What steps should we take to comply with the new HIPAA rule on reproductive health care privacy for our company-sponsored health plan?

Question: 

What steps should we take to comply with the new HIPAA rule on reproductive health care privacy for our company-sponsored health plan?

Answer: 

The U.S. Department of Health and Human Services (HHS) has issued a new rule that strengthens the HIPAA Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain situations. As background, the HIPAA Privacy Rule sets strict limits on the use, disclosure and protection of PHI by health care providers, health plans, health care clearinghouses and their business associates (regulated entities). The Privacy Rule also allows regulated entities to use or disclose PHI for certain non-health-care purposes, including certain criminal, civil and administrative investigations and proceedings.

Beginning Dec. 23, 2024, regulated entities must comply with stricter privacy protections for reproductive health care. These new protections prohibit regulated entities from using or disclosing PHI related to lawful reproductive health care:

  • For a criminal, civil or administrative investigation into (or proceeding against) a person in connection with reproductive health care; or
  • To identify an individual, health care provider or other person for purposes related to such an investigation or proceeding.

In addition, regulated entities must obtain a valid attestation when a request is made to use or disclose PHI potentially related to reproductive health care for certain purposes to ensure that the use or disclosure is permissible.

Employers with self-insured health plans or fully insured health plans that have access to PHI from their health insurance issuers (other than certain limited types) should take steps to comply with the new privacy protections. These steps should include updating their HIPAA policies and training affected members of their workforce on the new restrictions for PHI related to reproductive health care.

In addition, employers that receive requests for PHI that include reproductive health care should use a standard attestation form to ensure the disclosure is permitted. HHS has indicated that it will provide a model attestation form before the compliance deadline. Employers must also update their HIPAA privacy notices for the new privacy protections, although employers have until Feb. 16, 2026, to update their notices.

Zywave, Express Update Newsletter, July 11, 2024
