Daily Thread Blog - Thread HCM

eAlert! Federal: HIPAA Privacy Rule Update

Written by HR Pros at HR Support Center | Apr 26, 2024 7:08:00 PM

Law Alert

April 26, 2024

The Department of Health and Human Services (HHS) published an update to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule on April 26, 2024. The final rule, originally drafted in 2023 after the U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, addresses the use and disclosure of protected health information (PHI) for reproductive health data and is effective on June 25, 2024. Covered entities, including self-funded group health plans, should review their policies, procedures, and business associate agreements to determine where modifications are needed to ensure compliance.

The final rule prohibits a covered entity (a healthcare provider, health plan, or healthcare clearinghouse), or the business associate of a covered entity, from using or disclosing PHI for the following purposes:

  • Conducting a criminal, civil, or administrative investigation into or imposing liability on any person for merely seeking, obtaining, providing, or facilitating reproductive healthcare where it is lawful.
  • Identifying any person for the purpose of conducting such investigation or imposing liability.

The prohibition applies where a regulated entity (e.g., a covered entity or its business associate) has reasonably determined that one or more of the following conditions exist, as stated in an HHS fact sheet:

  • The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided. For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
  • The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided. For example, if use of the reproductive health care, such as contraception, is protected by the Constitution.

When a regulated entity receives a request for PHI potentially related to reproductive healthcare, a new signed attestation must be obtained. Regulated entities must comply with the new rule by December 23, 2024, and revise their notice of privacy practices by February 16, 2026.