If you are impacted by wildfires, know that CDA and TDIC are here to support you. Contact CDA or call TDIC at 877.269.8844 to file a claim or explore resources.
CDA Websites

More results...

Content from
Content to
MenuClose Menu
Article

Dentists must comply with new HIPAA rule supporting reproductive health care privacy

Rule takes effect Dec. 23; providers must obtain signed attestation with requests for specific PHI
December 18, 2024
963
Close up of woman's hand holding a pen and filling out a form that appears to be a medical history form. The form is titled Patient Questionnaire and there are spaces to fill out name, DOB and a list of symptoms to check.
QUICK SUMMARY: CDA resources can help dentists comply by Dec. 23 with a new HIPAA rule that strengthens privacy protections for highly sensitive protected health information about individuals’ reproductive health care. As part of the requirement, a HIPAA-covered entity that receives a request for PHI that is potentially related to reproductive health care must obtain from the requestor an attestation that the use or disclosure is not for a prohibited purpose.

Most health care providers, including dentists, are required to comply by Dec. 23 with the HIPAA Privacy Rule to Support Reproductive Health Care Privacy — and CDA’s regulatory compliance analysts have updated resources to help members comply.

The final rule amends provisions of the Privacy Rule to strengthen privacy protections for highly sensitive protected health information about individuals’ reproductive health care.

Under the rule, covered health care providers, health plans and health clearinghouses along with their business associates are prohibited from:

  • Investigating or imposing criminal, civil or administrative liability on any person who seeks, obtains, provides or facilitates reproductive health care where the health care is legal under state or federal law.
  • Identifying an individual for the purpose of conducting such an investigation or imposing such a liability.

Setting these minimum protections for PHI “directly advances the purposes of HIPAA by setting minimum protections for PHI and providing peace of mind that is essential to individuals’ ability to obtain reproductive health care,” the rule states.

Signed attestation must accompany requests for PHI

A HIPAA-covered entity that receives a request for PHI that is potentially related to reproductive health care is required to obtain from the requestor an attestation that the use or disclosure is not for a prohibited purpose, including:

  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Disclosures to coroners and medical examiners

The final rule includes a presumption that the reproductive health care provided was lawful under the circumstances it was provided unless one of two specific conditions is met, such as if the HIPAA-covered entity has actual knowledge that the health care was not lawful.

A fact sheet on the final rule from the U.S. Department of Health and Human Services gives this example: “An individual discloses to their doctor that they obtained reproductive health care from an unlicensed person and the doctor knows that the specific reproductive health care must be provided by a licensed health care provider.”

Notice of Privacy Practices must be updated by February 2026

HIPAA-covered entities are required to update their Notice of Privacy Practices to reflect the amended HIPAA Privacy Rule by Feb. 16, 2026. CDA will have an updated sample Notice of Privacy Practices available online before that date.

CDA members can log in now to use these two updated resources from CDA:

The updated resources include a link to a model attestation form that covered entities can use when they receive a third-party’s request for PHI that may potentially be related to an individual’s reproductive health care.

Feedback

Was this resource helpful?