Client alert

Action Required for HIPAA Covered Entities Regarding Reproductive Health Care Compliance

On April 22, 2024, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) issued a Final Rule titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule).[i]  The 2024 Final Rule narrows the general HIPAA disclosure rule that allows covered entities (providers, health plans, or health care clearinghouses) to disclose protected health information (PHI) in specified instances.  This Final Rule was enacted by HHS to protect access to and privacy of reproductive health care after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization that has led to some state abortion bans and other restrictions.

Limitations on Disclosure

The Final Rule requires covered entities to comply with the disclosure limitations by December 23, 2024.  Prior to providing information to an individual’s personal representative or under any of the permissive provisions of the HIPAA privacy rule, the covered entity must first obtain an attestation that the PHI that is sought is not for the purposes of investigating or imposing liability on individuals merely for seeking, obtaining, providing, or facilitating lawful reproductive health care.

A covered entity will be required to have the attestation when PHI is disclosed without the individual’s written authorization, under the following specific circumstances:

  • When requested by a personal representative of the individual.
  • To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena.
  • To respond to an administrative request.
  • To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person.
  • To respond to a request for PHI about a victim of a crime, and the victim agrees.
  • To report PHI to law enforcement when required by law.
  • To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises.

At the end of July, OCR provided a Model Attestation Form for the Requested Use of Protected Health Information Potentially Related to Reproductive Health Care.  The attestation states that federal law prohibits any individual from improperly obtaining PHI and that knowingly obtaining PHI under false pretenses could result in a penalty of up to $100,000 and five years in prison.

Updates to Notice of Privacy Practices

In addition, covered entities must update their Notice of Privacy Practices by February 16, 2026.  We are still waiting for HHS to publish a new model of Notice of Privacy Practices.

Next Steps

To ensure compliance with the Final Rule’s heightened privacy protections regarding reproductive health care information, covered entities will need to review and amend their internal HIPAA policies and procedures related to providing reproductive health care information with and without authorizations.  Covered entities and their business associates should review the Final Rule and create a compliance plan with respect to updating policies and procedures, health plan documents, business associate agreements and privacy notices.  Staff must receive training on the new requirements.

Employers and providers may want to take this opportunity to revisit their covered entity’s policies and procedures as a whole to confirm that they are up to date and legally compliant and that they accurately reflect the company’s current operations.  If differences are identified, the covered entity employer should either change the HIPAA policies and procedures to reflect current operation (if that is legally permissible) or change the operations to align.

As always, your Vorys attorney is ready to assist you with updated forms, policies and procedures.

[i] The 2024 Final Privacy Rule became effective June 25, 2024.  The compliance date, the date persons subject to this regulation must comply with the applicable requirements of this Final Rule, is December 23, 2024, except for the Notice of Privacy Practices.  The compliance date for amending the Notice of Privacy Practices is February 16, 2026. https://www.federalregister.gov/d/2024-08503.
