HIPAA Turns 26: Time to Review New Guidance!

Maybe the 26th anniversary (coming up on August 21, 2022) of the Health Insurance Portability and Accountability Act (HIPAA) isn’t as noteworthy a milestone year as last year’s 25th, but the act remains in the headlines in 2022. HIPAA, the cornerstone patient privacy law, limits the circumstances under which covered entities (health plans, health care clearinghouses, and most health care providers) may disclose protected health information (PHI). Without an individual’s signed authorization, these regulated entities can only disclose PHI as expressly permitted or required by the privacy rule. Recently, guidance from the U.S. Department of Health and Human Services (HHS) addressed disclosures to law enforcement officials as state abortion laws are changing after the Dobbs v. Jackson Women’s Health Organization ruling (Dobbs). As with any new guidance, compliance may cause disruption to business operations, so HIPAA-covered entities will want to pay attention to the requirements and timeframes identified.

HIPAA Privacy Updates in 2022, So Far

The HIPAA Privacy Rule is intended to support individuals’ access to health services and give individuals confidence that their PHI will be kept private. In 2022, HHS clarified how the privacy rule applies to PHI related to gender affirming care and reproductive health care.

  • In March, the HHS Office of Civil Rights (OCR) issued a clarification titled “Guidance on Gender Affirming Care, Civil Rights, and Patient Privacy” under Section 1557 of the Affordable Care Act and privacy rules under HIPAA. This reviews existing rules to prohibit discrimination on the basis of sexual orientation or gender identity in a health program or activity that receives financial assistance from HHS.
  • In June, in response to the Supreme Court’s ruling on Dobbs, HHS issued guidance titled “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care”. The HHS guidance:
    • Identifies when HIPAA permits disclosure of PHI without authorization
    • Reminds HIPAA-covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by HIPAA
    • Explains HIPAA’s restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.

How Are Plan Sponsors Affected by HIPAA Privacy Post-Dobbs?

For a fully insured plan regulated by state law, an insurer issuing coverage in the state would likely be prohibited from selling a plan in violation of state laws related to medical services for termination of pregnancy. A self-funded plan is governed by ERISA, and ERISA would generally pre-empt state laws. HIPAA could apply to various aspects of a health plan, including medical travel benefits.

Regardless of the health plan's funding status, plan sponsors should review the following:

  • Changes to state laws where they have operations
  • Plan documents
  • Data privacy policies and procedures
  • Travel and lodging benefits under EAPs or HRAs
  • Mental health parity considerations if changes are made to health benefits
  • Relocation benefits

Finally, additional guidance issued on reproductive health includes an Executive Order (EO) released July 8, and FAQs addressing ACA preventive care and contraception in FAQ Part 54. The EO asks HHS to consider further guidance under HIPAA to protect confidentiality and privacy related to reproductive healthcare.

Plan sponsors should continue to monitor any new HIPAA developments for implications to their plans. Stay tuned to the International Foundation for additional HIPAA-related guidance as it's released.

Anne Newhouse, CEBS
Information/Research Specialist at the International Foundation of Employee Benefit Plans
