HHS Seeks to Strengthen Confidentiality Around Reproductive Healthcare Services
In June of 2022, the U.S. Supreme Court issued the Dobbs decision, which overruled Roe v. Wade. Shortly after Dobbs was handed down, HHS issued guidance to providers, reminding them that the HIPAA Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes.
For example, a provider in a state where abortion is outlawed may respond to a law enforcement request made through such legal processes as a court order or court-ordered warrant, or a subpoena or summons, by disclosing only the requested PHI (e.g., specifics about the provision of reproductive healthcare). However, providers may not, under HIPAA, be forced to provide this information.
Since June of 2022, OCR has been contacted by panicked providers, who have expressed fear that they or their patients may be jailed for providing or obtaining evidence-based and medically appropriate care – or jailed even for discussing abortion services with their patients.
In April of 2023, OCR issued a Notice of Proposed Rulemaking (“NPRM”) to strengthen HIPAA’s protections around reproductive healthcare privacy. Under the NPRM, the use or disclosure of PHI would be prohibited for a criminal, civil, or administrative investigation into, or proceeding against, any person seeking, obtaining, providing, or facilitating lawful reproductive health care, in the following circumstances:
- Where reproductive health care is sought, obtained, provided, or facilitated in a state where that care is lawful, and outside of the state where an investigation or proceeding is authorized (e.g., if a resident of one state traveled to another state to receive a legal abortion).
- Where reproductive health care is protected, required, or expressly authorized under federal law, such as miscarriage management required under the federal Emergency Medical Treatment and Active Labor Act (EMTALA).
- Where reproductive health care is lawfully provided in the state where the investigation or proceeding is authorized.
OCR clarified that the proposed rule would continue to allow uses and disclosures of PHI permitted by HIPAA, with the caveat that the request for PHI is not made to investigate or impose liability in connection with seeking, providing, or facilitating health care.