READ TIME: 6 MINUTES
Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and its constitutional protection of abortion, many states adopted extreme abortion bans and other restrictions on reproductive health care. Along with these new laws came concerns from both patients and providers that protected health information (PHI) could be used to expose them to both civil and criminal liability under the new state laws. On April 22, 2024, the Department of Health and Human Services (HHS) finalized new regulations aiming to protect PHI relating to reproductive health care. This final rule aims to allay fears of these patients and providers by prohibiting the use and disclosure of PHI related to lawful reproductive health care under certain circumstances.
HIPAA Privacy Rule Refresher
The HIPAA Privacy Rule (the “Privacy Rule”) serves to protect an individual’s PHI. The Privacy Rule applies to “covered entities” which include health care providers, health plans, and health care clearinghouses and their business associates (collectively, “regulated entities”). The rule generally prohibits regulated entities from using or disclosing PHI and sets limits on how PHI can be used or disclosed without an individual’s express authorization. The rule also gives individuals the right to examine their own health records, direct a covered entity to transmit their records to a third party, and request corrections to their records.
Prohibitions
This new rule focuses on patient confidentiality and the prevention of the use of PHI against an individual or their provider for seeking, obtaining, or providing lawful reproductive health care. The final rule defines reproductive health care to mean health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This includes, but is not limited to contraception, preconception screening and counseling, management of pregnancy and related conditions, prenatal care, miscarriage management, pregnancy termination, fertility and infertility diagnosis and treatment, and treatment of conditions that affect the reproductive system.
The final rule prohibits regulated entities from using or disclosing PHI:
- To investigate or penalize, in the civil, criminal, or administrative context, an individual seeking, obtaining, or providing lawful reproductive healthcare.
- To identify any person for the purposes of investigating or imposing such criminal, civil, or administrative
The prohibition applies where a regulated entity has reasonably determined that:
- The reproductive health care is lawful in the state in which it was
- The reproductive health care is protected, authorized, or required by federal
- The reproductive health care was provided by a person other than the regulated entity that received the request for PHI and the presumption of lawful reproductive health care applies.
Presumption
The final rule includes a presumption that reproductive health care provided by a person other than the regulated entity who receives a request for PHI was lawful. The presumption that such reproductive health care was lawful may be rebutted if:
- The regulated entity knows the care was unlawful, or
- The regulated entity receives factual information, forming a “substantial factual basis,” from the individual making the request that the reproductive health care was unlawful in the circumstances in which it was
- Where a request for PHI is made to the regulated entity that provided the reproductive health care, it is up to that entity to determine whether such health care was lawful and thus if disclosure is
New Attestation Requirements
The final rule creates a new requirement for regulated entities who receive a request for PHI potentially related to reproductive health care to obtain a written and signed attestation that the use and disclosure is not for a prohibited purpose.
An attestation is required when a request is made for:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Disclosures to coroners and medical examiners A valid attestation must include:
- The name of the individual whose PHI is sought
- The name of the person requesting the PHI
- The name of the person to whom the disclosure is to be made
- The clear statement that the PHI is not for a prohibited purpose
- A statement that a person who knowingly and in violation of HIPAA obtains or discloses individually identifiable health information may be subject to criminal penalties
HHS plans to publish sample attestation language before the compliance date of this final rule.
Notice of Privacy Practices
Under the current Privacy Rule, covered entities are generally required to provide a Notice of Privacy Practice (NPP) to individuals to inform them how a covered entity may use or disclose their PHI and explain their individual rights under the Privacy Rule. Covered entities must now revise their NPPs to explain to individuals how their PHI related to reproductive health care may be used or disclosed under the newly issued final regulations. NPPs must be updated and revised by February 16, 2026.
Employer Action Items
While employers are not regulated by HIPAA directly, employers who provide health benefits or who handle health information in any capacity should stay informed of the implications of this rule. To best navigate the complicated and rapidly changing landscape of state and federal reproductive health law, employers should:
- Stay up to date on guidance released from HHS concerning the updates to the Privacy
- Update NPPs and ensure employees are provided with updated
- Consult with legal counsel should you receive a request for information potentially related to an employee’s PHI or their reproductive health care.
This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.