Are You Ready for the HIPAA Privacy Rule Compliance Requirements for Reproductive Health Care?
The Department of Health and Human Services, Office for Civil Rights (“OCR”) issued a Final Rule earlier this year, entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “RHC Final Rule”), that amends the HIPAA Privacy Rule and strengthens privacy protections for protected health information (“PHI”) concerning Reproductive Health Care. Following the overturning of Roe v. Wade by the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, the RHC Final Rule modifies the requirements related to disclosing information regarding reproductive health services and items. The RHC Final Rule went into effect on June 25, 2024, with a compliance deadline of December 23, 2024. Here’s what covered entities and business associates need to know to stay compliant.
Key Provisions of the RHC Final Rule
Definition of Reproductive Health Care
The RHC Final Rule adds a definition for “Reproductive Health Care”, which is broadly defined and means health care that “affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”1
Prohibited Uses and Disclosures of PHI
The RHC Final Rule prohibits the use or disclosure of PHI by covered entities and business associates for the following activities:
- To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of conducting such investigation or imposing such liability.2
However, note that these prohibitions apply where the relevant healthcare service or item is in connection with a person seeking, obtaining, providing, or facilitating Reproductive Health Care, and the covered entity or business associate, as applicable, reasonably determines that one or more of the following conditions exist:
- The Reproductive Health Care service or item is lawful in the state where such healthcare is provided under the circumstances it was provided;
- The Reproductive Health Care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which it was provided; and/or
- The Reproductive Health Care was provided by a person other than the covered entity (or business associates) that receives the request for PHI and the presumption described below applies.
The OCR provides some examples of when the prohibitions above apply, such as when a patient travels out of state to receive Reproductive Health Care and the Reproductive Health Care services or items are legal in the state in which the services or items are provided.3 The OCR has indicated that while it does not expect providers and facilities to conduct their own investigations, they are expected to make reasonable determinations based on the facts presented as to whether Reproductive Health Care services or items were rendered lawfully.4
The “Presumption”
- Actual knowledge that the Reproductive Health Care was not lawful under the circumstances in which it was provided; or
- Factual information from the person making the request that demonstrates a substantial factual basis that the Reproductive Health Care was not lawful under the specific circumstances in which it was provided.5
Under these circumstances, the RHC Final Rule’s prohibitions on disclosing information would not apply and providers may release the information when HIPAA otherwise permits such uses or disclosures and further limitations under state law do not apply.
Permissible Disclosures
The RHC Final Rule continues to permit HIPAA-covered entities and their business associates to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare.
Law Enforcement Disclosures
Under the RHC Final Rule, covered entities, business associates, and their workforce members are only permitted to disclose PHI for law enforcement purposes where they suspect an individual obtained Reproductive Health Care (regardless of whether or not it was lawful) if the covered entity or business associate is required by law to make the disclosures and all applicable requirements are met. Specifically, such disclosures are only permitted when the disclosure is not subject to the prohibition outlined above, the disclosure is required by law, and the disclosure meets all applicable conditions of the Privacy Rule.6 Policies related to responding to law enforcement requests for information, including disclosures related to abuse, should be reviewed and updated accordingly to encompass requirements that apply to Reproductive Health Care.
Public Health Disclosures
The RHC Final Rule made additional changes to clarify that activities related to “public health surveillance,” “public health investigation,” and “public health intervention,” do not include any activities that are for any of the following purposes:
- To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care;
- To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care; or
- To identify any person for any of the activities described.7
Covered entities and business associates should ensure their HIPAA policies related to permissible disclosures concerning “public health” align with these updated definitions.
Steps for Compliance with the RHC Final Rule
The RHC Final Rule requires multiple policy updates to become compliant as well as updates to the Notice of Privacy Practices. Workforce training should also be updated to ensure workforce members are fully apprised of these new requirements.
Attestations
Covered entities and their business associates must obtain an attestation from the requestor, when they receive a request for PHI potentially related to Reproductive Health Care, that the use or disclosure is not for a prohibited purpose. This requirement is applicable to requests related to health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. The attestation requirement applies even if a request is not specifically directed at reproductive health services. Like HIPAA Authorizations, there are specific content requirements that must be part of the attestation form for it to be considered valid. Covered entities and their business associates should work with legal counsel to ensure that a legally compliant attestation form is implemented, along with policy updates that specify when an attestation is required and what it must contain to be in compliance with the RHC Final Rule. The OCR has published a model attestation as well.8
Changes to Policies and Procedures
Covered entities and business associates should also perform broader policy updates to address the RHC Final Rule changes related to uses and disclosures of Reproductive Health Information. This may include, without limitation, changes to intake forms, operational procedures, and HIPAA policies pertaining to responding to requests for PHI related to Reproductive Health Care, disclosures to law enforcement, and responding to legal or administrative investigations and inquiries. Covered entities and business associates should confer with their legal counsel to ensure that all necessary updates are reflected in their HIPAA policies and any related procedures.
Staff Training
Covered entities and business associates must train workforce members on updated policies and procedures. Training should include the new requirements for processing PHI requests related to Reproductive Health Care. It is also important to document all training sessions for compliance purposes.
Notice of Privacy Practices
By February 16, 2026, covered entities and their business associates must update their Notice of Privacy Practices to reflect the Reproductive Health Care changes. While this article focuses on the RHC Final Rule, covered entities should note that additional modifications are also required to comply with the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations (“Part 2”). Notice of Privacy Practices updates should address both the Reproductive Health Care changes as well as the changes to the Part 2 rules.
Looking Ahead
While it is unknown what enforcement will look like in the future, all covered entities and business associates should take steps to ensure compliance with these current regulations. Please reach out to our attorneys at Johnson Pope or legal counsel of your choice for legal advice related to the RHC Final Rule and compliance requirements that apply to you.
Disclaimer
The regulatory updates related to the RHC Final Rule are extensive and cannot be fully summarized in one article. Other requirements apply. This article does not constitute legal advice and is provided for general informational purposes only.
References and Resources:
- U.S. Dep’t of Health and Human Servs., HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet (viewed Nov. 15, 2024), https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html.
- HIPAA Privacy Rule to Support Reproductive Health Care Privacy, 89 Fed. Reg. 32976-33066 (Apr. 26, 2024), https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf.
- U.S. Dep’t of Health and Human Servs., Office of Civil Rights, HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (PPT. Presentation, Published April 26, 2024), https://www.hhs.gov/sites/default/files/hipaa-support-rhc-privacy.pdf.
1 45 C.F.R. § 160.103.
2 45 C.F.R. § 160.103; 45 C.F.R. § 160.502(a)(5)(iii)(A).
3 U.S. DEP’T OF HEALTH AND HUMAN SERVS., HIPAA PRIVACY RULE FINAL RULE TO SUPPORT REPRODUCTIVE HEALTH CARE PRIVACY: FACT SHEET (viewed Nov. 15, 2024), https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html.
4 HIPAA Privacy Rule to Support Reproductive Health Care Privacy, 89 Fed. Reg. 33014-33015 (Apr. 26, 2024).
5 45 C.F.R. 164.102.
6 See 45 CFR 164.512(a)(1); 45 CFR 164.103 (definition of ‘‘Required by law’’). The definition provides additional explanation about what constitutes a mandate contained in law.
7 45 C.F.R. § 164.502(5)(iii)(A).
8 U.S. DEP’T OF HEALTH AND HUMAN SERVS., HIPAA PRIVACY RULE FINAL RULE TO SUPPORT REPRODUCTIVE HEALTH CARE PRIVACY: FACT SHEET (viewed Nov. 15, 2024), https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html.