The Regulation
The 2024 HIPAA Privacy Rule, which went into effect on June 25, 2024, is intended to “strengthen privacy protections for highly sensitive PHI about the reproductive health care of an individual, and directly advances the purposes of HIPAA by setting minimum protections for PHI and providing peace of mind that is essential to individuals’ ability to obtain lawful reproductive health care.” The 2024 HIPAA Privacy Rule defines “reproductive health care” as “health care … that affects the health of an individual in matters relating to the reproductive system and its functions and processes.” View the final ruling here.
Next Steps for Employers
Both self-funded group health plans and fully insured group health plans that have access to PHI must comply with the Final Rule. The sponsor of a self-insured health plan (which includes FSAs and most HRAs in addition to Health, Dental, Vision, Wellness and EAP) is responsible for HIPAA compliance even where most of the plan administration is contracted to a third party. Compliance with this new HIPAA Final Rule is required by Dec. 23, 2024, except with respect to the revised NPP (Notice of Privacy Practices), which is required by Feb. 16, 2026.
Action items for employer plan sponsors include:
- Revise HIPAA policies and procedures manual.
- Revise operational workflow to respond to requests for PHI potentially related to reproductive healthcare, including who will determine whether the request is for a prohibited purpose.
- Develop a process for obtaining (and retaining) a written attestation when a request for PHI potentially related to reproductive healthcare is received, including which vendor will handle it and when legal counsel should be involved.
- Provide updated HIPAA training to relevant workforce members.
- Review health plan documents for changes to the HIPAA privacy rule and the Part 2 rules (Confidentiality of Substance Use Disorder (SUD) issued February 8, 2024) and determine whether a plan amendment is required.
- Review plan member communications to ensure HIPAA references are accurate and up to date.
- Consider developing (or discussing with plan administrators the development of) a procedure for identifying and tracking PHI potentially related to reproductive healthcare, which could be instrumental in responding to requests for PHI.
- Prepare to update and distribute the NPP, as required by February 16, 2026.
TASC to the Rescue!
At TASC, we’re proud to be the industry leader in compliance services, which includes our HIPAA Compliance offering. We strongly encourage all TASC FSA/HRA clients with a self-funded plan to consider adding our HIPAA offering to ensure the protection you need during these times of unprecedented change and scrutiny. Request a Quote Today!
Not a TASC FSA or HRA client? No worries. We offer our HIPAA Compliance as a stand-alone service as well! Learn More!