Keeping an Eye on PHI: OCR Guidance Concerning Permissible Disclosures of Reproductive Health PHI following Dobbs
On June 29, 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for health care providers and patients concerning the privacy protections afforded to a patient’s health information concerning abortion and other sexual and reproductive health services. From the outset, the OCR emphasized:
Access to comprehensive reproductive health care services, including abortion care, is essential to individual health and well-being. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Privacy Rule) supports such access by giving individuals confidence that their protected health information (PHI), including information relating to abortion and other sexual and reproductive health care, will be kept private.
OCR stressed that regulated entities, such as health plans, health care clearinghouses, and most health care providers and their business associates, can use and disclose PHI without an individual’s signed authorization but only as permitted or required by the Privacy Rule. Much of the guidance focuses on permitted disclosures versus required disclosures.
The Privacy Rule sets forth various circumstances in which covered entities are permitted, but not required, to disclose PHI without an individual’s signed authorization. See 45 CFR § 164.512. In light of the recent Dobbs v. Jackson Women’s Health Organization decision, there is much speculation as to what PHI a hospital may be required to disclose given that some states limit reproductive health services while others permit such services to a varying degree.
The OCR guidance specifically addressed what disclosures are permitted as “required by law” and in response to judicial and administrative proceedings, such as a response to a court order, subpoena or discovery request. See 45 CFR § 164.512(a) & (e). The definition of the phrase required by law “is limited to ‘a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.’” See 45 CFR § 164.103. This may include disclosure of PHI in response to a court order, court-ordered warrant, subpoena or summons issued by a court, etc. According to the guidance, any permitted disclosure “required by law” should be limited to the relevant requirements of the law at issue. Further, if disclosing PHI in response to a subpoena, discovery request or court order, certain conditions must be met, particularly written assurance from the requesting party that the individual whose PHI is requested has been provided written notice of the request to enable the individual to raise an objection. See 45 CFR § 164.512(e).
The guidance discussed, as an example, a situation where an individual seeks emergency care, following complications from a miscarriage in the tenth week of pregnancy, at a hospital in a state prohibiting abortion after the sixth week of pregnancy. A hospital worker suspects the individual took medication to end the pregnancy, but the state does not require hospitals or health care workers to report individuals obtaining an abortion to law enforcement. Because the state law does not expressly require reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” section. Any disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and to the individual. Conversely, if a state law exists requiring health care workers to report an abortion, this may fall into the “required by law” permissive disclosure section. Even then, health care workers should be mindful of whether disclosure is appropriate based on mere suspicion that the patient has had an abortion.
The guidance further clarifies that while the Privacy Rule has a permissive disclosure for law enforcement purposes, which is usually where state law requires the reporting of certain types of wounds or injuries, such disclosure must meet certain conditions set forth in § 164.512(f) of the Privacy Rule and should be specifically limited to the information the law requires. For example, the law may only require the name and address of the patient, type of injury and date and time of treatment but not require disclosure concerning what treatment was provided. In the absence of a state law requiring such disclosure to law enforcement, the disclosure would be impermissible.
Finally, the OCR guidance addresses situations where disclosure is permitted to avert a serious threat to health and safety and clarifies that “an individual’s interest, intent, or prior experience with reproductive health care” is not a circumstance qualifying for a permissible disclosure of PHI without authorization. In other words, seeking information about abortion services is not enough to permit disclosure of an individual’s PHI under the permissible disclosure exception for a serious and imminent threat to the health or safety of a person or the public. A provider’s disclosure to law enforcement that an individual sought information about, or expressed an intention to seek, an abortion would be impermissible under the Privacy Rule and constitute a breach, requiring notification to HHS and to the individual affected.
In this environment of uncertainty following the Dobbs ruling and varying state laws concerning reproductive health, we encourage any health care provider to seek legal advice and counsel when considering a disclosure of PHI related to reproductive health.