Earlier this year, the U.S. Department of Health and Human Services (HHS) issued new regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rules impose new restrictions on the use and disclosure of “reproductive health care” by covered entities, such as employer-sponsored health plans, and were issued in response to the U.S. Supreme Court overturning the federal constitutional right to an abortion in Dobbs v. Jackson Women’s Health Org. The regulators say that the rules were necessary in order to protect plan participants from civil, criminal, and administrative liability for lawfully obtaining reproductive health care services.
Covered entities must comply with the new privacy standards beginning on December 23, 2024. The delayed compliance date allows time for employers to revise HIPAA privacy policies, procedures, notices, and other HIPAA documentation, as well as train employees who work with protected health information (PHI).
What constitutes reproductive health care?
The HIPAA privacy rules regulate the use and disclosure of PHI. The new regulations impose stricter standards on reproductive health care that constitutes PHI. Reproductive health care is very broadly defined as health care affecting an individual’s health in all matters relating to the reproductive system and its functions or processes. Examples of reproductive health care that could constitute PHI are: contraception (including emergency contraception), prenatal care, fertility and infertility diagnoses and treatments (e.g., IVF), ectopic pregnancies, and abortion-related services.
What are the new privacy standards for reproductive health care?
The final regulations prohibit covered entities (such as employer-sponsored health plans) and their business associates (i.e., health plan vendors) from using or disclosing reproductive health care PHI for the following three purposes:
- Conducting a criminal, civil, or administrative investigation into any person for seeking, obtaining, providing, or facilitating reproductive health care;
- Imposing criminal, civil, or administrative liability on any person for seeking, obtaining, providing, or facilitating reproductive health care; and
- Identifying any person for any purpose described in the two categories above.
For example, the rules say an investigation into whether a particular abortion was necessary to save a pregnant woman’s life would be an investigation into the act of seeking, obtaining, providing, or facilitating reproductive health care.
Some states have passed civil laws giving individuals a private cause of action against individuals who obtain or provide abortions. The HHS rules would generally prohibit employer plans from disclosing reproductive health care PHI for that purpose.
It is important to note that the rules do not prohibit the use and disclosure of reproductive health care PHI when the services or procedures were illegal under the circumstances (assuming there is another basis under HIPAA for the use or disclosure). The prohibition is intended to apply to uses and disclosures when the purpose is to:
- Use the information against a person for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it was provided; or
- Identify any person for doing so.
When does the rule apply?
The three categories of prohibited uses and disclosures only apply if:
- The activity relates to a person seeking, obtaining, providing, or facilitating reproductive health care; and
- The health plan or its business associate that receives a request for PHI reasonably determines that at least one of the following exists:
  - The reproductive health care is lawful in the state where it was provided;
    - For example, the resident of one state traveled to another state to receive reproductive health care that is lawful in the state where it was furnished.
  - The reproductive health care was protected by federal law; or
  - A presumption of lawfulness applies.
When is the reproductive health care presumed to be lawful?
Reproductive health care is presumed to be lawful (and, therefore, generally may not be used or disclosed for the prohibited purposes) unless the plan or its business associate has:
- Actual knowledge that the reproductive health care was unlawful under the circumstances in which it was furnished; or
- Factual information, furnished by the requester of the information, that provides a substantial basis for concluding that the reproductive health care was not lawful.
The presumption of lawfulness is intended to avoid the need for health plans to do independent research into whether certain services or procedures were lawful under applicable law.
When is an attestation required from the requestor?
Where a disclosure of reproductive health care PHI would not be prohibited, the new rule requires an attestation by the requestor confirming that the information requested will not be used for a prohibited purpose. Health plans are prohibited from disclosing PHI that is potentially related to reproductive health care for the following purposes unless an attestation is first obtained:
- For health oversight purposes;
- For judicial and administrative proceedings;
- For law enforcement purposes; or
- About decedents to coroners or medical examiners.
There are detailed content requirements for a valid attestation, but HHS recently issued a model attestation (downloadable PDF).
What next steps should employer plans take?
Employer-sponsored health plans should take the following actions ahead of the final rule’s compliance date:
- Update the plan's Notice of Privacy Practices;
  - The deadline to do this is February 16, 2026, but changes could be incorporated sooner than that.
- Update the health plan’s HIPAA privacy policies and procedures;
- Update template risk assessments used for breach responses;
- Update business associate agreements; and
- Train the health plan’s workforce on the new use and disclosure restrictions and when an attestation is required.