On April 22, the Department of Health and Human Services (HHS) announced a final rule to support reproductive health care privacy under HIPAA. The rule aims to support reproductive health care privacy "by prohibiting the disclosure of protected health information related to lawful reproductive health care in certain circumstances," according to HHS and announcements from the Biden administration. The rule introduces a new category of protected health information to the HIPAA Privacy Rule — “reproductive health care” — and imposes new obligations that flow from the collection, use, and disclosure of this information by covered entities and business associates.

Reproductive health care means "health care [as currently defined under HIPAA] that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes." When an individual is "seeking, obtaining, providing, or facilitating reproductive health care" and the covered entity or business associate has determined that the reproductive health care is lawful in the state, protected by federal law, or “presumptively lawful” under the final rule, the covered entity or business associate must take certain actions that restrict the use and disclosure of such information.

When a covered entity or business associate is collecting or using protected health information that pertains to reproductive health care, the entity must ensure that the information is not used for certain prohibited purposes (i.e., for conducting a criminal, civil, or administrative investigation into an individual for their seeking reproductive health care, imposing liability on someone for seeking reproductive health care, or identifying someone for the purpose of such investigation or imposition of liability). In addition, covered entities and business associates must revise their notice of privacy practices and obtain attestations from third parties requesting reproductive health care information from the covered entity or business associate. The final rule lays out specific elements that must be included in such attestations and states that any attestation that fails to include every element or includes statements or information not described in the final rule is defective.

Next Steps

There are steps that covered entities and business associates can take now to mitigate the risk of investigations, fines, and penalties for violating these new reproductive health rules. For example, covered entities and business associates should consider:

• Updating HIPAA privacy notices to include the new information required by the rule. 
• Updating law enforcement request policies and procedures to ensure that information is not disclosed in violation of the rule.
• Creating or updating data maps and data inventories to (1) understand what information would be subject to this rule (2) the basis upon which the information is used or disclosed and (3) any third parties from whom the covered entity would have to obtain an attestation.
• Updating policies and procedures around disclosing protected health information to third parties and business associates to account for the new attestation requirements.