Key components of the Final Rule include:
- A prohibition on the use or disclosure of protected health information (PHI) by a HIPAA-covered health care provider, health plan, or health care clearinghouse (covered entities) or its business associate (collectively, regulated entities) for the purpose of identifying, investigating, or imposing liability on a person “for the mere act of seeking, obtaining, providing, or facilitating reproductive health care” (the prohibited purposes).
- A requirement that, when a regulated entity receives certain requests for PHI that could be related to reproductive health care, it obtain from the requesting party an attestation that the PHI will not be used or disclosed for a prohibited purpose.
- A broad definition of “reproductive health care” as health care that “affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”
Regulated entities must comply with these portions of the Final Rule by December 23, 2024.
The most significant update to the Privacy Rule in more than a decade, the Final Rule marks the latest effort by the Biden Administration to promote reproductive health privacy since the US Supreme Court’s 2022 ruling in Dobbs v. Jackson Women’s Health Organization.
Prohibited Uses and Disclosures of PHI
In explaining the Final Rule’s new prohibition, OCR emphasized that there may be an increased demand for PHI relating to reproductive health care for law enforcement or other purposes in the post-Dobbs environment. Concerned that such PHI could make them a target for investigations and legal actions, some individuals may be discouraged from seeking lawful health care or from giving full information to their treating providers. Likewise, providers may be less willing to offer such care. According to OCR, these outcomes would undermine the “trust of individuals in health care providers and the health care system” on which HIPAA is based.
The Final Rule accounts for the patchwork of reproductive health laws following Dobbs, which overturned precedent establishing a federal constitutional right to abortion. It restricts uses and disclosures of PHI for prohibited purposes only if a regulated entity determines the reproductive health care was:
- Lawful under the law of the state in which the health care is provided.
- Protected, required, or authorized by federal law.
- Provided by a person other than the regulated entity, in which case the care is presumed lawful unless the regulated entity has: (1) actual knowledge that the care was not lawful or (2) information from the requesting party showing a “substantial factual basis” that the care was not lawful.
If none of these criteria is met, or if the regulated entity obtains authorization from the individual whose PHI is involved, the prohibition does not apply.
The Final Rule still permits a regulated entity to use or disclose PHI for what OCR describes as “legitimate interests” related to reproductive health care — for example, an investigation of an alleged fraud and abuse violation based on unusual prescribing or billing patterns for erectile dysfunction medication.
Required Attestation
The Final Rule also requires a regulated entity that receives a request for PHI potentially related to reproductive health care to obtain from the requester a signed attestation that the requested use or disclosure of PHI is not for a prohibited purpose. Such an attestation is required if the request relates to one of the following:
- Health oversight activities.
- Judicial and administrative proceedings.
- Law enforcement purposes.
- Disclosures to coroners and medical examiners.
A valid attestation must, among other requirements, be written in plain language, include a clear statement that the use or disclosure is not for a prohibited purpose, and include a statement that a person may be subject to criminal penalties for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA. If an attestation is defective, use or disclosure of the PHI by the regulated entity is a violation of the Privacy Rule.
The attestation requirement is notable because there is no other comparable requirement in the HIPAA regulations. Recognizing the potential implementation burden of this requirement, OCR will publish a model attestation before December 23.
Updated Notice of Privacy Practices Provisions
Among other changes to the Privacy Rule, the Final Rule modifies the content that a covered entity must include in its notice of privacy practices (NPP), which explains an individual’s rights related to their PHI and the covered entity’s uses and disclosures of that PHI. To further “trust in the relationship between regulated entities and individuals by ensuring that individuals are aware that certain uses and disclosures of PHI are prohibited,” a covered entity must add terms to its NPP describing the types of uses and disclosures of PHI subject to the Final Rule’s prohibition or attestation provisions. Covered entities have until February 16, 2026 to make such updates.
Key Takeaways
The Final Rule is a sweeping overhaul of the Privacy Rule that will impact stakeholders across the health care sector. In preparation for the Final Rule’s compliance date of December 23, a regulated entity should:
- Assess the types of reproductive health information it collects.
- Evaluate its workflows and processes for handling requests for PHI that may be subject to the Final Rule’s attestation requirement (for example, the receipt of a subpoena).
- Monitor for OCR’s release of a model attestation and develop an attestation form tailored to its needs.
- Review and make appropriate updates to HIPAA compliance policies and procedures and business associate agreements.
- Identify any necessary electronic health record updates and technology enhancements.
Additionally, a covered entity should plan to review and update its NPP by February 16, 2026.
A significant aspect of compliance with the Final Rule entails assessing the lawfulness of the reproductive health care related to an individual’s PHI. To this end, all regulated entities should work with their legal counsel to monitor for post-Dobbs changes to reproductive health laws that may apply to them or the patients they serve — particularly patients who travel across state lines for reproductive health services.