Enhanced HIPAA privacy protections will come into effect on June 25, 2024.
New rules from the Department of Health and Human Services Office for Civil Rights (HHS) provide that certain privacy and security protections provided by the Health Insurance Portability and Accountability Act of 1996 and its related regulations are to be applied to “reproductive health” (the “HIPAA RHC Rule”). The HIPAA RHC Rule, which goes into effect on June 25, applies to employer-sponsored group health plans, health care providers, health care clearinghouses, other covered entities, and their business associates (collectively, “Regulated Entities”). Regulated Entities have until December 22, 2024 to comply with the HIPAA RHC Rule, with an exception that they must make required updates to their HIPAA Notice of Privacy Practices by February 16, 2026.
This Client Alert explains how the HIPAA RHC Rule affects employer-sponsored group health insurance plans (and their business associates).
What does reproductive health care include?
The HIPAA RHC Rule was originally intended as a response to the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization. Compared to subsequent state anti-abortion laws, HIPAA’s protections go far beyond the right to an abortion. HHS has stated that it recognizes that Dobbs has far-reaching implications for reproductive health care beyond access to abortion, and that it wants to ensure that individuals do not forgo needed reproductive health care for fear that their health care information will be leaked or used in investigations or legal proceedings against them. HHS has also indicated that it recognizes that reproductive health information is particularly sensitive and that enhanced privacy protections are needed to ensure the integrity of medical records and to facilitate the sharing of such sensitive information so that individuals can receive appropriate medical care.
As a result, “reproductive health care” is broadly defined in the HIPAA RHC Rule as health care that “affects the health of an individual in all matters related to the reproductive system and its functions and processes.” The rule provides a non-exclusive list of examples that fall within the definition of “reproductive health care,” including:
- Contraception (including emergency contraception)
- Preconception Screening and Counseling
- Management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment of preeclampsia, hypertension during pregnancy, gestational diabetes, hydatidiform or ectopic pregnancy, and termination of pregnancy
- Diagnosis and treatment of infertility, including assisted reproductive techniques and their components (e.g., in vitro fertilization (IVF))
- Diagnosis and treatment of diseases affecting the reproductive system (e.g. perimenopause, menopause, endometriosis, adenomyosis)
- Other types of care, services, and supplies used to diagnose and treat conditions related to the reproductive system (e.g., mammograms, pregnancy-related nutritional services, postpartum care products)
Based on the examples and comments provided by HHS when it released the HIPAA RHC rule, it is clear that the definition was intended to be broad.
What protection does it provide?
Rather than creating an entirely new subset of PHI that cannot be easily separated, such as psychotherapy notes, HHS decided to prohibit uses and disclosures of PHI related to reproductive health care based on their purpose. Thus, uses and disclosures of an individual’s PHI related to reproductive health care will be restricted in certain non-healthcare settings.
Specifically, the HIPAA RHC Rule prohibits a group health plan from using or disclosing an individual’s PHI related to his or her reproductive health care if the use or disclosure is required for any of the following purposes:
- Conducting criminal, civil, or administrative investigations into the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- Imposing criminal, civil, or administrative liability only for the act of seeking, obtaining, providing, or facilitating reproductive health care when such care is lawful under the circumstances in which it is provided.
- Identifying any person for the purposes of conducting such investigations or imposing such liability.
The HIPAA RHC rule includes a non-exclusive list of what is included in “seeking, obtaining, providing, or facilitating” reproductive health care, including expressing an interest in, using, performing, providing, paying for, disseminating information about, arranging for, insuring, administering, authorizing, providing compensation for, approving, counseling, assisting, or taking any other action to engage in reproductive health care, or attempting any of these.
Unlawful reproductive health care is not protected
It is important to understand that if the group health plan’s HIPAA Privacy Officer reasonably determines that the reproductive care was not lawful under the circumstances (based on the laws of the state in which the care was provided), the protections of the HIPAA RHC Rule do not apply. If the HIPAA Privacy Officer determines that the reproductive care was unlawful under the circumstances, the group health plan will be permitted to disclose medical information in these non-medical settings in accordance with HIPAA’s normal privacy and security requirements.
Presumptions Applicable to Group Health Insurance
A group health plan may presume that the medical care provided was lawful unless it has actual knowledge to the contrary or the requester provides factual information showing a substantial factual basis indicating that the medical care was not lawful. In addition, regardless of applicable state law, a group health plan may refuse to disclose PHI related to reproductive health care in circumstances where the reproductive health care is protected, required, or permitted by federal law.
Additional certification requirements for specific requests
If a group health plan receives a request for PHI related to reproductive health care for health care oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosure to a coroner or medical examiner, the group health plan must obtain a signed and dated certification from the person or entity requesting the use or disclosure. The certification must generally identify the type of PHI being requested and state that the requested use or disclosure is not for a prohibited purpose. In addition, the certification must include a notice that any person who knowingly obtains or discloses PHI in violation of the HIPAA Privacy or Security Rules is subject to criminal penalties.
Notably, the HIPAA RHC rule provides that material misrepresentations may result in criminal liability. Additionally, group health plans may be subject to civil penalties if they fail to obtain the required attestations. HHS has announced that it plans to provide model attestations prior to the December compliance date.
Changes to the HIPAA Notice of Privacy Practices
By February 16, 2026, group health plans must update their Notice of Privacy Practices to include information about how PHI related to reproductive health care may be used or disclosed. Instances in which such uses or disclosures may occur must be included in the notice.
Action items:
To ensure compliance with the HIPAA RHC rule, group health insurance plans should consider the following action items:
- Update the plan’s HIPAA policies and procedures detailing permitted uses and disclosures to include disclosure requirements applicable to PHI related to reproductive health care.
- Update the plan’s business associate agreements and ensure that business associates agree to comply with the HIPAA RHC Rule.
- Update the plan’s HIPAA Notice of Privacy Practices to include prohibitions on and provide examples of uses and disclosures of PHI related to reproductive health care.
- Redistribute the updated HIPAA Notice of Privacy Practices.
- Develop an attestation form to be used by anyone requesting PHI that may be related to reproductive health care (HHS will provide a model form, but any attestation that complies with the HIPAA RHC Rule will do).
- Train employees with access to PHI on new prohibitions, use of proper attestations, and changes to the plan’s HIPAA policies and procedures, and document the training.
Employer-sponsored group health insurance plans should take the time now to understand how the requirements of the HIPAA RHC Rule will affect their operations and begin implementing any necessary changes. Group health insurance plans should be aware of state-by-state variations that apply to reproductive health care and should consult with legal counsel if issues arise.