Compliance
HHS Finalizes Rule to Strengthen Reproductive Healthcare Privacy
May 16, 2024
The U.S. Department of Health and Human Services (HHS) has issued a final rule that strengthens the HIPAA Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive healthcare in certain situations. According to HHS, these new protections are necessary to protect access to and privacy of reproductive healthcare following the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.
The HIPAA Privacy Rule sets strict limits on the use, disclosure and protection of PHI by healthcare providers, health plans, healthcare clearinghouses and their business associates (regulated entities). The Privacy Rule also allows regulated entities to use or disclose PHI for certain non-healthcare purposes, including certain criminal, civil and administrative investigations and proceedings.
New Protections
The final rule prohibits regulated entities from using or disclosing PHI for the criminal, civil or administrative investigation of (or proceeding against) any person in connection with seeking, obtaining, providing or facilitating reproductive healthcare where such healthcare is lawful under the circumstances in which it is provided. It also prohibits the identification of any person for the purpose of initiating such an investigation or proceeding. This prohibition applies where a regulated entity reasonably determines that:
- The reproductive healthcare is lawful under the law of the state in which such healthcare is provided (and under the circumstances in which it is provided); or
- The reproductive healthcare is protected, required or authorized by federal law, including the U.S. Constitution, regardless of the state in which such healthcare is provided.
Moreover, when a regulated entity did not provide the reproductive healthcare at issue, the final rule prohibits the use or disclosure of PHI when the person making the request does not provide sufficient information to overcome a presumption of legality. For example, this presumption can be overcome if the person making the request provides information showing a substantial factual basis that the reproductive healthcare was unlawful under the circumstances in which it was provided.
To implement the prohibition, when a regulated entity receives a request for PHI potentially related to reproductive healthcare, the regulated entity must obtain a signed attestation that the use or disclosure is not for a prohibited purpose.
Notice of Privacy Practices
The final rule requires regulated entities to revise their notice of privacy practices to support reproductive healthcare privacy. Depending on their terms, regulated entities may also need to update their business associate agreements and HIPAA policies and procedures to reflect the final rule’s changes.
This Legal Update is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice.