Covered Entities and Business Associates: Are You in Compliance With the HIPAA Reproductive Healthcare Privacy Rule?
As further detailed in one of our past articles, on April 22, 2024, the U.S. Department of Health and Human Services ("HHS") Office for Civil Rights ("OCR") issued the "HIPAA Privacy Rule to Support Reproductive Health Care Privacy" (the "Final Rule") to modify the HIPAA Privacy Rule in an attempt to strengthen privacy protections for reproductive health care information in the wake of the Supreme Court's decision in Dobbs v. Jackson Women's Health Organization and the increasing number of state law restrictions on abortion and other reproductive health treatment.1
The Final Rule requires HIPAA-covered entities and business associates to obtain attestations from requesters of reproductive health information in specific situations. More specifically, under the Final Rule, when a HIPAA-covered entity or business associate receives a request for protected health information (PHI) that is potentially related to "reproductive health care," it is required to obtain a signed attestation that the use or disclosure is not for a "prohibited purpose," as defined in HIPAA. The compliance date for this attestation requirement was December 23, 2024, and the requirement will necessitate changes to the standard record request process.
Although a federal district court in Texas has recently preliminarily enjoined OCR's enforcement of the Final Rule, this injunction on enforcement applies only to the plaintiff in the lawsuit (a Texas physician and owner of a clinic, who challenged the statutory authority of the Final Rule and argued that the Final Rule would impair her and her employees' ability to fulfill their state-mandated obligation to report child abuse cases and participate in public health investigations). At this time, the Final Rule continues in full effect for all other covered entities and business associates, which means they should be prepared to comply with the aforementioned attestation requirement. We will continue to monitor the status of this case and other challenges to the Final Rule.
In addition to the attestation requirement explained above, the Final Rule also requires certain revisions to covered entities' Notice of Privacy Practices, including a description of the types of uses and disclosures prohibited under the Final Rule and a description of the types of uses and disclosures for which an attestation is required. The compliance date for the required revisions to the Notice of Privacy Practices is February 16, 2026.
Day Pitney's Healthcare and Privacy attorneys have been counseling clients on the implementation of the Final Rule. If you need assistance with developing policies and procedures to comply with the Final Rule's attestation requirement, or assistance with updating your Notice of Privacy Practices, please contact a member of Day Pitney's Healthcare or Privacy team.
1 In the commentary to the Final Rule, OCR explains that "[in] order to continue to protect privacy in a manner that promotes trust between individuals and health care providers and advances access to, and improves the quality of, health care, we have determined that the Privacy Rule must be modified to limit the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual's PHI about reproductive health care for certain non-health care purposes, where such use or disclosure could be detrimental to privacy of the individual or another person or the individual's trust in their health care providers." 89 Fed. Reg. 32978 (April 26, 2024). See, generally, Purl v. U.S. Dep't of Health & Human Servs., No. 2:24-cv-00228 (N.D. Tex. Dec. 22, 2024).