No, there is not an explicit right to privacy listed in the Bill of Rights or the larger U.S. Constitution. However, the nation’s highest court has ruled that, while such a right is not expressly granted in that venerable document, there is an implied right to privacy based on the cumulative thrust of the several enumerated rights. In subsequent legislation and rulemaking, the federal government has extended this right to the healthcare space. Specifically, the 1996 Health Insurance Portability and Accountability Act (HIPAA) outlined a patient’s right to privacy as it concerns his/her own protected health information (PHI), as well as the patient’s right to access their own PHI.
Many other HIPAA-related laws and regulations have been promulgated since 1996 (e.g., security rule, HITECH Act). The latest rules were released earlier this year; the following provides a breakdown of what you need to know.
Substance Abuse and Mental Health
On February 8, 2024, the U.S. Department of Health and Human Services (HHS), through the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office for Civil Rights (OCR), announced a final rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR Part 2. The final rule includes the following modifications to Part 2:
Patient Consent
The rule allows a single consent for all future uses and disclosures for treatment, payment, and health care operations. It also allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations.
Other Uses and Disclosures
The final rule permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule. It also restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
Penalties and Liabilities
The final rule aligns Part 2 penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement actions that also apply to HIPAA violations. It also applies the same requirements of the HIPAA Breach Notification Rule to breaches of records under Part 2. Furthermore, the final rule aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
The February rule creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.
The rule generated in February was designed to further strengthen the privacy and protections of patients seeking treatment for substance abuse or mental health. It is important to note that these provisions will not go into effect for another two years, i.e., February 16, 2026. Therefore, the medical community will have some time to get ready for full compliance with this new rule. For a fuller account of this rule, see the Federal Register notice titled “Confidentiality of Substance Use Disorder (SUD) Patient Records.”
Reproductive Health
The OCR released another final rule involving HIPAA and patients’ privacy rights, specifically involving reproductive healthcare. Published on April 26, 2024, this final rule becomes effective on June 25, 2024, while compliance with the rule is required by December 23, 2024.
The protections extended in the April rule are designed, in part, to prevent state governments from adversely affecting the rights of patients or physicians where “Reproductive Health Care” (RHC) was lawfully obtained. RHC is broadly defined as “all matters relating to the reproductive system and its functions and processes.” To be clear, a patient’s PHI may be obtained if the RHC was unlawfully obtained.
One of the key provisions of the rule surrounds a new attestation that must be executed in connection with RHC-related disclosures. Covered entities and business associates cannot release PHI relating to a patient’s lawfully obtained RHC to any person or entity (including any government entity) without first receiving a written attestation which states that the PHI is not being sought for a “prohibited purpose.” A “prohibited purpose” exists where a person or entity is either investigating or employing criminal, civil, or administrative processes to adversely affect someone for having lawfully obtained RHC. To clarify, seeking PHI relating to unlawfully obtained RHC is not a prohibited purpose.
There is a presumption that all RHC is lawful if the care was lawful in the state in which the care was rendered. According to one healthcare attorney, that presumption can be overcome if you have actual knowledge that the RHC was unlawfully obtained or the person seeking the PHI provides “a substantial factual basis” of such. In that case, the government can provide an attestation that the request for PHI is not for a prohibited purpose (because it is not prohibited to seek PHI for unlawfully obtained RHC).
The new rule will now force covered entities and business associates to determine if the RHC was lawfully obtained before releasing PHI. If PHI is released without getting the attestation, civil penalties may ensue. The OCR will publish a model attestation form to ensure the inclusion of the required attestation elements.
Finally, the Notice of Privacy Practices (NPP) used by HIPAA-covered entities must be amended to address the issues covered in this rule. However, that change isn’t required until February 16, 2026. For more information on the April final rule, see the OCR fact sheet “HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet” on HHS.gov.