On June 29, in response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, the U.S. Department of Health & Human Services Office for Civil Rights (HHS OCR) issued guidance on when entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are permitted to share protected health information (PHI) without a patient’s authorization. HHS OCR focused specifically on disclosures required by law, disclosures for law enforcement purposes and disclosures to avert a serious threat to health or safety – among the few disclosures HIPAA expressly permits without first obtaining patient consent – likely in response to concerns that providers would be required to disclose patients’ impending or recent pregnancy terminations (spontaneous or otherwise) to law enforcement in states where abortions are banned or significantly restricted.
Key Takeaway: The guidance highlights the permissive – rather than compulsory – nature of 45 CFR § 164.512, reminding providers that the section does not require the disclosure of PHI to the third parties identified therein.
45 CFR § 164.512 identifies nine scenarios in which HIPAA-covered entities and business associates can disclose PHI without a patient’s authorization. See 45 CFR § 164.512 (“A covered entity may use or disclose protected health information without the written authorization of the individual … or the opportunity for the individual to agree or object … in the situations covered by this section … .”) (emphasis added).
Disclosures Required by Law
45 CFR § 164.512(a) permits the use and disclosure of PHI if required by law. 45 CFR § 164.103 defines “required by law” as “a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law.” Mandates include court orders; court-ordered warrants; subpoenas or summons issued by a court, a grand jury, an inspector general or an administrative body; and civil or authorized investigative demands. 45 CFR § 164.103. If an entity is served with such a mandate, Subsection 512 requires that the disclosure “complies with and is limited to the relevant requirements of such law.” 45 CFR § 164.512(a)(1).
The guidance reminds entities that “disclosures of PHI that do not meet the ‘required by law’ definition in the HIPAA Rules, or that exceed what is required by such law, do not qualify as permissible disclosures.”
As an example, the guidance provides the following scenario:
An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected (emphasis in original).
While helpful, this still leaves open the question some providers may have: If the disclosure meets the definition of “required by law” and it cannot be argued that HIPAA prevents such a disclosure, are there any other grounds to refuse to produce abortion records? That will depend on individual state laws.
Disclosures for Law Enforcement Purposes
Subsection 512(f) permits a covered entity to disclose PHI for law enforcement purposes if certain conditions are met. Summarily, the conditions permitting disclosure are:
- Pursuant to legal process or as otherwise required by law and 1) the information sought is relevant, 2) the information sought is specific and limited in scope, and 3) deidentified data could not reasonably be used.
- In response to a law enforcement official’s request for the purpose of identifying a suspect, witness or missing person. While the categories of information that can be released are limited, “type of injury” and “date and time of treatment” are included as PHI that can be released.
- In response to a law enforcement official’s request for the purpose of providing information about an individual who is the victim of a crime. If the individual is unable to provide consent, then the disclosure must be in the best interest of the patient, as determined by the provider, and cannot be used against the patient.
- To law enforcement, if the patient is deceased, for the purpose of alerting law enforcement to the patient’s death because the covered entity suspects the death may have resulted from criminal conduct.
- To law enforcement if the covered entity believes that the PHI disclosed constitutes evidence of criminal conduct occurring on the premises of the covered entity.
- To law enforcement if the disclosure of PHI is necessary to alert law enforcement to the commission and nature of a crime, the location of the crime and/or victims thereof, and the identity, description or location of the perpetrator.
The guidance confirms that, in the absence of a mandate (as discussed above) requiring disclosure, “the Privacy Rule permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care” (emphasis added). In other words, unless a state’s abortion laws require disclosure to law enforcement of a woman’s abortion, a workforce member voluntarily disclosing such information to law enforcement is not within the permissible uses and disclosures itemized in Subsection 512.
The guidance provided the following examples:
- A law enforcement official goes to a reproductive healthcare clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
- A law enforcement official presents a reproductive healthcare clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.
Given the current administration’s vehement opposition to Dobbs, we may see HIPAA’s individual criminal liability section leveraged to punish such voluntary disclosures by workforce members. See 42 U.S.C. § 1320d-6(a) (making it a federal criminal offense to knowingly and in violation of HIPAA disclose PHI to a third party); and see 42 U.S.C. § 1320d-6 (setting out penalties of imprisonment ranging from not more than one to not more than 10 years, and fines ranging from not more than $50,000 to not more than $250,000).
Disclosures to Avert a Serious Threat to Health or Safety
Subsection 512(j) permits a covered entity to disclose PHI, “consistent with applicable law and standards of ethical conduct,” if the covered entity has a good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is made to someone who can prevent or lessen the threat. The guidance states, “According to major professional societies, including the American Medical Association and American College of Obstetricians and Gynecologists, it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.” See guidance, footnote 22, for citations.
The guidance provided the following example:
- A pregnant individual in a state that bans abortion informs their healthcare provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. However, the Privacy Rule would not permit this disclosure of PHI to law enforcement under this [Subsection 512(j)] for several reasons, including:
  - A statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy or other complications related to or involving a pregnancy, does not qualify as a “serious and imminent threat to the health or safety of a person or the public.”
  - It generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient–physician relationship and may increase the risk of harm to the individual.
  Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
Entities in states that have enacted or will be enacting bans on abortion services should reiterate to their workforce members that voluntarily disclosing PHI to law enforcement could violate the Privacy Rule and result in criminal prosecution of the workforce member. BakerHostetler is supporting clients through these considerations.