News: HIPAA

OCR Releases Final HIPAA Privacy Rule to Support Reproductive Health Care Privacy
Morgan Lewis
[Guidance Overview]
May 17, 2024

"Covered entities must revise their Notice of Privacy Practices to include, among other things, information regarding the types of uses and disclosures prohibited by the Final Rule, as well as the scenarios in which an attestation will be required. Covered entities have until February 16, 2026 to comply with the updated Notice of Privacy Practices requirements."

Tags: HIPAA

New HIPAA Rule Will Require Updates to Policies and Notices
Segal
[Guidance Overview]
May 17, 2024

"Self-insured group health plan sponsors must incorporate the terms of the new final rule into their HIPAA privacy compliance program. This involves ... amending policies and procedures, particularly those addressing use and disclosure and authorization policies; implementing compliant attestation forms; amending Notices of Privacy Practices; and training staff and business associates on the new policies."

Tags: HIPAA

HIPAA Privacy Final Rule: Landmark Changes Related to Reproductive Health Care Information
Polsinelli PC
[Guidance Overview]
May 14, 2024

"Due to this broad regulatory definition of 'reproductive health care,' the Final Rule requirements apply broadly to a wide scope of PHI, which Regulated Entities, including Business Associates, likely create and maintain in non-structured formats in many different systems and applications, such that automating the identification and tagging of PHI about 'reproductive health care' will not be feasible."

Tags: HIPAA

Do You Have Business Associate Agreements with Every Required Party?
McGuireWoods
[Guidance Overview]
May 14, 2024

"It is critical for all entities who create, receive, maintain or transmit PHI to ensure they have [business associate agreements (BAAs)] in place. [Covered entities (CEs)] must ensure they have BAAs with all of their [business associates (BAs)]; BAs must ensure they have BAAs with CE customers and BA subcontractors; subcontractors also need to ensure they have BAAs in place with their BA customers (often known as sub-BAAs). All parties need to ensure their BAAs comply with the statutory requirements, at a minimum."

Tags: HIPAA

HHS Amends HIPAA Privacy Rule to Strengthen Protections for Reproductive Health Care
Eversheds Sutherland
[Guidance Overview]
May 13, 2024

"Many group health plans have made it clear that they will only cover reproductive health care that is legal in the state in which it is obtained. Therefore, in most circumstances, it is expected that group health plans would generally not have knowledge of illegally obtained reproductive health care."

Tags: HIPAA

Final HIPAA Privacy Rule Increases Protection of Reproductive Health Care Data
Proskauer
[Guidance Overview]
May 10, 2024

"Employers sponsoring self-insured health plans will want to pay particular attention.... Consider implementing a system to identify and track PHI that is potentially related to reproductive health care.... Once the model attestation has been published, customize it as needed, but keep in mind an attestation will not be valid if combined with other documents or if it contains elements or statements not otherwise required under the Reproductive Health Care Rule.... Incorporate the Reproductive Health Care Rule into annual HIPAA training, ... Review business associate agreements to determine whether any updates are needed[.]"

Tags: HIPAA

The 2024 HIPAA Privacy Reproductive Health Care Regs: Takeaways for Group Health Plans
Snell & Wilmer
[Guidance Overview]
May 9, 2024

"The Reproductive Health Care Rules limit when a group health plan can disclose reproductive health care protected health information (PHI) for non-health care purposes.... A group health plan must receive an attestation for certain uses or disclosures of PHI that potentially relate to reproductive health care."

Tags: HIPAA

HHS Final Regs Require Changes to HIPAA Policies and Notice of Privacy Practices
Haynes and Boone, LLP
[Guidance Overview]
May 8, 2024

"In light of a recent final rule issued by HHS, all group health plans will need to update their Notice of Privacy Practices and redistribute the updated notice by February 16, 2026 to incorporate [1] notice requirements for covered entities creating or maintaining records protected under 42 CFR part 2 (related to substance use disorder patient records) and [2] a description of the new prohibition on use or disclosure of certain protected health information related to reproductive health care."

Tags: HIPAA

FTC Expands Scope of Health Breach Notification Rule, Even as HHS Announces Its Own HIPAA Update
Seyfarth Shaw LLP
[Guidance Overview]
May 7, 2024

"[The FTC] finalized changes to modernize the Health Breach Notification Rule by clarifying its applicability to health and wellness apps and other similar technologies ... [Many] digital health and wellness companies ... are not subject to the strict privacy and security regulations under [HIPAA] ... since they do not submit electronic claims for insurance billing purposes[.]"

Tags: HIPAA

HHS Finalizes Changes with Respect to Strengthening the Privacy of Reproductive Health Care Information Under HIPAA
Ropes & Gray LLP
[Guidance Overview]
May 3, 2024

"The Final Rule modifies the Privacy Rule to limit circumstances in which an individual's PHI about reproductive health care may be used or disclosed for non-health care purposes ... The PHI covered by the Final Rule includes information related to reproductive health care services ... that was lawfully obtained."

Tags: HIPAA

AHIP Letter to OCR on Cyber Breach Notification Obligations Following Change Healthcare Incident (PDF)
America's Health Insurance Plans [AHIP]
[Opinion]
May 3, 2024

"At [the May 1 hearing] held by the House Energy & Commerce Committee, United CEO Andrew Witty said, 'we are offering to take full responsibility for all notification obligations for everyone involved in this.' [AHIP supports] this approach and agree that guidance from the Office of Civil Rights should clearly state that only Change has an obligation to perform breach notification in this context. That clarity would avoid tens of millions of Americans being left confused, frustrated and inundated by multiple notifications."

Tags: Cybersecurity   •   HIPAA

UnitedHealth's CEO Slammed in Senate Hearing About Cyberattack
The New York Times; subscription may be required
May 2, 2024

"In a tense Senate hearing ... lawmakers sharply criticized UnitedHealth Group's handling of the cyberattack that paralyzed the U.S. health care system ... [S]enators questioned whether the cyberattack of Change Healthcare, which manages a third of all U.S. patient records and some 15 billion transactions a year, was so vast because UnitedHealth is too deeply embedded in nearly every aspect of the nation's medical care.... In the afternoon, House lawmakers outlined their concerns, especially given the corporation's enormous scale."

Tags: Cybersecurity   •   HIPAA   •   Health Plan Administration

HHS FAQs Address Change Healthcare Cybersecurity Incident (PDF)
Thomson Reuters / EBIA
[Guidance Overview]
May 2, 2024

"The FAQs specifically point to OCR's ransomware guidance, which has information on actions for regulated entities to take to determine if a ransomware incident is a breach (which is a fact-specific determination). OCR highlights that if covered entities are aware of a potential breach by a business associate, there is an obligation to proactively investigate whether a breach occurred, and report the breach to HHS, impacted individuals, and in certain cases, the media."

Tags: Cybersecurity   •   HIPAA

HIPAA Final Rule Requires Changes for Group Health Plans in Supporting Reproductive Health Care Privacy
Lockton
[Guidance Overview]
May 2, 2024

"While most PHI related to reproductive health care will remain in the hands of third-party administrators and insurance carriers, the new rules will require action on the part of employers with self-funded group health plans (or insured plans with access to PHI) by Dec. 22, 2024.... [E]mployers will need to: [1] Provide training; [2] Revise policies and procedures; [3] Update the Notice of Privacy Practices (by February 16, 2026); [4] Develop an attestation form."

Tags: HIPAA

New HIPAA Rules Limit the Use and Disclosure of PHI Related to Reproductive Health Care and Revise Notice of Privacy Practices Requirements
Kutak Rock LLP
[Guidance Overview]
May 1, 2024

"Although the Final Rule requires a covered entity to collect an attestation from requesters of PHI potentially related to reproductive health care, HHS makes clear that group health plans and business associates cannot rely on the attestation and must make an independent determination on the use or disclosure of PHI.... The attestation will be limited to the specific use or disclosure, so each use or disclosure request will require its own attestation."

Tags: HIPAA

Change Healthcare Cyberattack: HHS OCR Publishes Early Guidance on Breach
Ropes & Gray LLP
May 1, 2024

"Covered entities and business associates should carefully review [OCR's] FAQ webpage, in conjunction with all UHG/Change statements, and consider taking the following steps: [1] Contact Change/UHG about notifications and compromised data.... [2] Prepare to evaluate whether patients are impacted.... [3] Review BAAs with Change.... [4] Conduct a dark web investigation.... [5] Continue to monitor relevant sites for updates."

Tags: Cybersecurity   •   HIPAA

HHS Strengthens HIPAA Rules to Protect Reproductive Health Privacy
Seyfarth
[Guidance Overview]
Apr. 30, 2024

"[T]he Final Rule inserts a new definition of Reproductive Health Care, and amends the definition of Person to state a natural person is 'a human being who is born alive'.... The prohibition on the use or disclosure of PHI applies where that health care is lawful under federal law or the laws of the state in which it is provided."

Tags: HIPAA

Managing the Impacts of the Change Healthcare Cyberattack
Nelson Mullins
Apr. 26, 2024

"UnitedHealth Group (UHC) announced on April 22, 2024, that it had paid a ransom to protect patient data potentially acquired in a late February cyberattack on its subsidiary Change Healthcare.... UHC has not officially notified affected health plans and their participants that a breach had occurred.... UHC reported that it has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial portion of people in America.... To mitigate any harm resulting from the CHC breach, [the authors] recommend that ERISA-regulated plans which may be impacted by the breach inform their plan participants of the CHC event."

Tags: Cybersecurity   •   HIPAA

Text of HHS Final Regs: HIPAA Privacy Rule to Support Reproductive Health Care Privacy
Office for Civil Rights [OCR], U.S. Department of Health and Human Services [HHS]
[Official Guidance]
Apr. 23, 2024

"In order to continue to protect privacy in a manner that promotes trust between individuals and health care providers and advances access to, and improves the quality of, health care, [HHS has] determined that the Privacy Rule must be modified to limit the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual's PHI about reproductive health care for certain non-health care purposes, where such use or disclosure could be detrimental to privacy of the individual or another person or the individual's trust in their health care providers."

Tags: HIPAA

CMS FAQs about Change Healthcare Cybersecurity Incident
U.S. Department of Health and Human Services [HHS]
[Guidance Overview]
Apr. 22, 2024

"Why is OCR initiating an investigation now and what does it cover? ... Has OCR received breach reports from Change Healthcare, UHG, or any affected health care entities? A: No ... Is OCR's 2016 ransomware guidance applicable to the Change Healthcare cyberattack? A: Yes ... Are covered entities that are affected by the cyberattack involving Change Healthcare and UHG required to file breach notifications? A: Yes ... What HIPAA breach notification duties do covered entities have with respect to the Change Healthcare cyberattack? ... What HIPAA breach notification duties do business associates have with respect to the Change Healthcare cyberattack?"

Tags: Cybersecurity   •   HIPAA   •   Health Plan Administration

Health and Welfare Benefits Monthly Update, April 2024 (PDF)
Alston & Bird
[Guidance Overview]
Apr. 11, 2024

29 presentation slides. Topics: [1] Washington update; [2] STLDI and fixed indemnity regulations; [3] Wellness incentives/surcharges: benefits areas of concern; [4] Updates to HIPAA online tracking; and [5] Compliance corner.

Tags: HIPAA   •   Health Plan Administration   •   Health Plan Design

Cybersecurity Best Practices for Employers in the Wake of the Change Healthcare Attack
Burnham Benefits
Apr. 11, 2024

"As a group health plan sponsor, an employer's responsive obligations arising in the context of certain cybercrime events depends largely upon the underlying funding status of the employer's core employee benefit plans ... Additional privacy and security related obligations for the employer may be detailed in various state-level statutory mandates or even within certain international laws or other global-scope regulations.... Several notifications may be required as a consequence of a data breach.... Communication with employees is important[.]"

Tags: Cybersecurity   •   HIPAA

HHS Aligns Part 2 Rules with the HIPAA Privacy Rules: Effects on Self Insured Plan Sponsors
Kilpatrick Townsend
[Guidance Overview]
Apr. 4, 2024

"Part 2 imposes requirements for substance use disorder (SUD) treatment records ... The Part 2 regulations will come into play typically with employee assistance programs, as well as mental health and substance abuse disorder vendors for a medical plan.... Even though a self-insured health plan sponsor contracts with an EAP or SUD vendor and requires the EAP and SUD vendor to comply with Part 2 and the HIPAA privacy rules (as well as signing a BAA), under the HIPAA privacy rules, self-insured health plans remain responsible for HIPAA privacy compliance."

Tags: HIPAA

HHS Submits Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance
Benesch
Apr. 3, 2024

"Notwithstanding the challenges faced by OCR in enforcing HIPAA compliance amidst rising cybersecurity threats and increasing regulatory responsibilities, the Report provides valuable insight into the OCR investigation process.... [The] steeper penalties resulting from failure to maintain recognized security practices should serve as a cautionary tale to covered entities and business associates. Based on the findings highlighted in the Report, here are ... recommendations for entities regulated by HIPAA to improve compliance and enhance data protection efforts."

Tags: HIPAA

Change Healthcare Provides Update on 'Impacted Data' Analysis and Notification Plan
BakerHostetler
Mar. 29, 2024

"[As of March 27,] CHC is still determining the contents of the 'data that was taken by the threat actor.' ... A third-party vendor has been engaged to assist with data analysis.... It could be some time before CHC announces the scope of data involved.... CHC data has not been found on the dark web.... CHC will be offering to provide notifications for customers 'where permitted.' ... The latest statement from CHC itself does not start any covered entity's '60-day timeline.' "

Tags: Cybersecurity   •   HIPAA

© 2024 BenefitsLink.com, Inc.