The Wagner Law Group | Est. 1996

Group Health Plans Must Take Action to Comply with Changes to HIPAA Privacy Rules Designed to Protect Reproductive Healthcare Privacy

By Dannae Delano | May 7, 2024

In further response[i] to the Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade, the U.S. Department of Health and Human Services (“HHS”) has made final modifications to the HIPAA privacy rules designed to help protect patients and their providers with respect to reproductive health care.  These changes are effective December 22, 2024, but changes to Notices of Privacy Practices are not required until February 16, 2026.

The changes to the privacy rule will require group health plans, including self-funded plans and fully insured plans, with access to protected health information (“PHI”) to make changes to their Business Associate Agreements, Notices of Privacy Practices and HIPAA policies and procedures, and to update the training of plan personnel to include new restrictions on the uses or disclosures of PHI where reproductive health care is legally sought, obtained, provided, or facilitated.  In addition, there is a new attestation requirement that will require group health plans and their business associates to demand an attestation from parties seeking PHI related to reproductive health care that the PHI will not be used or disclosed as prohibited by the new rule.  Attestations must be in writing and signed by the party seeking the PHI or there may be civil or even criminal liability. HHS intends to publish a model notice before the effective date.  Prohibited uses and disclosures include:

  • Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
  • Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
  • Identifying an individual for either of the prohibited actions.

Group health plans that are either self-funded or fully insured and have access to PHI need to act immediately to understand the changes that will be necessary to their plan’s HIPAA compliance documentation, including Business Associate Agreements, Notice of Privacy Practices, and HIPAA Policies and Procedures.  An attestation form and policies will need to be adopted.  Training of plan personnel on the new requirements should occur before the effective date, and all changes will need to be made before training can occur.

Please contact Dannae Delano or your Wagner Law Group counsel for help complying with these new HIPAA requirements.


[i] See our HHS Releases Guidance on HIPAA Protections, July 13, 2022.