HIPAA Final Rule Addressing Reproductive Health Requires Significant Compliance Measures

HIPAA protects the privacy of individuals’ protected health information (“PHI”) and sets parameters and restrictions on the use and disclosure of PHI.

Health plans and business associates must comply with the new restrictions on the use and disclosure of PHI by December 23, 2024. In addition, the new HIPAA Notice of Privacy Practices (“NPP”) requirements must be complied with by February 16, 2026.

The Final Rule:

• Prohibits the use or disclosure of PHI for certain purposes;
• Provides limited circumstances under which the prohibition applies; and
• Requires a written attestation in certain circumstances before a covered entity or business associate may use or disclose reproductive health information pursuant to four specific provisions of the HIPAA Privacy Rule.

The Final Rule also adds new definitions for the terms “public health” and “reproductive health care,” and it amends the definition of “person” to clarify that “natural person” means a human being born alive. The Final Rule includes a provision that broadly defines the scope of “seeking, obtaining, providing, or facilitating” reproductive health care. Other provisions related to reporting abuse, neglect, or domestic violence and additional minor changes are included in the Final Rule.

Notably, the Final Rule adds several new requirements for NPPs that reflect the provisions outlined above, as well as the confidentiality requirements in HHS’s 2024 Part 2 Rule.

Purpose and Applicability

The Final Rule is a “purpose-based” rule prohibiting the use or disclosure of PHI by a covered entity or business associate when the purpose of that disclosure is any of the following, collectively referred to as the “Prohibited Purpose”:

• To conduct a civil, criminal, or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care;
• To impose liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
• To identify any person for any purpose described in the above two bullet points.

This ban on the use or disclosure of PHI for the Prohibited Purpose applies when one or more of the following applies:

• The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided;
• The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided; or
• The rebuttable presumption described in the Final Rule (“Presumption”) applies.

The Presumption is prompted when a covered entity or business associate must make a lawfulness decision regarding health care provided by another entity. In such case, the health care is presumed to be lawfully provided unless that presumption is rebutted by actual knowledge or factual information.

It is important to note that the Final Rule does not create a newly defined subset of PHI for reproductive health care. HHS explained that it would be difficult for covered entities and business associates to segregate reproductive health care information because it encompasses a wide range of data across treatments and providers. Instead, the focus of the regulation is on the use and disclosure of PHI for the Prohibited Purpose.

Attestation

Requests for uses or disclosures under 45 CFR 164.512 of the HIPAA Privacy Rule (i.e., those “for which an authorization or opportunity to agree or object is not required”) must meet the specific requirements of that section. The Final Rule now requires any requesting party to provide a written attestation meeting detailed specifications (“Attestation”) when use or disclosure requests relate to reproductive health information and are requested under the following subsections of 164.512:

(d) Uses and disclosures for health oversight activities;
(e) Disclosures for judicial and administrative proceedings;
(f) Disclosures for law enforcement purposes; or
(g)(1) Uses and disclosures about decedents to coroners and medical examiners.

The elements required to be included in an Attestation are set forth in the Final Rule.

HHS has published the following Model Attestation for a Requested Use or Disclosure of Protected Health Information Potentially Related to Reproductive Health Care: https://www.hhs.gov/sites/default/files/model-attestation.pdf

Notices of Privacy Practices

Covered entities are required to revise their NPPs to indicate the newly enacted protections and to distribute and post their revised NPPs on or before February 16, 2026. The Final Rule’s NPP provision also requires specific NPP revisions related to HHS’s 2024 Part 2 Rule addressing substance use disorder records.

Recommended Action

The changes to the HIPAA regulations set forth under the Final Rule will almost certainly require revisions to existing HIPAA policies and procedures and business associate agreements.

Accordingly, covered entities and business associates should:

• Review and revise HIPAA policies and procedures to address the requirements in the Final Rule. This includes addressing the process for reviewing and processing requests for records that include reproductive health care PHI and attestations.
• Revise and distribute new HIPAA Notices of Privacy Practices.
• Provide training on the revised HIPAA policies and procedures, especially for individuals processing requests for PHI and attestations.
• Review plan communications to ensure all HIPAA references are current to reflect modifications made in the Final Rule.
• Review business associate agreements that may permit business associates to engage in activities that are no longer permitted and revise as necessary.
• Revise business associate agreements to ensure responsibility, liability, and indemnification provisions encompass these new requirements.

For additional information, please contact Emily Langdon at elangdon@fraserstrkyer.com.