
The Biden administration is updating HIPAA to protect reproductive healthcare information

A new rule bars healthcare organizations subject to privacy laws from disclosing information related to reproductive healthcare under certain circumstances.

Photo Illustration: Dianna “Mick” McDougall, Sources: Getty Images


President Joe Biden’s administration recently moved to limit the circumstances in which healthcare entities can share patients’ private reproductive health information.

A final rule issued by the Department of Health and Human Services (HHS) on April 22 modifies the 1996 Health Insurance Portability and Accountability Act (HIPAA) by prohibiting healthcare providers and plans from disclosing protected health information “related to lawful reproductive healthcare” in certain cases.

The overhaul of the privacy law is a response to the evolving legal landscape shaped by the 2022 Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, which has prompted more than a dozen states to make abortion unlawful in most cases. As a result, “many Americans are scared their private medical information will be shared, misused, and disclosed without permission,” HHS Secretary Xavier Becerra said in a statement.

Here’s what healthcare pros should know about the rule, which goes into effect June 25.

Who’s affected by the rule? Any healthcare plans, providers, or clearinghouses—as well as their business associates—that are subject to the federal law must comply with this rule. This group is also referred to as “regulated entities.”

What does the rule do? In some cases, covered entities are barred from disclosing protected health information related to reproductive healthcare that is lawful under either federal or state law. This means if a resident traveled out of state to receive reproductive care, the rule would apply so long as the jurisdiction where they received care legally permits it.

Regulated entities may not disclose protected health information related to lawful reproductive healthcare if it’s being requested for either of the following reasons:

  • To conduct an investigation into or hold responsible an individual “for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare” in a place where the care is legal. This applies to investigations or liabilities that are criminal, civil, or administrative.
  • To identify a person for an investigation or liability of this nature.

To comply with the rule, regulated entities must get a signed attestation from the party requesting the protected health information to verify it’s not being used for a “prohibited purpose.”

How should healthcare professionals prepare? Part of the rule will require regulated entities to assess whether the reproductive care in question was lawful. Staying up to date on this may be complicated, “given the patchwork of state laws that restrict or attempt to criminalize the provision of certain forms of reproductive healthcare,” Jill Steinberg, a partner at Arent Fox Schiff who heads up the law firm’s reproductive health task force, told Healthcare Brew via email.


“Providers should stay informed about the laws of the states where they operate, and consider the extent to which they provide reproductive healthcare to patients from other states with more restrictive reproductive health laws,” Steinberg wrote.

Healthcare pros affected by the rule should also work with their legal and compliance teams to update their privacy policies and procedures, revise their notice of privacy practices, and update their compliance training so employees understand “acceptable uses and disclosures” of protected health information under the new rule, Steinberg said. They should also “proactively develop and implement a process” for using the attestation required by the rule. The HHS Office for Civil Rights is expected to release a model attestation by the end of the year, Steinberg noted.

Regulated entities have until December 23, 2024, to comply with most components of the rule, though notice of privacy practices won’t need to be updated until February 16, 2026. It’s likely the federal government will release a template for notice of privacy practices that aligns with the rule as well, Valerie Montague, a partner in the healthcare practice of law firm Nixon Peabody, told Healthcare Brew.

It will be important for HIPAA-regulated entities to have an understanding of the reproductive health data they possess to determine if a private health information request falls under these new regulations, Montague said.

“A lot of it is going to come down to training and communication, and making sure your frontline team who handles these requests understand what the obligations are,” she said. Updating disclosure policies will be particularly important for organizations working with third-party associates, “because you don’t want anyone disclosing when they shouldn’t—or not disclosing when they should—when they’re asking on your behalf,” she added.
