HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

New benefits law may affect HIPAA compliance systems

Written by Caitlin Anthoney | Jul 16, 2025 6:37:15 PM

On July 4, 2025, the One Big Beautiful Bill Act (OBBBA) was enacted, introducing major changes to employer-sponsored benefits, including telehealth, HSAs, DCFSAs, and executive compensation. While OBBBA doesn’t modify HIPAA directly, it may affect how organizations handle employee health data and protected health information (PHI).


What happened

The One Big Beautiful Bill Act of 2025 (OBBBA), signed into law on July 4, 2025, introduces changes to employer-provided benefits. These include:

  • High-Deductible Health Plans (HDHPs): Starting in 2025, HDHPs must provide first-dollar coverage of most telehealth services, even those not tied to preventive care, before employees meet their deductibles.
  • Health Savings Accounts (HSAs): As of January 1, 2026, employees enrolled in direct primary care arrangements are eligible to contribute to HSAs. Fees up to $150/month for an individual or $300/month for a family are now reimbursable and indexed for inflation.
  • Dependent care FSAs: The annual contribution limit increases to $7,500 (from $5,000), starting in 2026. This amount is not indexed for inflation.
  • Fringe benefits: Bicycle commuting reimbursements and most moving expense exclusions will no longer be tax-free after 2025.
  • Executive compensation: Tax-exempt organizations must include all compensation earned across controlled groups, and all highly compensated employees (HCEs) are now subject to the excess compensation excise tax.


Going deeper

While the OBBBA does not directly amend HIPAA, several provisions may interact with PHI:

  • Telehealth coverage expansion will likely increase the volume of digital health communications. If employers use email to coordinate these services or to communicate benefit changes, they must use HIPAA-compliant solutions, like Paubox.
  • Direct primary care eligibility for HSAs may lead employers to collect more health-related information. If these arrangements are handled through third-party platforms, those systems should be assessed for HIPAA compliance.
  • System updates to payroll, benefits, or HR platforms in response to OBBBA may involve handling PHI or sensitive personal data, requiring secure administrative and technical safeguards.

Read also: Should employee assistance programs (EAPs) be HIPAA compliant?


Why it matters

Employers and healthcare organizations must understand how benefits modernization may affect data privacy practices. More specifically, as more services move online, the systems used to manage them must align with HIPAA standards.

Additionally, administrative teams updating reimbursement or FSA records should avoid accidental disclosures or insecure communication channels. These areas are frequently scrutinized in HIPAA enforcement actions.


The bottom line

The One Big Beautiful Bill Act may require organizations to revisit both their benefits infrastructure and their HIPAA compliance posture. Providers must double-check their systems for secure data handling and communication to avoid costly privacy lapses during this transition.

Related: HIPAA Compliant Email: The Definitive Guide


FAQs

Does OBBBA change HIPAA law?

No. OBBBA doesn’t change HIPAA directly, but some of its provisions (e.g., expanded telehealth) require HIPAA-compliant communication solutions.


Can employers email employees about new benefits?

Yes, but if those communications include protected health information (PHI), they must be sent through HIPAA-compliant email systems like Paubox.


What kind of data is considered PHI?

Names, diagnoses, treatments, medical conditions, and any health information tied to an individual’s identity are considered PHI.