Group health plans and the enhanced HIPAA privacy rights for reproductive health care
Employer-sponsored group health plans (and their business associates) should take time to understand how the requirements of the HIPAA RHC Rule will affect their operations.
On June 25, the U.S. Department of Health and Human Services Office of Civil Rights’ (HHS) HIPAA Privacy Rule to Support Reproductive Health Care took effect, enhancing HIPAA privacy protections for protected health information (PHI) relating to an individual’s reproductive health care. This new rule modifies certain privacy and security protections provided by the Health Insurance Portability and Accountability Act of 1996 and its related regulations as they apply to the use and disclosure of PHI that relates to “reproductive health care” (the HIPAA RHC Rule).
While they can choose to start applying the HIPAA RHC Rule now, employer-sponsored group health plans, health care providers, health care clearinghouses and other covered entities, as well as their business associates (collectively, regulated entities), are permitted to delay until December 23 to bring their practices, policies and procedures into compliance with the HIPAA RHC Rule. Additional time is allowed for regulated entities to update their HIPAA Notice of Privacy Practices (HIPAA Notice) – they can wait until as late as February 16, 2026, to revise their HIPAA Notice to reflect changes mandated by the HIPAA RHC Rule.
This article addresses the impact of the HIPAA RHC Rule on employer-sponsored group health plans (and their business associates).
What does “reproductive health care” encompass?
Initially intended as a means of responding to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and the state abortion bans that followed, the HIPAA RHC Rule’s protections go far beyond abortion rights. HHS recognized that Dobbs would have far-reaching implications for reproductive health care beyond access to abortion and stated that its intent in issuing the HIPAA RHC Rule is to ensure that individuals will not forgo necessary reproductive health care out of fear that their information regarding that health care will be disclosed or used in any investigations or legal proceedings against them.
HHS further stated that it recognizes that information about reproductive health care is particularly sensitive, necessitating heightened privacy protection in order to encourage information sharing so that individuals’ medical records can be as complete as possible and so that proper health care can be provided.
To accomplish these goals, HHS broadly defined “reproductive health care” in the HIPAA RHC Rule as health care that “affects the health of an individual in all matters relating to the reproductive system and its functions and processes.” The rule provides a nonexclusive list of examples that fit within the definition of “reproductive health care,” which include:
- Contraception (including emergency contraception).
- Preconception screening and counseling.
- Management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination.
- Fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization (IVF)).
- Diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis).
- Other types of care, services and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products).
Based on the examples and comments provided by HHS, it is clear that the definition of “reproductive health care” was intended to be broad.
What protections are provided?
Rather than create a whole new subset of PHI (like psychotherapy notes) that cannot be easily segregated, HHS instead adopted a purpose-based prohibition against uses or disclosures of an individual’s PHI relating to reproductive health care in specified non-health care settings. As such, the HIPAA RHC Rule prohibits a group health plan from using or disclosing PHI relating to an individual’s reproductive health care where the health care is lawful under the circumstances in which it is provided and the use or disclosure is being sought for any of the following purposes:
- To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care.
- To impose criminal, civil or administrative liability on any person for the mere act of seeking, obtaining, providing or facilitating reproductive health care.
- To identify any person for the purpose of conducting such an investigation or imposing such a liability.
The HIPAA RHC Rule includes a nonexclusive list of what “seeking, obtaining, providing, or facilitating” reproductive health care includes, such as expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting or otherwise taking action to engage in reproductive health care, or attempting to do any of these things.
Thus, the HIPAA RHC Rule not only protects against situations where the PHI is being sought to investigate, prosecute or penalize the individual patient but also against situations where the PHI is being sought to investigate, prosecute, or penalize the provider or medical facility.
Unlawful reproductive health care is not protected
The HIPAA RHC Rule’s protections do not apply if the responsible HIPAA privacy officer reasonably determines that the reproductive health care was not lawful under the circumstances (based on the law of the state in which the health care is provided). If the HIPAA privacy officer determines that the reproductive health care was unlawful under the circumstances, the group health plan (or its business associate) is permitted to disclose the health care information in accordance with HIPAA’s normal privacy and security requirements.
Presumptions available to group health plans
Group health plans (and their business associates) may presume that the health care provided was lawful unless the group health plan (or business associate) has actual knowledge to the contrary or the person making the request provides factual information demonstrating a substantial factual basis that the health care was not lawful. In addition, regardless of the applicable state law, the group health plan (or business associate) may refuse to disclose the PHI relating to reproductive health care in any situation where the reproductive health care would otherwise be required to be protected, or to the extent its use or disclosure is restricted, by federal or state law.
Additional attestation requirements for certain requests
When a group health plan (or its business associate) receives a request for PHI relating to reproductive health care for (1) health care oversight activities, (2) judicial or administrative proceedings, (3) law enforcement purposes, or (4) disclosures to coroners and medical examiners, the group health plan (or business associate) is required to obtain a signed and dated attestation from the person or entity requesting the use or disclosure. A new attestation must be obtained for each specific use or disclosure request.
Generally, the attestation must identify the types of PHI being requested and state that the requested use or disclosure is not for a prohibited purpose. In addition, the attestation must contain a notice that persons who knowingly obtain or disclose PHI in violation of HIPAA’s privacy or security rules are subject to criminal penalties. Material misrepresentations on the attestation could also trigger potential criminal liability for the person or entity completing it. HHS has provided a model attestation form for use by those requesting PHI relating to reproductive health care. The model attestation contains instructions regarding completion of the form and reliance on the form. The attestation may be provided electronically and signed electronically to the extent consistent with applicable federal and state law.
A group health plan or business associate’s failure to obtain a required attestation could lead to civil penalties. The group health plan (or business associate) must retain a written copy of the completed attestation and any relevant supporting documents.
Changes to HIPAA notice?
Each group health plan must update its HIPAA Notice to include information about and examples of how PHI relating to reproductive health care may be used or disclosed. This update must occur no later than February 16, 2026, but group health plans may want to consider updating their HIPAA Notice before any open enrollment period that begins prior to this deadline, so that the notice can be distributed with open enrollment materials and does not have to be redistributed midyear.
Action items:
To ensure compliance with the HIPAA RHC Rule, group health plans should consider the following action items:
- Update the plan’s HIPAA policies and procedures to address the disclosure requirements applicable to PHI relating to reproductive health care.
- Update any business associate agreements to ensure business associates agree to comply with the HIPAA RHC Rule.
- Update the plan’s HIPAA Notice to reflect the plan’s prohibition of any use or disclosures that would violate the HIPAA RHC Rule and to provide the required examples.
- Redistribute the updated HIPAA Notice by February 16, 2026.
- Adopt an attestation form for use by persons requesting PHI relating to reproductive health care (or use the HHS model form).
- Train workforce members with access to PHI on the new prohibitions, use of appropriate attestation forms, and changes to the plan’s HIPAA policies and procedures, and document the training.
Employer-sponsored group health plans (and their business associates) should take time to understand how the requirements of the HIPAA RHC Rule will affect their operations and begin implementing the required changes. They will also need to be mindful of the state-by-state differences that apply to reproductive health care. As issues arise, consult legal counsel with experience regarding HIPAA.
Ann Murray is a partner of Nelson Mullins Riley & Scarborough’s Atlanta office. Deborah Hembree is of counsel with the firm.