On April 26, 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule that strengthens the HIPAA Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain situations. The final rule requires covered entities, including health plans, to update their privacy notices to:
- Describe the new privacy rights for reproductive health care and provide examples of the new disclosure restrictions; and
- Explain that PHI disclosed pursuant to the Privacy Rule may be subject to redisclosure and is no longer protected.
In addition, covered entities that handle certain substance use disorder (SUD) patient records must update their privacy notices to describe new privacy protections for these records.
The deadline for covered entities to update their privacy notices for these changes is Feb. 16, 2026.
Action Steps
Employers that maintain privacy notices for their health plans will need to update them for these changes by Feb. 16, 2026. Employers with self-insured health plans must also distribute their updated privacy notice by this deadline. Many employers with fully insured health plans are not required to maintain or distribute their own privacy notice, as this responsibility is primarily imposed on the health insurance issuer. However, employers with fully insured health plans must maintain their own privacy notice and provide it upon request if they have access to PHI (other than enrollment and summary health information) from the plan.
HHS provides model privacy notices for health care providers and health plans to use. It is expected that HHS will update its model notices to incorporate the new requirements.
For a copy of this notice, click here: New HIPAA Rule Will Require Updates to Privacy Notices