The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently issued its Final Rule to modify HIPAA “to support reproductive health care privacy.” The Final Rule responds to Executive Order 14076, in which President Biden directed HHS to take actions to protect reproductive health information following Dobbs v. Jackson Women’s Health Organization and the restrictive state laws on abortion services enacted afterward.

The Final Rule strengthens privacy protections of reproductive health information by prohibiting the access, use, or disclosure of the information by a covered entity or business associate for the following activities:

  • To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

Covered entities or business associates who receive a request for reproductive health information are required to obtain a signed attestation from the individual or entity requesting protected health information (PHI) “potentially related to reproductive health care” that the request and associated disclosure are not for one of the prohibited purposes. The attestation will be required when the request is for PHI for any of the following:

  • Health oversight activities.
  • Judicial and administrative proceedings.
  • Law enforcement purposes.
  • Disclosures to coroners and medical examiners.

Compliance with the Final Rule may be tricky for covered entities and business associates. In particular, medical records custodians must be vigilant when receiving requests for PHI to determine whether the request could be for a prohibited purpose and request the signed attestation before the records are released. A process for assessing whether a request for PHI falls into one of the four categories above and whether it relates to reproductive health care information, as well as obtaining an attestation before the release of the records, will be necessary. In addition, the Final Rule requires covered entities to update their Notice of Privacy Practices to include protections on the use and disclosure of reproductive health information. Remember that the Notice of Privacy Practices must also be posted on the organization’s website.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog.