In the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization and subsequent state abortion bans, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a Final Rule (Final Rule) modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule in order to support reproductive health care privacy. As with prior HIPAA rules, the Final Rule applies to covered healthcare providers, health plans, or healthcare clearinghouses (each, a Covered Entity) and their business associates.

The Final Rule seeks to strengthen protections concerning the use and disclosure of “reproductive health care” information. For purposes of the Final Rule, “reproductive health care” includes services such as receipt of contraception, management of pregnancy and pregnancy-related conditions, miscarriage management, pregnancy termination, and infertility diagnosis and treatment. 

The protections under the Final Rule include:

  • A prohibition on the use or disclosure of protected health information (PHI) by a Covered Entity or their business associate(s) to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person for the purpose of conducting such an investigation.
    • Reproductive health care is considered lawful under the Final Rule if a Covered Entity reasonably determines either of the following:
      • It is lawful under the law of the state in which such healthcare is provided under the circumstances in which it is provided.
      • The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such healthcare is provided.
  • A presumption that the reproductive health care provided by a person other than the Covered Entity (or business associate) receiving the request was lawful unless the Covered Entity has actual knowledge or factual information that it was unlawful.
  • A requirement that Covered Entities and business associates obtain a signed and dated attestation when receiving a request for PHI potentially related to reproductive health care. The attestation is required when the request is for PHI for any of the following:
    • Health oversight activities.
    • Judicial and administrative proceedings.
    • Law enforcement purposes.
    • Disclosures to coroners and medical examiners.

The attestation must state that the requested use and disclosure of PHI is not for a prohibited purpose, and it puts persons making requests for the use and disclosure of PHI on notice of the potential criminal penalties for knowingly violating the Final Rule. OCR has published a model attestation for use.

Key Compliance Steps and Dates

Due by December 23, 2024   

Revise HIPAA Policies and Procedures

Covered Entities will need to revise their HIPAA policies and procedures to incorporate the Final Rule, including to ensure that an attestation is provided under the appropriate circumstances.

Conduct Compliance Training

All workforce members must be trained on the revised HIPAA policies and procedures to ensure compliance with the Final Rule, including the attestation requirement and other considerations when responding to a request for the use or disclosure of PHI potentially related to reproductive health care.

Update Business Associate Agreements (BAAs)

Covered Entities should review and update their BAAs to the extent the Final Rule is not addressed or if the BAAs do not adequately address their respective responsibilities for requests for uses or disclosures of PHI related to reproductive health care.

Due by February 16, 2026

Update Notice of Privacy Practices (NPPs)

Covered Entities will be required to revise their NPPs to reflect the new protections under the Final Rule. Covered Entities will need to revise their NPPs further to address proposals made in the Notice of Proposed Rulemaking for the Confidentiality of Substance Use Disorder (SUD) Patient Records. Because these required changes are extensive, the deadline for revising NPPs is not until February 2026. 

Takeaways

Covered Entities (and business associates), particularly employers sponsoring self-funded health plans, should take steps now to ensure compliance with the Final Rule by the end of the year. For questions or additional information, contact any of the Bass, Berry & Sims employee benefits attorneys.  

Susie Bilbro

Susie Bilbro advises clients on all aspects of employee benefit plan design and administration including compliance with ERISA, the Patient Protection and Affordable Care Act (healthcare reform), COBRA and the Internal Revenue Code. She has counseled public and private clients on employee welfare and pension benefits issues, both in connection with corporate transactions and on day-to-day administration. In addition, Susie has prepared submissions to the IRS and Department of Labor for qualified retirement and welfare benefit plans. Susie also has experience advising clients on executive compensation arrangements.

Catherine Simpson

Catherine Simpson works with clients on the design, administration, and compliance of qualified benefit plans, health and welfare benefit plans, and deferred compensation packages. She also provides diligence and support on employee benefits and compensation issues arising in corporate transactions.

David Thornton

David Thornton helps employers deliver retirement, health and welfare benefits to their executives and employees. With more than 30 years of experience, he has developed a diverse practice counseling hundreds of public and private employers and non-profit organizations in drafting, maintaining and administering retirement plans ranging from $1 million to several billion dollars in assets, including many in the $100 million to $500 million asset range. He has deep experience in ESOP transactions, successfully navigating the significant fiduciary duty considerations and tax code requirements involved with these transactions.