New HIPAA Privacy Protections for Reproductive Health Care: What Employers Need to Know

In April 2024, the U.S. Department of Health and Human Services (HHS) published final HIPAA Privacy regulations designed to enhance protections for reproductive health care information.

These new HIPAA privacy rules, referred to as the “final rules,” introduce critical restrictions on how protected health information (PHI) related to reproductive health care can be used or disclosed—especially in situations that could lead to legal, civil, or administrative penalties against individuals seeking, obtaining, or providing reproductive health services.

This update is highly relevant for:

  • All employers sponsoring group health plans
  • Employers with self-insured medical plans (subject to full HIPAA compliance)
  • Employers with fully insured plans that have access to PHI

Employers should take immediate steps to update their HIPAA policies, training, and compliance materials before the December 23, 2024, effective date.


HIPAA Privacy Rules: A Quick Refresher

HIPAA’s Privacy and Security Rules regulate how covered entities and business associates handle protected health information (PHI).

PHI includes: Any information that can identify a specific individual and that relates to their health condition, treatment, or payment for medical care.
Covered entities include:

  • Health care providers that conduct electronic transactions
  • Health plans, including self-insured employer-sponsored medical plans
  • Health care clearinghouses

Business associates include: Any third-party service provider handling PHI on behalf of a covered entity.

Because self-insured employer health plans qualify as covered entities, many employers must comply fully with HIPAA requirements.


Why Did HHS Update HIPAA for Reproductive Health Care?

Historically, HIPAA allowed the use or disclosure of PHI without patient authorization for certain purposes, including:
📌 Judicial or administrative proceedings
📌 Law enforcement requests
📌 Cases of domestic violence or abuse

However, HHS recognized that uncertainty surrounding HIPAA protections could discourage individuals from seeking reproductive health care—particularly in states where abortion access is legally restricted.

The final rules aim to protect individual privacy and limit the disclosure of reproductive health care information when it could lead to criminal or civil penalties against individuals or providers.


Key Changes Under the New HIPAA Privacy Rules

1. Prohibition on Disclosing PHI for Reproductive Health Care-Related Legal Action

What’s New? Covered entities CANNOT use or disclose PHI related to lawful reproductive health care for:
🚫 Criminal, civil, or administrative investigations into any person seeking, providing, or facilitating reproductive health care.
🚫 Imposing legal penalties on anyone for obtaining or providing reproductive health care.
🚫 Identifying individuals for legal action related to reproductive health care.

What Counts as “Lawful” Reproductive Health Care?

  • Services legally performed in the state where they occurred.
  • Services protected under federal law (e.g., contraceptive services required under ACA preventive care mandates).

📌 Key Employer Action Item: Employers with self-insured health plans must review their HIPAA compliance policies to ensure reproductive health PHI is not disclosed improperly.


2. Attestation Requirement for PHI Disclosures Related to Reproductive Health Care

What’s New? If a covered entity or business associate receives a request to disclose PHI related to reproductive health care, they must:
  • Require the requesting party to submit an attestation confirming the request does not violate HIPAA’s new protections.
  • Ensure all disclosures comply with HIPAA’s attestation rule.

When Does This Apply?
If PHI is requested for:

  • Health oversight investigations (state or federal agencies)
  • Judicial or administrative proceedings
  • Law enforcement matters
  • Cases related to a deceased individual

📌 Key Employer Action Item: Employers with self-insured health plans should adopt a compliant attestation form before December 23, 2024.


3. Required Updates to HIPAA Notice of Privacy Practices (NPPs)

What’s New? The final rules require changes to HIPAA Notices of Privacy Practices (NPPs).

What Must Be Updated?
  • New language explaining the prohibition on reproductive health PHI disclosures.
  • Examples of how PHI can and cannot be used under the new rules.
  • Clarification that PHI disclosed to third parties may lose HIPAA protection.

Deadline for Employers:
📅 December 23, 2024 – Update internal HIPAA compliance policies.
📅 February 16, 2026 – Update and distribute HIPAA Notices of Privacy Practices (NPPs).

📌 Key Employer Action Item: Employers should work with legal counsel and benefits consultants to update HIPAA compliance materials before the 2024 deadline.


Employer Compliance Checklist: What to Do Now

To ensure full compliance with the new HIPAA rules, employers should:

  • Review and Update HIPAA Policies – Ensure reproductive health PHI is not improperly disclosed.
  • Implement the Attestation Requirement – Require proper documentation before disclosing reproductive health PHI.
  • Update Business Associate Agreements (BAAs) – Ensure third-party vendors handling PHI comply with the new rules.
  • Update HIPAA Training Materials – Educate HR and benefits teams on new privacy protections.
  • Revise HIPAA Notice of Privacy Practices (NPPs) – Meet the February 16, 2026 deadline for updated notices.

📌 Key Deadline: Compliance with the new HIPAA rules is required by December 23, 2024.


How Atria Helps Employers with HIPAA Compliance

At Atria, we specialize in comprehensive benefits consulting and compliance oversight to help employers navigate complex regulations like HIPAA.

Our Expertise Includes:

  • HIPAA Compliance Audits – Ensuring full adherence to federal regulations.
  • Policy & Procedure Updates – Implementing new privacy protections for reproductive health care PHI.
  • Workforce Training – Educating HR teams on new HIPAA restrictions.
  • Risk Management & Vendor Oversight – Ensuring third-party administrators comply with HIPAA rules.

With Atria, compliance isn’t just about meeting legal requirements—it’s about protecting employees, mitigating risks, and building a benefits strategy that fosters trust.


Final Takeaways: What Employers Need to Do

📌 By December 23, 2024: Ensure internal HIPAA policies and business associate agreements are updated.
📌 By February 16, 2026: Update and distribute HIPAA Notices of Privacy Practices (NPPs).
📌 Ongoing: Train HR and benefits teams on new privacy protections.

🔹 Need help updating your HIPAA compliance strategy?
🔹 Contact Atria today to ensure your organization is fully prepared for these changes.