HHS Issues Guidance on Post-Dobbs Protections Under HIPAA Privacy Rule
Many states have enacted or revived statutes limiting or barring access to abortion in the wake of the Supreme Court of the United States’ ruling in Dobbs v. Jackson Women’s Health Organization, and further legislative or regulatory initiatives on this subject are likely. However, enforcement of these limitations will generally require state officials to obtain information on abortion-related health services from the parties most directly involved, and the protections provided by the privacy requirements adopted under the Health Insurance Portability and Accountability Act (HIPAA) may significantly complicate that task.
In response to concerns about the impact of the Dobbs decision on healthcare privacy, on June 29, 2022, the U.S. Department of Health and Human Services (HHS) issued guidance addressing how the HIPAA privacy requirements (the Privacy Rule) will limit access to private medical information relating to abortion and other sexual and reproductive healthcare held by HIPAA-covered entities like hospitals and clinics and the vendors that assist them in providing healthcare services.
The Privacy Rule states that covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and entities that perform certain services on their behalf may use or disclose an individual’s protected health information (PHI) without the individual’s signed authorization “only as expressly permitted or required by the Privacy Rule.” The HHS guidance outlines the types of non-healthcare disclosures of PHI that are permitted without an individual’s authorization. The guidance also describes how the Privacy Rule applies to such disclosures in the context of PHI that contains abortion and other sexual and reproductive healthcare information. For each such disclosure, HHS emphasizes that covered entities are permitted, but not required, to disclose the PHI.
Types of Permitted Disclosures
Disclosures Required by Law
The Privacy Rule permits the disclosure of PHI, including information related to abortion and other reproductive healthcare, when the disclosure is required by another law that is enforceable in a court of law, and if such disclosure complies with the requirements of the other law. The guidance provides that where abortion prohibitions do not impose an express reporting requirement, the Privacy Rule would not permit disclosure under this exception.
Disclosures for Law Enforcement Purposes
Disclosure of PHI is permitted for law enforcement purposes “pursuant to process and as otherwise required by law” such as via a court order, subpoena, or warrant. For example, the Privacy Rule would not permit disclosure of abortion records requested by a law enforcement official without a valid warrant or other legally enforceable mandate.
Disclosures to Avert a Serious Threat to Health or Safety
Disclosure of PHI is permitted “if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat.” Such disclosure must be made in accordance with applicable law and standards of ethical conduct. For many healthcare professionals, it is inconsistent with ethical and professional standards of conduct to disclose reproductive healthcare information for law enforcement or other non-healthcare purposes without an authorization from the individual involved or valid court order.
HHS also issued guidance addressing the extent to which PHI is protected on mobile devices such as cell phones and tablets. Although the HIPAA Privacy Rule and Security Rule (protecting PHI when maintained or transmitted electronically) provide protections for the use and disclosure of PHI held or maintained by covered entities and their business associates, they do not address PHI accessed through or stored on personal devices owned by individual patients. For example, although PHI maintained on electronic devices owned by a covered entity would be protected from disclosure by HIPAA, once a patient downloads that information to a personal device, HIPAA would no longer protect it. The guidance does provide tips to help individuals protect their own PHI, such as:
avoiding downloads of unnecessary or random apps to personal devices; and
avoiding (or turning off) permissions for apps to access an individual’s location data. (This reduces information about a person’s activities that can be used by the app or sold to third parties, such as the name and address of healthcare providers a person visits.)
The HHS guidance does not change the requirements under the Privacy Rule but does provide clarity on how those requirements will be applied with respect to the use and disclosure of abortion information and other sexual and reproductive healthcare information. In light of these developments, covered entities may wish to review their existing HIPAA policies, procedures, and training materials to assess whether updates are desirable, especially for permissive disclosures for public policy and law enforcement purposes.
The HHS guidance is also an important reminder for covered entities that if PHI is used or disclosed in violation of the Privacy Rule, breach notification and remediation requirements are likely to be triggered, potentially resulting in adverse publicity and in fines and penalties under HIPAA’s tiered civil penalty structure. That structure starts at $120 per violation where the violation was due to lack of knowledge and rises to up to $60,226 per violation for violations due to willful neglect that are not corrected within thirty days.
Additional developments in this area are possible following the July 8, 2022, executive order issued by President Biden outlining a number of federal initiatives supporting reproductive health rights. Among other things, the executive order directs HHS to consider additional guidance under HIPAA to protect the privacy of information relating to reproductive healthcare and to bolster protections for patient-provider confidentiality.