
Navigating the 2024 HIPAA Final Rule: Key Compliance Requirements for Group Health Plans

Feb 4, 2025 - Alerts by

As of December 23, 2024, employer-sponsored group health plans that are subject to the HIPAA Privacy Rule must begin complying with new obligations created by the Final HIPAA Privacy Rule to Protect Reproductive Health Care (the Final Rule). The Final Rule, which was issued by the Department of Health and Human Services (HHS) in April of 2024, introduces new restrictions and requirements related to reproductive health information (R-PHI).

To read this Alert in PDF format, click here.

Key updates include:

  • Prohibitions on certain uses and disclosures of R-PHI;
  • A requirement for covered entities to obtain a signed attestation from requesting parties confirming R-PHI will not be used for prohibited purposes; and
  • Updates to notices of privacy practices (NPP).

December 23 marked the effective date for these first two requirements. However, plans do not need to update their notices of privacy practices until February 16, 2026.

As described at the end of this Alert, it is possible that the Trump administration could take certain measures (or affirmatively not take certain measures) that might blunt the impact of these regulations. But for now, the regulations are in place, binding, and must be complied with.

Background – The HIPAA Privacy Rule Generally

As a reminder, self-funded welfare benefit plans, such as self-funded medical plans or health flexible spending accounts, are “covered entities” that are subject to the HIPAA Privacy Rule. This means that those plans, and the business associates who have access to the plans’ HIPAA-protected information, must adhere to the HIPAA Privacy Rule’s requirements to safeguard protected health information (PHI), establish policies and procedures showing how the plan is protecting PHI, enter into business associate agreements with entities that have access to the plan’s PHI, and undergo training on these obligations.

Prohibitions Under the Final Rule

The Final Rule adds to the HIPAA Privacy Rule’s existing obligations by prohibiting plans from using or disclosing R-PHI for the following reasons:

  • To conduct a criminal, civil, or administrative investigation against a person for the person’s mere act of seeking, obtaining, providing, or facilitating reproductive health care, where the health care is lawful;
  • To impose criminal, civil, or administrative liability on any person for the person’s mere act of seeking, obtaining, providing, or facilitating reproductive health care, where the health care is lawful; and
  • To identify an individual, health care provider, or other person for these purposes.

Note that the Final Rule only prohibits these disclosures when the health care provided is lawful. This means that if, for example, a resident of a state in which abortion is illegal travels to and obtains abortion services in another state in which it is legal, then those services are lawful and therefore subject to the above-listed prohibitions. Additionally, the Final Rule requires covered entities and business associates to presume reproductive health care was lawful unless (1) the plan or business associate has actual knowledge that it was unlawful or (2) the person seeking the R-PHI provides enough information to demonstrate a “substantial factual basis” that it was unlawful.

As far as what types of R-PHI this Final Rule protects, it is important to note that the Final Rule broadly defines “reproductive health care” as care that “affects the health of the individual in all matters related to the reproductive system and to its functions and processes.” Even though HHS issued the Final Rule in response to Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade, the reproductive health care contemplated by the Final Rule is not limited to abortion-related PHI. Reproductive health care also encompasses services like pregnancy-related health care, contraception, menopausal treatments, and fertility services.

Attestation Requirement

The Final Rule also requires covered entities to obtain a signed attestation form in certain circumstances in which they receive requests for R-PHI. Specifically, if a plan receives a request for R-PHI relating to health oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosures to coroners or medical examiners, the plan must obtain a signed attestation from the requesting party in which the requesting party confirms that the R-PHI will not be used for purposes prohibited by the Final Rule. The Final Rule requires the attestation to be written in plain language and to include the following:

  • A specific description of the information requested;
  • The name or specific identification of the person or class of persons who are requested to make the disclosure;
  • A clear statement that the use or disclosure is not for a prohibited purpose under the Final Rule;
  • A statement that a person may be subject to penalties if that person knowingly obtains or discloses PHI to another person; and
  • A signature of the person requesting the PHI, along with the date of signature.

Plans that are subject to the HIPAA Privacy Rule should be sure to have an attestation form on hand in case they receive a request that may involve R-PHI. If we draft your HIPAA policies and procedures, we will be in contact with you to provide an attestation form that you can include in your HIPAA notebook.

Updates to Notices of Privacy Practices

In addition to the attestation form, the Final Rule requires plans to update their notices of privacy practices by February 16, 2026 to include the following information:

  • A description of the new R-PHI safeguards;
  • The uses and disclosures of R-PHI that are prohibited by the Final Rule, including at least one example;
  • A description of the uses and disclosures of R-PHI for which an attestation is required, including at least one example; and
  • A statement notifying the individual that PHI disclosed pursuant to the HIPAA Privacy Rule may be redisclosed by the recipient and may no longer be protected by HIPAA.

We are monitoring what impact, if any, the change in Administration could have on this Final Rule. It is conceivable that HHS’s Office for Civil Rights could choose not to enforce these new regulations, either through a formal notice of non-enforcement discretion and/or via new notice-and-comment rulemaking to formally revoke the Privacy Rule amendments. Moreover, a number of state attorneys general have challenged the amendments in court. It is possible that the administration will choose not to defend the amendments, potentially leading to courts declaring the amendments unlawful. But none of that has happened so far. We will continue to provide updates as we learn more.

In the meantime, if we draft your HIPAA policies and procedures, we will contact you later this year regarding changes to those documents. We are waiting to update the policies and procedures until closer to February 2026 in case the government makes changes to these requirements.

If you have any questions about the Final Rule or would like to discuss its requirements, please do not hesitate to contact Eric Namee, Steve Smith, Brad Schlozman, or Blair Bohm.
