Issue Brief
Advancing Reproductive Health Privacy, Mitigating Criminalization

Breaking Down the HIPAA Privacy Rule for Reproductive Health

June 2024
Reproductive Rights

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) finalized the HIPAA Privacy Rule to Support Reproductive Health Care Privacy on April 26, 2024, in response to the threats to abortion access, health care privacy, and patient-provider trust that the Dobbs v. Jackson Women’s Health Organization decision unleashed.

Pregnant people throughout the country are living under the specter of surveillance and criminalization for their reproductive health decisions and pregnancy outcomes. Members of historically underserved and marginalized communities – and particularly low-income, Black, and brown women – are more likely to be subjects of investigations and criminal proceedings related to reproductive health care. With 36 million women living across 26 states that have banned or are likely to ban abortion since Dobbs, the Biden Administration’s rulemaking offers urgently needed protections for patients.

People deserve safety and confidentiality while accessing health care, but the fall of Roe has exacerbated mistrust between patients and the health care system. One of the driving forces for criminalization related to pregnancy status or outcomes is providers unnecessarily reporting their patients to law enforcement. Post-Dobbs, providers have experienced confusion and pressure surrounding disclosures of PHI regarding reproductive health care to law enforcement in particular, because the Privacy Rule had permitted, but did not require, uses and disclosures of PHI to law enforcement.

The new final rule prohibits regulated entities from using or disclosing protected health information (PHI) for the purposes of conducting a criminal, civil, or administrative investigation into or imposing liability on anyone for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care. Regulated entities include covered health care providers, plans, or clearinghouses and their business associates. Ultimately, these changes should lessen the risk of patients being reported to law enforcement and better protect people who are forced to travel to receive care because of state abortion bans.

Prohibition on Disclosures: What is Protected

The new regulation bars any PHI from being used or disclosed for the purposes of investigating or criminalizing any person for reproductive health care that was lawfully provided. Against the backdrop of rising abortion and pregnancy criminalization, this means that providers and other HIPAA-covered entities cannot tell law enforcement about a patient’s reproductive health care if they received that care legally. Providers should never be forced to police and report on the patients who entrust them with their care. This rulemaking should give pregnant people greater assurance that information they disclose to their doctor regarding legal reproductive care will remain confidential, and in turn facilitate deeper trust between patients and providers.

  • OCR adopted this purpose-based prohibition against disclosing any PHI to help give patients greater assurance that information related to their reproductive health reflected throughout their medical record will remain private and not be weaponized against them.
  • The final rule defines reproductive health care broadly to encompass a range of care related to an individual’s reproductive system. It also stipulates that reproductive health care may include care that patients determine is appropriate for themselves, like over-the-counter birth control, in addition to care recommended by providers.
  • The prohibition against disclosures protects patients, clinicians, pharmacists, insurers, or anyone who expresses interest in, receives, administers, authorizes, pays for, counsels about, or otherwise engages in reproductive health care, including abortion care.
  • These privacy protections apply for reproductive health care in the following circumstances:
    • When a patient receives care in a state where it is legal;
    • When it is protected by federal law; or
    • When it is presumed to be lawfully provided by someone other than a regulated entity that receives a request for PHI.

The last of these, the “presumption of lawfulness,” helps ensure that a provider in a state that bans abortion who receives a request for PHI is not required to make a determination about the lawfulness of any reproductive care that a patient received outside their practice.

Attestation Requirement: How the Protection Operates

The final rule’s attestation requirement prohibits regulated entities from using or disclosing PHI potentially related to reproductive health care without a valid, signed attestation that the use or disclosure is not for a legal proceeding against someone for seeking, obtaining, providing, or facilitating lawful reproductive health care. The attestation is necessary for requests for PHI for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. Requiring attestation is crucial for safeguarding patients’ reproductive health privacy, mitigating criminalization risks associated with disclosures, and strengthening compliance with the proposed prohibition. Law enforcement will have to attest that they will not use the requested PHI to target pregnant people or providers for lawful reproductive health care. A requester who knowingly and in violation of HIPAA falsifies an attestation to obtain someone’s individually identifiable health information would be subject to potential criminal liability.

The rule does not require a regulated entity to investigate the validity of an attestation, but the entity is also not permitted to rely exclusively on a requester’s representation as to whether the reproductive health care in question was provided lawfully. Instead, a regulated entity is generally permitted to rely on the attestation if it reasonably determines that the request is not for a prohibited purpose given the full context. The regulation allows regulated entities to consider factors like who is making the request, what the stated purpose of the request is, and the validity of information to overcome the presumption of lawfulness. For instance, it may not be reasonable for a regulated entity to rely on the attestation of a public official who has stated their interest in criminalizing people for reproductive care.

Given the current public health and legal landscape following the Dobbs decision and the ways in which reproductive health care is being criminalized, there is a significant degree of confusion about what reproductive care is and is not legal and when it is or is not legal to provide certain care. Even more problematically, anti-abortion state actors are deliberately weaponizing this confusion in order to threaten criminalization or otherwise chill providers from offering and people from seeking reproductive health care. The final rule’s attestation requirement and reliance standard represent an effort to respond to this reality, balance the interests involved, and protect patients and providers to the extent possible.

Law Enforcement Access and Pregnancy Criminalization

The final rule only allows law enforcement officials to access PHI from regulated entities if they are not investigating or imposing liability on someone for accessing, providing, or facilitating legal reproductive health care; if the disclosure is required by law; and if the disclosure meets all conditions of the Privacy Rule permission to use or disclose PHI as required by law. These requirements should give pregnant people who live in states that ban abortion greater protection to travel to receive the care they need in protective states and know that their health information cannot be disclosed to state authorities back home who may try to investigate them.

The rulemaking also makes clear that PHI may be disclosed pursuant to an administrative request for which response is required by law, including an administrative subpoena or summons or a civil or authorized investigative demand. For example, if a regulated entity receives an administrative subpoena from a federal agency investigating health care fraud, they may disclose PHI in response, provided that the information is relevant to a legitimate law enforcement inquiry, the request is specific and limited in scope, and de-identified information cannot be reasonably used. Despite encouragement from advocates to provide greater patient protections, OCR does not require law enforcement to obtain a warrant in the final rule.

Furthermore, given that the final rule only bars disclosures to law enforcement for the expressed purpose of criminalizing patients for seeking reproductive health care, pregnancy criminalization can still continue unabated. Pregnancy outcomes other than abortion, including stillbirths and miscarriage, have been far more likely to result in criminalization, most often under the guise of addressing substance use during pregnancy. State authorities can target pregnant people with a range of criminal charges like child abuse or endangerment and fetal homicide for adverse pregnancy outcomes like miscarriage and stillbirth. To that end, even with this rulemaking, a law enforcement office could prosecute someone for their pregnancy outcome and circumvent the final rule’s prohibition by seeking records about a pregnant or postpartum patient’s substance use on the pretext of criminalizing them for the illicit use of substances.

Balancing Privacy and Promoting Public Health

The final rule does not prevent disclosures of PHI to public health authorities for public health activities, including surveillance, investigation, and intervention. This means, for instance, that states focused on addressing the maternal health crisis can access necessary PHI to develop strategies to promote better outcomes. Overall, the rulemaking attempts to strike an effective balance between protecting patient privacy and confidentiality and facilitating appropriate information sharing to improve care coordination and health outcomes. Many pregnant people are experiencing new acute needs for safety, support, and privacy given the threat of arrest and prosecution they face related to their pregnancy outcomes. We know that more needs to be done to strengthen privacy protections, and we remain engaged in those efforts with HHS and other federal agencies.

Next Steps for Reproductive Health and Data Privacy Post-Dobbs

It is imperative that patients know what information is protected under the HIPAA Privacy Rule, what their rights are, and what to do if their rights are violated. If patients believe that a HIPAA-covered entity or its business associate violated their health information privacy rights, they can file a complaint with the HHS Office for Civil Rights. It is also important for regulated entities to understand the scope and application of the final rule’s prohibited uses and disclosures, as well as the attestation requirement. Helping regulated entities understand their obligations under the final rule must be a priority, especially given ongoing confusion regarding disclosures of pregnancy-related information. Providers need detailed guidance, education, and training on these changes and conditions for disclosures to ensure compliance. OCR shared that it intends to publish model attestation language before December 23, 2024, to facilitate implementation and reduce the burden on providers. We appreciate all efforts to ensure providers’ interpretation and application of this regulation are consistent with the intent of promoting patient privacy at this critical juncture.

In order for the prohibition on disclosures to be implemented effectively, it must be accompanied by robust, meaningful enforcement of the penalties for HIPAA violations. We urge policymakers to ensure that there is robust enforcement and ongoing monitoring of HIPAA violations. The final rule is effective on June 25, 2024, and compliance with the majority of its provisions will be required by December 23, 2024.

Especially given the heightened risk of criminalization looming over pregnant people post-Dobbs, the need for a more expansive conversation about how to responsibly and ethically collect, use, and share health data urgently persists. Gaps in the current health data regulatory patchwork mean that much of the data currently being generated and used in health care do not have robust privacy and security protections. Any efforts to address data privacy and the complex dynamics inherent in the exchange and use of sensitive information related to abortion and sexual and reproductive health care demand a careful, person-centered approach.
