The newly amended HIPAA Privacy Rule marks a significant step towards enhancing the privacy of reproductive health information. These amendments are set to reshape how covered entities handle protected health information in the context of reproductive health care.
In this Article …
- Definitions Related to HIPAA and Reproductive Health
- Final Rule’s Compliance Date
- Final Rule Summary Statement
- The Rule of Applicability
- The Rule of Presumption
- Attestations and Requests for Disclosure of Protected Health Information
- Requirements of an Attestation
- Attestations and Other HIPAA Privacy Rule Provisions
- Notice of Privacy Practices Updates
- What’s Next with the Changes to the Privacy Rule to Support Reproductive Health Care Privacy?
Understanding the Final Rule and Its Implications
Almost one year after issuing a Notice of Proposed Rulemaking related to the privacy of protected health information (PHI) potentially related to reproductive health care, the Office for Civil Rights (OCR) of the Health and Human Services Department (HHS) has issued a Final Rule updating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. This Final Rule amends HIPAA to support reproductive health care privacy.
These changes will affect the privacy practices of covered entities of all types, whether you are a health care provider, health plan, health care clearinghouse, or a business associate (collectively, regulated entities). The new provisions will also affect law enforcement purposes and judicial and administrative proceedings. The provisions of the new Final Rule are relatively straightforward to describe. But they contain certain qualifications and all sorts of implications for the regulated entities they affect.
Definitions Related to HIPAA and Reproductive Health
The Final Rule addresses a few important definitions.
- Reproductive Health Care means health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. OCR further clarifies this definition should not be construed to set forth a new standard of care. Nor does the definition regulate what constitutes clinically appropriate reproductive health care.
- Person means a natural person, meaning a human being who is born alive. It also includes entities such as trusts or estates, or other types of public or private entities. HHS is also specifying the definition of person does not include a fertilized egg, embryo, or fetus.
- Public Health means population-level activities to prevent disease in, and promote the health of, populations, such as identifying and mitigating threats to the health and safety of a population. The HIPAA Privacy Rule now excludes the following purposes from public health activities:
  - criminal, civil, or administrative investigations into, or proceedings against, any person in connection with seeking, obtaining, providing, or facilitating reproductive health care;
  - identifying any person for the purpose of initiating such investigations or proceedings.
Final Rule’s Compliance Date
There are several dates associated with the Final Rule to support reproductive health care privacy practices.
This Final Rule is effective on June 25, 2025. All covered entities and business associates have 180 days beyond this effective date to comply with the provisions of the Rule.
The portion of this Final Rule applicable to Notices of Privacy Practices (NPPs) is not effective until February 16, 2026. This portion of the Final Rule is delayed to coincide with the effective date of another rule change. The other rule is the 2024 Confidentiality of Substance Use Disorder (SUD) Patient Records Final Rule, aka the 2024 Part 2 Rule. Both of these rules require changes to notice of privacy practices for regulated entities, so regulated entities will only have to change their NPPs once.
Final Rule Summary Statement
The Final Rule is summarized very simply:
A regulated entity is prohibited from using or disclosing PHI for either of the following activities:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of conducting such investigation or to impose liability on a person.
To simplify this discussion, we will refer to all these circumstances as “RHC investigations”.
The Rule of Applicability
Naturally, there are additional considerations when a regulated entity decides not to release PHI under this Final Rule. Regulated entities must consider situations where:
- The reproductive health care is lawful under the law of the state in which such health care is provided and under the circumstances in which it is provided. For example, when a resident of one state travels to another state where the reproductive health care received is legal, the health care provider is prohibited from honoring a request for PHI for an RHC investigation purpose from the state of the resident.
- The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of where the health care is provided. The example here is contraception, which is reproductive health care protected by the Constitution.
- Requests for PHI regarding reproductive health care are made for reasons other than RHC investigations. Examples include:
  - investigations of professional misconduct,
  - defense of persons in any case where liability could be imposed on a person for providing reproductive health care, or
  - audits by the HHS Inspector General for health oversight activities.
The Rule of Presumption
In many cases of health care services delivery these days, there is reproductive health information that is obtained from a patient or from a health information exchange about reproductive health care received at other providers. This Final Rule allows regulated entities, who have no first-hand knowledge about the RHC, to presume that the RHC a patient received from other health care providers was lawful reproductive health care. If this presumption is validated, regulated entities are prohibited from releasing RHC PHI.
Validation of the lawfulness of the RHC received at another health care provider can be accomplished in two ways.
- The regulated entity has actual knowledge that the RHC was not lawful under the circumstances in which it was provided.
- The person or entity supplies factual information that demonstrates a substantial factual basis that the RHC in question was unlawful when it was received elsewhere. For instance, a court order includes a witness statement from someone who witnessed the patient receiving unlawful RHC in a state where it is unlawful.
Note that this Rule of Presumption only applies when the reproductive health care was provided by another party, but information about the RHC is in the records of the covered health care provider receiving the request for information. A regulated entity is responsible for determining whether the RHC received in its own facilities was lawful under the circumstances in which it was received.
Attestations and Requests for Disclosure of Protected Health Information
Another new aspect of this amendment of the Privacy Rule to bolster patient-provider confidentiality is the requirement for an attestation in certain circumstances. An attestation is required when a disclosure of PHI potentially related to reproductive health care information is requested. And there are specific purposes that trigger the requirement for an attestation, including:
- Uses and disclosures for health oversight activities;
- Disclosures for judicial and administrative proceedings;
- Disclosures for law enforcement purposes; or
- Uses and disclosures about decedents (coroners and medical examiners).
Requirements of an Attestation
There are several elements that an attestation must contain to be considered valid. The attestation must also be a stand-alone document; its terms cannot be combined onto any other forms that may represent requests for disclosure of PHI. Attestations may come in a packet of forms, however.
- A description of the PHI requested, including:
  - The type of PHI being requested;
  - The name of any individual(s) whose PHI is being requested, if practicable, or if not practicable, the class of individuals whose PHI is being requested;
- The name of the person making the request;
- A clear statement that the use or disclosure of PHI is not for a purpose prohibited under the provisions of this new rule;
- A statement that the attestation is signed with the understanding that a person who knowingly and in violation of HIPAA obtains or discloses individually identifiable health information relating to another individual, or discloses PHI to another person, may be subject to criminal liability.
Attestations and Other HIPAA Privacy Rule Provisions
Other portions of the HIPAA Privacy Rule still apply.
- For instance, the Minimum Necessary Standard applies to disclosure of PHI when an attestation is deemed valid, and regulated entities decide to release the information requested.
- The identity and legal authority of persons requesting disclosure of PHI must be verified prior to the disclosure.
- Attestations do not replace the conditions of the Privacy Rule’s permissions to disclose PHI in response to a subpoena, court order, or other similar process authorized under law. They apply only to disclosures of PHI potentially related to reproductive health care.
- Disclosures made pursuant to a request supported by a valid attestation must be included in an accounting of disclosures when or if one is requested by the patient or representative.
- Finally, a disclosure made after an attestation later found to contain material misrepresentations must be reported as a breach to the individual and to the Secretary of HHS.
Notice of Privacy Practices Updates
This rule amendment covers instructions to update the Notice of Privacy Practices (NPP) requirements for disclosures related to Part 2. It also requires changes to advise patients of the prohibition on disclosures related to reproductive health care. NPPs will have to contain at least one example of the types of uses and disclosures of PHI that are prohibited under the new regulations. And NPPs will have to describe at least one example of when an attestation by a requester is required.
What’s Next with the Changes to the Privacy Rule to Support Reproductive Health Care Privacy?
Will this amendment to the Privacy Rule become a new “Lawyers and Consultants” retirement act? The OCR takes pains to emphasize in several places that the amendments are not supposed to place an undue burden on regulated entities to decide when to withhold PHI under the provisions of the amendment. Nor are they supposed to interfere with proper law enforcement investigations. For instance, a regulated entity does not need to research whether a particular type of RHC is lawful in another state when receiving a request for disclosure for law enforcement purposes in that other state. The prohibition is in effect as long as the reproductive health care was lawful in the state where the regulated entity is located.
That said, many issues will probably require more guidance or even be the subject of lawsuits to clarify various provisions. What may seem like a factual basis to one institution may seem to another health care provider like the thinnest of reeds on which to make a decision about honoring an attestation. So while a covered entity or business associate will make changes to its HIPAA privacy policies and NPP, it will still face close decisions on when to release PHI potentially related to reproductive health care when considering requests from law enforcement.
Stay tuned; we are only getting started down this particular rabbit hole!