As a result of the Supreme Court’s decision in the Dobbs case (Dobbs v. Jackson Women's Health Organization), many employers, employees, and health care providers have questions concerning a patient’s right to privacy. Access to comprehensive reproductive health care services, including abortion services, is essential to individual health and well-being. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule supports such access by giving individuals confidence that their protected health information (PHI), including information relating to abortion services, will be kept private.
The Office for Civil Rights (OCR) establishes requirements with respect to the use, disclosure, and protection of PHI by covered entities (health plans, health care clearinghouses, and most health care providers) as well as their business associates. These entities can use or disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.
There are certain scenarios in which PHI may be disclosed to law enforcement agencies. Because an individual’s privacy stays at the forefront, the guidance regarding such disclosures is narrow in focus.
- Disclosures Required by Law: The Privacy Rule permits but does not require covered entities to disclose PHI about an individual, without the individual’s authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law. The permission to disclose PHI as “required by law” is limited to a mandate contained in law that compels an entity to make a disclosure of PHI and that is enforceable in a court of law. Where a disclosure is required by law, the disclosure is limited only to the relevant requirements. Disclosures of PHI that do not meet the “required by law” definition in the HIPAA Rules, or that exceed what is required by such law, are not permissible.
Example: An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion services after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission.
- Disclosures for Law Enforcement Purposes: The Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes “pursuant to process and as otherwise required by law”, under certain conditions. A covered entity may respond to a law enforcement request made through a court order, court-ordered warrant, a subpoena, or summons, by disclosing only the requested PHI, provided that all of the conditions specified in the Privacy Rule for permissible law enforcement disclosures are adhered to. The Privacy Rule’s permission to disclose PHI for law enforcement purposes does not allow for a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care. That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement.
Examples:
- A law enforcement official goes to a reproductive health care clinic and requests records of abortion services performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. That disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
- A law enforcement official presents a reproductive health care clinic with a court order requiring the clinic to produce PHI about an individual who has obtained abortion services. Because a court order is enforceable, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.
- Disclosures to Avert a Serious Threat to Health or Safety: The Privacy Rule permits but does not require a covered entity to disclose PHI if the covered entity, in good faith, believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
Example: A pregnant individual in a state that bans abortion services informs their health care provider that they intend to seek out abortion services in another state where it is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion services from taking place. The Privacy Rule would not permit this disclosure of PHI to law enforcement for these reasons:
- A statement indicating an individual’s intent to utilize legal abortion services, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health or safety of a person or the public.”
- It generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient–physician relationship and may increase the risk of harm to the individual.
As recently as July 7, 2022, a couple of senators sent a letter to HHS requesting an update of the HIPAA Privacy Rule. The goal is to seek clarification as to the definition of a “covered entity” and to limit the information shared by that entity.
We strongly recommend that any covered entity looking to disclose any information seek legal counsel.