associate agreement for example. Because self-insured health plan sponsors are responsible for HIPAA privacy compliance, the revised Part 2 regulations may need to be addressed in the HIPAA policies and procedures due to the revised interaction between Part 2 and the HIPAA privacy rules. The NPP also will need to be updated as well. Last, conservative health plan sponsors will want to address the Part 2 regulations in their health plan HIPAA privacy plan document language. This is because technically the sponsor could obtain the records as part of plan administration. So, a blanket statement that a health plan sponsor does not maintain or create any records that are subject to Part 2 should be sufficient to indicate that Part 2 should not apply to a self-insured sponsor, as it relates to HIPAA plan administration.HIPAA Proposed Regulations regarding Reproductive Health CareIn April 2023, OCR issued HIPAA privacy proposed regulations to strengthen reproductive health care privacy. See, 88 Fed Reg 23506 (April 17, 2023). These proposed regulations were issued in response to the United States Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, which pushed the purview of abortion regulation back to each individual state. These regulations should also be finalized in early 2024.Health Breach Notification Rule Proposed RegulationsThe FTC recently issued proposed regulations to the health breach notification rule (“HBNR”), including a proposal to clarify the HBNR application to health applications and similar technologies. See, 88 Fed Reg 37819 (June 9, 2023). As background, the HBNR requires vendors of personal health records (“PHR”) and related entities that are not covered by the HIPAA privacy rules to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to vendors of PHRs and PHR-related entities to provide notification to such vendors and PHR-related entities followi
the notice under a clear and conspicuous header.Creation of a centralized platform that provides education on reproductive care and related privacy rights. The Letter calls for OCR to emphasize patient education through the establishment of a nationally available, online platform, that would outline information on reproductive health care and related privacy rights.As the Proposed Rule is not final, providers, payors, and other HIPAA-regulated entities should be attentive to ongoing developments as they will almost certainly impact day-to-day compliance operations. We will continue to monitor and provide updates to keep you informed about new developments.FOOTNOTES Specifically, the State Attorneys General represented Arizona, California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New York, New Mexico, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, Washington, Wisconsin, and Washington D.C. 88 Fed. Reg. 23506, et seq. 88 Fed. Reg. 23519. 88 Fed. Reg. 23522. Letter, at pp. 7-8. Letter, at p. 8. Letter, at pp. 8-9. Letter, at p. 9.Id. 88 Fed. Reg. 23522. Letter, at p. 10.Id. (citing 88 Fed. Reg. 23552-53) 88 Fed. Reg. 23532-33. Letter, at p. 10. Letter, at p. 12.Id.Id. Letter, at pp. 12-15. 88 Fed. Reg. 23553. Letter, at p. 15. Letter, at p. 17. Letter, at p. 18. Letter, at p. 19.