Summary: On April 26, 2024, the Department of Health and Human Services (HHS) issued an update to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The final rule, originally released as a proposed rule in 2023 after the U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, addresses the use and disclosure of protected health information (PHI) for reproductive health data. While this final rule is effective June 25, 2024, the compliance deadlines for the provisions of the rule are later in 2024 and beyond.
Self-funded group health plans will be impacted by this final rule and required to take certain compliance actions by the deadlines detailed below. Read on for more information.
HHS adopted the HIPAA Privacy Rule in 2000, establishing national standards to protect individuals’ medical records and other personal health information. The HIPAA Privacy Rule imposes strict limits on the use, disclosure, and protection of PHI by regulated entities, meaning health care providers, health plans, health care clearinghouses, and their business associates.
The HIPAA Privacy Rule:
The Privacy Rule applies to both self-funded and fully insured group health plans. However, employers that sponsor fully insured plans and do not have access to PHI (other than certain limited types) from their insurance carriers generally have much lighter compliance requirements under the Privacy Rule than self-funded plans.
The final rule arrives after a proposed rule was released in April 2023. Furthermore, in the wake of the Dobbs decision overturning Roe v. Wade, HHS issued guidance reminding regulated entities that reproductive health care information is protected under HIPAA.
This final rule adds a new category of prohibited uses and disclosures of PHI, prohibiting a regulated entity from using or disclosing PHI for any of the following purposes:
The prohibition applies where a regulated entity reasonably determines that one or more of the following conditions exist, as stated in an HHS fact sheet:
Example: A resident of one state travels to another state to receive reproductive health care, such as an abortion, that is lawful in the state where the care was provided.
Example: The reproductive health care at issue, such as contraception, is protected by the Constitution.
Additionally, when a regulated entity did not provide the reproductive health care at issue, the final rule prohibits the use or disclosure of PHI when the person making the request does not provide sufficient information to overcome a presumption of legality. This presumption may be overcome if the person making the request provides information showing a substantial factual basis that the reproductive health care was unlawful under the circumstances in which it was provided.
Example: A law enforcement official provides a health plan with evidence that the information being requested is reproductive health care that was provided by an unlicensed person where the law requires that such health care be provided by a licensed health care provider.
The final rule includes a new attestation requirement. When a regulated entity receives a request for PHI that might relate to reproductive health care, it must obtain a signed attestation confirming that the PHI request is not for a prohibited purpose. This attestation requirement applies when the request is for PHI for any of the following:
Regulated entities must comply with the new attestation requirement by December 23, 2024. HHS published a HIPAA model attestation form for covered entities and business associates to use for compliance purposes.
The Privacy Rule generally requires that a covered entity provide individuals with a Notice of Privacy Practices (NPP) to ensure that they understand how a covered entity may use and disclose their PHI, as well as their rights and the covered entity’s legal duties with respect to PHI.[1]
The final rule requires covered entities to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under this final rule by updating their NPPs by February 16, 2026. Moreover, covered entities that handle certain substance use disorder (SUD) patient records must update their NPPs to detail new privacy protections for these records.
HHS intends to publish model NPP language for this purpose.
While the requirements of the final rule will primarily impact health care providers, self-funded group health plans are subject to certain provisions as covered entities under HIPAA.
Self-funded group health plans are advised to begin complying with this final rule by taking the following steps in conjunction with their own counsel and HIPAA compliance partners:
Risk Strategies will provide updates when available, including when HHS publishes model language for updated NPPs.
In the meantime, contact us directly with any questions at benefits@risk-strategies.com.
[1] 45 CFR 164.520.