Office of Civil Rights Announces Guidance for Disclosures of Information Relating to Abortion Services Following the Dobbs Decision

On June 29, 2022, the Department of Health and Human Services Office of Civil Rights released a guidance document entitled HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care. This guidance follows the decision of the United States Supreme Court in Dobbs v. Jackson Women’s Health, in which the Court overruled it’s 1973 decision in Roe v. Wade.

The guidance is not a new interpretation of the regulations, it is a reminder of the limitations on disclosure of protected health information and how those limitations continue to apply in states where the Dobbs decision leads to more restrictive laws on abortion or other reproductive services. As such, it underscores limits practitioners should be mindful of before disclosing any information about patients seeking or receiving abortion or other reproductive services, including services that may be criminalized under the post-Dobbs laws of the various states. The overall message is clear: the Department of Health and Human Services is reminding providers that knowledge of a prohibited act does not confer the right to report that act.

HIPAA provides more than a dozen exceptions to its general prohibition on the disclosure of protected health information. The new guidance discusses three of those exceptions. To be clear, none of these exceptions are specific to or newly created as a result of the Dobbs decision; each has existed since the inception of HIPAA.

Disclosures Required by Law

The exception for disclosures required by law is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” In other words, the law must explicitly require the provider to access and report the specified information. A common example is the requirement to report gunshot injuries. States (including Utah) with post-Dobbs “trigger” laws and those in which new laws are enacted may criminalize conduct, but the guidance affirms that unless that state also enacts a requirement mandating a specific report from providers, those reports would be a violation of federal privacy law. If a provider’s workforce member makes an unauthorized disclosure, failure to notify the Secretary of Health and Human Services, as well as the individual whose protected health information is disclosed, would constitute separate regulatory violations.

Disclosures for Law Enforcement Purposes

This has always been a confusing exception because the definition of “law enforcement purposes” is more limited than providers believe. This exception is limited to disclosures “pursuant to process and as otherwise required by law.” Process includes a court order, a court-ordered warrant, a subpoena or a summons authorized by law. It does not permit disclosures by providers who believe law enforcement should be aware of the conduct; a good faith belief that a crime may have been committed is not a law enforcement purpose. The guidance states: “In the absence of a mandate enforceable in a court of law, the Privacy Rule’s permission to disclose PHI does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care.” A point often misunderstood by providers is that a verbal request from a law enforcement official is not “pursuant to process,” and if there is no “court order or other mandate” the provider is not permitted to disclose any information. Having a written policy can be helpful in responding to law enforcement requests.

Disclosures to Avert a Serious Threat to Health or Safety

This exception is intended to allow reports “to a person or persons reasonably able to prevent or lessen” a “serious and imminent threat to the health or safety of a person or the public.” For example, a report to the highway patrol that a driver has left the emergency department severely intoxicated. That imminent threat language is critical, but the limitation that reports can only be made to someone in a position to prevent the threat is equally important. The guidance offers the example of a provider who learns of a patient’s intention to travel to another state to undergo a procedure lawful in that other state. While a provider may hold a good faith belief that the possibility of an abortion constitutes a threat to the unborn child, if the procedure is lawful in another state there is nobody “reasonably able to prevent” that patient from traveling to other state, and therefore nobody to whom the disclosure could lawfully be made. Law enforcement cannot arrest someone for expressing an intent to engage in lawful activity in another jurisdiction.

Utah’s Existing Reporting Requirements

In Utah, the status of the “trigger law” is on hold as of this writing, but as written the legislation provides several exceptions, and existing reporting requirements for abortion procedures remain in effect. Those are required vital statistics reports, first mandated by the Utah legislature in 1974, in which both patient and provider remain anonymous. Anonymous vital statistics reports to the State Department of Health are protected under an exception for Public Health Activities.
While states no doubt will be crafting their individual responses to Dobbs for years to come, the federal protection for the privacy of health information remains fully in effect.