Update to MSMS HIPAA Guide: New Final Rule Enhances Privacy Protections for Reproductive Health Care


Last year, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) issued a Final Rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to protect access to and privacy of reproductive health care. The Final Rule responds to evolving legal landscapes following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization by imposing new limitations on disclosures of information relating to reproductive health care. The Final Rule also requires covered entities and business associates to make certain updates to their Notice of Privacy Practices with respect to reproductive health care.

The following are some of the key requirements under the Final Rule:

  • “Reproductive Health Care” Defined: The Final Rule broadly defines “reproductive health care” as health care that “affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”
  • Limitations on Disclosures of Information Related to Reproductive Health Care: Physicians and other covered entities and their business associates are prohibited from disclosing protected health information (PHI) in response to a request made for the purpose of conducting a criminal, civil, or administrative investigation or imposing liability for the mere act of seeking, obtaining, providing or facilitating reproductive health care (where such health care is lawful under the circumstance provided), or to identify a person for purposes of such investigation or imposing such liability.

The Final Rule clarifies that the prohibition applies whenever the covered entity or business associate reasonably determines that the reproductive health care at issue (1) is lawful under the circumstances in which it is provided, (2) is protected, required or authorized by Federal law, including the U.S. Constitution, or (3) was provided by a person other than the covered entity or business associate that received the request for the PHI. Thus, practices that do not necessarily render reproductive health care but may receive medical records from physicians and other providers that do render reproductive health care should be especially mindful of this prohibition. Importantly, the prohibition does not apply if the request is not made to investigate or impose liability for the mere act of seeking, obtaining, providing or facilitating reproductive health care.

The Final Rule includes a presumption that reproductive health care provided by a person other than the covered entity or business associate receiving the PHI request was lawful. However, this presumption may be rebutted if the covered entity or business associate has actual knowledge or receives factual information indicating otherwise.

Attestation Requirement: When PHI related to reproductive health care is requested for health oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosure to coroners or medical examiners, covered entities (and business associates) must first obtain a signed attestation from the requestor affirming that the use or disclosure of such PHI is not for any Prohibited Purpose. Attestations for reproductive health care information may be provided and executed electronically. Importantly, a new attestation is required for each use or disclosure request.

OCR issued a Model Attestation for a Requested Use or Disclosure of Protected Health Information Potentially Related to Reproductive Health Care, which may be used by a covered entity or business associate when it receives a request for PHI potentially related to reproductive health care that requires a signed attestation. Covered entities and business associates may develop their own attestation form, so long as such form includes the required elements as set forth in the Final Rule.

Updates to Notice of Privacy Practices (“NPP”): Covered entities must revise their NPPs before February 16, 2026 to reflect the new prohibitions and attestation requirements. The updates must include clear descriptions and examples of the types of uses and disclosures that are prohibited by the Final Rule or which require attestation by the requestor that the use or disclosure is not for any Prohibited Purpose.

Updated HIPAA Guide: MSMS has updated its HIPAA Guide, which provides physicians with additional information regarding the Final Rule, as well as sample language physicians may use to update their NPP and comply with the attestation requirement.

Physicians should review the HIPAA Guide and consider updates to their practice forms and policies to comply with the new requirements of the Final Rule. Medical practices should additionally ensure that staff members who handle and respond to requests for medical records and other requests for protected health information receive training on the new requirements.