2026 Employee Benefits Market Outlook

HIPAA Privacy and Cybersecurity

Employers with self-insured health plans, as well as those with fully insured health plans that have access to protected health information (PHI), may need to update their administrative policies and privacy notices in light of recent HIPAA developments.

In June 2025, a federal district court in Texas invalidated a final rule that had expanded HIPAA's privacy protections for reproductive health care. That rule barred health plans and other regulated entities from using or disclosing PHI related to lawful reproductive health care in certain situations. The court's decision eliminated these protections nationwide, and the Trump administration chose not to appeal, effectively ending HIPAA's special privacy safeguards for reproductive health care for now. While HIPAA's general privacy protections remain in place, employers should review their HIPAA policies and privacy notices and remove any provisions tied to reproductive health care protections.

In addition, employers that maintain HIPAA privacy notices for their health plans should update them for special privacy protections for patient records regarding substance use disorder treatment provided by a federally assisted treatment program (that is, a Part 2 program). The deadline for updating privacy notices for the additional privacy protections for Part 2 program records is Feb. 16, 2026. Employers with self-insured health plans should also distribute their updated privacy notices by this deadline. Note that while self-insured health plans must maintain and provide their own privacy notices, fully insured health plans are not required to maintain or provide privacy notices unless the plan sponsor has access to PHI. In that case, fully insured health plans that have access to PHI must maintain a privacy notice and provide it upon request. It is unclear if HHS will update its model notices to incorporate the new requirements before the compliance deadline.

Employers that handle PHI should also monitor developments related to HIPAA cybersecurity. In early 2025, at the end of the Biden administration, HHS proposed significant updates to the HIPAA Security Rule to strengthen cybersecurity protections for electronic PHI (ePHI). According to HHS, the proposed rule would modernize existing standards to better respond to the growing cybersecurity threats facing the health care industry. It remains uncertain whether the Trump administration will finalize these changes in 2026, although cybersecurity generally has bipartisan support. Employers with self-insured health plans and those with fully insured health plans that have access to ePHI should monitor developments and be prepared to improve safeguards for ePHI if the changes are finalized.

In 2026, employers face a compliance landscape marked by both change and uncertainty. Simplified ACA reporting requirements will ease some administrative burdens, yet potential revisions to federal mental health parity rules and enforcement remain important to watch. Shifts in regulatory priorities under the Trump administration, ongoing benefits-related litigation, and federal budget and staffing changes add further unpredictability. For employers, staying informed and adaptable will be essential to navigating health plan compliance in the year ahead.