Reproductive Healthcare Rule Compliance Will Be Challenging
By Greg Freeman
The new HIPAA Privacy Rule to Support Reproductive Healthcare Privacy will require covered entities to review and update some policies and procedures. The rule was promulgated in response to the U.S. Supreme Court’s Dobbs decision that overturned Roe v. Wade.
Health and Human Services (HHS) published the rule to prohibit the use or disclosure of protected health information (PHI) related to lawful reproductive healthcare in certain circumstances, explains Daniel Guggenheim, JD, partner with the Quarles law firm in San Diego. HHS said that the Final Rule responds to public concern following the Dobbs decision that overturned Roe v. Wade about the need to protect patient confidentiality and to prevent the use of medical records to identify, investigate, or punish people for providing or obtaining lawful reproductive healthcare.
The rule is intended to generally support trust and enable open communication between patients and their healthcare providers, Guggenheim says. The Final Rule requires regulated entities to assess whether a request to use or disclose protected health information potentially is related to reproductive healthcare.
“If it is, and the use or disclosure is for the purpose of health oversight activities, judicial, or administrative proceedings, law enforcement purposes, or to a coroner or medical examiner, then, before releasing the information, the regulated entity must obtain from the requester a valid attestation that the information is not sought for a prohibited purpose,” Guggenheim says. “If it is requested for another purpose permitted by the Privacy Rule, the reproductive health information may be disclosed.”
If the use or disclosure is sought for the purpose of investigating or imposing liability in connection with any person seeking, obtaining, providing, or facilitating reproductive healthcare, or to identify any person for such purposes, then the regulated entity must determine if the reproductive healthcare was lawful, where and under the circumstances provided, or if it is protected, required, or authorized by federal law, he says.
Furthermore, it must determine whether the investigation, imposition of liability, or identification of an individual is for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, Guggenheim says. If the reproductive healthcare was unlawful and is not protected by federal law, the requested information may be used or disclosed to the extent permitted by existing HIPAA requirements, he says.
“If the reproductive healthcare was lawful or protected by federal law, but the inquiry is in regard to the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, the information may not be used or disclosed,” Guggenheim says. “If it is sought for another or additional purpose, for example to prosecute healthcare fraud or to investigate a sexual assault, and if the regulated entity has obtained a valid attestation from the requester, the information may be disclosed to the extent permitted by existing HIPAA requirements.”
Covered entities are not restricted in disclosing reproductive healthcare information pursuant to a valid authorization or request for access by a patient or their personal representative, he says. Regulated entities must comply with the use and disclosure restrictions by Dec. 23, 2024. Additionally, HIPAA-covered entities are required to update their Notice of Privacy Practices by Feb. 16, 2026, Guggenheim notes.
“The first challenge is navigating the language of the Final Rule and its intersection with the existing language of the Privacy Rule and applicable state law. It is drafted with layered definitions and double-negatives and includes rules of applicability, implementation specifications, and exceptions that need to be parsed to get an accurate understanding of what the Final Rule prohibits and which potential uses or disclosures remain permissible,” he says. “Additionally, the 291 pages of the Final Rule include interpretative guidance about the intentions of Health and Human Services and what is expected of regulated entities.”
Reviewing existing policies, procedures, and training materials to determine where and how they should be updated, and how to align new requirements with existing operating procedures, also can be challenging, he says.
“Moreover, the topic can be sensitive and political in nature, which may make decisions about how to apply the Final Rule and how to discuss it within the organization more difficult. With careful attention to the Final Rule and how it intersects with the general requirements for permissive disclosure of protected health information, regulated entities can strike the balance of complying with the enhanced protections of reproductive health information without unduly burdening their current practices.”
Steps to Take Now
With the compliance date approaching, Guggenheim recommends covered entities take these steps:
- Update internal policies and train workforce members on protocols for assessing and potentially disclosing reproductive health information for regulated purposes;
- Prepare an attestation form that meets the criteria of the rule;
- Define a protocol for receiving and reviewing attestations;
- Preview scenarios in which PHI may be requested and consider default/presumptive positions on what is lawful in the state, under the circumstances, and/or protected, required, or authorized by federal law;
- Review business associate agreements for possible revision;
- Update Notice of Privacy Practices before Feb. 16, 2026;
- Be prepared for conflicting obligations (state vs. state and state vs. federal laws). If encountered, what is the action plan?
“Based on our experience, law enforcement and state regulators have not yet been trained on the Final Rule, so regulated entities may wish to proactively reach out to contacts to get on the same page before they are faced with a subpoena or other urgent request,” Guggenheim says.
The State of Texas has sued to invalidate the Final Rule, but he says regulated entities should continue to prepare for the December compliance date. Healthcare providers and other regulated entities also should assess their obligations under state laws that may be more restrictive than HIPAA. For example, the California Confidentiality of Medical Information Act was amended to provide greater protection for abortion-related medical information, Guggenheim notes. (The California law also brings providers of mobile apps and websites that collect information about a consumer’s reproductive health or sexual health within the scope of the law for this purpose.)
“Particularly, if the protections promised by the Final Rule are not available, regulated entities should expect to see enhanced enforcement efforts by those states that seek to protect the confidentiality of such information.”
New Definition
The rule adds a new definition to HIPAA regulations for “reproductive healthcare” and restricts how covered entities and business associates can use and disclose related PHI, says Claire O’Brien, JD, partner with the Brooks Pierce law firm in Greensboro, NC. The term is defined broadly to cover care that affects the health of an individual “in all matters relating to the reproductive system,” including the provision of medication and devices.
HHS’s goal with the new rule is to promote trust between individuals and healthcare providers in the post-Dobbs era by reinforcing HIPAA’s basic tenets of patient-provider confidentiality, she explains. HHS expressed concern that, absent these changes, the threat of disclosure of PHI could chill individuals’ willingness to seek lawful reproductive health-related treatment — and the willingness of healthcare providers to provide such care.
“Covered entities and business associates are now prohibited from using or disclosing PHI if the request for PHI is made to investigate or impose liability for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive healthcare, or to identify any person for the purpose of conducting such an investigation or imposing such liability,” O’Brien says. “The prohibition applies regardless of whether the investigation or potential liability is civil, criminal, or administrative.”
When a covered entity or business associate receives a request for PHI, they must now consider whether the request potentially relates to reproductive healthcare, she says. If it does, they must determine whether disclosure is permitted under the new rule, including whether a signed attestation is necessary and whether any attestation received is sufficient.
“This will require careful attention to future requests for PHI, especially because the rule requires attestations to contain specific elements and statements,” she says. “Failure to comply could subject a regulated entity to civil penalties.”
O’Brien notes that some aspects of the rule will reduce compliance challenges. For example, the rule permits a covered entity to presume that reproductive healthcare provided by another person or entity was lawful. This means that a covered entity does not need to independently review the medical record or consult counsel to determine the lawfulness of care it did not provide, she says.
“Covered entities should revise their policies and procedures to ensure they have processes in place to identify requests for PHI that potentially relate to reproductive healthcare and facilitate an appropriate response if so,” O’Brien says. “This may include confirming that existing business associate agreements contain language reflecting the new rule.”
This rule introduces a new prohibited use and disclosure of PHI that is applicable to all HIPAA-regulated entities — both covered entities and their business associates, says Melissa Soliz, JD, an attorney with the Coppersmith Brockelman law firm in Phoenix.
The most challenging compliance aspect of this new rule is implementing the attestation requirement, she says.
Because the definition of reproductive care is very broad, covering any healthcare relating to the reproductive system and its functions and processes, and because HIPAA-regulated entities must obtain the attestation when certain requests involve PHI that potentially could relate to reproductive healthcare, health information management teams will want to collect these attestations whenever they receive requests for PHI for health oversight activities, judicial/administrative proceedings, law enforcement, or coroners/medical examiners purposes, Soliz says.
“That’s because it will be practically infeasible for health information management teams to know with any certainty whether the protected health information being requested could potentially relate to reproductive systems and its functions and processes,” she says.
This requirement also may significantly affect the ability of health oversight agencies and coroners/medical examiners to participate in health information networks/exchanges because of the lack of automated technology solutions to support interoperable attestations, she says.
“Because failure to obtain an attestation is tantamount to a HIPAA violation and potentially a reportable breach, healthcare providers will most likely want to be conservative and cautious with respect to when they obtain these attestations,” Soliz says.
Soliz notes that HHS released a model attestation that is available at https://www.hhs.gov/sites/default/files/model-attestation.pdf.
Because business associates are directly subject to this new rule, covered entities should not have to update their HIPAA business associate agreements to require compliance with the new requirements, Soliz says.
“However, covered entities may want to specify in their [business associate agreements] what measures their business associates must have in place to demonstrate their compliance and to require that their business associates indemnify them to the extent the business associate is not compliant with these requirements,” she says.
Special Category of PHI
This is the first time in more than two decades that HHS has afforded a particular category of PHI special protection under the law, says Vicki J. Tankle, JD, partner with the Reed Smith law firm in Philadelphia. Aside from psychotherapy notes, the HIPAA Privacy Rule otherwise applies uniformly to all PHI.
Operationalizing compliance with the rule’s new attestation requirement likely will be the most challenging aspect of compliance, she says. In particular, how will the HIPAA-regulated entity assess requests for PHI potentially related to reproductive healthcare? Should the organization tag any such PHI in its systems? Should the organization adopt a requestor type-based approach in obtaining attestations? Who within the organization will be responsible for determining whether an attestation is needed and obtaining signed attestations from requestors?
HIPAA-regulated entities that have not yet begun to unpack or implement these new standards should develop a compliance implementation checklist that is tailored to the organization and conforms to the rule’s requirements, Tankle says. This checklist should consider, for example, the circumstances in which the organization may create, maintain, use, or disclose PHI potentially related to reproductive healthcare, and current practices around receiving and responding to requests for PHI.
The updated HIPAA Privacy Rule is long overdue, but it will not entirely change the paradigm around compliance and organizational requirements, says Gal Ringel, CEO of MineOS, a company based in Boston that provides compliance assistance. If organizations go about best data privacy practices and can demonstrate proper oversight of the data lifecycle, they likely will not draw enforcement, he says.
“The main reason why these updates were needed, aside from the fact that there hadn’t been a major revision to the law in decades, was to crack down on bad data sharing/selling practices and serve as a warning to companies not taking the matter seriously,” he says. “The overturning of Roe v. Wade has turned health data into a highly sensitive and politicized commodity, and with companies like Flo Health allegedly sharing user data with third parties like Google and Facebook without user consent, new controls needed to be put in place to minimize individual privacy harms while trying to hold organizations more accountable for data privacy.”
Differences in state laws may come into play, says Melissa M. Crespo, JD, partner with the Morrison Foerster law firm in Washington, DC. The prohibition is subject to rules of applicability, which consider whether reproductive healthcare is legal under state or federal law, she says.
“For example, a patient who lived in a state that prohibited reproductive healthcare services such as abortion, like Texas, if they traveled to New York to seek an abortion that is lawful under that law, then this restriction on this information would apply,” she says. “But it would not apply if the state, let’s say Texas, was seeking information about an abortion performed in another state at seven weeks, but the state law prohibited an abortion after six weeks. If it’s unlawful under that state law, then the prohibition wouldn’t apply, and HIPAA would allow for that information to be disclosed for an investigation related to violation of a law that spans seeking reproductive healthcare or imposing liability with respect to that healthcare.”
The prohibition also applies if the reproductive healthcare is protected or authorized under federal law, such as the Emergency Medical Treatment and Active Labor Act, she notes.
The new rule will pose compliance challenges, says Andrea Frey, JD, partner with the Hooper Lundy Bookman law firm in San Francisco.
“It will require internal mechanisms to ensure compliance with the final rule requirements, but then also to assess what information do we have that falls under this bucket of reproductive health information. We have these covered data sets with whatever code was assigned to the service provided, but that’s a lot of data,” she says. “Healthcare providers’ medical record system is also uncoded, so how do you do that without having to assign somebody to manually scroll through a patient’s medical record anytime a request like this comes in? One of the challenges here is going to be figuring out an efficient process to identify and locate records subject to this final rule.”
Sources
- Melissa M. Crespo, JD, Partner, Morrison Foerster, Washington, DC. Telephone: (202) 887-8768.
- Andrea Frey, JD, Partner, Hooper Lundy Bookman, San Francisco. Telephone: (415) 875-8507.
- Daniel Guggenheim, JD, Partner, Quarles, San Diego. Telephone: (619) 822-1474.
- Claire O’Brien, JD, Partner, Brooks Pierce, Greensboro, NC. Telephone: (336) 271-3141.
- Gal Ringel, CEO, MineOS, Boston.
- Melissa Soliz, JD, Coppersmith Brockelman, Phoenix. Telephone: (602) 381-5484.
- Vicki J. Tankle, JD, Partner, Reed Smith, Philadelphia. Telephone: (215) 241-7974.
Greg Freeman has worked with Relias Media and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Relias Media products. In addition to his work with Relias Media, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.