New HIPAA Reproductive Health Rules
By Brian Gilmore | Published May 23, 2024
Executive Summary
HHS has issued new HIPAA privacy rules designed to support reproductive health care privacy and, in particular, to reduce the risk to individuals who cross state lines to seek an abortion where it is lawfully available under the circumstances.
The primary changes imposed by these new rules are:
Prohibits HIPAA covered entities and business associates from using or disclosing PHI to conduct any form of criminal, civil, or other legal proceeding related to an individual’s reproductive health care that is lawful under the circumstances in which it is provided.
Prohibits HIPAA covered entities and business associates from identifying any person for the purpose of conducting any such investigation or imposing any such liability.
The action items imposed by these new rules are:
December 23, 2024 Compliance Date: A new attestation that must be signed by any party requesting PHI that is potentially related to reproductive health care to confirm the use or disclosure is not for a prohibited purpose.
February 16, 2026 Compliance Date: Updates to the HIPAA Notice of Privacy Practices with descriptions and examples of the new reproductive health rules, as well as additional new restrictions related to the confidentiality of substance use disorder treatment records.
New HIPAA Reproductive Health Rules
HHS has published a new set of HIPAA privacy rules to support reproductive health care privacy. The new regulations come in response to President Biden’s Executive Order 14076. The order, which was issued by the Administration following the June 2022 Dobbs v. Jackson decision that overturned Roe v. Wade, directed HHS to issue new HIPAA rules “to strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.”
The full rule and supplemental guidance are available here:
Covered entities (health plans, health care providers, health care clearinghouses) and business associates (entities working for covered entities with access to PHI) must comply with most aspects of the rule beginning 240 days after publication (a 60-day period for the rule to take effect, followed by a 180-day compliance period), which is December 23, 2024. Nonetheless, the rules provide an extended compliance period until February 16, 2026 to incorporate the newly required modifications to the Notice of Privacy Practices.
The New Reproductive Health Restrictions on the Use or Disclosure of PHI
Covered entities and their business associates can use or disclose an individual’s protected health information (PHI) only as permitted by HIPAA. All employer-sponsored group health plans are HIPAA covered entities, and any vendors working on their behalf with access to PHI are business associates.
For more details: Newfront HIPAA Training for Employers
Prohibition of Certain Uses and Disclosures of PHI
The new HIPAA rules provide that covered entities and business associates cannot use or disclose PHI for either of the following:
To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or
The identification of any person for the purpose of conducting such investigation or imposing such liability.
These restrictions apply where the covered entity or business associate has reasonably determined that one or more of the following conditions exist:
The reproductive health care is lawful in the state and under the circumstances in which it is provided (e.g., travelling to another state to seek lawful abortion access);
The reproductive health care is lawful regardless of the state in which it is provided (e.g., constitutionally protected contraception access); or
The care was not provided by the entity that receives the PHI request, and the presumption described below applies.
Presumption of Lawful Activity
Covered entities and business associates receiving a request for PHI must presume that any reproductive health care obtained was lawful under the circumstances in which it was provided unless one of the following conditions is met:
The covered entity or business associate has actual knowledge that the care was not lawful under the circumstances provided; or
The covered entity or business associate receives factual information from the person making the request that demonstrates the care was not lawful under the circumstances provided.
The Attestation Requirement: Compliance Date December 23, 2024
The new HIPAA rules impose an attestation requirement when a covered entity or business associate receives a request for PHI that is potentially related to reproductive health care. The attestation is designed to provide assurances that the use or disclosure of PHI will not be for one of the prohibited non-healthcare purposes listed above.
Upon a request for potentially reproductive health-related PHI for the purposes of health oversight activities, judicial or administrative proceedings, law enforcement purposes, or a disclosure to coroners and medical examiners, the covered entity or business associate must obtain a signed attestation that the use or disclosure is not for a prohibited purpose under the new reproductive health rules.
Note: The proposed rules did not extend the attestation requirement to business associates, which would have required revised business associate agreements (BAAs). The final rules apply the attestation requirement directly to business associates, which avoids the need to also amend existing BAAs.
The attestation ensures that the covered entity or business associate responding to the request has obtained a written representation that the persons requesting the PHI are not doing so for a prohibited purpose. Furthermore, the attestation ensures that the persons requesting the PHI are aware of the criminal penalties that may apply for knowingly violating these restrictions, which generally consist of a fine of up to $50,000 and/or imprisonment of up to one year.
Action Item: Model Attestation Language
HHS has pledged to publish a model attestation that covered entities and business associates can use to comply with this new obligation. They have stated the model language will be available by the December 23, 2024 compliance date.
Notice of Privacy Practices Required Updates: Compliance Date February 16, 2026
Covered entities have an extended compliance period until February 16, 2026 to update their Notice of Privacy Practices to reflect the new reproductive health rules. In general, the Notice of Privacy Practices describes the uses and disclosures of PHI that may be made by the covered entity, the individual’s rights with respect to PHI, and the covered entity’s legal duties with respect to PHI.
General Notice of Privacy Practices Rules for Employers
Employers with a self-insured health plan must provide employees with a Notice of Privacy Practices describing the plan’s use and disclosure of PHI upon enrollment and within 60 days of a material change to the notice. They must also inform employees of the availability of the Notice of Privacy Practices at least once every three years.
Employers with a fully insured health plan generally do not need to provide a Notice of Privacy Practices because the requirement does not apply to employers sponsoring a fully insured health plan where they receive only summary health information and enrollment/disenrollment information. This is because only the insurance carrier will have direct access to claims information without an employee’s authorization, and enrollment/disenrollment information held by the employer is considered an employment record maintained by the employer (which is not subject to HIPAA) rather than plan information maintained by the covered entity.
Employers with a fully insured health plan that have access to PHI beyond summary health information and enrollment/disenrollment information do not have to distribute a Notice of Privacy Practices (because the insurance carrier is required to do so), but they must make one available upon an employee’s request.
For more details: HIPAA Notice of Privacy Practices
Action Item: New Reproductive Health Updates to the NPP
The Notice of Privacy Practices must be updated by February 16, 2026 to address these new reproductive health protections as well as additional new substance use disorder protections added by the CARES Act.
Required revisions:
A description (with at least one example) of the new rules prohibiting criminal, civil, or other forms of legal proceedings based on the act of seeking, obtaining, providing, or facilitating reproductive health care where such care is lawful under the circumstances in which it is provided;
A description (with at least one example) of the types of uses and disclosures for which an attestation is required under the new reproductive health care rules; and
A description of the new limitations (referred to as the “Part 2” rules) added by the CARES Act to protect the confidentiality of substance use disorder treatment records.
We recommend that employers required to update the Notice of Privacy Practices consider waiting to revise the document until the model attestation language becomes available. That model language will likely provide a framework for the Notice of Privacy Practices revisions. HHS has stated it will make that language available by December 23, 2024, which will still leave employers over a year to review the language and incorporate any useful (and, more significantly, HHS-approved) provisions by the February 16, 2026 deadline.
For more details on HIPAA generally, see our Newfront HIPAA Training for Employers Guide.
Disclaimer: The intent of this analysis is to provide the recipient with general information regarding the status of, and/or potential concerns related to, the recipient’s current employee benefits issues. This analysis does not necessarily fully address the recipient’s specific issue, and it should not be construed as, nor is it intended to provide, legal advice. Furthermore, this message does not establish an attorney-client relationship. Questions regarding specific issues should be addressed to the person(s) who provide legal advice to the recipient regarding employee benefits issues (e.g., the recipient’s general counsel or an attorney hired by the recipient who specializes in employee benefits law).
Brian Gilmore
Lead Benefits Counsel, VP, Newfront
Brian Gilmore is the Lead Benefits Counsel at Newfront. He assists clients on a wide variety of employee benefits compliance issues. The primary areas of his practice include ERISA, ACA, COBRA, HIPAA, Section 125 Cafeteria Plans, and 401(k) plans. Brian also presents regularly at trade events and in webinars on current hot topics in employee benefits law.