How do employers comply with the HIPAA Reproductive Health Care rules by December 23, 2024?
The new HIPAA rules impose the following primary changes. They:
- Prohibit the use or disclosure of PHI in particular circumstances where reproductive health care is legally sought, obtained, provided, or facilitated.
- Require a health plan (or its business associates) to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for prohibited purposes.
- Require health plans to modify their notice of privacy practices to support reproductive health care privacy.
From a health plan perspective, most PHI related to reproductive health care will remain in the hands of third-party administrators and insurance carriers. However, the new rules will require action on the part of employers with self-funded group health plans (or insured plans with access to PHI) by Dec. 22, 2024. In particular, employers will need to:
- Conduct HIPAA training to incorporate the new requirements
- Revise HIPAA policies and procedures and BAAs
- Update and distribute the new Notice of Privacy Practices (by February 16, 2026)
- Develop an attestation form
Note: Many employers with fully insured health plans are not required to maintain or distribute their own privacy notice, as this responsibility is primarily imposed on the health insurance issuer. However, fully insured health plans with access to PHI (other than enrollment and summary health information) would also have to comply with the above obligations.
Also, HHS provides model privacy notices for health care providers and health plans to use. It is expected that HHS will update its model notices to incorporate the new requirements for 2026. However, at this time, new model notices haven’t yet been issued.