P-R-I-V-A-C-Y is Priceless to Me: The 2024 Privacy Rule
The Department of Health and Human Services issued a final rule amending the HIPAA privacy rules (“2024 Privacy Rule”). The 2024 Privacy Rule limits the use or disclosure of an individual’s PHI in connection with reproductive healthcare for certain non-healthcare purposes, where such use or disclosure could be detrimental to the privacy of the individual, or another person, or the individual’s trust in their healthcare providers. Among other changes, the 2024 Privacy Rule added a new category of prohibited uses and disclosures of PHI, which prohibits the use or disclosure of PHI for any of the following activities:
- to conduct criminal, civil, or administrative investigations into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, where such healthcare is lawful under the circumstances in which it is provided;
- to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, where such healthcare is lawful under the circumstances in which it is provided; and
- to identify any person for the purpose of conducting such investigation or imposing such liability.
The final rule will require covered entities to provide updated training to workforce members, update their HIPAA policies and procedures, and update business associate agreement before December 23, 2024.
The Notice of Privacy Practices will also need to be updated, by February 16, 2026, to include the changes enacted by the 2024 Privacy Rule and to address the proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records (“Part 2”).