On April 22, 2024, the Department of Health and Human Services (HHS) announced a Final Rule titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by prohibiting disclosure of protected health information (PHI) related to lawful reproductive health care under certain circumstances. The Final Rule is designed to promote high-quality health care by fostering trust and communication between individuals and their health care providers.
The Final Rule:
- Prohibits use or disclosure of PHI to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances under which it is provided, or to identify persons for such activities. Importantly, the Final Rule includes a presumption (with some exceptions) that the reproductive health care provided by a person other than the regulated entity receiving the request was lawful.
- Requires regulated entities (covered entities and their business associates) to obtain a signed attestation from certain requestors that they do not seek PHI for these prohibited purposes. This requirement applies when PHI is requested for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners, as described in 45 C.F.R. § 512. According to the HHS Office for Civil Rights (OCR), this requirement “puts persons making requests for the use or disclosure of PHI on notice of the potential criminal penalties for those who knowingly and in violation of HIPAA obtain individually identifiable health information (IIHI) relating to an individual or disclose IIHI to another person.” OCR intends to publish model attestation language.
- Requires covered entities to modify their Notice of Privacy Practices (NPP) to support reproductive health care privacy.
The Final Rule continues to allow regulated entities to use and disclose PHI for permitted purposes, where the request for use or disclosure is not to investigate or impose liability on a person merely for seeking, obtaining, providing, or facilitating reproductive health care. HHS provides examples in its Fact Sheet on the Final Rule, which we paraphrase here:
- A covered health care provider could continue to use or disclose PHI to defend itself in an investigation or proceeding related to professional misconduct or negligence where the alleged professional misconduct or negligence involved the provision of reproductive health care.
- A regulated entity could continue to use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care.
- A regulated entity could continue to use or disclose PHI to an inspector general where the PHI is sought to conduct an audit for health oversight purposes.
The Final Rule will be effective 60 days after it is published in the Federal Register (which has not yet occurred), with a compliance date of 240 days after publication. Covered entities must comply with the NPP provisions of the Final Rule by February 16, 2026.
We are happy to help you understand your compliance obligations and begin planning for implementation at your organization.