In an effort to support reproductive health care privacy, the U.S. Department of Health and Human Services (HHS) recently modified the standards for privacy of individually identifiable health information (Privacy Rule) relevant to an individual’s reproductive health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended. The new 2024 Privacy Rule has a compliance date in December 2024, except for required updates to health care providers’ Notice of Privacy Practices, which are required to be implemented by Feb. 16, 2026.

Background

The 2024 Privacy Rule is a response to Dobbs v. Jackson Women’s Health Organization and concerns that the resulting changes in the legal landscape increase the likelihood that an individual’s protected health information may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect. For instance, HHS explained that the HIPAA “law enforcement” exception could, in the current environment, undermine the primary goal of the HIPAA Privacy Rule to provide greater protections for individuals’ privacy to engender a trusting relationship between individuals and health care providers. By amending the HIPAA Privacy Rule to add additional privacy requirements for reproductive health information when shared with law enforcement and in other situations, this new rule seeks to bolster access to and security surrounding reproductive health care.

Prohibited Uses and Disclosures

The 2024 Privacy Rule adds the term “[r]eproductive health care,” which is defined to include “health care…that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”[1] The 2024 Privacy Rule prohibits the use or disclosure of protected health information by a covered entity or business associate (the Discloser) if two conditions exist. First, there must be a “connection with any person seeking, obtaining, providing, or facilitating reproductive health care….”[2] Second, that care must meet at least one of three criteria, as “reasonably determined” by the Discloser: (1) the care must comply with the laws of the state where it is provided, (2) the care must be “protected, required, or authorized” by federal law, or (3) the care must warrant a “presumption” of lawfulness.[3] This presumption is appropriate only when care is provided by a person other than the Discloser and the Discloser does not have “[a]ctual knowledge” or “a substantial factual basis” to suggest that it is unlawful.[4]

The ban prohibits the use or disclosure of such information  — including the identity of an individual[5] — for the purpose of imposing criminal, civil, or administrative liability, or conducting a related investigation, on any person “for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.”[6]

Required Attestations and Authorizations

The 2024 Privacy Rule permits use or disclosure of reproductive health care information in limited circumstances. If the Discloser obtains a “valid attestation,” it may use or disclose “protected health information potentially related to reproductive health care” for any of four purposes: (1) for health oversight activities, (2) for judicial and administrative proceedings, (3) for law enforcement, and (4) for coroner and medical examiner tasks.[7] A “valid attestation” must verify that use or disclosure is not prohibited, must avoid defects listed in 45 C.F.R. § 164.509(b)(2), and must meet requirements set forth in § 164.509(c)(1).[8] The Discloser should also generally avoid combining the attestation with other documents and should utilize plain language without any material misrepresentations.[9]

In some circumstances, the Discloser may use or disclose protected health information without authorization. The 2024 Privacy Rule does not eliminate this authority. However, the new rule clarifies that, in the event such disclosure is permitted as a result of an “administrative request,” that request must be one “for which response is required by law.”[10]

Privacy Notices

Generally, an individual has a right to “adequate notice” of the uses and disclosures of protected health information that may be made by a health care provider, including related rights and duties.[11] When there is a “material change” to these privacy requirements, the covered entity “must promptly revise and distribute” such notices.[12] Covered entities will need to complete such revisions in light of the 2024 Privacy Rule’s expanded protections for reproductive health care by Feb. 16, 2026. HHS plans to provide a model notice that will assist covered entities in facilitating this update to their Notice of Privacy Practices.

Taft strives to provide regular updates regarding legal developments that impact clients. Please contact the authors of this update with any questions.

[1] 45 C.F.R. § 160.103.

[2] 45 C.F.R. § 164.502(a)(5)(iii)(B).

[3] 45 C.F.R. § 164.502(a)(5)(iii)(B)(1-3).

[4] 45 C.F.R. § 164.502(a)(5)(iii)(C).

[5] 45 C.F.R. § 164.502(a)(5)(iii)(A).

[6]  Id.

[7] 45 C.F.R. § 164.509(a); See also 45 C.F.R. § 164.512(d), (e), (f), and (g)(1).

[8] 45 C.F.R. § 164.509(b-c).

[9] See 45. C.F.R. § 164.509(b)(3); 45 C.F.R. § 164.509(c)(2); 45 C.F.R. § 164.509(d).

[10] 45 C.F.R. § 164.512(f)(1)(ii)(C).

[11] 45 C.F.R. § 164.520(a)(1).

[12] 45 C.F.R. § 164.520(b)(3).