ARTICLE
14 August 2024

2024 Privacy Rule

TC
Thompson Coburn LLP

Contributor

Thompson Coburn LLP logo
For almost 90 years, Thompson Coburn LLP has provided the quality legal services and counsel our clients demand to achieve their most critical business goals. With more than 380 lawyers and 40 practice areas, we serve clients throughout the United States and beyond.
Explore Firm Details
Generally, the 2024 Privacy Rule goes into effect June 25, 2024, but regulated entities have 180 days to bring their documentation and operations into compliance.
United States Privacy
Photo of Michael Lane
Photo of Cathryn Conrad
Photo of Amy Dygert Stansfield
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

The Office for Civil Rights of the U.S. Department of Health and Human Services issued required modifications to the Health and Insurance Portability and Accountability Act of 1996, known as the 2024 Privacy Rule, in the form of final regulations on April 22, 2024. The 2024 Privacy Rule establishes new prohibitions on covered entities and business associates ("Regulated Entities") regarding the use and disclosure of certain PHI, adds an attestation requirement for certain types of disclosures, and implements other changes to HIPAA regulations, including adding new definitions.

Generally, the 2024 Privacy Rule goes into effect June 25, 2024, but regulated entities have 180 days to bring their documentation and operations into compliance. Therefore, by December 23, 2024, HIPAA policies and procedures documents, risk assessments, and business associate agreements, if needed, should be updated to reflect the new requirements. Employers with self-funded health plans should begin reviewing these new requirements soon to ensure operations and documentation are in compliance ahead of this deadline.

New Prohibitions on Use & Disclosure of PHI

The 2024 Privacy Rule establishes new prohibitions on a Regulated Entity's use and disclosure of PHI in the following circumstances:

  • First, the 2024 Privacy Rule prohibits the use or disclosure of PHI by Regulated Entities for purposes of conducting a criminal, civil, or administrative investigation or proceeding against a person in connection with seeking, obtaining, providing or facilitating reproductive health care where such health care is lawful under the circumstances in which it is provided.
  • Second, the 2024 Privacy Rule prohibits Regulated Entities from using or disclosing PHI for the purpose of identifying an individual, health care provider, or other person for purposes related to such an investigation or proceeding where the reproductive care is lawful.

Note that the prohibitions above do not automatically apply to all PHI regarding reproductive health care. Rather, the prohibitions arise depending on the purpose for which such PHI is sought.

In order for the prohibitions above to apply, the Regulated Entity must reasonably determine that at least one of the following circumstances is satisfied:

  • The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
  • The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g. contraception).
  • The reproductive health care was provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associate) that receives the request for PHI and a presumption that the health care was lawful applies. The presumption noted above shall apply unless one of the following occur:
  • The covered entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
  • The covered entity receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.

New Attestation Requirement

In addition to these new prohibitions, the 2024 Privacy Rules require a Regulated Entity to receive a signed attestation prior to making certain disclosures of PHI otherwise required under HIPAA regulations. The signed attestation requirement arises when PHI is requested for any of the following:

  • Health oversight activities;
  • Judicial and administrative proceedings;
  • Law enforcement purposes; or
  • Disclosures to coroners and medical examiners.

HHS recently published a model attestation form plans are encouraged to use for this requirement.

Required Updates to Notice of Privacy Policies (stay tuned)

While the 2024 Privacy Rules require additional changes to the Notice of Privacy Policies, the deadline for this update is delayed until February 16, 2026. Prior to that deadline, a new model notice will be released.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Michael Lane
Michael Lane
Photo of Cathryn Conrad
Cathryn Conrad
Photo of Amy Dygert Stansfield
Amy Dygert Stansfield
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More