Administration Finalizes Rule to Bolster HIPAA Privacy Protections for Reproductive Health Information
April 26, 2024
The Department of Health and Human Services Office for Civil Rights (OCR) published April 26 (89 Fed. Reg. 32976) a final rule prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
In April 2023, OCR proposed modifications to the rule as part of the administration’s ongoing efforts to ensure access to reproductive health care in the wake of the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade.
OCR said it received almost 30,000 comments on the proposed rule from the public.
The final rule prohibits the use or disclosure of PHI by a covered health care provider, health plan, or health care clearinghouse—or their business associate—for either of the following:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of conducting such investigation or imposing such liability.
The final rule’s prohibition on disclosure applies where a covered entity or business associate reasonably determines that the reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
For example, according to the agency’s fact sheet, the prohibition would apply if a resident of one state traveled to another state to receive reproductive health care, including an abortion, that is lawful in the state where such health care was provided.
Other examples provided by OCR include when the health care sought is “protected, required, or authorized by Federal law, including the U.S. Constitution,” such as contraception; and when the health care was provided by a person other than the covered entity that receives the request for PHI when certain presumptions apply.
To implement the prohibition, the final rule requires covered entities to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This requirement “gives a covered health care provider, health plan, or health care clearinghouse (or business associates) a way of obtaining written representations from persons requesting PHI that their requests are not for a prohibited purpose,” and “puts persons making requests for the use or disclosure of PHI on notice of the potential criminal penalties for those who knowingly and in violation of HIPAA obtain individually identifiable health information (IIHI) relating to an individual or disclose IIHI to another person,” the fact sheet said.
Disclosure for law enforcement purposes is only permitted under the rule where all three of the following conditions are met:
- The disclosure is not subject to the prohibition.
- The disclosure is required by law.
- The disclosure meets all applicable conditions of the Privacy Rule permission to use or disclose PHI as required by law.
The rule is effective on June 25 and compliance will be required by December 23, except for the applicable requirements of 45 C.F.R. § 164.520, which have a compliance date of February 16, 2026.