HIPAA attestation form introduced to protect reproductive health care data

A new HIPAA attestation form was introduced to bolster privacy protections for reproductive health care data.

 

What happened

A new HIPAA attestation form has been introduced as part of updates to HIPAA regulations, focusing on protecting data related to reproductive health care. Effective December 23, 2024, the guidance prohibits using or disclosing protected health information (PHI) for specific purposes, including investigations or actions targeting individuals who lawfully seek, provide, or facilitate reproductive health care.

The new attestation form must be used whenever a request for PHI relating to reproductive health care is received. This change indicates the need for health plans to integrate these requirements into their compliance processes, including staff training, policies and procedures, and business associate agreements (BAAs).

 

Going deeper

The updated regulations include two main protections:

  • PHI cannot be used or disclosed to conduct or support criminal, civil, or administrative investigations, or to impose liability on individuals involved in lawful reproductive health care.
  • PHI cannot be used to identify individuals for such investigations or liabilities.

These updates aim to address concerns around privacy and legal protections for reproductive health care. In addition to the attestation form, the updated regulations will soon require modifications to notices of privacy practices (NPPs), which must be updated by February 2026.

Health plans and covered entities must integrate these changes into their compliance strategies to avoid potential violations.

 

In the know

The new HIPAA attestation form has strict conditions for the use and disclosure of reproductive health care data. Covered entities can only rely on the attestation if it is complete. If a covered entity discovers that the attestation contains false information or suspects the disclosure is for a prohibited purpose, they must immediately stop using or disclosing the protected health information. Each request requires a new attestation, and a written copy must be maintained along with supporting documents.

 

The big picture 

This regulatory change signals an increased focus on safeguarding sensitive health information, particularly in areas with heightened privacy concerns like reproductive health care. Incorporating these changes promptly can help health plans avoid compliance risks and maintain trust with patients and stakeholders.

 

FAQs

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that sets standards for protecting sensitive health information and ensures its privacy and security.

 

What is protected health information (PHI)?

Protected health information refers to any identifiable health data created or maintained by covered entities or business associates, like medical records or billing details.

 

What is reproductive health care data?

Reproductive health care data includes any protected health information related to services like contraception, fertility treatments, pregnancy care, or other reproductive health services.

 

What are notices of privacy practices (NPPs)?

Notices of privacy practices explain a patient's rights under HIPAA, how their health information may be used or shared, and the privacy practices of their healthcare provider or plan.

 

What is a business associate agreement (BAA)?

A business associate agreement is a contract that ensures third parties handling protected health information follow HIPAA's privacy and security rules.