The Department of Health and Human Services (HHS) has released a model attestation that will be required for use by covered entities and business when they receive requests for protected health information (PHI) that is “potentially related to reproductive health care”. The attestation was released in order to facilitate covered entities’ compliance with rules that were finalized earlier this year in response to the Supreme Court decision that overturned Roe v. Wade. The final rules prohibit use or disclosure of health information related to reproductive health care for a civil or criminal investigation or prosecution if the item or service in question was legal in the state where an individual received care.

• Health plans and their business associates must obtain a specific attestation from anyone who seeks information that could be related to reproductive health care. A defective attestation could result in a HIPAA violation.
• The regulations do not include an explanation or definition of information “potentially related” to reproductive health care/abortion; the attestation requirement is designed to be interpreted broadly. The attestation should be used in any situation that could potentially be interpreted as involving a request for information related to reproductive health care.
• A valid attestation must include all of the following elements, all of which are contained in the model attestation:
  • Name of entity requesting PHI
  • Name of entity being asked to make a disclosure
  • Explanatory description of PHI being requested
  • Statement that the disclosure or use of PHI is not for a prohibited purpose
  • Statement that a request that is made knowingly in violation of HIPAA may result in criminal penalties
  • Signature of the person requesting PHI, along with the date of the request; if signed by someone else on behalf of the requester, a description of the signer’s authority to act on behalf of the requester must also be included
• In addition to the fact that the attestation may be invalid if any of the aforementioned elements is not included, there are other factors that may invalidate an attestation:
  • Addition of any extra elements not explicitly required in the attestation
  • Knowingly making a false attestation
  • Making an attestation that a reasonable health plan or business associate in the same position would not believe to be true
  • Combining more than one attestation into a single signed document
• The new attestation requirement will become effective December 23, 2024, along with most of the new HIPAA rules (a requirement to update language in the HIPAA Notice of Privacy Practices does not take effect until February 16, 2026). Plans may need to institute new processes and training for evaluating PHI disclosure requests in order to ensure that the attestation requirements are met, and no HIPAA violations occur.