HIPAA Privacy Policies, Procedures and Notices of Privacy Practices

 Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), final privacy rules set basic limitations on the use or disclosure by covered entities (such as employer health benefit plans) and their business associates of reproductive health care information.  The final rules state that reproductive care is presumed to be legal unless the employer health benefit plan or its business associate has "actual knowledge" that the care was not lawful under the circumstances.

The final rules generally require compliance on December 23, 2024.  Effective February 16, 2026, covered entities (such as employer health benefit plans) will be required to update their notices of privacy practices. 

Additionally, the 2024 rules modify the HIPAA rules on disclosure of PHI to report abuse or neglect and for public health purposes to limit access to reproductive care information. For example, under current rules, a health benefit plan can refuse to treat an individual as a personal representative when it has a “reasonable belief” that the person has abused or may abuse or neglect the relevant individual. The new rules clarify that the basis for that reasonable belief cannot be the seeking of reproductive health care for and at the request of the individual.

Health benefit plans and their business associates will have to get written attestations before releasing PHI potentially related to reproductive care to officials such as health or law enforcement officials.  The attestations will need to clearly state that the requested disclosure did not violate the new HIPAA rules on reproductive health care that criminal penalties could be imposed for improper uses and disclosures of PHI

Source(s): Olgetree Deakins, received on May 6, 2024; Federal Register, accessed on May 21, 2024