HHS Releases New Guidelines Regarding Confidentiality of Reproductive Health Information – Health
To print this article, all you need to do is be registered or log in to Mondaq.com.
Following the recent Supreme Court decision overturning
Roe vs. Wade, the Department of Health and Human Services (HHS) released guidance on June 29, 2022 regarding an individual’s right to privacy for reproductive health and abortion services under HIPAA (Health Information Portability and Accountability Act). The guidelines remind HIPAA-regulated entities (health plans, healthcare clearinghouses, and most healthcare providers) and, to some extent, their vendors who help them provide these health care (business associates), that an individual’s protected health information (PHI), including reproductive and abortion care, should be kept confidential and not disclosed without the individual’s permission, except express authorization or requirement of the confidentiality rule. HHS reiterates that these exceptions are narrowly designed to protect individual privacy and access to health services and, if improperly applied, could result in a breach of privacy. The guidance focuses on three types of permitted exceptions and provides specific examples of their application in the context of reproductive health.
Disclosures required by law
HIPAA permits disclosures required by law provided that the information disclosed is limited to the information required by that law.1 HHS notes that authorization to disclose is limited to “a warrant contained in law that requires an entity to use or disclose protected health information and that is enforceable in court.”2 For example, disclosure of individuals who have had abortions to law enforcement in states where abortions are prohibited would not be permitted under this exception unless state law specifically requires disclosure. such statement.
Disclosures for Law Enforcement Purposes
According to HHS guidelines, HIPAA-regulated entities are permitted to disclose an individual’s PHI for law enforcement purposes “according to process and otherwise required by law” under certain conditions.3 Such legal process may include (i) a court order or warrant issued by a court, or a subpoena or subpoena issued by a court officer, (ii) a subpoena to appear before a grand jury, or ( (iii) if certain conditions are met, a legally authorized administrative order. request, subpoena or subpoena, civil or investigative request, or similar process.4 Again, the extent of information disclosed should be limited to information expressly authorized by a warrant enforceable in court.5 or legal process. Any disclosure provided in the absence of such mandate or process or beyond the information requested when expressly authorized by such mandate or process violates the rule of confidentiality. For example, disclosures in response to law enforcement requests without a court order or other enforceable warrant in court would not be permitted under this exception.
Disclosures to Avoid a Serious Threat to Health or Safety
HIPAA permits disclosures “if the Covered Entity, in good faith, believes that the use or disclosure is necessary to prevent or mitigate a serious and imminent threat to the health or safety of any person or the public, and that the disclosure is intended for one or more persons who are reasonably capable of preventing or mitigating the threat.”6 Such disclosures must be “in accordance with applicable law and standards of ethical conduct”.seven For example, disclosure to law enforcement of persons intending to have an abortion for the purpose of preventing abortion where abortions are prohibited would not be permitted under this exception because, as the explains the HHS, a declaration of a person’s intention to have an abortion does not mean characterizing a “serious and imminent threat to the health or safety of any person or the public” and noting such an intention “would generally inconsistent with professional ethical standards as it compromises the integrity of the patient-physician relationship and may increase the risk of harm to the individual.”
Key points to remember
HHS has made it clear that the use of these exceptions for disclosure without the individual’s permission is only permitted if all conditions for disclosure are met. Additionally, HHS has declared that protecting an individual’s reproductive health care information is an enforcement priority. Accordingly, HIPAA-regulated entities should carefully assess whether the PHI request meets all of the requirements for disclosure before disclosing PHI under the permitted exceptions. Disclosures outside the limited context of these exceptions could result in a breach of privacy subject to breach notification and correction requirements, HHS enforcement action, and fines or penalties.
In addition, for each of these permitted categories of disclosure, HHS reminds HIPAA-regulated entities that disclosure is permitted but not required. Accordingly, HIPAA-regulated entities should carefully consider the impacts associated with disclosing or withholding disclosure under these exceptions, including any legal repercussions associated with failure to disclose when subject to a warrant. or binding legal process.
Although the guidelines do not change the requirements of the Privacy Rule, they do provide clarification and insight into how these requirements will be applied with respect to the use and disclosure of reproductive or health care information. abortion. HIPAA-regulated entities may wish to review their existing policies, procedures, and training materials for any updates in light of these guidelines.
1. Citing 45 CFR § 164.512(a)(1).
2. Citing 45 CFR § 164.103 defining “Required by law”.
3. Citing 45 CFR § 164.512(f)(1).
4. See 45 CFR § 164.512(f)(1)(ii).
5. Citing 45 CFR § 164.103 defining “Required by law”.
6. Citing 45 CFR § 164.512(j).
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
POPULAR ARTICLES ON: US Food, Drugs, Healthcare, Life Sciences