HHS Issues Post-Dobbs HIPAA Privacy Guidance for Employer Health Plans, Other Covered Entities

Baker Donelson

In the wake of the Supreme Court's decision in Dobbs v. Jackson Women's Health Organization and the evolving legal patchwork now confronting both patients accessing reproductive health care and their health care providers, the U.S. Department of Health and Human Services' Office for Civil Rights issued guidance on June 29, 2022, regarding the disclosure of both HIPAA- and non-HIPAA-covered health information and data. The HIPAA Privacy Rule governs the disclosure of protected health information (PHI) by health plans, health care clearinghouses, and most health care providers (Covered Entities). The Guidance attempts to clarify the rights and obligations of Covered Entities that may be presented with local or state laws, or even legal process, that demand access to reproductive health care PHI for purposes of prosecuting persons for violating state laws restricting access to reproductive health care.

The Guidance specifically discusses three scenarios:

  • Disclosures required by law;
  • Disclosures for law enforcement purposes; and
  • Disclosures to avert a serious threat to health or safety.

In all three situations, the Guidance explains that the Privacy Rule permits but does not require a Covered Entity to disclose PHI pursuant to an applicable law or pursuant to legal process. All HIPAA Covered Entities and their "business associates" must revisit their policies and procedures and make sure they are prepared for requests in the next few weeks.

Whether a local or state law or legal process is sufficient to permit the disclosure of PHI can involve a complex legal and fact-specific analysis. Covered Entities and their business associates who may be concerned about their obligations to disclose information concerning reproductive health care should seek legal advice. Employer-sponsored health plans, in particular, are Covered Entities under HIPAA and should take steps to ensure compliance with the Privacy Rule.

The same issues and considerations apply for those organizations operating in the e-health and wellness space. The complexities of the ways in which apps communicate with other apps and systems require a robust understanding of the privacy controls that must be implemented. Digital health and wellness organizations must be prepared for inquiries, as they are likely to receive as many, if not more, requests for information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising

Written by:

Baker Donelson