HIPAA final rule requires changes for group health plans in supporting reproductive health care privacy

Responding to the U.S. Supreme Court's 2022 ruling in Dobbs v. Jackson Women's Health Organization (Dobbs) (which overturned Roe v. Wade and its constitutional protection of abortion), the federal agency responsible for HIPAA privacy compliance has finalized rules supporting reproductive health care privacy. The Final Rule, among other things, prohibits the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. The rule takes effect for health plans on Dec. 23, 2024, although changes to the Notice of Privacy Practices (NPP) have a delayed effective date of Feb. 16, 2026.

Executive Summary

The Final Rule does the following:

  • Prohibits the use or disclosure of PHI in particular circumstances where reproductive health care is legally sought, obtained, provided, or facilitated.

  • Requires a health plan (or its business associates) to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for prohibited purposes.

  • Requires health plans to modify their NPP to support reproductive health care privacy.

Lockton Comment. While most PHI related to reproductive health care will remain in the hands of third-party administrators and insurance carriers, the new rules will require action on the part of employers with self-funded group health plans (or insured plans with access to PHI) by Dec. 23, 2024. In particular, employers will need to:

  • Provide training

  • Revise policies and procedures

  • Update the Notice of Privacy Practices (by February 16, 2026)

  • Develop an attestation form

Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to “covered entities,” such as employer group health plans, that touch PHI. The HIPAA rules protect the privacy and security of this PHI in the hands of an employer’s group health plan by requiring the plan to jump through numerous hoops and hurdles in order to safeguard PHI (e.g., set up policies and procedures, implement firewalls, train employees with access to PHI, etc.) and by limiting the circumstances in which PHI may be used and disclosed by the plan. In fact, PHI is only required to be disclosed when the Secretary of Health and Human Services (HHS) asks for it as part of a compliance investigation or generally when individuals request their own PHI. Otherwise, all uses and disclosures are either permitted, (e.g., the employer wants it for treatment or payment purposes), or prohibited, (e.g., the employer wants it for employment-related reasons).

After the Supreme Court’s 2022 decision in Dobbs removed the constitutional right to an abortion, HHS (the federal agency in charge of HIPAA) determined that the changing legal landscape necessitated modifications to HIPAA in order to preserve the interests that HIPAA seeks to protect. For example, HHS determined there is an increased likelihood that an individual’s PHI may be disclosed in ways that cause harm to the interests that HIPAA seeks to protect, including the diminishment of individuals’ trust in health care providers and the health care system, the chilling of an individual’s willingness to seek lawful reproductive health care treatment or to provide full information to their health care providers when obtaining that treatment, and the willingness of providers to provide reproductive care. As a result, the HIPAA modifications relate to limiting the circumstances in which the privacy rule permits the use or disclosure of an individual’s PHI about reproductive health care for certain non-health care purposes.

New prohibited use and disclosure

The Final Rule restricts uses and disclosures of PHI for certain non-health care purposes. More specifically, under the Final Rule, a covered entity (e.g., a health plan) or a business associate may not use or disclose PHI for any of the following activities:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.

  • To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.

  • To identify any person for any purpose described above.

According to HHS, by limiting the new prohibition to a narrow set of circumstances, it balances the privacy interests of individuals and the interests of society in having an effective health care system, with those interests of society in the use of PHI for non-health care purposes.

Lockton Comment: Where there is a request for disclosure of PHI related to reproductive health care, there is a presumption that the care was lawful unless the plan (or business associate) has actual knowledge it was not, or the person submitting the request “demonstrates a substantial factual basis” that the care was not lawful. The new rule clarifies that reproductive health care received in a state where such care is lawful would still be considered lawful even if the same care received in the person’s home state, for example, is not.

New attestation requirement

Prior to the rule becoming final, HHS intends to publish a model attestation. This attestation will need to be signed (may be signed electronically) and dated by a party requesting PHI “related to” reproductive health care in order to provide assurances that such PHI will not be used or disclosed as prohibited above. In addition to plans, their business associates will also be directly liable to the attestation requirement, regardless of whether its compliance is outlined in the business associate agreement. The attestation must be written in plain English and may not be combined with any other document.

Lockton Comment: The new attestation requirement has teeth. Anyone who knowingly signs an attestation in violation of HIPAA or a plan that knowingly discloses PHI in violation of HIPAA may be subject to criminal liability. In addition, a plan may face civil liabilities for violations of the HIPAA Rules, including a failure to obtain a valid attestation before disclosing PHI, where an attestation is required.

Revisions to the Notice of Privacy Practices (NPP)

New provisions in the NPP will need to explain the above-described prohibition and attestation requirement along with at least one example of each. Along with a few new requirements related to what are known as the “Part 2” rules (related to substance abuse records), there will also be a new statement explaining to individuals that PHI disclosed pursuant to the privacy rule may be redisclosed, at which point, it would no longer be protected.

Lockton Comment: Lockton will be updating its NPP for the required changes and will have it available for fall enrollment. The deadline, however, for providing the new notice is not until February 2026.

Don’t forget to…

With the new changes brought by the HIPAA Final Rule, employers that touch PHI from their fully insured plans or who have self-funded health plans will want to update their policies and procedures, and provide training to certain employees. NPPs for those plans will need updating, and the attestation will be required under circumstances affected by the new prohibition.

Not legal advice: Nothing in this alert should be construed as legal advice. Lockton may not be considered your legal counsel, and communications with Lockton's Compliance Consulting group are not privileged under the attorney-client privilege.

For more alerts, insights and additional information, click here (opens a new window) to visit Lockton's ERISA Compliance Consulting page.

Download alert (opens a new window)