New guidance from the HHS Office for Civil Rights (OCR) about the disclosure of information on reproductive health care under HIPAA is a powerful reminder that the Privacy Rule only allows covered entities (CEs) to disclose protected health information (PHI) without patient consent under narrow circumstances but in most cases doesn’t require them to, and that state law often is the arbiter of what should be disclosed, attorneys said.[1] Compliance and privacy officers might want to revisit their disclosure policies with that in mind in the wake of the June 24 Supreme Court decision that overturned the constitutional right to abortion enshrined in Roe v. Wade, because emergency room nurses, physicians and other clinicians may be unsure of their obligations in certain situations, including disclosures of PHI.[2]
“Providers need to have heightened awareness of requests for information and the main question is not about HIPAA,” said attorney Katie Ilten, with Fredrikson & Byron in Minneapolis. “It is about whether state laws apply to someone.” But nurses and many other health care professionals who may be mandatory reporters under various state laws can’t be expected to know the nuances of state law, “especially on this topic that is rapidly evolving,” said Richelle Marting, an attorney in Olathe, Kansas.
The OCR guidance, posted June 29, emphasizes that the HIPAA Privacy Rule allows, but doesn’t require, covered entities to disclose PHI without patient authorization. There are limited exceptions, including for disclosures to law enforcement, but they must be backed by something else, such as court orders and state laws.
The message is loud and clear: “HIPAA has never been a law that compels disclosure,” Ilten said.
The guidance is “a great reminder that under HIPAA, a disclosure that is required by law for HIPAA purposes is only permissible and not mandatory,” Marting said. Because that often will be determined by state laws, providers will have to understand what their state laws require, Marting said. “Under HIPAA, where a disclosure meets the ‘required by law’ criteria, HIPAA allows the disclosure but only the minimum necessary information that is required under state law.”
That will get very tricky with abortion care if states enact laws that require disclosure, Ilten noted. “A big question is whether there will be state laws that come about that require reporting to law enforcement,” Ilten said. “I don’t know of any now.” Also, if the covered entity is in a state with an abortion ban, can a law enforcement request for PHI be granted? “State laws typically don’t reach across to people in other states,” Ilten noted.
Already, 46 states and the District of Columbia require hospitals, other facilities and physicians providing abortions to “submit regular and confidential reports to the states,” according to the Guttmacher Institute.[3]
OCR: Limits on Disclosures Without Authorization
Under HIPAA, CEs can only use or disclose PHI without a person’s written authorization as “expressly permitted or required by the Privacy Rule.” OCR described three permitted types of disclosures and gave examples of their application to reproductive care. HIPAA allows CEs to disclose PHI without patient authorization if the disclosure is required by another law. “This permission to disclose PHI as ‘required by law’ is limited to ‘a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law,’” OCR said. “Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.”
OCR gives the example of a person who goes to the hospital emergency room (ER) because of complications in connection with a miscarriage during the tenth week of pregnancy, and an ER employee suspects the person took medication to end their pregnancy. In her state, abortion is prohibited after six weeks of pregnancy, but there’s no reporting requirement to law enforcement. “Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the ‘required by law’ permission,” OCR said. “Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.”
The Privacy Rule also permits, but doesn’t require, PHI disclosures to law enforcement under certain circumstances, OCR said. For example, a CE may respond to a law enforcement request that comes with a court order, warrant, subpoena or summons. “In the absence of a mandate enforceable in a court of law, the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care,” OCR said. “That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement. This is because, generally, state laws do not require doctors or other health care providers to report an individual who self-managed the loss of a pregnancy to law enforcement.”
The guidance is more complicated when it comes to preventing harm. The Privacy Rule allows (but doesn’t require) CEs to disclose PHI if they believe in good faith it’s necessary “to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat,” OCR said. However, major professional societies consider it “inconsistent with professional standards of ethical conduct” to disclose PHI to law enforcement or others about a person’s “interest, intent, or prior experience with reproductive health care.” For example, if a pregnant person in a state that bans abortion tells her provider she intends to seek an abortion in a state where it’s legal and the provider wants to inform law enforcement to try to prevent the abortion, the Privacy Rule doesn’t permit this disclosure to law enforcement for several reasons, OCR said. For one thing, “a statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a ‘serious and imminent threat to the health or safety of a person or the public.’”
A Good Time to Review Reporting Policies
Ilten said OCR is conveying it would violate HIPAA to disclose a patient’s plan to have an abortion because that’s not considered a threat to the public. “Absent some other law that says you have to disclose, it’s not OK to disclose under HIPAA,” she noted. But the CE is still on the hook for the breach if an employee reports it to law enforcement, she said. “The CE would face potential enforcement by OCR for a disclosure that’s not permitted.”
Hospitals and other CEs may want to revisit their mandatory reporting and state reporting policies because of the OCR guidance, Marting said. Policies should ensure that providers share the minimum necessary information required by law but don’t go too far, and track what’s reported and when. “HIPAA doesn’t get in the way unless you go beyond the information required under the state law. Then it is not permitted under HIPAA and you may have an impermissible disclosure,” Marting said.
Privacy and compliance officers and legal counsel will have to coordinate on these issues, Ilten said. “Compliance will get questions about, ‘Can I do this activity, such as, may I prescribe a pregnancy termination pill?’ Privacy will get questions about whether I can disclose or must disclose, and they will be related because certain activity will be related.” She said, for example, “there may be a question about whether someone may or must disclose that certain abortion-related treatment was provided by someone at the covered entity.”
Also, if a state health department implements a rule on seeking more information about abortion, “there will be more questions about what can be released,” Ilten said. “Anytime an activity that is health care-related is regulated, whether it’s COVID testing or abortion care, there will be requests for information, and when there’s a request for information, it’s always about what laws require disclosure.”
In separate guidance released simultaneously, OCR explained that HIPAA generally doesn’t protect the privacy or security of health information “when it’s accessed or stored on your personal cell phones or tablets.”[4] HIPAA only applies to PHI created, received, maintained or transmitted by CEs and business associates.
Contact Ilten at kilten@fredlaw.com and Marting at rmarting@richellemarting.com.