Recent amendments to the HIPAA Privacy Rule strengthening the rule’s protections for reproductive health care records require group health plan sponsors to update their HIPAA compliance materials by December 23, 2024.
Limits on Use and Disclosure. Issued in response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and subsequent state legislative activity, the intent of the new rule is to protect the privacy of a person seeking reproductive health care services, including contraception, abortion care, and assisted reproductive technology services.
Specifically, the rule prohibits a group health plan from disclosing plan records related to lawfully obtained reproductive health care services if the records are sought to investigate or impose liability on a patient or health care provider for seeking or providing reproductive health care services. The rule includes a general presumption that reproductive health care services were lawfully obtained unless the plan (i) has actual knowledge to the contrary, or (ii) is provided with sufficient information from the person requesting the records that the services were unlawful.
New Attestation Requirement. To bolster these protections, if reproductive health care records are requested for certain purposes, such as in connection with a judicial or administrative proceeding or for law enforcement purposes, the new rule requires a group health plan to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. Notably, an attestation is not required for uses or disclosures related to the plan’s benefit claim payment activities.
Required Updates to HIPAA Compliance Materials. Plan sponsors generally will need to update their HIPAA compliance materials to reflect these amendments to the Privacy Rule by December 23, 2024. However, under a special delayed effective date, plan sponsors have until February 16, 2026, to update the plan’s Notice of Privacy Practices.
- HIPAA Privacy Policies and Procedures. The plan’s HIPAA privacy policies and procedures will need to be updated to reflect the new protections for reproductive health care records.
- Valid Attestation. The plan will need to prepare a valid attestation in the event reproductive health care records are requested from the plan. The new rule lists specific requirements that must be met for an attestation to be valid.
- Workforce Training. The plan sponsor’s benefits team and other workforce members should be trained on the new rule so that they are prepared to respond in the event the plan (or a plan service provider) receives a request for reproductive health care records.
- Business Associate Agreement. Business associate agreements with plan service providers should be reviewed to determine whether any amendments are needed based on the services provided.
- Notice of Privacy Practices. The plan’s Notice of Privacy Practices will need to be updated to address the new rule by February 16, 2026. Plan sponsors may wish to consider making these updates when preparing the open enrollment materials for the 2025 plan year to ensure the updates are made timely.
- The plan’s Notice of Privacy Practices will also need to be updated to reflect recent changes to the 42 C.F.R. Part 2 regulations addressing substance use disorder patient records.