A new final rule under HIPAA adds more compliance requirements aimed at supporting reproductive healthcare privacy – so you need to take note if you are a healthcare provider, employer-sponsored group health plan, or other covered entity. While the rule may not significantly change the scope of health information that is protected under HIPAA, you will need to implement certain changes to comply, including revising your HIPAA Notice of Privacy Practices. We’ll explain everything you need to know and give you five steps you should considering taking to comply before the applicable deadlines.

What Happened?

The U.S. Department of Health and Human Services (HHS) issued a final rule on April 22, 2024, as part of a larger effort to protect access to and privacy of reproductive healthcare, after a Supreme Court ruling overturned Roe v. Wade in 2022. That ruling lifted the federal right to abortion access, which led to stricter abortion laws in 21 states and many employer questions about abortion-related employment protections and healthcare benefits.

The final rule adds new privacy protections for reproductive healthcare to federal regulations known as the “Privacy Rule” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA’s Privacy Rule provides national standards for safeguarding individuals’ “protected health information” (PHI) such as their medical records and other individually identifiable health information.

Who Does This Impact and When Does This Take Effect?

You must comply with the new rules if you are a “covered entity” (such as a healthcare provider, healthcare clearinghouse, or health plan) or a “business associate” under HIPAA.

The rule takes effect on June 25, 2024, and if you are a covered entity or business associate, you must comply with the new requirements by December 23, 2024 — except that you will have until February 16, 2026, to update your Notice of Privacy Practices.

What Does the New Final Rule Do?

The final rule imposes new compliance requirements so that you will be:

• prohibited from using PHI against people for providing or obtaining lawful reproductive healthcare;
• required to obtain a signed statement in certain situations before using or disclosing PHI potentially related to reproductive healthcare for such prohibited purposes; and
• required to revise your Notice of Privacy Practices to reflect this new final rule.

The rule defines “reproductive healthcare” broadly to include all healthcare matters related to the reproductive system or to its functions and processes. Read on for more details on each of the above requirements.

Ban on Using PHI for Certain Activities

You will be prohibited from using or disclosing PHI to:

• conduct investigations or impose liability (whether criminal, civil, or administrative) on any person for the mere act of seeking, obtaining, or facilitating reproductive healthcare that is lawful under the circumstances; or
• identify any person for the purpose of conducting such investigation or imposing such liability.

However, the above prohibition applies only if the reproductive healthcare is:

• lawful in the state where the care is provided and under the circumstances in which it is provided;
• protected, required, or authorized by federal law under the specific circumstances, regardless of the state in which the care is provided (for example, the right to use contraception is generally protected by the U.S. Constitution); or
• provided by a third party and the rule’s presumption applies (more on that below).

Reproductive healthcare is presumed to be lawful unless you have “actual knowledge” or factual information (supplied by the person requesting the use or disclosure of the PHI) demonstrating a “substantial factual basis” that it is not. Keep in mind, though, that any uses or disclosures of PHI must meet all other applicable conditions under the Privacy Rule – in addition to any new requirements under these latest changes.

Requirement to Obtain Signed Attestations

Each time you receive a request for PHI potentially related to reproductive healthcare, you will be required to obtain a signed attestation, subject to specific requirements, if the request is for any of the following purposes:

• health oversight activities;
• judicial and administrative proceedings;
• law enforcement purposes; and
• disclosures to coroners and medical examiners.

Each signed attestation must have the person requesting PHI confirm that their request is not for a prohibited purpose and acknowledge that improper uses and disclosures of PHI could result in criminal penalties. There are other specific attestation content requirements under the new rule, and HHS is expected to release model language, so you should stay tuned for more information. Covered entities refusing to provide PHI in the above circumstances because the attestation requirement is not satisfied should consult with legal counsel.

Mandate to Revise Notice

You will need to update your Notice of Privacy Practices (NPP) to incorporate the new reproductive healthcare privacy protections. You’ll need to explain when an attestation is required and add descriptions and examples of prohibited uses and disclosures of PHI under the new rule.

The compliance deadline for updating your NPP is February 16, 2026.

5 Steps You Should Consider Taking Now

To ensure you are in full compliance by the applicable deadlines, consider taking these five steps:

1. Update your HIPAA Policies and Procedures. Make sure to address when you can and cannot use or disclose PHI for certain activities related to an individual’s reproductive healthcare and when a signed attestation is needed before doing so.
2. Train Your Workforce on the New Rules. Your employees and other insiders are a common cause of healthcare data breaches. Bring your workforce (including your own employees, contractors, or third-party vendors who have authorized access to your sensitive data and systems) up to speed on the new privacy rules related to reproductive healthcare.
3. Keep Up With Applicable Laws Related to Reproductive Healthcare. Because some of the prohibitions under the new rule apply only when the PHI at issue involves lawful reproductive healthcare, you will need to know what is and is not lawful in your jurisdiction and neighboring jurisdictions. Consult with counsel, particularly when the PHI is related to care provided in another jurisdiction.
4. Prepare a Form Document for the Required Acknowledgements. You will want to have this form ready in advance so that you can provide it as soon as you receive a request for PHI that requires a signed attestation. Look out for model language from HHS or contact your Fisher Phillips attorney.
5. Revise your Notice of Privacy Practices. Work with your counsel to update your NPP to comply with the new final rule and address reproductive healthcare privacy protections.