On June 24, 2022, the United States Supreme Court issued its decision in Dobbs v. Jackson Women's Health Organization,¹ opening a legal path to state laws restricting or prohibiting access to certain reproductive health services. To enforce these laws, law enforcement officials may attempt to access individuals' health information, including from technology platforms that process health information on behalf of individuals or other businesses.

In response to Dobbs, President Biden issued an Executive Order on Protecting Access to Reproductive Health Services. Among other things, the Executive Order² called on the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) to undertake initiatives to protect the privacy of individuals seeking reproductive health services. This advisory discusses guidance issued by HHS for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA),³ as well as FTC initiatives in this area that would address privacy practices of non-HIPAA covered entities.

When Do HIPAA and the FTC Act Apply?

Understanding when health information is protected by HIPAA or the FTC Act (among other laws) is a threshold issue for organizations to determine their legal obligations and restrictions with respect to providing health-related information to the government.

HIPAA does not protect all health-related personal information, but rather protects only information that is created, received, maintained, or transmitted by "covered entities" or their "business associates." Covered entities are defined as healthcare providers (who engage in a standard transaction electronically, such as submitting a claim for reimbursement to a payor), health plans, and healthcare clearinghouses (specialized entities that process nonstandard health information). Business associates are covered entities' service providers. Because HIPAA's jurisdiction attaches based on an entity's status as a covered entity or business associate, and not to the information itself, health information could be covered by HIPAA in one scenario (e.g., where a hospital maintains a medical record), and the same information will not be covered by HIPAA in another scenario (e.g., where a medical record is input by an individual into a personal health app). Whether HIPAA applies does not turn on the degree of perceived sensitivity of the health information.

The FTC, while not responsible for enforcing HIPAA, plays a large role in regulating the privacy and data security practices of organizations that collect health information. The FTC Act is the primary federal statute used by the FTC to bring enforcement actions regarding an organization's privacy and security practices related to health information that is not covered by HIPAA. The FTC uses its authority under Section 5 of the FTC Act to bring enforcement actions where it believes an organization has: made false or misleading statements about the organization's privacy or data security procedures; engaged in a practice that caused substantial injury to consumers; or that failed to employ reasonable security measures. It also enforces, as may be relevant here, the Health Breach Notification Rule.⁴

Organizations that receive requests for health information from state officials or other law enforcement agencies should be aware that even if HIPAA or the FTC Act permit the disclosure of certain health information, other privacy laws—such as the Electronic Communication Privacy Act (ECPA)—may place additional restrictions on the organization's disclosure of this information. In addition, various state laws regulate health information, and HIPAA does not preempt state law that is more restrictive or protective of uses or disclosures of health information.

OCR Guidance: HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Healthcare

In the weeks following the Supreme Court's decision, HHS voiced its intent to marshal existing regulations and resources to "take action to protect access to sexual and reproductive health care, including abortion, pregnancy complications, and other related care."⁵ Specifically, HHS' Office for Civil Rights (OCR) concurrently issued two separate privacy-focused guidance documents. In one of the guidance documents, OCR spoke directly to individuals about HIPAA's limitations in protecting their health information, and encouraged consumers to take steps to safeguard their data when using smartphones, tablets, and other devices for personal use.⁶ This section focuses on the other guidance document, in which OCR advises HIPAA-regulated entities on when they may (and may not) disclose protected health information (PHI) to state officials or law enforcement entities (referred to here as the "OCR Guidance").⁷

HIPAA-regulated entities may only use or disclose PHI as expressly permitted by the Privacy Rule,⁸ unless they obtain a HIPAA authorization from the individual (i.e., a specific document identifying and providing consent for particular uses or disclosures of health information that is executed by the patient). OCR emphasized that while there are instances when PHI may be used and disclosed for purposes unrelated to healthcare, including disclosures required by law, these instances are narrowly tailored and must meet the specific requirements set forth in the Privacy Rule. OCR also underscored that while HIPAA may permit disclosures required by law, HIPAA itself does not require these disclosure—rather, it is the applicable law that compels the disclosure.

The following three instances described in the OCR Guidance advise when covered entities are permitted to disclose PHI when required by law, or to avert serious threat to health and safety, without obtaining the patient's prior authorization.

Disclosures Required by Law

The HIPAA Privacy Rule permits, but does not require, covered entities to disclose PHI without an individual's authorization when another law (i) compels the covered entity to do so, (ii) the request for the PHI is enforceable in a court of law, and (iii) the disclosure of the PHI complies with the requirements of such law.⁹ OCR states it would consider disclosures that do not meet all three elements or exceed the scope of the request to be impermissible and a violation of the Privacy Rule.

HHS Example

• An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during week ten of pregnancy. A hospital workforce member suspects the individual has taken medication to end the pregnancy. State law prohibits abortion after six weeks but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the "required by law" permission, and HHS states that such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.

Disclosures for Law Enforcement Purposes

The Privacy Rule permits, but does not require, covered entities to disclose PHI for law enforcement purposes under certain conditions where the request is "pursuant to process and as otherwise required by law."¹⁰ For example, a covered entity may respond to a request from law enforcement made through a court-ordered warrant, subpoena, or summons by disclosing only the requested PHI. In the absence of a mandate enforceable in a court of law, the Privacy Rule does not permit disclosure of PHI for law enforcement purposes. In the absence of such a mandate, the Privacy Rule does not permit a covered entity (or any member of its workforce) to voluntarily disclose PHI to law enforcement.

HHS Examples

• A law enforcement official goes to a reproductive healthcare clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
• A law enforcement official presents a reproductive healthcare clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.

While the OCR Guidance focuses on "covered entities," business associates appear to be subject to the same permissions and restrictions with respect to disclosing PHI processed on behalf of a covered entity when the disclosure is "required by law." HIPAA permits business associates to use PHI as permitted or required by the business associate agreement and underlying contract, or as required by law. The implication, although not addressed in the OCR Guidance, is that law enforcement could compel a business associate to produce health information if the request is valid under applicable law. There is no provision within HIPAA that would automatically require a business associate to defer such requests to the covered entity who ultimately controls the PHI.

Disclosures to Avert a Serious Threat to Health or Safety

The Privacy Rule permits, but does not require, a covered entity to disclose PHI if the covered entity believes in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, and the disclosure is to a person or persons reasonably able to prevent or mitigate the threat. ¹¹

HHS Example

• A pregnant individual in a state that bans abortion informs their healthcare provider of their intent to seek an abortion in another state where abortion is legal. The provider wants to report this to law enforcement to attempt to prevent the abortion from taking place. HHS considers this an impermissible disclosure of PHI under the Privacy Rule for several reasons, including (i) the intended legal abortion does not qualify as a "serious and imminent threat to the health and safety of a person or the public," and (ii) such disclosure would be inconsistent with professional ethical standards.

FTC Actions

The FTC has also issued guidance related to the topic of protecting the privacy of individuals seeking reproductive services (referred to here as the "FTC Guidance"). The guidance states that the FTC will continue to "vigorously enforce the law" related to misuse of individuals' location, health, and other sensitive data.¹² The strong implication is that the FTC will be looking to bring enforcement actions to protect the privacy of individuals seeking such services, among other actions to protect location and health data. Here are some of the types of actions the FTC may pursue:

• In the FTC Guidance, the FTC takes the position that claims that location data is "anonymous" or "has been anonymized" may be deceptive and violate the FTC Act when untrue. The FTC Guidance points to research that shows that "anonymized" data can often be re-identified, especially in the context of location data, and states that "companies that make false claims about anonymization can expect to hear from the FTC."
• The FTC Guidance suggests that the FTC would consider certain collection, use, and sharing of information that identifies people who visit abortion clinics to be an unfair practice. The FTC Guidance cites a Massachusetts case alleging that the practice of selling such data for targeted advertising would violate state consumer protection laws.
• In terms of other actions the FTC could take to protect the privacy of people seeking information about reproductive services, the agency recently received a letter from U.S. Rep. Anna Eshoo, D-California, and Sen. Ron Wyden, D-Oregon urging investigations and actions against virtual private network providers. The letter notes that individuals are being "increasingly told that installing a VPN is an important step for protecting themselves when seeking information on abortion." VPN providers that make claims about the privacy protective nature of their services could also be in the crosshairs of the FTC.
• Finally, the FTC has undertaken numerous initiatives to promote data minimization. It has brought enforcement actions under the Children's Online Privacy Protection Act (COPPA) alleging that an indefinite data retention period violated the statute's data minimization requirements. Chair Lina Khan announced her intention to focus on the substantive privacy protections in COPPA (as opposed to the notice and consent provisions), including data minimization. Given the FTC's focus on sensitive location and health data in the blog post, the FTC may focus on companies that collect and retain such data expansively.

[1] Dobbs v. Jackson Women's Health Org., 142 S. Ct. 2228 (2022).

[2] Exec. Order No. 14,076, 87 Fed. Reg. 42,053 (July 8, 2022).

[3] Pub. L. 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111–5), and including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

[4] The Health Breach Notification Rule is a rule promulgated by the FTC that applies to entities that maintain, offer, or provide products or services related to personal health records. The Health Breach Notification Rule does not apply to HIPAA-covered entities, or to any other entity to the extent that entity engages in activities as a business associate under HIPAA.

[5] U.S. Dep’t of Health & Hum. Servs., Off. for Civ. Rts., HHS Issues Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe (June 29, 2022), https://www.hhs.gov/about/news/2022/06/29/hhs-issues-guidance-to-protect-patient-privacy-in-wake-of-supreme-court-decision-on-roe.html.

[6] U.S. Dep’t of Health & Hum. Servs., Off. for Civ. Rts., Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.

[7] U.S. Dep’t of Health & Hum. Servs., Off. for Civ. Rts., HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care (June 29, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.

[8] 45 C.F.R. Part 160 and Part 164, Subparts A and E. The Privacy Rule is the part of HIPAA that establishes requirements for the use, disclosure, and protection of PHI by covered entities and, by extension, their business associates.

[9] 45 C.F.R. § 164.512(a); see 45 C.F.R. §§ 164.103, 164.512(e), (f).

[10] 45 C.F.R. § 164.512(f)(1).

[11] 45 C.F.R. § 164.512(j).

[12] Fed. Trade Comm’n, Location, Health, and Other Sensitive Information: FTC Committed to Fully Enforcing the Law Against Illegal Use and Sharing of Highly Sensitive Data (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal-use.