Quick Hits

  • Final privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) set basic limitations on the use or disclosure by covered entities (such as employer health benefit plans) and their business associates of reproductive health care information.
  • The final rules state that reproductive care is, for HIPAA purposes, presumed to be legal unless the employer health benefit plan or its business associate has “actual knowledge” that the care was not lawful under the circumstances.
  • The final rules generally require compliance on December 23, 2024. Effective February 16, 2026, covered entities will be required to update their notices of privacy practices.

Eagerly anticipated final rules by the U.S. Department of Health and Human Services (HHS), requiring compliance no later than December 23, 2024, set basic limitations on the use or disclosure by covered entities (such as employer health benefit plans) and their business associates of reproductive health care information. The limitations cover the use or disclosure of reproductive health care information to conduct civil, criminal, or administrative investigations or to impose such liability on individuals for “seeking, obtaining, providing, or facilitating” reproductive health care, so long as that care was legal where provided and was protected, required, or authorized by federal law in the relevant circumstances. The limitations also apply to uses or disclosures designed to identify any person for either of these purposes.

These rules come two years after the Supreme Court of the United States, in Dobbs v. Jackson Women’s Health Organization, expressly overruled the two key rulings that had established and upheld a constitutional right to abortion, and gave states the authority to regulate abortion. The 2024 rules also come eleven years after final regulations last significantly modified the fundamental rules governing the privacy, security, and breaches of protected health information (PHI) under HIPAA.

Importantly, the 2024 rules indicate that reproductive care is, for HIPAA purposes, presumed to be legal unless the employer health benefit plan or its business associate has “actual knowledge” that the care was not lawful under the circumstances, or factual information provided by the requester indicates that there is a “substantial factual basis” to believe that the care was not lawful.

The 2024 rules apply a broad definition of “seeking, obtaining, providing or facilitating” reproductive health care to include “expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting or otherwise taking action to engage in reproductive health care,” or attempting to do so.

Additionally, the 2024 rules modify the HIPAA rules on disclosure of PHI to report abuse or neglect and for public health purposes to limit access to reproductive care information. For example, under current rules, a health benefit plan can refuse to treat an individual as a personal representative when it has a “reasonable belief” that the person has abused or may abuse or neglect the relevant individual. The new rules clarify that the basis for that reasonable belief cannot be the seeking of reproductive health care for and at the request of the individual.

Health benefit plans and their business associates will also have to get written attestations before releasing PHI potentially related to reproductive care to officials such as health or law enforcement officials. Such attestations will have to clearly state that the requested disclosure did not violate the new HIPAA rules on reproductive health care and that criminal penalties could be imposed for improper uses and disclosures of PHI.

Finally, the rules will require plans and their business associates to update their notices of privacy practices. The notices will have to describe and give an example of both the uses and disclosures of reproductive health care PHI prohibited under the new HIPAA rules, and the types of uses and disclosures for which an attestation would be required. An extended deadline applies to updating notices of privacy practices; modifications will not be due until February 16, 2026.

The final regulations also modify the HIPAA privacy rules related to substance abuse disorder patient information to reflect recent changes to the 2024 Confidentiality of Substance Use Disorder (SUD) Patient Records Final Rule (2024 Part 2 Rule) to better align these rules with HIPAA.

Ogletree Deakins’ Employee Benefits and Executive Compensation Practice Group will continue to monitor developments and will provide updates on the Cybersecurity and Privacy and Employee Benefits and Executive Compensation blogs as additional information becomes available.
