In a final rule published on April 26, the U.S. Department of Health and Human Services (“HHS”) amends the HIPAA Privacy Rule to bolster protections for individuals’ reproductive health information. This final rule comes almost exactly a year after HHS published its draft rule on the subject.

The rule is part of the Biden administration’s effort to address the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization. Dobbs’ reversal of Roe v. Wade resulted in a patchwork of state laws governing abortion, some of which require or permit health care providers to release personal information about reproductive health care to state authorities for patients who sought an abortion.

The rule is scheduled to take effect on June 25, 2024, and most provisions will be enforceable as of December 23, 2024. Below, we summarize in more detail some of the notable changes to the HIPAA Privacy Rule.

Definitions of “Person” and “Reproductive Health Care”

HHS has revised and clarified certain definitions within the Privacy Rule, including the following terms:

Person

The definition of “person” now includes language that establishes that a natural person under the HIPAA Privacy Rule means “a human being who is born alive,” which aligns with the definition of the same term in the Born-Alive Infants Protection Act (1 U.S.C. § 8).

This change in definition is significant because the HIPAA Privacy Rule permits health care providers and other covered entities to release PHI to authorities in cases where the entity reasonably believes that a person is a victim of abuse, neglect or domestic violence, and in cases of serious and imminent threat to a person.

Since the Dobbs decision (and even prior to it), several states have passed laws regulating reproductive health care that define “person” or “human” to include fertilized eggs, fetuses, and embryos. This definitional clarification in the HIPAA Privacy Rule is aimed at prohibiting state authorities from gaining access to reproductive health information by claiming that an individual seeking an abortion is placing a fetus, fertilized egg or embryo in serious and imminent threat.

By defining “person” to include only persons who have been born alive, an argument to disclose records due to potential harm to an unborn child would not be subject to the exceptions governing permissible disclosures under HIPAA.

Reproductive Health Care

The Privacy Rule now includes a definition of “reproductive health care” to include health care “that affects the health of the individual in all matters relating to the reproductive system and to its functions and processes.” The definition indicates that reproductive health care is a subset of “health care” as defined within the HIPAA rules.

In the preamble to the rule, HHS provides a non-exhaustive list of types of care that would qualify as reproductive health care under the law, which includes contraception, preconception screening and counseling, prenatal care, fertility and infertility diagnosis and treatment (including, for example, IVF), and diagnosis and treatment of other conditions affecting the reproductive system.

Prohibition on Disclosures of PHI Related to Reproductive Health Care

The rule has added a new category of prohibited uses and disclosures of PHI to the HIPAA Privacy Rule. Entities regulated by HIPAA are now generally prohibited from using or disclosing PHI for activities with the purpose of investigating (whether in a criminal, civil, or administrative context) or imposing liability on any person for the act of seeking, obtaining, providing, or facilitating lawful reproductive health care.

Regulated entities also are now prohibited from using or disclosing PHI for the purpose of identifying an individual, health care provider, or other person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care.

The “mere act of” seeking care

These new purpose-based prohibitions against the use or disclosure of PHI related to reproductive health care are limited by the use of the phrase “the mere act of” seeking reproductive health care. The applicable section of the Privacy Rule (45 C.F.R. § 164.502(a)(5)(iii)(A)) now reads as follows:

“a covered entity or business associate may not use or disclose protected health information for any of the following activities:

  1. To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  2. To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  3. To identify any person for any purpose described in [the prior two paragraphs].” (emphasis added)

According to HHS, this phrase is an important distinction in that the rule does not prohibit the release of any PHI for investigations “in connection to” seeking, obtaining, providing, or facilitating reproductive health care, as that would be too broad. However, HHS does state that an investigation into the reasons that the patient sought the care in the first place would still qualify under the prohibition.

Rule of applicability & presumption of lawfulness

In deciding whether release of reproductive health care information is permitted under the revised rule, a regulated entity must make a reasonable determination about whether the reproductive health care at issue was lawfully provided or obtained.

This “rule of applicability” requires a regulated entity to evaluate the facts and circumstances for the health care, including, among other aspects, the diagnosis and prognosis of the patient, the laws of the location where the health care was provided, and the particular health care provider who provided the care.

Note, however, that the rule includes a presumption that any health care provided was lawful unless the regulated entity has actual knowledge that the health care provided was not lawful, or the state authority provides documentation to show that the care was not lawful, at the time it was received.

Preemption of State Laws

Under the rule, consistent with existing regulatory guidance and statutory authority, any state law that requires a release of reproductive health information is subject to the general preemption provision of the Social Security Act (Section 1178(a)), which provides that HIPAA preempts contrary state laws, with limited exceptions.

The new rule does not codify any clarifications to existing exemptions from preemption, including those applying to reporting public health information. However, in the preamble to the rule, HHS clarifies that it is understood in the context of the Privacy Rule that those public health exemption provisions do not permit release of information for individuals seeking reproductive health care.

Notice of Privacy Practices Changes and Attestations

The final rule also addresses changes that covered entities will be required to make to the notices of privacy practices (NPP) that they distribute to patients and post on their websites. The rule also implements a pre-release attestation requirement for requesting parties.

Going forward, the NPP must contain a description with at least one example of the types of uses and disclosures prohibited under 45 CFR § 164.502(a)(5)(iii), which are the prohibited disclosures of PHI related to reproductive health information (as described above). In addition to changes necessary to alert patients to the new provisions of the HIPAA Privacy Rule, HHS has also required changes to reflect the wholesale overhaul that the agency made earlier this year to the substance use disorder record privacy rules (known as Part 2).

To avoid duplication of efforts by regulated entities seeking to make the required changes to their NPP forms, HHS has made the compliance date for both sets of changes February 16, 2026.

Additionally, in this rule, HHS implements a new requirement that, prior to disclosure of PHI related to reproductive health care, a covered entity or business associate must obtain an attestation from the requesting entity that confirms that the PHI is not being sought for a prohibited purpose. This requirement is designed to prove that the requesting entity understands use or disclosure of PHI in violation of HIPAA could result in criminal liability. HHS has indicated that it will release model attestations for seekers of information to use at a later date.

Reed Smith will continue to follow developments with regard to reproductive health care and privacy. If you have any questions about how this final rule applies to your business, please reach out to the authors or to the health care lawyers at Reed Smith.