On April 26, 2024, the U.S. Department of Health and Human Services (HHS) issued the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to Support Reproductive Health Care Privacy Final Rule [1] (Final Rule), modifying the Privacy Rule [2] under HIPAA and the Health Information Technology for Economic and Clinical Health Act. This change was prompted by the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization [3], as this decision “increases the likelihood that an individual’s PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect, including the trust of individuals in health care providers and the health care system.” [4]
Since the overturning of Roe v. Wade, many providers have voiced concerns that patients are reluctant to share crucial medical information with them due to fears that their medical records may be accessed by law enforcement or legal entities, even when they seek lawful reproductive care. This fear may deter individuals from legally seeking healthcare services or from openly sharing their medical information. The Final Rule aims to prevent the use and/or disclosure of Protected Health Information (PHI) for prosecuting patients or providers for securing lawful care.
What Does the Final Rule Include?
Presumption
The Final Rule establishes a presumption that the reproductive health care provided by another person is considered lawful unless the Covered Entity [5] or business associate [6] has: (1) actual knowledge that reproductive health care was not lawful under the circumstances it was provided, or (2) information supplied by the person requesting the use or disclosure of the PHI demonstrates a substantial factual basis that the reproductive health care was not lawful. Generally, the Final Rule intends to safeguard the privacy of individuals receiving reproductive health care by presuming the care is legal unless there is clear evidence that suggests otherwise.
Prohibition
The Final Rule prohibits covered entities and business associates from using or disclosing PHI for any of the following reasons [7]: (1) to conduct a criminal, civil, or administrative investigation into a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, (2) to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, or (3) to identify any person for purposes of the above.
The prohibition on disclosure applies when the activity involves any person seeking, obtaining, providing, or facilitating reproductive health care AND the covered entity or business associate receiving the request for the PHI has reasonably determined that: (1) the reproductive health care is lawful under the law of the state where it is provided, (2) reproductive health care is protected, required, or authorized by Federal Law, like the Emergency Medical Treatment and Active Labor Act, regardless of the state where health care is provided, or (3) the presumption applies.
What is Required?
Beginning December 23, 2024, covered entities must implement a process to identify when a PHI request may be related to reproductive healthcare and obtain a signed attestation confirming that the requested use or disclosure is not for prohibited purposes. The request must be for PHI for any of the following: (1) health oversight activities, (2) judicial and administrative proceedings, (3) law enforcement purposes, and (4) disclosures to coroners and medical examiners. This task may be challenging for organizations because reproductive healthcare information can be found in any patient’s records, at any place within the medical record system. Covered entities should adhere to the model attestation provided by the government.
Beginning February 16, 2026, covered entities must also update and re-distribute the organization's Notice of Privacy Practices (NPPs) to incorporate information about the protection of reproductive healthcare. These updates should include a description of the organization's responsibilities regarding prohibited disclosures of reproductive healthcare information and the attestation requirements. We anticipate that the Office for Civil Rights (OCR) will publish an updated example of an NPP with language to comply with this requirement.
Finally, the Final Rule clarifies that disclosure of PHI to law enforcement is only permitted in these circumstances: (1) the disclosure is not subject to the prohibition, (2) the disclosure is required by law, and (3) the disclosure meets all applicable conditions of the Privacy Rule permission to use or disclose PHI as required by law. [8] Under the Privacy Rule, uses and disclosures required by law are any uses or disclosures that (1) comply with and are limited to the relevant requirements of the law and (2) meet the requirements of “disclosures about victims of abuse, neglect, or domestic violence,” “disclosures for judicial and administrative proceedings,” or “disclosures for law enforcement purposes.” [9]
What’s Next?
As the deadlines for compliance approach, covered entities should consider the following to ensure adherence to this new regulatory update:
- Update policies and procedures to reflect the above process and ensure that the organization's practices align with the new requirements.
- Develop a procedure to handle requests for PHI related to reproductive healthcare, specifying who will be responsible for determining prohibited purposes.
- Offer training and education to staff regarding the changes and expectations related to the revised policies and procedures. This training should be provided to all staff involved in the disclosure and protection of PHI.
- Update Business Associate Agreements to include the requirements in the Final Rule.
- Work with your Information Security department to review the PHI that is automatically disclosed from your organization to identify if any of these will need to be updated to comply with the rule.
- Be attentive to any updates from the OCR regarding changes to their NPPs.
- Coordinate with community partners who might be affected by the attestation requirement such as coroners, local attorneys and courts, and any others who request records on a regular basis.
- Ensure that internal departments such as Social Work, Security, and staff in the Emergency Department are well-informed about the rules, as they may encounter unofficial approaches from law enforcement.
Recently, on November 26, 2024, HHS OCR settled with Holy Redeemer Family Medicine for a HIPAA Privacy Rule violation due to the unauthorized disclosure of a female patient’s PHI to her prospective employer. Holy Redeemer agreed to pay $35,581 and implement a corrective action plan, with OCR monitoring the plan's implementation for two years to ensure compliance and protect patient privacy. This case reinforces the importance of HIPAA compliance, particularly regarding sensitive areas like reproductive health. [10]
Based on the reelection of President Trump, it is possible that the Final Rule may change. Covered entities will need to implement the attestation requirement and should remain informed about any upcoming changes, as it is anticipated that the new administration may update or possibly remove the Final Rule relating to reproductive care.
How to Contact Us
We are here to help you develop the necessary processes or evaluate your existing procedures to ensure adherence to the Final Rule. Please contact Lisa Taylor at +1 202.449.7123 or lisa.taylor@ankura.com.
SOURCES
[1] 45 CFR Parts 160 and 164. https://www.federalregister.gov/documents/2024/04/26/2024-08503/hipaa-privacy-rule-to-support-reproductive-health-care-privacy.
[2] 45 CFR part 160 and subparts A and D of part 164
[3] Dobbs v. Jackson Women's Health Organization, 597 U.S. 215 (2022).
[4] 45 CFR Parts 160 and 164. https://www.federalregister.gov/documents/2024/04/26/2024-08503/hipaa-privacy-rule-to-support-reproductive-health-care-privacy.
[5] See 45 CFR 160.103
[6] See 45 CFR 160.103
[7] See 45 CFR 160.103
[8] HHS, HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet. https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html#:~:text=The%20Final%20Rule%20requires%20covered,support%20reproductive%20health%20care%20privacy.
[9] 45 CFR §164.512(a).
[10] HHS OCR, HHS Office for Civil Rights Settles with Holy Redeemer Hospital Over Disclosure of Patient’s Protected Health Information, Including Reproductive Health Information, https://www.hhs.gov/about/news/2024/11/26/hhs-office-civil-rights-settles-holy-redeemer-hospital-disclosure-patients-protected-health-information-including-reproductive-health-information.html.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.