Enhanced HIPAA privacy protections are scheduled to take effect for protected health information (PHI) relating to individuals’ reproductive health care on June 25, 2024.
The new rule issued by the Department of Health and Human Services Office of Civil Rights (HHS) modifies certain privacy and security protections provided by the Health Insurance Portability and Accountability Act of 1996 and its related regulations as they apply to the use and disclosure of PHI that relates to “reproductive health care” (the “HIPAA RHC Rule”). While the HIPAA RHC Rule is effective June 25, employer-sponsored group health plans, health care providers, health care clearinghouses, and other covered entities, as well as their business associates (collectively, “Regulated Entities”), have until December 22, 2024, to comply with the HIPAA RHC Rule, with the exception that they have until February 16, 2026, to make required updates to their HIPAA Notice of Privacy Practices.
This client alert addresses the impact of the HIPAA RHC Rule on employer-sponsored group health plans (and their business associates).
What Does Reproductive Health Care Encompass?
Although the HIPAA RHC Rule was initially intended as a means of responding to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and the state abortion bans that followed, the HIPAA protections go far beyond abortion rights. HHS recognized that Dobbs would have far-reaching implications for reproductive health care beyond access to abortion, and it has stated that it wanted to ensure that individuals would not forgo necessary reproductive health care out of fear that information regarding that health care would be disclosed or used in any investigations or legal proceedings against the individual. HHS has also indicated that it further recognized that information about reproductive health care is particularly sensitive, requiring heightened privacy protection to encourage the sharing of such sensitive information so medical records can be complete and proper health care can be received.
As a result, “reproductive health care” is broadly defined in the HIPAA RHC Rule as health care that “affects the health of an individual in all matters relating to the reproductive system and its functions and processes.” The rule provides a non-exclusive list of examples that fit within the definition of “reproductive health care” including:
- contraception (including emergency contraception)
- preconception screening and counseling
- management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy and pregnancy termination
- fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization (IVF))
- diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis)
- other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products)
Based on the examples and comments provided by HHS when it published the HIPAA RHC Rule, it is clear that the definition was intended to be broad.
What Protections are Provided?
Rather than create a whole new subset of PHI that cannot be easily segregated, like psychotherapy notes, HHS decided instead to implement a purpose-based prohibition against uses and disclosures of PHI that relates to reproductive health care. Thus, uses and disclosures of an individual’s PHI relating to reproductive health care are limited in certain non-health care settings.
Specifically, the HIPAA RHC Rule prohibits a group health plan from using or disclosing PHI relating to an individual’s reproductive health care where such use or disclosure is being sought for any of the following purposes:
- to conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;
- to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or
- to identify any person for the purpose of conducting such investigation or imposing such liability.
The HIPAA RHC Rule includes a non-exclusive list of what “seeking, obtaining, providing, or facilitating” reproductive health care includes, such as expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care; or attempting to do any of these things.
Unlawful Reproductive Health Care is Not Protected
It is important to understand that the HIPAA RHC Rule’s protections do not apply if the HIPAA Privacy Officer for the group health plan reasonably determines that the reproductive health care was not lawful under the circumstances (based on the law of the state in which the health care is provided). If the HIPAA Privacy Officer determines that the reproductive health care was unlawful under the circumstances, the group health plan is permitted to disclose the health care information in these non-health care settings in accordance with HIPAA’s normal privacy and security requirements.
Presumptions Available to Group Health Plans
Group health plans may presume that the health care provided was lawful, unless the group health plan has actual knowledge to the contrary or the person making the request provides factual information demonstrating a substantial factual basis that the health care was not lawful. In addition, regardless of the applicable state law, the group health plan may refuse to disclose the PHI relating to reproductive health care in any situation where the reproductive health care would be protected, required, or authorized by federal law.
Additional Attestation Requirements for Certain Requests
In the event a group health plan receives a request for PHI relating to reproductive health care for health care oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners, the group health plan is required to obtain a signed and dated attestation from the person or entity requesting the use or disclosure. Generally, the attestation must identify the types of PHI being requested and state that the requested use or disclosure is not for a prohibited purpose. In addition, the attestation must contain a notice that persons who knowingly obtain or disclose PHI in violation of HIPAA’s privacy or security rules are subject to criminal penalties.
Notably, the HIPAA RHC Rule provides that material misrepresentations are subject to potential criminal liability. In addition, a group health plan’s failure to obtain a required attestation could lead to civil penalties. HHS has indicated that it will provide a model attestation prior to the December compliance date.
Changes to HIPAA Notice of Privacy Practices
By February 16, 2026, a group health plan must update its Notice of Privacy Practices to include information about how PHI relating to reproductive health care may be used or disclosed. Examples of instances in which such uses or disclosures may be made are required to be included in the Notice.
Action Items:
To ensure compliance with the HIPAA RHC Rule, group health plans should consider the following action items:
- Update the plan’s HIPAA policies and procedures detailing permitted uses and disclosures to include the disclosure requirements that apply to PHI that relates to reproductive health care
- Update any business associate agreements to ensure business associates agree to comply with the HIPAA RHC Rule
- Update the plan’s HIPAA Notice of Privacy Practices to include the prohibitions regarding uses and disclosures of PHI relating to reproductive health care, and provide examples
- Redistribute the updated HIPAA Notice of Privacy Practices
- Draft an attestation form for use by persons requesting PHI that may be related to reproductive health care (although HHS will provide a model form, any attestation that complies with the HIPAA RHC Rule will suffice)
- Train workforce members with access to PHI on the new prohibitions, use of appropriate attestation forms, and changes to the plan’s HIPAA policies and procedures, and document the training
Employer-sponsored group health plans should take time now to understand how the requirements of the HIPAA RHC Rule will affect their operations and begin implementing the required changes. Group health plans will need to be mindful of the state-by-state differences that apply to reproductive health care and should consult legal counsel as issues arise.