Abortion Restrictions Clash With HIPAA, Patient Privacy Protections
A JAMA Health Forum article discussed the Supreme Court’s decision to overturn Roe v. Wade and how HIPAA fails to protect patient privacy in certain circumstances.
HIPAA clashes with patient privacy and health data protections relating to newly imposed abortion restrictions in several major ways, experts suggested in a recent JAMA Health Forum article. The Supreme Court’s decision to overturn Roe v. Wade, which will give individual states the ability to restrict abortions, has further accentuated the limitations of HIPAA and other federal and state privacy laws.
“The most pressing concerns for physicians and health care facilities are how to minimize these laws’ adverse effects on patients and provide quality reproductive health care within legal limits,” the article stated.
“Yet, another vital issue also merits attention: How can clinicians and facilities protect their patients—and themselves—from having reproductive health information used to incriminate them?”
The experts argued that HIPAA’s scope and that of other privacy laws provide little protection against certain scenarios relating to abortion care and data privacy. This sentiment is shared by many others, including a pair of US Senators who recently penned a letter to HHS asking it to consider updating the HIPAA Privacy Rule to better defend reproductive rights.
Notably, the HHS Office for Civil Rights (OCR) recently issued guidance on patient privacy and rights under the HIPAA Privacy Rule that can help patients maintain security and privacy in light of the recent Roe v. Wade ruling.
The guidance contained information on how and when the HIPAA Privacy Rule restricts disclosures of protected health information (PHI) and how patients can safely and securely use their personal cell phones or tablets to access their health information.
“The Privacy Rule permissions for disclosing PHI without an individual’s authorization for purposes not related to health care, such as disclosures to law enforcement officials, are narrowly tailored to protect the individual’s privacy and support their access to health services,” the guidance stated.
Even with this clarification, there are still some gray areas when it comes to the Privacy Rule’s permitted versus required uses and disclosures.
The JAMA Health Forum article cited three major privacy concerns that HIPAA and other state and federal laws have little power over.
“First, using a patient’s medical records to support legal action against those seeking, obtaining, or abetting an abortion may be possible,” the article suggested.
HIPAA safeguards protected health information (PHI) that is under the care of a HIPAA-covered entity and outlines a specific set of circumstances under which that information can be used without a patient’s authorization. However, there are significant exceptions that present privacy concerns, experts suggested.
“These include reporting child abuse or neglect to an ‘appropriate government authority’; responding to a court order, subpoena, or discovery request for information relating to a lawsuit; and giving information to law enforcement officials ‘as required by law,’” the article explained.
“Thus, HIPAA does not bar compliance with child abuse or neglect reporting requirements, nor will it shield entities that defy investigative demands for information for law enforcement or other legal purposes.”
The experts suggested that law enforcement officials may be able to use a subpoena to obtain medical records relating to abortions.
Some state laws have designated patient-physician communications as inadmissible in legal proceedings.
“However, this privilege is not absolute, its scope varies greatly across states, and in many cases medical record information has been successfully used to substantiate a criminal charge, such as child abuse,” the article continued.
“Thus, there is substantial uncertainty about how courts will address assertions of physician-patient privilege relating to reproductive health care records.”
In OCR’s recent guidance, it presented several scenarios that shed light on a provider’s obligations under the HIPAA Privacy Rule and how it might inform a covered entity’s interactions with law enforcement.
For example, if a law enforcement official went to a reproductive health clinic and requested abortion records without a court order or other mandate enforceable by law, the Privacy Rule would not permit the clinic to respond to the request. If the clinic did comply and provide PHI, it would be considered a breach of unsecured PHI.
However, if the law enforcement official had a court order requiring the clinic to produce PHI about an individual who obtained an abortion, the Privacy Rule would permit but not require the clinic to disclose the PHI. Therefore, HIPAA does not wholly prevent PHI about abortion care from being obtained by law enforcement.
Second, the JAMA Health Forum article brought attention to the potential use of healthcare facility records to incriminate clinicians or institutions for providing abortion services.
“Relevant records could include electronic health records, employee emails or paging information, and mandatory reports to state agencies,” the article stated.
“Furthermore, HIPAA permits disclosure of protected health information to a health care regulatory agency in connection with civil, administrative, or criminal investigations or disciplinary actions relating to a practitioner’s or facility’s health care provision—for instance, a state board of medical licensing investigating whether a physician provided illegal abortions.”
Additionally, state Freedom of Information Act (FOIA) laws allow any citizen to request public records “related to an official function from employees of government hospitals and clinics.”
There are significant exceptions to FOIA requests that would prevent the person who issued the request from viewing individual patient health information, but FOIA requests could ask for information contained in email discussions regarding abortion care in a more general sense.
“As to mandatory reporting, most states require facilities to send detailed data on the volume and nature of abortion services provided, and some require the reason for providing abortions. Although patients’ names are removed, many potentially identifying characteristics remain,” the experts wrote.
“This information, too, is useful for law enforcement and may be subject to FOIA requests. In addition, state mandatory reporting laws for child abuse might be interpreted to cover abortions—particularly if life is defined as beginning at fertilization.”
Third, a significant amount of health information falls outside HIPAA’s purview due to the increasing popularity of third-party health apps. For example, many women use period tracking apps that collect information on sexual activity and menstruation.
“There are many instances of internet service providers sharing user data with law enforcement and prosecutors obtaining and using cell phone data in criminal prosecutions. Commercially collected data are also frequently sold to or shared with third parties,” the article explained.
“Even putatively deidentified data often contain sufficient information to reidentify individuals or facilities when triangulated with other data. Thus, pregnant persons may unwittingly create incriminating documentation that has scant legal protection and is useful for enforcing abortion restrictions.”
With this in mind, the article asked, how can clinicians protect themselves and their patients?
The article suggested that clinicians should educate patients on the risks of “generating pregnancy-related information online” and encourage them to minimize their digital footprint. Providers should also take caution during clinical documentation processes and “avoid word choices that could be construed as evidence of illegal activity,” the experts suggested.
“As states splinter on abortion rights after the Dobbs Supreme Court decision, the stakes for providing robust federal protection for reproductive health information have never been higher,” the article concluded.