The New HIPAA Reproductive Health Rule: What You Need to Know
By Kim Stanger
Healthcare providers must comply with the new HIPAA Reproductive Health Rule (the “Rule”) by December 23, 2024.1 Here is what you need to know and do before then.
Overview. In the wake of Dobbs v. Jackson Women’s Health Organization, the Biden Administration has been concerned about situations in which states that prohibit abortion try to investigate or prosecute their citizens who obtain abortions in other states where abortion is legal. The Rule generally prohibits providers from disclosing protected health information about reproductive healthcare (“RPHI” in this article) for investigative purposes if the reproductive care was legal in the state in which it was rendered.
The Rule faces an uncertain future. Texas has sued HHS to block the Rule.2 Although no substantive decision has yet been issued, federal courts in Texas have been willing to limit federal regulations concerning reproductive health. Perhaps more importantly, it is not clear whether the Trump administration will maintain the Rule. In the meantime, however, the regulation is on the books and providers should comply.
Application. The new Reproductive Health Rule applies to “reproductive health care,” i.e., “health care … that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” (45 C.F.R. § 160.103). The Rule applies to all HIPAA-covered entities (including healthcare providers) and their business associates who have RPHI and receive requests for RPHI whether or not the provider actually rendered the care.
The General Rule. Under the Rule, if a healthcare provider, other covered entity, or business associate receives a subpoena, demand, or other request for RPHI and has reasonably determined that
(1) The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided [or]
(2) The reproductive health care is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided,
then the covered entity or business associate may not use or disclose the RPHI for any of the following activities:
(1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.3
(2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
(3) To identify any person for any [of the foregoing] purpose[s]…
(45 C.F.R. § 164.502(a)(5)(iii)(A)-(B)). Thus, the Rule only prohibits disclosure of RPHI if (i) the care is legal where and under the circumstances it was rendered, and (ii) the RPHI is sought for purposes of investigating or prosecuting the person who sought reproductive healthcare. Conversely, the Rule does not prohibit disclosure of RPHI if either (i) the reproductive healthcare was illegal where it was obtained, or (ii) the RPHI is not sought for purposes of investigating or prosecuting the person who sought reproductive healthcare. Of course, healthcare providers and business associates would still need to comply with other HIPAA rules before such RPHI may be disclosed.
Applying the Rule. Under the Rule, if a healthcare provider, other covered entity, or business associate maintains RPHI about a patient (whether or not the provider rendered the reproductive healthcare), the provider must respond to a request or demand seeking such RPHI as follows:
1. Determine if the reproductive care was legal where rendered. The Rule does not protect RPHI concerning care that was illegal where rendered. On the other hand, if the care was legal, the Rule generally prohibits disclosure for purpose of criminal, civil, or administrative investigations or prosecutions. Importantly, reproductive healthcare
is presumed lawful … unless the covered entity or business associate has any of the following:
(1) Actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
(2) Factual information supplied by the person requesting the use or disclosure of protected health information that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.
(45 C.F.R. § 164.502(a)(5)(iii)(C)). To help assess the legality of the care, the provider or business associate must obtain an attestation described in the next section.
2. Determine the purpose of the request by obtaining a required attestation. If the request seeks RPHI concerning legal reproductive care, the provider must determine whether the request is for purposes of investigating or imposing “criminal, civil or administrative liability on [the] person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.” (45 C.F.R. § 164.502(a)(5)(iii)(A)). To do so, the provider must obtain a written attestation from the requester affirming the purpose of the request.4 The required attestation must satisfy the requirements in 45 C.F.R. § 164.509; a provider may not rely on a defective attestation. Among other things, the attestation may not be combined with any other document and must contain specified elements as set forth in § 164.509. Persons who submit a false attestation or otherwise obtain RPHI in violation of the Rule may be subject to criminal penalties under 42 U.S.C. § 1320d-6. (42 C.F.R. § 164.509(c)(1)(v)).
The Office for Civil Rights has published a model attestation at https://www.hhs.gov/sites/default/files/model-attestation.pdf. Providers and business associates are not required to use the OCR’s model attestation, but doing so is likely easier and safer. Among other things, the OCR’s model attestation requires the requester to certify either:
☐ The purpose of the use or disclosure of protected health information is not to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care or to identify any person for such purposes.
[Or]
☐ The purpose of the use or disclosure of protected health information is to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, or to identify any person for such purposes, but the reproductive health care at issue was not lawful under the circumstances in which it was provided.
(https://www.hhs.gov/sites/default/files/model-attestation.pdf).
A covered entity or business associate may not rely on an attestation if:
(iv) The covered entity or business associate has actual knowledge that material information in the attestation is false [or]
(v) A reasonable covered entity or business associate in the same position would [believe, despite the attestation, that the use or disclosure is for purposes of investigating or imposing liability for obtaining reproductive care].
(45 C.F.R. § 164.509(b)(2)).
If the provider determines that the RPHI is not for a prohibited purpose, the provider may disclose the RPHI. On the other hand, if the provider determines that the RPHI is for the purpose of investigating or prosecuting the reproductive care patient, HIPAA prohibits the disclosure.
If, during the course of using or disclosing protected health information in reasonable reliance on a facially valid attestation, a covered entity or business associate discovers information reasonably showing that any representation made in the attestation was materially false, leading to a use or disclosure for a purpose prohibited under [the Rule], the covered entity or business associate must cease such use or disclosure.
(45 C.F.R. § 164.509(d)).
What You Must Do. To ensure compliance, providers, other covered entities, and business associates need to do the following before December 23, 2024:
1. Review and modify your HIPAA policies and procedures and train employees concerning the Rule.
2. Review and consider modifying authorizations or request for information forms to ask if the person is seeking RPHI. If no RPHI is sought, then the Rule does not apply. If RPHI is sought along with other information, then the provider will need to comply with the Rule.
3. Draft and use a compliant attestation or adopt and use the OCR model attestation when the provider or business associate receives requests for RPHI. The provider or business associate should retain a copy of the attestation to verify compliance.
Notice of Privacy Practices. The Rule will require providers and other covered entities to update their Notice of Privacy Practices (NPP) by February 16, 2026. The update will also need to address recent changes to 42 C.F.R. part 2 relating to substance use disorder records. (45 C.F.R. § 164.520). HHS has proposed additional HIPAA changes that will also need to be addressed in the NPP, but those proposals have not been finalized. (86 F.R. 6446 (1/21/21)). Presumably, HHS postponed the deadline for the Notice updates to accommodate the anticipated changes.
1 The Rule actually became effective June 5, 2024, but HHS postponed the compliance date for most provisions to December 23, 2024. (89 FR 32976).
2 Texas v. HHS, 5:24-cv-00204-H (N.D. Tex. 2024).
3 For purposes of the Rule,
seeking, obtaining, providing, or facilitating reproductive health care includes, but is not limited to, any of the following: expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.
(45 C.F.R. § 164.502(a)(5)(iii)(D)).
4 The Rule expressly prohibits covered entities or business associates from using or disclosing RPHI “for purposes specified in § 164.512(d) [health oversight activities], (e) [judicial or administrative proceedings], (f) [law enforcement purposes], or (g)(1) [coroners and medical examiners], without obtaining an attestation that is valid … from the person requesting the use or disclosure and complying with all applicable conditions” of the Rule. (45 C.F.R. § 164.509(a)).