By: HUB’s EB Compliance Team
The Department of Health and Human Services (“HHS”) has now released a model attestation for covered entities (including health plans) and business associates to use when they receive requests for protected health information (“PHI”) potentially related to reproductive health care. Employers and their business associates should review the attestation closely and begin preparing their processes to request these attestations.
Background
As described in this prior article, HHS finalized rules earlier this year related to requests that potentially involve abortion-related health information. These rules were proposed by HHS in response to the Supreme Court's Dobbs v. Jackson Women's Health Organization decision, which overturned Roe v. Wade. In general, the final rule makes it a HIPAA violation to use or disclose reproductive health care information for a civil or criminal investigation or prosecution if the item or service was legal in the state where the service was performed.
The final rules also introduce key administrative burdens on plan sponsors, which must be implemented by December 23, 2024. One of those burdens is requiring the attestation. In addition, the rules require changes to the Notice of Privacy Practices. Those are not required until February 16, 2026, but can be adopted sooner.
The Attestation
As noted above, the rule also requires health plans and their business associates to obtain a specific attestation from anyone seeking information "potentially related to reproductive health care," as defined in the rules. If an attestation is defective, then any use or disclosure of information potentially related to reproductive health care is a HIPAA violation.
HHS used “potentially related” intentionally because it wanted the requirement to be interpreted broadly. The regulations do not provide any clarity on what information might be “potentially related” to abortion, which will likely result in health plans and their business associates asking for more attestations than they actually need.
The model attestation includes all the requirements for a valid attestation, which are:
- Name of PHI requester: The name or other specific identification of the person(s), or class of persons, who will use or receive the PHI.
- Name of PHI holder: The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure. This could include the name of the health plan and perhaps even the name of the specific person who is being requested to make the disclosure.
- Explanatory description of PHI: A description of the PHI requested that identifies the PHI in a specific fashion, including either the names of any individuals or, if that is not practicable, a description of the class of individuals whose information is being sought.
- Validating statement for compliant use: A clear statement that the use or disclosure is not for a purpose prohibited by these new rules. In other words, it is not for a civil or criminal investigation or prosecution related to reproductive health care where the service was legal.
- Criminal Penalty Acknowledgement: A statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person.
- Signature: Signature of the person requesting the PHI, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided.
The attestation will be invalid if any of the above elements are missing or if any elements are added to it. Therefore, employers and business associates will likely end up sticking to the model attestation to avoid any potential concerns about an attestation’s validity. However, note that people often have difficulty properly filling out forms. As a result, a close review of the form to ensure that it has been properly completed will also be required.
The attestation is also not valid if the health plan or business associate has actual knowledge that the attestation is false (for example, if they know the information will be used for a criminal prosecution). Additionally, the attestation is not valid if a reasonable health plan or business associate in the same position would not believe the attestation is true. Finally, this attestation cannot be combined with any other attestation.
As HUB noted previously, the broad scope of the HHS phrase “potentially related” information, combined with the vague standard for evaluating the truth of the attestation, will put health plans and their business associates in a difficult position when evaluating requests for PHI. While some requests will be clear or easy, closer calls will likely result in unnecessary attestations.
Conclusion
Health plans and their business associates have until December 23, 2024, to come into compliance with most of these new HIPAA rules, including the new attestation requirement. This will likely mean instituting a new process for evaluating requests for use or disclosure of protected health information, particularly if the requests come from law enforcement, and updating training to reflect that new process. Covered entities should also consider whether they need to update their training materials or amend their business associate agreements to capture the new protections and attestation requirements that apply to the disclosure of certain abortion-related information.
NOTICE OF DISCLAIMER
Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only, and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and Hub International does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.
