OCR’s Final Rule strengthens privacy protection for reproductive health care
Reproductive privacy has received a boost with additional protections. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services recently issued a final rule, the 2024 Privacy Rule, to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support reproductive health care privacy.
As a result of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which led to many state abortion bans and other restrictions on reproductive freedom, the Final Rule is aimed at strengthening protection for individuals seeking reproductive health care. The application of its changes is narrowly tailored to certain limited circumstances involving lawful reproductive health care, and the rule clarifies that covered entities and business associates are not expected to know or be aware of laws other than those with which they are required to comply. The Final Rule underscores the importance of safeguarding patients’ rights and ensuring equitable access to reproductive health services.
The Final Rule also expands protections for individuals accessing reproductive health care services, particularly concerning privacy and nondiscrimination. It defines reproductive health broadly to include healthcare “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” It prohibits covered entities and business associates from discriminating against individuals based on their reproductive health decisions or the types of health care services they receive. It also prohibits covered entities and business associates from “conducting a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or the identification of any person for the purpose of conducting such investigation or imposing such liability.”
Under the new rule, covered entities and business associates are required to implement robust privacy safeguards to protect individuals' sensitive health information related to reproductive health care. This includes implementing secure communication channels and strict confidentiality measures to prevent unauthorized access or disclosure of such information. By strengthening privacy protections, the Final Rule aims to instill confidence among patients and encourage them to seek the care they need without fear of their sensitive information being disclosed outside of their relationship with their health care provider.
One of the primary goals of this rule is to ensure equitable access to reproductive health care services for all individuals, regardless of their gender identity, sexual orientation, or reproductive choices. Covered entities and business associates are prohibited from denying services, imposing additional costs, or restricting access based on discriminatory practices.
To ensure compliance with the new rule, the OCR will conduct audits and investigations to assess how well covered entities adhere to HIPAA regulations regarding reproductive health care. The Final Rule requires covered entities and business associates to revise their Notice of Privacy Practices to support reproductive health care privacy. Compliance is required by Dec. 23, 2024, except for updates to the Notice of Privacy Practices, which must be completed by Feb. 16, 2026. Non-compliance may result in penalties, corrective action plans, or other enforcement measures.
Covered entities and business associates should identify where reproductive health information is located within their protected health information, review and update policies and procedures, implement secure communication channels, provide staff training and education on these changes, and monitor and audit compliance with HIPAA regulations regarding reproductive health information.
For more updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other state data privacy legislation. If you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins' national data privacy and cybersecurity team.