HHS issues HIPAA guidance after abortion ruling
Providers shouldn’t cite the Health Insurance Portability and Accountability Act as a reason to disclose a patient’s abortion plan to law enforcement, the Health and Human Services Department said Wednesday.
Under HIPAA, healthcare providers are allowed to disclose—including to law enforcement— a patient’s medical information if they believe it’s needed to prevent or lessen a “serious and imminent threat” to health or safety.
HHS previously said it defers to providers to determine what constitutes such a threat, but a disclosure must be “consistent with applicable law and standards of ethical conduct.”
In guidance released Wednesday, HHS said a patient’s plan to get a legal abortion does not qualify as a serious or imminent threat. Providers are advised not to tell law enforcement about a patient’s intention to receive an abortion in a state where abortion is legal by citing that standard, even if the provider and patient are based in a state that bans abortion.
Disclosing such information to law enforcement would be “inconsistent” with ethical standards from medical groups including the American Medical Association and American College of Obstetricians and Gynecologists, and could compromise the “integrity of the patient–physician relationship,” HHS wrote in its guidance.
“Therefore, such a disclosure would be impermissible and constitute a breach of unsecured [protected health information],” HHS wrote.
HHS said providers may only share medical data with law enforcement when expressly required under state law and when responding to mandates such as a court order or subpoena. The agency also said providers may only share the medical data that’s required—not a patient’s entire medical record.
HHS’s guidance was released in response to the Supreme Court’s decision last week overturning Roe v. Wade, which has left abortion laws up to the states. Navigating federal and state laws can be confusing for doctors in states that restrict or outlaw abortion, and doctors have minimal legal protection as state courts grapple with potential civil, administrative and criminal charges.
“Anyone who believes their privacy rights have been violated can file a complaint with [Office for Civil Rights] as we are making this an enforcement priority,” HHS Secretary Xavier Becerra said in a news release. “Today’s action is part of my commitment to President [Joe] Biden to protect access to health care, including abortion care and other forms of sexual and reproductive health care.”
Becerra earlier this week said HHS would enforce standing policies that protect access to reproductive healthcare.
HHS on Wednesday also released guidance on how patients can protect health information held on smartphones that’s not covered by HIPAA, such as data entered into personal health apps, search history related to abortion and other reproductive care, and geolocation data. Privacy advocates in the wake of the Supreme Court’s decision have called on technology companies to limit personal details they collect on users.
The AMA, which has previously raised concern over mobile apps collecting health data, voiced support for HHS’s HIPAA guidance.
“That medical information was previously being siphoned off and monetized was always a concern,” AMA President Dr. Jack Resneck Jr. said in a statement. “Now, it’s a legal threat as zealous prosecutors can track patients and access their medical records to determine what medical services were provided.”