In response to the shifting legal landscape around reproductive health care, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) finalized amendments to the HIPAA Privacy Rule to strengthen privacy protections for highly sensitive protected health information (PHI) related (or potentially related) to reproductive health care. OCR announced the final rule on HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule) on April 22, 2024, which became effective on June 25, 2024. The privacy limitations outlined in this post directly apply to all “Regulated Entities,” meaning that both covered entities and business associates must comply with the HIPAA requirements for PHI pertaining to reproductive health care set forth in the Final Rule.[1] Regulated Entities must comply with most of the Final Rule’s requirements by December 23, 2024. The deadline to comply with the requirements pertaining to updates to Regulated Entities’ Notice of Privacy Practices is February 16, 2026.
Purpose for the Amendments
The Final Rule aims to:
- Address individuals’ concerns regarding the confidentiality and security of reproductive health-related PHI in the hands of healthcare providers.
- Strengthen health care quality by encouraging individuals to share complete and accurate medical histories without fear, thereby improving diagnosis and treatment.
- Support providers in continuing to offer and facilitate reproductive health care.
- Protect vulnerable groups such as racial minorities and LGBTQ+ individuals who may face heightened risks of health data privacy violations or distrust in health care providers due to historical and systemic discrimination.
Privacy Limitations for Uses and Disclosures of PHI Pertaining to Reproductive Health Care
The Final Rule amended HIPAA to prohibit Regulated Entities from using or disclosing PHI to:[2]
- investigate an individual, health care provider, or other person (Party or Parties) for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
- impose criminal, civil, or administrative liability on Parties for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; and/or
- identify Parties that have sought, obtained, provided, or facilitated reproductive health care.
These prohibitions apply when reproductive health care is lawful under the circumstances in which it is provided, meaning that either: (i) the provision of reproductive health care is lawful under the circumstances and in the state in which it is provided; or (ii) the reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.[3] Regulated Entities must presume reproductive health care is lawful unless: (i) the Regulated Entity has actual knowledge that the reproductive health care was unlawful under the circumstances in which it was provided; or (ii) the requestor demonstrates a substantial factual basis that the reproductive health care was unlawful under the circumstances in which it was provided.[4]
In jurisdictions where reproductive health care is lawful and when there are no facts indicating the health care was unlawful under the circumstances in which it was provided, Regulated Entities may still use or disclose PHI pertaining to reproductive health care for certain enumerated purposes, such as health oversight activities, if the Regulated Entity obtains a valid attestation from the requestor that, among other things, clearly states that the use or disclosure is not for a prohibited purpose (e.g., to initiate, or to assist with initiating, an investigation or legal proceeding against a Party for the mere act of seeking, obtaining, providing, or facilitating reproductive health care).[5]
Requestors who falsify an attestation (i.e., make material misrepresentations regarding the intended uses of the PHI requested) to obtain (or cause to be disclosed) PHI could be subject to criminal penalties under HIPAA.[6] Regulated Entities may be subject to civil penalties for violating the HIPAA Rules, including for failing to obtain a valid attestation, if required, before disclosing PHI.[7]
Next Steps
Regulated Entities must shore up their HIPAA compliance programs to comply with the amendments to the HIPAA Privacy Rule, including the following:
- Review and Update Data Inventory. Regulated Entities should assess where and how they collect and store reproductive health-related PHI. This ensures accurate data management and enables Regulated Entities to respond efficiently to PHI requests and mitigate their risk of non-compliance with the Final Rule. The definition of “reproductive health care”[8] is broad, encompassing services such as, without limitation, contraception, fertility treatments, and gender-affirming care.[9] Organizations must adopt a comprehensive view when updating data inventories. As such, Regulated Entities should adopt a broad definition of PHI pertaining to reproductive health care when reviewing their data and updating their data inventories.
- Develop Template Attestation Form and Processes Complying with Attestation Requirement. Entities should create template attestation forms and implement processes for workforce members to administer and track compliance with attestation requirements.
- Revise Business Associate Agreements (BAA). If a Regulated Entity’s existing BAAs are inconsistent with or do not directly address the amended HIPAA requirements for uses and disclosures of PHI pertaining (or potentially pertaining) to reproductive health care, Regulated Entities should update their BAAs to address the Final Rule’s requirements.
- Update HIPAA Policies and Procedures. Ensure policies reflect the Final Rule’s limitations on using or disclosing PHI for prohibited purposes and, as appropriate, develop protocols for handling these requirements.
- Refresh Workforce Member Training. Regulated Entities must train workforce members on the Final Rule’s limitations and requirements for using and disclosing PHI pertaining (or potentially pertaining) to reproductive health care.
- Update Notice of Privacy Practices (NPP). Covered entities (i.e., health care providers, health plans, and health care clearinghouses) must also modify their NPP by February 16, 2026 to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under the Final Rule.
__________________
For more information, please contact the authors or your Squire Patton Boggs relationship attorney.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.
[1] “The prohibition standard finalized in 45 CFR 164.502(a)(5)(iii)(A) applies directly to all regulated entities; meaning, all HIPAA covered entities and business associates. We also note that the finalized presumption of lawfulness for the underlying health care, when applicable, directly applies to business associates, as does the attestation requirement in 45 CFR 164.509.” 89 Fed. Reg. 33020 (April 26, 2024). “Both covered entities and business associates process requests for PHI. The Privacy Rule permits [R]egulated [E]ntities to determine whether a business associate can respond to such requests or whether they are required to defer to the covered entity . . . [t]hus, the Department has determined that it is appropriate to hold both covered entities and business associates directly liable for compliance with the attestation requirement.” 89 Fed. Reg. 33029.
[2] 45 C.F.R. § 164.502(a)(5)(iii)(A).
[3] 45 C.F.R. § 164.502(a)(5)(iii)(B).
[4] 45 C.F.R. § 164.502(a)(5)(iii)(C).
[5] 45 C.F.R. § 164.509; https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html.
[6] 42 U.S.C. 1320d-6(b).
[7] 42 U.S.C. 1320d-5.
[8] The Final Rule broadly defines “reproductive health care” to mean “health care . . . that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” 45 C.F.R. § 160.103.
[9] 89 Fed. Reg. 33006; 89 Fed. Reg. 32992.