As of December 23, health care providers, health plans, and health care clearinghouses (covered entities) and their business associates (collectively, regulated entities) must comply with new reproductive health care privacy protections under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Enforcement will begin against the backdrop of a pending lawsuit challenging the validity of the new protections and an incoming Trump Administration with an uncertain enforcement posture.
The 2024 Final Rule
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) adopted the privacy protections in a 2024 final rule earlier this year, which we discussed in a prior alert. The rule prohibits regulated entities from using or disclosing protected health information (PHI) to identify, investigate, or hold someone liable for seeking, obtaining, providing, or facilitating reproductive health care that was lawfully provided in the relevant circumstances (for example, an abortion in a state where abortion is legal). “Reproductive health care” is any health care that “affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” This may include, for example, abortion, contraception, fertility medicine, and certain gender-affirming care procedures.
Starting December 23, regulated entities must obtain a signed, written attestation that PHI will not be used or disclosed for prohibited purposes when the following criteria are present:
- The regulated entity receives a request for PHI potentially related to reproductive health care.
- The request relates to health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners.
For instance, if a regulated entity receives a subpoena for medical records from a state licensing agency investigating a physician’s performance of an abortion, the attestation requirement would apply. Disclosing the PHI without first securing a valid attestation would be an impermissible disclosure under the Privacy Rule, potentially leading to civil monetary penalties or, in some cases, criminal sanctions.
HHS Releases Model Attestation to Aid Compliance
To assist regulated entities in their compliance efforts, HHS released a model attestation after publishing the 2024 final rule. The document includes fields where a party must provide information about a request for PHI potentially related to reproductive health care for one of the above-noted purposes, including information about the intended recipient of the PHI, the requester, and the individual whose PHI is requested. The model attestation also includes a statement that the PHI will not be used or disclosed for a prohibited purpose. While not mandatory, use of the model attestation may simplify compliance and reduce unnecessary variation.
Even if a regulated entity adopts the model attestation for use, it may encounter challenges complying with the attestation requirement, which is unprecedented under the HIPAA Privacy Rule. At the outset, the entity must determine whether a request for PHI is “potentially related to reproductive health care.” Given how broadly the rule defines “reproductive health care,” some regulated entities may struggle to accurately assess whether a request potentially relates to reproductive health care, leading to inconsistent application of the rule and potential inadvertent disclosures. These challenges could result in administrative burdens and delays in processing requests, even when the individual whose PHI is involved has not sought or obtained reproductive health care.
Additionally, a regulated entity must consider whether a request for PHI potentially related to reproductive health care is for a prohibited purpose. If the entity has “actual knowledge that material information in the attestation is false” or if a “reasonable” entity “in the same position would not believe that the attestation is true,” the attestation is invalid. This may require analyzing whether reproductive health care was lawfully rendered.
In making these determinations, some regulated entities may face resistance from requesting parties reluctant to provide the required attestation, which could complicate compliance efforts. Particularly with requests from law enforcement agencies, a regulated entity may be placed in the difficult position of choosing between adhering to a court order and risking an impermissible disclosure of PHI, potentially affecting investigations into serious issues such as rape, incest, and domestic violence.
Texas Sues to Challenge Final Rule
As regulated entities prepare for compliance with the 2024 final rule, the State of Texas is challenging the rule’s enforceability in a lawsuit against HHS, the HHS secretary, and the director of OCR. The lawsuit also challenges provisions of the 2000 final rule that originally codified the HIPAA Privacy Rule, namely a three-part test that governs when a regulated entity may disclose PHI in response to a state agency’s administrative subpoena. Texas argues that these rules unlawfully hinder state investigations by restricting law enforcement’s access to PHI.
In its complaint, Texas asserts that both the 2000 and 2024 final rules violate the Administrative Procedure Act (APA), which governs the process by which federal agencies develop and issue regulations, because:
- The rules exceed HHS’s authority under the HIPAA statute, which preserves “the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.”
- The rules lack a reasonable justification and are arbitrary and capricious.
The state requests that the rules be vacated and their enforcement enjoined — remedies that, if granted, could significantly impact the rules’ enforcement nationwide.
The recent US Supreme Court decision in Loper Bright Enterprises v. Raimondo, which overturned Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc., may play a crucial role in the Texas court’s analysis. Previously, the Chevron doctrine required courts to defer to federal agencies’ reasonable interpretations of ambiguous statutes. With its overturning, courts must now exercise independent judgment in interpreting statutory provisions. This change may help Texas to the extent that the court scrutinizes the statutory basis for HHS’s rulemaking more rigorously than it would have under Chevron.
How Will the Change of Presidential Administrations Impact Enforcement?
With key parts of the 2024 final rule taking effect shortly before President-elect Trump takes office, there is uncertainty about whether and how the new Administration will enforce these protections. While the Biden Administration has consistently taken executive actions to promote access to reproductive health care, President-elect Trump has preferred to defer to state governments on such matters, as evidenced by his support for the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization. That decision empowered states to regulate abortion and prompted the 2024 final rule.
Neither President-elect Trump nor his HHS Secretary nominee Robert F. Kennedy Jr. has publicly addressed the 2024 final rule. However, at the end of President Trump’s first term, OCR proposed to significantly amend the HIPAA Privacy Rule, largely in ways that would loosen its restrictions on regulated entities. For example, the proposed rule would have expanded the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard, which requires a “serious and imminent” threat to health or safety. OCR has never finalized any of those proposed changes.
Key Takeaways
Regardless of the incoming Administration’s approach, changes to the 2024 privacy rule will not occur immediately. Absent a court order vacating the rule or enjoining OCR from enforcing it, OCR must modify or repeal the rule through administrative rulemaking in compliance with the APA. Therefore, regulated entities should be prepared to comply with the rule, despite the ongoing Texas lawsuit and transition between Administrations. To that end, regulated entities should work with their legal and compliance teams to:
- Assess whether they collect PHI related to reproductive health care.
- Review and update HIPAA compliance policies, procedures, and business associate agreements to align with the 2024 privacy rule.
- Consider adopting OCR’s model attestation for compliance and providing education and training on its use, particularly for staff who handle records requests.
- Stay informed about developments in the Texas litigation and potential enforcement changes following President-elect Trump’s inauguration.
This alert is part of ArentFox Schiff’s ongoing commitment to monitor the impact of the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization on health care providers, employers, and businesses.