On April 26, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) published its Final Rule to Support Reproductive Health Care Privacy.1 According to OCR, adopting these rules aims to create a “purpose-based prohibition” on specific uses and disclosures of reproductive health Protected Health Information (PHI). Although the Health Insurance Portability and Accountability Act (HIPAA) applies to multiple covered entity types, such as healthcare providers and health plans, this article discusses the final rules specifically relating to employer-sponsored healthcare plans.
The HIPAA Privacy Rule, which falls under HIPAA’s administrative simplification provisions, regulates the use and disclosure of an individual’s protected health information (PHI) by a covered entity (i.e., healthcare provider, health plan and data clearinghouse). Health plans, specifically employer-sponsored group health plans, are considered covered entities and subject to the HIPAA Privacy and Security Rules.
On June 24, 2022, the Supreme Court of the United States (SCOTUS) issued a ruling in Dobbs v. Jackson Women’s Health Organization (Dobbs), which allowed states to create laws that could restrict access to reproductive healthcare needs. Due to these restrictions, certain healthcare providers felt compelled to disclose the PHI of covered patients to agencies that could use the information against a patient or the involved provider/facility assisting with reproductive healthcare needs. This risk to both the individual and the provider existed even if the individual obtained such services legally in a state that did not prohibit such services. Due to the impact of these issues faced by patients traveling across state lines to receive legal reproductive health services from a provider that was outside of their state of residence, OCR believed protections for patients and providers were needed at the national level for the promotion of trust between patients and their healthcare providers.
As stated earlier in this article, the final rule adopts a “purpose-based prohibition” on the use and disclosure of reproductive healthcare-related information of individuals covered under HIPAA. This prohibition amends the current HIPAA Privacy Rule.3 The new privacy protections prohibit a health plan (or other covered entity) and its business associates from using or disclosing a covered individual’s PHI for the following purposes:
These new prohibitions will be referred to as “new privacy protections” for ease of understanding throughout this article.
The above new privacy protections for the use and disclosure of reproductive healthcare PHI only apply to the reproductive service/activity when a person and/or covered entity is seeking, obtaining, providing or facilitating reproductive healthcare. Some examples of when these rules would not apply, even if the information is related to reproductive healthcare PHI, include:
Presumption in Favor of Reproductive Healthcare Provided by a Person that is a Non-Covered Entity
If reproductive healthcare is provided by a person other than the covered entity (or business associate of a covered entity) receiving the request for reproductive healthcare PHI, there is a presumption that such services were lawful unless the covered entity or business associate:
The final rule requires covered entities and business associates to:
When a request for reproductive healthcare PHI is made to a covered entity (e.g., healthcare provider/health plan) or a business associate, the covered entity or business associate must, under certain circumstances, obtain a signed attestation from the person/entity requesting the PHI. The attestation states that the PHI will not be used for a prohibited purpose and assures the covered entity or business associate that the release of the requested PHI is made in compliance with the law. This applies to requests for PHI in the following circumstances:
HHS will release model attestation language for covered entities before the final rule’s effective date on June 25, 2024.
The guidance regarding modifications to a covered entity’s Notice of Privacy Practices (NPP) is limited as to how a covered entity must modify the NPP to account for reproductive healthcare and substance use disorder treatment PHI records. Therefore, covered entities should work with their legal counsel to modify their current HIPAA Notice of Privacy Practices. The compliance deadline for the NPP to include these updated provisions related to reproductive health protections is February 16, 2026.
Uses or disclosures of PHI without an individual’s authorization are only permitted in very limited circumstances under the HIPAA Privacy Rule. The disclosure of PHI to law enforcement does not require a covered individual’s authorization. Under the HIPAA Privacy Rule, so long as disclosure of PHI is required under the law, covered entities and business associates may disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care (lawful or otherwise) if all applicable conditions are met. Under the final rule as it relates to reproductive healthcare PHI, all three of the following conditions must be met for this type of PHI to be disclosed to law enforcement agencies without a covered individual’s authorization:
Health plan sponsors should exercise caution when disclosing reproductive health-related PHI to a person/entity requesting such information, in light of the restrictions set forth in the final rule under HIPAA. It will be necessary to obtain an attestation from individuals legally requesting reproductive healthcare PHI from the health plan. To ensure compliance with the new rules, plan sponsors should speak to their legal counsel whenever information is requested about the reproductive healthcare of their plan participants/employees.
Health plan sponsors that cover reproductive healthcare services as part of their group health plan, or that provide travel-related benefits to employees for reproductive health services sought outside their state of residence/employment, should incorporate these new restrictions into their HIPAA Policies and Procedures, review and update any Business Associate Agreements with their Business Associates pursuant to these new rules, and seek advice from their legal counsel to ensure compliance with these final rules.
Additionally, health plan sponsors should ensure that they update their Notice of Privacy Practices in a timely fashion.
1 https://www.govinfo.gov/content/pkg/FR-2024-04-26/pdf/2024-08503.pdf
2 https://www.supremecourt.gov/opinions/21pdf/19-1392_6j37.pdf
3 https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html
4 Statutory Inspectors General are established by law and are intended to be independent, nonpartisan officials who work within specific governmental agencies and focus on the prevention and detection of waste, fraud and abuse of federal governmental resources.