What You Need to Know About the New Final Rule on Reproductive Health Care Privacy Under HIPAA

Employee Benefits & Executive Compensation

June 17, 2024

The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a final rule on April 26, 2024, to amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support privacy in reproductive health care (the “RHC Rule”). Along with the final rule, OCR also issued a fact sheet that further explains the RHC Rule and its practical implications.

OCR indicated that the purpose of the RHC Rule is to protect access to and privacy of reproductive health care that is perceived to be threatened by the recent actions of more than 20 states in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. The RHC Rule points out that the changing legal landscape increases the chances that a person’s protected health information (PHI) in connection with reproductive health care may be disclosed in ways that harm what HIPAA seeks to protect, particularly trust in the health care system and its providers.

The RHC Rule is effective as of June 25, 2024. Covered health care providers, health plans, and health care clearinghouses (and their business associates) (collectively, “Regulated Entities”) must comply with all provisions of the RHC Rule by December 23, 2024, including updating their HIPAA policies and procedures. The required Notice of Privacy Practices need not be updated until February 16, 2026.

What the RHC Rule Prohibits

Generally, the RHC Rule prohibits the use or disclosure of reproductive health care PHI by Regulated Entities for either of the following purposes:

To conduct a criminal, civil, or administrative investigation into or to impose liability on any person for simply seeking, obtaining, providing, or facilitating reproductive health care, where such health care, under the circumstances provided, is lawful.
The identification of any person for the purpose of such an investigation or imposition of liability in connection with their merely seeking, obtaining, providing, or facilitating reproductive health care.

The RHC Rule defines “reproductive health care” broadly to include all health care that can be provided to address reproductive health including contraception (and emergency contraception), pregnancy-related health care, miscarriage treatment, fertility or infertility-related health care, and other types of care, services, or supplies used for the diagnosis and treatment of reproductive health, including the treatment of peri- and post-menopausal conditions.

The RCR Rule indicates that the prohibition described above preempts state laws that mandate disclosure of PHI for a prohibited purpose even where pursuant to a court order or other legal process. It applies where Regulated Entities have reasonably determined that one or more of the following exists as to the reproductive health care:

The health care is otherwise lawful under the law of the state in which the care is provided, whether or not the recipient of the care is a resident.
The reproductive health care is protected (such as the use of contraception), required, or authorized by federal law, regardless of the state in which the care is provided.
The health care was provided by a person other than the Regulated Entity that receives the request for PHI and its provision is presumed to be lawful.

For these purposes, reproductive health care is presumed to be lawful unless the Regulated Entity has actual knowledge that the care was not lawful. Reproductive health care is not presumed to be lawful if the Regulated Entity is informed by the health care recipient that the reproductive health care was provided by an unlicensed person and such provision of care requires licensure. In addition, reproductive health care is not presumed to be lawful if the Regulated Entity receives factual information from the person requesting PHI that demonstrates a substantial factual basis that the care was not lawful as provided.

What the RHC Rule Still Permits

The RHC Rule continues to permit Regulated Entities to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for the PHI is not made to investigate or impose liability on any person for the simple act of seeking, obtaining, providing, or facilitating reproductive health care. For example, Regulated Entities may use or disclose PHI (a) to defend one’s self in an investigation or proceeding related to professional misconduct or negligence where the alleged professional misconduct or negligence involved the provision of reproductive health care, (b) to defend any person in a criminal, civil, or administrative proceeding where liability could be imposed on that person for providing reproductive health care, or (c) to an Inspector General where PHI is sought to conduct an audit for health oversight purposes.

Required Attestation

When Regulated Entities receive a request for reproductive health care PHI, the RHC Rule requires that Regulated Entities obtain a signed attestation that the use or disclosure is not for a prohibited purpose. The attestation is required when such PHI request is potentially related to any of the following:

Disclosures to coroners and medical examiners,
Health oversight activities,
Judicial and administrative proceedings, and
Law enforcement purposes.

The OCR intends to issue model attestation language before December 23, 2024.

Next Steps

Health care providers, health plans, health care clearinghouses, and their business associates should consider taking the following actions:

Review and update their Notice of Privacy Practices, including providing examples of how individuals’ reproductive health care PHI may or may not be disclosed.
Review and update as needed all HIPAA business associate agreements to require them to implement compliance with the RHC Rule.
Review and update policies and procedures to the extent they are affected by the RHC Rule, such as the description of permitted disclosures, HIPAA definitions, and the implementation of the attestation requirement.
Identify where reproductive health care PHI can be found in invoicing and other administrative records to avoid inadvertent disclosure.
Train personnel responsible for managing health care and/or health plan information and/or responding to PHI requests about the requirements of the RHC Rule, including the process for obtaining required attestations.

If you have any questions about this HIPAA Reproductive Health Care Privacy guidance, HIPAA and its requirements, business associate agreements, HIPAA policies and procedures, or the Notice of Privacy Practices, or any other question about your health care plan, please contact any member of our Employee Benefits and Executive Compensation practice group.

For additional information on this topic, please contact your regular Calfee attorney or the author(s) listed below:
		Jason A. Rothman 216.622.8227 jrothman@calfee.com

		Robert M. Cipolla 804.357.1292 rcipolla@calfee.com

		Sheila M. Ninneman 216.622.8360 sninneman@calfee.com

For more updates and alerts, visit the News section of Calfee.com.

Calfee First Alerts and other educational content are intended to inform and educate readers about legal developments and are not intended as legal advice for any specific individual or specific situation. Updates related to government regulations, assistance programs, etc. are provided with the most current information made available to Calfee at the time of publication or presentation. Clarifications and further guidance may be disseminated by government authorities on an ongoing basis. All information should be reaffirmed prior to taking any action. Please consult with your attorney regarding any legal questions you may have. With regard to all content including case studies or descriptions, past outcomes do not predict future results.

Calfee, Halter & Griswold LLP | The Calfee Building, 1405 East Sixth Street, Cleveland, Ohio 44114 | 216.622.8200

SUBSCRIBE | UNSUBSCRIBE