The U.S. Department of Health and Human Services (HHS) has issued a final rule that modifies the Standards for Privacy of Individually Identifiable Health Information (“the Privacy Rule”) under the Health Insurance Portability and Accountability Act (HIPAA). The purpose of this rule is to support reproductive healthcare privacy in the post-Dobbs era for both patients and healthcare providers. Although the changes become effective on December 22, 2024, changes to the Notices of Privacy Practices and other policies and procedures that affect group healthcare plans become mandatory on February 16, 2026.

The updated Privacy Rule will require group health insurance plans with access to protected health information (PHI) to alter their Business Associate Agreements, Notices of Privacy Practices, and HIPAA policies and procedures to include new restrictions on reproductive healthcare. Group health plans, including self-funded and fully insured plans, must also update their plan staff training to understand and implement these restrictions. More specifically, these restrictions will affect the use or disclosure of PHI where individuals legally seek, obtain, provide, or facilitate reproductive healthcare.

Furthermore, the final rule will require group health plans and their business associates to seek a written and signed attestation from parties seeking reproductive healthcare-related PHI stating that they may face civil or criminal liability if they use the information for certain prohibited uses. The rule prohibits the use of PHI related to reproductive healthcare for the following purposes:

  • Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  • Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  • Identifying an individual for either of the prohibited actions.

HHS will publish a model Notice of Privacy Practices before the rule’s effective date. Nonetheless, group health insurance plans must adopt a notice that complies with the final rule’s requirements and update other policies, procedures, and training materials as needed. Group health plans should immediately begin familiarizing themselves with the final rule in anticipation of its effective date.

HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you are in compliance with the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 470-571-1007.