HIPAA Privacy Rule Update 

The Department of Health and Human Services (HHS) published an update to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule on April 26, 2024. The final rule, originally drafted in 2023 after the U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, addresses the use and disclosure of protected health information (PHI) for reproductive health data and became effective on June 25, 2024. Covered entities, including self-funded group health plans, should review their policies, procedures, and business associate agreements to determine where modifications are needed to ensure compliance. 

The final rule prohibits a covered entity (health plans, healthcare providers, and business associates) from disclosing protected health information (PHI) related to lawful reproductive health care for the following purposes: 

  • Investigations or legal actions against individuals seeking, obtaining, providing, or facilitating lawful reproductive health care. 
  • Identifying individuals for such investigations or actions. 

The prohibition applies where a regulated entity has reasonably determined that one or more of the following conditions exist, as stated in an HHS factsheet:

  • The reproductive health care is lawful under the law of the state in which it was provided. For example, a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
  • The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided. For example, use of the reproductive health care, such as contraception, is protected by the Constitution.

When a regulated entity receives a request for PHI potentially related to reproductive health care, a newly signed attestation must be obtained. Regulated entities must comply with the new rule by December 23, 2024, and revise their notice of privacy practices by February 16, 2026.

Of note, this does not obligate employers to provide or cover specific reproductive health services in their plans; the focus is on protecting the privacy of individuals’ health information, not restricting access to reproductive health care itself. 

Next Steps 

All employers sponsoring health plans must update their Notice of Privacy Practices by December 23, 2024, to reflect the new privacy protections for reproductive health information. Consider training relevant staff (HR and benefits administrators) on the revised HIPAA privacy rules and how they impact handling employee health information. Employers may want to communicate the changes to employees through company newsletters or benefit updates. 

HR Works will continue to monitor this topic and provide updates on the new rule and availability of the updated sample notice and attestation language as more information becomes available. 

HR Works, headquartered in Upstate New York, is a human resource management outsourcing and consulting firm serving clients throughout the United States for over thirty years. HR Works provides scalable strategic human resource management and consulting services, including: affirmative action programs; benefits administration outsourcing; HRIS self-service technology; full-time, part-time and interim on-site HR managers; HR audits; legally reviewed employee handbooks and supervisor manuals; talent management and recruiting services; and training of managers and HR professionals.