HIPAA guidance on disclosures relating to reproductive healthcare: Risk mitigation and strategies
Following the US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, No. 19-1392 (U.S. June 24, 2022), the Office for Civil Rights of the US Department of Health and Human Services (HHS-OCR) issued guidance on June 29, 2022 regarding disclosures of protected health information (PHI) relating to reproductive healthcare subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This guidance reminds covered entities and their business associates that, absent an individual’s authorization, they may use and disclose PHI only as expressly permitted or required by HIPAA and that HIPAA’s exceptions for disclosures of PHI without an individual’s authorization are narrowly tailored.
HHS-OCR specifically provided guidance on the following three HIPAA exceptions:
- Disclosures required by law. Under this exception, covered entities may, but are not required to, disclose PHI if the disclosure is “required by law.” Because “required by law” is narrowly defined by HIPAA, covered entities must ensure that they only disclose PHI under this exception if the law (including, for example, a court order) compels a covered entity to do so. Any request for a disclosure under this exception must be carefully reviewed prior to disclosure and limited to the requirements of the law.
As an example in the context of reproductive health, HHS-OCR described a situation where a hospital workforce member suspects that a patient experiencing a miscarriage took medication to end the pregnancy despite a state law that would prohibit the abortion. The state law does not expressly require the hospital to report the individual to law enforcement. If the patient were to be reported to law enforcement in this situation, HHS-OCR believes that it would be not only a violation of HIPAA but also a breach of unsecured PHI requiring notification to HHS and the affected individual.
- Disclosures for law enforcement purposes. Under this exception, covered entities may, but are not required to, disclose PHI for law enforcement purposes pursuant to process and as otherwise required by law. As with the “required by law” exception, HHS-OCR notes that HIPAA does not permit any disclosures under this exception in the absence of a mandate enforceable in a court of law. HHS-OCR warns covered entities that, in its assessment, state laws generally do not require healthcare providers to report individuals who self-manage the loss of a pregnancy to law enforcement and that state fetal homicide laws generally do not penalize pregnant individuals. It further suggests, based on a publication from 2013, that appellate courts have “overwhelmingly” rejected efforts to use existing criminal and civil laws intended for other purposes as the basis for arresting, detaining, or forcing interventions on pregnant individuals.
HHS-OCR provided two examples to illustrate the application of this exception in the context of reproductive healthcare:
- A law enforcement official goes to a reproductive healthcare clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, HHS-OCR concludes that HIPAA would not permit the clinic to disclose PHI in response to the request and that such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS-OCR and the individual affected.
- A law enforcement official presents a reproductive healthcare clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, HHS-OCR concludes that HIPAA would permit, but not require, the clinic to disclose the requested PHI and that the clinic may disclose only the PHI expressly authorized by the court order.
- Disclosures to avert a serious threat to health or safety. Under this exception, HIPAA permits, but does not require, a covered entity to disclose PHI if the covered entity believes, in good faith, the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and the disclosure is to a person who is reasonably able to prevent or lessen the threat.
Citing the position statements of various professional associations, HHS-OCR opposes reliance on this exception to disclose an individual’s interest, intent or prior experience with reproductive healthcare to law enforcement or others.
In HHS-OCR’s example illustrating the application of this exception in the context of reproductive healthcare, it describes a pregnant individual in a state that bans abortion who informs their healthcare provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. HHS-OCR concludes that HIPAA would not permit this disclosure of PHI to law enforcement under this exception for “several” reasons and provides the following two examples:
- A statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy, does not qualify as a “serious and imminent threat to the health or safety of a person or the public.”
- It generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient–physician relationship and may increase the risk of harm to the individual.
Based on these reasons, HHS-OCR concludes that a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
Conclusion: an organization-specific approach
While this new guidance is intended to provide examples on how to interpret HIPAA in light of the Dobbs decision, covered entities and their business associates should keep in mind that such informal guidance does not have the force and effect of law.
Courts and other authorities may disagree with HHS-OCR’s guidance for one or more of the above exceptions and require or otherwise demand the disclosure of PHI about an individual’s reproductive healthcare. They may even point to other exceptions under HIPAA, such as disclosures for public health purposes or related to child abuse or neglect, which this HHS-OCR guidance only addresses briefly in a footnote.
Some states require healthcare providers to report injuries that may have resulted from the commission of a crime, and HIPAA would not interfere with any such mandatory requirements. Any refusal to provide the information could potentially expose the covered entities, their business associates and possibly their workforce members to criminal, civil or other penalties and repercussions.
As recommended by HHS-OCR in this guidance, legal advice should be sought to better understand any obligations to disclose information about abortion or other reproductive healthcare. Given the uncertainty posed by the impact of Dobbs on the application of HIPAA’s exceptions, covered entities and their business associates should proactively review and update their privacy policies and procedures to ensure their workforce members, patients and health plan members understand how HIPAA will apply to requests for and disclosures of PHI related to reproductive healthcare. Healthcare entities with an organization-specific approach to address PHI disclosures in relation to reproductive health will have a stronger foundation for handling any upcoming legal and legislative challenges and changes in a post-Dobbs world.