In Post-Dobbs Guidance, HHS Addresses Disclosures of Abortion-Related Information | Practical Law

In guidance addressing the Supreme Court's Dobbs ruling, which overturned Roe v. Wade, the Department of Health and Human Services (HHS) has addressed when covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) can disclose an individual's information regarding abortion and other sexual and reproductive health care without the individual's authorization.

Practical Law Legal Update w-036-1317 (Approx. 8 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 02 Jul 2022
USA (National/Federal)
In guidance addressing the Supreme Court's Dobbs ruling, which overturned Roe v. Wade, HHS's Office for Civil Rights (OCR) has addressed the extent to which HIPAA's Privacy Rule permits disclosures of an individual's information regarding abortion and other sexual and reproductive health care without the individual's authorization (HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care (June 29, 2022); Dobbs v. Jackson Women's Health Org., (June 24, 2022); see also Legal Update, Supreme Court's Overruling of Roe v. Wade Raises Health Plan and Employment Implications and Abortion and Contraceptives Services for Group Health Plans Toolkit).
For more information on compliance with the HIPAA Privacy Rule, see HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Privacy Rule.

HIPAA Privacy Rule and Disclosures of Reproductive Health Care Information

As background, the Privacy Rule permits HIPAA covered entities (CEs)—which include health plans and most health providers—to use or disclose protected health information (PHI), without an individual's signed authorization, only as expressly permitted or required by the Privacy Rule (see Practice Note, HIPAA Privacy Rule: Permitted and Prohibited Uses and Disclosures of Health Information: Authorizations). The Privacy Rule provides that authorization is not needed for permitted disclosures, which are uses and disclosures of PHI required by laws other than HIPAA. In what HHS characterizes as "narrowly tailored" situations, the Privacy Rule permits disclosures of PHI without an individual's authorization for reasons not related to health care—for example, disclosures to law enforcement officials. HHS's guidance addresses permitted disclosures of information about an individual's abortion and other sexual and reproductive health care in the following three contexts:

Disclosures Required by Law

HHS's guidance provides that the Privacy Rule permits—but does not require—CEs to disclose an individual's PHI without the individual's authorization, when the disclosure:
  • Is required by another law.
  • Complies with the requirements of the other law.
  • Is limited to the other law's requirements.
These required-by-law disclosures of PHI are limited to mandates contained in laws that:
  • Compel an entity to make a use or disclosure of PHI.
  • Are enforceable in a court of law.
Under the Privacy Rule, such required-by-law disclosures include (but are not limited to):
  • Court orders and court-ordered warrants.
  • Subpoenas or summons issued by a court, grand jury, governmental or tribal inspector general, or administrative body authorized to require the production of information.
  • A civil or an authorized investigative demand.
  • Medicare conditions of participation regarding health providers participating in Medicare.
  • Statutes or regulations that require the production of information (including statutes or regulations that require this information if payment is sought under a government program that provides public benefits).
HHS's guidance notes that required-by-law disclosures are limited to the relevant law's requirements. Moreover, a disclosure of PHI is not permitted if it:
  • Does not meet the HIPAA Rules' definition of required by law.
  • Exceeds what is required by the relevant law.

Example of Disclosure Required by Law and Breach Notification

HHS's guidance includes an example in which:
The example posits that the relevant state law:
  • Prohibits abortion after six weeks of pregnancy.
  • Does not require the hospital to report individuals to law enforcement.
According to HHS, because the state law at issue does not explicitly require reporting, the Privacy Rule would not permit a disclosure to law enforcement under the required-by-law provisions. If a hospital (as a HIPAA CE) made this disclosure, it would be a breach of unsecured PHI requiring notification to HHS and the affected individual (see Practice Note, HIPAA Breach Notification Rules).

Disclosures for Law Enforcement Purposes

Under HHS's guidance, the Privacy Rule permits—but does not require—CEs to disclose PHI about an individual, without the individual's authorization, for law enforcement purposes pursuant to process and as otherwise required by law (45 C.F.R. § 164.512(f)). For example, a CE may respond to law enforcement requests (disclosing only the requested PHI) using legal processes that include:
  • A court order or court-ordered warrant.
  • A subpoena or summons.
  • Certain administrative requests.
The HIPAA Rules set out several conditions governing disclosures for certain law enforcement purposes (for example, certain restrictions involving identification and location purposes).
HHS's guidance clarifies that without a legally enforceable mandate, the Privacy Rule does not allow a health provider to disclose PHI to law enforcement where a provider's workforce member has chosen to report an individual's abortion or other reproductive health care. According to HHS, this rule applies whether the workforce member either:
  • Initiates the disclosure to law enforcement or others.
  • Discloses PHI at law enforcement's request.
According to HHS, this is because most state laws do not require doctors or other health providers to report an individual who has self-managed the loss of a pregnancy to law enforcement. HHS also indicates in its guidance that:
  • State fetal homicide laws generally do not penalize the pregnant individual.
  • Most appellate courts have rejected attempts to use existing criminal and civil laws designed for other purposes (such as protecting children) as grounds to arrest, detain, or force interventions on pregnant individuals.
HHS takes the view that the ability to disclose an individual's PHI (under the Privacy Rule) to a public health authority or other government authority authorized by law to receive reports of child abuse or neglect would not apply to disclosures of PHI about reproductive health care.

Example of Disclosure for Law Enforcement Purposes

The guidance includes an example in which a law enforcement official goes to an abortion clinic and requests records of abortions performed at the clinic. The example concludes that if this request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. As a result, the disclosure would be:

Disclosures to Avert a Serious Threat to Health or Safety

HHS's guidance also notes that the Privacy Rule permits—but does not require—CEs to disclose PHI about an individual without the individual's authorization. This rule applies if the CE, in good faith, believes that:
  • A use or disclosure is necessary to prevent or reduce a serious and imminent threat to the health or safety of a person or the public.
  • The disclosure is to person(s) who are reasonably able to prevent or lessen the threat.
The guidance includes an example in which:
  • A pregnant individual in a state that prohibits abortion informs their health provider that they intend to seek an abortion in a state where abortion is legal.
  • The provider wants to report the individual's statement to law enforcement to try to prevent the abortion from taking place.
According to HHS, the Privacy Rule would not permit this disclosure of PHI to law enforcement because (among other reasons):
  • A statement indicating an individual's intent to obtain a legal abortion or any other care tied to pregnancy loss, ectopic pregnancy, or other complications concerning a pregnancy is not a serious and imminent threat to the health or safety of a person or the public.
  • The disclosure generally would be inconsistent with professional standards of ethical conduct in that it:
    • compromises the integrity of the patient-physician relationship; and
    • may increase the risk of harm to the individual.
As a result, the disclosure would be:

Protecting Health Information on Personal Cell Phones and Tablets

In accompanying guidance addressing personal devices, HHS discusses how individuals can protect the privacy and security of their health information when using personal cell phones or tablets (Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet (June 29, 2022)). The guidance observes that the HIPAA Privacy, Security, and Breach Notification Rules do not protect the privacy or security of individuals' health information that is accessed or stored on personal cell phones or tablets. The guidance also explains how individuals can better protect their health data on their devices.

Practical Impact

It should be noted that some of the state laws referenced in HHS's guidance and examples may be in a state of flux over the coming months as state legislatures enact new abortion-related laws in response to the Dobbs ruling (and existing laws are either triggered or revived because of the Court's ruling).