HIPAA’s New Regulations Protecting Reproductive Health Care

December 19, 2024

On April 26, 2024, the United States Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published new HIPAA regulations regarding protection of reproductive health care information.  The new regulations became effective on June 25, 2024, but covered entities and business associates were provided until December 23, 2024, to comply, with the exception of making required revisions to the Notice of Privacy Practices (“NPP”). Covered entities were provided with an extended compliance deadline of February 16, 2026, to make required changes to their NPPs.

In the Federal Register comments to the Final Rule, OCR explained that promulgation of these regulations directly resulted from the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, 597 U.S. 2015 (2022), overturning precedent that protected a constitutional right to abortion. According to OCR, that decision increased “the potential that use and disclosure of protected health information about reproductive health will undermine access to and the quality of health care generally.” Therefore, OCR deemed it necessary to limit the circumstances in which the Privacy Rule permits the use or disclosure of an individual’s protected health information (“PHI”) when the PHI includes reproductive health care. OCR focused on circumstances under which use or disclosure of the reproductive health care information could be detrimental to the privacy of the individual or the individual’s trust in their health care providers.

What is reproductive health care?

The new regulations broadly define “reproductive health care” as “health care . . . that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”

The definition is certainly not limited to pregnancy or abortion related care. In fact, the definition is broad enough to encompass PHI about men and women, including contraception, fertility related care, pregnancy related care, menopause, vasectomies, or even behavioral health treatment notes related to an individual’s reproductive health experiences. Because this definition is so wide-ranging, the new HIPAA regulations can apply to practically any type of health care provider, and reproductive health care information can potentially be spread throughout the provider’s records, including in medication lists, records from other providers, surgical histories, or even routine physical examination notes. Because most providers cannot, as an operational matter, manually check every record for reproductive health care information, virtually all PHI should be assumed to contain reproductive health care information.

What is the scope of the new HIPAA prohibition regarding reproductive health care?

OCR opted not to place blanket protections on reproductive health care records, but instead to create new purpose-based prohibitions related to PHI. Both covered entities and business associates are now prohibited from using or disclosing PHI for the following three purposes:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
  • To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
  • To identify any person for the purpose of conducting such investigation or imposing such liability.

Seeking, obtaining, providing, or facilitating reproductive health care includes, but is not limited to, any of the following: expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or otherwise taking action to engage in reproductive health care; or attempting any of the same.

According to OCR, any request for PHI that is made by a patient or patient’s authorized representative, by HHS, or by another third party for treatment, payment, or health care operations is not a prohibited purpose. Covered entities may continue to disclose under those circumstances as they did before the promulgation of these new regulations. For example, in guidance, OCR specifies that a covered entity can use or disclose PHI to defend itself in an investigation or proceeding related to professional misconduct or negligence where the alleged professional misconduct or negligence involved the provision of reproductive health care.

In addition, these three prohibited purposes only apply where the covered entity or business associate that received the request for PHI has reasonably determined that:

  • the reproductive health care was lawful under the law of the state in which such health care was provided under the circumstances in which it was provided OR
  • the reproductive health care was protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care was provided, regardless of the state in which it was provided.

OCR established these rules of applicability to balance protecting the use and disclosure of reproductive health information while allowing law enforcement to pursue illegal activity. The HIPAA prohibitions related to reproductive health care do not apply to reproductive health care that was illegal or unprotected under the circumstances under which it was provided.

How will covered entities and business associates determine the legality of reproductive health care?

To allay concerns about covered entities and business associates making legal determinations, the regulations allow reproductive health care to be presumed lawful unless the covered entity or business associate has either: (1) actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided or (2) factual information supplied by the person requesting the PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

For example, if a patient tells her physician that she received an abortion from an unlicensed individual, then the covered entity cannot rely on the presumption that the reproductive health care was lawful because abortion in every state must be performed by a licensed individual. Therefore, the provider’s record documenting the patient’s statement would not be prohibited from disclosure by the new HIPAA regulations. Or, for example, consider a law enforcement official in Texas who sends a subpoena to a provider in Connecticut requesting reproductive health care information for the purpose of bringing a criminal case against a Texas provider that performed an abortion illegally in Texas. The Texas law enforcement official sends, along with the subpoena, substantial factual evidence that the reproductive health care was not lawful under the circumstances under which it was performed. In that case, the HIPAA prohibition on disclosing reproductive health care information does not apply.

Note that the inapplicability of the new HIPAA reproductive health care regulation does not mean that the health care provider must or may disclose the PHI. An analysis must still be performed to determine if there is a HIPAA exception allowing the disclosure of the PHI pursuant to the third party request. In addition, depending on the circumstances, other state law and/or the provider’s policies may still prohibit the disclosure.

How will covered entities and business associates determine whether a request is being made pursuant to a prohibited purpose?

Covered entities and business associates must make a fact specific determination as to whether each request for reproductive health care information is being made pursuant to a prohibited purpose. That determination can be made based on a number of factors, including whether the person requesting the use or disclosure of PHI reasonably articulates a basis for the request that is not related to the mere act of seeking, obtaining, providing, or facilitating reproductive health care.

As mentioned above, a request for PHI that is made by a patient or patient’s authorized representative, by HHS, or by another third party for treatment, payment, or health care operations is not a request for a prohibited purpose.  However, when other HIPAA exceptions are relied upon to make the disclosure, covered entities and business associates must make independent evaluations of the request to reasonably determine whether it is for a prohibited purpose.

When are signed attestations required?

The new regulations require that covered entities and business associates receive a signed attestation that the use or disclosure is not for a prohibited purpose from the requestor before making a disclosure of PHI pursuant to the following HIPAA exceptions: (1) health oversight activities; (2) judicial and administrative proceedings; (3) law enforcement purposes; or (4) disclosures to coroners and medical examiners. The signed attestation makes it clear that the request is not being made for a prohibited purpose. All of the elements of the HIPAA exception must be met, but in addition, a signed attestation must be obtained from the requestor before reproductive health care information can be disclosed.

For example, a covered entity is permitted to disclose PHI to the Connecticut Department of Public Health (“DPH”) during a license survey pursuant to HIPAA’s exception permitting disclosures for health oversight activities. However, if the PHI potentially contains reproductive health care information, the covered entity must obtain a signed attestation from DPH prior to providing any PHI.

A valid attestation must contain certain required elements and statements. In addition, a valid attestation cannot be combined with any other document. If the covered entity or business associate knows that material information in the attestation is false or if a reasonable covered entity or business associate in the same position would not believe the requestor’s statement that the use or disclosure is not for a prohibited purpose, then the attestation is defective. OCR provided a model attestation at: https://www.hhs.gov/sites/default/files/model-attestation.pdf.

How will this work?

Before these new regulations became effective, a covered entity or business associate was permitted to use and disclose PHI as permitted by HIPAA, other state and federal law, and its own policies.

Pursuant to the new regulations, as part of its HIPAA analysis, the covered entity or business associate must also evaluate whether the request for PHI is being made by the third party to conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or to identify any person for the purpose of conducting such investigation or imposing such liability.

If the third party request is being made for any of those prohibited purposes, then the covered entity must determine whether the reproductive health care that is the subject of the third party’s request for PHI was lawful under the law of the state in which it was provided and/or whether the reproductive health care is protected, required, or authorized by Federal law. The covered entity can assume that the reproductive health care was lawful unless it has either actual knowledge that the reproductive health care was not lawful or factual information that demonstrates a substantial factual basis that the reproductive health care was not lawful.

If the third party request is being made for a prohibited purpose and the reproductive health care was lawful under the law of the state in which it was provided and/or is protected, required, or authorized by Federal law – then the covered entity cannot make the disclosure to the requesting third party.

If, however, the third party request is being made for a prohibited purpose, but the covered entity determines that the reproductive health care was not lawful under the law of the state in which it was provided and is not protected, required, or authorized by Federal law – then the covered entity may make the disclosure.

If the analysis of the purpose of the request and the lawfulness of the reproductive health care permits the covered entity or business associate to make the disclosure, then the covered entity or business associate must also determine if an attestation from the requestor is required. If an attestation is required, the covered entity or business associate must ensure that the attestation contains all required elements and statements.

Notice of Privacy Practices

The Final Rule also requires that covered entities change their Notice of Privacy Practices to reflect the new protections for reproductive health care information, including the prohibited purposes and when attestations are required. The new regulations further mandate that changes be made to the Notice of Privacy Practices in accordance with changes made to the 42 CFR Part 2 regulations governing substance abuse disorder records. Compliance is required by February 16, 2026, and additional federal guidance regarding the required changes is expected.

A Word About Connecticut Law

Any determination regarding the disclosure of health information must include an analysis of applicable state law. In 2022, the Connecticut legislature enacted Connecticut General Statutes § 52-146w, which prohibits the disclosure of reproductive health care in any civil action or any proceeding or in any probate, legislative or administrative proceeding, subject to certain exceptions. Because Connecticut law is limited to disclosures in any civil action or any proceeding or in any probate, legislative or administrative proceeding, it has narrower applicability than the HIPAA regulations, which apply potentially to any disclosure to a third party.

The definition of reproductive health care in the Connecticut law is similar in breadth to the HIPAA definition, and includes “all medical, surgical, counseling or referral services relating to the human reproductive system, including, but not limited to, services relating to pregnancy, contraception or the termination of a pregnancy and all medical care relating to treatment of gender dysphoria as set forth in the most recent edition of the American Psychiatric Association’s ‘Diagnostic and Statistical Manual of Mental Disorders’ and gender incongruence, as defined in the most recent revision of the ‘International Statistical Classification of Diseases and Related Health Problems.’”

The Connecticut statute prohibits a HIPAA covered entity from disclosing (1) any communication made to such covered entity, or any information obtained by such covered entity from, a patient or the conservator, guardian or other authorized legal representative of a patient relating to reproductive health care services that are permitted under Connecticut law, or (2) any information obtained by personal examination of a patient relating to reproductive health care services that are permitted under Connecticut law. Such disclosures are allowed only if the patient or that patient’s conservator, guardian or other authorized legal representative “explicitly consents in writing.” Moreover, the covered entity must inform the patient or the patient’s conservator, guardian or other authorized legal representative of the patient’s right to withhold written consent.

The exceptions to this consent requirement are limited and include disclosures only (1) required pursuant to state law; (2) made by a covered entity against whom a claim has been made, or there is a reasonable belief will be made, in such action or proceeding, to the covered entity’s attorney or professional liability insurer or such insurer’s agent for use in the defense of such action or proceeding; (3) to DPH for records of a patient of a covered entity in connection with an investigation of a complaint, if such records are related to the complaint; or (4) if child abuse, abuse of an elderly individual, abuse of an individual who is physically disabled or incompetent or abuse of an individual with intellectual disability is known or in good faith suspected.

Action Steps

Some predict that HHS will not be actively enforcing the new regulations amending the Privacy Rule to protect reproductive health care due to the recent Presidential election and the upcoming changes in leadership at HHS and OCR. Also, there is a pending lawsuit filed by the Texas Attorney General against HHS challenging not only the new HIPAA regulations regarding reproductive health care, but also the entirety of the HIPAA Privacy Rule, arguing that the regulations exceed the scope of the authorizing statute. Nevertheless, the December 23, 2024, compliance deadline is looming, and providers should make good faith efforts to implement policies and training in accordance with the regulations.
