Reproductive Health & HIPAA: Key Takeaways from the New Rule

With states weighing in on their own versions of how to handle reproductive health, there’s been confusion about what is and isn’t PHI when it comes to women’s healthcare since Roe v. Wade was overturned – the phrase “clear as mud” comes to mind. The Biden-Harris Administration’s “New Rule” for HIPAA helps clear the waters, and hopefully makes it more straightforward for women seeking care – and the providers giving care – to be able to do so with confidence.

“The (Biden-Harris Administration’s) Final Rule strengthens privacy protections for medical records and health information for women, their family members, and doctors who are seeking, obtaining, providing, or facilitating lawful reproductive health care.”

The HIPAA Privacy Rule to Support Reproductive Health Care Privacy – which goes into effect 60 days after the Final Rule is published in the Federal Register – carefully describes how the New Rule strengthens privacy by “prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances.”

Before now, medical records privacy has been at risk when it comes to patients seeking legal reproductive healthcare, particularly when care is sought across state lines. The new level of HIPAA privacy does the following:

  • “Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.”
    • Translation: If you’re seeking PHI to cause problems for the patient or provider, it’s a no-go.
  • “Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.”
    • Translation: If you’re requesting PHI, it can’t be to go after the patient or provider, and you have to sign (documentation!) that it isn’t.
  • “Requires regulated health care providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive health care privacy.”
    • Translation: Relevant organizations’ (CEs and BAs) Privacy Practices must reflect the policy (documentation again!).

While the Final Rule is effective 60 days after its publication, compliance isn’t required for an additional 180 days after that – six months after the Effective Date. The OCR is allowing a deferred date of February 16, 2026, for the required Notice of Privacy Practices changes, to accommodate other recent regulatory changes that impact NPPs. If your organization falls under HIPAA, be sure to update your policies – and be ready to train your workforce – to comply with the New Rule.

Note: The current HIPAA Privacy Rule is in effect until the new rule takes effect. If you believe that your (or someone else’s) health information privacy rights or other Privacy, Security, or Breach Notification rules have been violated – go here to file a complaint: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.