On June 25, 2024, the Final Rule issued by the Office of Civil Rights (OCR) that amended the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) became effective as a means of further protecting personal health information (PHI) related to reproductive healthcare privacy. Following the 2022 U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization holding that the right to an abortion is not a fundamental right protected by the U.S. Constitution, OCR responded by promulgating new regulations to protect the integrity of the provider-patient relationship as a means of preserving a person’s expectation of privacy for reproductive healthcare services. As of this date, covered entities and business associates have 180 days, or until December 22, 2024, to comply with the provisions of the Final Rule.
The first part of the Final Rule limits the use and disclosure of PHI related to healthcare if it is for certain non-healthcare purposes. A covered healthcare provider, health plan, or healthcare clearinghouse, or its business associate, is prohibited from using this PHI to (1) conduct a criminal, civil, or administrative investigation into, or to impose criminal, civil, or administrative liability on, any person seeking, obtaining, providing, or facilitating reproductive healthcare if, under the circumstances, such healthcare is lawful in the state in which it is provided, or (2) identify any person for the purpose of conducting such investigation or imposing such liability.
This prohibition applies when one or more of the following has been reasonably determined:
- The type of reproductive healthcare is lawful in the state where such healthcare is provided and under the circumstances under which it is provided;
- The type of reproductive healthcare is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such healthcare is provided; and
- The type of reproductive healthcare is provided by a person other than the covered healthcare provider, health plan, or healthcare clearinghouse (or business associates) that has received the request for PHI, with the presumption that the reproductive healthcare provided is lawful.
In other words, a healthcare provider, health plan, or healthcare clearinghouse, or its business associate, is prohibited from disclosing PHI related to reproductive healthcare received by a resident of one state who traveled to another state to receive reproductive healthcare, such as an abortion, when it is lawful in the state where such healthcare was provided. A covered entity or business associate is also prohibited from disclosing PHI related to reproductive healthcare if the use of the reproductive healthcare, such as contraception, is protected by the U.S. Constitution.
By contrast, the Final Rule does not prohibit the use or disclosure of PHI related to reproductive healthcare if the purpose is to investigate alleged violations of the False Claims Act or federal nondiscrimination laws, or abusive conduct, such as sexual assault, that occurs in connection with reproductive healthcare. The same applies to audits conducted by the Office of Inspector General initiated to protect the integrity of the Medicare or Medicaid programs.
The second part of the Final Rule requires attestation from the requestors that they are not seeking PHI related to reproductive healthcare for a prohibited purpose. It also requires providers to obtain attestation before using or disclosing PHI related to reproductive healthcare for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or to aid coroners and medical examiners. Concisely stated, the provider is required to obtain an attestation before using or disclosing PHI for audits and investigations, a court order, laws requiring reporting of certain types of wounds or injuries, and before identifying a deceased person or cause of death.
Lastly, the Final Rule requires changes to the Notice of Privacy Practice (NPP) provisions of the regulated entities by February 16, 2026.