Understanding Employee Benefits and key developments in the employee benefits field and items of interest to our clients. MORE

The Department of Health and Human Services’ (“HHS”) Office for Civil Rights recently published a final rule (the “Final Rule“) which provides additional privacy protections related to the use and disclosure of reproductive health care information.  Covered entities (e.g., health plans) and their business associates must comply with all of the provisions of the Final Rule by December 22, 2024, except for the requirement to update their Notice of Privacy Practices, which must be updated by February 16, 2026.

At a high level, the Final Rule amended the privacy regulations promulgated under HIPAA (the “Privacy Rule”) to:

  • Prohibit the use or disclosure of protected health information (“PHI”) when it is requested to identify, investigate, or impose liability on individuals who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which the health care is provided;
  • Require that covered entities and business associates obtain a valid attestation from the person or entity requesting PHI that is potentially related to reproductive health care if the request is for: (a) health care activities, (b) judicial and administrative proceedings, (c) law enforcement purposes, and (d) disclosures to coroners and medical examiners; and
  • Require covered entities to modify their Notice of Privacy Practices to implement the changes made to reproductive health care privacy.

Below are a few important takeaways related to the Final Rule:

Presumption of Lawful Health Care – Reproductive health care is presumed to be lawful unless the covered entity or business associate either (a) has actual knowledge that the care was unlawful, or (b) receives information from the person requesting the use or disclosure of PHI and the information provides a substantial factual basis that the care was unlawful.

Attestation Requirement – The attestation may not be combined with any other document. While covered entities and business associates can develop their own attestation form, the HHS has indicated that it will publish a model attestation form prior to the compliance date.

Compliance Considerations for Covered Entities and Business Associates – If you are a covered entity or business associate, you should take the following steps to remain HIPAA compliant after the Final Rule’s compliance dates:

  • HIPAA Policies and Procedures:  You should review and update your HIPAA policies and procedures regarding the use and disclosure of PHI related to reproductive health care.
  • Attestation:  You should develop an attestation form, or use the HHS’s model attestation form, which should be published prior to the compliance date.
  • Workforce Training:  You should update workforce training materials and provide workforce training to describe the limitations on the use and disclosure of PHI related to reproductive health care and the new attestation requirement.
  • Notice of Privacy Practices:  You should update the Notice of Privacy Practices to include the new Final Rule requirements no later than February 16, 2026.  

 Please contact Lisa Rippey or Tom Dowling if you have any questions about the Final Rule or what impact it may have on your group health plan.