HIPAA Privacy Rule to Support Reproductive Health Care Privacy - Bim Group

HIPAA Privacy Rule to Support Reproductive Health Care Privacy

News

Share this post:

Linkedin

READ TIME: 6 MINUTES

Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade and its constitutional protection of abortion, many states adopted extreme abortion bans and other restrictions on reproductive health care. Along with these new laws came concerns from both patients and providers that protected health information (PHI) could be used to expose them to both civil and criminal liability under the new state laws. On April 22, 2024, the Department of Health and Human Services (HHS) finalized new regulations aiming to protect PHI relating to reproductive health care. This final rule aims to allay fears of these patients and providers by prohibiting the use and disclosure of PHI related to lawful reproductive health care under certain circumstances.

HIPAA Privacy Rule Refresher

The HIPAA Privacy Rule (the “Privacy Rule”) serves to protect an individual’s PHI. The Privacy Rule applies to “covered entities” which include health care providers, health plans, and health care clearinghouses and their business associates (collectively, “regulated entities”). The rule generally prohibits regulated entities from using or disclosing PHI and sets limits on how PHI can be used or disclosed without an individual’s express authorization. The rule also gives individuals the right to examine their own health records, direct a covered entity to transmit their records to a third party, and request corrections to their records.

Prohibitions

This new rule focuses on patient confidentiality and the prevention of the use of PHI against an individual or their provider for seeking, obtaining, or providing lawful reproductive health care. The final rule defines reproductive health care to mean health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This includes, but is not limited to contraception, preconception screening and counseling, management of pregnancy and related conditions, prenatal care, miscarriage management, pregnancy termination, fertility and infertility diagnosis and treatment, and treatment of conditions that affect the reproductive system.

The final rule prohibits regulated entities from using or disclosing PHI:

  • To investigate or penalize, in the civil, criminal, or administrative context, an individual seeking, obtaining, or providing lawful reproductive healthcare.
  • To identify any person for the purposes of investigating or imposing such criminal, civil, or administrative

The prohibition applies where a regulated entity has reasonably determined that:

  • The reproductive health care is lawful in the state in which it was
  • The reproductive health care is protected, authorized, or required by federal
  • The reproductive health care was provided by a person other than the regulated entity that received the request for PHI and the presumption of lawful reproductive health care applies.

Presumption

The final rule includes a presumption that reproductive health care provided by a person other than the regulated entity who receives a request for PHI was lawful. The presumption that such reproductive health care was lawful may be rebutted if:

  • The regulated entity knows the care was unlawful, or
  • The regulated entity receives factual information, forming a “substantial factual basis,” from the individual making the request that the reproductive health care was unlawful in the circumstances in which it was
  • Where a request for PHI is made to the regulated entity that provided the reproductive health care, it is up to that entity to determine whether such health care was lawful and thus if disclosure is

New Attestation Requirements

The final rule creates a new requirement for regulated entities who receive a request for PHI potentially related to reproductive health care to obtain a written and signed attestation that the use and disclosure is not for a prohibited purpose.

An attestation is required when a request is made for:

  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Disclosures to coroners and medical examiners A valid attestation must include:
  • The name of the individual whose PHI is sought
  • The name of the person requesting the PHI
  • The name of the person to whom the disclosure is to be made
  • The clear statement that the PHI is not for a prohibited purpose
  • A statement that a person who knowingly and in violation of HIPAA obtains or discloses individually identifiable health information may be subject to criminal penalties

HHS plans to publish sample attestation language before the compliance date of this final rule.

Notice of Privacy Practices

Under the current Privacy Rule, covered entities are generally required to provide a Notice of Privacy Practice (NPP) to individuals to inform them how a covered entity may use or disclose their PHI and explain their individual rights under the Privacy Rule. Covered entities must now revise their NPPs to explain to individuals how their PHI related to reproductive health care may be used or disclosed under the newly issued final regulations. NPPs must be updated and revised by February 16, 2026.

Employer Action Items

While employers are not regulated by HIPAA directly, employers who provide health benefits or who handle health information in any capacity should stay informed of the implications of this rule. To best navigate the complicated and rapidly changing landscape of state and federal reproductive health law, employers should:

  1. Stay up to date on guidance released from HHS concerning the updates to the Privacy
  2. Update NPPs and ensure employees are provided with updated
  3. Consult with legal counsel should you receive a request for information potentially related to an employee’s PHI or their reproductive health care.

 

 

This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.

Recent Insights

May 18, 2026
News

HR Elements: Redesigning Benefits for a Multigenerational Workforce

For the first time in history, many employers are managing a workforce that spans five generations—from employees just entering the workforce to those delaying retirement well into their sixties and seventies. While this diversity can strengthen organizations through broader perspectives and experience, it is also reshaping how employers think about benefits. Traditional, “one-size-fits-all” offerings are […]
Read more
May 18, 2026
News

CMS Revises Medicare Part D Creditable Coverage Rules for 2027

READ TIME: 5 MINUTES The Centers for Medicare & Medicaid Services (CMS) has finalized important changes affecting Medicare Part D creditable coverage determinations beginning with plan years starting on or after January 1, 2027. The updates will impact the way employer-sponsored health plans evaluate prescription drug coverage and comply with Medicare Part D disclosure requirements. The final […]
Read more
May 18, 2026
News

A New Era of Health and Welfare Fiduciary Litigation

READ TIME: 7 Minutes Health and welfare plan fiduciaries are entering a period of increased legal scrutiny. For many years, fiduciary litigation under the Employee Retirement Income Security Act of 1974 (ERISA) focused primarily on retirement plans, and particularly on allegations of excessive fees involving 401(k) plans. More recently, however, plaintiffs and regulators have shifted […]
Read more
April 1, 2026
News

Managing AI Use in the Workplace Without Stifling Innovation

Artificial intelligence is already part of the workplace. Employees are using generative tools to draft emails, summarize documents, build presentations, analyze data, and accelerate research. In many cases, these tools appeared before organizations had formal policies in place. The result is a familiar tension: leadership recognizes the productivity benefits of AI, but concerns remain around […]
Read more