On April 26, 2024, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a final rule to amend the HIPAA Privacy Rules to support reproductive health care privacy (the “Reproductive Health Care Rules”). The Agency also issued a Press Release, Fact Sheet, and Message from the Director of OCR. Here are five important takeaways:
- The Reproductive Health Care Rules limit when a group health plan can disclose reproductive health care protected health information (“PHI”) for non-health care purposes. More specifically, a group health plan may not disclose such PHI: (a) to conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; (b) to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or (c) to identify any person for such purposes.
- The Reproductive Health Care Rules’ protections only apply when the reproductive health care is lawful. Reproductive health care is health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. It is lawful when it is permitted under the law of the state in which such health care is provided, or when it is authorized by Federal law. A group health plan must assume reproductive health care is lawful unless it has actual knowledge or factual information from the person requesting the information that it is not.
- A group health plan must receive an attestation for certain uses or disclosures of PHI that potentially relate to reproductive health care. Existing HIPAA Privacy Rules allow a group health plan to: (a) use and disclose PHI for health oversight activities; (b) disclose PHI for judicial and administrative proceedings; (c) disclose PHI for law enforcement purposes; and (d) use and disclose PHI about decedents to coroners and medical examiners. However, under the Reproductive Health Care Rules, a group health plan cannot use or disclose PHI potentially related to reproductive health care for these purposes unless it obtains a valid attestation from the requester. The Reproductive Health Care Rules specify the information a valid attestation must have, and HHS indicated that it intends to publish model attestation language. An individual who falsifies an attestation would be subject to potential criminal liability and a group health plan that fails to obtain a valid attestation before disclosing such PHI would be subject to potential civil penalties.
- The Reproductive Health Care Rules clarify when a group health plan may disclose reproductive health care PHI pursuant to an administrative request (e.g., an administrative subpoena or summons). Existing HIPAA Privacy Rules allow a group health plan to disclose PHI pursuant to an administrative process if: (a) the information sought is relevant and material to a legitimate law enforcement inquiry; (b) the request is specific and limited in scope; and (c) de-identified information could not reasonably be used. The Reproductive Health Care Rules additionally provide that such disclosures must be required by law and not otherwise subject to the prohibition outlined in the first takeaway above.
- A group health plan must take actions to comply with the Reproductive Health Care Rules. Effective December 23, 2024, a group health plan may want to consider taking the following actions to comply with the Reproductive Health Care Rules: (a) adopting a standard attestation form to use when the group health plan receives requests for reproductive health care PHI; (b) reviewing and revising its HIPAA privacy policies and procedures to ensure compliance with the Reproductive Health Care Rules; (c) providing updated training to workforce members with access to PHI that addresses new requirements under the Reproductive Health Care Rules; and (d) reviewing and revising business associate agreements to ensure such agreements address the Reproductive Health Care Rules. Effective February 16, 2026, a group health plan must update its Notice of Privacy Practices to support reproductive health care privacy rights and address confidentiality of substance use disorder patient records as required under the CARES Act of 2020.