Reproductive Health Care Requests and the HIPAA Attestation Requirement
Reproductive health information sits at the intersection of everyday record handling and unusually high legal sensitivity. Clinics and health plans receive subpoenas, law enforcement inquiries, oversight audits, and coroner requests that may touch reproductive health care, even when the request is framed broadly as “all records” or “full chart.” The operational problem is not theoretical: front desk staff, medical records personnel, and clinicians often face time pressure, incomplete context, and an implicit expectation to comply quickly.
This article explains what the HIPAA attestation requirement for reproductive health care information was designed to do, how it would have worked in real-world request workflows, and what the landscape looks like today.
Informational note: This report is for informational purposes only and does not constitute legal advice.
Current legal status as of February 16, 2026
The first thing to get right is whether the reproductive health care attestation requirement is currently enforceable. On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated the HIPAA Privacy Rule to Support Reproductive Health Care Privacy at 89 Fed. Reg. 32976, except for certain modifications to the Notice of Privacy Practices requirements at 45 C.F.R. § 164.520. The court also vacated specific subsections of the NPP modifications (164.520(b)(1)(ii)(F), (G), and (H)).
Later, on September 10, 2025, the Fifth Circuit dismissed an appeal related to that decision, which reinforced that the district court’s vacatur remained in place. The practical result for regulated entities is straightforward: the special reproductive health care provisions created by the April 2024 final rule, including the reproductive health care attestation requirement (codified at 45 C.F.R. § 164.509) and the associated prohibition and presumption framework (codified within 45 C.F.R. § 164.502), were vacated nationwide and are not currently in force as enforceable HIPAA requirements.
That does not mean “anything goes.” The baseline HIPAA Privacy Rule structure still applies: disclosures without the patient’s authorization are permitted only when a specific permission applies, and many of the permissions most often invoked for law enforcement and legal process are narrower than people assume. OCR’s guidance on disclosures relating to reproductive health care underscores that covered entities may use or disclose PHI without authorization only as expressly permitted or required by the Privacy Rule, and it gives concrete examples where a disclosure would be impermissible and would constitute a breach requiring notification.
So, if you came here looking for a simple rule like “always get the attestation form,” the honest answer is: as of today’s date, that special rule is not in effect. The better objective is to understand (1) what the vacated attestation framework required, because it may return in some form later, and (2) what you should do now under the still-operative Privacy Rule permissions that govern subpoenas, law enforcement requests, and required-by-law demands.
What HIPAA meant by “reproductive health care” and “potentially related” PHI
The attestation requirement hinged on a broad definition of “reproductive health care.” In the 2024 regulatory text, “reproductive health care” was defined as health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes, and the definition explicitly stated it was not intended to set a clinical standard of care. This is intentionally expansive. It covers more than abortion care, and it can touch contraception, pregnancy-related care, fertility or infertility services, miscarriage management, and other diagnosis or treatment connected to reproductive system functions.
The phrase that caused operational heartburn was “PHI potentially related to reproductive health care.” The word “potentially” matters because record requests rarely arrive with a neat label. A subpoena may ask for “all ER records,” an audit request may ask for a “random sample of claims,” or law enforcement may request “billing and visit documentation” for a person. Those categories can easily contain reproductive health data without anyone intending to target it, which is precisely why OCR built a gating mechanism that forced the requester to certify their purpose.
In a clinic setting, the safest operational interpretation of “potentially related” is not “only OB-GYN charts.” It is “any request where the responsive dataset could reasonably include reproductive health care information.” This is less about the specialty and more about the scope of the request and the structure of your records. If your EHR templates, diagnosis codes, medication lists, or visit summaries intermix reproductive and non-reproductive data, then broad requests often become “potentially related” by design.
What the 2024 final rule was trying to do
The April 26, 2024 final rule had three core mechanics that worked together: a prohibition on certain uses and disclosures tied to investigations or liability for lawful reproductive health care, a presumption framework to reduce the burden of evaluating lawfulness when the regulated entity did not provide the care, and an attestation requirement that functioned like a “tripwire” on certain categories of third-party requests.
The prohibition portion, as codified in 45 C.F.R. § 164.502(a)(5)(iii), barred uses and disclosures of PHI for three activities: investigating someone for the act of seeking, obtaining, providing, or facilitating reproductive health care; imposing liability for that act; or identifying any person for those purposes. It then limited that prohibition to scenarios where the reproductive health care was lawful under the law of the state in which it was provided, under the circumstances in which it was provided; protected or authorized by federal law (including constitutional protections) regardless of the state; or presumed lawful under the presumption provision.
The attestation requirement, codified at 45 C.F.R. § 164.509, was explicitly described as a mechanism to implement the prohibition. In plain terms: OCR expected that regulated entities would keep getting subpoenas and law enforcement demands that tried to route around the prohibition using existing Privacy Rule pathways, so OCR required requesters in certain categories to certify that the request was not for the prohibited purpose.
Even though these provisions were later vacated, the architecture is worth understanding because it reflects OCR’s theory of risk: most improper disclosures happen not because someone hacks your database, but because an ordinary request is processed casually, the workforce member assumes the request is valid, and PHI is disclosed under a misunderstood exception. That is the kind of failure mode that feels mundane in the moment and becomes very expensive afterward.
When the attestation was required
Under 45 C.F.R. § 164.509, the attestation requirement applied only to requests for PHI potentially related to reproductive health care when the request was for one of four purpose categories: health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures regarding decedents to coroners and medical examiners. The model attestation published by HHS repeats those four categories and ties them to the corresponding Privacy Rule permissions at 45 C.F.R. § 164.512(d), (e), (f), and (g)(1).
This narrow scope is important because it reveals how OCR saw the threat model. Routine treatment, payment, and health care operations disclosures were not the target. Patient access requests were not the target. The target was legal and quasi-legal pressure applied through subpoenas, investigations, oversight actions, and similar processes where a clinic might feel compelled to comply and might incorrectly assume HIPAA “requires” it.
It is also important that the attestation requirement was not a standalone permission. Even under the 2024 framework, an attestation did not magically make a disclosure permissible. It was an additional condition layered on top of existing Privacy Rule requirements for those categories, meaning your ordinary analysis of whether a subpoena is valid under HIPAA still mattered, and minimum necessary still mattered.
What made an attestation “valid” under the regulation
The regulation was unusually rigid about the structure of a valid attestation. A valid attestation had to be a document that met specific content requirements and verified that the use or disclosure was not otherwise prohibited by the reproductive health care prohibition in 45 C.F.R. § 164.502(a)(5)(iii). It could be electronic, but it still had to meet the same content requirements.
The required elements were not optional. The attestation had to describe the information requested with specificity, identify either the individual(s) whose PHI was sought or a described class if names were not practicable, identify who was being asked to disclose, identify who would receive the PHI, include a clear statement that the use or disclosure was not for a prohibited purpose, and include a statement about potential criminal penalties under 42 U.S.C. § 1320d-6 for wrongful obtaining or disclosing individually identifiable health information. The attestation also required a signature and date, and if signed by a representative, it required a description of that person’s authority to act for the requester.
The regulation also defined “defective attestations.” An attestation was not valid if it was missing required elements, contained extra elements not required, violated the “compound attestation” rule, contained material falsehoods known to the covered entity or business associate, or would not be believed by a reasonable covered entity or business associate in the same position with respect to the required statement about prohibited purpose. That “reasonable entity” standard is an operational landmine because it implies you cannot rubber-stamp a form when the surrounding facts do not line up.
The model attestation published by HHS made the same point in practical language. It instructed requesters not to add non-required content and instructed regulated entities not to rely on the attestation if it lacked required elements, was improperly combined with other documents, contained false material information, or would not be believed by a reasonable entity in the same position. It also emphasized that if you later discover a material misrepresentation, you must stop making the requested use or disclosure.
Finally, the regulation included a plain language requirement. That sounds cosmetic until you realize why it exists: OCR was trying to prevent “attestation by ambush,” where a requester embeds the required statement deep inside legalese and claims compliance. Plain language was meant to make the certification explicit and readable by the humans actually processing the request.
How the attestation fit into real request workflows
To understand how the attestation rule would have worked in practice, it helps to think like an engineer: the attestation was a gate inserted into a pre-existing pipeline. That pipeline begins when the organization receives a request, continues through identity and authority verification, evaluates the request under an applicable Privacy Rule permission, applies minimum necessary, documents the decision, and then releases PHI through an approved channel. The reproductive health attestation requirement inserted a mandatory check into that pipeline, but only when the request purpose matched one of the four specified categories and the requested dataset could include reproductive health care information.
In concrete terms, if a subpoena arrived asking for records that might include reproductive health care information, the regulated entity would still need to determine whether the subpoena qualified under HIPAA’s judicial and administrative proceeding provision and whether required “satisfactory assurances” or a protective order were present where applicable. The attestation was an extra condition, not a replacement for those existing requirements.
The operational design goal was to reduce “silent failures.” OCR’s view, expressed in the rule’s preamble, was that regulated entities already must scrutinize requests in these categories because HIPAA already imposes conditions for them, so the incremental burden of obtaining an attestation should be limited. The attestation, in that sense, acted like an explicit acknowledgment by the requester that they are not using the request to target lawful reproductive health care, paired with a reminder that criminal penalties can apply for wrongful acquisition or disclosure.
Lawfulness, presumption, and “you are not expected to become a 50-state research service”
One of the most confusing parts of the 2024 framework was the “lawfulness” determination. The prohibition and the attestation logic depended on whether the reproductive health care at issue was lawful under the circumstances. That sounds like it would force clinics to analyze other states’ laws, which is not a realistic expectation for small practices. The rule’s preamble explicitly addressed this by explaining that when the regulated entity receiving the request did not provide the reproductive health care, it was not expected to research other states’ laws or perform deep analysis to determine lawfulness, and the presumption standard was designed to let the entity limit its review to information supplied by the requester when the request addresses care provided by someone else.
By contrast, when a request was made to the regulated entity that actually provided the reproductive health care, the preamble indicated the entity would be responsible for determining whether it provided care that was lawful under the circumstances, using available relevant evidence bearing on that lawfulness. If the entity reasonably determined the care was lawful, the prohibition would apply and the entity could not make the use or disclosure for the prohibited purpose.
This difference matters because it clarifies that the system was not meant to force every hospital to become a legal research vendor for every jurisdiction. It was meant to (1) prevent the regulated entity that provided lawful care from being forced to help punish that care and (2) prevent requesters from leveraging broad subpoenas to obtain records from third parties when those third parties cannot realistically validate the legal framing.
What organizations should do today when they receive reproductive-health-adjacent requests
Because the special reproductive health attestation rule is vacated, the right question is what the still-operative Privacy Rule requires and permits when law enforcement or legal process touches reproductive health care information. OCR’s guidance on PHI disclosures relating to reproductive health care is the most useful official starting point because it describes how existing permissions work and where the boundaries are.
The first operational principle is that HIPAA often permits but does not require disclosure, even when the request comes from law enforcement. OCR’s guidance explains that the “required by law” pathway is limited to mandates in law that compel the disclosure and are enforceable in court, and it stresses that disclosures that do not meet that definition or that exceed what is required do not qualify. In other words, “they asked” is not a legal basis, and “it feels safer to comply” is not a HIPAA permission.
The second operational principle is that you should not confuse a workforce member’s personal decision to report with a lawful HIPAA disclosure. OCR’s guidance provides an example where a hospital workforce member suspects a patient of ending a pregnancy with medication, but state law does not require reporting to law enforcement. In that scenario, OCR states that the Privacy Rule would not permit disclosure to law enforcement under the “required by law” permission, and that such a disclosure would be impermissible and would constitute a breach of unsecured PHI requiring notification.
The third operational principle is that when legal process exists, scope still matters. OCR’s guidance states that a covered entity may respond to law enforcement requests made through legal processes such as a court order, warrant, subpoena, or summons only under the conditions in the Privacy Rule, and it emphasizes that the entity may disclose only the requested PHI and only if the applicable conditions are met. This is where minimum necessary discipline and a standardized records-release process earn their keep, because “only the requested PHI” is often narrower than “print the chart.”
The fourth operational principle is that “serious and imminent threat” is not a catch-all for reporting pregnancy-related intent. OCR’s guidance explains that a statement indicating intent to obtain a legal abortion does not qualify as a serious and imminent threat to health or safety for purposes of that Privacy Rule permission, and it frames such disclosures as inconsistent with professional ethics according to major professional societies cited in the guidance. Even if you disagree with the policy posture, the engineering fact remains: you should not build compliance workflows around exceptions that OCR itself describes as inapplicable to common reproductive health scenarios.
In practice, the defensible approach for small clinics is to implement a structured intake and escalation workflow for third-party requests. Your default should be to route requests involving law enforcement, subpoenas, audits, or coroner inquiries to a trained privacy function or designated escalation path, because those are precisely the contexts where permissive disclosures are most often misunderstood. If your organization has no in-house counsel, escalation can still be operational: a defined set of “stop and review” triggers, a checklist aligned to the relevant Privacy Rule permission, and a requirement that the request be documented and retained before PHI leaves the building.
If the attestation requirement returns, what “good” would look like
Even though the attestation requirement is currently vacated, many organizations want to prepare for regulatory whiplash. If a future rule reinstates an attestation requirement, success will depend on whether you treat it as a paperwork add-on or as a controlled process with clearly defined decision points. The 2024 regulation and the HHS model form provide a blueprint for what the controlled process should contain.
A mature implementation would start with request classification. The system must distinguish between patient access requests, treatment coordination, payer operations, and third-party non-health purposes such as subpoenas, law enforcement, and oversight. The attestation requirement was explicitly tied to four categories of § 164.512 disclosures, so your intake should map requests to those categories instead of relying on free-text “purpose” labels from the requester.
A mature implementation would also embed attestation validation into the workflow rather than leaving it to memory. The regulation’s “defective attestation” criteria make clear that missing required elements, adding extra clauses, or combining the attestation improperly would defeat validity, and the “reasonable entity” standard suggests you must be able to explain why reliance was reasonable under the circumstances. A practical control here is a standardized attestation intake template in your ticketing or ROI system that forces entry of the required elements and flags deviations for escalation.
Finally, a mature implementation would treat the attestation as a record that must be retained and auditable. The HHS model instructions emphasize maintaining a written copy of the completed attestation and any relevant supporting documents, and the regulation itself ties the attestation to documentation obligations and cessation of disclosure if material misrepresentations are discovered. If you cannot reconstruct who requested what, under what claimed authority, with what certified purpose, you are effectively running an unaudited API endpoint for sensitive PHI.
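As an added illustration of the required-element and defect checks described under “What made an attestation valid” and the intake template described here, the following is my own constructed example, not the HHS model form or any vendor’s ROI system; the field names, defect strings, and routing labels are assumptions, and only the four purpose categories and the element list come from the regulation as summarized on this page.

```python
"""Attestation intake gate modelled on the (vacated) 45 C.F.R. § 164.509 elements.
Constructed example: field names, defect strings and routing labels are my own."""
from dataclasses import dataclass, field
from typing import Optional

# The four § 164.512 purposes that triggered the attestation requirement.
ATTESTATION_PURPOSES = {
    "health_oversight": "164.512(d)",
    "judicial_administrative": "164.512(e)",
    "law_enforcement": "164.512(f)",
    "coroner_medical_examiner": "164.512(g)(1)",
}


@dataclass
class Attestation:
    description_of_phi: str            # information requested, with specificity
    individuals: list                  # named individual(s) ...
    class_description: Optional[str]   # ... or a described class if names are impracticable
    disclosing_entity: str             # who is being asked to disclose
    recipient: str                     # who will receive the PHI
    not_prohibited_statement: bool     # clear statement: not for a prohibited purpose
    penalty_notice: bool               # 42 U.S.C. § 1320d-6 penalty statement included
    signature: Optional[str]
    signed_on: Optional[str]           # ISO date string, e.g. "2025-01-10"
    signer_is_representative: bool = False
    representative_authority: Optional[str] = None
    extra_clauses: list = field(default_factory=list)  # content beyond required elements
    combined_with_other_document: bool = False         # the "compound attestation" defect
    known_material_falsehood: bool = False


def attestation_required(purpose: str, may_include_reproductive_phi: bool) -> bool:
    """The gate fired only for the four listed purposes AND a responsive dataset
    that could include reproductive health care PHI."""
    return purpose in ATTESTATION_PURPOSES and may_include_reproductive_phi


def attestation_defects(a: Attestation) -> list:
    """Every reason the document is defective; empty means the element checks pass.
    The 'reasonable entity' believability judgement is still a human decision."""
    checks = [
        (not a.description_of_phi.strip(), "missing: specific description of requested PHI"),
        (not a.individuals and not a.class_description, "missing: individual(s) or described class"),
        (not a.disclosing_entity.strip(), "missing: entity asked to disclose"),
        (not a.recipient.strip(), "missing: recipient of the PHI"),
        (not a.not_prohibited_statement, "missing: statement that the purpose is not prohibited"),
        (not a.penalty_notice, "missing: 42 U.S.C. § 1320d-6 penalty statement"),
        (not a.signature or a.signed_on is None, "missing: signature and date"),
        (a.signer_is_representative and not a.representative_authority,
         "missing: description of the representative's authority"),
        (bool(a.extra_clauses), "extra elements not required: " + "; ".join(a.extra_clauses)),
        (a.combined_with_other_document, "compound attestation: combined with another document"),
        (a.known_material_falsehood, "material falsehood known to the regulated entity"),
    ]
    return [msg for bad, msg in checks if bad]


def intake_decision(purpose: str, may_include_rh_phi: bool, a: Optional[Attestation]) -> str:
    """Route the request. Passing the gate only moves it on to the ordinary § 164.512
    and minimum-necessary review; the attestation is never a permission by itself."""
    if not attestation_required(purpose, may_include_rh_phi):
        return "ordinary_review"
    if a is None or attestation_defects(a):
        return "escalate"
    return "proceed_to_privacy_rule_review"
```

The defect list is what your ticketing system would attach to the escalation, and the retained record should include the attestation object itself alongside the decision label.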
A brief note on Notices of Privacy Practices
The 2024 final rule set two timelines: December 23, 2024 for most provisions and February 16, 2026 for the NPP-related provisions. After the June 18, 2025 court decision, HHS stated that the court vacated only certain parts of the NPP modifications and that the remaining NPP modifications were undisturbed and remained in effect, with compliance required by February 16, 2026.
Because the court specifically vacated NPP provisions that referenced the reproductive health care attestation concept (164.520(b)(1)(ii)(F), (G), and (H)), organizations should be careful not to assume that “update the NPP for the reproductive health attestation” is a current requirement. The right move is to align your NPP work to what remains in effect under § 164.520 after the court’s partial vacatur, and to document that decision basis for your compliance file.
Bottom line
If you are looking for the actionable truth: the attestation requirement was a narrowly targeted control designed to block certain third-party requests from being used to investigate or impose liability for lawful reproductive health care. It imposed specific documentation and validation requirements that would have forced requesters to certify their purpose and would have forced regulated entities to stop treating subpoenas and law enforcement inquiries as automatic “must comply” events.
As of February 16, 2026, that special attestation regime has been vacated nationwide, and the focus for clinics should be on applying the existing Privacy Rule permissions correctly and conservatively, especially the “required by law” and law-enforcement-related pathways, which OCR describes as limited and frequently misunderstood. The organizations that do best in this environment are the ones that treat records release as a controlled process with escalation triggers, documentation discipline, and minimum necessary rigor, because those controls remain valid regardless of which way the regulatory wind is blowing.
Sources
HHS OCR, “HIPAA and Reproductive Health” (includes notice of June 18, 2025 vacatur and remaining NPP status).
HHS OCR, “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care” (guidance on required-by-law, law enforcement, and serious threat disclosures; includes vacatur notice).
Federal Register (April 26, 2024), “HIPAA Privacy Rule To Support Reproductive Health Care Privacy” (final rule; effective and compliance dates; regulatory rationale).
GovInfo, 45 C.F.R. § 164.509 (text as published; attestation requirements, defects, required elements, signature, and cessation on misrepresentation).
GovInfo, 45 C.F.R. § 164.502(a)(5)(iii) (text as published; prohibition, rule of applicability, presumption, and scope language).
GovInfo, 45 C.F.R. § 160.103 (text as published; definition of “reproductive health care”).
HHS OCR, “Model Attestation for a Requested Use or Disclosure of PHI Potentially Related to Reproductive Health Care” (model form and instructions).
U.S. District Court (N.D. Tex.), Judgment (June 18, 2025), vacating 89 Fed. Reg. 32976 except limited § 164.520 modifications; vacating 164.520(b)(1)(ii)(F), (G), (H).
U.S. Court of Appeals for the Fifth Circuit, Order/Judgment materials (September 10, 2025), dismissing appeal.
U.S. Code, 42 U.S.C. § 1320d-6 (wrongful disclosure of individually identifiable health information; penalties referenced in the attestation rule).