Reproductive Care Final Rule: What It Means and What Organizations Need to Do

Marisol Cooke, Director, Health Care Consulting Practice
Glassy lake in the mountains

In April 2024, a federal ruling related to HIPAA privacy around reproductive rights introduced enhanced privacy protections for patients and providers.

Beyond awareness about compliance, integrating upgraded security protocols to safeguard sensitive reproductive health information could help reinforce patient security—and trust.

Background

The Biden-Harris Administration, through the Office of Civil Rights issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy to support and enhance reproductive health care privacy by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances.

Amendments to the privacy rule will become effective on June 25, 2024, and regulated entities must be in compliance with most of them by December 22, 2024.

Who’s Impacted

  • Regulated health care providers
  • Health plans
  • Health care clearinghouses
  • Business associates of the above
  • Patients

What’s Changed: Law Enforcement Exception

The original rule set out to define protected PHI for individuals, who’s covered, what information is protected, and how this protected information can be used and disclosed. Organizations are prohibited from sharing health information without a patient’s written consent, except in certain situations as with certain public needs, including law enforcement. In such cases, organizations may share patient information with the police if, say, they’re responding to a legal order like a subpoena or warrant.

Following the US Supreme Court’s Dobb’s decision in 2022, overturning Roe v. Wade (which concluded that the constitution doesn’t protect the right to abortion), 21 states have banned abortion and restricted other reproductive rights.

The final rule enhances privacy protections and prohibits the disclosure of PHI related to lawful reproductive health care in certain circumstances, to protect patient confidentiality and prevent medical records from being used against people for providing or obtaining lawful reproductive health care. 

Amendments now prohibit the disclosure of PHI when it’s requested for the purpose of investigating or imposing liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care if:

  • Care was received in a state where it’s legal, and outside the state where the investigation is authorized
  • Care is protected or explicitly allowed by federal law, no matter the state it was provided in
  • Organization receiving the request doesn’t know the care was illegal, and no solid evidence was provided to suggest otherwise

Key Provisions and Implications

Some core impacts of the ruling are as follows:

Enhanced Privacy Protections

The rule mandates stricter access controls and sharing protocols requiring health care providers to obtain clear, explicit consent from patients before disclosing reproductive health information.

Patient Rights Expansion

Patients now have greater authority to dictate how their information is shared, particularly concerning disclosures to insurers and other health care entities.

Patients can request that their reproductive health information not be shared with certain entities, including other health care providers or insurers, unless explicitly required by law. This is particularly significant given the varying state laws on reproductive rights.

Upgraded Security Protocols

Implementation of advanced security measures for storing and transmitting reproductive health information electronically is now essential.

Educational Responsibilities

Health care providers must educate their staff and patients about these new protections, ensuring everyone understands their rights and obligations under the new rule.

Attestation

The rule requires covered entities to obtain attestation from the requestor that their written request for the patient’s PHI aren’t for a prohibited purpose.

Preparation for Compliance

Navigating the complexities of health care regulations while maintaining the highest standards of patient privacy can be overwhelming. As health care professionals, compliance with this new rule isn’t about adhering to legal standards—it’s about reinforcing trust with your patients and safeguarding their most sensitive information.

We’re Here to Help

If you have questions about integrating these requirements into your operations or enhancing both compliance and patient confidence, please contact your Moss Adams professional. 

Additional Resources

Ask a Question

Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Cadence Assurance LLC, a Moss Adams company. Wealth management offered through Moss Adams Wealth Advisors LLC. Services from India provided by Moss Adams (India) LLP.

Related Topics

Grant Funding Available to California Reproductive Health Services Providers
Women’s Voices in Transforming Health Care Leadership
Denials Management: An Integrated, People-First Approach
Increase Cybersecurity in Health Care with Safety-Boosting Strategies

Contact Us with Questions

Enter security code:
 Security code