HIPAA Privacy Rule to Support Reproductive Health Care
Updated August 2024
Deemed necessary by the Department of Health and Human Services (HHS) following the U.S. Supreme Court's decision in Dobbs v. Jackson Women's Health Organization and its aftermath of state-level abortion laws, HHS has issued a HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “2024 Privacy Rule”). The 2024 Privacy Rule amends the HIPAA privacy rule to afford greater protection to protected health information (PHI) that is related to reproductive health care, with the goal of maintaining the necessary trust between patient and healthcare provider. The 2024 Privacy Rule also supports President Biden’s Executive Order on protecting access to reproductive health care, and specifically directing HHS to consider additional actions, including under HIPAA, to enhance protection for information related to reproductive health care.
2024 Privacy Rule Summary
The primary purpose of the 2024 Privacy Rule is to further restrict the use or disclosure of PHI related to reproductive health care. Previously, HIPAA-regulated entities (i.e., covered entities and business associates) were generally permitted to disclose PHI for certain public policy-related reasons, including law enforcement. The 2024 Privacy Rule further restricts this permission by prohibiting such entities from disclosing PHI related to lawful reproductive health care in certain situations. To support this effort, the 2024 Privacy Rule adds and clarifies a couple definitions, imposes a new attestation requirement to be used upon receipt of a request for PHI potentially related to reproductive health care, and requires covered entities to make changes to their Notice of Privacy Practices.
New Definitions
Person
Previously, the term “person” was defined by the HIPAA rules as “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” This definition has been clarified under the 2024 Privacy Rule to mean “a natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”
Reproductive Health Care
A new term, “reproductive health care,” has been added as a subset of the term “health care,” to mean health care “that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.” This definition would include, but is not limited to:
- contraception, including emergency contraception;
- preconception screening and counseling;
- management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination;
- fertility and infertility diagnosis and treatment, including assisted reproductive technology (e.g., in vitro fertilization (IVF));
- diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and
- other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products).
Public Health
A new definition of “public health” in the context of surveillance, investigation, or intervention will refer to “population-level activities to prevent disease and promote the health of populations,” to be clearly distinguished from a criminal investigation.
New Category of Prohibited Use or Disclosure of PHI
Prohibited Purposes
Under certain conditions described below, HIPAA-regulated entities will be prohibited from using or disclosing PHI for the following purposes:
- To conduct a criminal, civil, or administrative investigation into a person, or to impose civil, criminal, or administrative liability on any person, for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
- To identify any person for any purpose described above.
The use or disclosure of PHI for one of the above purposes will be prohibited if the HIPAA-regulated entity that receives the request for PHI can reasonably determine that one or more of the following three conditions exists:
- The reproductive health care is lawful under the law of the state in which the care is provided and under the circumstances in which it is provided;
- The reproductive health care is protected, required, or authorized under federal law, including the U.S. Constitution, under the circumstances provided, regardless of the state in which care is provided; or
- The reproductive health care was provided by a person other than the HIPAA-regulated entity that receives the request for PHI and the presumption (described below) applies.
The presumption under the 2024 Privacy Rule is that reproductive health care provided by a person other than the HIPAA-regulated entity receiving the request for PHI was lawful unless the HIPAA-regulated entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided; or the HIPAA-regulated entity receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.
Note that because of the types of requests to which these new rules apply, the covered entity may find itself having to defy what on its face would appear to be a valid subpoena, court order, or administrative request from law enforcement, a court or regulatory agency in order to satisfy its obligations under the HIPAA privacy rule.
The Attestation
When a HIPAA-regulated entity receives a request for PHI potentially related to reproductive health care, the entity must first obtain a signed attestation from the person requesting the information that the use or disclosure is not for a prohibited purpose. The requirement for an attestation will apply when the request for PHI is for any of the following reasons: health oversight activities; judicial and administrative proceedings; law enforcement purposes; and disclosures to coroners and medical examiners.
A valid attestation must include a clear statement that the use or disclosure of PHI is not for a prohibited purpose as well as a statement that a person may be subject to criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA. The attestation must be written in plain language and cannot be combined with any other document (though other additional supporting documentation may be provided).
It is a violation of HIPAA rules to rely on a defective attestation in the use or disclosure of PHI – a defective attestation includes one that contains an element or statement that is not required by the 2024 Privacy Rule (i.e., that goes above and beyond what is required). The attestation is also defective if the HIPAA-regulated entity has actual knowledge that material information in the attestation is false, or when a reasonable entity in the same position would not believe that the attestation is true. In considering whether an attestation is true, an entity must consider the “totality of the circumstances surrounding the attestation,” including who the requestor is and the permission upon which the requestor relies.
HHS has provided a model attestation form that covered entities and business associates may use for this requirement.
Effective Date
Compliance with the above amendments to the HIPAA Privacy Rule is required by December 22, 2024. While employers are unlikely to be the primary target of PHI requests subject to these new rules, employers should nevertheless plan to adjust their HIPAA policies and procedures and required HIPAA training for their workforce members that have access to PHI to satisfy these new rules.
Changes to Notice of Privacy Practices
The 2024 Privacy Rule also requires covered entities to make changes to their Notice of Privacy Practices that address both the new prohibited purposes of use or disclosure of PHI related to reproductive health care and the confidentiality of substance use disorder patient records that were originally addressed in a separate final rule that was released on February 16, 2024 (the Part 2 Final Rule).
Compliance with the changes to the Notice of Privacy Practices is expected by February 16, 2026. An updated model Notice of Privacy Practices is expected to be released by that time.
Summary
In complying with the 2024 Privacy Rule, employers will need to revise their HIPAA policies and procedures to account for the new category of prohibited use or disclosure of PHI as well as update their HIPAA training provided to any employees with access to PHI by December 22, 2024. That said, we are expecting further guidance from HHS, including a model attestation form to comply with the 2024 Privacy Rule.
Finally, employers will also need to update their Notice of Privacy Practices by February 16, 2026, though we do expect an updated model Notice of Privacy Practices to be issued by that time.
While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting, or other professional advice or services. Readers should always seek professional advice before entering into any commitments.