By: HUB’s EB Compliance Team

Largely in response to the Supreme Court’s Dobbs v. Jackson Women’s Health Organization decision overturning Roe v. Wade, the U.S. Department of Health and Human Services (HHS) proposed changes to the HIPAA privacy rule. These proposed changes applied further restrictions on abortion-related health information disclosures and have now been revised and issued in their final form. The final rules now impose key administrative burdens on plan sponsors that must be put into effect by December 23, 2024.

HHS’s regulatory action also requires changes to an organization’s Notice of Privacy Practices. These changes are at least partially driven by other modifications such as heightened confidentiality of substance use disorder treatment records. The changes to the Notice of Privacy Practices are not required until February 16, 2026, but can be adopted sooner.

Abortion-Related Information

The final rule makes it a HIPAA violation to use or disclose reproductive health care information for a civil or criminal investigation or prosecution if the item or service was legal under federal law or under the law of the state where the service was performed. As noted in the accompanying FAQs, this is designed to prevent states that prohibit or restrict abortion from seeking information about abortions performed in states where it is legal. Although the final rule defines “reproductive health care” more broadly, the rule’s clear takeaway is that it imposes additional restrictions on the use and disclosure of abortion-related information.

By contrast, use or disclosure of abortion-related information in service of permitted civil or criminal matters (i.e., situations where the service was illegal) is permitted under only two circumstances. First, the covered entity or business associate must actually know that the item or service was illegal. Second, if the covered entity or business associate does not have actual knowledge, the person requesting the information must provide factual information that demonstrates a “substantial factual basis that the health care is not lawful.” The preamble to the rule notes that this standard is designed in particular to protect business associates, who may not have all the facts surrounding whether a particular item or service was provided legally.

New Attestation

Additionally, the final rule requires health plans and their business associates to obtain a specific attestation from anyone seeking information “potentially related to reproductive health care,” as defined. The attestation must contain a specific set of mandatory elements. If an attestation is defective, any use or disclosure of information “potentially related” to reproductive health care is a HIPAA violation. HHS deliberately worded the rule to include the broad phrase “potentially related.” The regulations do not clarify what information might be “potentially related” to abortion, which will likely result in health plans and their business associates requesting more attestations than they actually need.

The attestation must include (and only include):

  1. Explanatory description of PHI: A description of the information requested that identifies the information in a specific fashion, including either the names of any individuals or, if that is not practicable, a description of the class of individuals whose information is being sought.
  2. Name of PHI holder: The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure. This could include the name of the health plan and perhaps even the name of the specific person who is being requested to make the disclosure.
  3. Name of PHI requester: The name or other specific identification of the person(s), or class of persons, who will use or receive the information.
  4. Validating statement for compliant use: A clear statement that the use or disclosure is not for a purpose prohibited by these new rules. In other words, it is not for a civil or criminal investigation or prosecution related to reproductive health care.
  5. Criminal Penalty Acknowledgement: A statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person.
  6. Signature: Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided.

The attestation will be invalid if any of the above elements are missing or if any elements are added to it. The attestation is also not valid if the health plan or business associate has actual knowledge that the attestation is false (for example, if they know the information will be used for a criminal prosecution). Additionally, the attestation is not valid if a reasonable health plan or business associate in the same position would not believe the attestation is true. Finally, this attestation cannot be combined with any other attestation.

The broad scope of the HHS phrase “potentially related” information, combined with the vague standard for evaluating the truth of the attestation, will put health plans and their business associates in a difficult position when evaluating requests for protected health information. While some requests will be clear or easy, closer calls will likely result in unnecessary attestations.

Updates to Notice of Privacy Practices

The final rule also puts forth additional changes to the HIPAA Notice of Privacy Practices. These changes center on adjustments made to harmonize separate privacy rules regarding substance use disorder treatment (sometimes called the “Part 2 rules”) with HIPAA in addition to the reproductive health care changes.

In short, the Part 2 rules impose additional protections on substance use disorder treatment or research that is conducted or regulated by the federal government. As a practical matter, this should not be a concern for most plan sponsors, as few Part 2-related claims should make their way to a private group health plan.

Even so, employers with self-funded health plans should review their privacy practices with experienced benefits counsel to determine what changes could be required. In addition, updates to training materials may also be required.

Timing

These final changes officially went into effect on June 25, 2024, but health plans and their business associates have until December 23, 2024, to come into compliance with most of the rules. This will likely mean instituting a new process for evaluating requests for use or disclosure of protected health information, particularly when the requests come from law enforcement, and updating training to reflect that new process. It will also require developing an attestation form that is consistent with the regulations. Covered entities should also consider whether they need to amend their business associate agreements to capture the new protections and attestation requirements that apply to the disclosure of certain reproductive health information.

Employers that have only fully insured health plans and do not access PHI other than summary health information will likely rely on their health insurance carrier to make changes to their Notice of Privacy Practices. However, employers that maintain any self-funded health plan (including an FSA or HRA) or level-funded plan, or that have fully insured plans under which they receive or access PHI, including identifiable claims information, will need to evaluate what changes are needed to their Notice of Privacy Practices and make sure an updated version is distributed no later than February 16, 2026.

As a practical matter, most health plans will want to update their Notices around the time of their open enrollment so they will not need to send a separate communication.

If you have any questions, please contact your HUB Advisor.

NOTICE OF DISCLAIMER

Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only, and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and Hub International does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.