Contact

A recently issued HIPAA Final Rule governs the use and disclosure of protected health information (PHI) potentially related to reproductive health care. This rule has a compliance deadline of December 23, 2024, and introduces new requirements designed to safeguard the privacy of individuals receiving reproductive health care services.

While this rule is currently facing legal challenges, covered entities and business associates must be prepared to comply with its requirements by the deadline. It is understandable if organizations wish to wait for the resolution of the legal challenges before overhauling their HIPAA policies, procedures, and related documents. However, compliance with the attestation requirement is mandatory starting December 23, 2024.

Key Compliance Requirement: Attestation for Certain Disclosures

Under the Final Rule, covered entities and business associates must obtain a signed attestation from a requestor before disclosing PHI potentially related to reproductive health care for purposes such as health oversight, judicial or administrative proceedings, law enforcement, or coroner and medical examiner requests. This requirement extends not only to requests from governmental entities, but also to requests from private parties because certain state laws related to reproductive health care may be enforced by private individuals.

The attestation must confirm the PHI will not be used for prohibited purposes, such as investigating or penalizing lawful reproductive health care. HHS has published a model attestation for reference.

Example Situations

  • A mental health counselor receives a subpoena for session notes about a patient who mentioned anxiety related to an unplanned pregnancy. Even if the notes do not explicitly mention an abortion or other reproductive procedures, the fact that the counseling sessions addressed pregnancy-related concerns means the PHI is “potentially related to reproductive health care.” The counselor must obtain a signed attestation from the requestor confirming the PHI will not be used to investigate or impose liability for reproductive health decisions before disclosing the session notes.
  • A radiology center receives a request from a coroner for imaging records of a deceased patient. The patient underwent a pelvic ultrasound during her pregnancy, which could pertain to decisions about her reproductive health. Even if the records do not specifically indicate abortion or contraception, the imaging is “potentially related to reproductive health care.” The radiology center must secure an attestation from the requestor confirming the PHI will not be used for prohibited purposes under the Final Rule.
  • A hospital receives a subpoena from a private individual requesting information about medications prescribed to a patient. The requested information includes progesterone, a medication commonly prescribed for various reproductive health conditions. Before disclosing this information, the hospital must obtain a signed attestation from the requestor confirming that the information will not be used for prohibited purposes, in compliance with the Final Rule.

Steps to Prepare for Compliance

  • Revise Policies and Procedures: Covered Entities and business associates must incorporate the attestation requirement into their policies and procedures for processing PHI requests related to reproductive health care. As stated above, we understand that organizations may wish to wait for the resolution of legal challenges before revising their policies and procedures, but it is critical to ensure that the organization complies with the attestation requirement starting December 23, 2024.
  • Train Staff: Train relevant staff on how to identify requests that fall under the Final Rule and ensure they understand the attestation process.
  • Update Business Associate Agreements: Business associate agreements should be updated to ensure that business associates agree to comply with the Final Rule.
  • Update Notice of Privacy Practices: The Final Rule require updates to each covered entity’s Notices of Privacy Practices related to the reproductive health care requirements. The compliance date for implementing those changes is February 16, 2026.
  • Monitor Legal Developments: Organizations should continue monitoring the legal challenges to the Final Rule.


This summary is a broad overview of a complex topic, and it does not constitute legal advice. If you have any questions, please contact Casey Moriarty (cmoriarty@omwlaw.com), Katherine Robertson (krobertson@omwlaw.com), or any other attorney at Ogden Murphy Wallace if you have any questions. 

Return to main
Author(s)
Casey Moriarty

Casey Moriarty

Member
Katherine Robertson

Katherine Robertson

Associate
Related Attorneys
Steve Burgon

Steve Burgon

Member
Madeleine Haller

Madeleine Haller

Member
M. Re Knack

M. Re Knack

Member
Lee Kuo

Lee Kuo

Member
David Schoolcraft

David Schoolcraft

Member
Adam Snyder

Adam Snyder

Member
Carrie Soli

Carrie Soli

Member
Practices & Industries

Health Law

Hospitals, Health Systems, and Provider Entities

Related News & Events

Image for HIPAA Deadline Approaching: What to Know About Reproductive Health Privacy Rules
Update

HIPAA Deadline Approaching: What to Know About Reproductive Health Privacy Rules