Compliance News to Know

Resources: HIPAA Privacy Rule

SUPPORTING REPRODUCTIVE HEALTH CARE

In April, the Office of Civil Rights (OCR), the enforcement entity for Health & Human Services (HHS), issued a Final Rule that strengthens the HIPAA Privacy Rule by prohibiting the disclosure of Protected Health Information (PHI) related to lawful reproductive health care in certain situations. In June, OCR released several resources to assist Covered Entities in complying with Rule changes: a Fact Sheet, guidance on updating the Notice of Privacy Practices, a Social Media Kit, and a Model Attestation. Details below.

2nd Wednesday monthly at 1 pm EST?????????????????????????????????????????????

August 15 – Federal FMLA

September 11 - Cafeteria Plans & Nondiscrimination Testing

October 9th – HIPAA Privacy Rule ??

Click here to join!

Compliance Reminders

• September – Fully insured plans may receive Medical Loss Ratio (MLR) Rebates. Use within 3 months.
• September 30 – Summary Annual Report (SAR) due to participants for 1/1 plans
• October 15 - Medicare Part D Notices due. ?
• December 31 – Gag Clause Attestation due via CMS?

Access the 2024 Benefits Compliance Checklist or ask your Patriot Advisor.

The Rundown

• ?DOL: FMLA PowerPoint Presentation Slides
• CMS: Updated Submission Instructions amp; User Manual for the Gag Clause Prohibition Compliance Attestation (GCPCA)
• IRS: DRAFT of 2024 Form 1095-C
• Blog: 2024 U.S. Supreme Court Decisions Impacting Group Health Plans
• Blog: Healthcare claims audits for self-insured plan sponsors
• Blog: Changes to the HIPAA Privacy Rules for Self-Insured Group Health Plans
• Blog: COBRA Continuation for Health Care Flexible Spending Accounts
• Blog: Medicare Part D Creditable Coverage Changes in 2025

Benefits Watch Webinar

August 15 – Federal Family & Medical Leave Basics & 1 PM EST (60 min.)

Another FMLA basics webinar? Yes. Since States are enhancing the federal “floor” by offering various versions of paid & unpaid protected leave, let’s review the process. Join Patriot’s Benefits Compliance Counsel, Olivia Ash, for a one-hour webinar to outline the FMLA process. This month Olivia welcomes a guest Leave of Absence expert to reveal how federal leave interacts with state leave (or not), including a quick glance at current & upcoming leave laws.

HIPAA Privacy Rule – Reproductive Healthcare

Final Rule Changes

The [HIPAA Privacy] Final Rule strengthens privacy protections for medical records & health information for women, their family members, & doctors who are seeking, obtaining, providing, or facilitating lawful reproductive health care. – HHS

The Final Rule requires the following of health plans & Business Associates (BAs):

1. Prohibit the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
2. Require health plans or their BAs to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
3. Require health plans to modify their Notice of Privacy Practices to support reproductive health care privacy.

In a Nutshell: What does it mean to use or disclose PHI without a person’s signed authorization?

?Resources: HIPAA Privacy Rule

Per HHS Guidance: “Covered Entities, including health plans and, to an extent, their Business Associates, may use or disclose PHI, without a person’s signed authorization, only as expressly permitted or required by the Privacy Rule.”

Required by Law: The Privacy Rule permits plans to disclose PHI about a person without their authorization when required by law & as long as it complies with that law.

HHS Example: “An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not?expressly require such reporting, the Privacy Rule would?not?permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.”

Review additional applications of the Final Rule for other situations at HHS’ website.

Final Rule Resources

• Press Release
• Fact Sheet?(en espa?ol)
• Director’s message on YouTube??(en espa?ol?)
• Guidance for Covered Entities & Business Associates
• Social Media Toolkit:?HIPAA Privacy Rule to Support Reproductive Health Care Privacy?- PDF
• June 20, 2024, Presentation on Final Rule (Slides)?- PDF
• For HIPAA Covered Entities or Business Associates:?Model Attestation for a Requested Use or Disclosure of PHI Potentially Related to Reproductive Health Care?- PDF

?Employer-Required Actions

What actions does the Final Rule require of plan sponsors?

Employer compliance with privacy standards include updates to the following:

• The plan’s Notice of Privacy Practices (this deadline is February 16, 2026);
• The health plan’s HIPAA privacy policies & procedures;
• Any template risk assessments used for breach responses; and
• Applicable Business Associate Agreements.

Employers must comply with these updates & train the health plan’s workforce on the new use & disclosure restrictions & when an attestation is required by December 23, 2024.

Sources for additional compliance details with the Final Rule for employers & Business Associates: ?

• Kilpatrick
• McAfee & Taft
• Frost Brown Todd
• Model Attestation at HHS

• 6 attestation elements