The Pendulum Swings Both Ways: State Responses to Protect Reproductive Health Data, Post-Roe
The U.S. Supreme Court is expected to imminently issue its opinion in the case Dobbs v. Jackson Women’s Health Organization (“Dobbs”). If the Court rules in a manner to overturn Roe v. Wade, states will have discretion in determining how to regulate abortion services. Such a ruling would overturn nearly 50 years of precedent, leaving patients, reproductive health providers, health plans, pharmacies, and many other stakeholders to navigate a host of uncharted legal issues. Specifically, stakeholders will likely need to untangle the web of cross-state legal issues that may emerge.
One such issue will be how and whether prosecutors and law enforcement personnel seeking to enforce abortion bans will be able to access patient medical records and use them in a court of law.
A. Making Sense of the Post-Roe Landscape
States have taken different approaches to regulating abortion, and many have existing laws that would become effective if Roe v Wade is overturned. As of June 1, 2022, 22 states had laws to restrict the legality of abortion while 16 states and the District of Columbia have laws that protect the right to abortion before viability. For instance, Texas is one of 13 states with a “trigger law”, or abortion law that will go into effect in the event of an overturn of Roe, that would ban nearly all abortions. Specifically, the Texas Human Life Protection Act of 2021 (“TXHLPA”) would create a felony offense against any person who “knowingly performs, induces, or attempts an abortion.” In addition, the law would (1) require the state attorney general to seek a civil penalty of not less than $100,000 for each violation and (2) require the state medical board to revoke the license of any health care professional who “performs, induces, or attempts” an abortion in violation of the statute.
If trigger laws like TXHLPA take effect, state attorneys general and other law enforcement personnel may seek patient medical records in order to build their cases against providers who perform, induce or attempt abortions. Under certain state laws, those who aid and abet the abortion process may also be subject to criminal prosecution.
B. HIPAA Background
The Health Insurance Portability and Accountability Act (“HIPAA”), the Federal healthcare privacy law, governs the disclosure of protected health information (“PHI”), and generally restricts disclosure absent patient consent. Generally, HIPAA preempts contradictory state law (e.g., a covered entity cannot comply with both the state and federal law or the state law impedes adherence to HIPAA). However, HIPAA does not preempt state law that is more stringent than HIPAA, or in other words, provides greater privacy protections for the individual who is the subject of the PHI.
One may reasonably think that prosecutors and law enforcement would be prevented from accessing PHI, such as those relating to an individual obtaining an abortion or related reproductive health services. However, while HIPAA generally prohibits the disclosure of PHI without the consent of the patient, there are several exceptions. Notably, a covered entity may be compelled to share PHI for law-enforcement purposes, as required by law, or in response to a judicial or administrative proceeding (e.g., a court order, subpoena, discovery request, or summons).
However, it should be noted that HIPAA requires covered entities to only disclose the “minimum necessary” information to fulfill such a request for information. Accordingly, abortion providers and other covered entities, as well as their business associates, must fulfill prosecutors’ and law enforcement agents’ requests for disclosure of medical records and other PHI in the narrowest means possible.
C. Connecticut’s Reproductive Freedom Defense Act
While many trigger laws would quickly criminalize abortion in the event of the overturn of Roe, which would likely lead to requests for PHI disclosures under HIPAA for law enforcement purposes, the pendulum is swinging in the other direction in other states. For example, some states have passed laws or are contemplating taking action to prevent disclosure of PHI related to reproductive health services, including abortion. This may protect patients and providers, among others, who may be subjected to PHI request from prosecutors and law enforcement agents.
Notably, on May 5th, Connecticut Governor Ned Lamont signed the Reproductive Freedom Defense Act (“the Act”), which seeks to protect HIPAA covered entities from liability related to reproductive services legally performed in Connecticut but that may be illegal elsewhere. The purpose of this legislation is not only to shield Connecticut residents from liability for obtaining or receiving reproductive health services, but also to protect travelers from states that have outlawed abortion. It accomplishes this by: (1) preventing HIPAA covered entities from disclosing PHI related to reproductive health services without the written consent of the patient; (2) prohibiting out-of-state judicial requests to issue a subpoena in Connecticut seeking to collect reproductive health PHI; and (3) preventing public agencies from aiding investigations seeking to impose criminal or civil liability for reproductive health care. In addition, the law creates a cause of action that allows persons who were sued in another state for reproductive health care to recover litigation expenses.
D. Reproductive Health Data Privacy Post-Roe: Two Illustrative Scenarios
What happens if a prosecutor or law enforcement agent in a state with an abortion ban seeks the medical records of a patient who received an abortion in Connecticut, for purposes of enforcing that state’s abortion ban?
It is likely that covered entities in Connecticut would not be permitted, absent patient authorization (or other authorized representative consent), to disclose the patient’s reproductive health medical records even if the prosecutor or law enforcement agent had a valid subpoena to obtain such information. This is because Connecticut’s Reproductive Freedom Defense Act requires Connecticut judges to reject a subpoena duces tecum requesting reproductive health information from a Connecticut covered entity. Therefore, due to the Act, a Connecticut covered entity should never receive a subpoena for reproductive health information from an out-of-state court without adequate authorization from the patient or an authorized representative. Additionally, the Act would likely not be preempted by federal law because it is more stringent than HIPAA. The Act meets several criteria of the “more stringent” requirements, as enumerated in HIPAA: (1) the Act “prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under [HIPAA]” because it prohibits disclosure of reproductive health information upon subpoena, which is normally permissible under HIPAA and (2) the Act “provides greater privacy protection for the individual who is the subject of the individually identifiable health information” because it restricts the ability of prosecutors and law enforcement agents to access such individuals’ PHI, which increases the ability of individuals to protect the privacy of their reproductive health information.
However, it should be noted that the Act does not explicitly prohibit HIPAA business associates from disclosing reproductive health information; therefore, such business associates might be compelled by subpoena to disclose such information to a prosecutor or law enforcement agent in a state that criminalizes abortion. This raises an important question of whether business associates, including electronic health record companies, may be permitted under the Act to make disclosures of PHI even where a HIPAA covered entity would not be permitted to do so under the Act.
Additionally, the Connecticut law only protects the data of individuals upon subpoena; it does not make mention of any other methods of compelling traditionally protected PHI, such as law enforcement requests and administrative requests. Therefore, there may be other ways in which an outside party may seek to gain access to this reproductive health data in Connecticut.
What happens if a prosecutor in a state with an abortion ban, such as Texas, seeks the medical records of a patient who received an abortion in a non-safe harbor state?
Covered entities and business associates may be permitted to disclose PHI in this scenario, depending on the type of request. HIPAA allows for disclosure without patient consent, so long as the disclosure responds to judicial or administrative proceedings, or for law enforcement purposes. If the covered entity were to receive an administrative request or authorized investigative demand asking the entity to disclose a patient’s reproductive health information, the entity may be required to disclose the PHI or risk facing contempt of court. However, HIPAA specifies that such requests must: (1) request information that is “relevant and material to a legitimate law enforcement inquiry”; (2) be specific and limited in scope; and (3) be requesting PHI that could not be de-identified. Therefore, if a prosecutor or law enforcement officer requested information that arguably does not fulfill one of the above three criteria, then the covered entity under HIPAA would be required to refuse to provide such information. Additionally, covered entities are required to comply with the “minimum necessary” doctrine in all states, regardless of whether the state protects reproductive health information. It is unlikely that a prosecutor or law enforcement officer could collect identifiable reproductive health information without a valid subpoena or other court-issued document, even in a state without a protective law like Connecticut’s.
If the U.S. Supreme Court overturns Roe v. Wade through its ruling in Dobbs, patients and covered entities should be aware of state laws that impact their rights and obligations around disclosure of abortion-related PHI in the context of out-of-state law enforcement efforts. As illustrated by the Connecticut Reproductive Freedom Defense Act, such disclosures may be barred within states with reproductive health privacy protection laws. Further, the Connecticut law may serve as a model for other states seeking to extend reproductive health privacy protections for their residents and others seeking reproductive health services within their borders.
Attorneys at Epstein Becker & Green are well-positioned to assist with navigating the complexities that may emerge from the Dobbs decision. For additional information about the issues discussed above, or if you have any other legal or regulatory compliance concerns, please contact the Epstein Becker & Green attorney who regularly handles your legal matters, or one of the authors of this blog post.
Ada Peters contributed to this article. Ada is a 2022 Summer Associate for the Washington, DC office who is not admitted to the practice of law.
 Thomas Dobbs v. Jackson Women’s Health Organization, et al., No.19-1392 (leaked May 3, 2022).
 Guttmacher Institute, Abortion Policy in the Absence of Roe, June 1, 2022.
 Tex. Health & Safety Code Ann. § 170A.002 (2021). (also known as “H.B. 1280”).
 Tex. Health & Safety Code Ann. § 170A.005.
 Tex. Health & Safety Code Ann. § 170A.007.
 45 CFR § 160.502.
 45 CFR § 160.512.
 45 CFR §§ 160.512(e)-(f).
 45 CFR § 160.502(b).
 The Office of Gov. Ned Lamont, Gov. Lamont Signs First-in-the-Nation Reproductive Rights Legislation, May 5, 2022). P.A. 22-19.
 The Office of Gov. Ned Lamont, Gov. Lamont Signs First-in-the-Nation Reproductive Rights Legislation, (May 5, 2022).
 2022 Conn. Legis. Serv. P.A. 22-19 § 2 (S.B. 5414), Effective July 1, 2022.
 P.A 22-19 § 3.
 P.A. 22-19 § 6.
 P.A. 22-19 § 1.