Saturday, July 6, 2024

The New Attestation Requirement – North Carolina Criminal Law


On June 25, 2024, changes to the HIPAA Privacy Rule aimed at supporting reproductive health care privacy went into effect. Last week, I published a blog post about these changes, including the creation of three new types of prohibited uses and disclosures of protected health information (PHI). This post addresses another major change to the law: a new attestation requirement that applies to four types of uses and disclosures when the PHI at issue is “potentially related” to reproductive health care. It’s not just covered entities and business associates that need to understand this new requirement: judicial officials, law enforcement, health oversight agencies, and medical examiners who frequently request PHI to carry out their official duties will likely encounter situations that require them to comply with the new attestation requirement, too.

Background

Numerous changes to the HIPAA Privacy Rule, including the new attestation requirement, are the result of a Final Rule that was published by the U.S. Department of Health and Human Services (HHS) on April 26, 2024. For more information about what prompted promulgation of the Final Rule, a summary of key changes, and an in-depth look at the Final Rule’s creation of new prohibited uses and disclosures of PHI, please see this blog post.

Important Dates

The changes initiated by the Final Rule went into effect on June 25, 2024. Entities that must abide by HIPAA (covered entities and business associates) must come into compliance with these new requirements, including the attestation requirement, no later than December 23, 2024.

There is one exception: the required updates to covered entities’ notices of privacy practices (NPPs), which are addressed in 45 CFR 164.520, don’t need to be implemented until February 16, 2026.

The Attestation Requirement

The attestation requirement can be found at the new 45 CFR 164.509. Under this provision of the HIPAA Privacy Rule, covered entities and business associates are required to obtain a valid attestation from a party requesting PHI when both of the following are true:

  • The requestor is seeking the PHI for one of four types of uses/disclosures of PHI that already exist under the Privacy Rule (health oversight activities, judicial and administrative proceedings, certain law enforcement uses, and certain coroner/medical examiner uses); and
  • The PHI requested is “potentially related” to reproductive health care.

Before we dive into these two applicability criteria for the attestation requirement, let’s first explore why HHS rolled out this new requirement in the first place.

Why Attestations?

If you read my earlier post on the Final Rule, you already know that one of the other major changes to the HIPAA Privacy Rule was the creation of new prohibitions against using or disclosing PHI to investigate or impose liability upon someone for seeking, obtaining, providing, or facilitating lawful reproductive health care, or using or disclosing PHI to identify someone for either of those purposes (hereinafter, the “three new prohibited uses/disclosures”). See 45 CFR 164.502(a)(5)(iii). This change is directly related to the new attestation requirement, which says that parties requesting PHI for certain purposes must provide covered entities/business associates with a written, signed attestation promising that they are not requesting PHI for one of the three new types of prohibited uses/disclosures.

The purpose of the attestation is to prevent someone who is seeking PHI for one of the three new prohibited uses/disclosures from using an existing, permissible pathway for disclosing PHI under HIPAA as a back door to obtain PHI that they intend to use for an impermissible purpose. As HHS explained in the preamble to the Final Rule, “This requirement will help ensure that these Privacy Rule permissions cannot be used to circumvent the new prohibition at 45 CFR 164.502(a)(5)(iii) (…). The attestation requirement is intended to reduce the burden (on covered entities and business associates) of determining whether the PHI request is for a purpose prohibited under 45 CFR 164.502(a)(5)(iii)(…).” 89 FR 33030.

The Four Uses/Disclosures Requiring an Attestation

The new attestation requirement does not apply to all requests for PHI. An attestation is only necessary if someone is requesting PHI that is “potentially related” to reproductive health care for one of the following four purposes under HIPAA:

  • Health oversight activities (45 CFR 164.512(d)). This includes, for example, a health oversight agency auditing patient records to confirm that the covered entity or business associate is complying with the law.
  • Judicial and administrative proceedings (45 CFR 164.512(e)). This includes requests for PHI that come in the form of a subpoena or a court order so that the PHI may be used in an administrative, criminal, or civil case.
  • Law enforcement uses (45 CFR 164.512(f)). This includes disclosing PHI to law enforcement to assist with identifying a fugitive or suspect, providing information about a crime victim, etc.
  • Coroner and medical examiner uses (45 CFR 164.512(g)(1)). This would include disclosure of a decedent’s PHI to a coroner or medical examiner for the purpose of determining cause of death.

Remember: an attestation is only required in these four situations if the requested PHI is “potentially related” to reproductive health care. But what does “potentially related” to reproductive health care mean? Let’s discuss this next.

PHI “Potentially Related” to Reproductive Health Care

Although the Final Rule delivered a new definition of the term “reproductive health care” at 45 CFR 160.103, HHS did not explain what it means for PHI to be “potentially related” to such reproductive health care. In the preamble to the Final Rule, HHS acknowledged that this broad language may make it challenging to operationalize the attestation requirement but stated that the “potentially related” language is here to stay. HHS explained the agency’s approach by saying: “(T)his will limit the number of requests that require an attestation, and therefore, the burden of the attestation requirement on regulated entities and persons requesting PHI. (…) By narrowing the scope of the attestation to PHI ‘potentially related to reproductive health care,’ the attestation requirement will not unnecessarily interfere with or delay law enforcement investigations that do not involve PHI ‘potentially related to reproductive health care.’ While in practice this scope may be wide, we believe the privacy interests of individuals who have obtained reproductive health care necessitates the inclusion of ‘potentially related’ PHI.”

Trying to determine whether specific PHI is “potentially related” to reproductive health care? In addition to reviewing the new definition of “reproductive health care” at 45 CFR 160.103, take a look at this blog post for more information, including a non-exhaustive list of health services that HHS says constitute reproductive health care under HIPAA.

Elements of an Attestation

A list of the required elements of an attestation can be found at 45 CFR 164.509. Many of the required elements for an attestation mirror the core elements of a HIPAA authorization, but there are a few differences, including two required elements of an attestation that are worth highlighting here. An attestation must include:

  • A statement that the purpose for which the PHI is requested is not one of the new prohibited uses or disclosures described at 45 CFR 164.502(a)(5)(iii).
  • A statement that the party requesting the PHI could be subject to criminal penalties under 42 USC 1320d-6 if that person knowingly and in violation of HIPAA obtains someone’s individually identifiable health information (IIHI) (of which PHI is a subset) or discloses IIHI to another person.

The attestation must be signed by the requestor (electronic signatures are permissible). It is important to note that the requestor is not required to use an attestation form provided by the covered entity or business associate; a form created by the requestor that meets the requirements of 45 CFR 164.509 is sufficient. To avoid creating additional burdens for requestors, the law also prohibits covered entities and business associates from adding elements to the attestation form beyond those that are required under 45 CFR 164.509, which is to say, they cannot demand more information from the requestor than what the attestation form already requires. As with HIPAA authorizations, attestations may not be combined with other forms; however, a requestor may elect to attach supporting documentation for their request for PHI (e.g., a subpoena or court order) and submit it alongside the attestation. 89 FR 33030.

Shortly after the Final Rule was published, HHS announced that it would publish model attestation language before December 23, 2024 (the compliance date for the attestation requirement). That model attestation document was released on June 28, 2024 and is available here on HHS’s website.

Steps for Handling a Request for PHI that Requires an Attestation

Remember: the new attestation requirement only applies if (1) the requestor is seeking PHI that is “potentially related” to reproductive health care (2) for one of the following four purposes: health oversight activities, judicial and administrative proceedings, certain law enforcement uses, and certain coroner/medical examiner uses. As a first step, the covered entity or business associate should assess the request for PHI and determine whether both of these criteria are met.

If both criteria are satisfied, then the covered entity or business associate should ensure that an attestation was submitted alongside the request. If the requestor did not submit an attestation, the covered entity or business associate may reach out to make the requestor aware of the attestation requirement, and may provide their organization’s own standard attestation form, if they have one. It is important that the covered entity or business associate closely review the attestation to confirm it is valid, as release of PHI based on a defective attestation is a HIPAA violation.

Next, if the attestation is valid, then the covered entity or business associate should conduct its usual analysis to confirm that the criteria for the type of disclosure are met before releasing any PHI. For example, if the attestation was submitted alongside a subpoena for PHI for use in a judicial proceeding, then the covered entity or business associate must make sure that the usual requirements under 45 CFR 164.512(e)(1)(ii) for disclosing PHI pursuant to a subpoena are met. This would include receiving satisfactory assurance that there were reasonable attempts to notify the patient of the request for the patient’s PHI or to secure a qualified protective order. If the attestation is valid and all the other requirements for making the disclosure are satisfied, then the PHI may be released. The covered entity or business associate should retain a copy of the attestation as required under 45 CFR 164.530(j) and document the disclosure in accordance with 45 CFR 164.528.

Frequently Asked Questions

Q1: Does the new attestation requirement apply to all requests for PHI (e.g., individuals requesting their own health information, or a treating provider requesting a patient’s PHI for treatment purposes)?

A1: No. The new attestation requirement only applies if (1) the requestor is seeking PHI that is “potentially related” to reproductive health care (2) for one of the following four purposes: health oversight activities, judicial and administrative proceedings, certain law enforcement uses, and certain coroner/medical examiner uses.

Q2: My organization is a covered entity and just received a subpoena or court order for PHI that is “potentially related” to reproductive health care, but the requestor did not submit an attestation. Can my organization just ignore this request?

A2: No, you should not ignore a subpoena or court order. Subpoenas and court orders usually have deadlines by which you are required to respond, and ignoring a subpoena or court order can have serious legal consequences. If your organization receives a subpoena or court order, you should promptly notify your attorney, who can help you navigate deadlines for a response and assess the scope and validity of the subpoena or court order. If an attestation is required but was not submitted by the party that issued the subpoena or court order, your attorney may be able to help you notify that judicial official to make them aware of the attestation requirement.

Q3: I am a judicial official, law enforcement officer, health oversight agency, or coroner/medical examiner and I anticipate that my request for PHI will trigger the new attestation requirement. Where can I get a copy of an attestation to fill out?

A3: Many covered entities and business associates will likely develop their own standard attestation forms, in which case you can contact that entity directly and ask for a copy of their form. Alternatively, and because requestors are not required to use a covered entity or business associate’s own form, you can draft your own attestation that includes all the required elements set out at 45 CFR 164.509. HHS has published model attestation language that can be viewed here on HHS’s website.

Q4: My organization is a covered entity and we recently released PHI in accordance with HIPAA and pursuant to a valid attestation; however, since then, we have become aware that the requestor misrepresented their intentions when submitting the attestation and is actually using the PHI for a prohibited purpose under 45 CFR 164.502(a)(5)(iii). What should we do?

A4: Under the new 45 CFR 164.509(d), if a covered entity or business associate “discovers information reasonably showing that any representation made in the attestation was materially false” and PHI was or is being disclosed based on that attestation, then the covered entity or business associate must cease the disclosure.

Pursuant to 45 CFR 164.509(c)(v), if the requestor of the PHI knowingly requested and obtained the PHI for a purpose prohibited under HIPAA, then the requestor could be subject to penalties under 42 USC 1320d-6. This includes, but is not limited to, fines of up to $250,000 or imprisonment of not more than 10 years, depending on the nature of the offense.

Additional Resources

During a June 20, 2024 webinar on the Final Rule, HHS indicated that it would continue to update and add to its existing guidance on the Final Rule, which is available here.

Questions?

Do you have questions about this new attestation requirement? Feel free to send me an email at kirsten@sog.unc.edu.

 

 

 
