HIPAA Privacy Rules Get a Post-Dobbs Refresh on Reproductive Health Care

HIPAA Privacy Rules Get a Post-Dobbs Refresh on Reproductive Health Care
Friday, May 3, 2024

Employers will soon see the national debate about abortion popping up in some unexpected places: the HIPAA privacy policies and procedures and notices of privacy practices they use for their health benefit plans.

Quick Hits

  • Final privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) set basic limitations on the use or disclosure by covered entities (such as employer health benefit plans) and their business associates of reproductive health care information.
  • The final rules state that reproductive care is, for HIPAA purposes, presumed to be legal unless the employer health benefit plan or its business associate has “actual knowledge” that the care was not lawful under the circumstances.
  • The final rules generally require compliance on December 23, 2024. Effective February 16, 2026, covered entities will be required to update their notices of privacy practices.

Eagerly anticipated final rules by the U.S. Department of Health and Human Services (HHS), requiring compliance no later than December 23, 2024, set basic limitations on the use or disclosure by covered entities (such as employer health benefit plans) and their business associates of reproductive health care information. The limitations cover the use or disclosure of reproductive health care information to conduct civil, criminal, or administrative investigations or to impose such liability on individuals for “seeking, obtaining, providing, or facilitating” reproductive health care, so long as that care was legal where provided and was protected, required, or authorized by federal law in the relevant circumstances. The limitations also apply to uses or disclosures designed to identify any person for either of these purposes.

These rules come two years after the Supreme Court of the United States, in Dobbs v. Jackson Women’s Health Organizationexpressly overruled the two key rulings that established and upheld a constitutional right to abortion and gave states the authority to regulate abortion. The 2024 rules also come eleven years after final regulations last significantly modified the fundamental rules governing the privacy, security, and breaches of protected health information (PHI) under HIPAA.

Importantly, the 2024 rules indicate that reproductive care is, for HIPAA purposes, presumed to be legal unless the employer health benefit plan or its business associate has “actual knowledge” that the care was not lawful under the circumstances, or factual information provided by the requester indicates that there is a “substantial factual basis” to believe that the care was not lawful.

The 2024 rules apply a broad definition of “seeking, obtaining, providing or facilitating” reproductive health care to include “expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting or otherwise taking action to engage in reproductive health care,” or attempting to do so.

Additionally, the 2024 rules modify the HIPAA rules on disclosure of PHI to report abuse or neglect and for public health purposes to limit access to reproductive care information. For example, under current rules, a health benefit plan can refuse to treat an individual as a personal representative when it has a “reasonable belief” that the person has abused or may abuse or neglect the relevant individual. The new rules clarify that the basis for that reasonable belief cannot be the seeking of reproductive health care for and at the request of the individual.

Health benefit plans and their business associates will also have to get written attestations before releasing PHI potentially related to reproductive care to officials such as health or law enforcement officials. Such attestations will have to clearly state that the requested disclosure did not violate the new HIPAA rules on reproductive health care and that criminal penalties could be imposed for improper uses and disclosures of PHI.

Finally, the rules will require plans and their business associates to update their notices of privacy practices. The notices will have to describe and give an example of both the uses and disclosures of reproductive health care PHI prohibited under the new HIPAA rules, and the types of uses and disclosures for which an attestation would be required. An extended deadline applies to updating notices of privacy practices; modifications will not be due until February 16, 2026.

The final regulations also modify the HIPAA privacy rules related to substance abuse disorder patient information to reflect recent changes to the 2024 Confidentiality of Substance Use Disorder (SUD) Patient Records Final Rule (2024 Part 2 Rule) to better align these rules with HIPAA.

© 2024, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Current Legal Analysis

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 2020 Green Bay Rd., Suite 178, Highland Park, IL 60035  Telephone  (708) 357-3317 or toll free (877) 357-3317.  If you would ike to contact us via email please click here.

Copyright ©2024 National Law Forum, LLC