HIPAA Privacy Protections for PHI Related to Reproductive Health Care: The Final Rule and What Covered Entities and Business Associates Need to Know | JD Supra

Earlier this week, the Biden-Harris Administration, through the Office for Civil Rights (OCR) announced a final rule intended to protect protected health information (PHI) related to health care services reproductive health provided legally. As we discussed last year, the HIPAA Privacy Rule was proposed to support reproductive health care privacy in response to concerns about the confidentiality of PHI related to reproductive health care after the decision of Dobbs v. Jackson Women’s Health Organization. In the executive summary of the Final Rule, OCR emphasized that the changing legal landscape post-Dobbs “increases the likelihood that an individual’s PHI may be disclosed in a manner that harms the interests that HIPAA seeks to protect, including trust of people in health care providers and the health system”. The Final Rule defines “reproductive health care” as “health care . . . that affects a person’s health in all matters related to the reproductive system and its functions and processes.”

According to OCR, the agency received nearly 30,000 comments after the proposed rule was issued in April 2023. In its press release announcing the final rule, OCR stated that “the final rule will strengthen the patient and provider confidentiality and will help promote trust and open communication between individuals and their health care providers or health plans, which is essential for high-quality health care.”

The final rule seeks to counter the chilling effects that abortion bans can have on the provision of reproductive health care by prohibiting the use or disclosure of PHI by a covered entity or its business associate for to any of the following activities:

• To conduct a criminal, civil, or administrative investigation or impose liability on any person for seeking, obtaining, providing, or facilitating reproductive health care when such health care is provided under lawful circumstances.
• According to the Final Rule, seeking, obtaining, providing, or facilitating reproductive health care services includes, but is not limited to, “expressing interest in, using, performing, providing, paying for, disseminating information, organizing , insure, administer, authorize, provide coverage, approve, advise, assist or take steps to participate in reproductive health care; or attempting to do so.”
• Identify any person for the purpose of carrying out such investigation or imposing such liability.

In determining whether the prohibition on use or disclosure applies, the covered entity or business associate should consider whether one or more of the following conditions exist:

• Whether the reproductive health care was lawful under the law of the state in which it was provided. The OCR specifically provided as an example of such legal activity a resident of one state who travels to another state where abortion is legal to receive abortion care.
• Whether the reproductive care is protected, required, or authorized by federal law, regardless of where the care is provided in the US. The provision of services related to contraception, which is a right protected by the Constitution, would fall into this category regardless of the state in which the services are provided.

The final rule also includes a presumption that reproductive care was lawfully provided if the care was provided by a person other than the covered entity or business associate that received the PHI request, unless the entity that receives the request has real knowledge that the attention was not. provided under lawful circumstances or the applicant can provide evidence showing a substantial factual basis that the care was not lawfully provided, for example, evidence that the care was provided by an unlicensed person.

Implementation:

In order to implement the prohibition on use and disclosure described above, the final rule also requires covered entities and, where applicable, business partners to take certain steps to implement the rule.

• Confirmation: When a Covered Entity or Business Associate receives a request for PHI potentially related to reproductive health care, the Covered Entity or Business Associate must obtain a signed certification that the use or disclosure does not a prohibited purpose before disclosing the information. The purpose of the attestation is both to protect the covered entity or business associate and to warn the applicant of potential criminal penalties for those who knowingly obtain PHI in violation of HIPAA.
• OCR plans to publish a sample attestation prior to the compliance date of the final rule.
• Notice of Privacy Practices: The final rule also requires covered entities to revise their notices of privacy practices to address privacy of reproductive health care and privacy of substance use disorder patient records (such as set forth in the Notice of Proposed Rulemaking for Substance Use Disorder Confidentiality). Patient records.)

The compliance date for the final rule is 240 days after publication in the Federal Register, except for requirements related to changes in the Notice of Privacy Practices, which must be adopted by February 16, 2026 .