HIPAA Limits Disclosures to Law Enforcement and Others
The guidance makes clear that for disclosures that are not related to an individual’s care, HIPAA-regulated entities can use or disclose PHI, without an individual’s signed authorization, only in limited circumstances and that such disclosures must be narrowly tailored to protect the individual’s privacy and support their access to health services. Through a series of illustrative examples, the guidance specifically addresses the narrow circumstances under which PHI may be disclosed (a) when required by law, (b) to law enforcement, and (c) as required to avert serious threats to health or safety. The U.S. Department of Health and Human Services (HHS) emphasizes that although such disclosures are permitted, they are not required by HIPAA.
- Disclosures Required by Law: Disclosures required by law are limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” The guidance states that disclosures of PHI “that do not meet the ‘required by law’ definition in the HIPAA Rules, or that exceed what is required by such law, do not qualify as permissible disclosures.” Laws that prohibit abortion but do not expressly require reporting to law enforcement do not support a disclosure of PHI under the “required by law” permission.
- Disclosures to Law Enforcement: The HIPAA Privacy Rule permits, but does not require, covered entities to disclose PHI about an individual for law enforcement purposes in some circumstances, “pursuant to process and as otherwise required by law.” For example, in response to a court order or a court-ordered warrant, subpoena, or summons, HIPAA permits disclosure of only the requested PHI, subject to the rule’s minimum necessary standard.
Absent a court order or other mandate enforceable in a court of law, HHS states that HIPAA does not permit disclosures where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care. The HIPAA prohibition applies regardless of whether a workforce member initiated the disclosure to law enforcement or the workforce member disclosed PHI at the request of law enforcement. Where a law enforcement official presents a court order requiring a clinic to produce PHI about an individual who has obtained an abortion, the Privacy Rule would permit, but not require, the clinic to disclose to the law enforcement official, provided that any disclosure is limited to only the PHI expressly authorized by the court order.
- Disclosures to Avert Serious Threats to Health or Safety: The HIPAA provisions permitting the disclosure of PHI to avert a serious threat to health or safety are particularly narrow. Such disclosures are allowed only if (1) they are consistent with applicable law and professional ethical standards, (2) the covered entity, in good faith, believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and (3) the disclosure is made to a person reasonably able to prevent or lessen the threat. Hence, a pregnant patient’s provider in a state that bans abortion who is told by the patient that the patient intends to seek an abortion in another state would not, in HHS’s view, be permitted to report the patient to law enforcement under this provision, for two reasons. First, an individual’s stated desire to seek a legal abortion or related care does not qualify as “a serious and imminent threat to the health or safety of a person or the public.” Second, it would be inconsistent with the provider’s professional ethics to take action that might increase the risk of harm to the patient and that would compromise the integrity of the patient-physician relationship.
In addition to issuing this guidance, HHS declared that enforcement of privacy protections related to reproductive and sexual health is an enforcement priority.
Additional Guidance Concerning the Privacy and Security of Non-HIPAA-Covered Data
In recognition that HIPAA protections often do not extend to data collected and maintained on personal mobile devices or by consumer-directed applications and health services, HHS also issued separate guidance that helps educate individuals on how to safeguard their non-HIPAA-regulated data. The guidance covers practices such as limiting third parties’ access to location and other sensitive information collected by mobile phones and apps.
Beyond HIPAA, sexual and reproductive health information may be subject to special protections under state laws. In addition, the FTC has taken the position that health data is sensitive and subject to heightened privacy and security standards. As recently as February 2022, the FTC also emphasized that breaches of non-HIPAA-regulated health records are subject to the FTC’s Health Breach Notification Rule.
Recommendations for Best Practices
In light of the legal and political uncertainty created by the Dobbs decision, organizations may consider the following proactive steps to safeguard sexual and reproductive health care information and to address concerns expressed by patients and consumers:
- Emphasizing Data Minimization: Evaluate the extent to which the organization collects and maintains sexual and reproductive health information, and limit such collection to only the data required for a legitimate business purpose.
- Enhancing Administrative, Technical, and Organizational Safeguards: Enhance existing safeguards and access controls to further protect sensitive health information from inadvertent disclosure.
- Developing Internal Protocols for Responding to Third-Party Requests: Develop and implement clear processes for receiving, evaluating, and responding to third-party requests for sexual and reproductive health information, including requests from law enforcement.
- Expanding Training Curricula: Organizations that maintain significant amounts of sexual and reproductive health information, or that anticipate high volumes of third-party requests for such information, may expand workforce training to emphasize the protections in place to safeguard the information.
- Revisiting Vendor Relationships: Evaluate vendor relationships to make sure vendors have provided sufficient assurance that the organization’s sensitive health information will be appropriately protected.
- Revising Privacy Notices, As Appropriate: Issue clear privacy notices indicating what privacy protections are in place for information concerning sexual and reproductive health care, and update existing privacy notices to the extent the company’s privacy practices change in light of recent events.
Pat Bruny, a Summer Associate in our Washington, D.C. office, contributed to this post.