OCR Issues HIPAA Reproductive Health Care Privacy Final Rule

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released its long-awaited Final Rule on reproductive healthcare privacy. The HIPAA Privacy Rule to Support Reproductive Health Care Privacy implements changes to the Health Insurance Portability and Accountability Act (HIPAA) to improve privacy protections for women, their family members, and doctors by prohibiting disclosures of protected health information when it is sought to investigate or impose liability on individuals or healthcare providers for seeking, obtaining or providing legal reproductive health care.

“Many Americans are scared their private medical information will be shared, misused, and disclosed without permission. This has a chilling effect on women visiting a doctor, picking up a prescription from a pharmacy, or taking other necessary actions to support their health,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration is providing stronger protections to people seeking lawful reproductive health care regardless of whether the care is in their home state or if they must cross state lines to get it. With reproductive health under attack by some lawmakers, these protections are more important than ever.”

Background to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy

HIPAA already contains provisions that restrict and prevent certain uses and disclosures of protected health information, including information related to reproductive healthcare; however, since the overturning of Roe v. Wade, which removed the federal right to an abortion, fears have grown that the HIPAA Rules are not sufficiently strong to prevent disclosures of reproductive health care information that could prove harmful to individuals. The Privacy Rule permits, but does not require, uses and disclosures of protected health information when another law requires a regulated entity to make those uses or disclosures. In states that have implemented bans or severe restrictions on abortions, there are justifiable concerns that those states may seek access to protected health information to support investigations and prosecutions of women who travel to more permissive states to receive the care they need and the healthcare professionals that facilitate or administer lawful abortion care.

Some states have already introduced state-level legislation to better protect reproductive healthcare privacy; however, an update to the federal HIPAA law was required to ensure that women and healthcare professionals receive the same privacy protections regardless of where they live. After listening to feedback from healthcare providers, privacy advocates, and individuals, OCR proposed HIPAA updates in April 2023 to modify the HIPAA Privacy Rule to address the changes to the legal landscape in response to the fall of Roe v. Wade. The HIPAA Privacy Rule to Support Reproductive Health Care Privacy modifies certain provisions of the Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule) to better protect women and healthcare providers.

One of the main purposes of the HIPAA Privacy Rule was to limit uses and disclosures of protected health information to those that were necessary for treatment, payment, or healthcare operations. The Privacy Rule ensures that individuals can seek healthcare from and share information with their healthcare providers without fear that their sensitive information will be disclosed outside of the relationship with their healthcare provider. When the Supreme Court ruled on Dobbs v. Jackson Women’s Health Organization, it overturned Roe v. Wade, the precedent that protected the constitutional right to abortion. The Dobbs ruling made it more likely that an individual’s protected health information would be disclosed in ways that HIPAA aimed to prevent.

Since the Dobbs ruling, many states have introduced almost total bans on abortions in their respective states or have placed severe restrictions on reproductive healthcare. As such, there is a risk that those states will seek access to reproductive healthcare information that has been legally provided in a state that permits abortion care, and will attempt to use that information to conduct an investigation against or impose liability on an individual or another person that obtained, facilitated, or provided care that is not legal in an individual’s home state. According to the HHS, fear of those disclosures “is likely to chill an individual’s willingness to seek lawful health care treatment or to provide full information to their health care providers when obtaining that treatment, and on the willingness of health care providers to provide such care.”

The HIPAA Privacy Rule to Support Reproductive Health Care Privacy modifies the HIPAA Privacy Rule to limit the circumstances under which an individual’s reproductive healthcare information can be used for certain non-health care purposes, where such use or disclosure could be detrimental to the privacy of the individual or another person or the individual’s trust in their health care providers.

OCR’s notice of proposed rulemaking (NPRM) was published in the Federal Register and OCR received more than 300,000 comments from the public and healthcare stakeholders on the proposed rule. After carefully considering those comments, consulting with the Department of Justice, National Committee on Vital and Health Statistics (NCVHS), Attorney General, and Indian Tribes, holding listening sessions with healthcare industry stakeholders, and reviewing correspondence from Members of Congress and state attorneys general, OCR issued its Final Rule that implements the proposed changes. The HIPAA changes will take effect 60 days following the publication of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy in the Federal Register and the compliance date is 180 days after the effective date.

“This final rule balances the interests of society in obtaining for non-healthcare purposes with the interests of the individual, the Federal Government, and society in protecting individual privacy, thereby improving the effectiveness of the health care system by ensuring that persons are not deterred from seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided,” explained the HHS.

Summary of the HIPAA Privacy Rule to Support Reproductive Health Care

Disclosures of reproductive healthcare data to support investigations

The HIPAA Privacy Rule to Support Reproductive Health Care prohibits a regulated entity from using or disclosing an individual’s PHI for the purpose of conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. Lawful means that it is either 1) lawful under the circumstances in which the healthcare is provided and in the state that it is provided or 2) protected, required, or authorized by Federal law, including the United States Constitution, regardless of the state in which such health care is provided.

In the new rule, OCR has clarified the definition of “person” – A natural person (meaning a human being who is born alive), trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private – and has adopted new definitions of “public health” in the context of surveillance, investigation, or intervention, and “reproductive health care.” Reproductive health care is a subset of the term “health care,” and is defined as “health care that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.”

The Final Rule also adds a new category for prohibited uses and disclosures to clarify that a regulated entity may not decline to recognize a person as a personal representative for the purposes of the Privacy Rule because they provide or facilitate reproductive health care for an individual.

The Final Rule imposes a new requirement that, in certain circumstances, regulated entities must first obtain an attestation that a requested use or disclosure is not for a prohibited purpose, specifically that requests for protected health information potentially related to reproductive health care are not for prohibited purposes.

The Final Rule also requires modifications to covered entities’ Notices of Privacy Practices to inform individuals that their protected health information may not be used or disclosed for a purpose prohibited under the Final Rule to support healthcare privacy.

Key Compliance Dates

The Final Rule was published in the Federal Register on April 26, 2024.

| Key Dates | Legal timescale | Date |
|---|---|---|
| Effective date | 60 days after publication in the Federal Register | June 25, 2024 |
| Compliance date for persons subject to the regulation | 240 days after publication in the Federal Register (180 days after the effective date) | January 1, 2025 |
| Compliance date for persons subject to 45 CFR 164.520 (Notice of Privacy Practices)* | February 16, 2026 | February 16, 2026 |

*The extended compliance date regarding the Notice of Privacy Practices requirement of the Final Rule is to avoid a situation where entities subject to the Part 2 regulations would be required to update their notices of privacy practices twice in a short period, as a result of the extensive changes implemented by the Confidentiality of Substance Use Disorder (SUD) Patient Records Final Rule.

While the update to the Privacy Rule has been welcomed by many privacy advocates, the HHS has been criticized for not going far enough. When the HHS published its NPRM, a group of lawmakers called for the HHS to go further and require law enforcement access to medical records to only be possible with a warrant, to prohibit the sharing of records with other law enforcement agencies, and to require patients to be notified about any disclosure of their reproductive health information.

U.S. Senator Ron Wyden (D-OR), Chair of the Senate Finance Committee, is one of the Senators calling for greater restrictions. “I commend the Biden-Harris administration for pulling out all the stops to protect women and their access to health care from MAGA state officials and the extremist Supreme Court. But I fear this final rule by HHS misses the mark, failing to protect reproductive health records from warrantless law enforcement demands, as well as medical records associated with other sensitive categories of health information,” said Sen. Wyden. “It is outrageous that Americans’ medical records receive fewer protections under federal law than their emails or photos. It’s time for Congress to step in and protect Americans’ rights. As the Chairman of the Senate Finance Committee, which has jurisdiction over the HIPAA Privacy Rule, I will be exploring additional avenues to meaningfully protect Americans’ health privacy.”

The full text of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy is available in a 291-page PDF file on the HHS website. The document includes the HHS’s justification for implementing the new HIPAA regulations and a discussion of the comments received from the public and healthcare stakeholders.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
