Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post.
Earlier this year, we provided a law bulletin on changes coming to the Health Insurance Portability and Accountability Act (HIPAA). To recap briefly, in April 2024, the Department of Health and Human Services (HHS) issued a final regulation that modified the HIPAA Privacy Rule to safeguard individuals’ protected health information (PHI) concerning reproductive health care.
The regulations go into effect on June 25, 2024, and those subject to the regulations must comply with the requirements by December 23, 2024. HHS also set a special compliance date of February 16, 2026, for the regulations’ changes involving HIPAA notices of privacy practices (NPPs).
With the law going into effect this week and the compliance deadline coming in six months, we’ve put together a breakdown of what must happen, and when.
HHS’ Rationale
In issuing the new regulations, HHS expressed concern that in the post-Dobbs environment, law enforcement and others may seek to obtain individuals’ reproductive health information from HIPAA-covered entities to use against those individuals or their providers for obtaining previously lawful reproductive care. HHS indicated such disclosures could cause individuals to conceal or forgo needed care due to privacy concerns, potentially leading to adverse health outcomes and exacerbating health disparities for communities historically subject to discrimination. The regulations aim to balance individual privacy with other societal interests by prohibiting disclosures based on the purpose, not the type of information.
What’s Changing: Three Areas of Note
- New Disclosure Prohibitions. The amended Privacy Rule prohibits HIPAA-regulated entities and their business associates from disclosing an individual’s PHI for purposes of investigating or imposing liability on that person for obtaining lawful reproductive health care. The regulations define “reproductive health care” broadly to include contraception, fertility services, pregnancy care, and treatment of reproductive system conditions. These prohibitions are purpose-based, meaning they focus on the reason for the disclosure rather than the type of information. The regulations continue to allow disclosures for treatment, payment, health care operations, and still allow individuals to authorize disclosures of their own PHI that would otherwise be prohibited.
- A Presumption of Lawfulness. The regulations also create a presumption that reproductive care delivered by someone other than the HIPAA covered entity receiving the disclosure request was lawful, unless there is actual knowledge or factual information showing otherwise. To overcome this presumption, the person requesting PHI must provide the HIPAA covered entity or business associate with adequate factual evidence demonstrating that the care was unlawful under the circumstances in which it was provided.
- Attestation Requirements. The regulations require HIPAA-regulated entities and business associates to obtain a signed attestation from the requesting party before disclosing PHI potentially related to reproductive care for certain purposes.
The attestation must include:
- a description of the requested information;
- the name or specific identification of the person(s) or class of persons asked to make the disclosure and to whom the disclosure is to be made;
- a statement that the disclosure is not for a prohibited purpose involving reproductive health care under the regulations;
- a statement acknowledging that a person may face criminal penalties under HIPAA for knowingly obtaining or disclosing individually identifiable health information in violation of the law; and
- the signature of the requester (which may be electronic) and date.
What Must Happen by December 23: The Impact on HIPAA-Covered Entities & Business Associates
The new HIPAA Privacy Rule regulations require covered entities and business associates to update their policies, procedures, agreements, and practices by the December 23, 2024, compliance date. Recommended next steps for those covered by the new regulations include the following:
- Review and update HIPAA policies and procedures to reflect the new prohibitions on disclosures related to reproductive health care and develop processes for evaluating disclosure requests and obtaining required attestations.
- Review and revise business associate agreements to incorporate the new Privacy Rule requirements, prohibiting disclosures for prohibited purposes and requiring necessary attestations.
- Train workforce members to understand and apply the new requirements, including identifying and evaluating disclosure requests, obtaining attestations, and handling conflicts with other laws.
- Assess and implement necessary technical or administrative safeguards to support compliance, such as access controls and encryption, to secure reproductive health PHI and prevent impermissible disclosures.
- Revise HIPAA notices of privacy practices before February 16, 2026, to inform individuals of the new prohibitions and attestation requirements.
Contact Us
Taft’s Privacy & Data Security team has extensive experience counseling clients on HIPAA, consumer data privacy laws, data minimization strategies, and data governance program development. For more data privacy & security-related updates, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application