JENNI COLAGIOVANNI
Wachler & Associates, P.C.

On April 26, 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Final Rule introducing modifications to the HIPAA Privacy Rule that limit the use or disclosure of reproductive healthcare information (RHI) for certain non-health care purposes.[1] Titled the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” the Final Rule prohibits disclosure of protected health information (PHI) related to lawful reproductive health care under certain circumstances. The Final Rule incorporates several changes for HIPAA-covered entities and business associates including a requirement for entities to obtain an attestation in connection with certain requests for reproductive healthcare information, updates to business associate agreements and HIPAA policies and training, and updates to Notices of Privacy Practices (NPPs).

The Final Rule was issued in response to the changing legal landscape, in particular the U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization[2], which overturned the precedent protecting a constitutional right to abortion. In the wake of Dobbs, the Final Rule describes an increase in the likelihood that an individual’s PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect, including the trust of individuals in their health care providers and the health care system.

Prohibition: The Final Rule’s purpose-driven protection prohibits covered entities and business associates (collectively “regulated entities”) from using or disclosing PHI to investigate or impose liability on a person who seeks, obtains, provides, or facilitates reproductive health care that is lawful under the circumstances under which it is provided, or to identify persons for such activities.[3] For the new prohibition on disclosure to apply, the regulated entity must reasonably determine that at least one of the following is met:

  • The reproductive health care is lawful in the state in which it was provided;
  • The reproductive health care is protected, required or authorized by federal law (i.e., protected by the U.S. Constitution), regardless of the state in which the care was provided;
  • When the reproductive health care is provided by a person other than the recipient of the request for PHI.[4]

The Final Rule continues to allow covered healthcare providers to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for the use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare.  Other components of the Final Rule include:

Presumption: The Final Rule includes a presumption, with certain exceptions, that the reproductive health care provided by a person other than the regulated entity receiving the request was lawful. The presumption applies unless the regulated entity has actual knowledge or the requestor provides factual information that the care was not lawful under the circumstances in which it was provided.[5]

Definition of Reproductive Health Care: Notably, the Final Rule defines “reproductive health care” as “care, services, or supplies related to the reproductive health of the individual” and expressly indicates the intent for the definition to be interpreted broadly.[6] The Final Rule illustrates the definition’s breadth with a non-exhaustive list of examples that fit within the definition: contraceptive medications, including over-the-counter contraceptives; pre-conception screening and counseling; management of pregnancy and pregnancy-related conditions; peri-menopausal and menopausal treatments; as well as services and supplies used for the diagnosis and treatment of conditions related to the reproductive system, such as mammography. Given the broad definition, the Final Rule is likely to impact the health records of nearly all HIPAA regulated organizations and their business associates.

Attestation:  Covered entities and business associates are required to obtain a signed attestation from certain requestors in connection with requests for disclosure of PHI potentially related to reproductive health care for non-health purposes.[7]  The attestation amounts to written representations from the requestor that they do not seek the requested PHI for prohibited purposes. This requirement applies when PHI is requested for non-health purposes such as health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosure to coroners and medical examiners.[8] The HHS OCR has indicated that it intends to publish model attestation language.

Notice of Privacy Practices:  Additionally, covered entities are required to modify their NPPs to support reproductive healthcare privacy.[9] In addition to the modifications related to reproductive health care privacy, the Final Rule also recognizes the need for covered entities to revise their NPPs consistent with the proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records (Part 2 NPRM), consistent with the CARES Act of 2020.

Next Steps: The Final Rule is set to take effect on June 25, 2024, with a compliance date of December 23, 2024 (with the exception of requirements pertaining to Notices of Privacy Practices, which covered entities must comply with by February 16, 2026). The time is now for covered entities to evaluate where RHI may exist in their health and administrative records. Regulated entities are encouraged to review current HIPAA policies and training to incorporate processes to ensure compliance with requests for information that potentially include RHI, including a process for obtaining required attestations. Covered entities are advised to review not only their NPPs but also their business associate agreements to ensure compliance with the Final Rule.

[1] See 89 FR 32976.

[2] 597 U.S. 215 (2022).

[3] 45 C.F.R. 164.502(a)(5)(iii)(A).

[4] 45 C.F.R. 164.502(a)(5)(iii)(B).

[5] 45 C.F.R. 164.502(a)(5)(iii)(C).

[6] 45 C.F.R. 160.103 (definitions).

[7] See 45 C.F.R. 164.509.

[8] See 45 C.F.R. 164.512(d) – (g).

[9] See 45 C.F.R. 164.520.