Skip to content

Find resources to help with recovery if you’ve been impacted by Hurricanes Milton and Helene. Learn More

Baldwin Bulletin

HIPAA Privacy Rule to Support Reproductive Health Care Privacy

The Baldwin Group
|
Updated: October 15, 2024
|
3 minute read

On June 20, 2024, the Department of Health and Human Services (“HHS”) released additional educational resources related to its Final Rule modifying certain provisions of the HIPAA Privacy Rule to support reproductive health care privacy in response to the U.S. Supreme Court’s holding in Dobbs v. Jackson Women’s Health Organization, as well as to several subsequent state-level abortion bans. The new rulemaking strengthens protections concerning the use and disclosure of reproductive health care information. In doing so, the Final Rule seeks to protect access to and the privacy of, reproductive health care and bolster patient-provider confidentiality.

Employer Action Items

The Final Rule has significant implications for covered entities and business associates that handle reproductive health information, such as health plans, health care providers, health care clearinghouses, their contractors, and other vendors. These entities should take the following steps to ensure compliance with the new requirement before the deadline:

  • Review the brief educational summary provided by HHS at this link;
  • Review and update policies and procedures regarding the use and disclosure of protected reproductive health information and provide training where appropriate to their workforce members regarding such changes no later than December 23, 2024;
  • Revise notices of privacy practices and other communications to inform individuals of their rights and responsibilities related to reproductive health information no later than February 16, 2026;

Obtain written authorizations from individuals before using or disclosing such information for purposes other than treatment, payment, health care operations, or as required by law. A model consent form and template plan amendment are available at this link.

Summary

On April 22, 2024, HHS’ Office for Civil Rights (“OCR”) issued a final rule to modify certain provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule. These modifications aim to support reproductive health care privacy in response to the U.S. Supreme Court’s holding in Dobbs v. Jackson Women’s Health Organization and to subsequent state-level abortion bans. The Final Rule is effective June 25, 2024.

Covered health care providers, health plans, health care clearinghouses, and their business associates (collectively, “Regulated Entities) must comply with all provisions of the Final Rule by December 23, 2024, except for updating their Notice of Privacy Practices, which they have until February 16, 2026, to perfect.

In response to the Dobbs decision, OCR released guidance materials in June 2022 emphasizing HIPAA’s role in safeguarding women’s protected health information (“PHI”). The purpose-based motivations are to ensure that developments in federal and state law do not diminish individuals’ expectations of privacy regarding their health information, leading to distrust and refusal to access health care.

The Final Rule prohibits covered entities from using or disclosing PHI for the criminal, civil or administrative investigation of (or any other proceeding against) any person in connection with seeking, obtaining, providing or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided. It also prohibits the identification of any person for the purpose of initiating an investigation or proceeding. This prohibition applies where a regulated entity reasonably determines that:

  • The reproductive health care is lawful under the law of the state in which such health care is provided (and under the circumstances in which it is provided); or
  • The reproductive health care is protected, required or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.

When a covered entity did not provide the reproductive health care at issue, the final rule prohibits the use or disclosure of PHI if the person making the request does not provide sufficient information to overcome a presumption of illegality. To implement the prohibition, when a regulated entity receives a request for PHI potentially related to reproductive health care, the regulated entity must obtain a signed attestation that the use or disclosure is not for a prohibited purpose.


Related Insights

Stay in the know

Our experts monitor your industry and global events to provide meaningful insights and help break down what you need to know, potential impacts, and how you should respond.

Baldwin Bulletin
Updated Cybersecurity Guidance for Employee Benefit Plans
In Compliance Assistance Release No. 2024-01, the U.S. Department of Labor’s Employee Benefits Security Administration (“EBSA”) confirmed that the cybersecurity...
Baldwin Bulletin
Upcoming Compliance Deadlines - November
Employers must comply with numerous reporting and disclosure requirements in connection with their group health plans.  Please note the following...
Baldwin Bulletin
2024-2025 ACA Reporting Office Hours with BRCC Compliance Experts
The BRCC announces a new series of open office hours with our ACA compliance experts, designed specifically for the 2024-2025...
Baldwin Bulletin
2025 Open Enrollment Checklist
To prepare for open enrollment, employers who sponsor group health plans should be aware of compliance changes affecting the design...
Baldwin Bulletin
2024 ACA Reporting Forms and Instructions Finalized
The Internal Revenue Service (“IRS”) has released the final 2024 forms for reporting under Internal Revenue Code (“IRC”) Sections 6055...
Let's make it possible

Partner with us to build solutions that align with your business, individual, or employee needs and open new possibilities for your future.

Connect with us