OCR Guidance on Reproductive Care Emphasizes Limits on Disclosures

By Nina Youngstrom

New guidance from the HHS Office for Civil Rights (OCR) about the disclosure of information on reproductive health care under HIPAA is a powerful reminder that the Privacy Rule only allows covered entities (CEs) to disclose protected health information (PHI) without patient consent under narrow circumstances but in most cases doesn’t require them to, and that state law often is the arbiter of what should be disclosed, attorneys said.[1] Compliance and privacy officers might want to revisit their disclosure policies with that in mind in the wake of the June 24 Supreme Court decision that overturned the constitutional right to abortion enshrined in Roe vs. Wade, because emergency room nurses, physicians and other clinicians may be unsure of their obligations in certain situations, including disclosures of PHI.[2]

“Providers need to have heightened awareness of requests for information and the main question is not about HIPAA,” said attorney Katie Ilten, with Fredrikson & Byron in Minneapolis. “It is about whether state laws apply to someone.” But nurses and many other health care professionals who may be mandatory reporters under various state laws can’t be expected to know the nuances of state law, “especially on this topic that is rapidly evolving,” said Richelle Marting, an attorney in Olathe, Kansas.

The OCR guidance, posted June 29, emphasizes that the HIPAA Privacy Rule allows, but doesn’t require, covered entities to disclose PHI without patient authorization. There are limited exceptions, including for disclosures to law enforcement, but they must be backed by something else, such as court orders and state laws.

The message is loud and clear: “HIPAA has never been a law that compels disclosure,” Ilten said.

The guidance is “a great reminder that under HIPAA, a disclosure that is required by law for HIPAA purposes is only permissible and not mandatory,” Marting said. Because that often will be determined by state laws, providers will have to understand what their state laws require, Marting said. “Under HIPAA, where a disclosure meets the ‘required by law’ criteria, HIPAA allows the disclosure but only the minimum necessary information that is required under state law.”

That will get very tricky with abortion care if states enact laws that require disclosure, Ilten noted. “A big question is whether there will be state laws that come about that require reporting to law enforcement,” Ilten said. “I don’t know of any now.” Also, if the covered entity is in a state with an abortion ban, can a law enforcement request for PHI be granted? “State laws typically don’t reach across to people in other states,” Ilten noted.

Already, 46 states and the District of Columbia require hospitals, other facilities and physicians providing abortions to “submit regular and confidential reports to the states,” according to the Guttmacher Institute.[3]

OCR: Limits on Disclosures Without Authorization

Under HIPAA, CEs can only use or disclose PHI without a person’s written authorization as “expressly permitted or required by the Privacy Rule.” OCR described three permitted types of disclosures and gave examples of their application to reproductive care. HIPAA allows CEs to disclose PHI without patient authorization if the disclosure is required by another law. “This permission to disclose PHI as ‘required by law’ is limited to ‘a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law,’” OCR said. “Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.”

OCR gives the example of a person who goes to the hospital emergency room (ER) because of complications in connection with a miscarriage during the tenth week of pregnancy, and an ER employee suspects the person took medication to end their pregnancy. In her state, abortion is prohibited after six weeks of pregnancy, but there’s no reporting requirement to law enforcement. “Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the ‘required by law’ permission,” OCR said. “Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.”

The Privacy Rule also permits, but doesn’t require, PHI disclosures to law enforcement under certain circumstances, OCR said. For example, a CE may respond to a law enforcement request that comes with a court order, warrant, subpoena or summons. “In the absence of a mandate enforceable in a court of law, the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care,” OCR said. “That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement. This is because, generally, state laws do not require doctors or other health care providers to report an individual who self-managed the loss of a pregnancy to law enforcement.”

The guidance is more complicated when it comes to preventing harm. The Privacy Rule allows (but doesn’t require) CEs to disclose PHI if they believe in good faith it’s necessary “to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat,” OCR said. However, major professional societies consider it “inconsistent with professional standards of ethical conduct” to disclose PHI to law enforcement or others about a person’s “interest, intent, or prior experience with reproductive health care.” For example, if a pregnant person in a state that bans abortion tells her provider she intends to seek an abortion in a state where it’s legal and the provider wants to inform law enforcement to try to prevent the abortion, the Privacy Rule doesn’t permit this disclosure to law enforcement for several reasons, OCR said. For one thing, “a statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a ‘serious and imminent threat to the health or safety of a person or the public.’”

A Good Time to Review Reporting Policies

Ilten said OCR is conveying it would violate HIPAA to disclose a patient’s plan to have an abortion because that’s not considered a threat to the public. “Absent some other law that says you have to disclose, it’s not OK to disclose under HIPAA,” she noted. But the CE is still on the hook for the breach if an employee reports it to law enforcement, she said. “The CE would face potential enforcement by OCR for a disclosure that’s not permitted.”

Hospitals and other CEs may want to revisit their mandatory reporting and state reporting policies because of the OCR guidance, Marting said. Policies should ensure that providers share the minimum necessary information required by law but don’t go too far, and track what’s reported and when. “HIPAA doesn’t get in the way unless you go beyond the information required under the state law. Then it is not permitted under HIPAA and you may have an impermissible disclosure,” Marting said.

Privacy and compliance officers and legal counsel will have to coordinate on these issues, Ilten said. “Compliance will get questions about, ‘Can I do this activity, such as, may I prescribe a pregnancy termination pill?’ Privacy will get questions about whether I can disclose or must disclose, and they will be related because certain activity will be related.” She said, for example, “there may be a question about whether someone may or must disclose that certain abortion-related treatment was provided by someone at the covered entity.”

Also, if a state health department implements a rule on seeking more information about abortion, “there will be more questions about what can be released,” Ilten said. “Anytime an activity that is health care-related is regulated, whether it’s COVID testing or abortion care, there will be requests for information, and when there’s a request for information, it’s always about what laws require disclosure.”

In separate guidance released simultaneously, OCR explained that HIPAA generally doesn’t protect the privacy or security of health information “when it’s accessed or stored on your personal cell phones or tablets.”[4] HIPAA only applies to PHI created, received, maintained or transmitted by CEs and business associates.

Contact Ilten at kilten@fredlaw.com and Marting at rmarting@richellemarting.com.

 
2 Dobbs v. Jackson Women’s Health Organization, 597 U.S. ____ (2022), https://bit.ly/3aehyqx.
3 “Abortion Reporting Requirements,” Guttmacher Institute, July 1, 2022, https://bit.ly/3uuOaTz.
4 Office for Civil Rights, “Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet,” U.S. Department of Health & Human Services, June 29, 2022, https://bit.ly/3P5LLXf.
1 Office for Civil Rights, “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care,” U.S. Department of Health & Human Services, June 29, 2022, https://bit.ly/3R7suGJ.


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings