News Archive

"[C]overed entities and business associates do not need to update HIPAA policies and procedures, risk assessments, business associate agreements, and training for the 2024 Privacy Rule. Covered entities and business associates who took actions to comply with the 2024 Privacy Rule before the nationwide injunction was issued should consult legal counsel regarding further actions."  MORE >>

"If the rule is finalized as proposed, it would mean a radical shift in how the security rule is applied -- moving away from a flexible approach to account for the various types of regulated entities to a more rigid approach with some prescriptive, strict security requirements that could be difficult to fulfill.... [R]egulated entities might not have as much time as they desire from the final rule's publication date to come into compliance -- if finalized as proposed, entities would have just 240 days."  MORE >>

"Compliance with HIPAA is not just about avoiding penalties; it's about demonstrating a commitment to safeguarding data. Organizations must ensure their policies are current and comprehensive, covering all aspects of privacy, security, and breach notification rules. This proactive approach helps prevent incidents and shows regulators that the organization is serious about compliance."  MORE >>

25 pages. Topics: [1] Legislative and regulatory update; [2] Litigation update; [3] HIPAA top 10 current issues; [4] HIPAA deep dive: Recurring issues; [5] Compliance issues: GLP-1s and disease management.  MORE >>

"Despite vacating provisions in the regulations relating to reproductive health care information, the Purl ruling kept intact regulations at 42 CFR part 2, relating to the protection of SUD Records. This means that, effective February 16, 2026, group health plans must update their policies and Privacy Notices to reflect the stringent protections applicable to certain SUD records[.]"  MORE >>

"The federal Reproductive Health Care Privacy Protections are no longer in effect. Covered entities are no longer required to include them in their HIPAA policies and procedures. Covered entities and business associates are no longer required to comply with the related attestation requirements.... [T]he NPP requirements regarding the use and disclosure of Part 2 records remain in effect."  MORE >>

"HHS's decision not to appeal Purl ... does not relieve HIPAA regulated entities from their obligations to protect reproductive health care information. HIPAA regulated entities must still ensure that their existing HIPAA policies and procedures adequately protect PHI, including reproductive health care information, even though the protections that were in the Rule are now defunct."  MORE >>

"Covered entities, including group health plans, must continue to comply with the HIPAA privacy and security requirements that were in place before the 2024 final rule took effect. However, any updates to policies and procedures that specifically address the final rule on reproductive healthcare should not be followed, particularly in response to law enforcement activity."  MORE >>

"The Office for Civil Rights (OCR) at [HHS] released updated FAQ guidance on individuals' rights to access their protected health information (PHI) from their healthcare providers and health plans. An additional FAQ was issued on the disclosure of PHI to value-based care arrangements, such as accountable care organizations, without the individual's authorization."  MORE >>

"The deadline has passed for the Trump Administration to appeal the district court decision vacating the HIPAA Privacy Rule to Support Reproductive Health Care that went into effect at the end of 2024.... As a result, many group health plan sponsors will still need to revise their plan's HIPAA Notice of Privacy Practices ... [T]his 'how‑to guide' [provides] a brief overview of the Privacy Notice requirements for health plan sponsors seeking to comply with their obligations under the HIPAA Privacy Rule."  MORE >>

"[HHS] released an updated version of the Security Risk Assessment Tool (SRA Tool), which is an easy-to-use interactive application that covered entities and business associates can use to create the required security risk assessment.... Employer plan sponsors of group health plans can partner with their internal IT teams to create the required 'security risk assessment' using the SRA Tool -- and significantly reduce their exposure to potential fines and penalties[.]"  MORE >>

"Plan sponsors can take the following steps ... [1] Review service provider agreements.... [2] Audit cybersecurity program documents.... [3] Conduct cybersecurity training.... [4] Evaluate cybersecurity insurance policies.... [5] Review cybersecurity capabilities in the RFP process."  MORE >>

"[The district court] decision significantly changes the HIPAA landscape by eliminating compliance obligations related to reproductive health, such as policies, procedures, attestation forms, and training. However, health care providers and organizations must continue to comply with HIPAA's Privacy Rule regarding the privacy of protected health information (PHI) and heed state laws that may provide enhanced privacy for this specific category of health information." [Purl v. HHS, No. 24-0228 (N.D. Tex. Jun. 18, 2025)]  MORE >>

"The answer depends upon where the information came from, who has it now, and why they have it. The privacy rules only apply to 'covered entities' -- that is, health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with any of the transactions covered by the HIPAA administrative simplification regulations.... [I]nformation that an employer uses or discloses in performing plan administration functions is affected by the privacy rules."  MORE >>

"[T]he IRS issued Revenue Procedure 2025-25, announcing the 2026 indexed contribution percentage amount for determining the affordability of an Applicable Large Employer's plan under the [ACA]. The IRS also announced the 2026 inflationary adjustment to the employer shared responsibility payment amounts a few days later. Employers should be aware of the significant increase in both the affordability percentage and the employer shared responsibility payment amounts for 2026."  MORE >>

"As a result of the court's ruling, it appears that plans are no longer required, and may not be permitted, to apply the presumption of lawfulness or to obtain an attestation before disclosing PHI related to reproductive healthcare in response to criminal, civil or administrative investigations. Further, no updates would be required to plans' HIPAA privacy policies, notices of privacy practices and business associate agreements to reflect the disclosure restrictions with respect to reproductive healthcare PHI." [Purl v. HHS, No. 24-0228 (N.D. Tex. Jun. 18, 2025)]  MORE >>

"Covered entities that have already updated their [Notices of Privacy Practices (NPPs)] to incorporate the 2024 rule's reproductive health provisions should now remove those disclosures and revert to the prior NPP language. The district court's decision likely constitutes a 'material change' under HIPAA and triggers a requirement to redistribute the revised NPP within 60 days.... All other NPP modifications contained in the 2024 rule unrelated to reproductive health remain in effect, and covered entities must comply with these by the February 2026 deadline." [Purl v. HHS, No. 24-0228 (N.D. Tex. Jun. 18, 2025)]  MORE >>

"The settlement involved a ransomware attack that affected the electronic protected health information (ePHI) of nearly 24,900 individuals. The CE/health provider must pay $250,000 and comply with a two-year corrective action plan."  MORE >>

"This decision only impacts the changes to the Privacy Rule related to Reproductive Health Care Privacy Protections included in the Final Rule. It does not impact Covered Entities' or Business Associates' other obligations under the HIPAA privacy and security rules, nor does it impact any state law protections that may limit the disclosure of this information, which vary from state to state."  [Purl v. HHS, No. 24-0228 (N.D. Tex. Jun. 18, 2025)]  MORE >>

"Next steps for covered entities: [1] Update HIPAA policies and procedures.... [2] Update HIPAA training.... [3] Eliminate attestation requirement.... [4] Revise business associate agreements.... [5] Revise Notice of Privacy Practices.... [6] Coordinating with third party administrators." [Purl v. HHS, No. 24-0228 (N.D. Tex. Jun. 18, 2025)]   MORE >>

"[T]he Supreme Court's recent decision in Trump v. CASA, Inc., which invalidated nationwide injunctions related to certain Executive Orders, likely would [not] apply here because ... the Purl decision vacated the rule under section 706(2) of the Administrative Procedure Act. However, these decisions are new -- and the political landscape is fluid[.]" [Purl v. HHS, No. 24-0228 (N.D. Tex. Jun. 18, 2025)]  MORE >>

"Employers were previously required to revise their HIPAA policies, procedures, and training materials as of Dec. 22, 2024, to account for the new category of prohibited use or disclosure of Protected Health Information. Those changes should now be undone, reverting to the pre-2024 requirements." [Purl v. HHS, No. 24-0228 (N.D. Tex. Jun. 18, 2025)]  MORE >>

"The checklist covers 15 best-practice compliance to-dos, organized into six key categories: [1] HIPAA/HITECH risk assessment; [2] Policies, procedures and business associate agreements; [3] Staff training; [4] Processes to detect and report PHI data breaches; [5] Business associate monitoring; [6] System access control and activity reviews."  MORE >>

"The ruling ... essentially eliminates the enhanced federal privacy protection for reproductive health care information.... [C]ertain regulated entities are still required to comply with applicable state privacy and consumer laws regarding the disclosure of reproductive health care information." [Purl v. HHS, No. 24-0228 (N.D. Tex. Jun. 18, 2025)]  MORE >>

"PHI generally can be disclosed directly by one business associate to another business associate of the same covered entity without having to use the covered entity as a conduit or intermediary, so long as certain conditions are met."  MORE >>