*New* HIPAA Prerequisite to Sharing PHI that is Potentially Related to Reproductive Healthcare

The Department of Health and Human Services Office for Civil Rights (OCR) published a Final Rule on April 26, 2024, outlining additional requirements that HIPAA-covered entities and business associates must follow before sharing individuals’ protected health information (PHI) potentially related to reproductive healthcare. The Final Rule became effective on December 23, 2024.

NEW PREREQUISITES TO DISCLOSURES OF CERTAIN PHI

The Final Rule prohibits Regulated Entities (covered entities and business associates) from using or sharing PHI with a third party to investigate, prosecute, or fine someone “for the mere act of seeking, obtaining, providing, or facilitating” lawful reproductive healthcare (RHC). Regulated Entities also may not use or share PHI to identify someone for such investigations or to impose such liability.

Before disclosing PHI, a Regulated Entity should seek an attestation from any third-party seeking PHI that is potentially related to RHC when the request for PHI is for:

• Health oversight activities
• Judicial or administrative proceedings
• Law enforcement
• Disclosures about decedents to coroners

Requests for PHI from state licensing boards, government agencies, attorneys issuing subpoenas, sheriff’s offices, and coroners and medical examiners should be carefully reviewed to determine whether the PHI requested is potentially related to RHC. If it is, the Regulated Entity may not share the PHI unless it first obtains a signed attestation from the requestor. The attestation must clearly state that the information will not be used for a prohibited purpose.

However, the rule against sharing information only applies if the Regulated Entity believes the RHC provided followed state and federal laws. RHC is generally assumed to be legal unless the Regulated Entity either knows or has evidence that it was not. There are two circumstances where this prohibition would not apply:

• If a person obtains reproductive healthcare that is not legal under state or federal law, the healthcare would not be “lawful under the circumstances in which it was provided.” For example, if the PHI sought pertains to pregnancy termination services of a woman who is 14 weeks pregnant, but the state law prohibits abortions after 8 weeks, then the prohibition against disclosure would not apply. The Regulated Entity should release the PHI per HIPAA’s other provisions.
• If a person requesting PHI identifies a legal basis for the request beyond the mere act of a person having sought, obtained, provided, or facilitated RHC that was lawful under the circumstances in which it was provided, the prohibition would not apply.

EXAMPLES OF PERMISSIBLE DISCLOSURES

In the preamble to the Final Rule, OCR provides several examples of how PHI potentially related to RHC may be shared for health oversight, law enforcement, or judicial or administrative purposes:

• A covered healthcare provider may disclose PHI to a medical licensing board investigating a healthcare provider’s actions related to its obligation to report suspected elder abuse. This is assuming the disclosure meets the conditions of an applicable Privacy Rule permission. This disclosure is permitted because the Final Rule does not bar the use or disclosure of PHI for health oversight purposes unrelated to the mere act of seeking, obtaining, providing, or facilitating RHC.
• The Final Rule does not prohibit the disclosure of PHI for investigating allegations of – or imposing liability for – sexual assault, sex trafficking, or coercing minors into obtaining RHC, assuming that law enforcement provided a valid attestation and met the other conditions of the applicable HIPAA permission.

PRACTICAL CONCERNS AND NEXT STEPS

The definition of RHC is comprehensive and includes contraception, fertility diagnosis and treatment, and diagnosis and treatment of conditions that affect the reproductive system. These services provided to persons of any gender technically qualify as RHC.

The Final Rule was enacted to address concerns about state laws seeking to investigate or prosecute individuals who search or arrange for abortion care in another state. A practical approach to compliance would be to obtain attestations only when the PHI relates to women.

Regulated entities should:

• Carefully review and utilize the Model Attestation form prepared by Health and Human Services
• Establish a process for obtaining signed attestations in appropriate circumstances
• Update their business associate agreements to ensure that their business associates (including, without limitation, medical record transfer companies) also comply with the Final Rule
• Consult with their legal counsel regarding what constitutes lawful RHC in their states of operation to assist them in responding to third-party requests

Release of information personnel should receive specific training regarding the form’s requirements and the Final Rule to ensure that PHI potentially related to RHC is not improperly disclosed.

There has been broad speculation that the Trump Administration will seek to reverse or not enforce the Final Rule. However, until any such official action is taken, healthcare providers and their business associates must seek and obtain attestations and otherwise comply with the new requirements.

RESOURCES

1. S. Department of Health and Human Services, Final Rule HIPAA Privacy Rule to Support Reproductive Health Care Privacy. https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/index.html
2. S. Department of Health and Human Services, HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html