In the wake of the Supreme Court's decision in Dobbs v. Jackson Women's Health Organization and subsequent state abortion bans, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a Final Rule (Final Rule) modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule in order to support reproductive health care privacy. As with prior HIPAA rules, the Final Rule applies to covered healthcare providers, health plans, or healthcare clearing houses (each, a Covered Entity) and their business associates.
The Final Rule seeks to strengthen protections concerning the use and disclosure of "reproductive health care" information. For purposes of the Final Rule, "reproductive health care" includes services such as receipt of contraception, management of pregnancy and pregnancy-related conditions, miscarriage management, pregnancy termination, and infertility diagnosis and treatment.
The protections under the Final Rule include:
- A prohibition on the use or disclosure of protected health
information (PHI) by a Covered Entity or their business
associate(s) to conduct a criminal, civil, or administrative
investigation into or impose criminal, civil, or administrative
liability on any person for the mere act of seeking, obtaining,
providing, or facilitating lawful reproductive health care, or to
identify any person for the purpose of conducting such an
investigation.
- Reproductive health care is considered lawful under the Final
Rule if a Covered Entity reasonably determines either of the
following:
- It is lawful under the law of the state in which such healthcare is provided under the circumstances in which it is provided.
- The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such healthcare is provided.
- Reproductive health care is considered lawful under the Final
Rule if a Covered Entity reasonably determines either of the
following:
- A presumption that the reproductive health care provided by a person other than the Covered Entity (or business associate) receiving the request was lawful unless the Covered Entity has actual knowledge or factual information that it was unlawful.
- A requirement that Covered Entities and business associates
obtain a signed and dated attestation when receiving a request for
PHI potentially related to reproductive health care. The
attestation is required when the request is for PHI for any of the
following:
- Health oversight activities.
- Judicial and administrative proceedings.
- Law enforcement purposes.
- Disclosures to coroners and medical examiners.
The attestation must state that the requested use and disclosure of PHI is not for a prohibited purpose, and it puts persons making requests for the use and disclosure of PHI on notice of the potential criminal penalties for knowingly violating the Final Rule. OCR has published a model attestation for use.
Key Compliance Steps and Dates
Due by December 23, 2024
Revise HIPAA Policies and Procedures
Covered Entities will need to revise their HIPAA policies and procedures to incorporate the Final Rule, including to ensure that an attestation is provided under the appropriate circumstances.
Conduct Compliance Training
All workforce members must be trained on the revised HIPAA policies and procedures to ensure compliance with the Final Rule, including the attestation requirement and other considerations when responding to a request for the use or disclosure of PHI potentially related to reproductive health care.
Update Business Associate Agreements (BAAs)
Covered Entities should review and update their BAAs to the extent the Final Rule is not addressed or if the BAAs do not adequately address their respective responsibilities for requests for uses or disclosures of PHI related to reproductive health care.
Due by February 16, 2026
Update Notice of Privacy Practices (NPPs)
Covered Entities will be required to revise their NPPs to reflect the new protections under the Final Rule. Covered Entities will need to revise their NPPs further to address proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records. Because these required changes are extensive, the deadline for revising NPPs is not until February 2026.
Takeaways
Covered Entities (and business associates), particularly employers sponsoring self-funded health plans, should take steps now to ensure compliance with the Final Rule by the end of the year.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.