Health and Human Services Releases Final Rules to Address Reproductive Healthcare Under The HIPAA Privacy Rule

On April 26, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) published its Final Rule to Support Reproductive Health Care Privacy.1 According to OCR, adopting these rules aims to create a “purpose-based prohibition” on specific uses and disclosures of reproductive health Protected Health Information (PHI). Although the Health Insurance Portability and Accountability Act (HIPAA) applies to multiple covered entity types, such as healthcare providers and health plans, this article discusses the final rules specifically relating to employer-sponsored healthcare plans.

Background

HIPAA Privacy

The HIPAA Privacy Rule, which falls under HIPAA’s administrative simplification provisions, regulates the use and disclosure of an individual’s protected health information (PHI) by a covered entity (i.e., healthcare provider, health plan and data clearinghouse). Health plans, specifically employer-sponsored group health plans, are considered covered entities and subject to the HIPAA Privacy and Security Rules.

Abortion Coverage Services and Dobbs v. Jackson Women’s Health Organization (Dobbs)

On June 24, 2022, the Supreme Court of the United States (SCOTUS) issued a ruling in Dobbs v. Jackson Women’s Health Organization (Dobbs), which allowed states to create laws that could restrict access to reproductive healthcare needs. Due to these restrictions, certain healthcare providers felt compelled to disclose the PHI of covered patients to agencies that could use the information against a patient or the involved provider/facility assisting with reproductive healthcare needs. This risk to both the individual and the provider existed even if the individual obtained such services legally in a state that did not prohibit such services. Due to the impact of these issues faced by patients traveling across state lines to receive legal reproductive health services from a provider that was outside of their state of residence, OCR believed protections for patients and providers were needed at the national level for the promotion of trust between patients and their healthcare providers.

HIPAA Final Rule Prohibiting Access to Records Related to Reproductive Healthcare

Use and Disclosure of Reproductive Healthcare Related Information in Investigations/Imposing Liability

As stated earlier in this article, the final rule adopts a “purpose-based prohibition” on the disclosure and use of reproductive healthcare related information of covered individuals under HIPAA. This prohibition amends the current privacy rules under HIPAA.3 The new privacy protections prohibit a health plan (or other covered entity) and its business associates from using or disclosing PHI of a covered individual for the following purposes:

  1. When conducting a criminal, civil or administrative investigation into, or to impose criminal, civil or administrative liability on, any individual that seeks, obtains, provides or facilitates reproductive healthcare, so long as such healthcare is lawful under the circumstances for which such services are provided, in the jurisdiction where reproductive health services are received (i.e., subject to applicable local, state and federal rules) and/or the reproductive health care is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided.
  2. When identifying any individual for the purpose of investigating or imposing liability on any covered entity concerning the matters listed in item 1 above.

These new prohibitions will be referred to as “new privacy protections” for ease of understanding throughout this article.

Application of the New Privacy Protections

  • The effective date of the final rule is June 25, 2024.
  • Covered entities will have until December 23, 2024, to fully comply with the final rules.
    • A later deadline of February 16, 2026, applies for compliance with the Notice of Privacy Practices changes, which are further explained below.

The above new privacy protections for the use and disclosure of reproductive healthcare PHI only apply to the reproductive service/activity when a person and/or covered entity is seeking, obtaining, providing or facilitating reproductive healthcare. Some examples of when these rules would not apply, even if the information is related to reproductive healthcare PHI, include:

  1. When a healthcare provider uses/discloses PHI to help defend itself against an investigation related to professional misconduct or negligence involving reproductive healthcare.
  2. A covered entity using/disclosing PHI to help defend anyone involved in a criminal, civil or administrative proceeding where liability could exist in providing reproductive healthcare.
  3. A covered entity or a related business associate uses/discloses PHI to a Statutory Inspector General4 that seeks to conduct an audit for health oversight purposes.

Presumption in Favor of Reproductive Healthcare Provided by a Person that is a Non-Covered Entity

If reproductive healthcare is provided by a person other than the covered entity (or business associate of a covered entity) receiving the request for reproductive healthcare PHI, there is a presumption that such services were lawful unless the covered entity or business associate:

  1. Has actual knowledge that such reproductive healthcare services were not legal under the circumstances they were provided (e.g., the covered individual did not receive healthcare from a licensed individual/doctor).
  2. Receives factual information from the person requesting the covered individual’s PHI, which “demonstrates a substantial factual basis” that the reproductive healthcare was not legally performed.

Required Documents under HIPAA for Reproductive Healthcare Information

The final rule requires covered entities and business associates to:

  • Obtain attestations from persons/agencies requesting reproductive healthcare PHI that such use/disclosure of PHI is not for a prohibited use.

When information requests are made to a covered entity (e.g., healthcare provider/health plan) or a business associate for information related to reproductive healthcare PHI, under certain circumstances, the covered entity or business associate must receive a signed attestation from the person/entity requesting such PHI, attesting that the PHI will not be used for a prohibited purpose and assuring the covered entity or business associate that the release of the requested PHI is made in compliance with the law. This applies to requests for PHI in the following circumstances:

  • Health-related oversight activities
  • Judicial and administrative proceedings
  • Law enforcement activities
  • Disclosure to medical examiners and coroners

HHS will release model attestation language for covered entities before the final rule’s effective date on June 25, 2024.

Notice of Privacy Practices

Guidance is limited on how a covered entity must modify its Notice of Privacy Practices (NPP) to account for reproductive healthcare and substance use disorder treatment PHI records. Therefore, covered entities should work with their legal counsel to modify their current HIPAA Notice of Privacy Practices. The compliance deadline for the NPP to include these updated provisions related to reproductive health protections is February 16, 2026.

Disclosure to Law Enforcement under HIPAA

Uses or disclosures of PHI without an individual’s authorization are only permitted in very limited circumstances under the HIPAA Privacy Rule. The disclosure of PHI to law enforcement does not require a covered individual’s authorization. Under the HIPAA Privacy Rule, so long as disclosure of PHI is required under the law, covered entities and business associates may disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care (lawful or otherwise) if all applicable conditions are met. Under the final rule as it relates to reproductive healthcare PHI, all three of the following conditions must be met for this type of PHI to be disclosed to law enforcement agencies without a covered individual’s authorization:

  • Final rule does not prohibit such disclosure (as discussed above).
  • Law requires such disclosure.
  • Satisfaction of all applicable conditions under the HIPAA Privacy Rule.

Conclusion

Health plan sponsors should exercise caution when disclosing reproductive health-related PHI to a person/entity requesting such information in light of the restrictions set forth in the final rule under HIPAA. It will be necessary to obtain an attestation from individuals legally requesting reproductive healthcare PHI from the health plan. To ensure compliance with the new rules, plan sponsors should speak to their legal counsel if information is ever requested about the reproductive healthcare information of its plan participants/employees.

Health plan sponsors covering reproductive healthcare services as part of their group health plan, or providing travel-related benefits to employees for reproductive health services sought outside of their state of residence/employment, should include these new restrictions within their HIPAA Policies and Procedures, review and update any Business Associate Agreements with their Business Associates pursuant to these new rules, and seek advice from their legal counsel to ensure compliance under these final rules.

Additionally, health plan sponsors should ensure that they update their Notice of Privacy Practices in a timely fashion.

1 https://www.govinfo.gov/content/pkg/FR-2024-04-26/pdf/2024-08503.pdf
2 https://www.supremecourt.gov/opinions/21pdf/19-1392_6j37.pdf
3 https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html
4 Statutory Inspectors General are established by law and are intended to be independent, nonpartisan officials that work in specific governmental agencies that focus on the prevention and detection of waste, fraud and abuse of federal governmental resources.

Regulatory and Legislative Strategy Group