The U.S. Department of Health and Human Services (HHS) has issued a final rule that modifies the Standards for Privacy of Individually Identifiable Health Information ("the Privacy Rule") under the Health Insurance Portability and Accountability Act (HIPAA). The purpose of this rule is to support reproductive healthcare privacy in the post-Dobbs era for both patients and healthcare providers. Although the changes become effective on December 22, 2024, changes to the Notices of Privacy Practices and other policies and procedures that affect group healthcare plans become mandatory on February 16, 2026.
The updated Privacy Rule will require group health insurance plans with access to protected health information (PHI) to alter their Business Associate Agreements, Notices of Privacy Practices, and HIPAA policies and procedures to include new restrictions on reproductive healthcare. Group health plans, including self-funded and fully insured plans, must also update their plan staff training to understand and implement these restrictions. More specifically, these restrictions will affect the use or disclosure of PHI where individuals legally seek, obtain, provide, or facilitate reproductive healthcare.
Furthermore, the final rule will require group health plans and their business associates to seek a written and signed attestation from parties seeking reproductive healthcare-related PHI stating that they may face civil or criminal liability if they use the information for certain prohibited uses. The rule prohibits the use of PHI related to reproductive healthcare for the following purposes:
- Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
- Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
- Identifying an individual for either of the prohibited actions.
HHS will publish a model Notice of Privacy Practices before the rule's effective date. Nonetheless, group health insurance plans must adopt a notice that complies with the final rule's requirements and update other policies, procedures, and training materials as needed. Group health plans should immediately begin familiarizing themselves with the final rule in anticipation of its effective date.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.