OCR Updates to the HIPAA Privacy Rule with Respect to Reproductive Health Records

January 29, 2025

To: Hospital Legal Counsel, Compliance Officers, Chief Privacy Officers, and Government Affairs Leaders
Staff Contact: Cara Helmer, Policy Director, Legal Affairs
carah@wsha.org | (206) 577-1827
Subject: OCR Updates to the HIPAA Privacy Rule with Respect to Reproductive Health Records

Purpose: The purpose of this bulletin is to inform hospitals, and those seeking healthcare records from hospitals, that the Department of Health and Human Services (HHS) recently released a HIPAA Final Rule under 45 CFR Parts 160 and 164 (link). HHS issued this Final Rule to better protect patient confidentiality and prevent medical records from being used against providers and patients for providing or obtaining lawful reproductive health care. The Final Rule applies to all covered entities and business associates and has a compliance date of December 23, 2024. The revised notice of privacy practices is due February 16, 2026.

Applicability/Scope: The Final Rule applies to HIPAA covered entities and business associates (collectively “regulated entities”). It will also impact any entity requesting protected health information[1] (PHI) from a regulated entity for (1) health oversight activities; (2) judicial and administrative proceedings; (3) law enforcement purposes; or (4) coroners and medical examiners.

Recommendations:

In advance of the compliance date of December 23, 2024, hospitals and other covered entities should take the following steps:

  • Review and update internal policies and procedures to align with the new disclosure restrictions and broadened definitions of reproductive health care.
  • Educate relevant staff on the new provisions in the Final Rule, especially around disclosure limitations and the requirement for attestations.
  • Develop or integrate an attestation process to ensure PHI disclosures meet the new requirements.
  • Retain attestations and other relevant records to demonstrate compliance.
  • Review and update HIPAA business associate agreements to require that business associates implement processes for compliance with the Final Rule.
  • Update any Information Blocking policies to address the delay in exchange of electronic health information due to the new rule requirements.

Overview:

On April 22, 2024, the U.S. Department of Health and Human Services (HHS) issued a Final Rule amending the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to enhance protections for reproductive health care information.

The HIPAA Privacy Rule was established under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and is implemented by the U.S. Department of Health and Human Services (HHS). The Privacy Rule defines how PHI can be used and disclosed by covered entities and their business associates while giving patients specific rights over their health information. PHI can generally be shared without patient authorization for treatment, payment, and healthcare operations purposes. While there are other exceptions, most other disclosures of PHI require patient authorization.[2]

This recent update to the Privacy Rule was largely driven by changes in state laws following the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization to overturn Roe v. Wade. This decision led to new legal risks surrounding reproductive health care in many states. The new Final Rule addresses privacy gaps and aims to protect individuals’ access to lawful reproductive health services without fear of their health information being used against them.

New Prohibition on Disclosure of Reproductive Health Information

The Final Rule prohibits a regulated entity (both covered entities and business associates) from using or disclosing PHI that potentially includes reproductive health information for the following purposes:

  • Conducting a criminal, civil or administrative investigation, or imposing criminal, civil or administrative liability, on any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care; or
  • Identifying any person for these purposes.

Rule of Applicability and Presumption of Lawfulness

This prohibition on disclosure of reproductive health information only applies when the HIPAA-regulated entity that receives the request for PHI has reasonably determined that one of two conditions exists:

  • The reproductive health care is lawful under the law of the state in which the care is provided and under the circumstances in which it is provided; or
  • The reproductive health care is protected, required, or authorized under federal law, including the US Constitution, under the circumstances in which it is provided, regardless of the state in which the care is provided. This would apply to emergency circumstances under EMTALA, for example.

The regulated entity receiving the request for PHI is directed to presume that reproductive health care was lawful under the circumstances in which it was provided. This presumption may be rebutted if:

  • The regulated entity has actual knowledge that the care was not lawful under the circumstances, or
  • The regulated entity has “factual information” supplied by the requestor demonstrating a “substantial factual basis” that the care was not lawful under the circumstances in which it was provided.

As long as the presumption is not rebutted, the prohibition on disclosure remains in place.

Definition of “Reproductive Health Information”

“Reproductive Health Information” encompasses all health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” The Final Rule states that this definition is to be “interpreted broadly.”

The Rule provides a list of examples that are included in reproductive health information, including contraceptive medications, peri- and post-menopausal treatments, and the provision of medications and devices, including over-the-counter medications or devices. Because this definition is so broad, regulated entities should be aware that reproductive health information is likely to be intermingled with other PHI that is not related to reproductive health.

New Attestation Requirement for Certain Disclosures

The Final Rule includes an attestation requirement for certain requests for PHI. When PHI that is potentially related to reproductive health is requested for one of the following four purposes, an attestation is required:

(1) Health oversight activities;

(2) Judicial and administrative proceedings;

(3) Law enforcement purposes; or

(4) Disclosures to coroners and medical examiners regarding decedents.

If the attestation requirement applies to the requested information, based on the requestor and the information requested, the regulated entity must obtain an attestation prior to releasing reproductive health information. The attestation must state that the requested information will not be used for a prohibited purpose.

A valid attestation must include a description of the PHI requested, the name of the entity requested to make the disclosure, the name of the individual or entity requesting the disclosure, a clear statement that the use or disclosure is not for a prohibited purpose, a statement that a person may be subject to criminal penalties for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA, and a dated signature from the requestor. The attestation may not be combined with any other document, such as attestations related to the Washington State Shield Law. A covered entity or business associate violates HIPAA if it relies on a defective attestation.

HHS has released a model attestation form which regulated entities may use to ensure that their attestation forms follow all requirements of the Final Rule. It may be beneficial to use the original HHS form, to ensure that it is clear to requestors of PHI that this is a federal requirement and not a demand of individual regulated entities.

Revisions to Notice of Privacy Practices

While the compliance deadline for the rest of the Final Rule is December 23, 2024, updates to notices of privacy practices are not required until February 16, 2026. This later deadline is designed to coincide with a similar obligation in the 42 CFR Part 2 Final Rule.

All covered entities must update their notice of privacy practices. The updated notice must describe the types of uses and disclosures related to reproductive health care that are prohibited. This must include at least one example of these prohibitions.

The updated notice must also describe, including by use of an example, the types of uses and disclosures for which an attestation is required.

The updated notice must include a statement notifying an individual that PHI disclosed pursuant to the Privacy Rule may be redisclosed by the recipient and, once redisclosed, may no longer be protected by the Privacy Rule.

Additionally, if a covered entity is also a 42 CFR Part 2 provider of substance use disorder treatment, updates must be made related to the confidentiality of substance use disorder records.

WSHA’s 2024 New Law Implementation Guide

Please visit WSHA’s new law implementation guide online. The Government Affairs team is hard at work preparing resources and information on the high priority bills that passed in 2024 to help members implement the new laws, as well as links to resources such as this bulletin. In addition, you will find the Government Affairs team’s schedule for release of upcoming resources on other laws and additional resources for implementation.

References:

HIPAA Final Rule

HHS Model Attestation Form

[1] HIPAA protects against the disclosure of “protected health information,” which is “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to: (1) the individual’s past, present or future physical or mental health or condition, (2) the provision of health care to the individual, or (3) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
[2] HIPAA provides a baseline for medical record privacy. Other laws, including chapter 70.02 RCW in Washington State, provide heightened protections for certain types of patient records.
