Compliance in Motion – November 2024

Dec 3, 2024


FAQ: How do employers comply with the HIPAA Reproductive Health Care rules by December 23, 2024?

Employers must conduct HIPAA training to incorporate these new requirements. The updated HIPAA course, which includes the recent changes, is available in the LMS section of the MB Client Portal.

To access the course:

  • Log into the MB Client Portal
  • Select “LMS” from the navigation bar on the left
  • Select “Course Catalog” from the navigation bar on the left
  • Search for “HIPAA” and select the course

The new HIPAA rules make the following primary changes. They:

  • Prohibit the use or disclosure of PHI in particular circumstances where reproductive health care is legally sought, obtained, provided, or facilitated.
  • Require a health plan (or its business associates) to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for prohibited purposes.
  • Require health plans to modify their notice of privacy practices to support reproductive health care privacy.

From a health plan perspective, most PHI related to reproductive health care will remain in the hands of third-party administrators and insurance carriers. However, the new rules will require action on the part of employers with self-funded group health plans (or insured plans with access to PHI) by Dec. 22, 2024. In particular, employers will need to:

  • Conduct HIPAA training to incorporate the new requirements.
  • Revise HIPAA policies and procedures and BAAs.
  • Update & distribute the new Notice of Privacy Practices (by February 16, 2026).
  • Develop an attestation form.

Note: Many employers with fully insured health plans are not required to maintain or distribute their own privacy notice, as this responsibility is primarily imposed on the health insurance issuer. However, fully insured health plans with access to PHI (other than enrollment and summary health information) would also have to comply with the above obligations.

In addition, HHS provides model privacy notices for health care providers and health plans to use. It is expected that HHS will update its model notices to incorporate the new requirements for 2026. However, at this time, new model notices have not yet been issued.

https://www.hhs.gov/sites/default/files/model-attestation.pdf


Attestations for Gag Clause Prohibition Compliance
Due to CMS by December 31, 2024

The Departments issued joint FAQ guidance related to compliance with the prohibition of “gag clauses” as required under the Consolidated Appropriations Act of 2021 (CAA). Specifically, the rules require plans and issuers to submit a compliance attestation no later than December 31, 2024, and annually by December 31st of each year.


WHO THIS APPLIES TO:

  • Large employers with fully-insured and self-funded health plans
  • Small employers with fully-insured and level-funded health plans

What is a gag clause and what is prohibited?

The CAA prohibits group health plans and insurance carriers from entering into agreements with providers, TPAs, or other service providers whose agreements include language that would constitute a “gag clause,” specifically:

  1. Restrictions on the disclosure of provider-specific cost or quality of care information or data to referring providers, the employer plan sponsor, participants, beneficiaries, or enrollees, or individuals eligible to become participants, beneficiaries, or enrollees of the plan or coverage.
  2. Restrictions on electronic access to de-identified claims and encounter information or data for each participant, beneficiary, or enrollee upon request and consistent with the privacy regulations promulgated pursuant to section 246(c) of HIPAA, GINA, and the ADA.
  3. Restrictions on sharing information or data described in (1) and (2), or directing that such information or data be shared, with a business associate, as defined in 45 CFR 160.103, consistent with applicable privacy regulations.

For example, if a contract between a TPA and a group health plan states that the plan will pay providers at rates designated as “Point of Service Rates,” but the TPA considers those rates to be proprietary and therefore includes language in the contract stating that the plan may not disclose the rates to participants, that language prohibiting disclosure would be considered a prohibited gag clause (would not be allowed).


GO DEEPER:
https://www.cms.gov/files/document/aca-part-57.pdf