HHS to Improve Reproductive Health Care Privacy Protections Under HIPAA

On April 22, 2024, the Office for Civil Rights (OCR) of the federal Department of Health and Human Services announced a final rule that improves privacy protections related to reproductive health care. Specifically, the final rule amends the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) to establish, among other things, new restrictions on the use or disclosure of protected health information (PHI) related to reproductive health care. Citing the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Org and its far-reaching implications for reproductive health care, OCR argues that the rule change is necessary to ensure, among other things, that people are not afraid to seek reproductive health care.

Under HIPAA, the Privacy Rule is one of several rules, known collectively as the HIPAA Rules, that protect the privacy and security of individuals’ PHI. OCR administers and enforces the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses, and business associates (collectively, “regulated entities”) to protect the privacy of PHI and sets limits and conditions on the use and disclosure of such information.

PHI generally refers to individually identifiable health information transmitted by or maintained in electronic media or other form or medium. A key requirement of the Privacy Rule is that PHI may not be used or disclosed except as permitted by HIPAA, and those permitted uses and disclosures may be further limited by a different, more stringent state law. Disclosure of PHI is required only in limited circumstances, such as when required by the Secretary of Health and Human Services to investigate a covered person’s compliance with the Privacy Rule and the person’s right of access. In other limited cases, uses and disclosures of PHI may be made (they are permitted, not required) without the individual’s permission, such as for treatment, payment, or health care operations.

Even with these protections, OCR has noted several concerns related to the use and disclosure of certain PHI related to reproductive health. These include potential harm caused by the disclosure of such information for purposes other than health care, such as conducting an investigation against or imposing liability on an individual or other person receiving or providing reproductive health care. According to OCR, these situations can dampen an individual’s willingness to seek legitimate health care treatment or to provide full information to their health care providers when receiving that treatment. They may also inhibit health care providers’ willingness to provide such care.

OCR received almost 30,000 public comments on the proposed rule. After considering these comments, OCR’s final rule:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or prosecute individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify individuals for such activities.
  • Requires a regulated health care provider, health plan, clearinghouse, or their business associates to obtain a signed certification that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires regulated health care providers, health plans, and clearinghouses to change their Notice of Privacy Practices to support the privacy of reproductive health care.

The final rule takes effect 60 days after it is published in the Federal Register, and regulated entities will have 180 days after that to comply. However, OCR has extended the compliance date for required updates to Notices of Privacy Practices (NPP). In doing so, the agency took into account the additional NPP changes required under the 2024 Substance Use Disorder Patient Record Privacy Final Rule (rules intended to better harmonize HIPAA with rules governing certain federally funded programs for substance abuse treatment under 42 USC Part 2). The compliance date for those changes is February 16, 2026, and OCR has adopted the same deadline for the NPP updates required by this final rule.

The final rule will have several other implications. For example, some commenters questioned how the rule would affect their current business associate agreements. OCR noted that the final rule may require regulated entities to revise existing business associate agreements when such agreements allow regulated entities to engage in activities no longer permitted under the revised Privacy Rule. Another concern raised by commenters is whether minors and adults have equal protection under the Privacy Rule and whether this rule would alter existing protections. OCR assured commenters that the final rule does not change how the Privacy Rule applies to adults and minors—the protections afforded to PHI by this final rule apply equally to adults and minors. For example, under this final rule, a regulated entity is prohibited from using or disclosing a minor’s PHI for the purposes prohibited under the final rule.

The final rule includes conforming and clarifying changes to HIPAA rules, such as:

  • clarifying the definition of “person”;
  • adopting new definitions of “public health” surveillance, investigation, or intervention and of “reproductive health care”;
  • adding a new category of prohibited uses and disclosures;
  • clarifying that a regulated entity may not refuse to recognize a person as an individual’s personal representative for purposes of the Privacy Rule because that person provides or facilitates reproductive health care for an individual;
  • imposing a new requirement that, in certain circumstances, regulated entities must first obtain certification that the requested use or disclosure is not for a prohibited purpose; and
  • requiring modifications to covered entities’ NPPs to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under this final rule.

Regulated entities will not only need to review and update their written policies and procedures, but will also need to ensure that established practices by workforce members are revised to meet the new requirements. Training will therefore be useful to ensure compliance with the new requirements.
