View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

HHS/OCR RIN: 0945-AA20 Publication ID: Fall 2023 
Title: Proposed Modifications to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy 

This final rule will modify the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will modify existing standards permitting uses and disclosures of protected health information (PHI) by limiting uses and disclosures of PHI for certain purposes.

Agency: Department of Health and Human Services(HHS)  Priority: Section 3(f)(1) Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Final Rule Stage 
Major: Yes  Unfunded Mandates: No 
CFR Citation: 45 CFR 160    45 CFR 164   
Legal Authority: Health Insurance Portability and Accountability Act (PL 104-191)    Executive Order 14076, Protecting Access to Reproductive Healthcare Services   
Legal Deadline:  None

Statement of Need:

HIPAA and the HIPAA Rules promote access to health care by establishing standards for the privacy of PHI to protect the confidentiality of individuals’ health information. These protections promote the development and maintenance of confidence and trust between individuals and covered entities, and help to improve the completeness and accuracy of individual medical records. The Privacy Rule, as it has been amended over time, carefully balances the interests of individuals and society in identifiable health information by establishing when and how such information may be used and disclosed, with and without the individual’s permission. The Department has received communications from members of Congress and the public and reviewed media reports indicating concerns and confusion regarding the role of the Privacy Rule in protecting the privacy of individual’s health information, given the evolution of state law in the area of reproductive health care.

Summary of the Legal Basis:

The current HIPAA Privacy Rule has not been updated to reflect the evolution in state law that undermines the privacy of individuals’ protected health information, particularly for use in investigations into or legal proceedings against persons in connection with reproductive health care. The final rule is consistent with Executive Order 14076, which directed the Secretary of Health and Human Services to consider actions to strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.


HHS considered whether these policy changes could be implemented through guidance. However, the Department determined that this would be insufficient to address the concerns that have arisen in the wake of the recent evolution in state law pertaining to reproductive health care that has jeopardize the privacy of individuals’ protected health information and affected individuals’ relationship with their health care providers and the U.S. health care system. Revisions to the existing HIPAA Privacy Rule are necessary to reestablish that trust and to ensure the privacy of individuals’ protected health information.

Anticipated Costs and Benefits:

HHS estimates that the effects of the requirements for regulated entities would result in new costs of $611,831,396 within 12 months of implementing the final rule, followed by approximately $67,831,396 of recurring annual costs in years two through five. The Department anticipates that this rulemaking will result in significant benefits that are difficult to quantify because the area of health care the proposed rule addresses is among the most sensitive for patients and providers if privacy is violated. Additionally, the value of privacy, which cannot be recovered once lost, and trust that privacy will be protected by others, is difficult to quantify fully. The rule would prevent or reduce numerous harms, resulting in non-quantifiable benefits to patient and providers.


To be determined.

Action Date FR Cite
NPRM  04/17/2023  88 FR 23506   
NPRM Comment Period End  06/16/2023 
Final Action  03/00/2024 
Regulatory Flexibility Analysis Required: Undetermined  Government Levels Affected: Federal, Local, State, Tribal 
Small Entities Affected: Businesses, Governmental Jurisdictions, Organizations  Federalism: Yes 
Included in the Regulatory Plan: Yes 
RIN Data Printed in the FR: No 
Agency Contact:
Marissa Gordon-Nguyen
Senior Advisor for Health Information Privacy, Data, and Cybersecurity Policy
Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue SW,
Washington, DC 20201
Phone:800 368-1019
TDD Phone:800 537-7697