The Office for Civil Rights (OCR), the federal agency within HHS that enforces HIPAA, issued a final rule modifying portions of the HIPAA Privacy Rule with respect to reproductive health care privacy, particularly as many Health Centers participate in the HHS family planning grants or otherwise provide services that could fall under the category of reproductive health care.

Specifically, the final rule prohibits the use or disclosure of PHI by a Covered Entity, or their Business Associate, related to:

a) reproductive health care that is: i) lawful under the law of the state where the health care is provided, and ii) lawful under the circumstances in which it is provided (of note, the new rule states Covered Entities should presume the reproductive health care is lawful unless: i) the Covered Entity (or Business Associate) has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or ii) the Covered Entity (or Business Associate) receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided);

b) reproductive health care that is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided; and

c) reproductive health care provided by a person other than the Covered Entity (or Business Associate) that receives the request for PHI

under the following circumstances:

1. To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided, or

2. To identify any person for the purpose of conducting such investigation or imposing such liability.

(1. and 2. are collectively referred to under the new rule as a “prohibited purpose(s)”).

In terms of how this relates to disclosures to law enforcement, disclosures of PHI related to reproductive health care to law enforcement are only permitted when: a) the Covered Entity is required, as opposed to permitted, by law to make the disclosure, and b) the disclosure is not for a prohibited purpose. Most PHI disclosures to law enforcement fall under Section 512 of the HIPAA Privacy Rule, which permits, but does not require, disclosures to law enforcement, so Section 512 would generally not allow for a disclosure of PHI related to reproductive health care to law enforcement.

The final rule states that the HIPAA Privacy Rule continues to permit the use or disclosure of PHI related to reproductive health care for purposes otherwise permitted under the HIPAA Privacy Rule when the request for the use or disclosure of PHI is not made to investigate or impose liability on a person for the act of seeking, obtaining, providing, or facilitating reproductive health care.

In terms of how this new rule impacts Health Centers, the new rule requires Health Centers to do the following:

1. When a Health Center receives a request for PHI that is: a) potentially related to reproductive health care, and b) for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners, the Health Center must obtain a signed attestation from the requestor that the requestor will not use or disclose the requested PHI for either of the two prohibited purposes listed above. This provision will take effect on December 23, 2024, and the OCR has stated it intends to provide template attestation language for Covered Entities prior to the effective date, which we will distribute to the Members once available.

2. Health Centers must revise their Notice of Privacy Practices (NPP) to reference the reproductive health care specific patient privacy protections outlined in the new rule by February 16, 2026, and we will be circulating a revised NPP template for Health Centers shortly.

Here is a link to the OCR final rule: Federal Register :: HIPAA Privacy Rule To Support Reproductive Health Care Privacy 

Additional guidance on the OCR final rule can be found on the HHS website at: HIPAA and Reproductive Health | HHS.gov

 

Sarah Benator, Esq.
Southern Health Lawyers, LLC
sbenator@southernhealthlawyers.com