The U.S. Department of Health and Human Services (HHS) recently released guidance on the Health Insurance Portability and Accountability Act (HIPAA), clarifying that the HIPAA Privacy Rule still applies to abortion records. In brief, this ensures that protected health information (PHI), including that related to abortion, remains private, except in specific circumstances. The HHS’s guidance explains these particular circumstances in detail and provides examples. The U.S. Supreme Court’s earlier decision on Roe v. Wade has impacted access to reproductive care benefits. Consequently, employers and health plan participants have faced uncertainty about how the abortion ruling affects current laws like the HIPAA Privacy Rule. Undoubtedly, the HHS’s guidance will help clear up how the law applies amid the recent ruling.
What Is the HIPAA Privacy Rule?
HIPAA is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. In turn, the HHS issued the HIPAA Privacy Rule to implement requirements under HIPAA. Standards under the HIPAA Privacy Rule address the use and disclosure of protected health information (including abortion) by covered entities. Additionally, it protects an individual’s rights to understand and control how covered entities use their health information. In detail, covered entities include:
- most healthcare providers,
- health plans,
- business associates, and
- healthcare clearinghouses.
These covered entities may disclose personal health information only as expressly permitted or required by the HIPAA Privacy Rule.
Disclosures Required Under the Law
The HIPAA Privacy Rule permits but does not require covered entities to disclose an individual’s personal health information without the individual’s consent whenever another law requires such disclosure. However, permission to disclose this information is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” For example:
- An individual takes abortion medication in the tenth week of pregnancy. However, their state’s law prohibits abortion after six weeks. Still, it does not require covered entities to report the individual to law enforcement. The disclosure would breach the HIPAA Privacy Rule where the law does not require such reporting.
Disclosures to Law Enforcement
Likewise, the HIPAA Privacy Rule permits but does not require entities to disclose PHI for law enforcement purposes under specific conditions. In this case, the covered entity would require a mandate enforceable in a court of law. For example:
- A law enforcement officer presents a covered entity with a court order to produce PHI about an individual who had an abortion. Under this condition, the rule would permit but not require the entity to disclose only the PHI specifically related to the abortion.
Disclosures to Prevent a Serious Threat to Health
Finally, the HIPAA Privacy Rule permits but does not require covered entities to disclose PHI if the entity believes, in good faith, that such disclosure is necessary to prevent or lessen a serious, imminent threat to the health or safety of an individual or the public. In this case, the entity may only disclose to a person reasonably able to prevent or lessen the threat. Further, the American Medical Association and American College of Obstetricians and Gynecologists established that disclosing PHI to law enforcement, in this case, would be inconsistent with professional standards of ethical conduct. For example:
- A pregnant individual tells their provider they intend to get an abortion in another state. The provider may not report them to law enforcement because the individual’s intent to get a legal abortion is not a “serious and imminent threat.” Also, it would be inconsistent with professional and ethical standards as it compromises the patient-physician relationship. Finally, it could increase the risk of harm to the individual.
Employers should also remember that the HIPAA Privacy Rule protects an employee’s PHI from unlawful disclosure related to employment. Possible instances may include when offering reasonable accommodations or when interviewing and hiring. In addition, individuals may report HIPAA violations through the Office for Civil Rights complaint portal.