Following the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, the Department of Health and Human Service (HHS) has issued several pieces of guidance regarding protections for an individual’s access to abortion and other reproductive health care. The first piece of guidance, released on June 29, 2022, addresses when the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allows an unauthorized disclosure of an individual’s protected health information (PHI) relating to abortion and other reproductive health care for non-health care purposes. This could include, for example, a disclosure which is made to a state agency pursuant to state law or law enforcement in a state which restricts abortion access. While the guidance does not break new ground, it provides a helpful framework as to how the Privacy Rule applies in a post-Roe world.
Under the Privacy Rule, covered entities, including health plans and most health care providers, are not permitted to use or disclose an individual’s PHI without the individual’s signed authorization except as expressly permitted or required by the Privacy Rule. The guidance addresses three situations in which an individual’s PHI relating to an abortion may be disclosed without authorization for non-health care purposes. Each of these situations is to be narrowly construed to protect the individual’s privacy and support access to health services.
Disclosures Required by Law
The Privacy Rule allows – but does not require – a covered entity to disclose an individual’s PHI, without authorization, when the disclosure is “Required by Law” and the disclosure complies with the requirements of such law. A disclosure is Required by Law if there is a legal mandate enforceable in court that compels an entity to make a use or disclosure of PHI. This includes, for example, (1) court orders and court-ordered warrants; (2) subpoenas or summons issued by a court, grand jury or an administrative body authorized to require the production of information; (3) a civil or an authorized investigative demand; and (4) statutes or regulations that require the production of information. Any disclosure which is made pursuant to this provision must be limited to that required in order to comply with the applicable law.
Some disclosures which are permitted under the Required by Law exception must meet additional requirements before the disclosure is allowed. For example, disclosures by a covered entity who is not a party to a proceeding in response to a subpoena or discovery request must meet additional requirements before the disclosure is permitted.
The guidance provides the following example:
- An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
Disclosures for Law Enforcement Purposes
The Privacy Rule allows – but does not require – covered entities to disclose PHI about an individual for a law enforcement purposes “pursuant to process and as otherwise required by law”, but only if certain conditions are met. For example, a covered entity may respond to a law enforcement request for PHI which is made through a legal process, such as a court order or court-ordered warrant, or a subpoena or summons provided all of the requirements for law enforcement disclosures are met. In addition, the disclosure must be limited to that which is required for law enforcement purposes.
Under this rule, a hospital or health care provider may not disclose to law enforcement information about an individual’s abortion unless there is an enforceable legal requirement to do so, such as a court-ordered warrant or subpoena. This is true regardless of whether the covered entity initiates the disclosure, or the disclosure is made in response to a law enforcement request. The guidance also notes that the Privacy Rule provisions which allow disclosure of an individual’s PHI to a public health authority or other government authority authorized to receive reports of child abuse or neglect would not apply to disclosures of PHI relating to reproductive health care.
The guidance provides the following examples:
- A law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
- A law enforcement official presents a reproductive health care clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.
Disclosures to Avert a Serious Threat to Health or Safety
The Privacy Rule permits – but does not require – a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the covered entity, in good faith, believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person(s) who are reasonably able to prevent or lessen the threat. The guidance expresses the view that it would be inconsistent with professional standards of ethical conduct for a covered entity to disclose an individual’s interest, intent, or prior experience with reproductive health care to law enforcement
The guidance provides the following example:
- A pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. However, the Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission for several reasons, including:
- A statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health or safety of a person or the public”.
- It generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient–physician relationship and may increase the risk of harm to the individual.
- Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
While the HIPAA Privacy Rule provides some protections with respect to participant PHI relating to abortions and other reproductive health care, it will not prevent states from accessing that information. If various states become more aggressive in their enactment and enforcement of laws which are intended to restrict abortions, the scope of information that can be obtained from health plans and providers will likely end up in the courts, adding it to a long list of legal issues to be addressed. In the interim, employers who are providing travel-related expenses for out-of-state abortions may want to consider steps that they can take to minimize the amount of PHI that it holds relating to those expenses.
