New HIPAA privacy protections for reproductive healthcare 

July 30, 2024

A new rule from the Department of Health and Human Services (HHS) — the HIPAA Privacy Rule to Support Reproductive Health Care Privacy — requires heightened privacy protections for protected health information involving reproductive healthcare. The Final Rule is the agency’s response to President Biden’s Executive Order 14076 directing the agency to strengthen the protection of sensitive information related to reproductive healthcare services and to bolster patient-provider confidentiality. It modifies existing regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), known as the privacy rule. The Final Rule was effective June 25, 2024, with the bulk of new compliance obligations required of covered entities and business associates by Dec. 23, 2024. 

Background

The HIPAA privacy rule establishes federal privacy protections for protected health information (PHI). It preempts contrary state laws, but not state laws that provide greater privacy protections. The privacy rule generally prohibits using or disclosing an individual’s PHI except as the rule specifically permits or requires. Permitted uses and disclosures include:

  • To the individual
  • For treatment, payment, or healthcare operations
  • Pursuant to and in compliance with a valid authorization from the individual to whom the PHI pertains
  • For certain public health and research purposes
  • For health plan underwriting and related purposes
  • When required by law
  • For health oversight activities
  • For judicial and administrative procedures
  • For law enforcement purposes

HHS’s Office for Civil Rights (OCR) administers and enforces the HIPAA privacy rule; there is no private right of action for patients or plan members. Civil monetary penalties, as currently adjusted for inflation, range from $137 to $68,928 per violation of a particular HIPAA requirement or prohibition, depending on the culpability of the violator and how quickly the violation is corrected.

With the increase in state laws criminalizing reproductive healthcare following the Dobbs decision, HHS expressed concern that the permissible use or disclosure of PHI for law enforcement purposes or when required by another law could “cause harm to the interests that HIPAA seeks to protect, including the trust of individuals in healthcare providers and the healthcare system.” To address these concerns, the Final Rule modifies the HIPAA privacy rule to limit the circumstances in which an individual’s reproductive PHI can be used or disclosed for certain non-healthcare purposes.

Prohibition

The Final Rule establishes a ban on the use or disclosure of PHI by a HIPAA covered entity (i.e., healthcare provider, health plan, healthcare clearinghouse) or their business associates (BAs) for any of the following:

  • Investigations. Criminal, civil, or administrative investigations into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare.
  • Imposing liability. Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare.
  • Identification. Identifying any person for any purpose described above.

HHS expands upon the following two key terms:

  • Any person. The preamble explains that the prohibition is not limited to use or disclosure of PHI for use against the individual; rather, the prohibition applies to the use or disclosure of PHI against “any person,” which encompasses a covered entity, or any other person, including an individual or entity, who may have obtained, provided, or facilitated lawful reproductive healthcare.
  • Seeking, obtaining, providing or facilitating reproductive healthcare. The Final Rule clarifies that this term includes, but is not limited to: expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action (or attempting to take action) to engage in reproductive healthcare.

When the prohibition applies

The prohibition applies only when a covered entity or BA has reasonably determined that one or more of the following conditions exist:

  • The reproductive healthcare is lawful in the state in which it is provided. For example, the prohibition will apply if a resident of one state traveled to another state for an abortion that is lawful in the state where the healthcare was provided.
  • The reproductive healthcare is protected, required, or authorized by federal law, including the US Constitution, regardless of the state in which it is provided. For example, the prohibition applies to PHI that relates to contraception, which is protected by the Constitution.
  • The presumption described below applies.

The preamble to the Final Rule says that the prohibition preempts state or other laws requiring a covered entity or BA to use or disclose PHI in response to a court order or other legal process for a purpose prohibited by the rule.

Reasonable determination. In the preamble, HHS explains that a covered entity (or BA) makes a reasonable determination by evaluating the facts and circumstances, including the individual’s diagnosis and prognosis, when or where the care was provided, and who provided it. Assertions by the requestor of the PHI shouldn’t be taken at face value.

When the prohibition doesn’t apply 

The prohibition doesn’t apply to the use or disclosure of PHI for purposes otherwise permitted under the HIPAA privacy rule, although an attestation may be required. In the preamble, HHS provides examples of other purposes to which the prohibition doesn’t apply, such as for:

  • Public health activities, investigations into sexual assault, human and sex trafficking, or child abuse, or professional misconduct or licensing inquiries when required by law
  • Investigations of alleged violations of federal nondiscrimination laws or abusive conduct in connection with reproductive healthcare (for example, sexual assault allegations against a provider)

Presumption

In cases in which the reproductive healthcare is provided by someone other than the covered entity receiving the PHI request — as is always the case for a group health plan — it is presumed to be lawful. HHS recognizes that in these circumstances, the covered entity doesn’t have enough information to make a reasonable determination about the lawfulness of the reproductive healthcare provided. HHS doesn’t expect covered entities to do research, perform an analysis, or consult with legal experts; review is limited to information supplied by the person making the request for PHI. The presumption is overcome only if the covered entity or BA has actual knowledge or factual information from the requestor that demonstrates that the reproductive healthcare wasn’t lawful.

For example, if an investigator requests from a health plan claim information related to reproductive healthcare provided by a particular provider, the plan must presume that the reproductive healthcare was lawful. The presumption is overcome if the plan has actual knowledge that it wasn’t lawful, or the investigator supplies information demonstrating a substantial factual basis to believe that the reproductive healthcare wasn’t lawful under the circumstances. Affidavits describing the circumstances under which the reproductive healthcare was provided might overcome the presumption, but an anonymous report that the provider was providing unlawful reproductive healthcare would not constitute a substantial factual basis to believe that the reproductive healthcare was unlawful.

Reproductive healthcare defined

The Final Rule defines reproductive healthcare for purposes of the HIPAA privacy rule as healthcare that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. The preamble to the rule provides a nonexhaustive list of examples of reproductive healthcare, including:

  • Contraception, including emergency contraception
  • Preconception screening and counseling
  • Management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination
  • Fertility and infertility diagnosis and treatment, including assisted reproductive technology (ART) such as in vitro fertilization (IVF)
  • Diagnosis and treatment of conditions that affect the reproductive system (for example, perimenopause, menopause, endometriosis, adenomyosis)
  • Other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (for example, mammography, pregnancy-related nutrition services, postpartum care products).

The definition is intentionally broad, but keep in mind that reproductive healthcare information must also meet the definition of PHI to be protected by HIPAA.

Attestation

A covered entity or BA must obtain a written attestation that the information is not for a prohibited purpose before PHI potentially related to reproductive healthcare can be used or disclosed in the following circumstances:

  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Disclosures to coroners and medical examiners to identify a deceased person, determine cause of death, or other duties as authorized by law

Disclosure for these purposes is permissive, not mandatory under HIPAA, except in instances where HHS requests information as part of a compliance investigation. A new attestation is required for each specific use or disclosure request and covered entities (and BAs if they have access to or hold PHI) must maintain a copy and any relevant supporting documents. A valid attestation must contain the following:

  • A description of the information requested, including the name of any individual(s) whose PHI is sought, or, if that’s not practicable, a description of the class of individuals whose PHI is sought.
  • The name of the person who has been asked to make the PHI use or disclosure and the name of the person to whom it should be made.
  • A statement that obtaining, using or disclosing individually identifiable health information in violation of HIPAA may be subject to criminal penalties.

In addition, the attestation must be in plain language, signed by the requester, and must clearly state that the PHI is not for “criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive healthcare.” It may be completed electronically. An attestation lacking any of the required content, containing extraneous elements or statements, or combined with any other document is considered defective.

HHS warns covered entities that an attestation itself is not determinative of whether the use or disclosure is for a prohibited purpose. Instead, a covered entity (or BA) must consider the totality of the circumstances surrounding the attestation and whether it is reasonable to rely on it. For example, it may not be reasonable to rely on an attestation filed by a public official who has publicly stated their interest in investigating or imposing liability on those who seek, obtain, provide or facilitate certain types of lawful reproductive healthcare.  

Instructions and a model attestation are available from HHS.

Notice of privacy practices

The Final Rule requires changes to the HIPAA notice of privacy practices (NPP) to reflect the heightened protections for reproductive health information. In addition, HHS is requiring that the NPP be amended to warn individuals about PHI redisclosure and provide information specific to certain substance use disorder (SUD) records. Group health plans must modify the NPP by Feb. 16, 2026.

Changes related to reproductive healthcare privacy. The NPP must include a description and at least one example of:

  • The type of use and disclosure of PHI that is newly prohibited, and
  • The type of use and disclosure of PHI for which an attestation is required.

Other changes. The NPP must also include:

  • A statement about the potential for information permissibly disclosed to be redisclosed and no longer protected by HIPAA.
  • An explanation that Part 2 SUD treatment records, or testimony relaying the content of such records, will not be used or disclosed in civil, criminal, administrative or legislative proceedings against the individual — absent patient consent or a court order.
  • Notice of intention to send fundraising communications and an opportunity to elect not to receive them (only applicable to covered entities that create or maintain Part 2 SUD records).

These additional changes unrelated to reproductive healthcare were folded into the Final Rule because HHS may modify a HIPAA standard, including the NPP requirements, only once every 12 months. The heightened confidentiality protections for SUD records created by federally assisted SUD treatment providers and programs were previewed in a final rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations (the “Part 2 rules”) published earlier in 2024. A fact sheet about the Part 2 rules provides more information.

Employer sponsor responsibility for NPPs. Employer plan sponsor compliance obligations vary depending on the group health plan’s funding and employer access to PHI:

  • Employers sponsoring self-funded group health plans must provide the NPP to each new member at enrollment, upon request by a plan member, and to plan members within 60 days of a material change. In addition, once every three years plan members must be notified that the NPP is available and how to obtain it.
  • Employer sponsors of fully insured group health plans that create and/or receive PHI must maintain an NPP and provide it to plan members upon request (no other distribution obligations).
  • Employer sponsors of fully insured group health plans that don’t have access to PHI (except for summary health information and enrollment/disenrollment information) have no NPP compliance obligation (the carrier must comply).

Distribution requirements. The newly required content is considered a material change requiring the distribution of a new NPP. Plans that post the NPPs on their websites according to the HIPAA privacy rule can comply by posting the material change or the revised notice on their websites by Feb. 16, 2026. The same information also must be provided in the next annual mailing to individuals covered by the plan, such as at open enrollment or the beginning of the plan year. Plans that don’t post information on their websites must distribute the information within 60 days of the revision. Given the Feb. 16 compliance date, this presumably means by April 17, 2026.

HHS last issued a model NPP in 2013. Commenters requested a revised model NPP, but HHS has not indicated whether it is considering an update.

Disclosures to law enforcement

With heightened protections for reproductive PHI provided by the Final Rule, disclosure to law enforcement is only permitted when all three of the following criteria are met:

  • The disclosure is not subject to the prohibition;
  • The disclosure is required by law (meaning that applicable law requires a response to the request for PHI); and
  • The disclosure is in compliance with and is limited by:
    • A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer,
    • A grand jury subpoena, or
    • An administrative request, provided that the information sought is relevant and material to a legitimate law enforcement inquiry, the request is specific and limited in scope, and de-identified information could not reasonably be used.

In June 2022, just after the Supreme Court’s Dobbs decision eliminated the federal constitutional right to abortion, HHS issued guidance, HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care, with examples specifically related to reproductive healthcare of when disclosure of PHI to law enforcement is not permitted. As of Dec. 23, 2024, the covered entities in those examples must additionally determine that the disclosure is not for a prohibited purpose and obtain a valid written attestation before making the disclosure.

In sum, the HIPAA privacy rule, as amended by the Final Rule, permits the use or disclosure of PHI without individual notice or an opportunity to object for law enforcement purposes (and for judicial and administrative proceedings) only after it’s determined that the disclosure is not for a prohibited purpose. The disclosure of PHI in these circumstances is permissive — not required — and only allowed if all conditions of the HIPAA privacy rule are met.

State law restricting reproductive healthcare. The privacy rule doesn’t supersede applicable state law regarding the lawfulness of reproductive healthcare unless that state law conflicts with federal law. For example, the rule doesn’t prevent disclosure of PHI related to abortion services obtained in a state that bans abortion. On the other hand, if a state were to ban contraception, PHI related to contraception within that state would still be protected from disclosure, because contraception is currently constitutionally protected. In either case, this is unlikely to affect group health plans, which typically cover only healthcare items and services that are lawful where provided.

Employer next steps

Both self-funded group health plans and fully insured group health plans that have access to PHI must comply with the Final Rule. A self-insured health plan sponsor is responsible for HIPAA compliance even where most of the plan administration is delegated to BAs. Compliance is required by Dec. 23, 2024, except with respect to the revised NPP, which is required by Feb. 16, 2026. Action items include:

  • Revise HIPAA policies and procedures manual.
  • Revise operational workflow to respond to requests for PHI potentially related to reproductive healthcare, including who will determine whether the request is for a prohibited purpose.
    • Develop a process for obtaining (and retaining) a written attestation when a request for PHI potentially related to reproductive healthcare is received, including what vendor will handle and when legal counsel should be involved.
  • Provide updated HIPAA training to relevant workforce members.
  • Review health plan documents for changes to the HIPAA privacy rule and the Part 2 rules and determine whether a plan amendment is required.
  • Review plan member communications to ensure HIPAA references are accurate and up to date.
  • Review and revise business associate agreements (BAA) as needed.
    • Consider clarifying each party’s responsibilities when a request for reproductive PHI is received and/or requiring notice to the parties to the BAA if one party receives a request for a prohibited purpose. HHS suggests “a certain percentage” of BAAs will need updates.
    • Changes may be required by the revised Part 2 rules, if applicable.
  • Consider developing (or discuss with plan administrators about developing) a procedure for identifying and tracking PHI potentially related to reproductive healthcare, which could be instrumental in responding to requests for PHI.
  • Prepare to update and distribute the NPP, as required.

Watch for any litigation challenging the Final Rule (none had been filed as of this writing).
