DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses the 2024 HIPAA Privacy Rule to Support Reproductive Healthcare Privacy, including the law's requirements and the fact that it was subsequently vacated (set aside) in 2025.
What is the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy (Final Rule)?
In April of 2024, HHS issued a Final Rule, the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy. In a press release accompanying the Final Rule, HHS reports that “The Final Rule strengthens the Health Insurance Portability Act of 1996 (HIPAA) Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive healthcare in certain circumstances.”
The law became official ("went on the books") on June 25, 2024. Enforcement of the Final Rule began on December 23, 2024.
What Does the Final Rule Do?
The Final Rule modifies the existing Privacy Rule by changing the definition of the term “person.” The Final Rule also adds definitions for the terms “public health” and “reproductive healthcare.”
According to a Fact Sheet accompanying the Final Rule, the Final Rule “strengthens privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a covered health care provider, health plan, or health care clearinghouse—or their business associate—for either of the following activities:
"To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, where such health care is lawful under the circumstances in which it is provided.
The identification of any person for the purpose of conducting such investigation or imposing such liability.”
What Are Permitted Uses or Disclosures of PHI?
Per the Fact Sheet, “The Final Rule continues to permit covered health care providers, health plans, or health care clearinghouses (or business associates) to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for the use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare,” or where the request is not made to identify someone for the purpose of conducting such an investigation or imposing such liability.
Other Final Rule Requirements: Attestations and Notices of Privacy Practices (NPPs)
The Fact Sheet reports that the Final Rule “requires a covered health care provider, health plan, or health care clearinghouse (or business associates), when it receives a request for PHI potentially related to reproductive healthcare, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose.”
The Fact Sheet also reports that the Final Rule “requires covered health care providers, health plans, and health care clearinghouses to revise their Notices of Privacy Practices (NPPs) to support reproductive healthcare privacy.”
What Other Changes Does the Final Rule Make to the Notice of Privacy Practices (NPP) Requirement?
The Final Rule requires covered entities to revise their Notices of Privacy Practices to cover patient rights with respect to the confidentiality of substance use disorder records under 42 CFR Part 2. This requirement will not be enforced until February 16, 2026, at the earliest.
Where Can I Find the Final Rule?
The Final Rule itself can be viewed here. This document includes the actual changes to the Privacy Rule regulations, information relating to the impact of the regulatory changes, as well as HHS commentary and response to comments received. The actual text of the Final Rule begins on the page marked “33062” and ends on the page marked “33066”.
Update (8/13/24):
HHS has published a Model Attestation for a Requested Use or Disclosure of Protected Health Information Potentially Related to Reproductive Health Care. The model attestation can be found here.
Update (9/4/24):
On September 4, 2024, the state of Texas filed a lawsuit in federal District Court seeking a declaration from a District Court judge that the Final Rule is illegal and should be stricken from the law books because, as Texas claims, no legal authority gave HHS the right to issue the Final Rule in the first place. The case has been assigned to U.S. District Judge James Wesley Hendrix. There is no specific timeline by which Judge Hendrix must issue a decision. Compliancy Group will monitor developments in the litigation and will post updates about those developments as they occur.
Update (10/21/24):
On October 21, 2024, a Texas family physician filed a lawsuit seeking to invalidate the HIPAA Reproductive Healthcare Privacy Rule. In the lawsuit, Dr. Carmen Purl alleges that the rule requires her to bear the risk that complying with a lawfully issued subpoena will be deemed a violation of HIPAA.
In her lawsuit against HHS, Dr. Purl seeks declaratory and injunctive relief against enforcement of the rule. When someone seeks "declaratory relief," that person seeks to have a court issue an order - here, an order that the rule is illegal. When someone seeks "injunctive relief," that person seeks to have a court issue an injunction. An injunction is a court order directing a party either to take action or to refrain from taking action. Dr. Purl seeks to have a court issue an injunction preventing HHS from enforcing the rule.
The case has been assigned to U.S. District Judge Matthew Kacsmaryk. There is no specific timeline by which Judge Kacsmaryk must issue a decision. Compliancy Group will monitor developments in the lawsuit and will post updates about those developments as they occur.
Update (6/18/25):
On June 18, 2025, Judge Kacsmaryk issued an order declaring unlawful and vacating sections of the 2024 Privacy Rule concerning heightened requirements for sharing PHI relating to reproductive health care.
Judge Kacsmaryk's decision is effective for anyone needing to comply with the HIPAA Privacy Rule.
Impact on Policies and Programs:
The 2024 Privacy Rule changes are included only in programs created on or after December 23, 2024. If your HIPAA Risk Assessment, HIPAA for Small Practices, or Privacy Program was created before that date, it does not contain the content reflecting the now vacated regulation.
For information on how to update your Privacy Program or HIPAA Risk Assessment following the Vacated Privacy Rule Regulation, please view this knowledge base article, Updating Policies and Programs for Privacy Rule Changes.