When a HIPAA covered entity1 or business associate2 receives a request for protected health information (PHI)3 potentially related to reproductive health care,4 it must obtain a signed attestation that clearly states the requested use or disclosure is not for the prohibited purposes described below, where the request is for PHI for any of the following purposes:
-
Health oversight activities5
-
Judicial or administrative6 proceedings
-
Law enforcement7
-
Regarding decedents, disclosures to coroners and medical examiners8
Prohibited Purposes. Covered entities and their business associates may not use or disclose PHI for the following purposes:
(1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
(2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
(3) To identify any person for any purpose described in (1) or (2).9
The prohibition applies when the reproductive health care at issue (1) is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided, (2) is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided, or (3) is provided by another person and presumed lawful.10