The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) will start to enforce compliance later this month with new special protections for individuals’ reproductive health information as required by a recently finalized HIPAA Privacy Rule, as we noted in an earlier blog post. While the incoming Trump Administration may change enforcement priorities or even rescind that rule, a settlement from OCR that pre-dated implementation of that rule indicates that OCR already affords this information protection.
The settlement marks OCR’s first enforcement action and settlement against a health care provider centered around, and specific to, an impermissible disclosure of an individual’s reproductive health information under the existing Privacy Rule standards. In other words, regardless of whether the incoming administration rescinds or revises the new protections for reproductive health information, OCR has demonstrated that it considers reproductive health information as highly sensitive and will take enforcement action accordingly under the HIPAA Privacy Rule as it is today.
Organizations would be well advised to take the remaining time before the December 23 compliance date to update existing policies to define the scope of reproductive health care-related protected health information (PHI) within the organization and set forth standards and procedures for how the organization will implement compliance with the new requirements including, for example, how the organization will assess and respond to third-party requests for reproductive health care-related PHI, including situations in which an attestation is required.Continue Reading OCR Sets Precedent with Settlement Over Impermissible Disclosure of Reproductive Health Information