HIPAA Reproductive Health Rule
Published on:
As of December 23, 2024, healthcare providers must comply with a new HIPAA rule that applies to certain requests for reproductive health information.
Briefly, the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule) was published by the Department of Health and Human Services Office for Civil Rights (OCR) in April 2024, as a response to the Dobbs v. Jackson Women’s Health Organization decision in 2022 that allowed states to legally prohibit abortion. The Final Rule addresses public concern about protected health information (PHI) being shared with state agencies, law enforcement, and other authorities for the investigation or prosecution of legally provided reproductive care.
The Final Rule prohibits all HIPAA covered entities and business associates from using or disclosing PHI when requested to investigate or impose liability on anyone for obtaining, providing, or facilitating lawful reproductive healthcare, including requests by law enforcement agencies.
Importantly, the Final Rule only protects lawful reproductive care and not illegal care (for example, a prohibited abortion). Reproductive healthcare is presumed to be lawful, unless the provider has:
1) Actual knowledge that the care was not lawful under the circumstances in which it was provided, or
2) Factual information supplied by the person requesting the use or disclosure of protected health information that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.
To determine the legality of care and/or the purpose of the request, healthcare providers who provide reproductive care, when receiving a subpoena, demand, or other request for PHI that includes or potentially includes information related to reproductive care, must obtain an attestation from the requester that the health information requested is not for a purpose prohibited by the Final Rule.
Attestation forms must indicate who is making the request, who is receiving the PHI, the specific information being requested, and how the information is not for a prohibited purpose under the Final Rule. The model attestation form also includes statements indicating that either:
- The care is lawful, and the request is not for a prohibited purpose, or
- The care in question is not lawful.
Medical practices can develop their own attestation forms, but the OCR published a model form that can be used as a template.
The Final Rule required HIPAA covered entities to comply with the requirements as of 12/23/24 by using the above attestation process. However, it should be noted that medical practices are not required to update their HIPAA Notice of Privacy Practices until 2026. Additionally, the Final Rule has been subject to legal challenges, and changes in national policy related to the new Presidential administration may result in further changes or a reversal of these requirements.
For a more detailed legal analysis of the new requirements, see The New HIPAA Reproductive Health Rule: What You Need to Know.
HHS also published resources and guidelines which can be found on the HIPAA and Reproductive Health page.
MIEC will keep our members informed of any further developments around this requirement. If you have any questions, please contact us at patientsafetyriskmgmt@miec.com.