On June 25, 2024, changes to the HIPAA Privacy Rule aimed at supporting reproductive health care privacy went into effect. Last week, I published a blog post about these changes, including the creation of three new types of prohibited uses and disclosures of protected health information (PHI). This post addresses another major change to the law: a new attestation requirement that applies to four types of uses and disclosures when the PHI at issue is "potentially related" to reproductive health care. It is not just covered entities and business associates that need to understand this new requirement. Judicial officials, law enforcement, health oversight agencies, and medical examiners who frequently request PHI to carry out their official duties will likely encounter situations that require them to comply with the new attestation requirement, too.
Background
Numerous changes to the HIPAA Privacy Rule, including the new attestation requirement, are the result of a Final Rule that was published by the U.S. Department of Health and Human Services (HHS) on April 26, 2024. For more information about what prompted promulgation of the Final Rule, a summary of key changes, and an in-depth look at the Final Rule's creation of new prohibited uses and disclosures of PHI, please see this blog post.
Important Dates
The changes initiated by the Final Rule went into effect on June 25, 2024. Entities that must abide by HIPAA (covered entities and business associates) must come into compliance with these new requirements, including the attestation requirement, no later than December 23, 2024.
There is one exception: the required updates to covered entities' notices of privacy practices (NPPs), which are addressed in 45 CFR 164.520, do not have to be implemented until February 16, 2026.
The Attestation Requirement
The attestation requirement can be found at the new 45 CFR 164.509. Under this provision of the HIPAA Privacy Rule, covered entities and business associates are required to obtain a valid attestation from a party requesting PHI when both of the following are true:
The requestor is seeking the PHI for one of four types of uses/disclosures of PHI that already exist under the Privacy Rule (health oversight activities, judicial and administrative proceedings, certain law enforcement uses, and certain coroner/medical examiner uses); and
The PHI requested is "potentially related" to reproductive health care.
Before we dive into these two applicability criteria for the attestation requirement, let's first explore why HHS rolled out this new requirement in the first place.
Why Attestations?
If you read my earlier post on the Final Rule, you already know that one of the other major changes to the HIPAA Privacy Rule was the creation of new prohibitions against using or disclosing PHI to investigate or impose liability upon someone for seeking, obtaining, providing, or facilitating lawful reproductive health care, or using or disclosing PHI to identify someone for either of those purposes (hereinafter, the "three new prohibited uses/disclosures"). See 45 CFR 164.502(a)(5)(iii). This change is directly related to the new attestation requirement, which says that parties requesting PHI for certain purposes must provide covered entities/business associates with a written, signed attestation promising that they are not requesting PHI for one of the three new types of prohibited uses/disclosures.
The purpose of the attestation is to prevent someone who is seeking PHI for one of the three new prohibited uses/disclosures from using an existing, permissible pathway for disclosing PHI under HIPAA as a back door to obtain PHI that they intend to use for an impermissible purpose. As HHS explained in the preamble to the Final Rule, "This requirement will help ensure that these Privacy Rule permissions cannot be used to circumvent the new prohibition at 45 CFR 164.502(a)(5)(iii) [...]. The attestation requirement is intended to reduce the burden [on covered entities and business associates] of determining whether the PHI request is for a purpose prohibited under 45 CFR 164.502(a)(5)(iii)[...]." 89 FR 33030.
The Four Uses/Disclosures Requiring an Attestation
The new attestation requirement does not apply to all requests for PHI. An attestation is only necessary if someone is requesting PHI that is "potentially related" to reproductive health care for one of the following four purposes under HIPAA:
Health oversight activities (45 CFR 164.512(d)). This includes, for example, a health oversight agency auditing patient records to confirm that the covered entity or business associate is complying with the law.
Judicial and administrative proceedings (45 CFR 164.512(e)). This includes requests for PHI that come in the form of a subpoena or a court order so that the PHI may be used in an administrative, criminal, or civil case.
Law enforcement uses (45 CFR 164.512(f)). This includes disclosing PHI to law enforcement to assist with identifying a fugitive or suspect, providing information about a crime victim, etc.
Coroner and medical examiner uses (45 CFR 164.512(g)(1)). This would include disclosure of a decedent's PHI to a coroner or medical examiner for the purpose of determining cause of death.
Remember: an attestation is only required in these four situations if the requested PHI is "potentially related" to reproductive health care. But what does "potentially related" to reproductive health care mean? Let's discuss this next.
PHI "Potentially Related" to Reproductive Health Care
Although the Final Rule delivered a new definition of the term "reproductive health care" at 45 CFR 160.103, HHS did not explain what it means for PHI to be "potentially related" to such reproductive health care. In the preamble to the Final Rule, HHS acknowledged that this broad language may make it challenging to operationalize the attestation requirement but stated that the "potentially related" language is here to stay. HHS explained the agency's approach by saying: "[T]his will limit the number of requests that require an attestation, and therefore, the burden of the attestation requirement on regulated entities and persons requesting PHI. [...] By narrowing the scope of the attestation to PHI 'potentially related to reproductive health care,' the attestation requirement will not unnecessarily interfere with or delay law enforcement investigations that do not involve PHI 'potentially related to reproductive health care.' While in practice this scope may be broad, we believe the privacy interests of individuals who have obtained reproductive health care necessitates the inclusion of 'potentially related' PHI."
Trying to determine whether specific PHI is "potentially related" to reproductive health care? In addition to reviewing the new definition of "reproductive health care" at 45 CFR 160.103, check out this blog post for more information, including a non-exhaustive list of health services that HHS says constitute reproductive health care under HIPAA.
Elements of an Attestation
A list of the required elements of an attestation can be found at 45 CFR 164.509. Many of the required elements of an attestation mirror the core elements of a HIPAA authorization, but there are a few differences, including two required elements of an attestation that are worth highlighting here. An attestation must include:
A statement that the purpose for which the PHI is requested is not one of the new prohibited uses or disclosures described at 45 CFR 164.502(a)(5)(iii).
A statement that the party requesting the PHI could be subject to criminal penalties under 42 USC 1320d-6 if that person knowingly and in violation of HIPAA obtains someone's individually identifiable health information (IIHI) (of which PHI is a subset) or discloses IIHI to another person.
The attestation must be signed by the requestor (electronic signatures are permissible). It is important to note that the requestor is not required to use an attestation form provided by the covered entity or business associate; a form created by the requestor that meets the requirements of 45 CFR 164.509 is sufficient. To avoid creating additional burdens for requestors, the law also prohibits covered entities and business associates from adding elements to the attestation form beyond those that are required under 45 CFR 164.509, which is to say, they cannot demand more information from the requestor than what the attestation form already requires. As with HIPAA authorizations, attestations may not be combined with other forms; however, a requestor may elect to attach supporting documentation for their request for PHI (e.g., a subpoena or court order) and submit it alongside the attestation. 89 FR 33030.
Shortly after the Final Rule was published, HHS announced that it would publish model attestation language before December 23, 2024 (the compliance date for the attestation requirement). That model attestation document was released on June 28, 2024 and is available here on HHS's website.
Steps for Handling a Request for PHI that Requires an Attestation
Remember: the new attestation requirement only applies if (1) the requestor is seeking PHI that is "potentially related" to reproductive health care (2) for one of the following four purposes: health oversight activities, judicial and administrative proceedings, certain law enforcement uses, and certain coroner/medical examiner uses. As a first step, the covered entity or business associate should assess the request for PHI and determine whether both of these criteria are met.
If both criteria are satisfied, then the covered entity or business associate should make sure that an attestation was submitted alongside the request. If the requestor did not submit an attestation, the covered entity or business associate might reach out to make the requestor aware of the attestation requirement, and could provide their organization's own standard attestation form, if they have one. It is important that the covered entity or business associate closely review the attestation to confirm it is valid, as release of PHI based on a defective attestation is a HIPAA violation.
Next, if the attestation is valid, then the covered entity or business associate should conduct its usual analysis to confirm that the criteria for the type of disclosure are met before releasing any PHI. For example, if the attestation was submitted alongside a subpoena for PHI for use in a judicial proceeding, then the covered entity or business associate must make sure that the usual requirements under 45 CFR 164.512(e)(1)(ii) for disclosing PHI pursuant to a subpoena are met. This would include receiving satisfactory assurance that there were reasonable efforts to notify the patient of the request for the patient's PHI or to secure a qualified protective order. If the attestation is valid and all the other requirements for making the disclosure are satisfied, then the PHI may be released. The covered entity or business associate should retain a copy of the attestation as required under 45 CFR 164.530(j) and document the disclosure per 45 CFR 164.528.
Frequently Asked Questions
Q1: Does the new attestation requirement apply to all requests for PHI (e.g., individuals requesting their own health information, or a treating provider requesting a patient's PHI for treatment purposes)?
A1: No. The new attestation requirement only applies if (1) the requestor is seeking PHI that is "potentially related" to reproductive health care (2) for one of the following four purposes: health oversight activities, judicial and administrative proceedings, certain law enforcement uses, and certain coroner/medical examiner uses.
Q2: My organization is a covered entity and just received a subpoena or court order for PHI that is "potentially related" to reproductive health care, but the requestor did not submit an attestation. Can my organization just ignore this request?
A2: No. You should not ignore a subpoena or court order. Subpoenas and court orders typically have deadlines by which you are required to respond, and ignoring a subpoena or court order can have serious legal consequences. If your organization receives a subpoena or court order, you should promptly notify your attorney, who can help you navigate deadlines for a response and assess the scope and validity of the subpoena or court order. If an attestation is required but was not submitted by the party that issued the subpoena or court order, your attorney may be able to help you notify that judicial official to make them aware of the attestation requirement.
Q3: I am a judicial official, law enforcement officer, health oversight agency, or coroner/medical examiner and I expect that my request for PHI will trigger the new attestation requirement. Where can I get a copy of an attestation to fill out?
A3: Many covered entities and business associates will likely develop their own standard attestation forms, in which case you could contact that entity directly and ask for a copy of their form. Alternatively, and since requestors are not required to use a covered entity or business associate's own form, you could draft your own attestation that includes all the required elements set out at 45 CFR 164.509. HHS has published model attestation language that can be viewed here on HHS's website.
Q4: My organization is a covered entity and we recently released PHI in accordance with HIPAA and pursuant to a valid attestation; however, since then, we have become aware that the requestor misrepresented their intentions when submitting the attestation and is actually using the PHI for a prohibited purpose under 45 CFR 164.502(a)(5)(iii). What should we do?
A4: Under the new 45 CFR 164.509(d), if a covered entity or business associate "discovers information reasonably showing that any representation made in the attestation was materially false" and PHI was or is being disclosed based on that attestation, then the covered entity or business associate must cease the disclosure.
Pursuant to 45 CFR 164.509(c)(v), if the requestor of the PHI knowingly requested and obtained the PHI for a purpose prohibited under HIPAA, then the requestor could be subject to penalties under 42 USC 1320d-6. This includes, but is not limited to, fines of up to $250,000 or imprisonment of not more than 10 years, depending on the nature of the offense.
Additional Resources
During a June 20, 2024 webinar on the Final Rule, HHS indicated that it would continue to update and add to its existing guidance on the Final Rule, which is available here.
Questions?
Do you have questions about this new attestation requirement? Feel free to send me an email at kirsten@sog.unc.edu.