Regulator Insights into the HIPAA Privacy Rule to Support Reproductive Health Privacy

Update: On June 27, 2024, HHS posted the official webinar recording. HHS also published a model attestation form to support compliance with the Rule.

On Thursday, June 20, 2024, the Department of Health and Human Services’ Office of Civil Rights and Office of Health Information Technology (collectively, “HHS”) jointly presented a webinar on the HIPAA Privacy Rule to Support Reproductive Health Privacy (the “Reproductive Health Privacy Rule” or “Rule”). HHS published the final Reproductive Health Privacy Rule on April 26, 2024, and provided the webinar as part of building out the agency’s guidance on the Rule’s novel requirements. The presentation was recorded and will likely soon be posted to HHS’s reproductive health privacy guidance and resource page ahead of its first compliance date of December 23, 2024. This post summarizes some of the key requirements of the Rule for covered entities and business associates (“regulated entities”) and corresponding important insights from the webinar, including HHS’s application of the Rule in example scenarios.

Sweeping Definition of Reproductive Health Care

In amending the HIPAA Privacy Rule, the Reproductive Health Privacy Rule defines “reproductive health care” as “health care, as defined in [45 C.F.R. § 160.103], that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” HHS emphasized that without setting out a standard of care or defining appropriate care, the term includes any and all health care that supports an individual’s reproductive health. HHS’s preamble in the final Rule also clarifies that, in addition to reproductive health care deemed appropriate by a health care professional, the term further includes reproductive health care the individual determines is appropriate (such as over-the-counter contraceptives).

Restrictions on Using and Disclosing PHI Related to “Reproductive Health Care”

Regulated entities will be required to comply with the Rule if a person requests to use or disclose protected health information (“PHI”) in connection with “any person seeking, obtaining, providing, or facilitating reproductive health care,” and the regulated entity determines that one or more of the following conditions exists:

  • The reproductive health care is lawful in the state and circumstances in which it was provided,

  • The reproductive health care is protected, required, or authorized by federal law (including the U.S. Constitution) in the circumstances in which it was provided, regardless of the state where it was provided, or

  • The presumption of lawful health care applies. This presumption states that reproductive health care is presumed lawful for purposes of the Reproductive Health Privacy Rule unless the regulated entity has either a substantial factual basis supplied by the person requesting the use or disclosure, or actual knowledge, that the reproductive health care was not lawful in the circumstances in which it was provided.

If the relevant reproductive health care was performed by the regulated entity receiving the request, HHS stated that the regulated entity must review the information in its possession and determine for itself whether the reproductive health care was lawful, rather than automatically relying on another party’s representations of its lawfulness. Otherwise, where the regulated entity receives a request for information about reproductive health care that was rendered by another provider but appears in its patient’s medical record, it should rely on the presumption of lawfulness instead of investigating or analyzing the other provider’s practices.

Where the regulated entity determines that one of these scenarios applies, it will be unilaterally prohibited from using or disclosing PHI in response to the request to the extent that the use or disclosure is intended to “conduct a criminal, civil, or administrative investigation into” or “impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.” The Rule also prohibits use or disclosure to identify a person for such purposes, whether in connection with a third-party, civil claim, law enforcement, professional licensure, or family court-related request.

To illustrate these layered requirements, HHS’s webinar applied the Rule to the following fictional fact patterns:

  • Imagine a law enforcement agency requests PHI from a regulated entity as part of investigating whether an abortion was necessary to save the parent’s life (this purpose is described in the request’s attestation, discussed below). The regulated entity performed the abortion and now determines it was lawful in the state and circumstances in which it was performed. The investigation is related to the “mere act” of the patient obtaining an abortion, so the use and disclosure prohibition applies.

  • Similarly, consider a law enforcement request that represents to a regulated entity that a patient received reproductive health care that was unlawful from another provider, and relevant information is in the patient’s medical record with the regulated entity. The requestor refuses to provide more information because doing so would jeopardize an ongoing investigation into the other provider. The presumption of lawfulness applies and the investigation is related to the “mere act” of the patient obtaining reproductive health care, so HHS would argue the intended use or disclosure is for a prohibited purpose.

Strict Use and Disclosure Purpose Attestation Requirements

Under the Reproductive Health Privacy Rule, if the requested use or disclosure of PHI related to reproductive health care concerns certain types of disclosures, such as health oversight activities, judicial or administrative proceedings, or law enforcement purposes, regulated entities must obtain a written attestation from the requestor prior to fulfilling the request. A valid attestation features several specific elements, including identification of the requestor and intended data subject(s), a “clear statement” that the intended use or disclosure is not for a prohibited purpose, and the requestor’s signature. Additionally, an attestation will only be valid if it is in plain language, limited to a specific use or disclosure, and not combined with any other documentation (supporting information, such as law enforcement background to the request, may be appended). If a regulated entity uses or discloses PHI pursuant to an invalid attestation, HHS stated the regulated entity may be subject to notice obligations under the HIPAA Breach Notification Rule.

Modifying the example from the previous section, imagine that instead of withholding further details, the requestor appended an affidavit from another individual that they obtained unlawful reproductive health care from the same investigated provider. The regulated entity could arguably overcome the presumption of lawfulness and fulfill the use or disclosure request if the attestation is otherwise valid. Note that the HIPAA Privacy Rule’s normal use or disclosure requirements, including the “minimum necessary” standard, would still apply.

HHS also emphasized in its briefing that, for uses and disclosures with law enforcement purposes, the Rule’s attestation requirement only applies when the regulated entity’s response is Required by Law. This includes subpoenas, summonses, civil investigative demands, and other requests that are based on a legal mandate compelling the regulated entity to respond.

Practical Considerations for Regulated Entities

Regulated entities reviewing potential obligations under the Reproductive Health Privacy Rule should take away important action items from this briefing:

  • Evaluate whether PHI in their possession is arguably subject to the Reproductive Health Privacy Rule, given the sweeping scope of what constitutes “reproductive health care.”

  • Build methods for tracking and validating attestations into existing PHI use and disclosure processes, and ensure breach response teams are aware of this new potential trigger.

  • Review the final Rule for detailed implementation requirements, such as updating existing Notice of Privacy Practices to reflect the Rule’s newly prohibited uses and disclosures (this update has a delayed compliance date of February 16, 2026).

 *   *   *

In closing the webinar, HHS explained that it will enforce the Rule as it enforces the existing HIPAA Privacy Rule: through education, investigation, and enforcement. As part of that education, HHS has updated its reproductive health privacy guidance page with links to the final Rule, a fact sheet and video for the Rule available in English and Spanish, and existing guidance on reproductive health privacy under HIPAA. HHS promises to continue to update the page with more details and resources as it builds out its guidance for this new Rule.

Cameron Cantrell is an Associate at Hintze Law PLLC representing companies on AI, privacy, and cybersecurity issues.

Sheila Sokolowski is a Partner at Hintze Law PLLC, Co-Chair of the firm’s Health and Biotech Privacy Group, and is ranked by Chambers USA.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global AI & data protection. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of AI, privacy & data security.