Key Dates
- April 26, 2024: HHS published a final rule on reproductive health care privacy.
- December 23, 2024: Covered entities and business associates must comply with the final rule by this date.
- February 16, 2026: Covered entities must update their HIPAA notice of privacy practices for the new protections by this date.
The U.S. Department of Health and Human Services (HHS) updated its webpage on reproductive health care privacy to include additional resources, including a HIPAA model attestation form, that covered entities and business associates may use to comply with new protections for reproductive health care privacy. These new privacy protections will go into effect on December 23, 2024.
New Privacy Protections
On April 26, 2024, HHS published a final rule that strengthens the HIPAA Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain situations. The HIPAA Privacy Rule sets strict limits on the use, disclosure and protection of PHI by covered entities (i.e., health care providers, health plans and health care clearinghouses) and their business associates (collectively, regulated entities). The Privacy Rule also allows regulated entities to use or disclose PHI for certain non-health-care purposes, including certain criminal, civil and administrative investigations and proceedings.
The new protections prohibit regulated entities from using or disclosing PHI related to lawful reproductive health care:
- For a criminal, civil or administrative investigation into (or proceeding against) a person in connection with reproductive health care; or
- To identify an individual, health care provider or other person for purposes related to such an investigation or proceeding.
Regulated entities must presume that reproductive health care provided by another entity was lawful unless they have actual knowledge that the care was unlawful, or the person requesting the use or disclosure of PHI supplies factual information that demonstrates the care was unlawful.
Attestation Requirement
A regulated entity must obtain a valid attestation before it uses or discloses PHI potentially related to reproductive health care for certain purposes, such as health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners or medical examiners. The attestation is used to verify that the requested use or disclosure of PHI complies with the new privacy protections and is not for a prohibited purpose.
For an attestation to be valid, it must be a standalone document that includes certain information, such as a clear statement that the use or disclosure is not for a prohibited purpose. Regulated entities can use HHS’ model attestation form when they receive requests for PHI potentially related to reproductive health care. The model form also includes instructions for its use. According to these instructions, a regulated entity may not rely on the attestation to disclose the requested PHI in certain circumstances, including if a reasonable regulated entity in the same position would not believe the requestor’s statement that the use or disclosure is not for a prohibited purpose.