On April 22, 2024, the White House announced, through the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) a Final Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule). In particular, the OCR highlighted that it administers the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and requested comments on proposed modifications to the HIPAA Privacy Rule in April 2023. The Final Rule takes onboard results from this public consultation.

What are the contents of the Final HIPAA Privacy Rule?

The Final Rule prohibits the use or disclosure of protected health information (PHI) by a covered healthcare provider, health plan, or healthcare clearinghouse, or their business associate (regulated entities) for:

• conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, where such healthcare is lawful under the circumstances in which it is provided; or
• identifying any person for the purpose of conducting such investigation or imposing such liability.

The above prohibition applies where the regulated entities have reasonably determined the reproductive healthcare:

• is lawful under the law of the State in which healthcare is provided under the circumstances in which it is provided;
• is protected, required, or authorized by Federal law;
• was provided by a person other than a regulated entity that receives the request for PHI.

Notably, regulated entities may continue to use or disclose PHI for purposes otherwise permitted under the HIPAA Privacy Rule where the request for use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare. The Final Rule clarifies that the reproductive healthcare provided by a person other than the regulated entity receiving the request was lawful.

What are the notice requirements under the Final HIPAA Privacy Rule?

The Final Rule stipulates that regulated entities, when receiving a request for PHI potentially related to reproductive healthcare, must obtain a signed attestation that the use of disclosure is not for a prohibited purpose. This attestation applies when the request for PHI is for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners.

Finally, regulated entities, including their workforce members, are only permitted to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive healthcare if the regulated entity is required by law and all applicable conditions are met. Disclosures are only permitted where the disclosure:

• is not subject to the prohibition above;
• is required by law; and
• meets all applicable conditions of the HIPAA Privacy Rule to use or disclose PHI.

You can read the White House press release here, the OCR press release here, and the Final Rule here.