Comply With Us

Reproductive Health Care Gets More Protection Under HIPAA

May 20, 2024

As a result of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization back in 2022, federal agencies were directed to research what could be done to protect women’s health and privacy. HHS has consequently released HIPAA guidance related to reproductive health care services under a health plan, with a focus on the information required to be disclosed by law. A Notice of Proposed Rulemaking was issued in April 2023, modifying the HIPAA Privacy Rule, and, one year later, a Final Rule was issued on April 22nd, 2024, that changes specific provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations to support reproductive health care privacy.

The Final Rule becomes effective on June 25, 2024, and applies to covered healthcare providers, health plans, healthcare clearinghouses, and their business associates (collectively, Regulated Entities). Regulated Entities must comply with all provisions of the Final Rule by December 22, 2024, except for updating their Notice of Privacy Practices (NPP), which must be completed by February 16, 2026.

The Office of Civil Rights (OCR), a division of HHS, first released materials addressing HIPAA's role in safeguarding women’s protected health information (PHI) in June of 2022. OCR declared that their goal was to ensure that the Dobbs decision did not diminish any individual’s expectations regarding the privacy of their health information in a manner that leads to their distrust and refusal to access health care. The actual rulemaking process to support this goal began the following year.

The Final Rule now seeks to further protect the privacy of a person legally seeking abortion-related services by explicitly prohibiting the use or disclosure of protected health information by Regulated Entities for:

  • Conducting a criminal or administrative investigation into any person for seeking, obtaining, providing, or facilitating reproductive health care where such health care is lawful;
  • Imposing criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful; and/or
  • Identifying any person for the purpose of conducting an investigation or imposing liability.

The prohibition on the use or disclosure of PHI applies where that health care is lawful under federal law or the state's laws. The prohibition preempts state laws mandating the use or disclosure of PHI under a court order or other legal process for a prohibited purpose. It only applies when a Regulated Entity has reasonably determined that at least one of the following conditions exists:

  • Reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided; 
  • Reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which health care is provided; and/or 
  • The reproductive health care was provided by a person other than the Regulated Entity that receives the request for PHI, and the presumption is that the care provided was lawful.

If any of these conditions are not satisfied (for example, if the Regulated Entity knows the reproductive health care to have been delivered unlawfully), then the Final Rule’s protections would not apply. A Regulated Entity would then be permitted, but not required, to disclose PHI to law enforcement, as long as that disclosure is in accordance with the Privacy Rule. However, the Final Rule also clarifies that disclosures of PHI to law enforcement are only permitted if certain conditions are met. Specifically, disclosures of PHI for reproductive health care, lawful or not, are only permissible in this circumstance if they:

  • Are not subject to the new prohibitions;
  • Are required by law; and
  • Meet all conditions of the HIPAA Privacy Rule.

HIPAA allows PHI to be used or disclosed for a finite number of additional reasons listed in the Privacy Rule, for example so that a provider can defend itself in a criminal, civil, or administrative proceeding seeking to impose liability for reproductive health care services. The Final Rule provides that covered entities and their business associates may continue to use or disclose PHI for those permitted purposes, as long as the use or disclosure is not prohibited by one of the new provisions.

To help facilitate compliance with the Final Rule and assist Regulated Entities in determining when a use/disclosure of PHI is permissible, this new guidance requires that such entities obtain a signed and dated attestation from the person or entity requesting PHI potentially related to reproductive health care for (1) health care oversight activities, (2) judicial and administrative proceedings, (3) law enforcement purposes, and (4) disclosures to coroners and medical examiners. The attestation must state that the requested use or disclosure of PHI is not for a prohibited purpose and include a statement of notice of the criminal penalties for persons who knowingly obtain or disclose individually identifiable health information in violation of HIPAA. HHS has indicated that it will provide model language for the attestation. 

Lastly, the Final Rule requires that health care providers, health plans, and health care clearinghouses revise their Notice of Privacy Practices to strengthen privacy. Specifically, they must revise their NPPs to inform individuals about how their PHI may or may not be used or disclosed and provide examples.

With the effective date of the Final Rule quickly approaching, Regulated Entities should incorporate the following items into a compliance strategy for the new requirements: 

  • Update HIPAA Policies and Procedures and NPPs. Regulated Entities must update their HIPAA policies and procedures regarding the use and disclosure of information that could be related to reproductive health care. Healthcare providers, health plans, and healthcare clearinghouses must update their NPPs and post the revised versions on their websites. 
  • Create and Draft Attestations. Regulated Entities must adopt an attestation form and implement a process for administering the attestation form according to the Final Rule’s requirements. Regulated Entities should also consider whether it will be more administratively straightforward to require attestations for all PHI requests that fall within “non-healthcare” categories, as outlined in the Attestation Requirement. Because reproductive health care is such a broad concept, an across-the-board approach could limit the possibility that a Regulated Entity will fail to identify whether PHI is related to this type of care. 
  • Compliance Training. Regulated Entities should update their HIPAA training for applicable employees to include (1) the limitations on the uses and disclosure of PHI under the Final Rule and (2) the new attestation form requirement.

As indicated earlier, Regulated Entities must comply with most aspects of this new guidance by December 23, 2024. MZQ Consulting is available to answer any questions or concerns that may arise regarding this significant Final Rule.