Final HIPAA Privacy Rule Provides New Protections for Reproductive Health Care Information

On April 26, 2024, the Department of Health and Human Services issued a Final 2024 Privacy Rule to Support Reproductive Health Care Privacy (the “Rule”). The Rule was developed in response to the 2022 U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which overturned the precedents protecting a constitutional right to abortion. The Rule amends the provisions to the HIPAA Privacy Rule to strengthen privacy protections about the disclosure of protected health information (“PHI”) related to the reproductive health care of an individual for non-health care purposes. In particular, the Rule prohibits uses and disclosures of PHI for criminal, civil, or administrative investigations or proceedings against persons for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.

To enhance the HIPAA privacy protections for reproductive health care information, the Rule makes several changes:

  • Adopting and clarifying certain definitions, including:
    • Defining “person” to mean a “natural person (meaning a human being who is born alive).”
    • Defining “public health” surveillance, investigation, and intervention to be limited to “population-level activities to prevent disease and promote health of populations.”
    • Defining “reproductive health care” broadly to include health care “in all matters relating to the reproductive system and to its functions and processes.”
  • Creating a new category of prohibited uses and disclosures for reproductive health care information where it is sought to conduct civil, criminal, or administrative investigations, or to impose on an individual for the “mere act of seeking, obtaining, providing, or facilitating reproductive health care.”
  • Creating a presumption that the reproductive health care provided by another covered entity is presumed to be lawful unless the covered entity or business associate has actual knowledge to the contrary.
  • Modifying the rules permitting disclosure of PHI to report abuse or neglect and for public health purposes to restrict access to reproductive health care information.
  • Providing that a covered entity may not decline to recognize a person as a personal representative because they provide or facilitate reproductive health care for an individual.
  • Requiring as a condition for disclosure that covered entities obtain an attestation that a requested use or disclosure is not for a prohibited purpose under the Rule, when the request is made by health or law enforcement officials, for judicial or administrative proceedings, or by coroners and medical examiners.
  • Requiring modifications to covered entities’ HIPAA privacy policies and Notice of Privacy Practices to conform to the Rule.

Compliance with the rule is required by December 23, 2024, which means that employers who sponsor self-insured group health plans, and other covered entities, must amend their HIPAA privacy and security policies and operations. Covered entities subject to the Rule are not, however, required to amend their Notice of Privacy Practices until February 16, 2026.

Notably, the Rule incorporates modifications related to the use and disclosure of substance use disorder information under the Confidentiality of Substance Use Disorder (“SUD”) Patient Records final rule. Inevitably, this means that covered entities must incorporate the recent changes under the SUD final rule.

HIPAA Privacy Rule to support Reproductive Health Care Privacy, 89 F.R. 32976 (April 26, 2024); Confidentiality of Substance Use Disorder (SUD) Patient Records, 89 F.R. 12472 (February 16, 2024).