
Complying with the HIPAA Privacy Rule to Support Reproductive Health Care Privacy
The U.S. Department of Health & Human Services Office for Civil Rights recently finalized changes to the HIPAA Privacy Rule to support reproductive health care privacy.
The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) recently finalized changes to the HIPAA Privacy Rule to support reproductive health care privacy.1 To comply with these new regulations, medical practices and other HIPAA covered entities and business associates will need to revise their written policies, implement workflow changes, and provide education for staff who process requests for protected health information.
The modifications were effective June 25, 2024, and the compliance deadline for most of the requirements is December 23, 2024.2 In a nutshell, the changes:
- Create a broad definition of “reproductive health care;”
- Prohibit the use or disclosure of protected health information (PHI) for the purpose of investigating or punishing patients, clinicians, or others for seeking, obtaining, providing, or facilitating lawful reproductive health care;
- Require HIPAA covered entities, when processing certain requests for PHI, to obtain from the requester a signed attestation form affirming the PHI will not be used for prohibited purposes;
- Require modifications to the Notice of Privacy Practices (compliance deadline for this provision only is February 16, 2026).
Physicians, advanced practice providers (APPs), and their practices should act now to ensure compliance with these changes by December. In certain situations, the regulations will change the way your practice responds to requests for PHI. Understanding the substance of the new requirements is key to revising your policies and workflows and designing training to achieve compliance. To help you get started, this article summarizes the most significant provisions and uses hypothetical situations to illustrate implementation.
Why Are These Changes Necessary?
OCR says these Privacy Rule modifications are a necessary response to the “changing legal landscape” that has evolved since Roe v. Wade was overturned in 2022. According to OCR,
As a result of the changed legal landscape for reproductive health care broadly, including abortion, the range of circumstances in which PHI about legal reproductive health care could be sought and used in investigations or to impose liability expanded significantly. Now that states have much broader power to criminalize and regulate reproductive choices – and that some states have already exercised that power in a variety of ways (citation omitted) – individuals legitimately have a far greater fear that especially sensitive information about lawful health care will not be kept private.
OCR notes that individuals are not alone in their fears, citing accounts that some providers are afraid to provide lawful health care or prescribe certain medications due to uncertainty about evolving legal risks.
According to OCR, doubts about privacy and security contribute to a lack of trust in individual providers and the health care system. Patients concerned about confidentiality may forego necessary treatment. Others may omit information from their medical history or be reluctant to discuss their health concerns fully, negatively impacting a clinician’s ability to diagnose and treat. In addition, clinicians with privacy concerns may restrict the information they discuss with patients, limit treatment recommendations, or be reluctant to document freely. By strengthening HIPAA privacy protections, OCR hopes to promote trust, optimize health outcomes, and protect access to care.
Use/Disclosure of Reproductive Health Care PHI is Prohibited for Specific Purposes
HIPAA has always prohibited regulated entities from using or disclosing patient PHI for certain purposes without patient permission. For instance, HIPAA prohibits the sale of PHI.3
The latest modifications to the Privacy Rule build on this framework by adding a new category of purpose-based prohibited uses and disclosures. The new regulations prohibit HIPAA covered entities from using or disclosing PHI for the following purposes:
- Conducting a criminal, civil, or administrative investigation of any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care;
- Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care; or
- Identifying any person for either of the above purposes.4
Medical practices implementing these new prohibitions should note the importance of two new statutory definitions and should include them in revised policies and procedures. First, “reproductive health care” means health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.5 According to OCR, it includes but is not limited to:
- Emergency contraception;
- Preconception screening and counseling;
- Management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination;
- Fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization);
- Diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and
- Other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products).
Second, the new regulations clarify that “seeking, obtaining, providing, or facilitating reproductive health care” includes, but is not limited to:
- Expressing an interest in;
- Using;
- Performing;
- Furnishing;
- Paying for;
- Disseminating information about;
- Arranging;
- Insuring;
- Administering;
- Authorizing;
- Providing coverage for;
- Approving;
- Counseling about;
- Assisting or otherwise taking action to engage in reproductive health care; or
- Attempting any of these actions.6
Whether Disclosure is Permitted Depends on the Request’s Purpose
Medical practices implementing these new regulations must build into their workflows a procedure for determining the purpose of the requested use or disclosure.
- Use or disclosure is prohibited when the purpose is to investigate, impose liability on, or identify a person for the “mere act” of seeking, obtaining, providing, or facilitating lawful reproductive health care.
- In contrast, use or disclosure may not be prohibited if PHI is sought for an investigation or a judicial or administrative proceeding with a different purpose.
OCR offered the following examples to illustrate application of the new prohibition.
Investigating or prosecuting the “mere act” – use or disclosure prohibited:
- Law enforcement states it needs the PHI to investigate whether a particular abortion was necessary to save a mother’s life.
- An attorney states she needs the PHI as evidence in a civil lawsuit brought in state court by a private citizen against an individual who obtained or facilitated lawful reproductive health care.
Investigation is for another purpose – use or disclosure potentially permitted (if other applicable HIPAA Privacy Rule requirements are met):
- Health oversight agency is investigating substandard care by the clinician.
- Government agency is investigating potential fraudulent billing practices connected to reproductive health care procedures performed on practice patients.
- Licensing board is investigating alleged sexual assault by a physician when he was providing reproductive health care.
- Law enforcement is investigating sexual assault of a patient who sought treatment from the medical practice for her injuries.
- Government agency is investigating unusual prescribing or billing patterns for erectile dysfunction medications.
- Law enforcement is investigating the lawfulness of reproductive health care because a PA allegedly performed abortions in violation of state law that requires physicians to provide abortions.
- Department of Justice is investigating whether a person physically obstructed, intimidated, or interfered with persons providing reproductive health services in violation of federal law protecting access to clinic entrances.
Who Decides Whether the Care was “Lawful”?
The new prohibition is limited in scope. It applies ONLY when:
- the use or disclosure is for the purpose of investigating or imposing liability on an individual for “the mere act” of seeking, obtaining, providing, or facilitating reproductive health care; and
- the care was lawful.
Under the new regulations, the medical practice or other HIPAA covered entity that receives and processes a PHI request is responsible for making a “reasonable” determination of lawfulness.7
You may be concerned that medical records staff are not qualified to decide what is “lawful,” or you might assume staff would need to consult an attorney, research statutes and laws, or analyze facts they don’t have. However, OCR says none of this is necessary. OCR likens the lawfulness determination to decisions medical records staff have been making for years about whether the Privacy Rule allows a particular use or disclosure. For example, according to OCR, medical practices already evaluate their state’s relevant laws when deciding how to respond to PHI requests made under the “required by law” permission (which allows disclosure without patient authorization or notification when “required by law”).8
Making the “Lawfulness” Determination
To decide whether reproductive health care is “lawful” for HIPAA Privacy Rule purposes, practice staff must evaluate the facts and circumstances under which the care was provided and determine whether certain regulatory conditions are satisfied. If at least one of the following conditions exists, then HIPAA prohibits use or disclosure of PHI when the purpose of the use/disclosure is to investigate or prosecute an individual for the “mere act” of seeking, obtaining, providing, or facilitating reproductive health care:
- The reproductive health care is lawful under the law of the state where it was provided and under the circumstances in which it was provided;
- Regardless of the state where it was provided, the reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, under the circumstances in which it is provided; or
- The reproductive health care was provided by someone else (i.e., a clinician not affiliated with the medical practice/other regulated entity that received the PHI request) and HIPAA’s presumption of lawfulness applies (learn more about this presumption below).9
When making the lawfulness determination, HIPAA requires medical practices and their staff to act “reasonably.”10 A decision is “reasonable” when another similarly situated medical practice could reach the same conclusion.11
The Presumption in Favor of Lawfulness
Usually, patient medical records maintained by physician practices contain a mix of documentation. Some is created by practice providers to describe care rendered by the practice, and some is received from hospitals and other practices or facilities that provided care to the patient.
Under the new Privacy Rule regulations, a medical practice responding to a request for PHI about reproductive health care provided by another clinician (outside the medical practice) must presume the care is lawful unless practice staff have:
- Actual knowledge that the care was unlawful under the circumstances in which it was provided; or
- Factual information provided by the person requesting PHI which demonstrates a “substantial factual basis” that the care was unlawful under the circumstances in which it was provided.12
OCR points out that when the presumption applies, medical practices are not expected to review PHI details or research other states’ laws. Rather, an individual seeking the PHI has the burden to provide information demonstrating a substantial factual basis that the care was unlawful.
OCR offers this example:
- A facility has PHI about reproductive health care provided at an out-of-state hospital. In response to a request for the PHI, the facility is not expected to review the PHI, conduct research, or perform analysis of other states’ laws. Law enforcement did not provide information in the subpoena that would allow the facility to reasonably determine the care was unlawful. Therefore, the facility must presume the care was lawful and refuse disclosure.
New Attestation Requirement
According to OCR, there is a risk that those seeking PHI for prohibited purposes may try to disguise their requests by framing them as within the scope of existing HIPAA disclosure permissions, like the law enforcement or health oversight permissions.13 Under these various permissions, HIPAA permits (but does not require) disclosure without patient authorization or notification when the PHI is requested for certain non-health care purposes.14 To address this risk, OCR created a new attestation requirement and developed a model Attestation for covered entities and PHI requesters to use.
The new regulation requires covered entities processing PHI requests “potentially related to reproductive health care” to obtain a valid, signed Attestation from the requester when the request is based on one of the following Privacy Rule permissions:
- Health oversight activities;
- Judicial and administrative proceedings;
- Law enforcement purposes; or
- Disclosures to coroners and medical examiners.15
Notably, the new regulations do not require an Attestation when PHI is sought under the public health exception, which permits disclosure without patient authorization or notification when the information is sought for “public health activities and purposes.”16 Instead, to guard against the risk that public agencies and others might try to use the public health exception to obtain reproductive health care PHI for prohibited purposes, OCR changed HIPAA’s definition of “public health.” Under the new definition, public health “surveillance,” “investigation,” and “intervention” do not include investigating or imposing liability on individuals for seeking, obtaining, providing, or facilitating lawful reproductive health care.17
Attestation Form Requirements
To be valid, Attestations must meet specific regulatory requirements. Using OCR’s model Attestation will ensure compliance, but the regulations do not require requesters to use the model. Practices should develop a workflow that addresses situations where the requester does not use the model. In these cases, practice staff processing the request should carefully compare the requester’s Attestation to the model to confirm validity.
To be valid, signed Attestations cannot be combined with other documents18 and must include ONLY the following information:
- Describe the types of PHI requested;
- Clearly identify the name of the person whose PHI is requested or, if not possible, use general terms to describe a class of individuals;
- State the purpose of the request and confirm the request is not for investigating, imposing liability for, or identifying someone for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
- Identify who the PHI request is addressed to;
- Identify who is to receive the PHI;
- Acknowledge that the signer/requester understands that a person who knowingly and in violation of HIPAA obtains or discloses individually identifiable health information to another person may be subject to criminal liability; and
- Signature of requester and date.19
Additional information besides that listed above is NOT permitted.20 Attestations must be written in plain language.21 They may be in electronic format and may contain electronic signatures if allowed by applicable law.22
Practice staff are not required to investigate the validity of Attestation statements. They are allowed to rely on the statements as true and correct provided reliance is “reasonable”23 under the circumstances.24 OCR offers two examples to illustrate this reasonable reliance requirement:
- Law enforcement is investigating reproductive health care provided by the medical practice that receives a request for PHI. An officer signs an Attestation stating the care was “unlawful” and therefore the prohibition against use/disclosure does not apply. It is not reasonable for staff to simply accept the statement as true. Under these circumstances, the practice has an obligation to review its own records and make a reasonable determination about whether the care it provided was lawful.
- A medical practice receives a request for PHI from law enforcement. The officer’s Attestation states he is investigating the patient for obtaining unlawful care. The practice did not provide the care at issue but has records concerning the care. It is not reasonable for the practice to rely on the officer’s unsupported statement that the care was unlawful. The practice must presume the care provided by another is lawful, unless the officer provides additional details to demonstrate a “substantial factual basis” that the care was unlawful under the circumstances.
Changes to Notices of Privacy Practices
The new regulations also require medical practices and other regulated entities to review and update their Notice of Privacy Practices (NPP) no later than February 16, 2026. OCR has not yet updated its Model NPP form online, but when it does, using the Model will provide the easiest route to compliance.
Final Takeaway
Practices should consider that the new definition of “reproductive health care” is extremely broad. As a result, many practices regardless of specialty likely maintain patient medical records containing PHI related to reproductive health care. In addition, HIPAA mandates that all medical practices must develop written policies and procedures describing how the practice complies with HIPAA requirements. Therefore, all practices will need to revise their policies and procedures to capture these recent regulatory changes.
[2] https://www.federalregister.gov/d/2024-08503/p-105
[3] 45 CFR §164.502(a)(5)(ii)
[4] Id. at §164.502(a)(5)(iii)(A)-(D)
[5] Id. at §160.103
[6] Id. at §164.502(a)(5)(iii)(D)
[7] Id. at §164.502(a)(5)(iii)(A)-(B)
[8] Id. at §164.512(a)
[9] Id. at §164.502(a)(5)(iii)(B)
[10] Id.
[11] https://www.federalregister.gov/d/2024-08503/p-644
[12] 45 CFR §164.502(a)(5)(iii)(C)
[13] https://www.federalregister.gov/d/2024-08503/p-841
[14] 45 CFR §164.512
[15] Id. at §164.509(a)(1)
[16] Id. at §164.512(b)(1)-(2)
[17] Id. at §160.103
[18] Id. at §164.509(b)(3)
[19] Id. at §164.509(c)(1)
[20] Id. at §164.509(b)(2)(ii)
[21] Id. at §164.509(c)(2)
[22] Id. at §164.509(b)(1)(iii) & (c)(1)(vi)
[23] Id. at §164.509(b)(2)(v)
[24] https://www.federalregister.gov/d/2024-08503/p-865