HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet (2024)

The Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) has issued a Final Rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support reproductive health care privacy. This Final Rule is one of many actions taken by HHS to protect access to and privacy of reproductive health care after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization that has led to extreme state abortion bans and other restrictions on reproductive freedom in 21 states. The Final Rule also supports President Biden’s Executive Orders (EOs) on protecting access to reproductive health care. In particular, under EO 14076, President Biden directed HHS to consider taking additional actions, including under HIPAA, to better protect information related to reproductive health care and to bolster patient-provider confidentiality.

Prohibition

The Final Rule strengthens privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a covered health care provider, health plan, or health care clearinghouse—or their business associate—for either of the following activities:

• To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circ*mstances in which it is provided.
• The identification of any person for the purpose of conducting such investigation or imposing such liability.

Under the Final Rule, the prohibition applies where a covered health care provider, health plan, or health care clearinghouse (covered entities) or business associate (collectively, “regulated entities”) has reasonably determined that one or more of the following conditions exists:

• The reproductive health care is lawful under the law of the state in which such health care is provided under the circ*mstances in which it is provided.
  • For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
• The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
  • For example, if use of the reproductive health care, such as contraception, is protected by the Constitution.
• The reproductive health care was provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associates) that receives the request for PHI and the presumption described below applies.

The Final Rule continues to permit covered health care providers, health plans, or health care clearinghouses (or business associates) to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for the use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. For example:

• A covered health care provider could continue to use or disclose PHI to defend themselves in an investigation or proceeding related to professional misconduct or negligence where the alleged professional misconduct or negligence involved the provision of reproductive health care.
• A covered health care provider, health plan, or health care clearinghouse (or business associates) could continue to use or disclose PHI to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care.
• A covered health care provider, health plan, or clearinghouse (or their business associates) could continue to use or disclose PHI to an Inspector General where the PHI is sought to conduct an audit for health oversight purposes.

Presumption

The Final Rule includes a presumption that the reproductive health care provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associates) receiving the request was lawful. In such cases, the reproductive health care is presumed to be lawful under the circ*mstances in which it was provided unless one of the following conditions are met:

• The covered health care provider, health plan, or clearinghouse (or business associates) has actual knowledge that the reproductive health care was not lawful under the circ*mstances in which it was provided.
  • For example, an individual discloses to their doctor that they obtained reproductive health care from an unlicensed person and the doctor knows that the specific reproductive health care must be provided by a licensed health care provider.
• The covered health care provider, health plan, or health care clearinghouse (or business associates) receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circ*mstances in which it was provided.
  • For example, a law enforcement official provides a health plan with evidence that the information being requested is reproductive health care that was provided by an unlicensed person where the law requires that such health care be provided by a licensed health care provider.

Attestation

To implement the prohibition, the Final Rule requires a covered health care provider, health plan, or health care clearinghouse (or business associates), when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies when the request is for PHI for any of the following:

• Health oversight activities.¹
• Judicial and administrative proceedings.²
• Law enforcement purposes.³
• Disclosures to coroners and medical examiners.⁴

The requirement to obtain a signed attestation gives a covered health care provider, health plan, or health care clearinghouse (or business associates) a way of obtaining written representations from persons requesting PHI that their requests are not for a prohibited purpose. Additionally, it puts persons making requests for the use or disclosure of PHI on notice of the potential criminal penalties for those who knowingly and in violation of HIPAA obtain individually identifiable health information (IIHI) relating to an individual or disclose IIHI to another person. We intend to publish model attestation language before the compliance date of this Final Rule.

Notice of Privacy Practices (NPP)

The Final Rule requires covered health care providers, health plans, and health care clearinghouses to revise their NPPs to support reproductive health care privacy. The Final Rule also requires revisions to NPPs to address proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records (“Part 2 NPRM”),⁵ as required by or consistent with the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020.

Disclosures to Law Enforcement

The Privacy Rule permits uses or disclosures of PHI without an individual’s authorization only where such uses or disclosures are expressly permitted or required by the Privacy Rule. As explained in OCR guidance, the Privacy Rule permits, but does not require, certain disclosures to law enforcement and others, subject to specific conditions. Thus, covered health care providers, health plans, and health care clearinghouses (and business associates), including their workforce members, are only permitted to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care (lawful or otherwise) if the covered entity or business associate is required by law to do so and all applicable conditions are met. Accordingly, under the Final Rule, such disclosure is only permitted where all three of the following conditions are met:

• The disclosure is not subject to the prohibition.
• The disclosure is required by law.
• The disclosure meets all applicable conditions of the Privacy Rule permission to use or disclose PHI as required by law.

How to file a complaint

If you believe that a HIPAA covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the HHS Office for Civil Rights at: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.

The final rule may be viewed or downloaded at: https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf

Endnotes

¹45 CFR 164.512(d).

²45 CFR 164.512(e).

³45 CFR 164.512(f).

⁴45 CFR 164.512(g)(1).

⁵87 FR 74216, 74237 (Dec. 2, 2022). The Part 2 Final Rule was published on February 16, 2024, and stated that the NPP modifications proposed in the Part 2 NPRM would be finalized in a separate Final Rule. The Department combined modifications to the NPP from both rulemakings into a single final rule because 45 CFR 164.104 limits the Secretary to making modifications to a standard or implementation specification no more than once every 12 months.