On June 29, 2022, the Office for Civil Rights (“OCR”) in the U.S. Department of Health & Human Services (“HHS”) released a notice and guidance on the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the protection of patient information relating to reproductive health care (the “Notice”). The Notice also describes example situations involving protected health information (“PHI”) related to reproductive health care and the applicability of 45 CFR Part 164, Subpart E (the “Privacy Rule”).
Background
The Notice is intended to address questions that health care providers may have regarding the use and disclosure of PHI under HIPAA in light of the recent decision by the Supreme Court of the United States in Dobbs v. Jackson Women’s Health. The Court in Dobbs, overturning the landmark decision in Roe v. Wade, held that there is no federal constitutional right to an abortion and returned the regulation of abortion and related issues to the purview of the states. While several state law decisions are pending, the Notice seeks to clarify a health care provider’s obligations to protect PHI under the Privacy Rule by providing examples of situations where the provider may (or may not) be subject to certain state law requirements, including where a provider suspects a patient induced an abortion, where patient information is requested by law enforcement and where a patient expresses intent to seek an abortion or other reproductive health care in a different state where such care is legal.
HHS Guidance on Disclosures of Information Relating to Reproductive Health Care
Below is a high-level summary of the guidance contained in the Notice.
Required By Law
If state law does not include an express mandate that a health care provider report an individual seeking illegal reproductive health care, the disclosure is not considered required by law and the Privacy Rule does not permit the disclosure of PHI.
In the Notice, OCR affirms that the Privacy Rule permits, but does not require, a health care provider to disclose PHI about an individual when such disclosure is required by another law and the disclosure complies with and does not exceed the requirements of that law. OCR emphasizes the ability to disclose PHI as required by law is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” Additionally, any disclosure for such purpose must be limited to the relevant requirements of such law.
Law Enforcement Purposes
Absent a legal order or specific mandate in state law, the Privacy Rule does not permit the disclosure of PHI related to reproductive health care in response to a request from law enforcement.
The Privacy Rule permits, but does not require, a health care provider to disclose PHI about an individual to law enforcement “pursuant to process and as otherwise required by law,” which would include, to the extent consistent with state law, court orders, subpoenas, summons or other legal process, provided that the disclosure is limited to only the PHI requested. In the Notice, OCR emphasizes the Privacy Rule does not permit disclosure of PHI for law enforcement purposes where the health care provider chooses to report an individual’s abortion or other reproductive health care absent a mandate enforceable in a court of law.
OCR further noted that the Privacy Rule will not permit disclosure of PHI related to reproductive health care to a public health authority or other government authority authorized to receive reports of child abuse or neglect because existing state laws generally do not penalize pregnant individuals for the loss of a pregnancy.
To Avert a Serious Threat to Health or Safety
OCR’s stance is that a statement by an individual indicating an intent to seek legal reproductive health care, including an abortion, is not considered a serious and imminent threat to the health or safety of a person or the public under HIPAA, and therefore, disclosing the PHI of such an individual for such purpose would be impermissible under the Privacy Rule.
The Privacy Rule permits but does not require a health care provider, consistent with applicable law and standards of ethical conduct, to disclose PHI if the provider, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to an individual who is reasonably able to prevent or lessen the threat. In the Notice, OCR cites the position of the American Medical Association and the American College of Obstetricians and Gynecologists that it would be inconsistent with professional standards of ethical conduct to disclose PHI to law enforcement or others regarding an individual’s interests, intent or prior experience with reproductive health care.
Practical Takeaways
- The Notice clarifies that the Privacy Rule permits, but does not require, disclosure of PHI about an individual’s reproductive health care where such disclosure is required by law, for law enforcement purposes, or to prevent or lessen a serious threat to health or safety.
- The Notice emphasizes that providers should be cautious and ensure that all relevant requirements of such regulations under HIPAA are fully satisfied prior to making any permitted disclosure or the resulting disclosure could constitute a reportable breach.
- Providers should review their policies and procedures related to the HIPAA regulations cited above to confirm consistency and ensure that all employees are fully trained regarding the ability to make a disclosure or obligation to decline making a disclosure of information related to an individual’s reproductive health care.
- The Notice is limited to the requirements and enforcement of obligations under the Privacy Rule. The Notice is not binding and does not have the force and effect of law.
- Providers should be cautious of the risks of potentially violating other state and federal laws that might require disclosure, including the Information Blocking Rule, if providers choose not to disclose information relating to an individual’s reproductive health care. Notably, as state laws in this area evolve, the applicability and preemption analysis with respect to HIPAA’s requirements could change as well.
For more information, please contact:
- Charise Frazier at (317) 977-1406 or cfrazier@wp.hallrender.com;
- Stephane Fabus at (414) 721-0904 or sfabus@wp.hallrender.com;
- Emily Beukema at (248) 457-7882 or ebeukema@wp.hallrender.com; or
- Your primary Hall Render contact.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.
