Last year, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) issued a Final Rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to protect access to and privacy of reproductive health care.
The Final Rule imposes new limitations on disclosures of information relating to reproductive health care, which took effect on December 23, 2024, and requires covered entities and business associates to make certain updates to their Notice of Privacy Practices with respect to reproductive health care and, additionally, substance use disorder records subject to 42 CFR Part 2, by February 2026. This article provides a summary of the Final Rule and steps practices should take to ensure compliance.
Limitations on Disclosures of Information Related to Reproductive Health Care
Physicians and other covered entities and their business associates are prohibited from disclosing protected health information (PHI) in response to a request made for the purpose of conducting a criminal, civil, or administrative investigation or imposing liability for the mere act of seeking, obtaining, providing or facilitating reproductive health care (where such health care is lawful under the circumstance provided), or to identify a person for purposes of such investigation or imposing such liability.
The Final Rule clarifies that the prohibition applies whenever the covered entity or business associate reasonably determines that the reproductive health care at issue (1) is lawful under the circumstances in which it is provided, (2) is protected, required or authorized by Federal law, including the U.S. Constitution, or (3) was provided by a person other than the covered entity or business associate that received the request for the PHI. Thus, practices that do not necessarily render reproductive health care but may receive medical records from physicians and other providers that do render reproductive health care should be especially mindful of this prohibition. Importantly, the prohibition does not apply if the request is not made to investigate or impose liability for the mere act of seeking, obtaining, providing or facilitating reproductive health care.
The Final Rule allows the presumption that reproductive health care provided by a person other than the covered entity or business associate receiving the request was lawful. This presumption can be overcome if the covered entity or business associate has actual knowledge or receives factual information from the requestor that the reproductive health care was not lawful as provided.
Written Attestation Requirement
If a covered health care provider receives a request for PHI potentially related to reproductive health care for the purpose of (1) health oversight activities, (2) judicial and administrative proceedings, (3) law enforcement purposes, or (4) disclosures to coroners and medical examiners, the covered provider must first obtain a signed attestation from the requestor that their request is not for a prohibited purpose. OCR has provided model attestation language to meet this requirement, which is available on the HHS website.
Updates to HIPAA Notice of Privacy Practices
The HIPAA Privacy Rule requires covered entities to provide individuals with a Notice of Privacy Practices document that allows individuals to understand how the covered entity may use and disclose their PHI, as well as their rights and the covered entity’s legal duties regarding PHI. By February 16, 2026, the Final Rule requires covered entities to update their Notice of Privacy Practices to address the requirements related to reproductive health. For covered entities who receive or maintain records that are subject to 42 CFR Part 2 (substance use disorder patient records) the Final Rule additionally requires updates to the Notice of Privacy Practices related to uses and disclosures of these records. Specifically, the Notice of Privacy Practices must additionally include:
- A description, including at least one example, of the types of uses and disclosures prohibited under the Privacy Rule relating to reproductive health care.
- A description, including at least one example, of the types of uses and disclosures for which an attestation is required.
- A statement to put the individual on notice of the potential for information disclosed under HIPAA to be subject to redisclosure by the recipient and no longer protected.
Covered entities that engage in certain activities related to records subject to 42 CFR Part 2 must additionally include separate statements informing the individual of such activities as set forth in 45 CFR §164.520(b)(iii).
Updates to Practice Documents
Physicians and medical practices should review their obligations under the Final Rule and consult with experienced legal counsel to ensure that their Notice of Privacy Practices is updated in a timely manner, and that they appropriately obtain the required written attestation when receiving requests for PHI that may be subject to the Final Rule limitations.
In addition to these updates, when revising any practice forms or documents, it is prudent to consult with experienced legal counsel about other updates that may be necessary and appropriate to ensure the practice’s compliance with the latest laws and regulations, including, but not limited to, updates to:
- Informed Consent and General Consent to Treatment forms
- Telehealth Consent forms
- Practice Policy forms
- HIPAA Release of Information/Authorization forms
- Surprise billing disclosures, consent and good faith estimate forms
- Financial Responsibility forms
- Electronic Medical Record access forms
Finally, consideration should also be given to updates to any written policies and protocols related to these documents.
This article originally appeared in the Second Quarter 2025 edition of the Detroit Medical News. Republished with permission.