On April 22, 2024, the Office for Civil Rights (OCR) for the United States Department of Health and Human Services issued a Final Rule amending the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA). The Final Rule, which goes into effect on June 25, 2024, promulgates additional HIPAA privacy protections with respect to protected health information (PHI) related to reproductive health care[i]. Note, the compliance deadline is December 22, 2024, and the changes required to Notices of Privacy Practices (NPPs) must be implemented by February 16, 2026.

OCR’s issuance of the Final Rule represents part of the Federal government’s regulatory response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, 597 U.S. 215 (2022), which concluded that the United States Constitution does not protect the right to an abortion. As such, OCR has concluded that preserving an individual’s expectation of privacy with respect to reproductive health care is crucially important to protecting the integrity of the provider‑patient relationship and the health care system more broadly. The Final Rule addresses these concerns by promulgating new regulations in three general categories related to PHI involving lawful reproductive health care:

1. Uses and disclosures of PHI,
2. Attestation requirements for requests for PHI, and
3. Changes to NPPs.

Uses and Disclosures of PHI Related to Reproductive Health Care

The Final Rule restricts certain uses and disclosures of PHI for certain non-health care purposes. The restrictions include prohibiting using PHI to conduct a criminal, civil or administrative investigation into, or to impose criminal, civil or administrative liability on, any person for the mere act of seeking, obtaining, providing or facilitating lawful reproductive health care, or to identify any person to initiate such activities.

The restrictions apply when a regulated entity receives a reproductive health care-related PHI request and reasonably determines that one of the following circumstances exists:

1. The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided;
2. The reproductive health care is protected, required or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided; or
3. The reproductive health care was provided by another person (i.e., not the regulated entity), unless the regulated entity has (a) actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or (b) factual information supplied by the person requesting the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided. It is important to note that this presumption of lawful reproductive health care represents OCR’s intent to improve the ability of the regulated entity that received the request for the use or disclosure of PHI to assess the lawfulness of the reproductive health care in instances where the reproductive health care at issue was provided by another party.

The Final Rule does not create a newly defined subset of PHI, unlike psychotherapy notes, which OCR has afforded special protections due to the sensitivity of the information. Rather, because it is difficult to segregate reproductive health information across the health care ecosystem and to avoid excessive implementation costs, OCR promulgated the new regulations via a “purpose-based prohibition” model that fits into the existing framework of the Privacy Rule. Furthermore, the Final Rule does not prohibit the use or disclosure of reproductive health-related PHI for the purposes of investigating alleged violations of the False Claims Act, audits conducted by the Office of Inspector General aimed at protecting the integrity of the Medicare or Medicaid programs, or investigating alleged violations of Federal nondiscrimination laws or abusive conduct that occurs in connection with reproductive health care (e.g., sexual assault).

Attestation Requirements Related to Reproductive Health Care

The Final Rule requires requestors of PHI related to reproductive health care to attest that they are not seeking the information for prohibited purposes, and requires providers to obtain such attestation before using or disclosing such information for health oversight activities (i.e., audits and investigations), judicial and administrative proceedings (i.e., a court order), law enforcement purposes (i.e., laws that require reporting certain types of wounds or injuries) or to aid coroners and medical examiners (i.e., identifying a deceased person or cause of death).

A valid attestation must verify that the use or disclosure is not otherwise prohibited by 45 C.F.R. 164.502(a)(5) and may be in electronic form, provided the attestation includes the following:

1. A description of the information requested, including the name of any individuals whose PHI is sought, or, if not practicable, a description of the class of individuals whose PHI is sought;
2. The identity of the person(s) or class of persons being asked to disclose or use the PHI;
3. The identity of the person(s) or class of persons asking for the PHI;
4. A clear statement that the recipient of the PHI will not use or disclose the PHI for a prohibited purpose;
5. A statement that a person may be subject to penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person;
6. A signature of the person requesting the PHI, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided; and
7. The attestation must be written in plain language and not make or rely on any material misrepresentations.

Updates to NPPs

The Final Rule outlines required changes to regulated entities’ NPPs to reflect the above prohibition and attestation requirements. The compliance date for the new NPP requirements is February 16, 2026, and OCR plans to publish a revised model notice prior to the compliance date.

Additional Considerations for Covered Entities and Business Associates

The Final Rule also implicates business associate agreements (BAAs). For example, health care providers, plans, clearinghouses, and business associates may need to revise existing BAAs to ensure that they do not permit activities that violate regulations promulgated by the amended Privacy Rule. Furthermore, OCR has expanded the attestation requirement to apply to business associates, ensuring that they are directly liable for compliance with the attestation requirement, regardless of whether such liability is explicitly provided for in a BAA. OCR expects a certain percentage of BAAs “will likely need to be updated to reflect a determination made by parties about their respective responsibilities when either party receives requests for disclosures of PHI.”

Regulated entities should conduct updated workforce training before the end of this year and update all NPPs on or before February 16, 2026. Proskauer will continue to monitor updates from OCR as the Final Rule becomes effective next week and its requirements roll out over the upcoming years.

[i] “Reproductive Health Care” is defined broadly to mean “health care, as defined in this section, that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” See Final Rule page 92. OCR provides several examples that fit within this expansive definition, including emergency contraception, pregnancy management, treatment of pregnancy-related conditions, pregnancy termination, fertility and infertility diagnosis and treatment (e.g., in vitro fertilization), and the diagnosis and treatment of conditions related to the reproductive system, including mammography, pregnancy-related nutrition services and postpartum care products. See Final Rule page 92

Michael J. Menconi also contributed to this article.