Biden admin releases final rule to shield reproductive health information from law enforcement

Under a new rule, patients and healthcare providers will be further protected from investigations and liability relating to reproductive healthcare services when they were legally obtained and provided. 

Monday, the Biden administration released its final rule that updates the Health Insurance Portability and Accountability Act's (HIPAA's) Privacy Rule to shield sensitive information contained in medical records from law enforcement seeking to use it against a patient or provider.

The administration released the rule in direct response to the Dobbs v. Jackson Women's Health decision that took away a federal right to abortion, Department of Health and Human Services (HHS) Secretary Xavier Becerra said at a press conference. The new rule will protect the privacy of information on abortion, contraception and fertility treatments provided to Americans in states where the services are legal. It will also protect healthcare providers in abortion-restrictive states whose patients seek healthcare services out of state.

The final rule, the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, prohibits healthcare providers and health data holders covered by HIPAA from using or disclosing a patient’s reproductive health-related information to law enforcement when the information is obtained for the purpose of investigating or imposing liability on individuals or healthcare providers. Patients will be able to file a complaint with HHS’ Office for Civil Rights (OCR) if their reproductive healthcare information has been obtained unlawfully or used against them when the care was legally provided.

Under the former HIPAA Privacy Rule, healthcare providers were allowed, but not required, to provide reproductive health information to law enforcement.

The rule does not offer protection of reproductive health information in instances where the services were not legal. It also does not cover information outside of HIPAA such as a patient’s location data or health information stored on their phone.

The final rule goes into effect in two months, and the compliance date is eight months from the publishing of the rule. Covered entities must comply with the applicable requirements of 45 CFR 164.520, the HIPAA Privacy Rule, by Feb. 16, 2026.

The new rule only applies when reproductive healthcare has been lawfully provided in a state where the care is legal. Becerra said at a press conference Monday the rule strengthens privacy protections for medical records and health information for women, their family members and doctors who are seeking, providing or facilitating lawful reproductive healthcare. The rule upholds a patient’s right to interstate travel to seek healthcare.

The rule also enforces a patient’s right to receive emergency reproductive healthcare services, such as for a miscarriage or ectopic pregnancy, under the Emergency Medical Treatment & Labor Act (EMTALA), even in abortion-restrictive states. Supreme Court arguments on EMTALA and reproductive health are being heard Wednesday, April 24.

Melanie Fontes-Rainer, director of OCR, said the final rule does not diverge much from the proposed version released in April 2023. When asked by Fierce Healthcare what the Office changed in the final rule based on stakeholder feedback, Fontes-Rainer said many commenters urged more protections for doctors when their patients travel out of state to receive reproductive healthcare services. Fontes-Rainer said the final rule “has a presumption of legality in those instances to help take some of the burden off providers and to make it more workable.”

“When a woman goes home, her medical records will be protected … for home providers who literally had nothing to do with the care she received in the first instance. They will be protected and they’ll be able to say, ‘No, you cannot have this information’ and the provider in the state where she traveled will also be protected from folks reaching in to go after that type of medical care,” Fontes-Rainer said.

When the proposed rule was published last year, law firm Ropes & Gray said hospitals and health systems may have to re-train staff to understand when health information can be given to law enforcement and other officials. Healthcare providers may also need to rethink how they store reproductive healthcare information, the blog post said.

Reproductive healthcare information can be obtained by public health entities, auditors and some other parties when the information is not being used against the patient. Parties will need to provide an attestation to the healthcare organization that the information is not being used for such purposes.  

Regulated healthcare providers, health plans and clearinghouses must modify their Notice of Privacy Practices to support reproductive healthcare privacy in accordance with the rule, OCR said in a press release.