New HIPAA Final Rule Supporting Reproductive Health Care Privacy Also Requires Amending Notices of Privacy Practices

By: Margaret Young Levi

On April 22, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a Final Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This Final Rule not only bolsters the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA) by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances, but also requires HIPAA covered entities (health care providers, health plans, and health care clearinghouses) to amend their Notices of Privacy Practices (NPPs).

HIPAA and Reproductive Health Care Privacy

HHS issued this Final Rule because of concerns that officials in states with more extreme abortion bans, like Kentucky, will seek medical records from states where abortion is legal (or even from their own states) in order to prosecute individuals who cross state lines to seek an abortion. To prevent those medical records from being used against people for providing or obtaining lawful reproductive health care, the Final Rule prohibits the use or disclosure of PHI by a covered entity, or its business associate, for the following activities:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;
  • To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or
  • To identify any person for the purpose of conducting such an investigation or imposing such liability.

The covered entity or business associate must reasonably determine the reproductive health care is lawful under the law of the state in which such health care is provided or otherwise protected by federal law. In certain circumstances, covered entities and business associates may presume that the care provided was lawful.

Covered entities and business associates must demand and receive a valid attestation in order to process a request for PHI potentially related to reproductive health care that will be used for health oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners. This valid attestation must be written in plain language and contain, among other things, the name of the person requesting the information, an attestation that the use or disclosure is not for a prohibited purpose, and a statement putting the requestor on notice that they may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains or discloses individually identifiable health information. Fortunately, OCR intends to publish model attestation language before the compliance date, which will aid covered entities in adopting that new form.

In a Fact Sheet accompanying the Final Rule, HHS reminds covered entities (and business associates) that HIPAA permits, but does not require, certain disclosures to law enforcement and then only when all conditions are met. Referring to previous OCR guidance, HHS explains that covered entities (and business associates) are “only permitted to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care (lawful or otherwise) if the covered entity or business associate is required by law to do so and all applicable conditions are met.” Under this Final Rule, HHS cautions that a disclosure to law enforcement is only permitted where all three of the following conditions are met:

  • The disclosure is not subject to the prohibition,
  • The disclosure is required (not simply permitted) by law, and
  • The disclosure meets all applicable conditions of the HIPAA exception for permission to use or disclose PHI as required by law set forth in 45 CFR 164.512(a).

In light of these changes in the Final Rule, covered entities and business associates will need to adopt an Attestation form, revise policies and procedures relating to the disclosure of PHI to address these new restrictions on disclosures of PHI containing information about reproductive health care, and consider appropriate revisions to their Business Associate Agreements. Affected members of the workforce will also need to be trained in these new procedures.

Notice of Privacy Practices (NPP) – Substance Use Disorder Records

Covered entities will also need to revise their NPPs. The Final Rule modifies 45 C.F.R. 164.520, not only to require covered entities to amend their NPPs to support reproductive health care privacy, but also to address the confidentiality of substance use disorder (SUD) patient records, as required by the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020.

Per the Final Rule, covered entities must provide individuals with additional information about how their PHI may or may not be disclosed for purposes related to reproductive health care. Specifically, covered entities must modify their NPPs to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under the Final Rule, including at least one example of the types of uses and disclosures prohibited under new 45 CFR 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition. The NPP must also contain a description, including at least one example of the types of uses and disclosures for which an attestation is required under new 45 CFR 164.509.

The NPP must include a statement to place the individual on adequate notice of the potential for information disclosed pursuant to HIPAA to be subject to redisclosure by the recipient and no longer protected by HIPAA. This change will afford transparency and assist covered entities in explaining the limitations of HIPAA to individuals.

The Final Rule also includes changes to align NPP requirements for HIPAA covered entities with similar requirements for programs that provide SUD treatment under 42 U.S.C. 290dd-2 (Part 2). Currently, Part 2 programs must provide a written confidentiality notice to patients (the Patient Notice), while covered entities must provide individuals with their NPP. HHS has now revised both sets of requirements to allow a combined Patient Notice and NPP. On February 16, 2024, HHS released a final rule entitled Confidentiality of Substance Use Disorder (SUD) Patient Records (the “2024 Part 2 Rule”), finalizing confidentiality requirements for SUD patient records under Part 2 consistent with the CARES Act and aligning the requirements for the Patient Notice as closely as possible with the NPP requirements. This Final Rule now similarly amends the NPP requirements, allowing covered entities to combine the Patient Notice and NPP. They may continue to provide separate documents if desired.

The Final Rule requires covered entities that create or maintain PHI that is also a record of SUD treatment provided by a Part 2 program, i.e., covered entities that are Part 2 programs and covered entities that receive Part 2 records from a Part 2 program, to provide notice to individuals of the ways in which those covered entities may use and disclose such records, and of the individual’s rights and the covered entities’ responsibilities with respect to such records. A covered entity that receives or maintains records subject to Part 2 must supply an NPP written in plain language and containing the required elements.

Consistent with the CARES Act, the NPP’s description of uses and disclosures that are permitted for treatment, payment, and health care operations (TPO), or that are otherwise permitted without an authorization, must reflect “other applicable law” that is more stringent than HIPAA, and the Final Rule specifies that other applicable law includes Part 2. Likewise, Part 2 is specifically included in the “other applicable law” referenced in the requirement that the NPP describe the uses and disclosures permitted or required by HIPAA and other applicable law in sufficient detail to place an individual on notice of them.

Covered entities must provide notice to individuals that a Part 2 record, or testimony relaying the content of such record, may not be used or disclosed in a civil, criminal, administrative, or legislative proceeding against the individual absent written consent from the individual or a court order, consistent with the requirements of 42 CFR Part 2.

Covered entities must provide individuals with a clear and conspicuous opportunity to elect not to receive any fundraising communications before using Part 2 records for fundraising purposes for the benefit of the covered entity.

OCR clarifies that although separate covered entities that participate in an organized health care arrangement (OHCA) may issue a joint NPP for the OHCA, Part 2 requirements continue to apply to the Part 2 records maintained by covered entities that are part of OHCAs and individuals who are the subjects of such records maintain all rights under Part 2.

While making these required changes, it is also a good time for a covered entity to review its NPP in its entirety to see if other changes are necessary and to ensure that it remains current and adequately describes how the covered entity uses and discloses PHI as well as how individuals may access their records.

Effective Dates and Compliance Dates

Looking for assistance with your organization’s privacy policies? We work with clients in the preparation and updating of privacy policies and procedures to comply with the HIPAA Privacy Rule and more.  Such policies are essential to meet patients’ expectations surrounding the protection of their privacy as well as the expectations of regulatory enforcement agencies such as the HHS Office for Civil Rights. If you are looking for assistance in this area, or to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, please contact: Margaret Young Levi, mlevi@wyattfirm.com, at 859.288.7469

CMS Issues Updated Guidance on Texting Patient Orders

By: Margaret Young Levi

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors.  This 2024 Memo now permits the texting of patient orders among members of the hospital care team—if the texting is accomplished on a secure platform that protects the privacy and integrity of the patient information. 

This new guidance updates CMS’ previous memorandum entitled Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) (the 2017 Memo), which permitted texting patient information if done through a secure platform, but prohibited texting of patient orders regardless of the platform utilized.

Even though texting of patient orders through a secure platform is now permitted by CMS, that does not mean it is recommended. CMS still prefers that providers enter their orders into the medical record via computerized provider order entry (CPOE), or even as a handwritten order, because of concerns about medical record retention, accuracy, privacy, and security under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation (CoPs), and, if applicable, The Joint Commission (TJC) standards discussed below.

To comply with HIPAA regulations, in its 2024 Memo CMS recommends that providers utilize and maintain systems/platforms that are “secure and encrypted and must ensure the integrity of author identification as well as minimize the risks to patient privacy and confidentiality.”  CMS continues, “Providers should implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized to avoid negative outcomes that could compromise the care of patients.”

The hospital and CAH CoPs at 42 C.F.R. 482.24 and 485.638, respectively, require among other things that inpatient and outpatient medical records be “accurately written, promptly completed, properly filed and retained, and accessible.” They also require that the hospital use “a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries.” In addition, the CoPs require that medical records be retained in their original or legally reproduced form for a period of at least 5 years. The CoPs also require that all orders, including verbal orders, be dated, timed, and authenticated promptly by the ordering practitioner and be included in the medical record. Any secure texting platform must therefore not only protect the privacy and security of the information contained in the order but also allow the order to be securely transmitted into the hospital’s electronic medical record in order to comply with these CoPs.

TJC previously prohibited texting orders and is now reconsidering its stance on the topic.  TJC’s website currently states, “The practice of texting patient orders is currently under review,” and TJC has promised to publish updates in the Perspectives Newsletters. TJC accredited facilities may want to wait for TJC guidance on this topic before implementing secure texting of orders.

In summary, we recommend that hospitals implement texting of patient orders with caution and only after addressing these concerns.  Hospitals should assess any secure texting platform to ensure it protects the privacy and security of any PHI as well as allows the hospital to meet the Medicare CoPs and, if applicable, TJC standards.  Hospitals should also re-assess texting platforms routinely to ensure they continue to meet these standards.

Contact a member of Wyatt’s data privacy and cyber security practice if you have questions or require assistance. To learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

Breach Notification Deadline is February 29th

By: Margaret Young Levi

Heads up! The deadline for notifying the Office for Civil Rights (OCR) of healthcare data breaches affecting fewer than 500 individuals is early this year. Reports of small data breaches may be submitted to OCR annually, usually by March 1st, but because 2024 is a leap year, the reports are due on or before Thursday, February 29th.

The HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires HIPAA covered entities to provide notification following a breach of unsecured protected health information (PHI) to affected individuals, to OCR, and, in certain circumstances, to the media.

HIPAA covered entities must notify all individuals whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of a breach, without unreasonable delay and in no case later than 60 days from the discovery of the breach. Under 45 C.F.R. § 164.402, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

Reporting to OCR is accomplished by electronically submitting a breach report form. If a breach affects 500 or more individuals, the covered entity must submit the breach report to OCR without unreasonable delay and in no case later than 60 days following discovery of the breach. If the breach affects fewer than 500 individuals, the covered entity may instead submit the breach report on an annual basis. (Note that covered entities must submit a separate breach report for each breach incident and cannot combine them.) Annually submitted breach reports are due to OCR no later than 60 days after the end of the calendar year in which the breaches were discovered; for breaches discovered in 2023, that is February 29, 2024. In addition to notifying the individuals and OCR, a covered entity that experiences a breach affecting more than 500 residents of a state or jurisdiction must provide notice to prominent media outlets serving that state or jurisdiction. This media notification must be provided without unreasonable delay and in no case later than 60 days following discovery of the breach.

Looking for assistance with your organization’s data security policies? We work with clients and their IT teams in the preparation and updating of information security policies and procedures to comply with the HIPAA Security Rule, FTC Safeguards Rule, and more. Such policies are essential in today’s cyber threat environment to meet the expectations of regulatory enforcement agencies such as the HHS Office for Civil Rights and the FTC. Information security policies also aid organizations in meeting other legal requirements and expectations, e.g., contractual, cyber insurance underwriting, consumer, and other third-party obligations. If you are looking for assistance in this area, or to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

HHS and American Hospital Association Alert Providers to Act Now on “Citrix Bleed” Vulnerability

The United States Department of Health & Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) issued a Sector Alert for a software vulnerability dubbed “Citrix Bleed.” The HC3 Alert advises on a Citrix security advisory regarding a zero-day vulnerability that impacts NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). The HC3 Alert, issued on November 30, 2023, urges healthcare organizations to upgrade their devices to prevent damage to the health sector from cyber attacks, including ransomware.

Per the HC3 Alert, Citrix warns that installing the patch does not end sessions that were hijacked before the upgrade: the vulnerability discloses session tokens from the appliance’s memory, and a token taken before the patch keeps working until the session it belongs to is terminated. Organizations should follow the Citrix guidance to upgrade devices and then remove all active and persistent sessions with the commands listed in the Alert.
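For IT staff working through the Alert, the two questions are whether each appliance is on a fixed build and what still has to happen after the upgrade. The script below is an added example written for this post; it is not code from HC3, Citrix, CMS, or the firm. It assumes the version banner format printed by the NetScaler CLI command `show ns version`, and the fixed-build table and session-clearing commands are reproduced from Citrix’s October 2023 bulletin for CVE-2023-4966 (CTX579459) as the author of this example recalls them, so confirm them against the current Citrix bulletin before acting. The sample banners at the bottom are constructed, not taken from real appliances.

```python
"""Triage NetScaler ADC / NetScaler Gateway build strings for Citrix Bleed.

Added example; not code from HC3, Citrix, CMS or the law firm.  The
fixed-build table and the session-clearing commands are reproduced from
Citrix's October 2023 bulletin CTX579459 (CVE-2023-4966) from memory;
assumption: verify against the current bulletin before relying on them.
"""
import re

# Minimum fixed build per release line, as (build, sub-build).
# Assumption: values as published in CTX579459.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
    "13.1-FIPS": (37, 164),
    "12.1-FIPS": (55, 300),
    "12.1-NDcPP": (55, 300),
}

# Commands Citrix published to clear sessions after upgrading.  A session
# token leaked before the upgrade stays valid until its session is killed,
# which is why patching alone is not enough.
SESSION_INVALIDATION = [
    "kill icaconnection -all",
    "kill rdp connection -all",
    "kill pcoipConnection -all",
    "kill aaa session -all",
    "clear lb persistentSessions",
]

# Matches the banner printed by `show ns version`, e.g.
# "NetScaler NS13.1: Build 49.13.nc, Date: Sep 28 2023, 04:13:26"
VERSION_RE = re.compile(
    r"NS(?P<line>\d+\.\d+):\s*Build\s+(?P<build>\d+)\.(?P<sub>\d+)"
)


def parse_version(banner: str) -> tuple[str, int, int]:
    """Return (release line, build, sub-build) from a version banner."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    return m.group("line"), int(m.group("build")), int(m.group("sub"))


def is_patched(banner: str, platform: str = "") -> bool:
    """True if the build is at or above the fixed build for its line.

    `platform` is "FIPS" or "NDcPP" for those special builds; the banner
    alone does not say which platform it is, so the operator supplies it.
    Lines absent from the table (e.g. 12.1 non-FIPS, which Citrix listed as
    end-of-life) are treated as unpatched so they show up for action.
    """
    line, build, sub = parse_version(banner)
    key = f"{line}-{platform}" if platform else line
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return False
    return (build, sub) >= fixed  # tuple comparison: build first, then sub


def triage(banner: str, platform: str = "") -> dict:
    """Return the ordered action list for one appliance.

    The session-clearing commands are always included, patched or not,
    because sessions hijacked before the upgrade survive the upgrade.
    """
    patched = is_patched(banner, platform)
    steps = []
    if not patched:
        steps.append("upgrade to a fixed build (or migrate off an end-of-life line)")
    steps.extend(SESSION_INVALIDATION)
    # General incident-response step, not taken from the Alert.
    steps.append("review gateway logs for sessions from unexpected source IPs")
    return {"banner": banner, "patched": patched, "steps": steps}


if __name__ == "__main__":
    # Constructed sample banners, not output from real appliances.
    for sample in [
        "NetScaler NS13.1: Build 49.13.nc, Date: Sep 28 2023, 04:13:26",
        "NetScaler NS13.1: Build 49.15.nc, Date: Oct 9 2023, 10:22:13",
        "NetScaler NS12.1: Build 65.39.nc, Date: Jun 14 2023, 01:02:03",
    ]:
        result = triage(sample)
        print("PATCHED   " if result["patched"] else "VULNERABLE", sample)
        for step in result["steps"]:
            print("   -", step)
```

Note that a FIPS or NDcPP appliance checked without the `platform` argument is compared against the standard line’s fixed build and will usually report as unpatched; that is the conservative failure mode, and it is preferable to silently passing a special build.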

On December 1, 2023, the American Hospital Association (AHA) similarly alerted its members about Citrix Bleed, issuing its own alert titled “Urgent: Hospital Action Needed to Protect Against ‘Citrix Bleed’ Threat.” The same day, AHA also published the article “HHS-HC3 calls for immediate hospital action to protect against ‘Citrix Bleed’ vulnerability and ransomware threat.”

In its weekly Medicare MLN Connects newsletter on December 7, 2023, the Centers for Medicare and Medicaid Services (CMS) asked providers to make sure their IT departments read the information and take the necessary action. Providers should also share the HC3 Alert with their network clearinghouse and vendors.

Relatedly, on December 6, 2023, CNN reported that HHS shared exclusively with CNN a plan focused on getting more money and training to small and rural health care providers who lack dedicated cybersecurity staff. CNN reported that Biden administration officials “have long been concerned that software providers continue to sell insecure products that hackers are too easily able to exploit.” The full CNN article, by Sean Lyngaas, is titled “US health officials call for surge in funding and support for hospitals in wake of cyberattacks that diverted ambulances.”


If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

HHS Proposed Rule Aligns Regulation on Confidentiality of Substance Use Disorder Treatment Records with HIPAA

by Kathie McDonald-McClure

UPDATE: On February 16, 2024, HHS published a Final Rule (89 Fed Reg 12472) to amend Part 2 rules on patient confidentiality of SUD records. While the Final Rule’s effective date is April 16, 2024, the deadline for compliance is February 16, 2026. Based on public comments to the Proposed Rule, HHS included further substantive modifications in the Final Rule, which HHS outlines in a Fact Sheet on the Part 2 Final Rule.

On November 28, 2022, the Secretary of the United States Department of Health & Human Services (HHS) released a Proposed Rule to amend the requirements in 42 C.F.R. Part 2 on confidentiality of substance use disorder (SUD) patient records in federally assisted Part 2 Programs. Part 2 protects the confidentiality of SUD patient records (which generally include alcoholism, alcohol abuse, and drug abuse treatment and prevention records) by restricting the circumstances under which Part 2 Programs or other lawful holders can disclose such records.

Section 3221 of the CARES Act of 2020, enacted on March 27, 2020, in response to the COVID-19 pandemic, amended the Part 2 statute (42 U.S.C. 290dd-2) to align it with HIPAA, and required HHS to implement those amendments in the Part 2 regulation through rulemaking. The 260-page Proposed Rule, in sum, would incorporate requirements and definitions from the HIPAA rules into the 40-year-old Part 2 regulation, including HIPAA’s consent, disclosure, de-identification, unsecured PHI, and breach notification requirements, as well as HIPAA’s penalties for noncompliance.

Part 2 Compliance Challenges. For years, providers who are subject to both HIPAA and Part 2’s separate privacy requirements for SUD records have had to grapple with identifying and segregating SUD records that are subject to Part 2 from records that are subject only to HIPAA. In the Proposed Rule, HHS acknowledges that this has contributed to ongoing operational and compliance challenges for providers. HHS notes several examples of this challenge, including the following:  

For example, once a HIPAA covered entity or business associate disclosed PHI to a person who was not a covered entity or business associate, the information was no longer protected by the Privacy Rule, and thus the Privacy Rule’s limitations on uses and disclosures did not apply. In contrast, Part 2 strictly limited the re-disclosure of Part 2 records by any individual or entity that received a Part 2 record directly from a Part 2 program or other “lawful holder” of patient identifying information, absent written patient consent or as otherwise permitted under the regulations.

(Proposed Rule, pp. 19-20.)

SUD Treatment De-Stigmatization & Coordination. HHS additionally notes that the continued segregation of Part 2 Program SUD records sets these records apart in ways that perpetuate the stigma surrounding a person with SUDs.

Prior to passage of the CARES Act, Congressional hearings on the Opioid Crisis had already highlighted the need for HHS to promulgate regulations modifying the confidentiality requirements for Part 2 records to align with HIPAA. Testimony before Congress was that SUD records were being withheld in ways that inhibit care coordination between providers of a person’s mental health and physical health, conditions that are inextricably linked. In the HHS Announcement of the Proposed Rule, Secretary Becerra said, “This proposed rule would improve coordination of care for patients receiving treatment while strengthening critical privacy protections to help ensure individuals do not forego life-saving care due to concerns about records disclosure.”

Summary of Changes. Some of the most significant changes would include:
