//WebSights Header HTML Script Skip to Main Content
Blog

Health Plans Must Update HIPAA Policies for New Reproductive Health Care Rights


Beginning Dec. 23, 2024, covered entities and their business associates must comply with stricter HIPAA privacy protections for reproductive health care. These new protections prohibit regulated entities from using or disclosing protected health information (PHI) related to lawful reproductive health care:

  • For a criminal, civil or administrative investigation into (or proceeding against) a person in connection with reproductive health care; or
  • To identify an individual, health care provider or other person for purposes related to such an investigation or proceeding.

In addition, regulated entities must obtain a valid attestation when a request is made to use or disclose PHI potentially related to reproductive health care for certain purposes to ensure that the use or disclosure is permissible.

Affected Health Plans

The new privacy protections impact:

  • Employers with self-insured health plans; and
  • Employers with fully insured health plans that have access to PHI (other than enrollment information, summary health information and information released pursuant to a HIPAA authorization) from their issuers.

The new privacy protections do not impact employers with fully insured health plans that do not have access to PHI (other than the limited types listed above).

Important Dates

Dec. 23, 2024
Regulated entities must comply with the new privacy restrictions for reproductive health care.

Feb. 16, 2026
Covered entities must update their HIPAA notice of privacy practices for the new requirements.

Action Steps

Employers with self-insured health plans and employers with fully insured health plans that have access to PHI (other than certain limited types) should update their HIPAA policies and train affected members of their workforce on the new restrictions for PHI related to reproductive health care. Although the new privacy protections do not specifically require updates to business associate agreements, employers should review the terms of their agreements to determine if updates should be made.

In addition, the U.S. Department of Health and Human Services has provided a model attestation form that employer-sponsored health plans may use to ensure a requested use or disclosure of PHI complies with the new privacy protections. Health plans must also update their HIPAA privacy notices for the new privacy protections, although they have until  Feb. 16, 2026, to make these updates. 

Contact us for more employee benefits resources.