HIPAA IN THE POST-DOBBS ERA: OCR GUIDANCE FOR HEALTHCARE PROVIDERS

On June 24, 2022, the United States Supreme Court issued its decision in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and essentially ceding to individual states wholesale authority to regulate abortion. In response, the Department of Health and Human Services (HHS), Office of Human Rights (OCR) issued new guidance regarding the application of HIPAA’s Privacy Rule to the information of patients seeking reproductive health care. In general, covered entities may not disclose private health information (PHI) without express patient authorization, unless expressly permitted or required by the Privacy Rule. OCR’s post-Dobbs guidance primarily focuses on three provisions under the Rule: (1) disclosures that are required “by law”; (2) disclosures “for law enforcement purposes”; and (3) disclosures to avert serious threats to health and safety.

 

Disclosures Required by Law

OCR emphasizes that disclosures that meet this exception are limited to federal or state legal mandates that require entities to disclose PHI. In these cases, the Privacy Rule permits, but does not require, entities to disclose PHI without patient authorization. However, when a state does not expressly require reporting, the Privacy Rule does not permit disclosure of PHI to law enforcement. For example, if a state prohibits abortions past six weeks but does not expressly require providers to report suspected instances, disclosure of PHI would be in violation of the HIPAA Privacy Rule.

 

Disclosures for Law Enforcement Purposes

Further, OCR clarifies that disclosures to law enforcement are only permitted when they are pursuant to a legal process, such as a warrant, subpoena, or summons. For example, if PHI is requested by law enforcement in the absence of a court order or other enforceable mandate, disclosure would not be permissible under the Privacy Rule.

 

Averting Serious Threats to Health and Safety

Although disclosures may be made to law enforcement in the presence of a serious threat to the health and safety of a person or the public, OCR states that it would be inconsistent with professional standards of ethical conduct to disclose PHI “regarding an individual’s interest, intent, or prior experience with reproductive health care.” Such disclosures, OCR stresses, would not constitute a “serious or imminent threat” under the Privacy Rule and could compromise the integrity of patient-physician relationships.

As each state enacts specific abortion legislation, health care providers should take care to ensure their disclosure policies, procedures, and actions are in full compliance with the HIPAA Privacy Rule.

 



If you have questions or concerns about the HIPAA Privacy Rule, please do not hesitate to reach out to any member of Gardner Skelton’s healthcare team.