Reproductive Health & HIPAA’s Privacy Final Rule: What ABA Companies Need to Know

Nov 15, 2024

This article is intended as information only. Please don't consider it legal advice. ABA Compliance Solutions doesn't provide legal services. While we strive to offer accurate and up-to-date information, we always suggest consulting with an attorney for advice tailored to your specific needs.


The new rule, which is part of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule, focuses on disclosures of information relating to reproductive health care and became effective on June 25, 2024. Applied Behavior Analysis (ABA) companies that are covered entities under HIPAA will have until December 23, 2024 to comply with the new requirements.

The new reproductive healthcare privacy rule change to HIPAA was introduced against a backdrop of increasing concerns about the protection of sensitive health information, particularly regarding reproductive health services.

What’s the New Rule?

The new rule covers Protected Health Information (PHI) related to lawful reproductive health care. The Office for Civil Rights (OCR) emphasizes that access to comprehensive reproductive health care services, including abortion and other sexual and reproductive care, is crucial for individual health and well-being.

The final rule aims to strengthen client-provider confidentiality for reproductive health care information, including abortion, birth control, and in vitro fertilization. Key provisions include:

  • Presumption of Lawfulness: Reproductive health care is presumed lawful unless proven otherwise.

  • Prohibition on Use or Disclosure: Covered entities—like many ABA agencies—may not use or disclose PHI if the PHI is being requested for the purpose of investigating or imposing liability on individuals for seeking, obtaining, providing, or facilitating lawful reproductive health care.

  • Attestation Requirement: Covered entities must obtain an attestation from the person or agency requesting the information that the PHI use or disclosure is not for a prohibited purpose.

Why Do ABA Providers Need to Know About the New HIPAA Rule?

The new rule defines reproductive health care as "health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes". Health and Human Services (HHS) wrote this definition so that it was intentionally broad. While ABA providers likely don’t provide services commonly understood as reproductive care (such as prescribing birth control or providing abortion or fertility services), many behavior analysts very well may provide health care related to providing clients with information, education, and training related to their clients’ reproductive systems and how those systems work. Services such as these may be considered reproductive care under the intentionally broad definition HHS laid out.

New Attestation Form Requirement

When a HIPAA covered entity (like many ABA companies) or business associate receives a request for protected health information (PHI) potentially related to reproductive health care, it must obtain a signed attestation that clearly states the requested use or disclosure is not for any of the prohibited purposes listed below:

  • To conduct a criminal, civil, or administrative investigation into anyone because they sought, received, provided, or facilitated legal reproductive health care.

  • To impose criminal, civil, or administrative liability on anyone because they sought, received, provided, or facilitated legal reproductive health care.

  • To identify any person as part of an investigation or punishment because they sought, received, provided, or facilitated legal reproductive health care.

The goal of the attestation requirements is to have covered entities try to determine what the information will be used for, so that the ABA agency knows whether it is or isn’t permitted to release the information. ABA agencies have to get a signed attestation when they receive requests for PHI for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners.

HHS has created a sample attestation form that ABA companies might consider using or modifying to fit their needs.

Changes to Notices of Privacy Practices

The new HIPAA privacy rule also requires several changes to the Notices of Privacy Practices (NPPs) ABA agencies use. These changes are designed to ensure the NPP adequately reflects the enhanced privacy protections for reproductive health information. These changes aim to improve transparency and inform clients about their rights and how their information is used and protected.

Here are the key requirements:

  • Inclusion of Specific Provisions for Reproductive Health Information:

    • NPPs must now explicitly mention the protections for reproductive health information, including any specific rights and restrictions related to the use and disclosure of this type of information.

    • The NPP should clarify that reproductive health care information is protected and detail the circumstances under which it can and cannot be disclosed.

  • Explanation of New Attestation Requirements:

    • The NPP must explain the new requirement for obtaining a signed attestation from requesters seeking to use or disclose reproductive health information. This attestation confirms that the request is not for a prohibited purpose.

  • Updated Definitions and Examples:

    • The NPP should include updated definitions that reflect the broad scope of reproductive health care as defined by the new rule. This includes services related to sterilization, fertility treatments, and other reproductive health services.

    • Providing examples of what constitutes reproductive health information and how it is protected can help clients understand their rights better.

  • Highlighting Clients' Rights:

    • The NPP must clearly outline clients' rights regarding their reproductive health information, including the right to request restrictions on certain uses and disclosures and the right to access and amend their health information.

    • Clients should be informed about their right to receive confidential communications and to file complaints if they believe their privacy rights have been violated.

  • Compliance Deadlines:

    • The NPP should specify the effective dates for the new privacy rule and compliance deadlines for implementing these changes. This helps ensure clients are aware of when the new protections will be in place.

  • Contact Information for More Information:

    • The NPP should provide updated contact information for clients who have questions or need further information about their privacy rights, including how to contact the ABA agency’s privacy officer or the Office for Civil Rights (OCR).

 

Timelines for Complying with the New Rule

The new reproductive health care privacy rule went into effect on June 25, 2024, and ABA companies that are covered entities under HIPAA have until December 23, 2024 to comply with it, with the exception of issuing updated Notices of Privacy Practices to their new and existing clients. ABA companies have until February 16, 2026 to send updated Notices of Privacy Practices to their clients.

 

ABA Compliance Solutions’ Recommendations Related to the New Rule

To help small- and medium-sized ABA companies comply with the new rule, we here at ABA Compliance Solutions recommend you take several steps:

  1. Bring together key stakeholders in your organization and determine whether your ABA company provides any services that would likely qualify under the very broad definition of reproductive health care contained in the new rule. If you’re sure that your company doesn’t provide any services that would qualify as reproductive health care, then you probably don’t need to change anything else, but we recommend that you document the meeting where that determination was made, including who attended the meeting and how and why you reached the decision you did.

  2. If you determine that your ABA company provides services that would likely qualify as reproductive health care, we recommend that you describe those services, including how often your company provides them, the nature of those services, and where those services are documented and that you include that information in a new policy.

  3. As part of that new policy, we recommend that you identify a process for handling requests for PHI in a way that complies with the new rule. You should include information such as who will receive and process such information requests, how your company will issue and collect the required attestation, and how your company will maintain records of your activities related to such requests. You might consider incorporating records (such as client treatment plans) that contain information related to reproductive health care into your data classification systems to help your staff easily identify which records contain reproductive health care information.

  4. We recommend that you update your Notice of Privacy Practices to comply with the requirements of the new rule. While HHS hasn’t provided a model (example) Notice of Privacy Practices as of the date of this post, they likely will in the future. In the meantime, our Compliance Connect members will have access to an editable sample Notice of Privacy Practices they can use and customize to fit their organizations.

  5. Consider adding compliance with the new rule to your business associate vetting process to ensure that the companies who provide your ABA agency with support services related to health care are complying with the new rule.

  6. Finally, we recommend that you develop, roll out, and document training to your ABA practice’s staff and that you do that well ahead of the December 23, 2024 deadline for full compliance with the new rule on privacy of reproductive health care. Our Compliance Connect members will soon have access to training from us that they can use to provide training to their staff.
