On April 26, 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule that strengthens the HIPAA Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain situations. The final rule requires covered entities, including health plans, to update their privacy notices to:
- Describe the new privacy rights for reproductive health care and provide examples of the new disclosure restrictions; and
- Explain that PHI disclosed pursuant to the Privacy Rule may be subject to redisclosure and is no longer protected.
In addition, covered entities that handle certain substance use disorder (SUD) patient records must update their privacy notices to describe new privacy protections for these records.
The deadline for covered entities to update their privacy notices for these changes is Feb. 16, 2026.
Action Steps
Employers that maintain privacy notices for their health plans will need to update them for these changes by Feb. 16, 2026. Employers with self-insured health plans must also distribute their updated privacy notice by this deadline. Many employers with fully insured health plans are not required to maintain or distribute their own privacy notice, as this responsibility is primarily imposed on the health insurance issuer. However, employers with fully insured health plans must maintain their own privacy notice and provide it upon request if they have access to PHI (other than enrollment and summary health information) from the plan.
HHS provides model privacy notices for health care providers and health plans to use. It is expected that HHS will update its model notices to incorporate the new requirements.
Privacy Notice Requirements
- Self-insured health plans must maintain and provide their own privacy notice at enrollment time, when there is a material change and upon request.
- Fully insured health plans that do not have access to PHI are not required to maintain or provide a privacy notice.
- Fully insured health plans that have access to PHI must maintain a privacy notice and provide it upon request.
Important Dates
- Dec. 23, 2024 – Deadline for covered entities and business associates to comply with the new privacy protections for reproductive health care.
- Feb. 16, 2026 – Deadline for covered entities to update their privacy notices for the new requirements. This is also the compliance deadline for the new privacy protections for SUD records.
Disclosures
This content is not intended to be exhaustive, nor should it be viewed as legal or tax advice. Information presented is believed to be current and is provided for general information and educational purposes based upon publicly available information from sources believed to be reliable. We cannot assure the accuracy or completeness of this information. It is not intended as a thorough, in-depth analysis of specific issues, nor a substitute for a formal opinion, nor is it sufficient to avoid any penalties. You should always consult an attorney or tax professional regarding your specific legal or tax situation. This information may change at any time and without notice. All opinions represent the judgment of the author on the date of the post and are subject to change. Content should not be viewed as personalized advice. SIMA reserves the right to edit blog entries and delete comments that contain offensive or inappropriate language. ©2022 Zywave, Inc. All rights reserved.