In the wake of the Supreme Court’s seismic decision in Dobbs v. Jackson Women’s Health Organization, the U.S. Department of Health and Human Services (HHS) has issued guidance to help patients, providers, and other health care entities address privacy concerns in a complex and rapidly evolving legal and regulatory environment concerning sexual and reproductive health care. The guidance sends a clear message: under HIPAA, with limited exceptions, providers and health care entities are not required to disclose to third parties private medical information relating to abortions and other sexual and reproductive health services, absent a signed authorization from the individual who the information concerns. The guidance also provides a reminder that non-HIPAA-regulated products and services, including health applications, may not offer the same protections and offers guidance to patients about steps they can take to protect their privacy.
The guidance makes clear that for disclosures not related to an individual’s care, HIPAA-regulated entities can use or disclose PHI without an individual’s signed authorization only in limited circumstances, and that such disclosures must be narrowly tailored to protect the individual’s privacy and support their access to health services. Through a series of illustrative examples, the guidance specifically addresses the narrow circumstances under which PHI may be disclosed (a) when required by law, (b) to law enforcement, and (c) as required to avert serious threats to health or safety. HHS emphasizes that although such disclosures are permitted, they are not required by HIPAA.
Disclosures Required by Law: Disclosures required by law are limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” The guidance states that disclosures of PHI “that do not meet the ‘required by law’ definition in the HIPAA Rules, or that exceed what is required by such law, do not qualify as permissible disclosures.” Laws prohibiting abortion but not expressly requiring reporting to law enforcement do not support a disclosure of PHI under the “required by law” permissible disclosure.
Absent a court order or other mandate enforceable in a court of law, HHS states that HIPAA does not permit disclosures where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care. The HIPAA prohibition applies regardless of whether a workforce member initiated the disclosure to law enforcement or the workforce member disclosed PHI at the request of law enforcement. Where a law enforcement official presents a court order requiring a clinic to produce PHI about an individual who has obtained an abortion, the Privacy Rule would permit, but not require, the clinic to disclose to the law enforcement official, provided that any disclosure is limited to only the PHI expressly authorized by the court order.
In addition to issuing this guidance, HHS declared that privacy protections related to reproductive and sexual health are an enforcement priority.
In recognition that HIPAA protections often do not extend to data collected and maintained on personal mobile devices or in consumer-directed applications and health services, HHS also issued separate guidance to educate individuals on how to safeguard their non-HIPAA-regulated data. The guidance covers practices such as limiting third parties’ access to location and other sensitive information collected by mobile phones and apps.
Beyond HIPAA, sexual and reproductive health information may be subject to special protections under state laws. In addition, the FTC has taken the position that health data is sensitive and subject to heightened privacy and security standards. As recently as February 2022, the FTC also emphasized that breaches of non-HIPAA-regulated health records are subject to the FTC’s Health Breach Notification Rule.
In light of the legal and political uncertainty created by the Dobbs decision, organizations may consider the following proactive steps to safeguard sexual and reproductive health care information and to address concerns expressed by patients and consumers:
Emphasizing Data Minimization: Evaluate the extent to which the organization collects and maintains sexual and reproductive health information and limit such collection to only the data required for a legitimate business purpose.
Enhancing Administrative, Technical, and Organizational Safeguards: Enhance existing safeguards and access controls to further protect sensitive health information from inadvertent disclosure.
Developing Internal Protocols for Responding to Third-Party Requests: Develop and implement clear processes for receiving, evaluating, and responding to third-party requests for sexual and reproductive health information, including from law enforcement.
Expanding Training Curricula: Organizations that maintain significant amounts of sexual and reproductive health information, or that anticipate high volumes of third-party requests for such information, may expand workforce training to emphasize the protections in place to safeguard the information.
Revisiting Vendor Relationships: Evaluate vendor relationships to make sure vendors have provided sufficient assurance that the organization’s sensitive health information will be appropriately protected.
Revising Privacy Notices, As Appropriate: Issue clear privacy notices indicating what privacy protections are in place to protect information concerning sexual and reproductive health care—and update existing privacy notices to the extent changes are made to the company’s privacy practices in light of recent events.
Authored by Marcy Wilder, Donald DePass, Fleur Oké, and Erik Lampmann.
Pat Bruny, a Summer Associate in our Washington, D.C. office, contributed to this post.