HHS Finalizes Amendments to HIPAA Strengthening Privacy of Reproductive Health Information Post-Dobbs

Last week, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) issued a final rule amending the HIPAA Privacy Rule to enhance privacy safeguards for reproductive health care information. The rule comes in response to concerns that patient medical records may be used to penalize both patients and providers for seeking, obtaining, providing, or facilitating lawful reproductive health care. Such concerns were amplified in the aftermath of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and the passage of restrictive abortion laws nationwide, violations of which often entail civil and criminal repercussions. While the new rule provides some protection for women who travel out of state for reproductive health care that is lawful in the destination state, it provides little protection in states where the health care is now unlawful.

Slated to take effect early 2026, the final rule will prohibit covered entities and their business associates from disclosing PHI for the purpose of investigating or imposing liability on individuals “for the mere act of seeking, obtaining, providing, or facilitating” reproductive health care that is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided. In such instances, the regulated entity must refuse the request, potentially placing entities doing business in multiple states in the difficult position of complying with HIPAA, on the one hand, and facing contempt of court charges or adverse health oversight determinations on the other. PHI regarding reproductive health care is not protected under the new rule if the provider knows the care was not lawful under the specific circumstances in which it was provided, or the authority requesting it demonstrates a substantial factual basis that it was not lawful under those circumstances. The final rule also mandates regulated entities secure attestations for these types of requests confirming that the requestor does not seek PHI for a prohibited purpose. Covered health care providers will additionally need to update their Notices of Privacy Practices, as well as internal privacy policies and procedures, to implement the new prohibition and attestation requirements.

Ultimately, OCR’s amendments appear to strike a middle-of-the-road approach in an effort to bolster reproductive health care privacy. For example, as detailed in the commentary, OCR chose not to create a new category of specially protected PHI (such as with psychotherapy notes) to avoid compelling the segregation of reproductive health records and possibly creating difficulties with care coordination.[i] Nevertheless, many states are already headed in the direction of requiring segregation of reproductive health records, with California and Maryland leading the way by prohibiting the sharing of such records over health information exchanges without authorization from the patient.

This update builds upon our previous discussion of HHS’s proposed changes outlined in the April 2023 Notice of Proposed Rulemaking (NPRM), available here. Key provisions of the finalized HIPAA Privacy Rule are summarized below:

Clarification of Terms and Definitions

To facilitate the implementation of the updated Privacy Rule, HHS both added and clarified certain terms and definitions, such as:

  • Person: The final rule clarifies that the term “person” refers to a “natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private”; in other words, a “person” does not include a fertilized egg, embryo, or fetus.
  • Public health: As used in the terms “public health surveillance”, “public health investigation”, and “public health intervention”, the final rule refines the term to mean “population-level activities to prevent disease in and promote the health of populations” and to expressly carve out the collection of PHI for the purpose of investigating or prosecuting individuals involved in reproductive health care.
  • Reproductive health care: Finally, HHS adds the term “reproductive health care” to the regulations as a subcategory of the existing term “health care” under HIPAA, defined as health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes”. In commentary, OCR provides a “non-exclusive list of examples” of reproductive health care to help guide regulated entities in evaluating what information they collect and maintain that would fall within the rule’s scope.[ii] OCR also added a statement in the final rule’s definition reaffirming that the term should not be construed to establish a standard of care for or regulate what constitutes clinically appropriate reproductive health care.

Creating a Purpose-Based Prohibition Against Certain Disclosures of Reproductive Health Care Information and Presumption of Lawful Care

Codified at 45 C.F.R. § 164.502(a)(5)(iii), the regulation prohibits the disclosure of PHI by a regulated entity when the purpose of the requested disclosure is to investigate or impose liability[iii] on individuals merely because they sought, obtained, provided, or facilitated reproductive health care that was lawful under the circumstances in which it was provided.

For example, an investigation into whether a particular abortion was necessary to save a pregnant person’s life would constitute an investigation into the “mere act” of “seeking, obtaining, providing, or facilitating” reproductive health care, such that disclosure would be prohibited if the care was lawfully provided. OCR reiterated that not all methods to investigate the lawfulness of reproductive health care are foreclosed by this rule, however; for instance, the prohibition would not foreclose a regulated entity from disclosing reproductive health information when it is sought to investigate or impose liability on a person for submitting a false claim for reproductive health care for payment to the government, when PHI is sought by a health oversight agency.

The final rule clarifies that, in receiving requests from law enforcement involving the provision of reproductive health care, a regulated entity must presume that the care provided was lawful under the circumstances. However, the presumption can be overcome where: (1) the regulated entity has actual knowledge the care was unlawful, or (2) the requestor supplies factual information that demonstrates a “substantial factual basis” that the care was unlawful under the specific circumstances in which it was provided.

Requirement for Signed Attestation

The final rule also creates 45 C.F.R. § 164.509, adding a new attestation requirement for requests for reproductive health information subject to an exception to the purpose-based prohibition detailed above. Specifically, regulated entities must obtain a valid attestation from a person requesting reproductive health care information before disclosing it for certain purposes of law enforcement and health oversight activities.

To be valid, the attestation must be a stand-alone document, written in plain language, and contain only the specific elements enumerated in Section 164.509, including a clear statement that the use or disclosure of PHI related to reproductive health care is not for a prohibited purpose. The final rule makes clear that a regulated entity can reasonably rely on the representations in the attestation if, under the circumstances, it determines that the request is not for investigating or imposing liability for the mere act of seeking, obtaining, providing, or facilitating allegedly unlawful reproductive health care. However, a regulated entity cannot rely on an attestation if it is facially invalid (e.g., where not all required elements are included), or if the covered entity or business associate reasonably would not believe that the attestation is true or has actual knowledge that material information in the attestation is false.

HHS intends to publish model attestation language before the compliance date of the final rule.

Mandatory Updates to Notice of Privacy Practices

The CARES Act (Section 3221(i)) required modifications of the current NPP regulations to include new requirements for Part 2 Programs that are also covered entities. Earlier this year, HHS published the 2024 Part 2 Final Rule, which included modifications to the Part 2 required Patient Notice and reserved modifications to the HIPAA NPP for a forthcoming HIPAA rule. (You can find our prior discussion of the Part 2 Final Rule here.)

In the final rule, HHS finalized a number of proposals related to the notice requirements, including:

  • Requiring covered entities that create or maintain Part 2 records to provide notice of the ways in which those covered entities may use and disclose such records, and of individuals’ rights and the covered entities’ responsibilities with respect to such records.
  • Clarifying that covered entities that receive or maintain Part 2 records must provide an NPP that is written in plain language and contains required elements.
  • Making it clear that Part 2 is specifically included in certain references to “other applicable law” referenced in the NPP requirements.
  • Requiring additional information to be included about how PHI may or may not be disclosed under the final rule: among other requirements, the NPP must include descriptions and at least one example of the types of uses and disclosures prohibited under the new reproductive health care final rule, as well as a description, also including at least one example, of the types of uses and disclosures for which an attestation is required for disclosure of reproductive health care.
  • Requiring a statement that PHI disclosed pursuant to HIPAA may be subject to redisclosure and no longer protected by HIPAA.
  • Requiring notice that a Part 2 record, or testimony relaying the content of such record, may not be used or disclosed in a civil, criminal, administrative, or legislative proceeding against the individual absent written consent from the individual or a court order.
  • Requiring that individuals be provided with an opportunity to elect not to receive any fundraising communications before a covered entity uses Part 2 records for fundraising purposes.

While many of the requirements relate specifically to Part 2 Programs, there are new NPP requirements that will apply broadly to all covered entities, so health care providers should closely review and revise existing NPPs.

. . .

The effective date of the final rule is June 25, 2024, though regulated entities have until December 23, 2024, to comply with the applicable requirements of this final rule, except that health care providers have until February 16, 2026, to implement updated NPPs. Covered entities are encouraged to familiarize themselves with the updated regulations and evaluate what information they maintain would be subject to the new requirements; identify and develop operational processes and procedures to appropriately safeguard such data in compliance with the new requirements; and update or create internal and public-facing materials, such as revising their policies and procedures and NPPs, drafting an attestation template, and providing workforce training on the new requirements.

[i] In rationalizing its approach, OCR also notes in commentary to the final rule that it sought to carefully strike a “balance between individual and societal interests” and accommodate “state autonomy to the extent consistent with the need to maintain rules for health information privacy that serve HIPAA’s objectives.”

[ii] This list includes: contraception, including emergency contraception; preconception screening and counseling; management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination; fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., IVF); diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products).

[iii] The prohibition applies to information sought for the purpose of investigations including, but not limited to, law enforcement investigations, third party investigations in furtherance of civil proceedings, state licensure proceedings, criminal prosecutions, and family law proceedings.

Professional

Andrea Frey
Partner
San Francisco
Alicia Macklin
Partner
Los Angeles
Kerry K. Sakimoto
Associate
Los Angeles
Rachel Zacharias
Associate
Washington, D.C.

HLB’s Reproductive Health and Digital Health Practices are closely tracking regulatory developments concerning the privacy of reproductive health information. Please reach out to Andrea Frey or Paul Smith in San Francisco, Stephanie Gross, Alicia Macklin, or Kerry Sakimoto in Los Angeles, Amy Joseph in Boston, Rachel Zacharias in Washington, D.C., or your regular HLB contact with any questions.