HIPAA Requirements for Obstetricians: What OB/GYN Practices Must Do to Stay Compliant


Kevin Henry

HIPAA

December 31, 2025

9 minutes read

HIPAA Privacy Rule Compliance

What counts as PHI in obstetrics

For OB/GYN practices, Protected Health Information (PHI) includes pregnancy status, prenatal labs, ultrasound images and reports, genetic screening results, fertility treatments, delivery details, and postpartum notes when linked to an individual. Treat scheduling data, billing details, and portal messages the same way whenever they identify a patient.

Operational duties you must implement

  • Designate a privacy official and implement written policies and procedures covering uses/disclosures, workforce training, sanctions, safeguards, and complaint handling under 45 CFR 164.530.
  • Train your workforce, document completion, and re-train when policies or law change; apply and document sanctions for violations.
  • Apply the “minimum necessary” standard for routine disclosures and internal uses that are not for treatment, and document role-based access rules.
  • Maintain documentation for at least six years from creation or last effective date.

These administrative requirements and the minimum necessary standard are core Privacy Rule obligations for covered providers like OB/GYNs. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.530?utm_source=openai))

Common OB/GYN risk areas

  • Front-desk conversations and waiting-room paging that reveal pregnancy status.
  • Unverified spouse/partner requests for records; confirm authority before sharing.
  • Unsecured texting/photo sharing of ultrasound images from personal devices.

Establish clear verification, call-back, and role-based minimum-necessary procedures to reduce inadvertent disclosures. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/introduction/index.html?utm_source=openai))

Implementing Security Rule Safeguards

Administrative Safeguards

  • Conduct and document a risk analysis, then manage identified risks; assign a security official; implement workforce security, security awareness, sanction, and incident response processes.
  • Establish contingency plans (backup, disaster recovery, emergency operations) for your EHR, ultrasound archives, fetal monitoring systems, and patient portals.
  • Review activity logs and security events regularly; manage vendor security and document Business Associate oversight.

These measures implement 45 CFR 164.308 and align with OCR’s emphasis on risk analysis, monitoring, and recognized security practices. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))

Physical Safeguards

  • Control facility entry; secure server/network closets; implement workstation positioning and screen privacy; lock down ultrasound rooms after hours.
  • Track, re-use, and dispose of devices/media (laptops, probes, portable drives) with encryption and certified wipe procedures.

Physical Safeguards are required by 45 CFR 164.310; build device/media controls into your imaging and EHR lifecycle. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C?utm_source=openai))

Technical Safeguards

  • Implement access control with unique user IDs, least privilege, and automatic logoff; enable audit logs for the EHR, imaging systems, and patient portals; implement integrity controls and transmission security.
  • Use strong encryption for ePHI at rest and in transit; deploy phishing‑resistant multi‑factor authentication, especially for remote and email access.
  • Harden endpoints and mobile devices (MDM, remote wipe, patching) used for sharing fetal images or telehealth.

Technical Safeguards under 45 CFR 164.312, combined with current OCR cybersecurity guidance, reduce the most common ePHI breach vectors in ambulatory settings. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))

Understanding Reproductive Health Care Protection

Where federal protections stand as of 2026

HHS’s 2024 Final Rule that added special HIPAA protections for reproductive health care PHI (including an attestation requirement) was largely vacated nationwide by the U.S. District Court for the Northern District of Texas on June 18, 2025; subsequent appeals were dismissed in September 2025. As a result, the rule’s core reproductive‑privacy provisions and attestation requirement are not in effect. ([caselaw.findlaw.com](https://caselaw.findlaw.com/court/us-dis-crt-n-d-tex-ama-div/117411800.html?utm_source=openai))

However, portions of the Notice of Privacy Practices (NPP) modifications unrelated to those vacated provisions remain, with a February 16, 2026 compliance date (discussed below). OB/GYNs must therefore follow the standard HIPAA Privacy Rule for reproductive health PHI and should not rely on the vacated attestation process. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))

How to handle sensitive requests now

  • Law enforcement, health oversight, or court requests: disclose only when a HIPAA permission applies (e.g., required by law, valid subpoena/court order) and limit to the minimum necessary; escalate novel or multi‑state requests to counsel.
  • Public health and abuse/neglect reporting: continue mandated reporting where required by law; document the legal basis for any disclosure.
  • Minors’ records: when state law allows a minor to consent to specific services (e.g., certain reproductive or STI care), the parent may not be the minor’s personal representative for that episode; apply state law and professional judgment.

Use the existing HIPAA permissions in 45 CFR 164.512 and parental/guardian rules in 45 CFR 164.502(g), applying the minimum necessary standard where applicable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html?utm_source=openai))

Managing Permitted and Prohibited PHI Disclosures

Permitted without Patient Authorization

  • Treatment, payment, and health care operations (TPO) under 45 CFR 164.506.
  • Public health, abuse/neglect, health oversight, judicial/administrative proceedings, certain law enforcement, decedents, organ donation, and workers’ compensation, under 45 CFR 164.512 (conditions apply).

For law enforcement, verify the legal process (warrant, subpoena, court order) and ensure disclosures meet the rule’s conditions; apply minimum necessary except where not required (e.g., treatment). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.512?utm_source=openai))

Disclosures requiring Patient Authorization

  • Most non‑TPO disclosures, marketing, sale of PHI, most research without waiver, and psychotherapy notes require valid Patient Authorization with all elements of 45 CFR 164.508(c).

A valid authorization must specify the information, who is authorized to disclose and receive it, the purpose, expiration, the right to revoke, and other required statements, in plain language and signed by the patient (or personal representative). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.508?utm_source=openai))

Minimum necessary and documentation

Adopt role‑based access and documented workflows that limit routine internal and external disclosures to the minimum necessary to accomplish the purpose, with reliance provisions where appropriate (e.g., certain requests from public officials or other covered entities). ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html?utm_source=openai))

Updating Notice of Privacy Practices

What changed and by when

The 2025 court decision left in place the NPP modifications that align HIPAA notices with the 42 CFR Part 2 changes; covered entities had to update their NPPs by February 16, 2026. Ensure your notice reflects the surviving HIPAA requirements and the Part 2 alignment for SUD records. ([hollandhart.com](https://www.hollandhart.com/update-your-hipaa-notice-of-privacy-practices-by-february-16-2026?utm_source=openai))

Baseline NPP obligations for OB/GYNs

  • Provide the NPP no later than the first service date, make a good‑faith effort to obtain written acknowledgment, post it prominently in the office, and post the current version on your website.
  • When you materially change privacy practices, update and redistribute/post the revised NPP.

These duties come from 45 CFR 164.520 and continue to apply to all covered providers. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html?utm_source=openai))

Part 2 alignment your notice should reflect

  • Explain that certain SUD records are protected by Part 2 and describe permitted uses/disclosures, redisclosure limits, and patient rights consistent with the 2024 Part 2 Final Rule (compliance required by February 16, 2026).

Use HHS’s models to ensure your NPP and any Part 2 patient notice meet content requirements. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))

Establishing Business Associate Agreements

Who is your Business Associate

Any vendor that creates, receives, maintains, or transmits PHI for your practice—such as your EHR, billing company, cloud backup, appointment reminder/texting service, telehealth platform, ultrasound image host, shredding vendor, or external coding firm—is a Business Associate (BA) and requires a Business Associate Agreement (BAA). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html?utm_source=openai))

Core BAA provisions to include

  • Permitted/required uses and disclosures; a duty to implement safeguards and comply with the Security Rule; prompt breach reporting and cooperation with investigations.
  • Downstream subcontractor compliance; access/amendment/accounting assistance; return or secure destruction of PHI at termination; and termination for material breach.

These elements are required under 45 CFR 164.502(e) and 164.504(e); HHS provides model BAA provisions you can adapt with counsel. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.504?utm_source=openai))

Access, amendments, restrictions, and confidential communications

  • Right of access: act on requests within 30 days (one 30‑day extension with written notice); provide e‑copies in the requested form/format if readily producible and charge only reasonable, cost‑based fees.
  • Right to request amendment and to receive an accounting of certain disclosures.
  • Right to request restrictions—and you must accept a restriction that prevents disclosure to a health plan when the patient pays in full out‑of‑pocket and the disclosure is not otherwise required by law.
  • Right to request confidential communications by alternative means or locations.

Build clear workflows and patient‑facing instructions to honor these rights under 45 CFR 164.524, 164.526, 164.528, 164.522. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html?utm_source=openai))

Patient Authorization in OB/GYN settings

When a disclosure isn’t permitted by HIPAA without consent, obtain a valid Patient Authorization that specifies the PHI, the discloser/recipient, purpose, expiration date or event, right to revoke, and required statements in plain language; keep the signed form on file. Train staff to recognize when authorization is needed (e.g., non‑TPO sharing with employers, media, most marketing). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.508?utm_source=openai))

FAQs

What are the key HIPAA privacy requirements for OB/GYN practices?

You must implement written privacy policies, designate a privacy official, train and sanction your workforce, apply the minimum‑necessary standard for non‑treatment uses/disclosures, and maintain documentation for six years. Post and distribute a compliant NPP and update it when practices change. These duties derive from 45 CFR 164.530 and 164.520. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.530?utm_source=openai))

How should obstetricians handle patient authorization for PHI disclosures?

When disclosure isn’t allowed under HIPAA’s permissions (e.g., it’s not for TPO or another specific exception), use a written Patient Authorization that meets all elements of 45 CFR 164.508(c): specific description of PHI; who may disclose and receive; purpose; expiration; right to revoke; and signature/date in plain language. Keep records of authorizations and honor revocations prospectively. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.508?utm_source=openai))

What safeguards are required for electronic health records in obstetrics?

Implement Administrative, Physical, and Technical Safeguards: risk analysis and management, workforce security and incident response, facility/workstation controls and device/media handling, and access control, audit logs, integrity, and transmission security. Use MFA and encryption to reduce common breach vectors. These requirements come from 45 CFR 164.308, 164.310, and 164.312 with OCR guidance on current cybersecurity practices. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))

How often must Notice of Privacy Practices be updated and provided?

Provide your NPP no later than the first service date, post it prominently in the office and on your website, and update it whenever you materially change your privacy practices. In addition, the NPP modifications that survived from the 2024 rulemaking (including Part 2 alignment) required updates by February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html?utm_source=openai))

Conclusion

To stay compliant, OB/GYN practices should pair strong Privacy Rule operations with rigorous Security Rule controls, formalize Business Associate Agreements, honor patient rights and authorization standards, and keep NPPs up to date. After the 2025 court decision, treat reproductive health PHI under the baseline HIPAA framework and state law, and ensure your 2026 NPP updates reflect surviving HIPAA and Part 2 requirements. ([caselaw.findlaw.com](https://caselaw.findlaw.com/court/us-dis-crt-n-d-tex-ama-div/117411800.html?utm_source=openai))
