HHS announced modifications last week to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule,^[1] that will strengthen privacy protections for reproductive health care information. The Final Rule, HIPAA Privacy Rule to Support Reproductive Health Care Privacy,^[2] enhances patient privacy by prohibiting the use or disclosure of reproductive health care-related Protected Health Information (PHI) for criminal, civil, or administrative actions.

Following the Supreme Court’s 2022 ruling to overturn Roe v. Wade^[3] in Dobbs v. Jackson Women’s Health Organization,^[4] which eliminated the constitutional Right to abortion, the legal landscape for reproductive care has shifted drastically. Widely varying access to reproductive health care from state-to-state has resulted in an increase of women traveling out of state to seek medical care, spurring concerns as to whether that information would be “shared, misused, and disclosed without permission.”^[5] Health and Human Services (“HHS”) Secretary Xavier Becerra stated the “chilling effect” these concerns have on women seeking medical support as a motivator for the new Rule.^[6]

Included in the Rule are requirements for covered entities to revise their Notices of Privacy Practices (NPPs) to “support reproductive health care privacy.”^[7]  

All parts of the Final Rule except for NPP changes become effective 60 days after publication in the Federal Register, and entities will have 180 days following that to comply. The compliance date for changes to NPPs is February 16, 2026. 

HIPAA Privacy Rule to Support Reproductive Health Care Privacy ^[8]

The Final Rule prohibits the use or disclosure of PHI by a HIPAA-covered entity (health care provider, health plan, health care clearinghouse), or business associate for the following activities:

• To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.; or
• The identification of any person for the purpose of conducting such investigation or imposing such liability.

The prohibition on use or disclosure applies when the entity has reasonably concluded that one or more of the following criteria is true:

• The reproductive health care is lawful under the law of the state where care is provided, under the circumstances in which it is provided.
• The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
• The reproductive health care was provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associates) that receives the request for PHI and the presumption described below applies.

The Rule includes a presumption that the reproductive health care provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associates) receiving the request was lawful. In such cases, the reproductive health care is presumed to be lawful under the circumstances in which it was provided unless one of the following conditions are met:

• The covered health care provider, health plan, or clearinghouse (or business associates) has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
• The covered health care provider, health plan, or health care clearinghouse (or business associates) receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.

When an entity subject to HIPAA receives a request for PHI potentially related to reproductive care, the Final Rule also requires the entity to obtain a signed attestation that the use or disclosure of PHI is not for a prohibited purpose, and applies when the request is for any of the below:

• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes
• Disclosures to coroners and medical examiners

Organizations impacted by these changes should review and revise their written policies and procedures and provide employee training to ensure compliance with the new requirements.

The Data Privacy and Cybersecurity team at Paul Hastings regularly advises clients on how to comply with requirements of new regulations such as this one. If you have any questions concerning these changes or any other privacy and cybersecurity laws and regulations, please do not hesitate to contact a member of our team.