Reproductive healthcare privacy protections require employer action
A new rule from the Department of Health and Human Services — the HIPAA Privacy Rule to Support Reproductive Health Care Privacy — requires heightened privacy protections for protected health information involving reproductive healthcare.
The Final Rule is the agency’s response to President Biden’s Executive Order 14076 directing the agency to strengthen the protection of sensitive information related to reproductive healthcare services and to bolster patient-provider confidentiality.
With the increase in state laws criminalizing reproductive healthcare following the Dobbs decision, HHS expressed concern that the permissible use or disclosure of PHI for law enforcement purposes or when required by another law could “cause harm to the interests that HIPAA seeks to protect, including the trust of individuals in health care providers and the health care system.”
To address these concerns, the Final Rule modifies existing regulations implementing the Health Insurance Portability and Accountability Act of 1996, known as the privacy rule, to limit the circumstances in which an individual’s reproductive PHI can be used or disclosed for certain non-healthcare purposes.
Both self-funded group health plans and fully insured group health plans that have access to PHI must comply with the Final Rule. A self-insured health plan sponsor is responsible for HIPAA compliance even where most of the plan administration is delegated to business associates.
Compliance is required by Dec. 23, 2024, except with respect to the revised HIPAA notice of privacy practices, which is required by Feb. 16, 2026.
Actions self-insured plan sponsors need to take by December 23, 2024:
- Revise your HIPAA policies and procedures manual.
- Provide updated HIPAA training to relevant workforce members.
- Review and revise your Business Associate Agreements as needed.
- Review health plan documents for changes to the HIPAA privacy rule and determine whether a plan amendment is required.
- Review plan member communications to ensure HIPAA references are accurate and up to date.
- Develop a process for responding to requests for PHI potentially related to reproductive healthcare, including:
  - Who will determine whether the request is for a prohibited purpose.
  - Obtaining (and retaining) a written attestation when a request for PHI potentially related to reproductive healthcare is received.
  - Roles and responsibilities when third-party vendors are involved.
  - When to involve legal counsel.
- Prepare to update the HIPAA notice of privacy practices by 2/16/2026.
If your organization has already met existing HIPAA requirements — which include written HIPAA Privacy and Security policies, a documented HIPAA Security risk analysis, a designated HIPAA Privacy and Security Official, business associate agreements and documented HIPAA training — then you’ll want to update your documents as required by the new regulations. If your organization is missing some of the existing HIPAA requirements, now is a great time to develop the required documentation, inclusive of all updates required by the new regulations.
For more analysis, read our recent GRIST: New HIPAA privacy protections for reproductive healthcare.