HIPAA Final Rule Strengthening Reproductive Health Care Privacy

HIPAA Privacy Rule Background

HHS adopted the HIPAA Privacy Rule in 2000, establishing national standards to protect individuals’ medical records and other personal health information. The HIPAA Privacy Rule imposes strict limits on the use, disclosure, and protection of PHI by regulated entities, meaning health care providers, health plans, health care clearinghouses, and their business associates.

The HIPAA Privacy Rule:

• Imposes limits and conditions on the uses and disclosures of PHI that can be made without an individual’s authorization;
• Provides individuals with rights over their PHI, including the right to receive a notice from covered entities about their privacy practices; and
• Requires appropriate safeguards to protect the privacy of PHI.

The Privacy Rule applies to both self-funded and fully insured group health plans. However, employers that sponsor fully insured plans and do not have access to PHI (other than certain limited types) from their insurance carriers generally have much lighter compliance requirements under the Privacy Rule than self-funded plans.

Final Rule

The final rule arrives after a proposed rule was released in April 2023. Furthermore, in the wake of the Dobbs decision (click here for our previous alert) overturning Roe v. Wade, HHS issued guidance reminding regulated entities that reproductive health care information is protected under HIPAA.

This final rule adds a new category of prohibited uses and disclosures of PHI, prohibiting the use or disclosure of PHI by a regulated entity from the following:

• Conducting a criminal, civil, or administrative investigation into or imposing liability on any person for merely seeking, obtaining, providing, or facilitating reproductive healthcare where it is lawful.
• Identifying any person for the purpose of conducting such investigation or imposing liability.

The prohibition applies where a regulated entity reasonably determined that one or more of the following conditions exist, as stated in an HHS fact sheet:

• The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.

  Example: If a resident of one state traveled to another state to receive reproductive health care, such as an abortion, which is lawful in the state where such health care was provided.

• The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.

  Example: If use of the reproductive health care, such as contraception, is protected by the Constitution.

Additionally, when a regulated entity did not provide the reproductive health care at issue, the final rule prohibits the use or disclosure of PHI when the person making the request does not provide sufficient information to overcome a presumption of legality. This presumption may be overcome if the person making the request provides information showing a substantial factual basis that the reproductive health care was unlawful under the circumstances in which it was provided.

New Attestation Requirement

The final rule includes a new attestation requirement. When a regulated entity receives a request for PHI that might relate to reproductive healthcare, a signed attestation must be obtained confirming that the PHI request is not for a prohibited purpose. This attestation requirement applies when the request is for PHI for any of the following:

• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes
• Disclosures to coroners and medical examiners

Regulated entities must comply with the new attestation requirement by December 23, 2024. HHS published a HIPAA model attestation form for covered entities and business associates to use for compliance purposes. Click here for this model attestation form.

Updated Notice of Privacy Practices

The Privacy Rule generally requires that a covered entity provide individuals with a Notice of Privacy Practices (NPP) to ensure that they understand how a covered entity may use and disclose their PHI, as well as their rights and the covered entity’s legal duties with respect to PHI.^[1]

The final rule requires covered entities to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under this final rule by updating their NPPs by February 16, 2026. Moreover, covered entities that handle certain substance use disorder (SUD) patient records must update their NPPs to detail new privacy protections for these records.

HHS intends to publish model NPP language for this purpose.

Next Steps for Self-Funded Plans

While the requirements of the final rule will primarily impact health care providers, self-funded group health plans are subject to certain provisions as covered entities under HIPAA.

Self-funded group health plans are advised to begin complying with this final rule by taking the following steps in conjunction with their own counsel and HIPAA compliance partners:

1. Updating HIPAA Privacy Rule policies and procedures, as necessary
   • This includes incorporating the requisite attestation form into these policies and procedures to use when the plan receives requests potentially related to reproductive health care (Click here for the HHS model attestation form).
2. Updating business associate agreements (BAAs), as necessary
3. Conducting HIPAA training for workforce members
4. Updating and distributing NPPs when HHS publishes model language for this purpose by February 16, 2026

Risk Strategies will provide updates when available, including when HHS publishes model language for updated NPPs.

In the meantime, contact us directly with any questions at benefits@risk-strategies.com.

[1] 4 45 CFR 164.520.