Compliance Date for HIPAA Reproductive Health Rules is Fast Approaching

The compliance deadline for changes to the privacy of reproductive health information is fast approaching, with the new rules taking effect on December 23, 2024. Earlier this year, new regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) were published. These regulations address the privacy of protected health information (“PHI”) that concerns reproductive health care.

As defined, reproductive health or reproductive health care is health care that affects the health of an individual in all matters relating to the reproductive system and its functions and processes.

Under the new regulations, information regarding reproductive health care may not be used or disclosed to investigate (criminally, civilly, or administratively) or to impose liability on anyone who seeks, obtains, provides or facilitates reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons engaging in such lawful reproductive health care-related activities.

The aforementioned prohibition applies when:

  • the reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided;
  • the reproductive health care is protected, required, or authorized by federal law; or
  • the reproductive health care is provided by a person other than the covered entity and the covered entity has no actual knowledge or substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.

If the use or disclosure of the reproductive health information is not for a prohibited purpose, the covered entity may continue to use or disclose the information in accordance with HIPAA.

If the covered entity receives a request for PHI potentially related to reproductive health care, it must first obtain a signed attestation that the use or disclosure of such PHI is not for a prohibited purpose, if the request is for any of the following:

  • health oversight activities;
  • judicial and administrative proceedings;
  • law enforcement purposes; or
  • disclosures to coroners and medical examiners.

A new attestation form is required for each specific use and disclosure request. The Office for Civil Rights (“OCR”) has published a model attestation form that can be used.

Thus, covered entities must take the following steps to ensure compliance with these new rules as of December 23, 2024:

  1. Review HIPAA policies and procedures. Update those policies that address the use and disclosure of health information to account for the new restrictions.
  2. Adopt an attestation form to be utilized when the disclosure of reproductive health information is for specified purposes (namely, health oversight activities; judicial and administrative proceedings; law enforcement purposes; or disclosures to coroners and medical examiners).
  3. Review existing Business Associate Agreements (“BAAs”) to determine if any revisions are necessary as a result of the new regulations. Some BAAs may require revision and some may not.
  4. Review and update the Notice of Privacy Practices (“NPP”). This provision of the new rule does not take effect until February 16, 2026, and changes to the NPP can be made alongside the changes that are required as a result of the Part 2 regulations.
  5. Conduct training on the new requirements.

If you need assistance with any of these steps or have questions regarding the rule changes, feel free to reach out to any of the health care attorneys at our firm.
