A new HIPAA privacy rule protecting reproductive health care disclosures begins enforcement shortly before Christmas, and many providers may be caught off guard by its broad application.
On April 22, 2024, the U.S. Department of Health and Human Services (HHS) announced a Final Rule restricting the disclosure of patient records that may relate to reproductive health care. Reproductive health care typically focuses on pregnancy, but this new restriction applies more broadly to individuals across all age groups and both sexes. Enforcement of this rule begins on December 23, 2024, and introduces new procedures for disclosing certain patient records.
This new rule strengthens privacy protections under the Health Insurance Portability and Accountability Act (HIPAA) by prohibiting the disclosure of individuals’ health information for purposes of investigating or imposing liability related to lawful reproductive health care. Specifically, the rule aims to prevent access to reproductive health data for use in criminal, civil, or administrative proceedings based solely on seeking, obtaining, or facilitating reproductive health care. This regulation responds to concerns about individuals facing investigations or penalties for accessing reproductive health services that are lawful in one state but penalized in another. To ensure comprehensive protection, HHS utilized broad language in the rule.
The new rule defines “reproductive health care” as health care affecting an individual’s reproductive system, its functions, and processes.[i] This sweeping definition means that an expanded array of healthcare providers must ensure that data disclosures are not made for prohibited purposes. For instance, pregnancy clinics must ensure compliance alongside pediatric and geriatric providers. Reproductive health care, as defined, includes vasectomy procedures, fertility medications, hormone treatments, pap smears, STD prevention and treatment, counseling, and more.[ii] As a result, the rule’s applicability extends broadly across the healthcare industry.
Covered Entities, such as healthcare providers, and their Business Associates, are now required to obtain a written attestation stating that the information requested is not for a prohibited purpose. This attestation must adhere to specific requirements, including assurances that the recipient is not seeking protected health information to identify, investigate, or impose liability for seeking, obtaining, providing, or facilitating lawful reproductive health care.
Any Covered Entity or Business Associate receiving a request for patient data disclosure potentially affected by this rule must secure the written attestation before proceeding. Consequently, healthcare providers must determine when a patient’s record may relate to reproductive health care. Initial considerations by some providers to limit this requirement to female patients will prove inadequate, as the rule applies regardless of sex. Similarly, age-based qualifiers are ineffective as children and elderly individuals can also receive treatment related to their reproductive systems. As a result, providers should adopt a broad application of the attestation requirement to ensure compliance.
The implications of this rule extend beyond compliance procedures. It introduces new challenges for providers in identifying affected records and balancing privacy concerns with operational efficiency. Providers are encouraged to invest in staff training, review their data-sharing protocols, and consult legal experts to navigate this evolving landscape effectively. SKO’s Healthcare practice offers skilled healthcare regulatory and compliance guidance to a wide range of healthcare clients. Our team follows these
[i] Reproductive health care is defined as health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” 42 CFR 160.103.
[ii] “[S]eeking, obtaining, providing, or facilitating reproductive health care includes, but is not limited to, any of the following: expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.” 42 CFR 164.502(a)(5)(iii)(D).
