In April, the Department of Health and Human Services (HHS) issued final regulations (the Rule) which modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Privacy Rule) by implementing protections specific to protected health information (PHI) related to reproductive health care. The Rule requires covered entities to comply with the new privacy protections, obtain attestations from those who request reproductive health care PHI, and update their Notice of Privacy Practices (Privacy Notice). HHS defines “reproductive health care” broadly to include not just termination of pregnancy/abortion, but also contraception, emergency contraception, pregnancy screenings and treatment, reproductive system diagnoses and treatments, fertility diagnoses and treatments, and much more.
Effective Dates
Although the Rule is generally applicable as of December 23, 2024, it provides an extended deadline of February 16, 2026, by which covered entities must update their Privacy Notices.
Prohibitions on Uses/Disclosures of Certain PHI
The Rule prohibits the use or disclosure of PHI requested for the purposes of:
- Criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care;
- Imposition of criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care;
- Identification of any person for either of the two prohibited reasons above.
Key Features for Group Health Plans
Group health plans are covered entities under HIPAA and therefore must comply with the Rule, as well as all other applicable Privacy Rule obligations.
Attestation
Pursuant to the Rule, when a group health plan receives a request for reproductive health care PHI, it must obtain a signed, dated attestation from the requesting party describing the information requested and confirming the request is not related to a prohibited purpose. Failure to obtain required attestations could put the group health plan in jeopardy of civil or criminal penalties. The HHS model attestation for covered entities and business associates is now available: https://www.hhs.gov/sites/default/files/model-attestation.pdf.
Privacy Notice
Self-funded and insured group health plans with access to PHI are familiar with the required Privacy Notice, which must be provided to newly eligible participants upon enrollment and to all participants upon request. The Privacy Notice must also be updated and redistributed when there is a material change to its terms.
Although group health plans have until February 16, 2026, to update their Privacy Notices to include the new prohibitions on uses and disclosures related to reproductive health care PHI, plan sponsors and third-party administrators should periodically check for model language updates from HHS. In the absence of such model language, plan sponsors should work with their advisors to ensure the required updates to the Privacy Notice are made by the deadline. The updated Privacy Notice should then be distributed to all participants.
Additional Takeaways
- The Rule complicates the application of the “Required by Law” exception for disclosure of certain types of PHI. Group health plans should therefore pay close attention to the new requirements of the Rule, ensure they obtain proper attestations in the event of such requests, and of course avoid newly prohibited disclosures.
- Group health plans should review and update their Business Associate Agreements as necessary to ensure compliance with the Rule by their business associates.
This blog was drafted by Laura Fischer, an attorney in the Spencer Fane Denver, Colorado office. For more information, visit spencerfane.com.