Model Attestation for Reproductive PHI Released

In April, the Department of Health and Human Services (“HHS”) issued a final HIPAA Privacy Rule to Support Reproductive Health Care Privacy (“Privacy Rule”). Among other things, the Privacy Rule requires a regulated entity, such as a group health plan or a plan’s business associate, which receives a request for protected health information (“PHI”) potentially related to reproductive health care (“reproductive PHI” or “rPHI”), to obtain a signed and dated attestation from the requesting entity or individual stating that the use or disclosure is not for a prohibited purpose. The attestation requirement takes effect December 23, 2024. HHS recently released the model attestation, which includes background information and instructions.

Background


The Privacy Rule directs that a “regulated entity” cannot use or disclose PHI for:

1. conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care;

2. imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care; or

3. identifying any person for any purpose described in (1) or (2).

  

A “regulated entity” generally includes a group health plan (the covered entity) and a business associate of such plan. 

The Privacy Rule includes specifics on what constitutes “reproductive health care,” and details on when the prohibition applies.

The attestation requirement under the Privacy Rule applies when there is a request to the regulated entity for rPHI for any of the following:  

• Health oversight activities;

• Judicial and administrative proceedings;

• Law enforcement; or

• Disclosures to coroners and medical examiners regarding decedents.    

Attestation Information

The model attestation issued by HHS includes the above background information along with instructional information for both the person requesting the rPHI and the regulated entity. While use of the model attestation itself is not mandatory, it will likely be used in most relevant situations.  


The instructional information essentially directs that a group health plan and/or the plan’s business associate:

 • cannot rely on the attestation to disclose the requested rPHI if:

• the attestation is missing any required element or statement or contains other content that is not required;

• the attestation is combined with other documents, except for documents provided to support the attestation;

• it knows that material information in the attestation is false; or

• a reasonable covered entity or business associate in the same position would not believe the requestor’s statement that the use or disclosure is not for a prohibited purpose.  

• must stop making the requested use or disclosure, if it later discovers information that reasonably shows that any representation made in the attestation is materially false, leading to a use or disclosure for a prohibited purpose as described above.

• must not make a disclosure if the reproductive health care was provided by a person other than the regulated entity and the requestor indicates that the PHI requested is for a prohibited purpose, unless the requestor supplies information that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

• must obtain a new attestation for each specific use or disclosure request.

• must maintain a written copy of the completed attestation and any relevant supporting documents.  

The attestation itself is a single page and the requesting party must:

1. identify the party who will receive the requested rPHI.

2. identify the person from whom the use or disclosure is requested.

3. describe the specific rPHI requested, including identifying the person(s) whose protected health information is being requested.  

4. check one of two boxes specifying the request is not prohibited because either:

a. the purpose of the request is not for any investigation or imposition of liability related to reproductive healthcare; or

b. the purpose of the request is for an investigation or imposition of liability regarding reproductive healthcare that was not lawful.  

The attestation also highlights that the requesting party could be subject to criminal penalties for improperly obtaining individually identifiable health information relating to an individual or disclosing individually identifiable health information to another person.

Finally, the guidance provides that the attestation may be provided in electronic format, and electronically signed by the requesting party.  

Employer Action For employers with fully insured plans: much of the responsibility for compliance with the attestation requirement should fall on the carrier, which would be the covered entity positioned to respond to requests related to rPHI. Presumably, such employers who receive rPHI requests would refer those to the carrier.

For self-funded (including level-funded) plans: employers will need to address these issues and have an attestation notice available to respond to requests. Most likely, however, it will be the third-party administrator (“TPA”), or other vendors (such as pharmacy benefit managers (“PBMs”) or behavioral health providers or provider networks), who are business associates of the self-funded plan, where such requests may typically be directed. A self-insured plan sponsor will likely need to rely on their TPA or other business associate for compliance with the attestation requirement. Thus, sponsors should work with their TPA and other business associates to ensure they will be prepared to comply with the requirement, including for requests forwarded by the sponsor, starting December 23, 2024.

Employers sponsoring both insured and self-insured plans should consider third party vendors who may be business associates of any employer health plan and may obtain rPHI and receive requests to disclose rPHI. Such vendors might include those administering:

• Health flexible spending accounts (“FSAs”)

• Health reimbursement arrangements (“HRAs”)

• Telehealth • Family-forming/fertility solutions

• Specialty drug carve-outs

• Other data analytics, including brokers and consultants

Where appropriate, employers should work with such vendors to ensure they will be prepared to comply with the attestation requirement starting December 23, 2024.   

Further, as previously reported, the final rule may also require self-funded plans to modify or update the following by December 23, 2024 (depending on existing language or specifics of the plan) to address rPHI:

• Policies and procedures

• Training

• Risk assessment

• Business associate agreements

Finally, self-funded plans will need to update their notice of privacy practices to account for these changes by February 16, 2026. Carriers for fully insured plans are responsible for the notice of privacy practices and should also timely update these notices.

HHS has not yet updated their sample notice of privacy practices to reflect these changes.

We will continue to monitor and inform you of any additional important developments on the attestation requirement.

Resources

Model Attestation for a Requested Use or Disclosure of Protected Health Information Potentially Related to ReproductiveHealth Care  

Dexter Dible