News Archive

"HIPAA requires covered entities to post and provide individuals with a copy of the provider's NPP no later than the first day services are delivered. The NPP must contain the elements, information and statements specified in 45 CFR 164.520 ... By February 16, 2026, covered entities must update their NPP to also address the following: [1] Notice of Rights Concerning Substance Use Disorder Records.... [2] Limits on Use of SUD Records.... [3] Impact of Other Laws.... [4] Fundraising."  MORE >>

"The guidance that enrolling in a [Direct Primary Care Arrangement (DPCA)] will not cause individuals to lose HSA eligibility is helpful. However, questions remain regarding how DPCA offerings can be structured so that their services can be reimbursed from an HSA, and what services may be treated as primary care services. In addition, [Notice 2026-5] provides some flexibility with respect to individuals enrolling in bronze and catastrophic plans off-Exchange or through an ICHRA."  MORE >>

"Many federal laws create mandates that may apply to your group health plan. Here are some to be aware of: [1] [ACA] ... [2] [MHPAEA] ... [3] Women's Health and Cancer Rights Act (WHCRA) ... [4] Newborns' and Mothers' Health Protection Act (NMHPA) ... [5] [FMLA].... [6] [USERRA] ... [7] Medicare Secondary Payer (MSP) ... [8] Medicare Prescription Drug, Improvement, and Modernization Act (MMA) ... [9] Federal laws prohibiting employment discrimination."  MORE >>

"To comply with HIPAA Privacy Regulations, by February 16, 2026, all HIPAA covered entities are required to update their Notice of Privacy Practices (NPP) to address the use and disclosure of substance use disorder (SUD) treatment records that covered entities may receive from a SUD treatment program subject to 42 CFR Part 2 (Part 2 Program). The updates to the NPP are required even if the covered entity itself does not provide SUD services and is not itself considered a Part 2 Program."  MORE >>

"[1] Health legislation in congress ... [2] Transparency regulations ... [3] OBBB act guidance ... [4] NSA guidance ... [5] Mental Health Parity and Addiction Equity Act (MHPAEA) ... [6] Expansion of fertility benefits ... [7] Direct-to-consumer prescription drug programs ... [8] ERISA preemption of state PBM laws ... [9] Fiduciary breach litigation ... 10. HIPAA wellness/tobacco surcharge litigation."  MORE >>

"If passed, HIPRA would extend 'medical-grade' privacy, security, and breach obligations to a wide swath of consumer-focused digital health companies, such as smartwatches, wearables, health and wellness apps, life science companies with patient apps, health plans and hospitals' online tools, retail clinics, data/AI vendors, and employer wellness programs that sit outside traditional (HIPAA) coverage today.... [It] is paramount that digital health companies engage in a more unified, forward-looking privacy and security program now."  MORE >>

"If your company sponsors a self-insured health plan and hires a TPA to handle administrative tasks -- such as processing claims and making payments -- your health plan is still responsible for complying with HIPAA's electronic transaction standards. The electronic transaction standards apply to a range of financial and administrative activities ... Even if a health plan delegates duties to third parties, the health plan remains ultimately responsible for compliance."  MORE >>

"All HIPAA Covered Entities must update their Notice of Privacy Practices (NPP) by February 16, 2026, to address certain uses and disclosures of Part 2 Records. Additionally, all Part 2 programs (including those that are not HIPAA Covered Entities) must make comprehensive changes to their privacy notices by February 16, 2026, to include additional statements."  MORE >>

"Although the part of the 2024 Privacy Rule pertaining to reproductive disclosures was struck down by a Texas court, a portion of the Rule survived. The surviving portion of the regulations requires covered entities to update their HIPAA Notice of Privacy Practices to add provisions on the confidentiality of medical records relating to individuals with substance use disorders (Part 2 Rule) by February 16, 2026."  MORE >>

"This [checklist] describes annual cost-of-living increases and includes a summary table of penalties, percentages, and premiums under the employer shared responsibility requirements of Code Section 4980H."  MORE >>

"The One Big Beautiful Bill Act has agencies working to create new guidance and regulations for telehealth, health savings accounts, and dependent care assistance programs. Ongoing litigation has paused enforcement of Mental Health Parity and Addiction Equity Act rules. Litigation impacts other aspects of health plan administration and design."  MORE >>

"[C]overed entities and business associates do not need to update HIPAA policies and procedures, risk assessments, business associate agreements, and training for the 2024 Privacy Rule. Covered entities and business associates who took actions to comply with the 2024 Privacy Rule before the nationwide injunction was issued should consult legal counsel regarding further actions."  MORE >>

"If the rule is finalized as proposed, it would mean a radical shift in how the security rule is applied -- moving away from a flexible approach to account for the various types of regulated entities to a more rigid approach with some prescriptive, strict security requirements that could be difficult to fulfill.... [R]egulated entities might not have as much time as they desire from the final rule's publication date to come into compliance -- if finalized as proposed, entities would have just 240 days."  MORE >>

"Compliance with HIPAA is not just about avoiding penalties; it's about demonstrating a commitment to safeguarding data. Organizations must ensure their policies are current and comprehensive, covering all aspects of privacy, security, and breach notification rules. This proactive approach helps prevent incidents and shows regulators that the organization is serious about compliance."  MORE >>

25 pages. Topics: [1] Legislative and regulatory update; [2] Litigation update; [3] HIPAA top 10 current issues; [4] HIPAA deep dive: Recurring issues; [5] Compliance issues: GLP-1s and disease management.  MORE >>

"Despite vacating provisions in the regulations relating to reproductive health care information, the Purl ruling kept intact regulations at 42 CFR part 2, relating to the protection of SUD Records. This means that, effective February 16, 2026, group health plans must update their policies and Privacy Notices to reflect the stringent protections applicable to certain SUD records[.]"  MORE >>

"The federal Reproductive Health Care Privacy Protections are no longer in effect. Covered entities are no longer required to include them in their HIPAA policies and procedures. Covered entities and business associates are no longer required to comply with the related attestation requirements.... [T]he NPP requirements regarding the use and disclosure of Part 2 records remain in effect."  MORE >>

"HHS's decision not to appeal Purl ... does not relieve HIPAA regulated entities from their obligations to protect reproductive health care information. HIPAA regulated entities must still ensure that their existing HIPAA policies and procedures adequately protect PHI, including reproductive health care information, even though the protections that were in the Rule are now defunct."  MORE >>

"Covered entities, including group health plans, must continue to comply with the HIPAA privacy and security requirements that were in place before the 2024 final rule took effect. However, any updates to policies and procedures that specifically address the final rule on reproductive healthcare should not be followed, particularly in response to law enforcement activity."  MORE >>

"The Office for Civil Rights (OCR) at [HHS] released updated FAQ guidance on individuals' rights to access their protected health information (PHI) from their healthcare providers and health plans. An additional FAQ was issued on the disclosure of PHI to value-based care arrangements, such as accountable care organizations, without the individual's authorization."  MORE >>

"The deadline has passed for the Trump Administration to appeal the district court decision vacating the HIPAA Privacy Rule to Support Reproductive Health Care that went into effect at the end of 2024.... As a result, many group health plan sponsors will still need to revise their plan's HIPAA Notice of Privacy Practices ... [T]his 'how‑to guide' [provides] a brief overview of the Privacy Notice requirements for health plan sponsors seeking to comply with their obligations under the HIPAA Privacy Rule."  MORE >>

"[HHS] released an updated version of the Security Risk Assessment Tool (SRA Tool), which is an easy-to-use interactive application that covered entities and business associates can use to create the required security risk assessment.... Employer plan sponsors of group health plans can partner with their internal IT teams to create the required 'security risk assessment' using the SRA Tool -- and significantly reduce their exposure to potential fines and penalties[.]"  MORE >>

"Plan sponsors can take the following steps ... [1] Review service provider agreements.... [2] Audit cybersecurity program documents.... [3] Conduct cybersecurity training.... [4] Evaluate cybersecurity insurance policies.... [5] Review cybersecurity capabilities in the RFP process."  MORE >>

"[The district court] decision significantly changes the HIPAA landscape by eliminating compliance obligations related to reproductive health, such as policies, procedures, attestation forms, and training. However, health care providers and organizations must continue to comply with HIPAA's Privacy Rule regarding the privacy of protected health information (PHI) and heed state laws that may provide enhanced privacy for this specific category of health information." [Purl v. HHS, No. 24-0228 (N.D. Tex. Jun. 18, 2025)]  MORE >>

"The answer depends upon where the information came from, who has it now, and why they have it. The privacy rules only apply to 'covered entities' -- that is, health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with any of the transactions covered by the HIPAA administrative simplification regulations.... [I]nformation that an employer uses or discloses in performing plan administration functions is affected by the privacy rules."  MORE >>