HIPAA and Infertility Treatment Records: What Patients and Fertility Clinics Need to Know

Infertility treatment records are protected health information, and how clinics handle them affects patient trust, legal exposure, and day‑to‑day operations. This guide explains what the HIPAA Privacy Rule requires today, how the now‑vacated 2024 “reproductive health” Final Rule fit in, and what fertility practices and their patients should expect—especially for telehealth and third‑party vendors. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf?source=post_page---------------------------&utm_source=openai))

HIPAA Privacy Rule Final Rule Overview

In April 2024, HHS finalized the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” which took effect on June 25, 2024 with an initial compliance date of December 23, 2024. The Final Rule introduced four mechanisms: a prohibition on certain disclosures, a presumption of lawfulness, a written attestation requirement for specified disclosures, and updates to Notices of Privacy Practices (NPPs). ([dlapiper.com](https://www.dlapiper.com/en-us/insights/publications/2024/05/ocr-finalizes-hipaa-privacy-rule-to-support-reproductive-healthcare-privacy))

On June 18, 2025, the U.S. District Court for the Northern District of Texas declared most of that Final Rule unlawful and vacated it nationwide. HHS has stated that certain NPP modifications remain in effect, with compliance required by February 16, 2026; the court vacated the rest, including the prohibition and attestation provisions. Clinics should monitor appeals or subsequent agency action, but as of May 1, 2026, most reproductive‑health‑specific amendments are not enforceable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))

Definition of Reproductive Healthcare in HIPAA

Under the 2024 Final Rule (now largely vacated), “reproductive health care” was defined broadly as health care affecting the reproductive system and its functions and processes—expressly encompassing services such as infertility evaluation, IVF, and fertility preservation. While that definition is not presently operative as regulatory text due to the court’s decision, it remains a useful framing for privacy programs. ([dlapiper.com](https://www.dlapiper.com/en-us/insights/publications/2024/05/ocr-finalizes-hipaa-privacy-rule-to-support-reproductive-healthcare-privacy))

Regardless of that vacatur, infertility treatment records are still PHI under the long‑standing HIPAA Privacy Rule because they are individually identifiable information relating to health care or payment, created or received by a covered entity or business associate. That baseline protection—and the “minimum necessary” standard—continues to apply. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))

Compliance Requirements for Fertility Clinics

What remains required today

• Honor core HIPAA Privacy and Security Rule duties: limit uses/disclosures, apply “minimum necessary,” maintain administrative/technical safeguards, conduct risk analysis, and provide patient rights (access, amendments, accounting). ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf?source=post_page---------------------------&utm_source=openai))
• Update the NPP to reflect remaining, undisturbed changes by February 16, 2026, and ensure alignment with 42 CFR Part 2 final rule updates. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
• Execute business associate agreements (BAAs) with all vendors that create, receive, maintain, or transmit PHI (for example, telehealth platforms, EHRs, billing, cloud, storage, labs). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions?utm_source=openai))

What changed—and what did not

• The Final Rule’s special prohibition on using or disclosing PHI to investigate or impose liability for lawful reproductive healthcare was vacated; clinics revert to the standard HIPAA permissions and requirements. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
• If your clinic implemented extra controls (e.g., specialized request routing, enhanced logging) in 2024, you may keep them as risk‑reduction measures, but they are not federally required by the vacated provisions. Continue to follow state law and baseline HIPAA. ([ropesgray.com](https://www.ropesgray.com/en/insights/alerts/2025/07/us-district-court-ruling-vacates-hipaa-final-rule-that-strengthened-privacy-protections?utm_source=openai))

Attestation Procedures for Information Disclosure

The 2024 Final Rule had required a signed attestation—separate from other documents—before disclosing PHI potentially related to reproductive health care for four request types: health oversight, judicial/administrative proceedings, law enforcement purposes, and disclosures to coroners/medical examiners. That “written attestation requirement” was designed to ensure requests were not for prohibited purposes. ([dlapiper.com](https://www.dlapiper.com/en-us/insights/publications/2024/05/ocr-finalizes-hipaa-privacy-rule-to-support-reproductive-healthcare-privacy))

Following the June 18, 2025 ruling, the federal attestation requirement is vacated and not currently enforceable. Clinics should revert to HIPAA’s existing disclosure pathways (for example, “required by law,” court orders, or other 45 CFR 164.512 permissions) and their standard verification processes. If you retain an internal attestation step as a best practice, ensure it does not delay urgent, legally required disclosures. ([faegredrinker.com](https://www.faegredrinker.com/en/insights/publications/2025/6/texas-federal-district-court-invalidates-the-hipaa-reproductive-health-rule?utm_source=openai))

Telehealth Privacy Considerations in Infertility Care

Use HIPAA‑compliant telehealth platforms that offer encryption, access controls, audit logging, and will sign BAAs. OCR’s telehealth guidance reinforces that covered providers must select vendors capable of meeting HIPAA requirements and formalize responsibilities in a BAA. ([telehealth.hhs.gov](https://telehealth.hhs.gov/providers/telehealth-policy/hipaa-for-telehealth-technology?utm_source=openai))

The COVID‑19 telehealth enforcement discretion ended at 11:59 p.m. on August 9, 2023; full HIPAA compliance has been required since then. Reassess any interim workflows, disable legacy non‑compliant tools, and confirm secure configurations for video, messaging, scheduling, and file exchange. ([aha.org](https://www.aha.org/news/headline/2023-08-09-covid-19-hipaa-transition-period-telehealth-expires?utm_source=openai))

Review tracking technologies on patient‑facing sites and telehealth pages. Disclosing PHI via pixels, analytics, or chat widgets generally requires either a BAA with the vendor or a HIPAA‑compliant authorization; otherwise, remove or reconfigure these tools. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html?_cldee=lPZ1lOU9AuHulJ0xqModDJuyExHQY6_wqJ4C6DsPCabicfXRKDOJUzmsIhOE52Rw&esid=7c836209-e52f-ef11-840a-000d3a36cb89&recipientid=contact-e224ab3ac7cfe81180d102bfc0a80172-1fd998d7b4884ba8a419b2663c1759da&utm_source=openai))

Strengthen cybersecurity hygiene (MFA, patching, network segmentation, device hardening) to protect ePHI across remote care workflows and connected devices used in fertility treatment. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-january-2026/index.html?utm_source=openai))

Ethical Obligations Regarding Patient Confidentiality

Even where specific reproductive‑health amendments are vacated, patient confidentiality in fertility treatment remains an ethical and operational imperative. Be transparent with patients about data flows, apply “minimum necessary” to non‑treatment disclosures, and train staff to escalate sensitive or out‑of‑state requests for records to privacy counsel. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf?source=post_page---------------------------&utm_source=openai))

Ethical stewardship also means anticipating heightened sensitivities around donor information, embryo and gamete storage details, and genetic testing results. Clear consent processes and conservative disclosure practices reinforce reproductive health information protection and foster trust. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf?source=post_page---------------------------&utm_source=openai))

Examples of Protected Reproductive Health Information

• Infertility evaluations and diagnostic results (e.g., AMH, FSH/LH, semen analysis, ultrasound findings).
• IVF cycle records (stimulation protocols, oocyte retrieval notes, fertilization data, embryo grading, transfer notes).
• Embryo/gamete cryostorage status, inventory logs, chain‑of‑custody documentation, and storage location metadata.
• Preimplantation genetic testing (PGT‑A/PGT‑M) reports and associated counseling notes.
• Third‑party reproduction documentation (donor/gestational carrier screening results, consents, and matching records).
• Telehealth visit recordings/transcripts, secure messages, and image/file uploads exchanged for fertility care.
• Claims, prior authorizations, superbills, CPT/HCPCS/ICD coding, and payer correspondence related to infertility services.

All of the above constitute PHI when they can identify a patient and are created or received by a covered entity or business associate. Apply HIPAA’s Privacy and Security Rules accordingly. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))

Conclusion

Bottom line: infertility treatment records remain protected under core HIPAA rules. The 2024 reproductive‑health Final Rule introduced additional safeguards (including an attestation), but most were vacated on June 18, 2025; selected NPP changes still require attention by February 16, 2026. Keep BAAs tight, telehealth fully compliant, and request‑handling disciplined to safeguard lawful reproductive healthcare information. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))

FAQs.

What protections does HIPAA provide for infertility treatment records?

HIPAA protects individually identifiable infertility records as PHI. Covered entities may use/disclose PHI for treatment, payment, and health care operations, and in other limited circumstances specified by the Privacy Rule. Patients retain key rights, including to access and obtain copies of their records. Security safeguards are required for ePHI. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf?source=post_page---------------------------&utm_source=openai))

How does the HIPAA Privacy Rule affect telehealth infertility services?

Telehealth encounters must use HIPAA‑compliant platforms and be supported by BAAs with any vendor that handles PHI. Since August 9, 2023, providers must meet full HIPAA requirements for remote communications; review tracking tools, harden systems, and ensure encryption, access controls, and audit logging are in place. ([telehealth.hhs.gov](https://telehealth.hhs.gov/providers/telehealth-policy/hipaa-for-telehealth-technology?utm_source=openai))

What types of reproductive health information are protected under HIPAA?

Any identifiable information about a patient’s reproductive health—such as IVF cycle notes, PGT results, embryo storage records, donor documentation, and related billing—qualifies as PHI when created or received by a covered entity or its business associate. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))

When must fertility clinics comply with the updated HIPAA rule?

Historically, the 2024 Final Rule took effect on June 25, 2024, with a compliance date of December 23, 2024. However, most of that rule was vacated by a federal court on June 18, 2025. Certain NPP changes remain, with a compliance deadline of February 16, 2026. Monitor ongoing litigation and agency updates for any changes. ([dlapiper.com](https://www.dlapiper.com/en-us/insights/publications/2024/05/ocr-finalizes-hipaa-privacy-rule-to-support-reproductive-healthcare-privacy))