On April 26, 2024, the Department of Health and Human Services finalized the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The rule is effective June 25, 2024, with a general compliance deadline of December 23, 2024 for most provisions and February 16, 2026 for the Notice of Privacy Practices updates. For Ambulatory Surgery Centers, the substantive lift is not large, but it is procedural and it cannot be done at the last minute.
What the rule actually does
The rule prohibits covered entities and business associates from using or disclosing protected health information for either of the following purposes:
- To conduct a criminal, civil, or administrative investigation into, or impose liability on, any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided
- To identify any person for those purposes
This applies when the reproductive health care was lawful in the state in which it was provided, or was protected, required, or authorized by federal law, regardless of the state where it was provided. The default presumption sits with lawfulness.
The attestation requirement
The operational centerpiece of the rule is a new attestation obligation. When a covered entity receives a request for PHI potentially related to reproductive health care for one of the following purposes, it must obtain a signed attestation from the requester before disclosing:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Disclosures to coroners and medical examiners
The attestation must confirm that the requested use or disclosure is not for one of the prohibited purposes. HHS will publish a model form, but covered entities can develop their own, provided it meets the specified content requirements: a description of the information requested, the name of the person whose information is sought, the name of the person to whom disclosure is made, a clear statement that the use or disclosure is not for a prohibited purpose, the signature of the requester, and the date.
A defective attestation, or a disclosure made without one when one was required, is a Privacy Rule violation.
What ASCs should be doing now
Even ASCs that do not perform reproductive health procedures fall under the rule, because the prohibition is triggered by the purpose of the request, not the nature of the underlying care. A facility that performs only orthopedic procedures can still receive a request for medical history that touches on reproductive health, and the same attestation logic applies.
Three workstreams matter between now and December:
- Policy update. Revise the HIPAA disclosure policy to incorporate the prohibited-purpose language, the attestation workflow, and the documentation requirements. Identify who reviews incoming requests and who is authorized to sign off on disclosure.
- Staff training. Every staff member who handles records requests, including front desk, medical records, and any clinical staff who respond to subpoenas or law enforcement inquiries, needs to recognize a triggering request and route it appropriately. This is exactly the workflow that breaks under pressure if the training is generic.
- Notice of Privacy Practices. The NPP must be updated to reflect the new restrictions and patient rights. The compliance deadline for NPP changes is February 16, 2026, which is later than the rest of the rule, but most ASCs will update the NPP alongside the December changes rather than maintain two versions.
Quick win
Pull your last 12 months of law enforcement and subpoena requests. Categorize each by the underlying purpose. The exercise tells you which staff members already field these requests, how often, and where the attestation step needs to live in the workflow.
Documentation and retention
Attestations, like other Privacy Rule documentation, must be retained for six years from the date of creation or the date last in effect, whichever is later. The retention obligation is straightforward, but the discovery obligation under audit is not. You need to be able to produce the attestation tied to the specific disclosure, not just the file folder.
Civil monetary penalties under HIPAA continue to scale with culpability and remain meaningful, particularly where a pattern of disclosures without attestations could be characterized as willful neglect.
How DocForms helps
HIPAA Compliance captures the attestation workflow, ties each attestation to the specific disclosure it authorized, and maintains the six-year retention trail in a form that is producible on request.
Policies and Procedures tracks the revised disclosure policy and NPP through their approval cycle, with attestations of staff acknowledgment that prove the policy was distributed and understood.
Learning Management delivers the targeted training to records, front desk, and clinical staff, and records completion in a form that is defensible when OCR asks who knew what, and when.