On April 26, 2024, the U.S. Department of Health and Human Service Office for Civil Rights issued a final privacy rule to support reproductive health privacy.[1] The rule does not allow the sharing of reproductive health information if it is for a prohibited purpose defined as:
-
To investigate into or impose liability on any person for merely seeking, obtaining, providing, or facilitating lawful reproductive healthcare.[2]
-
To identify an individual or provider to initiate an investigation against the individual or provider in connection with seeking, obtaining, providing, or facilitating lawful reproductive healthcare.[3]
An attestation must be received from the requestor if the covered entity or business associate reasonably believes specific conditions apply regarding reproductive healthcare, which are:
-
The reproductive healthcare is lawful under the circumstances and in the state in which the healthcare is provided; and/or
-
The reproductive healthcare is protected, required, or authorized by federal law regardless of the state in which it is provided; and/or[4]
-
A presumption that the reproductive healthcare identified in a request is lawful under the circumstances in which it was provided when the care is provided by a person other than the entity receiving the request for the protected health information (PHI). The presumption can be overcome if:
-
The entity has actual knowledge that the care was not lawful.
-
“Factual information” provided by the requestor demonstrating a “substantial factual basis” the care was not lawful.[5]
-
The required attestation needed before PHI related to reproductive healthcare can be shared must include:
-
A specific description of the information sought, including the name of the individual whose PHI is requested, or if not practicable, a description of the class of individuals whose PHI is sought.
-
The name or specific identity of the person or entity
-
being requested to share the PHI and
-
with whom the PHI will be shared.
-
-
A clear statement that the request is not for a prohibited purpose.
-
A statement the requestor may be subject to criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA.
-
A signature of the requestor.[6]
The compliance date for the attestation provision of the rule is December 23, 2024.[7] Other provisions of the rule require changes to the notice of privacy practices; however, they will not be effective until February 16, 2026. Entities covered by the rule will need to craft an attestation and process for addressing requests for reproductive health information now to meet the compliance date.