Guidance on HIPAA Abortion Privacy Rights Post-Roe-v-Wade
Loss of constitutional abortion rights undermines privacy protection of patients seeking reproductive care.
Regardless of your personal beliefs on the abortion issue, the US Supreme Court’s decision to overturn Roe v. Wade (in a case called Dobbs v. Jackson Women’s Health Organization) will have a direct and dislocating impact on the compliance programs of not only labs but just about all types of providers. For more than four decades, the constitutional reproductive rights recognized by Roe v. Wade have been a central principle of regulatory programs implemented by the Department of Health and Human Services (HHS). Now that those rights are gone, the HHS will have to go back to the drawing board.
Medical Privacy in the Post-Roe-v-Wade World
One of the department’s immediate priorities will be the medical privacy and Health Insurance Portability and Accountability Act (HIPAA) rights of patients seeking reproductive care. Explanation: The HIPAA Privacy Rule bans labs and other covered entities from disclosing an individual’s protected health information (PHI) without signed authorization. However, signed authorization isn’t required when the covered entity is required to disclose the PHI under another law. And after the Supreme Court’s ruling in Dobbs, at least 16 states have adopted or are in the process of adopting laws to ban abortion. If the states were also to mandate that providers disclose PHI to prevent abortion or for purposes of law enforcement, it would strip patients of their HIPAA protection.
The OCR Guidance
On June 29, the HHS Office for Civil Rights (OCR), the agency that oversees implementation of HIPAA laws, took the first steps to address the problem by issuing new Guidance to Protect Patient Privacy in Wake of Supreme Court Roe Decision explaining how HIPAA protections apply to PHI related to abortion and reproductive care. Specifically, the guidance offers clarification on three types of disclosures permitted by the Privacy Rule without authorization.
1. Disclosures Required by Law
Even if disclosure is permitted by law, the Privacy Rule only permits but doesn’t require covered entities to disclose PHI without an individual’s authorization, the guidance stresses. Where disclosure is required by law, it must be limited to the “relevant requirements of such law.” Disclosing more than the minimum necessary is a violation of the Privacy Rule. The guidance lists the following example:
“An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the ‘required by law’ permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.”
2. Disclosures for Law Enforcement Purposes
The Privacy Rule also permits but doesn’t require covered entities to disclose PHI about an individual for law enforcement purposes. But the guidance notes that conditions apply. Disclosure must be “pursuant to process and as otherwise required by law,” such as a court order, court-ordered warrant, subpoena, or summons. Thus, for example, lab employees wouldn’t be able to notify law enforcement about a patient seeking an illegal abortion. State laws generally don’t “require doctors or other health providers to report an individual who self-managed the loss of a pregnancy to law enforcement,” the guidance explains. Nor do fetal homicide laws penalize the pregnant individual.
Example: “A law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request.”
3. Disclosures to Avert a Serious Threat to Health or Safety
The Privacy Rule permits but doesn’t require a covered entity to disclose PHI when it, in good faith, believes the disclosure to be necessary to prevent or reduce a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat. Disclosing PHI to law enforcement or others regarding an individual’s interest, intent, or experience with reproductive health care would be inconsistent with professional standards of ethical conduct, according to the guidance, citing the American Medical Association and American College of Obstetricians and Gynecologists.
Example: A pregnant individual in a state that bans abortion tells her doctor that she plans to get an abortion in a state where it’s legal. The Privacy Rule wouldn’t allow the doctor to disclose this information to law enforcement because: 1) A statement of intent to get an abortion isn’t a “serious and imminent threat to the health or safety of a person or the public”; and 2) The disclosure would violate professional ethical standards and compromise the patient-physician relationship.
Why Guidance Isn’t Enough
Clarifying current privacy protections via a narrow interpretation of required disclosures under current HIPAA rules and state laws the way the guidance does isn’t a whole heckuva lot of assurance for patients seeking abortion and reproductive care. The problem is that even if OCR’s interpretation of current state laws is correct, states can change their laws to expressly require physicians, labs, providers, and even their employees to immediately notify law enforcement of patient plans to terminate their pregnancies. Bottom Line: The HIPAA Privacy Rule as it’s currently constituted isn’t adequate to protect PHI related to abortion now that Roe v. Wade is gone and states can adopt strict abortion bans.
With this in mind, Senators Michael Bennet, D-Colo., and Catherine Cortez Masto, D-Nev., sent a letter urging HHS Secretary Xavier Becerra to take action to bolster the Privacy Rule. The Dobbs ruling has created “profound uncertainty for patients concerning their right to privacy when making the deeply personal decision to have an abortion,” the senators wrote. When the HIPAA Privacy Rule was written back in 2000, the Roe v. Wade constitutional right to abortion was a fixture that nobody imagined the Supreme Court would ever revoke more than 20 years later. While the guidance is helpful, the senators insist that “HHS has the authority to do more” and should “immediately begin the process to update the Privacy Rule…to clarify that information on abortion or other reproductive health services cannot be shared with law enforcement agencies who target individuals who have an abortion.”