HHS Sets New Provider Duties to Secure PHI for Reproductive Health Care
The U.S. Department of Health and Human Services (HHS) revised the HIPAA Privacy Rule on April 26 to add protections for reproductive health care information. The HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the final rule) takes effect on June 25, 2024, and HIPAA-covered entities and business associates (regulated entities) must comply with most requirements by Dec. 23, 2024.
The final rule arises out of the 2022 Supreme Court decision in Dobbs v. Jackson Women’s Health Organization. In response to the decision, state and local governments have taken varying approaches to investigate and regulate reproductive health care. The department’s stated purpose for the final rule is to ensure that individuals are not afraid to seek health care from, or share important information with, their health care providers because of a concern that their sensitive information will be disclosed outside of their relationship with their health care provider. HHS is particularly concerned with disclosure of a patient’s protected health information (PHI) about reproductive health care for certain non-health care purposes, where such use or disclosure could be detrimental to the patient or another individual’s privacy.
The final rule seeks to prohibit a regulated entity from using or disclosing PHI to identify an individual, health care provider or other person for the purpose of initiating an investigation or proceeding in connection with seeking, obtaining, providing or facilitating reproductive health care that is lawful under the circumstances in which it is provided.
To that end, the final rule adopts a new definition of “reproductive health care” and imposes a requirement that, in certain circumstances, regulated entities must first obtain an attestation that a requested use or disclosure is not for a prohibited purpose.
The final rule also changes the required contents of the Notice of Privacy Practices (NPP) all covered entities must make available to patients and their representatives. These include language relating to new protections for reproductive health care and recent changes to privacy laws governing substance use disorder treatment records.
All health care providers who are HIPAA-covered entities, and their business associates, should carefully review the final rule and make sure they update their HIPAA policies and procedures and their NPPs to comply with these changes. We have outlined the major new requirements below.
Definition of “Reproductive Health Care”
The final rule adopts the new term—“reproductive health care”—to mean health care “that affects the health of the individual in all matters relating to the reproductive system and its functions and processes.” This definition is intentionally broad in scope.
As part of the final rule, HHS published a non-exclusive list of examples that fit within the definition:
- Contraception, including emergency contraception
- Diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis)
- Fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization (IVF))
- Management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment of preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination
- Other types of care, services and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products)
- Preconception screening and counseling
HHS clarified that information meeting this definition must also meet the definition of PHI to be protected under HIPAA rules.
Attestation for Use or Disclosure of PHI “Potentially Related to Reproductive Health Care”
1. Attestation
The Privacy Rule currently separates uses and disclosures of PHI into three categories: required, permitted, and prohibited. Under the final rule, HHS is now requiring regulated entities to obtain an attestation from persons requesting the use or disclosure of PHI “potentially related to reproductive health care,” stating that the use or disclosure is not for a prohibited purpose.
The attestation must meet specific requirements including:
- Be written in plain language
- Identify the person requesting the disclosure and confirm the types of PHI that they are requesting
- Clearly identify the name of the individual (or class of individuals) whose PHI is being requested
- Confirm in writing that the use or disclosure is not for a prohibited purpose
- Include a statement that the attestation is signed with the understanding that a person who knowingly and in violation of HIPAA obtains or discloses individually identifiable health information relating to another individual, or discloses such information to another person, may be subject to criminal liability
The attestation may be presented in electronic format and be electronically signed by the person requesting the disclosure where such electronic signature is valid under applicable law. However, there are format requirements. The attestation cannot contain any elements that are not specifically required and cannot be combined with other documents. It must be clearly labeled, distinct from any surrounding text, and completed in its entirety. A person requesting PHI is not required to use the specific attestation form provided by the regulated entity, as long as the attestation provided by the requestor is compliant with the regulations.
The regulated entity may use the information on the attestation, combined with any additional documentation provided by the person making the request for PHI, to make a reasonable determination that the attestation is true.
Additionally, both covered entities and business associates are directly liable for compliance with the attestation requirement, regardless of whether compliance with the new regulations is explicitly mentioned in a business associate agreement.
2. Evaluation of Attestation and Disclosure
HHS is not requiring a regulated entity to investigate the validity of an attestation provided by a person requesting a use or disclosure of PHI. Rather, a regulated entity is generally permitted to rely on the attestation if, under the circumstances, the regulated entity reasonably determines that the request is not for investigating or imposing liability for seeking, obtaining, providing or facilitating allegedly unlawful reproductive health care, or that the use or disclosure is not for a prohibited purpose.
However, for requests involving allegedly unlawful reproductive health care, the extent to which a regulated entity may reasonably rely on an attestation depends in part on whether the regulated entity provided the reproductive health care at issue. To determine whether it is reasonable to rely on the attestation of a law enforcement official requesting PHI potentially related to reproductive health care, HHS directs regulated entities to consider, among other things:
- Who is requesting the use or disclosure of PHI
- The permission the person is relying on to make the request
- The information provided to satisfy the other conditions of the relevant permission
- The PHI requested and its relationship to the stated purpose of the request
- If the reproductive health care was supplied by another person, whether the regulated entity has:
  - Actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided
  - Factual information from the petitioner that would give a reasonable regulated entity a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided
Lastly, the final rule requires a regulated entity to cease use or disclosure of PHI if it discovers that the representations in the attestation are materially incorrect, leading to uses or disclosures for a prohibited purpose.
3. Repercussions and Penalties
HHS highlighted that people will be subject to criminal liability if they knowingly and in violation of HIPAA obtain or disclose individually identifiable health information relating to another individual or disclose such information to another person. Thus, a person who knowingly and in violation of HIPAA falsifies an attestation, such as by making material misrepresentations about the intended use of the PHI requested, to obtain (or cause to be disclosed) an individual’s PHI could be subject to criminal penalties as outlined in the statute.
Additionally, once the regulated entity becomes aware of such misrepresentations, a disclosure made based on that attestation constitutes an impermissible disclosure. This requires notification of a breach to the individual, the HHS Secretary, and in some cases, the media.
Changes to Notice of Privacy Practices
The final rule also modifies the required contents for the Notice of Privacy Practices outlining a covered entity’s legal duties with respect to PHI. As part of these changes, all covered entities will need to update their NPPs by Feb. 16, 2026.
All covered entities are required to update the NPP to include:
- A description of the prohibition on the use or disclosure of PHI for an investigation of a person seeking, obtaining, providing or facilitating reproductive health care
- A description of the types of uses and disclosures of PHI for which an attestation is required under 45 C.F.R. 164.509 (as described above)
- A statement that PHI disclosed under the HIPAA Privacy Rule is subject to redisclosure by the recipient and is no longer protected by the Privacy Rule
Additionally, covered entities that create or maintain substance use disorder treatment records subject to 42 C.F.R. Part 2 must also revise their NPPs to include:
- A description of the permitted uses and disclosures of PHI under HIPAA, reflecting more stringent requirements under Part 2 or other applicable law
- A separate statement that substance use disorder treatment records shall not be used in civil, criminal, administrative or legislative proceedings without written consent or a court order
- A separate statement that, if the covered entity intends to use Part 2 records for fundraising, the patient or individual must be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications
The Privacy Rule’s requirements for the Notice of Privacy Practices have not been updated since the 2013 Omnibus Rule following enactment of the HITECH Act. Covered entities should take this opportunity to revisit their NPPs to ensure they meet current regulatory requirements.
Please reach out to Courtney Hurtig, Matt Harrell, Beau Haynes or any member of the Phelps Health Care team with questions or for guidance.