//WebSights Header HTML Script Skip to Main Content
Blog

New HIPAA Rule Will Require Updates to Privacy Notices


On April 26, 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule that strengthens the HIPAA Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain situations. The final rule requires covered entities, including health plans, to update their privacy notices to:

  • Describe the new privacy rights for reproductive health care and provide examples of the new disclosure restrictions; and
  • Explain that PHI disclosed pursuant to the Privacy Rule may be subject to redisclosure and is no longer protected.

In addition, covered entities that handle certain substance use disorder (SUD) patient records must update their privacy notices to describe new privacy protections for these records.

The deadline for covered entities to update their privacy notices for these changes is Feb. 16, 2026.

Privacy Notice Requirements

  • Self-insured health plans must maintain and provide their own privacy notice at enrollment time, when there is a material change and upon request.
  • Fully insured health plans that do not have access to PHI are not required to maintain or provide a privacy notice.
  • Fully insured health plans that have access to PHI must maintain a privacy notice and provide it upon request.

Important Dates

Dec. 23, 2024
Deadline for covered entities and business associates to comply with the new privacy protections for reproductive health care.

Feb. 16, 2026
Deadline for covered entities to update their privacy notices for the new requirements. This is also the compliance deadline for the new privacy protections for SUD records.

Action Steps

Employers that maintain privacy notices for their health plans will need to update them for these changes by Feb. 16, 2026. Employers with self-insured health plans must also distribute their updated privacy notice by this deadline. Many employers with fully insured health plans are not required to maintain or distribute their own privacy notice, as this responsibility is primarily imposed on the health insurance issuer. However, employers with fully insured health plans must maintain their own privacy notice and provide it upon request if they have access to PHI (other than enrollment and summary health information) from the plan.

HHS provides model privacy notices for health care providers and health plans to use. It is expected that HHS will update its model notices to incorporate the new requirements. 

Contact a SSG Benefits Advisor to learn more.