Federal agencies issue post-Roe privacy guidelines


Fifty years of case law established by Roe v. Wade, 410 US 113 (1973), and Planned Parenthood of Southern Pa. c. Casey, 505 US 833 (1992), were revoked in Dobbs v. Jackson Women’s Health Organization, holding that the Constitution does not confer the right to abortion and leaving abortion laws to the discretion of the states. This new landscape has introduced a wave of legal issues, and among these are questions regarding the protection of personal information related to abortion and contraceptive services. To address some of these privacy issues, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) has issued new guidance regarding the Health Information Portability and Accountability Act (HIPAA). ) Rule (“Privacy Rule”). The new HIPAA guidelines generally remind providers of their obligations under the Privacy Rule to protect patients’ protected health information (“PHI”), even in many circumstances where the information has been requested by government officials or in in the context of a dispute. Additionally, recognizing the extent to which patient information is stored on patients’ personal smartphones and is not protected by HIPAA (for exampledata entered into personal health apps, search history related to abortion and other reproductive care, and geolocation data), but may be relevant under new criminal and civil health laws. abortion, HHS has released additional guidance for consumers on how to protect and secure personal information on phones and tablets that are not otherwise protected by HIPAA.

Under the rule of confidentiality, disclosure of PSR without the patient’s permission is only permitted in “narrow circumstances,” and disclosure of PSR to law enforcement is limited based on the facts and the type of requests (for examplecourt-ordered warrant, subpoena, or to prevent or lessen a “serious and imminent threat to health or safety”.)[1] The Privacy Rule expressly defers to a provider’s professional judgment to determine what constitutes a “serious and imminent threat”;[2] however, according to the guidelines, the OCR clarified that it is “inconsistent with professional standards of ethical conduct to disclose such information to law enforcement or others regarding the interest, intent, or an individual’s previous experience with reproductive health care”.[3] Additionally, “narrow circumstances” for disclosure include, but are not limited to, efforts to:

  • Comply with a court order, court-ordered warrant, subpoena, subpoena issued by a court officer, or subpoena to appear before a grand jury (45 CFR 164.512(f)(1)(ii) (A)-(B));

  • Respond to an administrative request[4] ((45 CFR 164.512(f)(1)(ii)(C));

  • Report PHI that a Covered Entity considers in good faith to be evidence of a crime that occurred on the Covered Entity’s premises (45 CFR 164.512(f)(5));

  • Respond to a request from PHI regarding a victim of a crime, and the victim agrees (45 CFR 164.512(f)(3)); and

  • Report PHI to law enforcement when required by law (45 CFR 164.512(f)(1)(i)).

Thus, in the absence of a court order, the exceptions to the confidentiality rule for disclosing PSI for law enforcement purposes do not not allow disclosure to law enforcement when a hospital or health care provider wishes to report a person’s abortion or other reproductive health care. Thus, a hospital employee who suspects a patient of having an abortion in a state where it is illegal cannot report the planned abortion to law enforcement unless a state law n specifically requires such a statement. HHS clarifies that a statement indicating a person’s intent to obtain a legal abortion or other care related to pregnancy loss, ectopic pregnancy, or other complications related to or involving pregnancy does not not qualify as a “serious and imminent threat to the health and safety” of a person or the public.[5] Disclosure of this information to law enforcement in such circumstances would be impermissible and a violation of unsecured PHI, requiring notification to HHS and the affected individual.[6]

And, although the confidentiality rule generally does not protect the privacy or security of an individual’s health information when accessed or stored on a personal cell phone or tablet, guidelines released last week by HHS outlined how individuals can protect themselves. The Privacy Rule applies only when PHI is created, received, maintained or transmitted by Covered Entities and Business Associates (for example, health care providers, and health insurers), and does not extend to protecting the privacy of an individual’s Internet search history, any information one voluntarily shares online, or information geographic location of an individual. Therefore, the guidance sheds light on ways to protect their digital footprint and reduce how devices collect and share personal and health information.

Moreover, in response to the Dobbs decision and growing concerns that personal data will be used to incriminate people seeking abortions, Senator Elizabeth Warren, backed by a slate of five Democratic senators, proposed passage of the Personal Data Protection Act. health and location to prohibit “data brokers from selling or transferring location data and health data. If approved, the bill would allow the Federal Trade Commission and state attorneys general to prosecute brokers found guilty of breaking the law. Notably, the legislation would include exceptions to comply with HIPAA.

The legislative and regulatory landscape regarding abortion and reproductive health services will certainly change in the near future as states respond to Dobbs decision. As granted by Dobbs, states will now have the power to enforce their own abortion rules, creating an opportunity for widely varying statutes, penalties, exceptions, circumstances, and a variety of other consequences across the country. Health care providers who provide a full range of health care services to women, including abortion, will need to review their policies and procedures to ensure compliance with state laws and to understand how Dobbs decision affects the care they can provide to patients. Providers should familiarize themselves with the new guidelines to verify the circumstances under which HIPAA permits the disclosure of PSR without the patient’s permission.


[1] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[2] https://www.hhs.gov/hipaa/for-professionals/faq/3002/what-constitutes-serious-imminent-threat-that-would-permit-health-care-provider-disclose-phi-to-prevent- harm-patient-public-without-patients-authorization-permission/index.html

[3] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[4] Provided that: the information sought is relevant and essential to a legitimate law enforcement investigation; the request is specific and limited in scope to the extent possible given the purpose for which the information is sought; and the anonymized information could not reasonably be used.

[5] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[6] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

© 2022 Proskauer Rose LLP. National Law Review, Volume XII, Number 189


Comments are closed.