HHS Releases Guidance on Disclosure of Patients’ Reproductive Health Information | Hogan Lovells

HIPAA limits disclosures to law enforcement and others

The guidance makes clear that, for disclosures not related to an individual’s care, HIPAA-regulated entities may use or disclose PHI without an individual’s signed permission only in limited circumstances, and that such disclosures should be narrowly tailored to protect individuals’ privacy and support their access to health services. Through a series of illustrative examples, the guidance specifically addresses the narrow circumstances in which PHI may be disclosed (a) when required by law, (b) to law enforcement, and (c) when necessary to avoid serious threats to health or safety. The US Department of Health and Human Services (HHS) points out that while such disclosures are permitted, they are not required by HIPAA.

  • Disclosures required by law: Disclosures required by law are limited to “a mandate contained in law that requires an entity to use or disclose PHI and that is enforceable in court.” The guidance states that disclosures of PHI “that do not meet the definition ‘required by law’ in the HIPAA rules, or that exceed what is required by that law, are not considered permitted disclosures.” Laws that prohibit abortion but do not expressly require reporting to law enforcement do not support the disclosure of PHI under the “required by law” permission.

  • Disclosures to Law Enforcement: The HIPAA Privacy Rule permits, but does not require, covered entities to disclose an individual’s PHI for law enforcement purposes “pursuant to process and otherwise required by law” in certain circumstances. For example, in response to a court order, a court-ordered warrant, or a subpoena, HIPAA permits disclosure only of the PHI requested, subject to the Rule’s minimum necessary standard.

In the absence of a court order or other legally enforceable mandate, HHS states that HIPAA does not permit a hospital or other health care provider’s staff member to choose to report an individual’s abortion or other reproductive health care. The HIPAA prohibition applies regardless of whether the staff member initiated the disclosure to law enforcement or disclosed the PHI at the request of law enforcement. When a law enforcement official presents a court order requiring a clinic to provide PHI regarding a person who has obtained an abortion, the Privacy Rule would allow, but not require, the clinic to disclose the PHI to the law enforcement official, provided that any disclosure is limited to only the PHI expressly authorized by the court order.

  • Disclosures to Avoid Serious Threats to Health or Safety: The HIPAA provisions permitting the disclosure of PHI to prevent a serious threat to health or safety are particularly narrow, and such disclosures are permitted only if (1) they are consistent with applicable law and standards of professional ethics, (2) the covered entity, in good faith, believes that the disclosure is necessary to prevent or mitigate a serious and imminent threat to the health or safety of any person or the public, and (3) the disclosure is made to a person reasonably able to prevent or mitigate the threat. Therefore, a provider in a state that prohibits abortion who is informed by a pregnant patient that she intends to have an abortion in another state would not, in the opinion of HHS, be authorized to report the patient to law enforcement under this provision, for two reasons. First, an individual’s stated intent to seek a legal abortion or related care does not constitute “a serious and imminent threat to the health or safety of any person or the public.” Second, it would be unethical for the provider to take actions that could increase the risk of harm to the patient and compromise the integrity of the patient-physician relationship.

In addition to issuing these guidelines, HHS has declared that enforcement of privacy protections related to reproductive and sexual health is an enforcement priority.

Additional Privacy and Security Guidance for Data Not Covered by HIPAA

Recognizing that HIPAA protections often do not extend to data collected and stored on personal mobile devices or by consumer-facing health apps and services, HHS has also issued separate guidance to help educate individuals on how to protect their non-HIPAA-regulated data. The guidance covers practices such as limiting third-party access to location and other sensitive information collected by mobile phones and apps.

Beyond HIPAA, sexual and reproductive health information may have special protections under state laws. Additionally, the FTC has taken the position that health data is sensitive and subject to heightened privacy and security standards. As recently as February 2022, the FTC also pointed out that breaches of non-HIPAA-regulated health records are subject to the FTC’s Health Breach Notification Rule.

Recommendations for best practices

In light of the legal and policy uncertainty created by the Dobbs decision, organizations may consider the following proactive measures to protect sexual and reproductive health care information and to address concerns expressed by patients and consumers:

  • Focus on data minimization: Assess the extent to which the organization collects and retains sexual and reproductive health information and limit this collection to only data required for legitimate business purposes.

  • Reinforce administrative, technical and organizational safeguards: Improve existing safeguards and access controls to better protect sensitive health information from inadvertent disclosure.

  • Develop internal protocols for responding to third-party requests: Develop and implement clear processes for receiving, assessing and responding to requests for sexual and reproductive health information from third parties, including law enforcement.

  • Develop training programs: Organizations that maintain significant amounts of sexual and reproductive health information, or that anticipate high volumes of third-party requests for such information, can expand workforce training to emphasize the safeguards in place to protect the information.

  • Revisit vendor relationships: Assess vendor relationships to ensure that vendors have provided sufficient assurance that the organization’s sensitive health information will be appropriately protected.

  • Revise privacy notices, as applicable: Post clear privacy notices describing the safeguards in place to protect sexual and reproductive health care information, and update existing privacy notices as the organization’s privacy practices change in light of recent events.

Pat Bruny, summer associate in our Washington, DC office, contributed to this post.