The Department of Health and Human Services (HHS) recently released a major Final Rule for all covered entities and business associates under HIPAA under 45 CFR Parts 160 and 164 (link).
The Final Rule includes the following highlights, all of which have a compliance date of December 23, 2024:
- Reproductive Health Care: New term defined as health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.
- Increased Disclosure Protections: PHI related to reproductive health care may not be used or disclosed for certain investigations or imposition of penalties where that reproductive health care was lawful or otherwise allowed under Federal law. It also may not be used to identify any person for such purposes.
- Presumption of Legality: Generally required to presume that any reproductive healthcare at issue was lawful under the circumstances in which it was provided when considering requests for use of disclosure of reproductive PHI.
- Mandatory Reporting Excludes Reproductive Health Care: Reproductive health care may not be used as a basis for a reasonable belief that domestic violence, abuse, or neglect has occurred.
- Attestation Required for Some Uses and Disclosures: Required to obtain an attestation from individuals requesting the use or disclosure of PHI potentially related to reproductive healthcare. The requested PHI may then only be disclosed if attestation states that the information will not be used against a provider or patient in legal cases related to providing or receiving reproductive health care.
- Defective Attestations: If this PHI is used or disclosed in reliance on a defective attestation, then the covered entity or business associate that used or disclosed that PHI will be in non-compliance with HIPAA.
- Materially False Attestations: If it is discovered that any representation in an attestation is materially false, then the covered entity or business associate must cease any use or disclosure of reproductive PHI for that attestation.
- Administrative Requests: Reproductive PHI may only be disclosed in response to an administrative request when a response is required by law.
OMW will continue to stay on top of these new rules and is available should any questions arise. We will also continue to provide updates with additional details about associated rules, which include required updates to Providers’ Notice of Privacy Practices in early 2026.