The HIPAA Privacy Rule has been amended to provide greater protections for protected health information (PHI) related to reproductive health care. Covered entities and business associates should familiarize themselves with the final rule, which imposes new prohibitions on the use and disclosure of PHI, a new attestation requirement, and revisions to privacy notices. Covered entities and business associates will need to revise their policies and procedures to ensure compliance, and may wish to revisit existing business associate agreements.

Specifically, beginning in December 2024, the Privacy Rule will prohibit uses or disclosures of PHI if the request for PHI is made to investigate or impose liability for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person as part of conducting such activities (whether civil, criminal, or administrative). The term “reproductive health care” covers the full range of health care related to reproductive health, including the provision of medications and devices.

The final rule is effective June 25, 2024, with a compliance date of December 23, 2024 (except for the requirements related to privacy notices, which require compliance by February 16, 2026).

HIPAA Privacy Rule to Support Reproductive Health Care Privacy

On April 26, 2024, the U.S. Department of Health and Human Services (HHS) published a final rule in the Federal Register: HIPAA Privacy Rule to Support Reproductive Health Care Privacy (89 FR 32976). The final rule is intended to bolster patient-provider confidentiality and help promote trust and open communication between individuals and their health care providers or health plans.

HHS described the changes as having “particular urgency” given the recent Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which “altered the legal and health care landscape,” and had “far-reaching implications for reproductive health care.” HHS expressed concern that the threat of disclosure of PHI to investigate, or impose liability on, an individual could chill an individual’s willingness to seek lawful health care treatment and impact the willingness of health care providers to provide such care, ultimately undermining access to and quality of health care generally. HHS concluded that the “changed environment” requires additional privacy protections to “help restore the Privacy Rule’s carefully-struck balance between individual and societal interests.”

There are three main components to the final rule: (1) a prohibition on certain uses and disclosures; (2) an attestation requirement; and (3) required revisions to privacy practices.

The prohibition and attestation requirement apply directly to covered entities and business associates (regardless of whether the prohibition is specified in a business associate agreement), and may require revisions to existing business associate agreements.

Purpose-Based Prohibition on Certain Uses and Disclosures

The final rule prohibits the use or disclosure of PHI if two elements are met:

• The request for PHI is made for the purpose of investigating or imposing liability for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or for the purpose of identifying a person as part of conducting such activities – regardless of whether the investigation or potential liability is civil, criminal, or administrative.
• The covered entity or business associate reasonably determines that the reproductive health care at issue was lawful under the circumstances in which it was provided.

The lawfulness element is met if the covered entity or business associate reasonably determines the reproductive health care was either (i) lawful under state law where the health care was provided or (ii) protected, required, or authorized by Federal law (irrespective of state law).

Moreover, if the reproductive health care was provided by “another party,” the covered entity and business associate are entitled to presume that health care was lawful, absent actual knowledge that it was not, or receipt of information demonstrating a substantial factual basis that it was not. This ensures that covered entities and business associates are not required to determine the lawfulness of health care they did not provide; covered entities and business associates are not expected to conduct research, analyze an individual’s PHI, consult with an attorney, or otherwise assess whether the health care provided by another entity was lawful.

If the presumption applies to a situation, the Privacy Rule would permit (but would not require) the regulated entity to disclose the PHI.

For example, if a patient resides in a state where certain abortions are unlawful and the patient obtained such an abortion in another state where it was lawful, the new disclosure requirements would apply to the reproductive health care-related PHI that is possessed by both (a) the provider who performed the abortion and (b) the patient’s providers in her home state.

Attestation Requirement

Before a covered entity or business associate responds to requests for PHI that potentially relate to reproductive health care, the regulated entity must obtain a signed attestation from the requestor that the PHI is not being requested for a prohibited purpose. However, this attestation requirement applies only to requests for PHI for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners, and it does not apply if the requestor is another covered entity or business associate.

HHS implemented the attestation requirement recognizing that it might be difficult for HIPAA regulated entities to determine whether PHI was being requested for a permitted or prohibited purpose. The covered entity or business associate is responsible for ensuring that the required elements of the attestation are met, and should also review any additional documents provided by the requestor (for example, a requestor might provide information supporting a position that the health care at issue was not lawfully provided).

The attestation must contain certain very specific elements and statements. Importantly, the attestation is invalid if it omits any required element/statement or if it includes any additional elements/statements or if it is combined other documents (with limited exceptions). Covered entities must take care in preparing and reviewing their attestations; failure to obtain a valid attestation where one is required may subject a regulated entity to civil penalties.

Required Revisions to Notice of Privacy Practice

The rule also requires covered health care providers, plans, and clearinghouses to revise their privacy notices to address reproductive health care privacy, including a description (with at least one example) of the types of uses and disclosures prohibited under the new rules for reproductive health care, in sufficient detail for an individual to understand the prohibition.

HHS is also requiring various revisions to privacy notices related to the requirements of 42 CFR Part 2 (which regulates the confidentiality of certain substance use disorder patient records). The longer compliance timeline for NPP-related requirements relates to the time anticipated for covered entities to implement applicable aspects of the required revisions.

Enforcement

Regulated entities should recall that the Office for Civil Rights routinely investigates health care providers for impermissible disclosures of PHI and that state laws, including those related to reproductive health care, are subject to HIPAA’s general preemption provision.

Further information is available in HHS’s guidance and a fact sheet, which include examples of how the new rules operate in specific circumstances. HHS also intends to publish a model attestation in the coming months.