U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office for Civil Rights

June 25, 2024


The HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule is Effective Today


On April 26, 2024, the Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), published a Final Rule entitled the HIPAA Privacy Rule to Support Reproductive Health Care Privacy.

The Final Rule strengthens the Health Insurance Portability Act of 1996 (HIPAA) Privacy Rule by prohibiting the use and disclosure of protected health information (PHI) in certain circumstances. 

The Final Rule includes the following changes:
  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate lawful reproductive health care, or to identify persons for such activities.
  • Requires covered entities or business associates to obtain a signed attestation that certain requests (health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures about decedents to coroners and medical examiners) for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires covered entities to modify their Notice of Privacy Practices to support reproductive health care privacy.

“OCR encourages HIPAA covered entities and business associates to begin implementing the new Privacy Rule requirements today,” said OCR Director Melanie Fontes Rainer. “Patients deserve to have these privacy protections in place as soon as possible.”

The effective date of the Final Rule is June 25, 2024. This is the date that HIPAA covered entities and their business associates may begin implementing the new requirements. 

Covered entities and business associates are not required to comply with the new requirements until December 23, 2024, except for the new changes to the HIPAA Notice of Privacy Practices, which have a compliance date of February 16, 2026.

The Final Rule may be viewed here.

The Fact Sheet may be viewed here.

If you believe that your (or someone else’s) health information privacy rights or other Privacy, Security, or Breach Notification rules have been violated, you may file a complaint with the HHS Office for Civil Rights at: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.

This email is being sent to you from the OCR-Security-List listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

For additional information on a wide range of topics about the Privacy and Security Rules, please visit the OCR Privacy website at http://www.hhs.gov/ocr/privacy/index.html

You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at http://www.hhs.gov/ocr/office/index.html.

If you believe that a person or organization covered by the Privacy and Security Rules ("a covered entity") violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. 

For additional information about how to file a complaint, visit OCR's web page on filing complaints at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.