HHS Issues Post-Dobbs HIPAA Privacy Guidance for Employer Health Plans, Other Covered Entities

Baker Donelson

Baker Donelson

In the wake of the Supreme Court's decision in Dobbs v. Jackson Women's Health Organization and the evolving legal patchwork now confronting both patients accessing reproductive health care and their health care providers, the U.S. Department of Health and Human Services' Office for Civil Rights issued guidance on June 29, 2022 regarding the disclosure of both HIPAA- and non-HIPAA-covered health information and data. The HIPAA Privacy Rule governs the disclosure of protected health information (PHI) by health plans, health care clearinghouses, and most health care providers (Covered Entities). The Guidance attempts to clarify the rights and obligations of Covered Entities that may be presented with local or state laws, or even legal process, that demands access to reproductive health care PHI for purposes of prosecuting persons for violating state laws restricting access to reproductive health care.

The Guidance specifically discusses three scenarios:

  • Disclosures required by law;
  • Disclosures for law enforcement purposes; and
  • Disclosures to avert a serious threat to health or safety

In all three situations, the Guidance explains that the Privacy Rule permits but does not require a Covered Entity to disclose PHI pursuant to an applicable law or pursuant to legal process. All HIPAA Covered Entities and their "business associates" must revisit their policies and procedures and make sure they are prepared for requests in the next few weeks.

Whether a local or state law or legal process is sufficient to permit the disclosure of PHI can involve a complex legal and fact-specific analysis. Covered Entities and their business associates who may be concerned about their obligations to disclose information concerning reproductive health care should seek legal advice. Employer-sponsored health plans, in particular, are Covered Entities under HIPAA and should take steps to ensure compliance with the Privacy Rule.

The same issues and considerations apply for those organizations operating in the e-health and wellness space. The complexities of the ways in which apps communicate with other apps and systems require a robust understanding of the privacy controls that must be implemented. Digital health and wellness organizations must be prepared for inquiries, as they are likely to receive as many, if not more, requests for information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising

Written by:

Baker Donelson

Baker Donelson on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.