The HIPAA Hot Seat

Jen Clark • February 28, 2025

What You Need to Know About the '2024 Privacy Rule' and Reproductive Health Care

The 2022 Dobbs v. Jackson Women’s Health Organization ruling, which overturned Roe v. Wade, prompted modifications to the Privacy Rule (45 CFR Parts 160 and 164). The Biden-Harris administration, partially through President Biden’s Executive Order (EO) 14076, aimed to better protect information related to reproductive health care, bolster patient-provider confidentiality, and promote trust between patients and their health care providers. Subsequent to EO 14076, the HIPAA Privacy Rule was updated to limit the circumstances in which the use or disclosure of PHI related to reproductive health care is permitted. The final rule (“2024 Privacy Rule”) became effective June 25, 2024, with compliance enforcement effective December 23, 2024, except for the requirement to update the covered entity’s Notice of Privacy Practices, which is delayed until Feb. 16, 2026.


The 2024 Privacy Rule strengthens privacy protections by prohibiting the use or disclosure of PHI by a covered entity (e.g., pharmacy), or business associate, for any of the following activities:

  1. To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
  2. To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
  3. To identify any person for any purpose described in (1) or (2).


Under this rule, the prohibition applies where a covered entity or business associate has reasonably determined that one or more of the following conditions exists:

  • The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
  • The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
  • The reproductive health care was provided by a person other than the covered entity (e.g., pharmacy), or business associate, that receives the request for PHI and the presumption described below applies.


The Final Rule includes a presumption that the reproductive health care provided by a person other than the covered entity (e.g., pharmacy), or business associate, receiving the request was lawful. In such cases, the reproductive health care is presumed to be lawful under the circumstances in which it was provided unless one of the following conditions is met:

  • The covered health care provider, health plan, or clearinghouse (or business associates) has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
  • The covered health care provider (e.g., pharmacy), health plan, or health care clearinghouse (or business associates) receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided. (For example, a law enforcement official provides a pharmacy with evidence that the information being requested is reproductive health care that was provided by an unlicensed person where the law requires that such health care be provided by a licensed health care provider.)


To implement the prohibition, the Final Rule requires a covered entity (e.g., pharmacy), or business associate, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies when the request is for PHI for any of the following:

  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Disclosures to coroners and medical examiners


The requirement to obtain a signed attestation gives a covered entity (e.g., pharmacy), or business associate, a way of obtaining written representations from persons requesting PHI that their requests are not for a prohibited purpose. Additionally, the attestation includes language that federal law prohibits any individual from improperly obtaining PHI and that knowingly, and in violation of HIPAA, obtaining PHI under false pretenses or disclosing the PHI to another person can result in criminal penalties. A covered entity receiving a PHI request related to reproductive health care should evaluate the request and all available data and circumstances surrounding the request to make a reasonable determination to substantiate the validity of the request.




By Trenton Thiede, PharmD, MBA, President at PAAS National®, expert third party audit assistance, FWA/HIPAA and USP 800 compliance.

Copyright © 2025 PAAS National, LLC. Unauthorized use or distribution prohibited.

All use subject to terms at https://paasnational.com/terms-of-use/.

