In response to the Supreme Court Dobbs vs. Jackson Women’s Health Organization abortion ruling the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued new guidance discussing when the protects patient reproductive health care records and information by health care providers, health plans, health care clearinghouses (“covered entities”) and their business associates.
The HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care guidance generally addresses when the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule restricts or allows individuals’ private medical information (known as “protected health information” or “PHI”) relating to abortion and other sexual and reproductive health care. The guidance does not discuss responsibilities if any of providers or other covered entities under other federal or state laws. Instead, the guidance directs concerned about their obligations to disclose information concerning abortion or other reproductive health care to seek legal advice regarding their responsibilities under other federal and state laws.
Regiarding HIPAA, the guidance begins with the reminder that HIPAA covered entities and business associates can use and disclose PHI without an individual’s signed authorization, only on the narrow circumstances expressly permitted or required by the Privacy Rule.
The guidance goes on to explain when the Privacy Rule allows disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety. In keeping with the Biden Administration announced commitment to work to preserve the availability of abortion against restriction by state laws banning or restricting abortion rights following the Supreme Court’s decision, the guidance invites health care providers to resist disclosures HIPAA permits by making a point of saying that these exceptions are permitted but not required in bold language.
Disclosures Required by Law
The Privacy Rule permits but does not require covered entities to disclose PHI about an individual without the individual’s authorization, when the disclosure is required by another law and the disclosure complies with the requirements of the other law.9
The guidance states the HIPAA permission to disclose PHI as “required by law” is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.”10 Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.11 Disclosures of PHI that do not meet the “required by law” definition in the HIPAA Rules,12 or that exceed what is required by such law, do not qualify as permissible disclosures.13
The guidance provides the following example:
An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
Disclosures for Law Enforcement Purposes
The guidance also discusses when HIPAA allows disclosure of PHI for law enforcement purposes.
The Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes “pursuant to process and as otherwise required by law” only under certain conditions.14. As an example, the guidance states a covered entity may respond to a law enforcement request made through such legal processes as a court order or court-ordered warrant, or a subpoena or summons, by disclosing only the requested PHI, provided that all of the conditions specified in the Privacy Rule for permissible law enforcement disclosures are met.15
In the absence of a mandate enforceable in a court of law,16 the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care. That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement.17 OCR states this is because, state laws generally do not require doctors or other health care providers to report an individual who self-managed the loss of a pregnancy to law enforcement.18 Also, state fetal homicide laws generally do not penalize the pregnant individual, and “appellate courts have overwhelmingly rejected efforts to use existing criminal and civil laws intended for other purposes (e.g., to protect children) as the basis for arresting, detaining, or forcing interventions on pregnant” individuals.19 ,20
OCR illustrates its position with the following examples.
- A law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
- A law enforcement official presents a reproductive health care clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.
Disclosures to Avert a Serious Threat to Health or Safety
The guidance also points out that the Privacy Rule permits but does not require a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat.21 OCR’s guidance states that the American Medical Association and American College of Obstetricians and Gynecologists and other professional bodies, professional standards of ethical conduct treat as unethical a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.22
OCR illustrates its interpretation with the following example:
A pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. However, the Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission for several reasons, including:
- A statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health or safety of a person or the public.
- It generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient–physician relationship and may increase the risk of harm to the individual.
Accordingly the guidance concludes, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
Disclosures in Litigation
Healthcare providers another covered entities also should anticipate becoming parties to or being asked to provide testimony or records for private litigation among parties over abortion or other reproductive rights as a result of the recent decision.
Whether participating as a party to litigation or responding to request to provide testimony or other evidence that includes confidential health information or other protected health information on reproductive rights, Healthcare providers and other HIPAA covered entities in business associates should be careful to ensure all requirements of HIPAA are met before sharing any information or records.
When a plaintiff or defendant in a legal proceeding, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations under 45 CFR 164.501. Covered entities and business associates must keep in mind, however, that they cannot share protected health information with their legal counsel until the legal counsel enters into a business associate agreement that meets the requirements of HIPAA.
Before sharing PHI in response to a subpoena or other litigation associated request, covered entities and business associates also generally must provide notice to the subject of the PHI and must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR 164.502(b), 164.514(d). In light of these requirements, covered entities and business associates dealing with these requests generally will want to seek the advice of a lawyer and may need to consider pursuing a protective order for requests for testimony or evidence containing PHI without authorization from the subject.
Covered Entities Should Use Care To Protect & Prevent Improper Disclosure
Providers, health plans and other covered entities and business associates should exercise height in Care when dealing with the use or disclosure of records or information on abortion or other reproductive rights and their activities associated with that care.
HIPAA is one of many legal land mines providers and other covered entities must avoid when addressing abortion or other reproductive care following the Dobbs decision. The Supreme Court decision holding the Constitution does not guarantee a right to abortion creates many more questions than answers. With parties on all sides of the question energized with activism, covered entities and business associates dealing with abortion and other reproductive health concerns should prepare to defend their actions both against legal challenges and political harassment. In this charged environment, healthcare providers and other covered entities and business associates healthcare providers and other covered entities and business associates handling records or other abortion or reproductive health concerns should prepare to face questions and demands for information regardless of how they choose to proceed. Accordingly, most healthcare providers and other covered entities will want engage legal counsel with experience with HIPAA and other health care experience to discuss these concerns and develop a plan of action within the scope of attorney-client privilege.
We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns.
Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.
IMPORTANT NOTICE ABOUT THIS COMMUNICATION
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™