New HIPAA Rules Require Immediate Action By Employers and Business Associates

Overview

In response to the Supreme Court’s overturning of Roe v. Wade, the Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS) – the agency with the jurisdiction to enforce HIPAA – issued new guidance to address the protection of protected health information (PHI) that is related to reproductive health care.

Immediate Action Required

Covered Entities (i.e., health plans) and Business Associates must train applicable workforce members and amend their HIPAA policies and procedures by December 23, 2024 with respect to the requirements of this new guidance.  These entities must also update their Notice of Privacy Practices (NPP), but the updated NPP is not required until February 16, 2026.

Specifics

Under OCR’s new guidance, Covered Entities and Business Associates are prohibited from using or disclosing PHI that may be related to reproductive health care – which is defined in the new guidance – for purposes of criminal, civil or administrative investigations, or the imposition of liability (or to identify a person for investigation or to impose liability).  Further, in the event that a Covered Entity or Business Associate receives a request for PHI that may be related to reproductive health care for any of the following purposes:

• Health oversight activities;
• Judicial or administrative proceedings;
• Law enforcement; or
• Disclosures to coroners or medical examiners (with respect to decedents);

the requestor must provide an attestation that meets certain requirements.  Specifically, the attestation must be in writing (including in electronic form), and must satisfy certain content requirements.  Most importantly, the requestor must attest that the purpose of the use or disclosure, is not for a prohibited purpose.

Miller Johnson Compliance Assistance

Miller Johnson is hosting a free webinar to explain this new guidance on November 7, 2024.  You can sign up for the webinar here.  (As this webinar can be used to satisfy the workforce training requirement, any employee who deals with PHI should attend.)

Additionally, Miller Johnson is selling amendments to its HIPAA kits to comply with the requirements of the guidance.  There are two versions of the kit available: (1) one for employer health plans (including medical FSAs and HRAs); and (2) one for Business Associates.

These amendments, which include the amendment to the HIPAA policies and procedures, a sample attestation, and a copy of the training webinar, with slides are available for sale for $500 apiece.

If you need the whole kit (which includes the amendment and materials described above), the kits are for sale (again, one for employer health plans, including medial FSAs and HRAs; and one for Business Associates), for $1,350 apiece.

On the Horizon

There are additional HIPAA changes on the horizon that will likely require more changes to HIPAA policies and procedures.  As a result, we are in the process of restating or updating our HIPAA kits.  We are also making the kits more “user friendly” and easier to understand.

We will let you know when the revised kits are available for purchase.  If you purchase an amendment (or an entire kit) now, you will receive a $500 credit towards the purchase of the new kit.

Conclusion

If you have any questions, please attend our free webinar on November 7 or contact Tripp VanderWal.

HIPAA / HITECH KITS

PURCHASE HERE: