Death Investigations & the HIPAA Final Rule to Support Reproductive Health Care Privacy
HealtheConnections has put a process in place to be compliant with a specific HIPAA regulation. This affects any users who identify as someone who conducts death investigations and uses HealtheConnections’ health information exchange (HIE) for that purpose.
If you have questions about HIPAA regulations, we encourage you to contact your legal counsel or the Department of Health and Human Services.
To comply with this regulation, you will be prompted to attest for EACH PATIENT you are looking up during a death investigation. This is an automated prompt within our portal. For each patient, you are attesting that you understand and are accessing these data for approved uses under federal regulation. Inappropriate or otherwise fraudulent access will be subject to consequences per federal law.
Click here to review the model attestation. Please remember:
– You may only select ONE option per group of patients.
– If you select the wrong option, you may submit again correctly.
– If you select option 1 (you are not conducting an investigation into reproductive health care), you may submit up to 5 patients with one attestation; if your session times out, you will need to re-submit the attestation.
– If you select option 2 (you are conducting an investigation, but the care was unlawful), you must submit documentation supporting your position that the care was unlawful; send your documentation to support@healtheconnections.org. This documentation will be reviewed by HealtheConnections’ legal counsel. Review of your documentation may take several weeks. If the documentation is sufficient and access is granted, you will receive a unique authorization code for that patient. When selecting option 2, you can only view one patient at a time and must type the corresponding authorization code in the attestation box.
Background & HIPAA Change Pertaining to Requests for Access to PHI POTENTIALLY Related to Reproductive Health Care:
Effective December 23, 2024, when a HIPAA covered entity or business associate receives a request for protected health information (PHI) potentially related to reproductive health care, it must obtain a signed attestation that clearly states the requested use or disclosure is not for the prohibited purposes described below, where the request is for PHI for any of the following purposes:
• Health oversight activities – See 45 CFR 164.512(d)
• Judicial or administrative proceedings – See 45 CFR 164.512(e)
• Law enforcement – See 45 CFR 164.512(f)
• Regarding decedents, disclosures to coroners and medical examiners – See 45 CFR 164.512(g)
As a business associate to our Participants (which are HIPAA Covered Entities), HealtheConnections may not use or disclose PHI for the following purposes:
(1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
(2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
(3) To identify any person for any purpose described in (1) or (2).
To read more about the specifics of this rule, please see the US Dept of Health and Human Services website here: https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html