Using HIPAA To Protect Patient Privacy and Fight Abortion Criminalization

In the aftermath of the U.S. Supreme Court’s decision to overturn Roe v. Wade, the U.S. Department of Health and Human Services (HHS) issued new guidance clarifying the Health Insurance Portability and Accountability Act (HIPAA) privacy rule as it relates to state efforts to criminalize abortion.

This guidance is an important step forward in protecting abortion patients’ privacy and the patient-provider relationship against inappropriate intrusions, particularly as an increasing number of states begin enforcing their criminal bans on abortion. Moving forward, while recognizing that the scope of HIPAA’s privacy protections have some notable limitations, the administration can further bolster individuals’ knowledge of their rights and encourage entities to put in place best practices to protect individuals’ private medical information from being shared with politically motivated law enforcement and prosecutors.

The basics of HIPAA’s privacy rule

At its core, HIPAA’s privacy rule protects an individual’s personal health information from being shared or used without that person’s consent. Not every entity in possession of health information is required to adhere to HIPAA, but the vast majority of health plans, as well as health care providers, including hospitals, are subject to the rule.

At the same time, it is important to note that HIPAA’s privacy protections are not all-encompassing.

First, the rule prohibits only “individually identifiable health information” from being shared—meaning information that “identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.” Such information is considered “protected health information” (PHI).

In addition, there are exceptions to HIPAA’s prohibitions. Most relevant in the abortion criminalization context, unless very explicitly required by state law, those bound by HIPAA are allowed, but not required, to disclose personal health information to law enforcement when the request is accompanied by a legally enforceable mandate such as a court order. Disclosures are also allowed—though again, not required—to avert an imminent, serious health or safety threat; however, in such cases, the disclosure must be to someone who is reasonably able to lessen or avert that threat.

The vulnerable nature of abortion-related personal health information

Most abortion bans are enforced via criminal penalties and even jail time for health care professionals who provide abortion care. While most states explicitly shield those who have had, or are seeking, an abortion from prosecution, confusion abounds in states with abortion bans in place. For example, in April 2022, a hospital in Texas reported to law enforcement a woman for ending her own pregnancy. She was charged with murder and put in jail for three days. Though prosecutors ultimately dropped the charges when the district attorney realized he did not have authority to charge the woman, being prosecuted and/or charged can having devastating impacts by exposing the person to job loss as well as public harassment. Further, as the public may be unlikely to follow the details of a case or know the ultimate result, the high-profile nature of these arrests can have a chilling effect on people in need of health care following an abortion or miscarriage.

Taken together, patients’ personal health information is left extremely vulnerable in three key ways:

• Law enforcement or prosecutors may request such information as evidence in an investigation or trial; in pre-Roe investigations of abortion, prosecutors routinely sought patient records as sources of evidence to prove legal violations.
• The steep penalties that accompany today’s abortion bans—with more than one state allowing for lifetime sentences for providing abortion care—may prompt health care professionals to share information with law enforcement that they wouldn’t otherwise disclose under HIPAA, due to fear of being prosecuted or penalized for covering up a crime.
• Some health care workers may personally agree with their state’s abortion ban and seek to help enforce it through their own initiative.

HHS’ guidance on the privacy rule and abortion

The post-Roe HIPAA guidance used examples to illustrate the parameters of the law in regard to reproductive health information that may be of interest to law enforcement or prosecutors attempting to bring criminal charges for abortion care. More specifically, the guidance explains:

• If an employee or volunteer at a hospital suspects an individual of having an abortion, absent any express mandatory reporting requirement in the state, any disclosure of health information would violate HIPAA.

  Even if the state has a mandatory reporting requirement, HIPAA would only permit, not require, any disclosure. Furthermore, to satisfy HIPAA, any disclosure must be limited to only the express reporting requirements in law.

• If a law enforcement officer asks a clinic or hospital for records of patient care that might reference an abortion, or a clinic or hospital is suspected of disclosing such information outside those parameters, any such disclosures would violate HIPAA, absent a legally enforceable mandate such as a court order.

  Even if the request is accompanied by a court order, HIPAA would only permit, not require, any disclosure.

• If a patient were to tell their provider they want an abortion, that provider could not independently report the statement to law enforcement without violating HIPAA.

  The administration explained in its guidance that such statements do not qualify as a “serious and imminent” threat, and disclosure would compromise professional ethical standards as well as increase risk of harm to the patient seeking an abortion.

The HHS guidance also linked to the online portal available to those who believe their privacy rights have been violated and who want to file a complaint under HIPAA.

Needed next steps for the administration to bolster HIPAA’s privacy protections

While HIPAA does allow for information to be turned over in legal proceedings in some circumstances, it is important for both patients and individuals to know how to best safeguard their privacy. To further HIPAA’s privacy protections, the administration could:

• Use the Reproductiverights.gov website as a platform to prominently explain to the general public HIPAA’s privacy rights in an accessible format. While some health care providers may be well versed in HIPAA’s rules, many patients and health care workers and hospital volunteers are not.
• Work with state and local health departments supportive of abortion to post similar know-your-rights information. Doing so will both benefit those in hostile states seeking accurate information and better inform in-state health care workers who may experience requests for information from in- and out-of-state law enforcement agencies.
• Ensure patients know they do not have to disclose any information about their desire to have an abortion or if they had an abortion, self-managed or otherwise, to their health care provider.
• With leading medical groups and experts, release a series of best practices for health care entities when law enforcement seeks medical information. Ensure they know that HIPAA does not mandate disclosure on its own, and, if forced to respond to a court mandate via the state’s legal system, any disclosures should be as narrow as possible to protect the privacy of patients. In addition, health care entities should detail only medically necessary information in patient records.
• Consider establishing a legal hotline for suspected privacy violations in addition to the existing online portal, likely in partnership with the U.S. Department of Justice. Such a hotline would not only benefit those whose privacy rights have been violated, but also enable the government to further understand where and how such violations are occurring in real time.

Conclusion

While HIPAA is far from a cure-all for the threats to privacy that exist in states banning abortion, it is still an important protection against unnecessary intrusions into people’s medical histories—as the administration has recognized through its HHS guidance. Erecting buffers against these intrusions whenever possible will help to protect privacy, as well as to bolster protections against law enforcement becoming an omnipresent force in doctor’s offices and discouraging people fearful of prosecution from seeking medical care.