New HIPAA Reproductive Health Rule Requires Compliance by December 23, 2024
A new HIPAA rule that goes into effect on December 23, 2024, requires each healthcare provider (and other HIPAA covered entities and business associates) to implement new workflows, policies, and procedures for responding to requests for protected health information that may involve “reproductive healthcare information.”
Overview
Following the decision of the U.S. Supreme Court in Dobbs v. Jackson Women’s Health Organization and the overturning of the 1973 decision of Roe v. Wade, the Biden Administration expressed worry that states that prohibit abortion may try to investigate or prosecute citizens who obtain abortions in other states where abortion is legal. Earlier this year, in an effort to prohibit states from obtaining information about such citizens who seek reproductive care that is legal in other states, the Biden Administration finalized the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Rule”). The Rule prohibits healthcare providers from disclosing protected health information about reproductive healthcare for investigative purposes if such healthcare was legal in the state in which it was rendered.
The Rule applies to requests for protected health information for the following purposes:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Disclosures about decedents to coroners and medical examiners
The Rule imposes several new requirements that every covered entity and business associate must follow when responding to a subpoena, demand, or other request for records that may contain reproductive health care information.
Broad Definition of “Reproductive Health Care”
The new rule defines “reproductive healthcare information” (“RPHI”) very broadly as information concerning “health care … that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” (45 C.F.R. § 160.103).
The definition of RPHI is expansive. It covers healthcare information related to diagnosis and treatment for a wide range of conditions beyond contraception and abortion, including, but not limited to, pregnancy, IVF, menopause, endometriosis, mammography, and erectile dysfunction.
Application
The Rule generally prohibits all HIPAA covered entities (including healthcare providers) and their business associates from disclosing RPHI for a prohibited purpose. Generally, the Rule places a burden on a covered entity or business associate that receives a request for protected health information to determine whether the records subject to the request contain any RPHI, to disclose the RPHI only if the health records are not requested for a purpose prohibited by the Rule, and to obtain an attestation (discussed in more detail below) if RPHI is going to be disclosed. Conversely, the Rule does not prohibit disclosure of RPHI if either (i) the reproductive healthcare was illegal where it was obtained, or (ii) the RPHI is not sought for purposes of investigating or prosecuting the person who sought reproductive healthcare.
The Rule requires a covered entity or business associate responding to a request for any medical information that could include RPHI to obtain an attestation from the party to whom it is disclosing the protected health information that the information will not be used for a prohibited purpose. The required attestation must include certain elements to be valid. The Office for Civil Rights has published a model attestation that may be the safest for providers to rely upon.
The Rule also requires changes to Notices of Privacy Practices related to the new prohibition on disclosure of RPHI, as well as changes to the 42 C.F.R. part 2 rules related to disclosure of substance abuse records. The required changes to Notices of Privacy Practices are not effective until 2026, but providers would likely be wise to implement these changes now as they adjust workflows and policies to comply with the other provisions of the Rule concerning RPHI.
Takeaways
- HIPAA now prohibits the use or disclosure of protected health information (PHI) to investigate or impose liability on a person for seeking, obtaining, providing, or facilitating reproductive healthcare. “Reproductive healthcare” is very broadly defined.
- Requests for disclosure of protected health information that potentially relate to reproductive healthcare must include an attestation from the requestor that the request is not for a prohibited purpose.
- Covered entities and business associates will need to review and update their HIPAA policies and procedures and develop a compliant Attestation Form (or use the OCR model form).
- Covered entities and business associates will need to train staff to understand the new Rule and to identify situations when an attestation is required to disclose PHI.
- Covered entities will need to amend their Notices of Privacy Practices to address these new requirements as well as changes to 42 C.F.R. part 2, addressing substance abuse records.
- Covered entities should review existing Business Associate Agreements and consider revisions to such agreements to ensure that business associates are prohibited from disclosing RPHI in violation of the Rule.
In addition to requiring significant operational changes, the new Rule may place healthcare providers and other covered entities and business associates at odds with third-party requestors of records who are not yet familiar with the new Rule.
There is speculation that the incoming Trump administration may take a different view of the matters addressed in the new Rule in the future, potentially rolling back enforcement or the rule itself, but for now compliance with the Rule is required.
If your organization requires assistance in implementing these necessary changes, please contact members of Sands Anderson’s Health Law Team.