The U.S. Department of Health and Human Services (HHS) has updated the Standards for Privacy of Individually Identifiable Health Information (otherwise known as the Privacy Rule) set by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The change restricts the circumstances under which HIPAA-regulated bodies can disclose a person’s reproductive health information to investigate or impose liability on any individual “seeking, obtaining, providing, or facilitating” reproductive healthcare. It also restricts the identification of individuals related to this purpose.
This update comes after significant changes to U.S. abortion laws in the post-Dobbs era. The ruling from the Dobbs v. Jackson Women’s Health Organization case overturned the Roe v. Wade case, removing federal protection for abortion rights in the U.S. Some states enacted heavier restrictions against abortion, while others expanded access.
These developments prompted concerns from the Office for Civil Rights (OCR), which pointed out that the previous law enforcement exception in the HIPAA Privacy Rule creates fear of liability for involvement in reproductive healthcare. OCR says this can discourage people from seeking medical care, jeopardizing the effectiveness of the healthcare system.
The rules were finalized on April 26, 2024 and took effect on June 25, 2024.
What it means for businesses and healthcare providers
The amendments to the HIPAA Privacy Rule are already in effect, but HIPAA-regulated firms have until December 22, 2024 to prepare for compliance.
Regulated bodies must update their HIPAA privacy compliance policies and procedures in accordance with the updated Privacy Rule. Further, they must reeducate employees on the circumstances under which they can give productive health information to law enforcement authorities who request it.
Group health insurance plans, particularly those with access to protected health information (PHI), must include the new restrictions on reproductive healthcare in their Business Associate Agreements and Notices of Privacy Practices.
HIPAA-regulated organizations must coordinate with their business process outsourcing (BPO) providers regarding the updated Privacy Rule. Outsourcing policies should also be updated to ensure compliance with the new restrictions.
Read more Unity Communications and BPO news on our main page.
Alder, S. (2024, April 28). New HIPAA Regulations in 2023-2024. The HIPAA Journal. Retrieved August 8, 2024, from https://www.hipaajournal.com/new-hipaa-regulations/#changesproposedafterdobbs
Bertolini, G., Folliard, M., & Hoffman, J. (2022, July 14). Privacy of Health Information After Dobbs: OCR Guidance on Disclosures of PHI and the Privacy of Personal Information on Devices. K&L Gates. Retrieved August 8, 2024, from https://www.klgates.com/Privacy-of-Health-Information-After-Dobbs-OCR-Guidance-on-Disclosures-of-PHI-and-the-Privacy-of-Personal-Information-on-Devices-7-14-2022
Hall Benefits Law. (2024, August 1). HHS Updates HIPAA Privacy Rule to Protect Reproductive Healthcare Privacy: What Group Health Plans Need to Know. JD Supra. Retrieved from https://www.jdsupra.com/legalnews/hhs-updates-hipaa-privacy-rule-to-7834549/
Blackman, A., Cavalier, G., Dorner, E., Machometa, J., & Perkins, N. (2024, April 30). HHS Modifies the HIPAA Privacy Rule To Protect Reproductive Health Information. Arnold & Porter. Retrieved August 8, 2024, from https://www.arnoldporter.com/en/perspectives/advisories/2024/04/hhs-modifies-the-hipaa-privacy-rule
