Skip to Content

HHS Announces Final Rule on Reproductive Health Care Privacy

On April 22, the Department of Health and Human Services (HHS) announced a final rule to support reproductive health care privacy under HIPAA. The rule aims to support reproductive health care privacy "by prohibiting the disclosure of protected health information related to lawful reproductive health care in certain circumstances," according to HHS and announcements from the Biden administration. The rule introduces a new category of protected health information to the HIPAA Privacy Rule — “reproductive health care” — and imposes new obligations that flow from the collection, use, and disclosure of this information by covered entities and business associates.

Reproductive health care means "health care [as currently defined under HIPAA] that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes." When an individual is "seeking, obtaining, providing, or facilitating reproductive health care" and the covered entity or business associate has determined that the reproductive health care is lawful in the state, protected by federal law, or “presumptively lawful” under the final rule, the covered entity or business associate must take certain actions that restrict the use and disclosure of such information.

When a covered entity or business associate is collecting or using protected health information that pertains to reproductive health care, the entity must ensure that the information is not used for certain prohibited purposes (i.e., for conducting a criminal, civil, or administrative investigation into an individual for their seeking reproductive health care, imposing liability on someone for seeking reproductive health care, or identifying someone for the purpose of such investigation or imposition of liability). In addition, covered entities and business associates must revise their notice of privacy practices and obtain attestations from third parties requesting reproductive health care information from the covered entity or business associate. The final rule lays out specific elements that must be included in such attestations and states that any attestation that fails to include every element or includes statements or information not described in the final rule is defective.

Next Steps

There are steps that covered entities and business associates can take now to mitigate the risk of investigations, fines, and penalties for violating these new reproductive health rules. For example, covered entities and business associates should consider:

  • Updating HIPAA privacy notices to include the new information required by the rule. 
  • Updating law enforcement request policies and procedures to ensure that information is not disclosed in violation of the rule.
  • Creating or updating data maps and data inventories to (1) understand what information would be subject to this rule (2) the basis upon which the information is used or disclosed and (3) any third parties from whom the covered entity would have to obtain an attestation.
  • Updating policies and procedures around disclosing protected health information to third parties and business associates to account for the new attestation requirements.
©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.