Seyfarth Synopsis: This past Monday, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) issued its final rule aimed at strengthening the HIPAA Privacy rules as they are applied to reproductive health data.

On the heels of the release of the 2022 US Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, the Biden Administration directed the Federal agencies to examine what they could do to protect women’s health and privacy. Shortly thereafter, HHS released guidance under HIPAA related to reproductive health care services under a health plan, focusing on information required to be disclosed by law, for law enforcement purposes, and to avert a serious threat to health or safety (see our earlier Alert here). Then, in April 2023, HHS issued proposed modifications to the HIPAA Privacy Rule aimed at these concerns. A year later, the agency finalized those rules on April 22, 2024 – the Final Rule.

New Prohibition

The Final Rule attempts to protect the privacy of a person legally seeking abortion-related services by prohibiting the use or disclosure of protected health information (PHI) where it is sought for the purpose of:

  • conducting an investigation (be it criminal, civil or administrative) into any person for seeking, obtaining, providing or facilitating reproductive health care;
  • imposing liability (be it criminal, civil or administrative) on any person seeking, obtaining, providing or facilitating reproductive health care;
  • identifying any person for the purpose of conducting such an investigation or imposing such liability.

Of interest, the Final Rule inserts a new definition of Reproductive Health Care, and amends the definition of Person to state a natural person is “a human being who is born alive”.

Lawful Reproductive Health Care  

The prohibition on the use or disclosure of PHI applies where that health care is lawful under federal law or the laws of the state in which it is provided. 

The agency makes clear in its Fact Sheet that the Final Rule is intended to cover situations where a person travels from a state with an abortion ban to a state where the abortion is legal to access care. If the abortion is legal where it is performed, the Final Rule would prohibit the use or disclosure of that person’s PHI for purposes of her home state investigating whether she received an abortion that would have arguably violated the law of the home state had it been performed there. 

The Final Rule also states that reproductive health care is considered lawful, if it is care that is protected by Federal law, including the US Constitution, as is the case with contraception, wherever provided.

The Final Rule also has a presumption built in that the reproductive health care provided by a person other than the covered entity or business associate receiving the request for PHI was lawful, short of actual knowledge it was unlawful or the presentation of facts that substantially demonstrate the care was unlawful.

Other Permitted Disclosures 

HIPAA allows for PHI to be used or disclosed for a finite number of reasons listed in the privacy rule. The Final Rule provides that covered entities and their business associates may continue to use or disclose PHI for those permitted purposes, as long as the use or disclosure is not prohibited by one of the new prohibitions described above. As an example, PHI may be used by a provider to defend itself in a criminal, civil or administrative proceeding seeking to impose liability on that provider for reproductive health care services.

The Final Rule also clarifies that disclosures of PHI to law enforcement is a permissive disclosure. Therefore, disclosures of PHI for reproductive health care, lawful or not, is only permitted if the disclosure is not subject to the new prohibitions, is required by law, and otherwise meets all conditions of the HIPAA privacy rule.

Paperwork 

The Final Rule imposes a burden on covered entities or their business associates who receive a request for PHI related to reproductive health care. In such an event, the covered entity or business associate must obtain a signed Attestation from the requesting party that the use or disclosure is not for a prohibited purpose. HHS says it will be providing model language for such an Attestation.

The Final Rule also requires that covered entities update their Notice of Privacy Practices to address these new rules on the privacy of reproductive health care information, as well as updates for the use or disclosure of PHI related to substance use disorders.

Effective Date 

The Final Rule is effective June 25, 2024 (60 days after its publication in the Federal Register), and covered entities and business associates have until December 23, 2024 to comply with its provisions. However, additional time is provided to issue the revised Notice of Privacy Practice, which must be done by February 16, 2026.

*          *          *

We will continue to monitor the impact and reaction to the Final Rule and are available to assist with any questions as covered entities and business associates work toward implementing the changes.