On April 26, 2024, the U.S. Department of Health and Human Services (HHS) implemented a Final Rule enhancing the HIPAA Privacy Rule to safeguard reproductive health care privacy. Given the recent Dobbs decision, HHS expressed concern that the threat of disclosure of PHI to investigate or impose liability on individuals seeking lawful health care and providers providing such care may ultimately undermine access to and quality of health care generally.

The Final Rule has three main components: first, a bar on certain uses or disclosures of PHI if the request for PHI is made to investigate or impose liability for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person as conducting in such activities (whether the investigation or potential liability is civil, criminal, or administrative); second, regulated entities (both CEs and BAs) are mandated to collect a signed attestation confirming that requests for PHI that potentially relate to reproductive health care are not for these restricted purposes; and third, health care providers, health plans, and clearinghouses must update their privacy notices to align with these measures.

In essence, these changes fortify the HIPAA Privacy Rule, reinforcing confidentiality and privacy rights for individuals seeking and providing lawful reproductive health care, yet questions remain on how effectively HIPAA regulated entities would be able to correctly determine whether PHI was being requested for permitted or prohibited purposes (an issue even HHS recognized).

The Final Rule is effective June 25, 2024, with a compliance date of December 23, 2024. Privacy notice requirements must be met by February 16, 2026.

View the Final Rule on the Federal Register. 

View The Final Rule Fact Sheet here.