2024 HIPAA Action Items for Health Plans

Baker Botts L.L.P.

In light of the changing legal landscape following Dobbs v. Jackson Women’s Health Organization, the Department of Health and Human Services (the “Department”) issued a final rule (link, and corresponding fact sheet link) modifying the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to provide additional protections for protected health information about lawful reproductive health care (“rPHI”). Such protections include:

  • A prohibition on the use and disclosure of rPHI to conduct a criminal, civil, or administrative investigation into or to impose criminal, civil, or administrative liability on any person for the mere action of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person to initiate such activities. The final rule clarifies that reproductive health care is lawful if a covered entity (such as a health plan) reasonably determines it is (x) lawful in the state in which it is provided under the circumstances in which it is provided or (y) otherwise protected, required, or authorized by Federal law (including the U.S. Constitution) under the circumstances in which it is provided without regard to the location.
  • A presumption that reproductive health care was lawful under the circumstance in which it was provided unless the covered entity has actual knowledge or is provided with factual information to the contrary.
  • A requirement that covered entities obtain a signed attestation from persons requesting rPHI representing that their requests are not for a prohibited purpose. The attestation requirement applies when the rPHI request is for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners. The attestation must meet specified requirements and generally may not be combined with other documents or include any statements other than those meeting the specified requirements. The Department has provided a model attestation (link).

The final rule adds definitions for “Public health” and “Reproductive health care” and revises the definition of “Person” to clarify that, for purposes of the Privacy Rule, a natural person is limited to a human being who is born alive. It is important to note that the final rule defines “Reproductive health care” broadly – the term covers health care of any individual in all matters related to the reproductive system and to its functions and processes.

Action Items Due December 23, 2024

  • Update HIPAA Policies and Procedures. Update HIPAA policies and procedures as needed to address prohibited or restricted uses and disclosures of rPHI, to address attestation requirements and procedures and to revise or add defined terms, in each case, in a manner consistent with the final rule. HIPAA policies and procedures may be contained within plan documents and summary plan descriptions or may consist of one or more written policies or procedures separate from the plan document and summary plan description.
  • Update Business Associate Agreements. Update agreements with business associates to require that they implement processes for compliance with the final rule or to otherwise clarify each party’s responsibilities with respect to requests for uses or disclosures of rPHI. Typical business associates with respect to a health plan might include a third-party administrator, pharmacy benefits manager, healthcare consultant, stop loss carriers, external review organizations, and others who would handle protected health information.
  • Create Attestation Form. Customize the model attestation provided by the Department.
  • Update HIPAA Training Presentations. Update HIPAA training presentations to incorporate content on the requirements of the final rule and to reflect updates made to HIPAA policies and procedures.

Action Item Due February 16, 2026

  • Update Notice of Privacy Practices. Under the Privacy Rule, an individual has a right to notice in the form of a notice of privacy practices (NPP), which describes an individual’s health information privacy rights and addresses how a health plan may use and disclose individuals’ protected health information and the health plan’s other obligations concerning protected health information. Health plans must provide NPPs to all covered participants and beneficiaries as well as to new enrollees in a plan at the time of enrollment. The final rule requires revisions to NPPs to address prohibited uses and disclosure of rPHI and disclosures for which a covered entity must first obtain a signed attestation from persons requesting rPHI. Additionally, the final rule requires revisions to the NPPs to address proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records. These revisions would only apply for the NPPs of health plans that create or maintain protected health information that is also a record of SUD treatment provided by a Part 2 program (a federally assisted program that provides alcohol or drug abuse diagnosis, treatment or referral for treatment). Health plans may receive records protected under 42 CFR part 2 in connection with employee assistance programs and working with SUD vendors.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Baker Botts L.L.P.
