• 2024 HIPAA Final Rule: The New Attestation Requirement

    Download PDF

    This post is written by my colleague, Kirsten Leloudis, who works in the area of public health. Her contact information is below.

     

    On June 25, 2024, changes to the HIPAA Privacy Rule aimed at supporting reproductive health care privacy went into effect. Last week, I published a blog post about these changes, including the creation of three new types of prohibited uses and disclosures of protected health information (PHI). This post addresses another major change to the law: a new attestation requirement that applies to four types of uses and disclosures when the PHI at issue is “potentially related” to reproductive health care. It’s not just covered entities and business associates that need to understand this new requirement- judicial officials, law enforcement, health oversight agencies, and medical examiners who frequently request PHI to carry out their official duties will likely encounter situations that require them to comply with the new attestation requirement, too.

    Background

    Numerous changes to the HIPAA Privacy Rule, including the new attestation requirement, are the result of a Final Rule that was published by the U.S. Department of Health and Human Services (HHS) on April 26, 2024. For more information about what prompted promulgation of the Final Rule, a summary of key changes, and an in-depth look at the Final Rule’s creation of new prohibited uses and disclosures of PHI, please see this blog post.

    Important Dates

    The changes initiated by the Final Rule went into effect on June 25, 2024. Entities that must abide by HIPAA (covered entities and business associates) must come into compliance with these new requirements- including the attestation requirement- no later than December 23, 2024.

    There is one exception: the required updates to covered entities’ notices of privacy practices (NPPs), which are addressed in 45 CFR 164.520, do not have to be implemented until February 16, 2026.

    The Attestation Requirement

    The attestation requirement can be found at the new 45 CFR 164.509. Under this provision of the HIPAA Privacy Rule, covered entities and business associates are required to obtain a valid attestation from a party requesting PHI when both of the following are true:

    • The requestor is seeking the PHI for one of four types of uses/disclosures of PHI that already exist under the Privacy Rule (health oversight activities, judicial and administrative proceedings, certain law enforcement uses, and certain coroner/medical examiner uses); and
    • The PHI requested is “potentially related” to reproductive health care.

    Before we dive into these two applicability criteria for the attestation requirement, let’s first explore why HHS rolled out this new requirement in the first place.

    Why Attestations?

    If you read my earlier post on the Final Rule, you already know that one of the other major changes to the HIPAA Privacy Rule was the creation of new prohibitions against using or disclosing PHI to investigate or impose liability upon someone for seeking, obtaining, providing, or facilitating lawful reproductive health care, or using or disclosing PHI to identify someone for either of those purposes (hereinafter, the “three new prohibited uses/disclosures”). See 45 CFR 164.502(a)(5)(iii).  This change is directly related to the new attestation requirement, which says that parties requesting PHI for certain purposes must provide covered entities/business associates with a written, signed attestation promising that they are not requesting PHI for one of the three new types of prohibited uses/disclosures.

    The role of the attestation is to prevent someone who is seeking PHI for one of the three new prohibited uses/disclosures from using an existing, permissible pathway for disclosing PHI under HIPAA as a back door to obtain PHI that they intended to use for an impermissible purpose. As HHS explained in the preamble to the Final Rule, “This requirement will help ensure that these Privacy Rule permissions cannot be used to circumvent the new prohibition at 45 CFR 164.502(a)(5)(iii) […]. The attestation requirement is intended to reduce the burden [on covered entities and business associates] of determining whether the PHI request is for a purpose prohibited under 45 CFR 164.502(a)(5)(iii)[…].” 89 FR 33030.

    The Four Uses/Disclosures Requiring an Attestation

    The new attestation requirement does not apply to all requests for PHI. An attestation is only necessary if someone is requesting PHI that is “potentially related” to reproductive health care for one of the following four purposes under HIPAA:

    • Health oversight activities (45 CFR 164.512(d)). This includes, for example, a health oversight agency auditing patient records to confirm that the covered entity or business associate is complying with the law.
    • Judicial and administrative proceedings (45 CFR 164.512(e)). This includes requests for PHI that come in the form of a subpoena or a court order so that the PHI may be used in an administrative, criminal, or civil case.
    • Law enforcement uses (45 CFR 164.512(f)). This includes disclosing PHI to law enforcement to assist with identifying a fugitive or suspect, providing information about a crime victim, etc.
    • Coroner and medical examiner uses (45 CFR 164.512(g)(1)). This would include disclosure of a decedent’s PHI to a coroner or medical examiner for the purpose of determining cause of death.

    Remember: an attestation is only required in these four situations if the requested PHI is “potentially related” to reproductive health care. But what does “potentially related” to reproductive health care mean? Let’s discuss this next.

    PHI “Potentially Related” to Reproductive Health Care

    Although the Final Rule delivered a new definition of the term “reproductive health care” at 45 CFR 160.103, HHS did not explain what it means for PHI to be “potentially related” to such reproductive health care. In the preamble to the Final Rule, HHS acknowledged that this broad language may make it challenging to operationalize the attestation requirement but stated that the “potentially related” language is here to stay. HHS explained the agency’s approach by saying: “[T]his will limit the number of requests that require an attestation, and therefore, the burden of the attestation requirement on regulated entities and persons requesting PHI. […] By narrowing the scope of the attestation to PHI ‘potentially related to reproductive health care,’ the attestation requirement will not unnecessarily interfere with or delay law enforcement investigations that do not involve PHI ‘potentially related to reproductive health care.’ While in practice this scope may be wide, we believe the privacy interests of individuals who have obtained reproductive health care necessitates the inclusion of ‘potentially related’ PHI.”

    Trying to determine if specific PHI is “potentially related” to reproductive health care? In addition to reviewing the new definition of “reproductive health care” at 45 CFR 160.103, check out this blog post for more information, including a non-exhaustive list of health services that HHS says constitute reproductive health care under HIPAA.

    Elements of an Attestation

    A list of the required elements of an attestation can be found at 45 CFR 164.509. Many of the required elements for an attestation mirror the core elements of a HIPAA authorization- but there are a few differences, including two required elements of an attestation that are worth highlighting here. An attestation must include:

    • A statement that the purpose for which the PHI is requested is not one of the new prohibited uses or disclosures described at 45 CFR 164.502(a)(5)(iii).
    • A statement that the party requesting the PHI could be subject to criminal penalties under 42 USC 1320d-6 if that person knowingly and in violation of HIPAA obtains someone’s individually identifiable health information (IIHI) (of which PHI is a subset) or discloses IIHI to another person.

    The attestation must be signed by the requestor (electronic signatures are permissible). It is important to note that the requestor is not required to use an attestation form provided by the covered entity or business associate; a form created by the requestor that meets the requirements of 45 CFR 164.509 is sufficient. To avoid creating additional burdens for requestors, the law also prohibits covered entities and business associates from adding elements to the attestation form beyond those that are required under 45 CFR 164.509– which is to say, they cannot demand more information from the requestor than what the attestation form already requires. As with HIPAA authorizations, attestations may not be combined with other forms; however, a requestor could elect to attach supporting documentation for their request for PHI (e.g., a subpoena or court order) and submit it alongside the attestation. 89 FR 33030.

    Shortly after the Final Rule was published, HHS announced that it would publish model attestation language before December 23, 2024 (the compliance date for the attestation requirement). That model attestation document was released on June 28, 2024 and is available here on HHS’s website.

    Steps for Handling a Request for PHI that Requires an Attestation

    Remember: the new attestation requirement only applies if (1) the requestor is seeking PHI that is “potentially related” to reproductive health care (2) for one of the following four purposes: health oversight activities, judicial and administrative proceedings, certain law enforcement uses, and certain coroner/medical examiner uses. As a first step, the covered entity or business associate should assess the request for PHI and determine whether both of these criteria are met.

    If both criteria are satisfied, then the covered entity or business associate should ensure that an attestation was submitted alongside the request. If the requestor did not submit an attestation, the covered entity or business associate might reach out to make the requestor aware of the attestation requirement, and could provide their organization’s own standard attestation form, if they have one. It is important that the covered entity or business associate closely review the attestation to confirm it is valid, as release of PHI based on a defective attestation is a HIPAA violation.

    Next, if the attestation is valid, then the covered entity or business associate should conduct its regular analysis to confirm that the criteria for the type of disclosure are met before releasing any PHI. For example, if the attestation was submitted alongside a subpoena for PHI for use in a judicial proceeding, then the covered entity or business associate must make sure that the usual requirements under 45 CFR 164.512(e)(1)(ii) for disclosing PHI pursuant to a subpoena are met. This would include receiving satisfactory assurance that there have been reasonable attempts to notify the patient of the request for the patient’s PHI or to secure a qualified protective order. If the attestation is valid and all the other requirements for making the disclosure are satisfied, then the PHI may be released. The covered entity or business associate should retain a copy of the attestation as required under 45 CFR 164.530(j) and document the disclosure consistent with 45 CFR 164.528.

    Frequently Asked Questions

    Q1: Does the new attestation requirement apply to all requests for PHI (e.g., individuals requesting their own health information, or a treating provider requesting a patient’s PHI for treatment purposes)?

    A1: No. The new attestation requirement only applies if (1) the requestor is seeking PHI that is “potentially related” to reproductive health care (2) for one of the following four purposes: health oversight activities, judicial and administrative proceedings, certain law enforcement uses, and certain coroner/medical examiner uses.

    Q2: My organization is a covered entity and just received a subpoena or court order for PHI that is “potentially related” to reproductive health care, but the requestor did not submit an attestation. Can my organization just ignore this request?

     A2: No- you should not ignore a subpoena or court order. Subpoenas and court orders typically have deadlines by which you are required to respond and ignoring a subpoena or court order can have serious legal consequences. If your organization receives a subpoena or court order, you should promptly notify your attorney, who can assist help you navigate deadlines for a response and assess the scope and validity of the subpoena or court order. If an attestation is needed but was not submitted by the party that issued the subpoena or court order, your attorney may also be able to help you notify that judicial official to make them aware of the attestation requirement.

    Q3: I am a judicial official, law enforcement officer, health oversight agency, or coroner/medical examiner and I expect that my request for PHI will trigger the new attestation requirement. Where can I get a copy of an attestation to fill out?

    A3: Many covered entities and business associates will likely develop their own standard attestation forms- in which case, you could contact that entity directly and ask for a copy of their form. Alternatively, and because requestors are not required to use a covered entity or business associate’s own form, you could draft your own attestation that includes all the required elements set out at 45 CFR 164.509. HHS has published model attestation language that can be viewed here on HHS’s website.

    Q4: My organization is a covered entity and we recently released PHI in accordance with HIPAA and pursuant to a valid attestation; however, since then, we have become aware that the requestor misrepresented their intentions when submitting the attestation and is actually using the PHI for a prohibited purpose under 45 CFR 164.502(a)(5)(iii). What should we do?

    A4: Under the new 45 CFR 164.509(d), if a covered entity or business associate “discovers information reasonably showing that any representation made in the attestation was materially false” and PHI was or is being disclosed based on that attestation then, the covered entity or business associate must cease the disclosure.

    Pursuant to 45 CFR 164.509(c)(v), if the requestor of the PHI knowingly requested and obtained the PHI for a purpose prohibited under HIPAA, then the requestor could be subject to penalties under 42 USC 1320d-6. This includes, but is not limited to, fines of up to $250,000 or imprisonment of no more than 10 years, depending on the nature of the offense.

    Additional Resources

    During a June 20, 2024 webinar on the Final Rule, HHS indicated that it would continue to update and add to its existing guidance on the Final Rule, which is available here.

     Questions?

    Do you have questions about this new attestation requirement? Feel free to send me an email at kirsten@sog.unc.edu.

     

     

    Sara DePasquale is a Professor at the School of Government specializing in child welfare law (abuse, neglect, dependency, termination of parental rights, and adoption) and juvenile court.
^ Back to Top