Summary
On April 22, 2024, the U.S. Department of Health and Human Services (“HHS”) issued new regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that impose new restrictions on the use and disclosure of “reproductive health care” by covered entities, including employer-sponsored health plans.
These changes will require most employer-sponsored health plans to update their HIPAA policies and procedures and training practices by December 23, 2024 their Notice of Privacy Practices by February 16, 2026.
Purpose and Applicability
The new regulations expand the prohibitions on the use or disclosure of protected health information (“PHI”) to include any of the following purposes:
- To conduct a civil, criminal, or administrative investigation into any person for the mere act of seeking, obtaining, providing or facilitating reproductive healthcare;
- To impose liability on a person for the mere act of seeking, obtaining, providing or facilitating reproductive health care; or
- To identify any person described in the above two bullet points.
However, the expanded prohibitions outlined above apply only if:
- The activity relates to a person seeking, obtaining, providing, or facilitating reproductive health care; and
- The health plan or any of its business associates that receives a request for PHI reasonably determines that:
- the reproductive health care was lawful in the state where it was provided;
- the reproductive health care was protected by federal law; or
- the reproductive healthcare was presumed to be lawful.
Since the new regulations provide that reproductive health care is presumed to be lawful unless the health plan or business associate has actual knowledge it was unlawful or factual information that provides a substantial basis that it was unlawful, we expect that it will often be the case that the expanded prohibitions apply.
Attestation
When a use or disclosure of reproductive health care-related PHI would not be a prohibited use or disclosure as described above, the requestor must attest to the health plan that the information will not be used for a prohibited purpose before reproductive health care-related PHI may be disclosed for any of the following reasons:
- Health oversight activities conducted by health oversight agencies;
- Judicial and administrative proceedings;
- Law enforcement purposes; or
- Disclosures to coroners or medical examiners.
HHS has released a model form of attestation for this purpose.
Action Items by December 23, 2024
- Revise the health plan’s HIPAA privacy policies and procedures to incorporate the new regulations’ requirements regarding using and disclosing reproductive health care-related PHI.
- Be prepared to require requestors’ attestations when reproductive health care-related PHI is requested for a non-prohibited purpose.
- Train applicable workforce members to ensure they know and understand the new use and disclosure restrictions, including being able to identify when an attestation is required.
- Update business associate agreements to ensure no PHI related to reproductive health care will be released without the correct authorizations.
- Review forms and templates used in communications or otherwise (e.g., template risk assessments used for breach responses) to ensure that all HIPAA references reflect any applicable modifications.
Action Item by February 16, 2026
- Update Notice of Privacy Practices to include the newly enacted protections discussed above. Additionally, employers will be required to distribute and post the revised Notice of Privacy Practices for employees to view. It is anticipated that HHS will provide a model form before this compliance date.
[View source.]
