The Biden administration finalized a rule Monday that bars providers, health plans and other entities covered by HIPAA from disclosing protected health information that could be used to investigate abortions.
The regulation from the HHS’ Office for Civil Rights, first proposed last year, aims to strengthen privacy protections for patients who seek reproductive care such as abortion, IVF and birth control and providers who offer legal reproductive healthcare services, administration officials said during a press conference.
The rule aims to help ensure patients don’t delay care or fail to disclose important medical details because they’re afraid the information could be shared with law enforcement or other state agencies, OCR Director Melanie Fontes Rainer said.
“No one should have to live in fear that their conversations with their doctor or that their medical claims data might be used to target or track them for seeking lawful reproductive healthcare,” she said.
Under the rule, HIPAA-covered entities cannot disclose protected health information about reproductive healthcare, like a pregnancy test or ectopic pregnancy treatment, for an investigation or to impose legal liability on the patient or provider if the care is legal in the state where it’s received, Fontes Rainer said. If the care is protected by federal law, the information also can’t be disclosed.
The regulation requires entities like providers, health plans, claims clearinghouses and their business associates to obtain a signed attestation that information requests potentially related to reproductive care won’t be used for prohibited purposes.
A person who falsifies an attestation could face criminal penalties, according to the final rule. Regulated entities could face civil penalties for failing to receive a valid attestation before disclosing protected information as well.
The rule could face legal challenges, said Claire Marblestone, partner at law firm Foley & Lardner. A lawsuit could argue the HHS’ OCR is exceeding the scope allowed to the agency because HIPAA wasn’t put in place to specifically address reproductive healthcare privacy.
“It does seem to me that [the rule] is based on solid legal footing and is in line with OCR’s position on wanting to protect patient privacy and enhance those privacy protections,” she said. “But because it relates to reproductive healthcare privacy, and because there’s somewhat little federal action on this, it could be a target for some scrutiny.”
The final rule, however, is limited. It is aimed at women traveling from states where reproductive care like abortions are banned, Fontes Rainer said. The data-sharing prohibition applies to clinicians who provided the reproductive care in states where abortion is legal, and the patients’ providers in their home state, even though they weren’t involved with the actual procedure, she added.
Interstate travel for abortions has doubled since 2020, according to a report by the Guttmacher Institute, a research group that supports abortion rights. Nearly 1 in 5 abortion patients went out of state to obtain abortion care in the first six months of last year, compared with 1 in 10 during the same period in 2020.
“We have no illusion that everything that the president has urged us to do with our authorities is going to undo Dobbs,” said HHS Secretary Xavier Becerra. “Dobbs took away rights. Until we have a national law that reinstitutes Roe v. Wade, we’re going to have issues.”
The final rule goes into effect two months after it’s published in the federal register. HIPAA entities have 240 days to comply with the regulation, but they have until Feb. 16, 2026, to make required updates to their notices of privacy polices.