On April 26, 2024, the Office for Civil Rights (OCR) published the HIPAA Privacy Rule to Support Reproductive Health Care Privacy.¹ The rule enhances the existing HIPAA Privacy Rule by prohibiting the use or disclosure of protected health information (PHI) related to lawful reproductive healthcare.¹ Specifically, it restricts healthcare providers and insurers from sharing information about legal reproductive healthcare where the requested purpose is to investigate or assert a civil, administrative, or criminal claim.¹ The rule took effect on June 25, 2024,¹ and required general compliance by December 23, 2024. A violation of the rule can lead to criminal liability.¹
Some have expressed concerns that the new rule will impact reporting of suspected abuse or neglect.² There are also concerns about the costs associated with updating Notice of Privacy Practices (NPP), policies, and staff training.²
Compliance with the new rule can be achieved by obtaining an attestation from the individual requesting PHI and updating the practice’s NPP.
Attestation
The attestation requirement notes that healthcare providers who receive a request for PHI potentially related to reproductive healthcare must obtain a signed attestation that the use or disclosure is not for a prohibited purpose.¹ The attestation must be obtained if the request is for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and coroners’/medical examiners’ disclosures.¹ The United States Department of Health and Human Services (HHS) has published model attestation language that will satisfy the rule’s requirements and can be obtained at https://www.hhs.gov/sites/default/files/model-attestation.pdf.
Notice of Privacy Practices (NPP)
Healthcare providers should revise their NPP to support reproductive health care privacy.¹ The NPP should include a description of the new use or disclosure prohibitions. The compliance date for the NPP is February 16, 2026. Therefore, healthcare providers will need to ensure their NPP is updated and distributed to their patients. HHS has not yet published a revised model NPP.
Lastly, you should provide staff training on the rule requirements, NPP changes, and any procedural changes as it relates to the release of medical records. HHS has published several short videos on the HIPAA Privacy Rule and Reproductive Health, including a general overview and attestation compliance. These videos are available at https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive….
Training can also be accessed at: https://evolveelearning.com/product/hipaa-training-course-covered-entit…
CAP members can enter discount code cap10off to receive a 10% discount.
By implementing the attestation requirement, updating your NPP, and providing staff training, you can ensure that you are in compliance with this new HIPAA rule. An overview of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy can be found at https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive….
Bryan Dildy, MPA, CPHRM, CPPS, is a Senior Risk Management and Patient Safety Specialist. Questions or comments related to this article should be directed to BDildy@CAPphysicians.com.
¹Health and Human Services. Final Rule HIPAA Privacy Rule to Support Reproductive Health Care Privacy. 2024, December 4. https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive…
²Purl v. United States Dep’t of Health and Hum. Services, et al., 2:2024cv00228 (D. Tex. 2024) at 13