How to Prepare Now for Proposed Changes to HIPAA to Protect Confidentiality Around Reproductive Health Care*

On April 12, 2023, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking regarding proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. As proposed, the modified Privacy Rule would prohibit the use and disclosure of PHI related to lawful reproductive health care in any criminal, civil, or administrative investigation against patients, providers, or others involved in the provision of reproductive health care.

Specifically, OCR seeks to protect this sensitive PHI by prohibiting its use and disclosure when an investigation involves reproductive health care that was:

(1) Provided outside of the state where the investigation or proceeding is pending, and where such health care was lawfully provided;

(2) Protected, required, or authorized by federal law, regardless of the state in which such health care was provided; or

(3) Provided in the state in which the investigation or proceeding is pending, and the health care was permitted by the laws of that state.

Through the Proposed Rule, OCR presents “reproductive health care” as a new subcategory of “health care,” to be defined broadly as “care, services, or supplies related to the reproductive health of the individual.” OCR recognizes the interests of the federal government and states in protecting the privacy of individuals who seek, obtain, provide, or facilitate lawful reproductive care. OCR asserts that in these circumstances, states lack a substantial interest in obtaining this information, and any state laws that might conflict with the proposed rules are preempted by the Privacy Rule.

Attestation Requirement

To implement this prohibition, OCR places the burden on Covered Entities to obtain a signed attestation from the individual requesting the PHI that the information requested will not be used for an investigation relating to the provision of reproductive health care.

Specific requirements related to the attestation requirement include:

  • An attestation cannot be combined with another document; it must be clearly labeled and separate from the surrounding text.
  • An attestation can be attached to another document, but must be clearly labeled as such.
  • Even with an attestation, the minimum necessary standard would apply to any use or disclosure.
  • Providers may rely on any attestation provided unless such reliance is not objectively reasonable.

Key Considerations

While HHS has not yet issued a final rule regarding the use and disclosure of reproductive health PHI, providers should begin determining what impact the proposed rules would have on their operations, particularly around release of information. The operational impact appears substantial, since providers would have to determine (1) when a record includes PHI related to reproductive health; (2) whether the request relates to an investigation; and (3) whether an attestation is required or valid. Providers should familiarize themselves with the proposed changes and bring together appropriate legal, compliance, and medical records stakeholders in order to prepare for necessary policy, training, and workflow changes.

OCR has published a Fact Sheet with additional information on the Proposed Rule.

*Young Moore attorney David Senter would like to thank summer clerk Sofia Gomez–Ayala, a 2L at Campbell University School of Law, for her assistance in researching and preparing this post.

For additional information on this or other topics, or for questions about your entity’s own compliance with HIPAA generally, please contact Young Moore healthcare attorney, David Senter.

About the Author

David focuses his practice on privacy and data security, particularly within the healthcare industry. He educates and advises clients in matters pertaining to privacy and data security, including breach investigation, notification and reporting requirements, as well as compliance with state, federal, and foreign privacy and data security laws, including HIPAA, FERPA, CCPA, GDPR, and PIPL, among others. David previously served as the Interim Associate Compliance Officer and Director of Privacy of an Academic Medical Center in North Carolina. He has been named to the North Carolina Lawyers Weekly 2023 Power List for Healthcare.

