By Mason Fitch
The Supreme Court’s reversal of Roe v. Wade amplifies attention to concerns around the privacy of abortion-related services, including the provision of healthcare, period tracking apps, and even payment methods and mobile location data. In a direct response to Roe’s reversal, the Department of Health and Human Services (HHS) released guidance underscoring the protections applicable to protected health information (PHI) relating to abortion and other reproductive care under the Health Insurance Portability & Accountability Act (HIPAA), which we outline below. HIPAA, however, is limited in scope and does not protect a vast swath of information relating to abortion care.
The HIPAA Privacy Rule prohibits Covered Entities (such as most health care practitioners, hospitals, and insurance plans) from disclosing PHI without a patient’s consent unless the Rule otherwise permits the disclosure. Relevant disclosures authorized by the Privacy Rule include:
Disclosures required by law;
Disclosures for law enforcement purposes; and
Disclosures to avert a serious threat to health or safety.
The Privacy Rule permits but does not require Covered Entities to disclose PHI without the patient’s authorization for the purposes listed above. HHS provided an example of an individual who goes to the emergency room for a miscarriage and is suspected of having taken medication to end their pregnancy: in a state without a mandatory reporting law, disclosure of the individual’s PHI is prohibited. In a state with a mandatory reporting law, the healthcare provider (or other Covered Entity) may (and likely would have to) disclose the individual’s PHI. This is also true of law enforcement inquiries: Covered Entities may not disclose PHI absent a court-enforceable order (such as a subpoena or a warrant), but likely would disclose PHI pursuant to such an order.
Covered Entities should exercise extreme caution should they receive requests for information relating to abortion care. Even where disclosure is permissible under HIPAA and required under state law, the Privacy Rule requires that Covered Entities disclose only the information subject to the order and nothing more. Workforce members should be reminded of their obligations under HIPAA and instructed to forward any legal or law enforcement requests to the appropriate team.
In the aftermath of Roe’s reversal, we expect HHS and the Office of Civil Rights to actively wield their authority under HIPAA to ensure patient privacy and nondiscrimination for patients seeking reproductive health care.
In the words of HHS Secretary Xavier Becerra: “This is a critical moment in history. How we respond will speak to how we view the rights, dignity and wellbeing of women everywhere. This is a moment of crisis in health care. We will leave no stone unturned. All options are on the table. We will do everything within the legal limit of the law to reach patients and support providers.”
While HIPAA provides considerable protection to PHI relating to abortion care, the universe of data that can be used to track abortions is far broader than what is covered by HIPAA and the protections applicable to that data are far weaker. Many online healthcare services—those that are often most accessible to individuals looking for alternative abortion services—are not covered by HIPAA, which only applies to health care providers who engage in “standard transactions,” namely, those that accept insurance. For example, if you order abortion pills online and pay cash, the company you ordered from may not be a Covered Entity under HIPAA. In that case, the company may not be prohibited from disclosing information about you even without a court-enforceable order.
A significant amount of data could be used to infer that someone sought or received an abortion outside of the healthcare context and, therefore, outside of the protection of HIPAA. For example, online searches for abortion providers are not protected by HIPAA, nor is an individual’s location information. Entities that maintain this information have significantly fewer (and less stringent) restrictions when it comes to disclosing information to third parties, including law enforcement.
The Electronic Frontier Foundation has published tips on how to minimize privacy and security risks for people seeking an abortion.
Mason Fitch is a Senior Associate at Hintze Law PLLC and a member of the firm’s Health and Biotech Privacy Group.
About Hintze Law
Hintze Law PLLC is a boutique privacy firm that provides counseling exclusively on global data protection. The firm’s attorneys and privacy analysts support technology, health, biotech, advertising, social networking, media, gaming, ecommerce, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.