HHS finalized the HIPAA Privacy Rule To Support Reproductive Health Care Privacy on April 22, 2024, published it in the Federal Register on April 26, 2024, and made most provisions effective on June 25, 2024, with a compliance deadline of December 23, 2024. One provision, the Notice of Privacy Practices update, has a separate compliance deadline of February 16, 2026. For practices providing reproductive health care (OB/GYN, fertility, primary care, urgent care, behavioral health), the rule creates new restrictions on how reproductive health information can be disclosed in response to certain requests, and it adds an attestation requirement that should be built into every workflow that handles disclosures.
What the 2024 rule changed
The rule prohibits HIPAA-covered entities and business associates from using or disclosing protected health information for three categories of activity: conducting a criminal, civil, or administrative investigation into a person for seeking, obtaining, providing, or facilitating reproductive health care; imposing criminal, civil, or administrative liability on a person for the same; and identifying a person for one of those purposes. The prohibition applies when the reproductive health care was lawful in the state where it occurred, was lawful under federal law, or is presumed lawful in the absence of contrary information. The rule reaches state agencies, law enforcement, attorneys general, courts, and any other party seeking PHI for the prohibited purposes.
The attestation requirement
Practices receiving a request for PHI that is potentially related to reproductive health care must obtain an attestation from the requestor before disclosing. The attestation must state that the requested use or disclosure is not for any of the three prohibited purposes. HHS published a model attestation in the rule, and practices should use either the model or a substantively equivalent version. The attestation must be in writing, signed under penalty of perjury, and retained for the standard six-year HIPAA retention period. Practices that disclose without obtaining the attestation when one was required face HIPAA enforcement under the standard penalty framework.
The Notice of Privacy Practices update
The compliance deadline for the Notice of Privacy Practices (NPP) update is February 16, 2026. Practices must add language describing the reproductive health privacy provisions to their NPP, distribute the updated NPP to new patients at the first encounter on or after the deadline, and post the updated NPP on the practice website if one is maintained. Practices that have not updated by February 16, 2026, are out of compliance and exposed to enforcement on each new patient who receives the outdated NPP. The fix is straightforward (NPP template update), but it requires staff training so the new NPP is the version distributed at the front desk.
Workflow changes for OB/GYN and primary care
Practices that handle reproductive health care need to update three operational areas. First, a written disclosure protocol that flags any request potentially related to reproductive health care for attestation review before release. Second, a designated staff member or compliance contact who reviews each flagged request and obtains the attestation. Third, training for front-desk and medical records staff on which requests trigger the protocol. The categories that almost always trigger include subpoenas naming a patient, requests from law enforcement, requests from state agencies investigating an individual, and requests from attorneys representing parties adverse to the patient.
State law interaction
Some states have laws that conflict with the federal rule, particularly in states that have criminalized aspects of reproductive health care. The federal rule preempts contrary state law in most cases, but the practical operation is more complex when state authorities issue subpoenas or court orders. Practices receiving a court order or subpoena should consult counsel before disclosing, even when the order appears facially valid. The HHS Office for Civil Rights has indicated that compliance with the federal rule is the safer course when in doubt, and that providers acting in good faith reliance on the rule are protected.
Audit and complaint risk
HHS Office for Civil Rights handles HIPAA enforcement and accepts complaints from patients and others. The 2024 rule has elevated reproductive health privacy as an enforcement priority, and OCR has indicated it will follow up on complaints alleging improper disclosure of reproductive health information. Penalties for non-compliance follow the standard HIPAA tiered structure, ranging from $137 to over $2 million per violation depending on level of culpability and the nature of the disclosure. Practices that build the attestation workflow, update the NPP on time, and train staff substantially reduce their enforcement exposure.
How MHB helps practices stay compliant
For practices that want their disclosure workflow, NPP update, and staff training reviewed against the 2024 reproductive health privacy rule, our team supports end-to-end medical billing operations with HIPAA compliance review built into the daily workflow.
The bottom line
The reproductive health privacy rule is not abstract. It changes how practices respond to subpoenas, law enforcement requests, and state agency inquiries, with a near-term Notice of Privacy Practices update due February 16, 2026. Practices that update on time and train staff stay clean. Practices that miss the deadline create enforcement exposure on every new patient encounter that follows.
Authoritative sources
This article cites the following primary sources for billing-code and regulatory guidance. Always confirm current rules and codes with the publishing authority before applying to a specific claim.
