The Department of Health & Human Services’ Office for Civil Rights April 22 released a final rule prohibiting entities regulated by the HIPAA Privacy Rule from using or disclosing protected health information to investigate or prosecute patients, providers or others involved in providing legal reproductive health services. The rule requires covered entities to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes. As requested by the AHA, the final rule makes clear that hospitals can rely on the attestation and are not required to investigate the validity of an attestation provided by a person requesting a use or disclosure of PHI. The rule will take effect 60 days after publication in the Federal Register and require covered entities to comply within 240 days. As requested by the AHA, OCR plans to issue a model attestation form before the compliance date.


