Earlier this week, the Biden-Harris Administration, through the Office for Civil Rights (OCR), announced a Final Rule aimed at protecting protected health information (PHI) related to lawfully provided reproductive health care services. As we discussed last year, the HIPAA Privacy Rule to Support Reproductive Health Care Privacy was proposed in response to concerns about the confidentiality of PHI related to reproductive health care following the decision in Dobbs v. Jackson Women’s Health Organization. In the executive summary of the Final Rule, OCR emphasized that the changing post-Dobbs legal landscape “increases the likelihood that an individual’s PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect, including the trust of individuals in health care providers and the health care system.” The Final Rule defines “reproductive health care” as “health care…that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”
According to OCR, the agency received almost 30,000 comments following issuance of the Proposed Rule in April 2023. In its press release announcing the Final Rule, OCR stated that the “Final Rule will bolster patient-provider confidentiality and help promote trust and open communication between individuals and their health care providers or health plans, which is essential for high-quality health care.”
The Final Rule seeks to counter the chilling effects abortion bans may have on the provision of reproductive health care by prohibiting the use or disclosure of PHI by a covered entity or their business associate for either of the following activities:
- To conduct a criminal, civil, or administrative investigation into or to impose liability on any person for seeking, obtaining, providing, or facilitating reproductive health care when such health care is provided under lawful circumstances.
  - Under the Final Rule, seeking, obtaining, providing, or facilitating reproductive health care services includes, but is not limited to, “expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.”
- To identify any person for the purpose of conducting such investigation or imposing such liability.
In determining whether the prohibition against use or disclosure applies, the covered entity or business associate should consider whether one or more of the following conditions exists:
- Whether the reproductive health care was lawful under the law of the state in which it was provided. OCR specifically provided as an example of such lawful activity a resident of one state traveling to another state where abortion is legal to receive abortion care.
- Whether the reproductive care is protected, required, or authorized by Federal law, regardless of where in the US the care is provided. The provision of services related to contraception, which is a protected right under the Constitution, would fall into this category regardless of the state in which the services are provided.
The Final Rule also includes a presumption that the reproductive care was lawfully provided if the care was provided by a person other than the covered entity or business associate receiving the request for PHI, unless the entity receiving the request has actual knowledge that the care was not provided under lawful circumstances or the requestor can provide evidence that demonstrates a substantial factual basis that the care was not lawfully provided, for example, evidence that the care was provided by an unlicensed person.
Implementation:
To implement the prohibition against use and disclosure outlined above, the Final Rule requires covered entities, and where applicable business associates, to take certain steps.
- Attestation: When a covered entity or business associate receives a request for PHI potentially related to reproductive health care, the covered entity or business associate must obtain a signed attestation that the use or disclosure is not for a prohibited purpose prior to disclosing the information. The purpose of the attestation is both to protect the covered entity or business associate and to put the requestor on notice of the potential criminal penalties for those who knowingly obtain PHI in violation of HIPAA.
  - OCR plans to publish a sample attestation prior to the compliance date of the Final Rule.
- Notice of Privacy Practices: The Final Rule also requires covered entities to revise their notices of privacy practices to address reproductive health care privacy and privacy of substance use disorder patient records (as set forth in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder Patient Records).
The Compliance Date for the Final Rule is 240 days after publication in the Federal Register, except for the requirements related to changes in the Notice of Privacy Practices, which must be adopted by February 16, 2026.