HIPAA rule strengthens privacy protections for reproductive care

The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a final rule (and an accompanying Fact Sheet) designed to strengthen the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protections. Specifically, the rule prohibits HIPAA covered entities — including group health plans — (and their business associates, collectively referred to as “regulated entities”) from using or disclosing protected health information (PHI) to investigate or prosecute patients, providers and others involved in providing legal reproductive healthcare, including abortion care.

HIPAA restricts how certain medical information is shared, but it does not prevent regulated entities from sharing the information with law enforcement. The final rule closes this gap in states where the services are legal under state law.

The final rule takes effect June 25, 2024, and regulated entities have until December 23, 2024, to comply with its provisions. However, revised HIPAA Notices of Privacy Practices (NPPs) reflecting the new requirements will not have to be distributed until February 16, 2026. A legal challenge to the final rule is expected.

Prohibition of use and disclosure

The final rule prohibits the use or disclosure of PHI by group health plans and other HIPAA covered entities for the following purposes:

• Conducting an investigation (criminal, civil or administrative) into any person for seeking, obtaining, providing or facilitating reproductive healthcare
• Imposing liability (criminal, civil or administrative) on any person seeking, obtaining, providing or facilitating reproductive healthcare
• Identifying any person for the purpose of conducting such an investigation or imposing such liability

The use or disclosure of PHI is prohibited where reproductive healthcare is lawful under federal law or the laws of the state in which it is provided. Under the final rule, the prohibition would apply where a criminal, civil, or administrative investigation or proceeding is in connection with one of the following:

• The reproductive healthcare is lawful under the law of the state in which such healthcare is provided under the circumstances in which it is provided.
• The reproductive healthcare is protected, required or authorized by federal law, including the U.S. Constitution, regardless of the state in which the healthcare is provided.
• The reproductive healthcare was provided by someone other than the covered healthcare provider, health plan, or healthcare clearinghouse (or business associates) that receives the request for PHI and the reproductive healthcare is presumed to be lawful under the terms of the final rule (i.e., reproductive healthcare is presumed to be lawful unless the regulated entity has actual or factual knowledge that it was unlawful).

“Reproductive healthcare” is defined to include, but not be limited to, contraception, including emergency contraception; pregnancy-related healthcare; fertility or infertility-related healthcare; and other types of healthcare used to diagnose and treat conditions related to the reproductive system. This would include, for example, prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and diagnosis and treatment for reproductive-related conditions.

Note that the final rule continues to allow using or disclosing PHI in the following circumstances:

• When covered healthcare providers must defend themselves in investigations or proceedings related to professional misconduct or negligence where the alleged professional misconduct or negligence involved reproductive healthcare
• When a covered entity must defend any person in a criminal, civil or administrative proceeding where liability could be imposed on that person for providing reproductive healthcare
• When a covered entity must use or disclose PHI to an Inspector General during an audit for health oversight purposes

Attestation

Under the final rule, when a HIPAA covered entity receives a request for PHI potentially related to reproductive healthcare, it must obtain a signed attestation that PHI will not be used for a prohibited purpose. This attestation would need to be provided on a “stand-alone” basis (i.e., not be connected to or accompanied by other documents) in any of the following circumstances:

• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes
• Disclosures to coroners and medical examiners

The final rule provides details on content and distribution requirements for the attestation, as well as what makes it valid. OCR intends to publish a model attestation form prior to the December 23, 2024 compliance date.

HIPAA Notice of Privacy Practices

Generally, the HIPAA Privacy Rule requires covered entities to provide individuals with NPPs to (a) ensure that they understand how their PHI may be used and disclosed, and (b) explain individuals’ rights and the covered entities’ legal duties with respect to PHI.

Under the final rule, NPPs must be revised to reflect:

• The final rule on HIPAA reproductive healthcare privacy and disclosure
• Provisions on confidentiality of medical records relating to individuals with substance use disorders

HHS and OCR will consider providing sample language and examples or provide an updated model NPP.

Going forward

• Group health plan sponsors will need to adopt an attestation process. Plan sponsors will want to consider establishing a signed attestation procedure to identify when an attestation will be required, steps to get the attestation signed and collected, and how the plan sponsor will retain those records.
• Group health plans are required to add elements to their HIPAA NPP addressing the new requirements. Plan sponsors will also want to review and update HIPAA policies and procedures as well as business associate agreements and conduct training to reflect the final rule.