On April 22, 2024, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, modifying the privacy rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (hereinafter, the “2024 Privacy Rule”). This final rule establishes a regulatory framework aimed at safeguarding privacy as well as ensuring access to reproductive health care in response to the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization. The 2024 Privacy Rule went into effect on June 25, 2024; however, it established a timeline for covered health care providers, health plans, health care clearinghouses (“Covered Entity” or “Covered Entities”) and their business associates until December 23, 2024, to comply with the provisions of the 2024 Privacy Rule.1
Below is a summary of the key developments:
Prohibitions under the 2024 Privacy Rule
Covered Entities and their business associates are prohibited from using or disclosing protected health information (“PHI”) for the following purposes: (i) conducting a criminal, civil, or administrative investigation or imposing liability on anyone for simply seeking, obtaining, providing, or facilitating reproductive health care; or (ii) identifying individuals for the purpose of conducting such investigations or imposing such liability.
The prohibition applies only when the activity relates to someone seeking, obtaining, providing, or facilitating reproductive health care, and when: (i) the reproductive health care is lawful under state law in which such health care is provided; (ii) the reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state law where the health care is provided; or (iii) the reproductive health care was provided by someone other than a Covered Entity, and that person has no knowledge that the care was unlawful.
Attestation
Covered Entities must obtain a valid attestation when receiving a request for PHI potentially related to reproductive health care. The attestation must confirm that the requestor will not use or disclose the PHI for prohibited purposes. This requirement applies when the request is for health oversight activities, judicial and administrative proceedings, law enforcement, or disclosures to coroners and medical examiners.
This Notice to Clients and Friends has been prepared for information purposes only and is not intended,
and should not be relied upon, as legal advice. To further discuss or obtain additional information, please
contact us at your convenience.
Víctor Rodríguez Reyes
vrodriguez@ferraiuoli.com
Karla-In Encarnación Pak
kencarnacion@ferraiuoli.com
- Covered entities must update their Notice of Privacy Practices (NPP) to reflect changes in both the 2024 Privacy Rule and the Part 2 regulation (a separate rulemaking). The compliance date for these NPP requirements is February 16, 2026. ↩︎