In light of the evolving legal landscape surrounding reproductive health care, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has finalized amendments to the HIPAA Privacy Rule aimed at enhancing privacy protections for sensitive protected health information (PHI) associated with reproductive health care. The OCR announced the final rule, known as the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule), on April 22, 2024, with an effective date of June 25, 2024. The privacy provisions discussed here apply to all “Regulated Entities,” meaning both covered entities and business associates must adhere to the HIPAA requirements for PHI related to reproductive health care outlined in the Final Rule. Most of the Final Rule’s requirements must be implemented by Regulated Entities by December 23, 2024. Additionally, updates to the Notice of Privacy Practices for Regulated Entities must be completed by February 16, 2026.
The Final Rule seeks to:
– Address concerns about the confidentiality and security of reproductive health-related PHI in the possession of healthcare providers.
– Enhance healthcare quality by encouraging individuals to share comprehensive and accurate medical histories without fear, thus improving diagnosis and treatment.
– Support healthcare providers in delivering and facilitating reproductive health care.
– Protect vulnerable populations, including racial minorities and LGBTQ+ individuals, who may experience increased risks of health data privacy violations or mistrust in healthcare providers due to historical discrimination.
The Final Rule amends HIPAA to prohibit Regulated Entities from using or disclosing PHI to:
1. Investigate an individual, healthcare provider, or other parties solely for seeking, obtaining, providing, or facilitating reproductive health care;
2. Impose criminal, civil, or administrative liability on parties for these actions; and/or
3. Identify parties that have sought, obtained, provided, or facilitated reproductive health care.
These prohibitions are applicable when reproductive health care is lawful under the circumstances in which it is provided. This means that either: (i) the provision of reproductive health care is lawful based on the relevant state laws; or (ii) it is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of state law. Regulated Entities must assume that reproductive health care is lawful unless they have actual knowledge that it is not or unless there is substantial evidence to suggest otherwise.
In jurisdictions where reproductive health care is lawful, and where no facts indicate that it was unlawful, Regulated Entities may still use or disclose PHI related to reproductive health care for certain specified purposes, such as health oversight activities, provided they obtain a valid attestation from the requestor. This attestation must clearly state that the use or disclosure is not for any prohibited purpose (e.g., to assist in initiating an investigation against a party merely for seeking, obtaining, providing, or facilitating reproductive health care).
Requestors who falsify an attestation—making false representations regarding the intended uses of the PHI—could face criminal penalties under HIPAA. Regulated Entities may also face potential civil penalties for HIPAA violations, including failing to secure a valid attestation when required before disclosing PHI.
Our DC Employment Lawyers recommend that Regulated Entities enhance their HIPAA compliance programs in response to the amendments to the HIPAA Privacy Rule by taking the following steps:
1. Review and Update Data Inventory: Assess how reproductive health-related PHI is collected and stored to ensure accurate data management and compliance with the Final Rule. The term “reproductive health care” encompasses a wide range of services, including contraception, fertility treatments, and gender-affirming care. A comprehensive approach to updating data inventories is essential.
2. Develop Template Attestation Forms and Processes: Create template attestation forms and implement procedures for workforce members to manage compliance with attestation requirements.
3. Revise Business Associate Agreements (BAAs): Update existing BAAs to ensure they align with the amended HIPAA requirements for using and disclosing PHI related to reproductive health care.
4. Update HIPAA Policies and Procedures: Ensure that policies reflect the Final Rule’s restrictions on PHI use and disclosure for prohibited purposes, and establish protocols for compliance.
5. Refresh Workforce Member Training: Train workforce members on the limitations and requirements of the Final Rule concerning the use and disclosure of reproductive health care PHI.
6. Update Notice of Privacy Practices (NPP): Covered entities (i.e., healthcare providers, health plans, and health care clearinghouses) must modify their NPP by February 16, 2026, to inform individuals that their PHI cannot be used or disclosed for purposes prohibited under the Final Rule.