HHS Issues Guidance Regarding Privacy of Reproductive Health Information
On June 29, 2022, in the wake of the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, No. 19-1392 (U.S. June 24, 2022), the U.S. Department of Health & Human Services (HHS) issued guidance regarding the applicability of the HIPAA Privacy Rule to reproductive health information. HHS’s guidance appears to be intended to assure women that such information will be treated as confidential, and that it will not be disclosed by health care providers, even in states that have passed laws banning abortion, except under limited circumstances. Nevertheless, the fact that HIPAA permits providers to disclose PHI where “required by law” and to law enforcement means that women seeking an abortion cannot be assured that their health information will remain out of reach of prosecutors, and creates potential ethical challenges for providers.
As emphasized in the guidance, protected health information (PHI) related to an abortion or other sexual or reproductive health care can only be disclosed with the individual’s signed authorization, or as expressly authorized or permitted by the Privacy Rule. In pertinent part, the Privacy Rule permits (but does not require) a health care provider to disclose PHI (i) when the disclosure is required by law, or (ii) for law enforcement purposes, under certain conditions.
With respect to disclosures as “required by law,” the Privacy Rule permits (but does not require) a provider to disclose PHI when there is a law that requires the disclosure, and the provider’s disclosure complies with the law. 45 C.F.R. 164.512(a)(1). The permission to disclose PHI under this exception is limited to circumstances where there is a mandate that compels an entity to make a use or disclosure of PHI that is enforceable in court. Id. For example, a health care provider who suspects that a patient has taken an abortion-inducing medication in a state that prohibits abortions cannot report the patient to law enforcement or a state agency if there is no state law requiring that they do so. However, if the state passed a law requiring reporting in that circumstance, HIPAA would permit the disclosure.
With respect to disclosures for law enforcement purposes, the Privacy Rule also permits (but does not require) covered entities to disclose PHI “pursuant to process and as otherwise required by law.” 45 C.F.R. 164.512(f)(1). This means that HIPAA does not prohibit a provider from responding to a court order, warrant, subpoena, summons, grand jury subpoena, administrative subpoena or summons, or similar process requesting PHI for law enforcement purposes.
In states where abortion is criminalized, providers may face conflicting obligations – to maintain the confidentiality of communications with their patients, and to comply with court orders, subpoenas, or other process. And, even in states where abortion is legal, providers may face complicated privacy issues – such as whether to produce medical records to law enforcement in a patient’s home state where records indicate that a patient has traveled to the physician’s state for purposes of obtaining an abortion.
In the current climate, providers with questions about their obligations under HIPAA or other privacy authorities should consult with counsel. If you have questions, please reach out to a member of Post & Schell's Health Care Practice Group.
Disclaimer: This post does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this post without first seeking the advice of counsel.