
Triple play: HHS issues three new final rules

Physicians Practice, June 2024, Volume 2, Issue 6

Don't run afoul of these new privacy and civil rights rules.


Between February and the end of April 2024, the U.S. Department of Health and Human Services (HHS) issued three final rules: 42 CFR Part 2 Final Rule, HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule, and Preventing Non-Discrimination and Advancing Civil Rights in Healthcare Final Rule. The common denominators – privacy and civil rights.

Each of these final rules is dense and rich with legislative and regulatory history, as well as select comments received by the agency and the corresponding agency response. The purpose of this article is not to summarize each final rule – the links provided do that. Rather, it is to provide an overview and a notable item from each one.

HIPAA privacy rule – Reproductive healthcare

The U.S. Department of Health and Human Services on Monday, April 22, 2024, issued a finalized version of its new rule that aims to protect the privacy of abortion providers and patients by prohibiting the disclosure of information related to "lawful reproductive health care," according to an announcement made by the agency. The final rule amends the Health Insurance Portability and Accountability Act's privacy rule to bar using or sharing protected health information to investigate or prosecute patients or providers who have obtained or provided legal reproductive healthcare, including an abortion. (emphasis added). The Final Rule was published in the Federal Register four days later, with an effective date of June 25, 2024. 89 Fed. Reg. 32976 (Apr. 26, 2024).

“After carefully considering these comments, the Department is issuing a Final Rule that:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
  • Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires regulated health care providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive health care privacy.”

A notable area to review closely is the section related to 45 CFR § 164.512, which is known as the law enforcement exception, and how it relates to reproductive healthcare.

Confidentiality of substance use disorder (SUD) patient records regulations at 42 CFR part 2 (“Part 2”)

The Part 2 statute (42 U.S.C. 290dd-2) protects “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.”

A notable area is the alignment of HIPAA with Part 2 and the distinguishing of the two requirements in certain areas. For example, disclosure and decision-making capacity:

  • Privacy Rule § 164.510(b)(3) permits a health care provider, when a patient is not present or is unable to agree or object to a disclosure due to incapacity or emergency circumstances, to determine whether disclosing a patient’s information to the patient’s family, friends, or other persons involved in the care, is in the best interests of the patient.
  • Where a provider determines that disclosure is in the patient’s best interests, the provider would be permitted to disclose only the PHI that is directly relevant to the person’s involvement in the patient’s care or payment for care. (NOTE: “minimum necessary rule”).
  • “The Privacy Rule permits but does not require providers to disclose information in these situations. Providers who are subject to more stringent privacy standards under other laws, such as certain state confidentiality laws or 42 CFR Part 2, would need to consider whether there is a similar disclosure permission under those laws that would apply in the circumstances.”

Hence, permissible disclosures when a patient lacks decision-making capacity vary with the circumstances, with state law, and between Part 2 and HIPAA.

New rule to strengthen nondiscrimination protections and advance civil rights in health care

The focal point of this Final Rule is Section 1557 of the Affordable Care Act (ACA), and its aim is to “advanc[e] protections against discrimination in health care. By taking bold action to strengthen protections against discrimination on the basis of race, color, national origin, sex, age, and disability, this rule reduces language access barriers, expands physical and digital accessibility, tackles bias in health technology, and much more.” The scheduled publication date in the Federal Register is May 6, 2024.

While HHS provides this list of areas in the Final Rule, it is important to note that a focal point is artificial intelligence (AI) in relation to discrimination in clinical algorithms, predictive analytics, and other tools. The rule will restore protections gutted by the prior administration and help increase meaningful access to health care for communities across the country. The 1557 final rule draws on extensive stakeholder engagement, review of over 85,000 comments from the public, the Department’s enforcement experience, and developments in civil rights law. Among other things, the rule:

  • Holds HHS’ health programs and activities to the same nondiscrimination standards as recipients of Federal financial assistance.
  • For the first time, the Department will consider Medicare Part B payments as a form of Federal financial assistance for purposes of triggering civil rights laws enforced by the Department, ensuring that health care providers and suppliers receiving Part B funds are prohibited from discriminating on the basis of race, color, national origin, age, sex and disability.
  • Requires covered health care providers, insurers, grantees, and others, to proactively let people know that language assistance services are available at no cost to patients.
  • Requires covered health care providers, insurers, grantees, and others to let people know that accessibility services are available to patients at no cost.
  • Clarifies that covered health programs and activities offered via telehealth must also be accessible to individuals with limited English proficiency, and individuals with disabilities.
  • Protects against discrimination by codifying that Section 1557’s prohibition against discrimination based on sex includes LGBTQI+ patients.
  • Respects federal protections for religious freedom and conscience and makes clear that recipients may simply rely on those protections or seek assurance of them from HHS.
  • Respects the clinical judgement of health care providers.
  • Protects patients from discriminatory health insurance benefit designs made by insurers.
  • Clarifies the application of Section 1557 nondiscrimination requirements to health insurance plans.

Each of these final rules provides new requirements, which should be read closely and integrated into compliance programs, policies and procedures, training, and annual risk analyses. Privacy and security concerns, especially with the advent of AI, are only going to make compliance more important in the wake of regulatory requirements and cyber criminals.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.
