HHS Issues Final Rule to Strengthen HIPAA Protections for Reproductive Health Information

HIPAA Reproductive Health Information Privacy

The HHS’ Office for Civil Rights (OCR) has published a Final Rule that updates HIPAA to strengthen reproductive health information privacy for individuals who cross state lines to seek care and for the providers who assist with abortion care. The decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization in 2022 overturned Roe v. Wade, removing the federal right to an abortion that had existed for 5 decades. Some states immediately introduced laws prohibiting or severely restricting abortion care for state residents, and many other states have followed suit. Women who live in states with abortion bans such as Alabama, Arkansas, Idaho, Indiana, Kentucky, Louisiana, North Dakota, Missouri, Mississippi, Oklahoma, South Dakota, Tennessee, Texas, and West Virginia must cross state lines to obtain care in more permissive states where abortions can be legally provided.

Those individuals, and the healthcare providers that facilitate or provide abortion care, could potentially be investigated and prosecuted for providing abortion care. The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) was intended to prevent disclosures of protected health information that could cause harm to individuals; however, the HIPAA Privacy Rule does not prohibit disclosures of health information to law enforcement, when those disclosures are permitted by other laws. Following the overturning of Roe v. Wade, OCR issued guidance to healthcare providers confirming that while HIPAA permits such disclosures, they are not required by HIPAA. Healthcare providers could refuse to provide PHI to law enforcement to support investigations of individuals who obtained legal abortions in permissive states without falling afoul of the HIPAA Rules.

“Many Americans are scared their private medical information will be being shared, misused, and disclosed without permission. This has a chilling effect on women visiting a doctor, picking up a prescription from a pharmacy, or taking other necessary actions to support their health,” said HHS Secretary Xavier Becerra, hence the need for an update to the HIPAA Privacy Rule. In April 2023, OCR issued a Notice of Proposed Rulemaking (NPRM) about an update to the HIPAA Privacy Rule to strengthen privacy protections for reproductive healthcare information and received more than 300,000 comments about the proposed changes. After considering those comments, consulting with the Department of Justice, and meeting with healthcare industry stakeholders, OCR issued its Final Rule that implements the proposed changes.

According to a statement from the HHS, the Final Rule will “bolster patient-provider confidentiality and help promote trust and open communication between individuals and their healthcare providers or health plans, which is essential for high-quality healthcare.” Specifically, the Final Rule updates HIPAA to prohibit the use and disclosure of protected health information when it is sought to investigate or impose liability on individuals, healthcare providers, or others who seek, obtain, provide, or facilitate reproductive healthcare that is lawful.”

The update clarifies the definition of “person”, adds new definitions for “reproductive health care”; and “public health” with respect to surveillance, investigation, or intervention, and requires regulated entities, in certain circumstances, to first obtain an attestation that a requested use or disclosure of protected health information is not for a prohibited purpose. HIPAA-covered entities are also required to modify their Notices of Privacy Practices to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under the Final Rule.

The Final Rule was published in the Federal Register on April 26, 2024, and is effective on June 25, 2024. Compliance with the requirements of the Final Rule is required no later than 180 days after the effective date (January 1, 2025), aside from the Notice of Privacy Practices requirement, which has a compliance date of February 16, 2026. The Final Rule is expected to be published in the Federal Register this week. A PDF copy of the Final Rule is available here.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home. Patients and providers are scared, and it impedes their ability to get and to provide accurate information and access safe and legal health care,” said OCR Director Melanie Fontes Rainer. “Today’s rule prohibits the use of protected health information for seeking or providing lawful reproductive health care and helps maintain and improve patient-provider trust that will lead to improved health outcomes and protect patient privacy.”

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/