
Navigating HIPAA's reproductive healthcare data privacy rule

Compliance with a final rule to support reproductive healthcare data privacy can help entities mitigate risk despite the rule’s various legal challenges.

In April 2024, the Biden administration issued a final rule to strengthen reproductive healthcare privacy under HIPAA, nearly two years after the U.S. Supreme Court overturned Roe v. Wade. When the final rule was released, HHS officials hoped that it would counteract the chilling effect caused by ongoing legal challenges to reproductive healthcare and the data privacy concerns that came with it.

The HIPAA Privacy Rule to Support Reproductive Health Care Privacy took effect in June 2024, with a compliance date of December 23, 2024 for most of its provisions. It prohibits covered entities and business associates from using or disclosing protected health information (PHI) for the purpose of imposing criminal, civil or administrative liability on a person for obtaining, providing or facilitating reproductive healthcare that is lawful under the circumstances in which it was provided.

Now, the rule is facing several legal challenges from states arguing that it goes against existing provisions within HIPAA. What's more, the Trump administration has different views on reproductive healthcare than the previous administration.

While the new administration's enforcement of this rule is uncertain, covered entities can use this period of ambiguity to strengthen their privacy practices in accordance with the final rule as it stands today and prepare for any future changes to HIPAA.

Understanding the reproductive healthcare privacy final rule

Before the April 2024 rule, HIPAA-covered entities and business associates were already barred from using or disclosing PHI without the individual's authorization except for permitted purposes such as treatment, payment and healthcare operations, and a set of enumerated exceptions. Those exceptions included disclosures in connection with health oversight activities, judicial or administrative proceedings and law enforcement requests, and none of them distinguished reproductive health information from any other PHI.

"And after the Dobbs decision overturning Roe v. Wade, there were laws passed outlawing abortion or limiting abortion in a number of states. There was concern about the ability of law enforcement authorities to access reproductive health information and use it to prosecute women who had abortions, healthcare providers who provided abortions," said Roger Cohen, partner in law firm Goodwin's healthcare practice.

"So, the Department of Health and Human Services amended the HIPAA regulations with specific focus on reproductive health information."

The new rule prohibits covered entities from disclosing PHI for the purposes of conducting a criminal, civil or administrative investigation into any person for the act of seeking, obtaining, providing or facilitating legal reproductive healthcare.

Additionally, the rule requires covered entities to obtain a signed attestation from the requester whenever PHI potentially related to reproductive healthcare is requested for health oversight, judicial or administrative proceedings, law enforcement, or coroner and medical examiner purposes. The attestation states that the requested use or disclosure is not for one of the prohibited purposes. Under the final rule, covered entities must also modify their Notice of Privacy Practices to describe the new protections; that change has a later compliance date of February 16, 2026.

Legal challenges spur uncertainty

The rule has been met with numerous legal challenges, making its future uncertain. In September 2024, Texas Attorney General Ken Paxton sued HHS over the rule, alleging that it unlawfully prevents states from using their investigative authority.

Paxton argued that the reproductive healthcare data privacy rule, as well as a 2000 rule under HIPAA called the "Standards for Privacy of Individually Identifiable Health Information," go against existing provisions within HIPAA that are meant to preserve states' investigative authority.

The lawsuit alleged that the two rules violate the Administrative Procedure Act, which dictates the federal regulatory process.

"This new rule actively undermines Congress's clear statutory meaning when HIPAA was passed, and it reflects the Biden Administration's disrespect for the law," Paxton stated in an accompanying press release at the time. "The federal government is attempting to undermine Texas's law enforcement capabilities, and I will not allow this to happen."

In addition to the Texas lawsuit, 15 states joined forces to challenge the rule in January 2025, just days before President Trump took office.

The states alleged that the final rule would "hamper States' ability to gather information critical to policing serious misconduct like Medicaid billing fraud, child and elder abuse, and insurance-related malfeasance."

"As another court has indicated, that result flouts HIPAA, which specifically preserves States' longstanding authority to investigate healthcare-related issues," the filing stated.

These legal challenges raised questions about HIPAA's limits, with the states arguing that the new rule interferes with states' ability to conduct public health investigations.

"One other interesting factor here is that agencies, prior to the overturning of Chevron -- or, changing of the law around the deference that agencies get in rulemaking -- an agency would get deference in how it interpreted what public health means. But that's no longer the law," Cohen noted.

"So really, a court gets to decide what Congress intended when it said the law shouldn't interfere with public oversight of public health."

If these cases move forward, it will be up to the courts to decide whether the rule is consistent with provisions of HIPAA. Alternatively, the rule could be changed or rescinded by the current administration. Regardless of what happens to the rule, covered entities can act now to ensure they are in compliance with the rule as it stands today.

Tips for compliance with the rule as it stands

HIPAA compliance is a constant work in progress for covered entities and business associates, which must continually evaluate and monitor their adherence to HIPAA's many provisions. When a new rule takes effect, it presents another opportunity for entities to sharpen their privacy and compliance practices.

"One low-hanging fruit or box to check is to update your notice of privacy practices and distribute the updated notice to patients," Cohen noted. "The regulations are still in effect, and so regulated entities should comply with them."

Updating the notice of privacy practices to reflect this rule satisfies one of its explicit requirements and gives patients a clear statement of how the entity will handle requests for their reproductive health information.

"If you get a request for reproductive health information, consult with your counsel on the request to ensure you're complying with the regulations," Cohen also advised.

As it stands, covered entities and business associates are prohibited from disclosing PHI in certain circumstances but are permitted to do so in others. For example, if a patient traveled to another state to receive reproductive healthcare that is lawful in that state, the covered entity may not disclose that information for the purpose of investigating or imposing liability on the patient for obtaining it, even if the care would be unlawful in the patient's home state.

However, there are other circumstances where disclosures remain permitted. For example, a covered entity would be allowed to disclose PHI to defend itself in an investigation of professional misconduct or negligence in the provision of reproductive healthcare, because the rule's prohibition applies only to investigations of the act of seeking, obtaining, providing or facilitating lawful care.

In addition to consulting with legal counsel and updating your notice of privacy practices, covered entities should keep an eye on the status of the final rule and the legal challenges to it. The future of the rule is uncertain, but compliance with HIPAA is a constant.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
