Many employers wonder whether their employer-sponsored group health plan still needs to update its HIPAA policies and procedures, risk assessment, and training to comply with the HIPAA Privacy Rule to Support Reproductive Health Care (2024 Privacy Rule) for 2026. Most of the 2024 Privacy Rule was struck down nationwide by a Texas court, so covered entities and business associates do not have to follow its requirements right now.
Privacy Rule Background
The 2024 Privacy Rule was issued in April 2024 and amended the HIPAA privacy rule to further protect reproductive health care in the wake of the U.S. Supreme Court’s Dobbs decision. In general, the 2024 Privacy Rule expanded the definition of “health care” to include “reproductive health care,” prohibited certain uses and disclosures of protected health information (PHI), required attestations from requestors for specific disclosures, and mandated updates to privacy notices to reflect the rules on reproductive health care privacy and provisions on confidentiality of medical records relating to individuals with substance use disorders (Part 2 Rule).
A Texas medical provider challenged the 2024 Privacy Rule, arguing that it should be set aside because HHS had exceeded its authority in issuing the 2024 Privacy Rule and that the Rule hindered mandatory child abuse reporting. The court agreed, concluding that HHS exceeded its authority, and that the 2024 Privacy Rule conflicted with Texas law and imposed costly burdens. It issued a nationwide injunction, striking down most of the Rule, and HHS did not appeal the decision.
Moving Forward
Due to the injunction, covered entities and business associates do not need to update HIPAA policies and procedures, risk assessments, business associate agreements, and training for the 2024 Privacy Rule. Covered entities and business associates who took actions to comply with the 2024 Privacy Rule before the nationwide injunction was issued should consult legal counsel regarding further actions. It remains important for organizations to monitor ongoing legal developments in the event of further HHS rulemaking or new state privacy laws that could change the compliance landscape once again.
Although much of the 2024 Privacy Rule was vacated in court with nationwide effect, the requirement to revise the notice of privacy practices under the Part 2 Rule remains in place. Entities subject to Part 2 must update their notice of privacy practices by February 16, 2026. Because group health plans may receive PHI from a provider covered by Part 2, group health plans should update their notice of privacy practices consistent with the 2024 Privacy Rule. Unfortunately, HHS has not yet updated its sample notice of privacy practices to reflect the Part 2 Rule changes. Moreton & Company will keep clients updated on this issue.
