District Court Addresses HIPAA Privacy Implications of Kentucky Abortion Law | Practical Law

In post-Dobbs litigation, a district court has addressed the interaction of the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) and a recently enacted Kentucky law banning abortion after 15 weeks (HB 3). Under the court's interpretation of HB 3, it was not necessary to find that the law was HIPAA-preempted.

Practical Law Legal Update w-036-8307 (Approx. 6 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 06 Sep 2022 | USA (National/Federal)
In post-Dobbs litigation, a district court has addressed the interaction of HIPAA's Privacy Rule and a recently enacted Kentucky law banning abortion after 15 weeks (HB 3) (Planned Parenthood Great Nw., Haw., Ak., In., & Ky., Inc. v. Cameron, (W.D. Ky. Sept. 2, 2022)). The Supreme Court's Dobbs decision overruled the federal right to obtain an abortion recognized in Roe v. Wade and Planned Parenthood v. Casey (Dobbs v. Jackson Women's Health Org., 142 S. Ct. 2228 (2022); see Legal Update, Supreme Court's Overruling of Roe v. Wade Raises Health Plan and Employment Implications). As background, HB 3 revised Kentucky's abortion regulations and established additional requirements that include:
  • Rules for abortion-inducing medication.
  • Registration, reporting, and informed consent requirements.
  • Requirements for the disposition of fetal remains.
(For more information on post-Dobbs compliance considerations, see Abortion and Contraceptives Services for Group Health Plans Toolkit.)
After its enactment in March 2022, HB 3 was the subject of a preliminary injunction (issued in May 2022) that prohibited enforcement of certain of its provisions. Kentucky's attorney general sought to lift the preliminary injunction (post-Dobbs), arguing that Kentucky had since revised the forms required for parties to comply with HB 3. The plaintiffs, consisting of the two remaining abortion providers in Kentucky, asserted that the state's updated forms:
  • Still did not comply with HB 3's requirements.
  • Were over-inclusive regarding the information they required and would force the providers, as HIPAA covered entities, to risk violating HIPAA.
The district court's ruling lifted the existing preliminary injunction as to several specific provisions of HB 3.

Interaction of HIPAA Privacy and State-Law Abortion-Related Disclosures

Among other HB 3 provisions, the district court addressed whether the preliminary injunction should be lifted regarding a section of the law requiring health providers to collect demographic and health information before performing an abortion. This provision requires the reporting of at least 19 distinct items, including information about the address at which either:
  • An abortion was performed.
  • An abortion-inducing drug was furnished by a qualified provider.
However, a related exceptions provision states that providers must not include:
  • A patient's name or common identifiers.
  • Any other information or identifiers from which an individual's identity could be discovered.
The section also includes a provision under which providers are subject to civil penalties for failing to submit complete reports.
The providers in the case argued that:
  • Reporting certain information required by the section would put them at risk of violating HIPAA.
  • Not submitting completed forms (on the other hand) could subject them to penalties under HB 3.
Specifically, the providers cited HIPAA Privacy Rule standards requiring them to ensure the confidentiality, integrity, and availability of electronic protected health information (PHI) that a covered entity (CE) (or business associate (BA)) creates, receives, maintains, or transmits (see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule: Overview and Administrative Safeguards).
In addressing the providers' arguments, the court observed that HIPAA's regulations also permit CEs to de-identify PHI by removing information such as names and all geographic subdivisions smaller than a state (for example, street addresses, cities, counties, precincts, zip codes, and geocodes) (45 C.F.R. § 164.514). The court also noted that HIPAA's requirements and implementing standards generally preempt contrary state-law provisions.
Given Kentucky's population demographics and distribution, the court found that a patient's identity could potentially be determined based on information collected and published under HB 3. This would especially be the case, the court reasoned, for members of certain racial minorities who live in one of Kentucky's many zip codes with a population of less than 1,000 (often rural), when combined with other personal (and publicly available) information—for example, previous pregnancies. The court therefore read the exceptions provision as a safeguard to protect individuals from being identified, regardless of the information required under the general demographic and health information disclosure provision. The court expressly found that the exceptions provision allows providers to omit information from their reporting that could be used (including together with publicly available information) to identify their patients. Under this interpretation, the court did not need to hold that HIPAA preempted HB 3's demographic and general disclosure provision.
This reading of HB 3, the court added, could still result in providers incurring liability under the provision requiring submission of complete reports. The court reasoned, for example, that providers might need to omit city or town, county, zip, race, age, or previous live births to avoid violating HIPAA or HB 3's exceptions provision, even if these items were required under the demographic and general disclosure provision.
The court therefore concluded that:
  • Allowing enforcement of the "complete reports" provision would prevent providers from complying with the exceptions provision.
  • The preliminary injunction for the complete reports provision should not be lifted at this time.

Practical Impact

As this case illustrates, certain abortion-related disclosures under state laws enacted in anticipation of the Dobbs ruling or thereafter may place HIPAA covered entities in the difficult position of having to choose between complying with HIPAA or state law. Although this court avoided having to hold that the state law at issue was HIPAA-preempted, this may not always be the outcome. Given how rapidly some states' abortion laws are changing post-Dobbs, there will likely be future reported decisions addressing the interaction of HIPAA's privacy requirements and state-law abortion disclosures. For more information on HIPAA preemption, see Practice Note, HIPAA Breach Notification Rules: Preemption and HIPAA Privacy, Security, and Breach Notification Toolkit.