In the last year, two significant HIPAA regulations were issued, impacting employer group health plans. This article summarizes the new rules – one under the privacy rule provisions and one under the security rule provisions – and what employers need to know about the current legal status of these rules and how to prepare for compliance.
HIPAA Privacy Rule Amendment
There has been significant ongoing litigation surrounding the 2024 reproductive healthcare amendment to the HIPAA Privacy Rule regulations (the “2024 Rule”) issued by the Department of Health and Human Services (HHS) under the Biden administration. Effective June 24, 2024, the 2024 Rule restricts the disclosure of lawfully provided reproductive healthcare information, particularly when sought to investigate or impose liability on individuals or entities merely for seeking, procuring, or facilitating lawful reproductive healthcare. In early January, a Texas court issued an injunction preventing the HHS from enforcing the 2024 Rule against a physician so that she could continue to report cases of child abuse to Child Protective Services. On January 17, 2025, 15 states filed suit to get the regulation completely overturned.
The lawsuit alleges that the rule hindered state investigations into matters such as Medicaid fraud, child and elder abuse, and insurance-related malfeasance by limiting access to reproductive healthcare records. HHS, however, maintains that the 2024 Rule is essential to protect individuals’ privacy in light of the evolving legal landscape following the Dobbs v. Jackson Women’s Health Organization decision, which overturned Roe v. Wade. While the lawsuits target the activities of medical providers, group health plan sponsors are equally responsible for compliance with the rule, which is already in effect.
What to Expect
The legal challenges to the 2024 Rule raise questions about its future enforceability. Possible scenarios for handling the challenges include:
- The administration could decline to defend the litigation, potentially allowing courts to overturn the 2024 Rule
- The Trump administration could issue executive orders limiting enforcement of the rule
- HHS could initiate new rulemaking to modify or repeal the 2024 Rule, which will likely take some time
Proposed HIPAA Security Rule Amendment
HHS has proposed significant updates to the HIPAA Security Rule (the “Proposed Rule”), aimed at enhancing the protection of electronic protected health information (ePHI) against escalating cybersecurity threats. These changes, if finalized, will require covered entities, including group health plans, to adopt more stringent cybersecurity measures and compliance protocols.
Key Proposed Changes Impacting Group Health Plans
- Increase in required obligations. The current Security Rule separates all requirements into two categories – “required” or “addressable,” the latter being required only in certain circumstances. Under the Proposed Rule, all implementation specifications will be mandatory.
- Technology asset inventory and network map. Under the Proposed Rule, regulated entities will be required to create and maintain a detailed inventory of technology assets and a network map that tracks the movement of ePHI.
- Annual risk analysis and risk management plans. The Proposed Rule heightens the standards for the annual risk analysis covered entities must conduct. The Proposed Rule also requires entities to implement detailed risk management plans to address identified vulnerabilities.
- Incident response and disaster recovery. Entities will be required to develop, test, and update incident response and disaster recovery procedures annually, with a requirement to restore critical IT systems and data within 72 hours.
- Restrict terminated employee access. Entities will be required to implement strict procedures to revoke access to ePHI for terminated employees.
- Annual compliance audits and training. Regulated entities will be required to conduct annual audits to ensure compliance and to provide annual security awareness training for all personnel with ePHI access.
- Update Business Associate Agreements (BAAs). Plans will be required to update BAAs to require 24-hour notification of contingency plan activation and annual compliance certifications by business associates.
- Miscellaneous. Regulated entities must also adopt additional measures, such as:
  - Encrypting all ePHI
  - Using multi-factor authentication
  - Conducting biannual vulnerability scanning and annual penetration testing
  - Employing anti-malware protections and network segmentation
  - Establishing separate technical controls for ePHI backup and recovery
The public comment period is currently open until March 7. HHS is soliciting input, particularly on the impact of making all specifications mandatory and how to best regulate emerging technologies like AI and quantum computing. However, President Trump recently directed federal agencies to pause all rulemaking activity for 60 days.
Employer Action Items
- Remain compliant with HIPAA Privacy Rule. Until further notice, this new Rule remains in effect. Plan sponsors and their business associates should ensure they comply with the restrictions on reproductive healthcare disclosures but should be ready for change. It is unlikely that the Trump administration will make enforcement of the 2024 Rule a priority, and plan sponsors should anticipate future action regarding the scope and enforcement of the 2024 Rule.
This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.