In the wake of the recent Supreme Court decision overturning Roe v. Wade, the Department of Health and Human Services (HHS) published guidance on June 29, 2022, regarding an individual’s privacy rights for reproductive health and abortion services under the Health Information Portability and Accountability Act (HIPAA). The guidance reminds HIPAA regulated entities (health plans, health care clearinghouses and most health care providers), and to some extent their vendors assisting them in providing such health care services (business associates), that an individual’s protected health information (PHI), including reproductive and abortion care, must be kept private and not disclosed without the individual’s authorization unless expressly permitted or required by the Privacy Rule. HHS reiterates that such exceptions are narrowly tailored to protect the individual’s privacy and access to health services and if improperly applied could result in a privacy violation. The guidance focuses on three types of permitted exceptions and provides specific examples of their application in the context of reproductive health.
Disclosures Required by Law
HIPAA permits disclosures as required by law provided the information disclosed is limited to the information requested by such law.[1] HHS notes the permission to disclose is limited to “a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law.”[2] For example, disclosures of individuals receiving an abortion to law enforcement in states where abortions are prohibited would not be permitted under this exception unless the state law expressly required such reporting.
Disclosures for Law Enforcement Purposes
Per HHS guidance, HIPAA regulated entities are permitted to disclose an individual’s PHI for law enforcement purposes “pursuant to process and as otherwise required by law” under certain conditions.[3] Such legal process may include (i) a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer, (ii) a grand jury subpoena, or (iii) if certain conditions are met, a legally authorized administrative request, subpoena or summons, a civil or investigative demand, or similar process.[4] Again, the extent of the information disclosed must be limited to the information expressly authorized by a mandate enforceable in a court of law[5] or the legal process. Any disclosures provided absent such mandate or process, or beyond the requested information when expressly authorized by such mandate or process, violate the Privacy Rule. For example, disclosures in response to law enforcement requests without a court order or other mandate enforceable in a court of law would not be permitted under this exception.
Disclosures to Avert a Serious Threat to Health or Safety
HIPAA permits disclosures “if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat.”[6] Such disclosures must be “consistent with applicable law and standards of ethical conduct.”[7] For example, disclosures to law enforcement of individuals intending to seek an abortion in an attempt to prevent the abortion where abortions are prohibited would not be permitted under this exception because, as HHS explains, a statement of an individual’s intent to get an abortion does not qualify as a “serious and imminent threat to the health or safety of a person or public” and reporting such intent “generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient-physician relationship and may increase risk of harm to the individual.”
HHS has made clear that use of these exceptions for disclosure without the individual’s authorization is only permitted if all the conditions for disclosure are met. Moreover, HHS has declared that protection of an individual’s reproductive health care information is an enforcement priority. Accordingly, HIPAA regulated entities should carefully assess whether the request for PHI meets all the required conditions for disclosure prior to disclosing the PHI under the permitted exceptions. Disclosures outside the limited context of these exceptions could result in a privacy violation subject to breach notification and remediation requirements, HHS enforcement actions and fines or penalties.
Furthermore, for each of these permissible categories of disclosure, HHS reminds HIPAA regulated entities that disclosure is permitted but not required. Accordingly, HIPAA regulated entities should carefully consider the impacts associated with disclosing or refusing to disclose under these exceptions, including any legal repercussions associated with a failure to disclose when subject to an enforceable legal mandate or process.
Although the guidance does not change the requirements of the Privacy Rule, it does provide clarity and insight on how those requirements will be applied with respect to use and disclosure of reproductive or abortion care information. HIPAA regulated entities may want to review their existing policies, procedures and training materials for any updates in light of this guidance.
[1] Citing 45 C.F.R. § 164.512(a)(1).
[2] Citing 45 C.F.R. § 164.103 defining “Required by Law.”
[3] Citing 45 C.F.R. § 164.512(f)(1).
[4] See 45 C.F.R. § 164.512(f)(1)(ii).
[5] Citing 45 C.F.R. § 164.103 defining “Required by Law.”
[6] Citing 45 C.F.R. § 164.512(j).