
Health and Human Services (HHS) Announces New HIPAA Rule to Support Reproductive Healthcare Privacy

The new HIPAA provision imposes requirements on regulated entities that will provide additional protections for those seeking reproductive care.

The Department of Health and Human Services (HHS) announced a new final rule meant to strengthen the HIPAA Privacy Rule by adding new prohibitions on the disclosure of protected health information (PHI) related to lawful reproductive healthcare.

According to HHS, these new protections are necessary to protect access to and privacy of reproductive healthcare following the U.S. Supreme Court's decision in Dobbs v. Jackson Women’s Health Organization.

The HIPAA Privacy Rule sets strict limits on the use, disclosure and protection of PHI by

  • healthcare providers,
  • health plans,
  • healthcare clearinghouses,
  • and their business associates (regulated entities).

The Privacy Rule also allows regulated entities to use or disclose PHI for certain non-health-care purposes, including certain criminal, civil and administrative investigations and proceedings.

Below are four key points for understanding the new HIPAA rule:

1. In order to more stringently guard against the unauthorized disclosure of PHI, the new HIPAA rule does the following:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, healthcare providers, or others who seek, obtain, provide, or facilitate reproductive healthcare that is lawful under the circumstances in which such healthcare is provided, or to identify persons for such activities.
  • Requires a healthcare provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive healthcare are not for these prohibited purposes.
  • Requires regulated healthcare providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive healthcare privacy.

2. Under the new rule, prohibitions on disclosing private health information apply when a covered healthcare provider, health plan, healthcare clearinghouse, or business associate determines that at least one of the three following conditions exists:

  1. The reproductive healthcare is lawful under the law of the state in which such healthcare is provided under the circumstances in which it is provided, including if a resident of one state travels to another state to receive reproductive healthcare if such care is lawful in the state where it was provided.
  2. The reproductive healthcare is protected, required, or authorized by federal law or the U.S. Constitution, regardless of the state in which the healthcare was provided.
  3. The reproductive healthcare was provided by a person other than the covered healthcare provider, health plan, healthcare clearinghouse, or business associate that receives the request for PHI.

3. As of this writing, the HHS has not yet released either a sample attestation form or an updated model Notice of Privacy Practices. However, the final rule states that the attestation requirement applies when the request for PHI is made for any of the following reasons:

  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Disclosures to coroners and medical examiners

4. The new rule requires that the attestation be written in plain language and include the following:

  1. The name of any individual whose PHI is sought; if not practicable, the notice must contain a description of the class of individuals whose PHI is sought.
  2. The name or other specific identification of the person or persons requesting the disclosure.
  3. The name or other specific identification of the person or persons to whom the covered entity is to make the requested use or disclosure.
  4. A clear statement that the use or disclosure is not for a prohibited purpose
  5. A statement that details the criminal penalties a person may be subject to if they violate HIPAA
  6. The signature of the person requesting the PHI and the date the attestation was signed.

The final rule will take effect 60 days after being published in the Federal Register, approximately at the end of June. Regulated entities must comply with the final rule by December 22, 2024, except for the notice update. Regulated entities must update their HIPAA Notice of Privacy Practices by February 16, 2026. Employers should work with their service providers to discuss attestation responsibilities and the updating of the Notice of Privacy Practices.

For more context on Dobbs v. Jackson and how it impacts employer-sponsored health plans, review our on-demand webinar event Employer Considerations in Light of Dobbs Decision.