HIPAA's New Requirements for Reproductive Health Information
NOTE: As of publication, there has been no decision rendered in the legal challenge to these regulations in the U.S. District Court for the Northern District of Texas. If a ruling is issued, we will update this information accordingly.
1. Effective Date December 23, 2024
Effective December 23, 2024, all covered entities and business associates that have protected health information (PHI) that is "potentially related" to reproductive healthcare have new requirements and obligations to fulfill before releasing PHI.
2. Who Is Impacted?
The new HIPAA requirements apply to all covered entities and business associates whenever you receive a request for medical records not related to Treatment, Payment, or Healthcare Operations (TPO).
Specifically, they apply if you receive a request for any of the following purposes:
1. For Health Oversight (e.g., requests from state, local, or federal agencies).
2. For Judicial or Administrative Proceedings (e.g., a subpoena for records or testimony).
3. For Law Enforcement (e.g., requests from a police officer, district attorney, or attorney general).
4. For Coroners or Medical Examiners, regarding a deceased person.
Next, you must determine if the records contain information potentially related to reproductive healthcare.
3. Defining "Reproductive Health Information"
The Federal Register (link below) states that reproductive healthcare includes but is not limited to:
"contraception, including emergency contraception; pregnancy-related health care; fertility or infertility-related health care; and other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system."
Furthermore, the expanded definition of "health care" in HIPAA (45 CFR 160.103) states:
"health care, as defined in this section, that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care."
If you can verify a record does NOT contain any information potentially related to reproductive health, you do NOT need to continue with the attestation process.
BUT:
4. New Attestation Requirements
If the medical record does contain health information potentially related to reproductive health, then the next step is to obtain an attestation from the requestor that the records will not be used for either of the following activities:
• To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
• The identification of any person for the purpose of conducting such investigation or imposing such liability.
You can find a link to the model attestation provided by HHS in the resources section below. HCP strongly recommends using this model as your template because the attestation will be void if it does not contain all the required elements, or if it has too much information. This attestation cannot be combined with any other documents for signature; it must stand alone. However, supporting documentation can be kept with the attestation, such as proof that the care in question was not legal when or where it was provided.
5. Changes to the Notice of Privacy Practices (NPP) & Business Associate Agreement (BAA)
Changes to the Notice of Privacy Practices (NPP) are not required until February 16, 2026.
PHI held by business associates is subject to these same regulations. Covered entities must update BAAs to either:
• Require the business associate to follow the updated rules, or
• Restrict the release of PHI potentially related to reproductive healthcare so that only the covered entity can disclose it.
6. Resources
👉🔗 Federal Register Publication - The official source on the new HIPAA regulations for reproductive health information. Curious how the changes might specifically affect your operations—and the potential consequences of non-compliance? Dive into the details to gain a competitive edge and protect your organization from legal risk.
👉🔗 HHS Summary Page - Wondering how these regulations translate into everyday practice? The HHS offers a concise overview and practical tips, so you can strengthen patient trust and meet compliance standards without feeling overwhelmed.
👉🔗 Model Attestation Document - This ready-to-use attestation template shows exactly what HHS expects. Need more clarity about crucial wording? Using it can streamline your documentation, and reassure your team you're following the rules.
👉🔗 TPO Resource - Curious how HIPAA balances necessary information sharing with privacy? Learn when and how PHI can be disclosed under the Treatment, Payment, and Healthcare Operations (TPO) exception—giving you the confidence to share data appropriately and compliantly.
Conclusion
With these new regulations, it is crucial for covered entities and business associates to understand and implement the updated HIPAA requirements around reproductive health information. Ensuring compliance now will help protect patient privacy, reduce liability, and maintain trust. If and when the court issues a decision on the legal challenge, HCP will provide updates promptly.