April 26, 2024
The Department of Health and Human Services (HHS) published an update to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule on April 26, 2024. The final rule, originally drafted in 2023 after the U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, addresses the use and disclosure of protected health information (PHI) for reproductive health data and is effective on June 25, 2024. Covered entities, including self-funded group health plans, should review their policies, procedures, and business associate agreements to determine where modifications are needed to ensure compliance.
The final rule prohibits the use or disclosure of PHI by a covered entity (a healthcare provider, health plan, or healthcare clearinghouse), or the business associate of a covered entity, from the following:
The prohibition applies where a regulated entity (e.g., a covered entity or their business associate) has reasonably determined one or more of the following conditions exist, as stated in an HHS fact sheet:
When a regulated entity receives a request for PHI potentially related to reproductive healthcare, a new signed attestation must be obtained. Regulated entities must comply with the new rule by December 23, 2024, and revise their notice of privacy practices by February 16, 2026.