Dates for Compliance

This Final Rule is effective on June 25, 2024 (“Effective Date”). Regulated Entities will have 180 days beyond the Effective Date to comply with the Final Rule, with the exception of the required NPP modifications. For NPP modification compliance, HIPAA covered entities will have until February 16, 2026.

HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 89 Fed. Reg. 32,976 (Apr. 26, 2024) (to be codified at 45 C.F.R. pts. 160 and 164).

These prohibitions apply unless the Regulated Entity has actual knowledge that the reproductive health care was not lawfully provided in the state where it was received or under applicable Federal law or received “factual information” from the person requesting the PHI that “demonstrates a substantial factual basis” that the reproductive health care was not lawfully provided in the state where it was received or under applicable Federal law. Applicable Federal law includes when Federal law preempts applicable state law.

87 Fed. Reg. 74216, 74237 (Dec. 2, 2022).

HHS combined modifications to the NPP from both rulemakings into a single final rule because 45 C.F.R. § 164.104 limits the Secretary to making modifications to a standard or implementation specification no more than once every 12 months. Id.
prohibits most health plans from using or disclosing PHI that is genetic information for underwriting purposes.[2] Reproductive care is presumed to be lawful unless one of the following conditions is met: (1) The covered entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided; or (2) The covered entity receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.[3] The attestation must include a statement that the attestation is signed with the understanding that a person who knowingly and in violation of HIPAA obtains or discloses PHI relating to another person may be subject to criminal liability. Additionally, the comments to the Final Rule explain that a regulated entity that receives an attestation is generally permitted to rely on it. [4] 87 FR 74216, 74237 (Dec. 2, 2022). The Part 2 Final Rule was published in February 2024 and stated that the NPP modifications proposed in the Part 2 NPRM would be finalized in a separate Final Rule, as HHS has done here.
to enjoin its enforcement of the Online Tracking Guidance. A number of key points can be gleaned from the Complaint. First and foremost, the Complaint alleges and provides proof that the federal government’s own websites that are subject to HIPAA also violate the Online Tracking Guidance, including medicare.gov, the veterans’ administration and the department of defense health system. The Complaint states that OCR has done nothing to enforce the Online Tracking Guidance against these entities. This lawsuit has just been filed and is currently only in the initial stages of litigation. However, covered entities and business associates should keep a close eye on this litigation as it progresses.

HIPAA and Part 2 Proposed Regulations

OCR, in coordination with the Substance Abuse and Mental Health Services Administration, issued proposed regulations to update the decades-old regulations on the confidentiality of substance use disorder records (referred to as “Part 2” as in 42 CFR Part 2). See, 87 Fed Reg 74216 (December 2, 2022). The Part 2 proposed regulations are sweeping in nature and should be finalized in 2024.

Some health plan sponsors may not have heard of the Part 2 regulations before. Part 2 imposes different requirements for substance use disorder treatment records protected by Part 2 than the HIPAA privacy rules. The regulatory schemes apply to different types of entities and create dual obligations and compliance challenges for HIPAA covered entities and business associates that maintain PHI and Part 2 records, and thus are subject to both sets of rules. In the proposed regulations, OCR intends to revise the Part 2 regulations to reflect applicable standards in the HIPAA privacy rules, and reflect language used in the HIPAA privacy rules. OCR also proposes to revise the NPP to clarify how Part 2 and the HIPAA privacy rules align.
Even with the above proposals, Part 2 still only applies to those providers and business associates who have substance abuse treatment records. For self-insured health pla