Imagine you are a corporate Human Resources/Total Rewards leader who receives a request from a state’s law enforcement agency for health plan records about a plan participant’s abortions or other reproductive health care. How should you respond? Since most company health plans are considered a “HIPAA covered entity,” the request should be generally be denied, subject to certain limited exceptions, as addressed in a new HIPAA Privacy Rule which takes effect June 25, 2024.

It is critical for employers and plan fiduciaries/administrators to stay informed of HIPAA privacy and security-related legal developments because most employer sponsored group health plans – regardless of the employer’s industry or size – are considered covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Therefore, individually identifiable medical information that group health plans create, use, store, or transmit is “protected health information” (PHI) pursuant to HIPAA. In the newly updated HIPAA Privacy Rule, reproductive health care records have received enhanced protection from disclosure, including as to attempted access by state law enforcement agencies. Employers should take note of upcoming compliance deadlines and obligations imposed by this new HIPAA Privacy Rule.

HIPAA Privacy Rule

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently published a final rule updating the HIPAA Privacy Rule to address the privacy of “reproductive health information” (the “Final Rule”), which covers entities including group health plans and their business associates like outside administrators (collectively, Regulated Entities), giving them until December 23, 2024, to comply with most aspects of the Final Rule, except for the Notice of Privacy Practices (NOPP” requirements, which must be in place by February 16, 2026.

Plan sponsors will need to contractually obligate certain outside service providers of their plans to comply with the Final Rule by the applicable deadlines and will need to watch for the sample OCR attestation language that is expected to be released later this year.

New Definition of “Reproductive Health Care”

Technically the new definition of “reproductive health care,” which takes effect June 25, 2024, is exceedingly broad and includes certain male as well as female reproductive health. Specifically, the Final Rule defines “reproductive health care” as “health care … that affects the health of an individual in matters relating to the reproductive system and its functions and processes.” According to commentary from OCR, reproductive health care includes services such as contraception, preconception screening and counseling, pregnancy screening, miscarriage management, fertility and infertility diagnosis and treatment, and broad care related to the reproductive system (e.g., perimenopause, menopause, and mammography). Absent additional clarification to the contrary, “reproductive health care” may arguably include male reproductive health care services such as vasectomies and erectile dysfunction treatments.

Restrictions on Using Reproductive Health Care Information for Investigations

Under the new Final Rule, by the December 23, 2024, compliance deadline, Regulated Entities may NOT use or disclose PHI for either of the following purposes:

• To conduct a criminal, civil, or administrative investigation into or to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care,” where such health care is lawful under the circumstances in which it is provided
• To identify any person for the purpose of conducting such investigation or imposing such liability

To address concerns about Regulated Entities being obligated to determine whether reproductive health care provided by others is lawful, the Final Rule creates a presumption that the reproductive health care was lawful under the circumstances in which such care was provided when it was provided by someone other than the Regulated Entity receiving the request. To illustrate the presumption, OCR describes a scenario where an investigator requests information from a health plan about claims for coverage of certain reproductive health care provided by a particular physician. In this case, the health plan must presume that the reproductive health care was lawful and cannot release the information unless the plan has actual knowledge that the care in question was not lawful or the investigator provides the plan with documentation sufficient to overcome the presumption.

Interestingly, the additional restrictions on the use and disclosure of this particular type of PHI within the Privacy Rule apply directly to covered entities and business associates. This is noteworthy because the Privacy Rule has not generally applied directly to business associates in the past; rather, the historic Privacy Rule obligations are imposed through business associate agreements. This means that health plan TPAs, cloud service providers, health and welfare consultants, and other vendors will have direct responsibility for complying with the Final Rule. Employer group health plans contracting with these types of businesses should update their service agreements and Business Associate Agreements by December 23, 2024, to comply with the Final Rule and to insulate themselves from such responsibility. Employer group health plans should also ask their business associates about policies and procedures they have in place to identify PHI that is “potentially related to reproductive health care” so all parties can comply with the Final Rule. Given the expansive definition of “reproductive health care,” this may be a challenge for plans and their business associates.

Obligations of Regulated Entities

Once the Final Rule takes effect, upon receiving a request for PHI potentially related to reproductive health care for:

• health oversight activities,
• judicial and administrative proceedings,
• law enforcement purposes, and/or
• authorized duties and activities of coroners and medical examiners,

the Regulated Entity must obtain asigned, written attestation from the person or entity making the request that the intended use or disclosure of the requested PHI is not for one of the prohibited purposes described above. OCR has said it will publish a model form of attestation, which must be a standalone document, before the December 2024 compliance date.

Revisions to the Notice of Privacy Practices

Since revisions to the NOPP are not required until February 16, 2026, employer plan sponsors should simply monitor the area for developments over time. Covered entities, including group health plans, must eventually update their NOPPs to include certain additional information, including detailed information about the prohibitions on uses and disclosures of PHI related to reproductive health care.

Stayed Tuned for More Developments

This is an evolving and politically charged area, and accordingly, we expect that there will be legal challenges to the Final Rule that could delay the compliance dates. Akerman Employee Benefits and Healthcare lawyers will be monitoring the situation as it develops.