Preparing for Enforcement of the 2024 HIPAA Amendments on Reproductive Health

December 31, 2024

The 2024 HIPAA amendments introduce significant changes for covered entities, such as healthcare providers, insurers, and their business associates. According to an article by Davis Wright Tremaine, compliance deadlines are looming, with most provisions taking effect by December 23, 2024, and updates to notices of privacy practices (NPP) required by February 16, 2026. These amendments are expected to create operational challenges and raise new legal risks for regulated entities.

Under the revised rules, regulated entities may not use or disclose protected health information (PHI) related to lawful reproductive health care for the purpose of investigating or imposing liability on individuals who seek, provide, or facilitate such care. Entities may disclose PHI only if the care is deemed unlawful under state or federal law, and even then, disclosures must comply with the Privacy Rule’s existing criteria.

Notably, healthcare providers must refuse to disclose reproductive health-related PHI under certain court orders, law enforcement requests, or health oversight inquiries unless the requestor provides an attestation affirming the information will not be used for prohibited purposes. This attestation process introduces additional administrative burdens, as regulated entities must assess the validity of attestations in light of surrounding circumstances and could face penalties for improper disclosures.

Operational adjustments will be necessary to comply with these requirements. Covered entities must develop and implement policies to identify and block inappropriate disclosures of reproductive health-related PHI. Staff training will be essential to ensure compliance, particularly in handling requests that conflict with the new rules. Additionally, entities must update their NPPs to reflect the enhanced privacy protections for reproductive health care and align with recent changes to the Part 2 Rule.

These amendments carry significant risk for entities operating in states with restrictive reproductive health laws. Conflicts between federal and state requirements may arise, potentially forcing regulated entities to challenge requests for PHI in court. 

For instance, healthcare providers may face contempt charges for refusing to disclose reproductive health information as required by state law, placing them in a difficult position of either violating HIPAA or contesting judicial rulings. Business associates, particularly cloud service providers, face unique challenges in managing compliance, as they may lack visibility into PHI and must decide whether to treat all customer data as potentially sensitive.

The 2024 HIPAA amendments represent the most substantial changes to the Privacy Rule since 2013. By addressing the contentious issue of reproductive health privacy, these updates are likely to generate ongoing legal and operational complexities. While they aim to enhance patient confidence in reproductive healthcare privacy, they also present compliance challenges that regulated entities must navigate carefully in the months and years ahead.
