Recent HIPAA Amendments and Proposed Regulations - Bim Group


In the last year, two significant HIPAA regulations were issued, impacting employer group health plans. This article summarizes the new rules – one under the privacy rule provisions and one under the security rule provisions – and what employers need to know about the current legal status of these rules and how to prepare for compliance.

HIPAA Privacy Rule Amendment

There has been significant ongoing litigation surrounding the 2024 reproductive healthcare amendment to the HIPAA Privacy Rule regulations (the “2024 Rule”) issued by the Department of Health and Human Services (HHS) under the Biden administration. Effective June 24, 2024, the 2024 Rule restricts the disclosure of lawfully provided reproductive healthcare information, particularly when sought to investigate or impose liability on individuals or entities merely for seeking, procuring, or facilitating lawful reproductive healthcare. In early January, a Texas court issued an injunction preventing the HHS from enforcing the 2024 Rule against a physician so that she could continue to report cases of child abuse to Child Protective Services. On January 17, 2025, 15 states filed suit to get the regulation completely overturned.

The lawsuit alleges that the rule hindered state investigations into matters such as Medicaid fraud, child and elder abuse, and insurance-related malfeasance by limiting access to reproductive healthcare records. HHS, however, maintains that the 2024 Rule is essential to protect individuals’ privacy considering the evolving legal landscape following the Dobbs v. Jackson Women’s Health Organization decision which overturned Roe v. Wade. While the lawsuits targeted activities of medical providers, group health plan sponsors are equally responsible for compliance with the rule, which is already in effect.

What to Expect

The legal challenges to the 2024 Rule raise questions about its future enforceability. Possible scenarios for handling the challenges include:

  • The administration could decline to defend the litigation, potentially allowing the courts to overturn the 2024 Rule
  • The Trump administration could issue executive orders limiting enforcement of the 2024 Rule
  • HHS could initiate new rulemaking to modify or repeal the 2024 Rule, which would likely take some time

Proposed HIPAA Security Rule Amendment

HHS has proposed significant updates to the HIPAA Security Rule (the “Proposed Rule”), aimed at enhancing the protection of electronic protected health information (ePHI) against escalating cybersecurity threats. These changes, if finalized, will require covered entities, including group health plans, to adopt more stringent cybersecurity measures and compliance protocols.

Key Proposed Changes Impacting Group Health Plans

  1. Increase in required obligations. The current Security Rule separates implementation specifications into two categories, “required” and “addressable,” the latter being required only in certain circumstances. Under the Proposed Rule, all implementation specifications will be mandatory.
  2. Technology asset inventory and network map. Regulated entities will be required to create and maintain a detailed inventory of technology assets and a network map that tracks the movement of ePHI through their systems.
  3. Annual risk analysis and risk management plans. The Proposed Rule heightens the standards for the annual risk analysis covered entities must perform, and also requires entities to implement detailed risk management plans to address identified vulnerabilities.
  4. Incident response and disaster recovery. Entities will be required to develop, test, and update incident response and disaster recovery procedures annually, including a requirement to restore critical IT systems and data within 72 hours.
  5. Restrict terminated employee access. Entities will be required to implement strict procedures to revoke access to ePHI for terminated employees.
  6. Annual compliance audits and training. Regulated entities will be required to conduct annual audits to verify compliance and to provide annual security awareness training for all personnel with access to ePHI.
  7. Update Business Associate Agreements (BAAs). Plans will be required to update BAAs to require 24-hour notification when a business associate activates its contingency plan, and annual compliance certifications by business associates.
  8. Miscellaneous. Regulated entities will also be required to adopt additional measures, such as:
    • Encrypting all ePHI
    • Using multi-factor authentication
    • Conducting vulnerability scanning at least every six months and penetration testing at least annually
    • Employing anti-malware protections, and network segmentation
    • Establishing separate technical controls for ePHI backup and recovery
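As an added illustration, not part of the original article or of the Proposed Rule itself, the Python script below reconciles a constructed technology asset inventory and access list against several of the controls listed above (encryption, MFA, segregated backups, scan and penetration-test cadence, and revocation of terminated employees' access). The inventory layout, field names, the sample data, and the 183-day scan threshold are assumptions made for the example; the rule text prescribes no file format or tooling.

```python
"""Gap check against the technical controls in the Proposed Security Rule.

Hypothetical example for this article. The inventory, access list,
termination feed and thresholds below are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed technology asset inventory (item 2 above). In practice this
# would be exported from a CMDB or asset-management tool.
ASSETS = [
    {"name": "claims-db", "ephi": True, "encrypted": True, "mfa": True,
     "backup_segregated": True, "last_vuln_scan": date(2025, 1, 20),
     "last_pentest": date(2024, 6, 1)},
    {"name": "hr-fileshare", "ephi": True, "encrypted": False, "mfa": False,
     "backup_segregated": False, "last_vuln_scan": date(2024, 5, 2),
     "last_pentest": None},
    {"name": "intranet-wiki", "ephi": False, "encrypted": False, "mfa": False,
     "backup_segregated": False, "last_vuln_scan": None, "last_pentest": None},
]

# Constructed access list (who still holds an active account on which asset)
# and HR termination feed (item 5 above).
ACCESS = [
    {"user": "alice", "asset": "claims-db", "active": True},
    {"user": "bob", "asset": "claims-db", "active": True},
    {"user": "bob", "asset": "hr-fileshare", "active": False},
]
TERMINATIONS = {"bob": date(2025, 2, 1)}

# Assumed cadences: "at least every six months" and "at least annually".
SCAN_INTERVAL = timedelta(days=183)
PENTEST_INTERVAL = timedelta(days=365)


def assess(assets, access, terminations, today):
    """Return a list of (asset, finding) pairs for ePHI assets that miss a control."""
    findings = []
    for a in assets:
        if not a["ephi"]:
            continue  # the checks below apply only to assets holding ePHI
        if not a["encrypted"]:
            findings.append((a["name"], "ePHI not encrypted"))
        if not a["mfa"]:
            findings.append((a["name"], "no multi-factor authentication"))
        if not a["backup_segregated"]:
            findings.append((a["name"], "backup not under separate technical controls"))
        scan = a["last_vuln_scan"]
        if scan is None or today - scan > SCAN_INTERVAL:
            findings.append((a["name"], "vulnerability scan overdue"))
        pentest = a["last_pentest"]
        if pentest is None or today - pentest > PENTEST_INTERVAL:
            findings.append((a["name"], "penetration test overdue"))

    ephi_assets = {a["name"] for a in assets if a["ephi"]}
    for entry in access:
        term = terminations.get(entry["user"])
        # Any account still active on or after the termination date is a gap.
        if (term is not None and entry["active"] and today >= term
                and entry["asset"] in ephi_assets):
            findings.append((entry["asset"],
                             f"terminated user {entry['user']} still active"))
    return findings


def run_check(today=date(2025, 3, 1)):
    """Run the assessment over the constructed data as of the given date."""
    return assess(ASSETS, ACCESS, TERMINATIONS, today)


if __name__ == "__main__":
    for asset, finding in run_check():
        print(f"{asset}: {finding}")
```

Run as of 1 March 2025, the check flags five gaps on `hr-fileshare` and one stale account on `claims-db`, while `intranet-wiki` is skipped because it holds no ePHI. Passing an empty termination feed removes the stale-account finding, which is a quick way to confirm that the HR feed, not the access export, is driving that result.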

The public comment period is currently open until March 7, 2025. HHS is soliciting input, particularly on the impact of making all implementation specifications mandatory and on how best to regulate emerging technologies such as AI and quantum computing. However, President Trump recently directed federal agencies to pause all rulemaking activity for 60 days.

Employer Action Items

  • Remain compliant with HIPAA Privacy Rule. Until further notice, this new Rule remains in effect. Plan sponsors and their business associates should ensure they comply with the restrictions on reproductive healthcare disclosures but should be ready for change. It is unlikely that the Trump administration will make enforcement of the 2024 Rule a priority, and plan sponsors should anticipate future action regarding the scope and enforcement of the 2024 Rule.


This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.
