The U.S. Department of Health and Human Services (HHS) has issued a final rule that strengthens the HIPAA Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain situations. According to HHS, these new protections are necessary to protect access to and privacy of reproductive health care following the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.

The HIPAA Privacy Rule sets strict limits on the use, disclosure and protection of PHI by health care providers, health plans, health care clearinghouses and their business associates (regulated entities). The Privacy Rule also allows regulated entities to use or disclose PHI for certain non-health-care purposes, including certain criminal, civil and administrative investigations and proceedings.

New Protections

The final rule prohibits regulated entities from using or disclosing PHI for the criminal, civil or administrative investigation of (or proceeding against) any person in connection with seeking, obtaining, providing or facilitating reproductive health care where such health care is lawful under the circumstances in which it is provided. It also prohibits the identification of any person for the purpose of initiating such an investigation or proceeding. This prohibition applies where a regulated entity reasonably determines that:

  • The reproductive health care is lawful under the law of the state in which such health care is provided (and under the circumstances in which it is provided); or
  • The reproductive health care is protected, required or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.

Moreover, when a regulated entity did not provide the reproductive health care at issue, the final rule prohibits the use or disclosure of PHI when the person making the request does not provide sufficient information to overcome a presumption of legality. For example, this presumption can be overcome if the person making the request provides information showing a substantial factual basis that the reproductive health care was unlawful under the circumstances in which it was provided.

To implement the prohibition, when a regulated entity receives a request for PHI potentially related to reproductive health care, the regulated entity must obtain a signed attestation that the use or disclosure is not for a prohibited purpose.

Notice of Privacy Practices

The final rule requires regulated entities to revise their notice of privacy practices to support reproductive health care privacy. Regulated entities may also need to update their business associate agreements and HIPAA policies and procedures for the final rule’s changes, depending on their terms.

Key Dates

  • April 22, 2024: HHS released an unpublished version of the final rule.
  • April 26, 2024: The final rule is scheduled to be published in the Federal Register.
  • Dec. 22, 2024: Regulated entities must comply with the final rule by this date, except as noted below.
  • Feb. 16, 2026: Regulated entities must update their HIPAA notice of privacy practices by this date.

This Legal Update is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice.

© 2024 Zywave, Inc. All rights reserved.