attestation is known to be false, or
A reasonable covered entity or business associate in the same position would not believe the requestor’s statement that the use or disclosure is not for a prohibited purpose.
A new attestation for each specific use or disclosure request must be provided, and the covered entity or business associate must maintain a written copy of the completed attestation and any relevant supporting documents.
Key Takeaways
Compliance with the Final Rules and the attestation requirement commences on December 23, 2024. The Final Rules contain many unanswered questions and are vague and complex. Covered entities and business associates should review the Final Rules and create a compliance plan with respect to updating their policies and procedures, health plan documents, business associate agreements and privacy notices.
Disclaimer
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.