Hospitals Face New Duties to Secure PHI for Reproductive Health Care Under HIPAA Rule
This article was originally published by Louisiana Hospital Association in Volume 39, Issue 4 of Impact Lawbrief.
HHS revised the HIPAA Privacy Rule on April 26, 2024 to add protections for reproductive healthcare information. The HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the final rule) takes effect on June 25, 2024, and hospitals must comply with most requirements by Dec. 23, 2024.
The final rule arises out of the 2022 Supreme Court decision in Dobbs v. Jackson Women’s Health Organization. In response to the decision, state and local governments have taken varying approaches to investigate and regulate reproductive healthcare. The department’s stated purpose for the final rule is to ensure that individuals are not afraid to seek healthcare from, or share important information with, their healthcare providers because of a concern that their sensitive information will be disclosed outside of their relationship with their healthcare provider. HHS is particularly concerned with disclosure of a patient’s protected health information (PHI) about reproductive healthcare for certain non-healthcare purposes, where such use or disclosure could be detrimental to the patient or another individual’s privacy.
The final rule seeks to prohibit hospitals and other regulated entities from using or disclosing PHI to identify an individual, healthcare provider, or other person for the purpose of initiating an investigation or proceeding in connection with seeking, obtaining, providing, or facilitating reproductive healthcare that is lawful under the circumstances in which it is provided.
To that end, the final rule adopts a new definition of “reproductive healthcare” and imposes a requirement that, in certain circumstances, hospitals must first obtain an attestation that a requested use or disclosure is not for a prohibited purpose.
The final rule also changes the required contents of the Notice of Privacy Practices (NPP) that all hospitals must make available to patients and their representatives. These include language relating to new protections for reproductive healthcare and recent changes to privacy laws governing substance use disorder treatment records.
Hospitals should carefully review the final rule and make sure they update their HIPAA policies and procedures and their NPPs to comply with these changes. Keep reading for an outline of the major new requirements.
Definition of “Reproductive Healthcare”
The final rule adopts the new term “reproductive healthcare” to mean healthcare “that affects the health of the individual in all matters relating to the reproductive system and its functions and processes.” This definition is intentionally broad in scope.
As part of the final rule, HHS published a non-exclusive list of examples that fit within the definition:
- Contraception, including emergency contraception;
- Diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis);
- Fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization);
- Management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment of preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination;
- Other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products); and
- Preconception screening and counseling.
HHS clarified that information meeting this definition must also meet the definition of PHI to be protected under HIPAA rules.
Attestation for Use or Disclosure of PHI “Potentially Related to Reproductive Healthcare”
1. Attestation
The Privacy Rule currently separates uses and disclosures of PHI into three categories: required, permitted, and prohibited. Under the final rule, HHS is now requiring hospitals to obtain an attestation from persons requesting the use or disclosure of PHI “potentially related to reproductive healthcare,” stating that the use or disclosure is not for a prohibited purpose.
The attestation must meet specific requirements including:
- Be written in plain language;
- Include the person requesting the disclosure and confirm the types of PHI that they are requesting;
- Clearly identify the name of the individual (or class of individuals) whose PHI is being requested;
- Confirm in writing that the use or disclosure is not for a prohibited purpose; and
- Include a statement that the attestation is signed with the understanding that a person who knowingly and in violation of HIPAA obtains or discloses individually identifiable health information relating to another individual, or discloses such information to another person, may be subject to criminal liability.
The attestation may be presented in electronic format and be electronically signed by the person requesting the disclosure where such electronic signature is valid under applicable law. However, there are format requirements. The attestation cannot contain any elements that are not specifically required and cannot be combined with other documents. It must be clearly labeled, distinct from any surrounding text, and completed in its entirety. A person requesting PHI is not required to use the specific attestation form provided by the regulated entity, as long as the attestation provided by the requestor is compliant with the regulations.
The regulated entity may use the information on the attestation, combined with any additional documentation provided by the person making the request for PHI, to make a reasonable determination that the attestation is true.
Additionally, both hospitals and their business associates are directly liable for compliance with the attestation requirement, regardless of whether compliance with the new regulations is explicitly mentioned in a business associate agreement.
2. Evaluation of Attestation and Disclosure
HHS is not requiring hospitals to investigate the validity of an attestation provided by a person requesting a use or disclosure of PHI. Rather, hospitals are generally permitted to rely on the attestation if, under the circumstances, they reasonably determine that the request is not for investigating or imposing liability for seeking, obtaining, providing, or facilitating allegedly unlawful reproductive healthcare, or that the use or disclosure is otherwise not for a prohibited purpose.
However, for requests involving allegedly unlawful reproductive healthcare, the extent to which a hospital may reasonably rely on an attestation depends in part on whether it provided the reproductive healthcare at issue. To determine whether it is reasonable to rely on the attestation of a law enforcement official requesting PHI potentially related to reproductive healthcare, HHS directs hospitals to consider, among other things:
- Who is requesting the use or disclosure of PHI;
- The permission the person is relying on to make the request;
- The information provided to satisfy the other conditions of the relevant permission;
- The PHI requested and its relationship to the stated purpose of the request; and
- If the reproductive healthcare was supplied by another person, whether the hospital has:
  - Actual knowledge that the reproductive healthcare was not lawful under the circumstances in which it was provided; or
  - Factual information from the petitioner that gives a substantial factual basis that the reproductive healthcare was not lawful under the circumstances in which it was provided.
Lastly, the final rule requires a hospital to cease use or disclosure of PHI if it discovers that the representations in the attestation are materially incorrect, leading to uses or disclosures for a prohibited purpose.
3. Repercussions and Penalties
HHS highlighted that people will be subject to criminal liability if they knowingly and in violation of HIPAA obtain or disclose individually identifiable health information relating to another individual or disclose such information to another person. Thus, a person who knowingly and in violation of HIPAA falsifies an attestation, such as by making material misrepresentations about the intended use of the PHI requested, in order to obtain (or cause to be disclosed) an individual’s PHI could be subject to criminal penalties as outlined in the statute. Additionally, once a hospital becomes aware of such misrepresentations, a disclosure made based on that attestation constitutes an impermissible disclosure. This requires the hospital to notify the individual, the HHS Secretary, and in some cases, the media, of the breach.
Changes to Notice of Privacy Practices
The final rule also modifies the required contents for the NPPs outlining hospitals’ legal duties with respect to PHI. Hospitals will need to update their NPPs by Feb. 16, 2026, to include:
- A description of the prohibition on the use or disclosure of PHI for an investigation of a person seeking, obtaining, providing, or facilitating reproductive healthcare;
- A description of the types of uses and disclosures of PHI for which an attestation is required under 45 C.F.R. § 164.509 (as described above); and
- A statement that PHI disclosed under the HIPAA Privacy Rule is subject to redisclosure by the recipient and is no longer protected by the Privacy Rule.
Additionally, hospitals that create or maintain substance use disorder treatment records subject to 42 C.F.R. Part 2 must also revise their NPPs to include:
- A description of the permitted uses and disclosures of PHI under HIPAA, reflecting more stringent requirements under Part 2 or other applicable law;
- A separate statement that substance use disorder treatment records shall not be used in civil, criminal, administrative, or legislative proceedings without written consent or a court order; and
- A separate statement that, if the covered entity intends to use Part 2 records for fundraising, the patient or individual must be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications.
The Privacy Rule’s requirements for the NPPs have not been updated since the 2013 Omnibus Rule following enactment of the HITECH Act. Hospitals should take this opportunity to revisit their NPPs to ensure they meet current regulatory requirements.