The Department of Health and Human Services Issues HIPAA Final Rule Providing Additional Reproductive Health Safeguards

On April 26, 2024, the Department of Health and Human Services (HHS) published the final HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule). The Final Rule became effective June 25, 2024.

The Final Rule modifies the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to provide additional protections by prohibiting the use or disclosure of protected health information (PHI) by HIPAA covered entities or their business associates in response to certain reproductive health-related requests. The Final Rule originated in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and the state abortion bans that followed. The Final Rule seeks to address the privacy concerns of those who seek, obtain, or provide reproductive health care.

Covered entities and business associates must comply with much of the Final Rule by December 22, 2024, but have until February 16, 2026 to update their Notice of Privacy Practices.

Protections of PHI

Under the Final Rule, the use or disclosure of PHI is prohibited for the following activities:

  • To conduct a criminal, civil, or administrative investigation into or impose a criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

The prohibitions are imposed on HIPAA covered entities—health plans, health care providers, and health care clearinghouses—and their business associates. The above prohibition on sharing PHI exists where the covered entity or business associate has “reasonably determined” that one of the following exists:

  • The reproductive health care is lawful in the state in which the health care is provided under the circumstances in which it is provided.
    • For example, where the resident of a state travels to another state to receive reproductive health care, such as an abortion, that is lawful in the state where the health care is provided.
  • The reproductive health care is protected, required, or authorized by federal law, including the US Constitution, regardless of the state in which such health care is provided.
  • The reproductive health care was provided by a person other than the covered entity or business associate that receives the request for PHI. There is a presumption that the health care provided was lawful unless the covered entity or business associate has:
      • actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or
      • receives factual information from the person making the request for PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.

The Final Rule also defined “reproductive health care” to mean health care that affects the health of an individual in all matters relating to the reproductive system (including its functions and processes). This includes contraception (e.g., emergency contraception and preconception screening and counseling), management of pregnancy and pregnancy-related conditions (e.g., prenatal care and miscarriage management), and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography and pregnancy-related nutrition services).

Attestation

The Final Rule introduces a new attestation requirement on covered entities and business associates that receive a request for PHI that may be related to reproductive health care. The attestation will help ease the burden on entities that receive a request for PHI to identify which requests fall under the prohibition because it relates to reproductive health care.

When a covered entity or business associate receives a request for PHI that is potentially related to reproductive health care, it must obtain a signed and dated attestation that the use or disclosure is not for a prohibited purpose discussed above. An attestation is required when PHI is requested for: health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners.

The attestation requirements include a specific description of the information requested, a statement that the use or disclosure is not for a prohibited purpose, and a statement that the person may be subject to criminal penalties if they knowingly violate HIPAA through their request of prohibited information.

The attestation gives a covered entity or business associate an opportunity to obtain a written representation from the requestor of the PHI that the request is not for a prohibited purpose.

HHS has published a model attestation that can be used to comply with the requirement which can be accessed here.

Notice of Privacy Practices

The Final Rule requires covered entities to revise their Notice of Privacy Practices (NPPs) to reflect the strengthening of reproductive health care privacy protections. This will include reflecting the prohibitions on the use and disclosure of PHI discussed above. As mentioned above, compliance with this requirement will be mandatory effective February 16, 2026.

Next Steps

Covered entities should take steps now to prepare for compliance in late December of this year:

  • Policies and Procedures: Review and revise HIPAA policies and procedures to reflect the changes and attestation discussed in the Final Rule.
  • HIPAA Training: Revise HIPAA training materials to reflect the changes and attestation discussed in the Final Rule.
  • Attestation: Although HHS has provided a model attestation, covered entities will need to develop and implement a process to solicit attestations where necessary.

Additionally, with the overturning of Chevron deference this past Supreme Court Term in Loper Bright Enterprises v. Raimondo and Relentless, Inc. v. Department of Commerce, any challenge to the Final Rule may be viewed with less deference to HHS than was accorded under Chevron.  A court facing such a challenge will likely look to HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) to evaluate whether HHS adopted the best interpretation of these statutes.

If your company requires assistance complying with the new Final Rules, reach out to your Jenner & Block contact for assistance.

Related Capabilities

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

The Department of Health and Human Services Issues HIPAA Final Rule Providing Additional Reproductive Health Safeguards

On April 26, 2024, the Department of Health and Human Services (HHS) published the final HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule). The Final Rule became effective June 25, 2024.

The Final Rule modifies the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to provide additional protections by prohibiting the use or disclosure of protected health information (PHI) by HIPAA covered entities or their business associates in response to certain reproductive health-related requests. The Final Rule originated in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and the state abortion bans that followed. The Final Rule seeks to address the privacy concerns of those who seek, obtain, or provide reproductive health care.

Covered entities and business associates must comply with much of the Final Rule by December 22, 2024, but have until February 16, 2026 to update their Notice of Privacy Practices.

Protections of PHI

Under the Final Rule, the use or disclosure of PHI is prohibited for the following activities:

  • To conduct a criminal, civil, or administrative investigation into or impose a criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

The prohibitions are imposed on HIPAA covered entities—health plans, health care providers, and health care clearinghouses—and their business associates. The above prohibition on sharing PHI exists where the covered entity or business associate has “reasonably determined” that one of the following exists:

  • The reproductive health care is lawful in the state in which the health care is provided under the circumstances in which it is provided.
    • For example, where the resident of a state travels to another state to receive reproductive health care, such as an abortion, that is lawful in the state where the health care is provided.
  • The reproductive health care is protected, required, or authorized by federal law, including the US Constitution, regardless of the state in which such health care is provided.
  • The reproductive health care was provided by a person other than the covered entity or business associate that receives the request for PHI. There is a presumption that the health care provided was lawful unless the covered entity or business associate has:
      • actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or
      • receives factual information from the person making the request for PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.

The Final Rule also defined “reproductive health care” to mean health care that affects the health of an individual in all matters relating to the reproductive system (including its functions and processes). This includes contraception (e.g., emergency contraception and preconception screening and counseling), management of pregnancy and pregnancy-related conditions (e.g., prenatal care and miscarriage management), and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography and pregnancy-related nutrition services).

Attestation

The Final Rule introduces a new attestation requirement on covered entities and business associates that receive a request for PHI that may be related to reproductive health care. The attestation will help ease the burden on entities that receive a request for PHI to identify which requests fall under the prohibition because it relates to reproductive health care.

When a covered entity or business associate receives a request for PHI that is potentially related to reproductive health care, it must obtain a signed and dated attestation that the use or disclosure is not for a prohibited purpose discussed above. An attestation is required when PHI is requested for: health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners.

The attestation requirements include a specific description of the information requested, a statement that the use or disclosure is not for a prohibited purpose, and a statement that the person may be subject to criminal penalties if they knowingly violate HIPAA through their request of prohibited information.

The attestation gives a covered entity or business associate an opportunity to obtain a written representation from the requestor of the PHI that the request is not for a prohibited purpose.

HHS has published a model attestation that can be used to comply with the requirement which can be accessed here.

Notice of Privacy Practices

The Final Rule requires covered entities to revise their Notice of Privacy Practices (NPPs) to reflect the strengthening of reproductive health care privacy protections. This will include reflecting the prohibitions on the use and disclosure of PHI discussed above. As mentioned above, compliance with this requirement will be mandatory effective February 16, 2026.

Next Steps

Covered entities should take steps now to prepare for compliance in late December of this year:

  • Policies and Procedures: Review and revise HIPAA policies and procedures to reflect the changes and attestation discussed in the Final Rule.
  • HIPAA Training: Revise HIPAA training materials to reflect the changes and attestation discussed in the Final Rule.
  • Attestation: Although HHS has provided a model attestation, covered entities will need to develop and implement a process to solicit attestations where necessary.

Additionally, with the overturning of Chevron deference this past Supreme Court Term in Loper Bright Enterprises v. Raimondo and Relentless, Inc. v. Department of Commerce, any challenge to the Final Rule may be viewed with less deference to HHS than was accorded under Chevron.  A court facing such a challenge will likely look to HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) to evaluate whether HHS adopted the best interpretation of these statutes.

If your company requires assistance complying with the new Final Rules, reach out to your Jenner & Block contact for assistance.

Related Capabilities

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

News and Insights

Podcasts

Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast

Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.

July 15, 2026

Publications

Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report

Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.

July 14, 2026

Publications

Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law

Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.

July 7, 2026

Publications

In New York Law Journal, The True Lender Doctrine and the OppFi Decision

Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.

July 1, 2026

Event

Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference

On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.

July 1, 2026