Insights

Action Items as a Result of HIPAA Privacy Rule Modifications

Action Items as a Result of HIPAA Privacy Rule Modifications

Sep 04, 2024
Download PDFDownload PDF
Print
Share

Summary

On April 22, 2024, the U.S. Department of Health and Human Services (“HHS”) issued new regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that impose new restrictions on the use and disclosure of “reproductive health care” by covered entities, including employer-sponsored health plans.

These changes will require most employer-sponsored health plans to update their HIPAA policies and procedures and training practices by December 23, 2024 their Notice of Privacy Practices by February 16, 2026.

Purpose and Applicability

The new regulations expand the prohibitions on the use or disclosure of protected health information (“PHI”) to include any of the following purposes:

  • To conduct a civil, criminal, or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating reproductive healthcare;
  • To impose liability on a person for the mere act of seeking, obtaining, providing or facilitating reproductive health care; or
  • To identify any person described in the above two bullet points.

However, the expanded prohibitions outlined above apply only if:

  • The activity relates to a person seeking, obtaining, providing, or facilitating reproductive health care; and
  • The health plan or any of its business associates that receives a request for PHI reasonably determines that:
    • the reproductive health care was lawful in the state where it was provided;
    • the reproductive health care was protected by federal law; or
    • the reproductive healthcare was presumed to be lawful.

Since the new regulations provide that reproductive health care is presumed to be lawful unless the health plan or business associate has actual knowledge it was unlawful or factual information that provides a substantial basis that it was unlawful, we expect that it will often be the case that the expanded prohibitions apply.

Attestation

When a use or disclosure of reproductive health care-related PHI would not be a prohibited use or disclosure as described above, the requestor must attest to the health plan that the information will not be used for a prohibited purpose before reproductive health care-related PHI may be disclosed for any of the following reasons:

  • Health oversight activities conducted by health oversight agencies;
  • Judicial and administrative proceedings;
  • Law enforcement purposes; or
  • Disclosures to coroners or medical examiners.

HHS has released a model form of attestation for this purpose. 

Action Items by December 23, 2024

  • Revise the health plan’s HIPAA privacy policies and procedures to incorporate the new regulations’ requirements regarding using and disclosing reproductive health care-related PHI.
  • Be prepared to require requestors’ attestations when reproductive health care-related PHI is requested for a non-prohibited purpose.
  • Train applicable workforce members to ensure they know and understand the new use and disclosure restrictions, including being able to identify when an attestation is required.
  • Update business associate agreements to ensure no PHI related to reproductive health care will be released without the correct authorizations.
  • Review forms and templates used in communications or otherwise (e.g., template risk assessments used for breach responses) to ensure that all HIPAA references reflect any applicable modifications.

Action Item by February 16, 2026

  • Update Notice of Privacy Practices to include the newly enacted protections discussed above. Additionally, employers will be required to distribute and post the revised Notice of Privacy Practices for employees to view. It is anticipated that HHS will provide a model form before this compliance date.

Meet The Team

Meet The Team

Meet The Team

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.