In the wake of the US Supreme Court overturning Roe v. Wade, some upheaval and change were to be expected. Several states advanced anti-abortion laws, as was anticipated. Legal cases are being filed left and right in various states as the abortion issue continues to be debated. But amidst it all, some less expected dilemmas have emerged as well. One of the most problematic, it seems, at least when it comes to healthcare providers, involves patient privacy. For years, the Health Information Portability and Accountability Act (HIPAA) has served as the guide for protecting patient health information. But what is much less clear is just how far HIPAA protection for abortion information extends.
The HIPAA privacy rule has been in effect since 1996. In essence, it prevents healthcare providers from sharing patient health information with other parties without patient permission. While this may seem rather straightforward, the abortion issue has created some challenges. For states that now consider abortion a crime, does the HIPAA privacy rule still apply? If HIPAA protection for abortion information exists, are there exceptions? Providers face such dilemmas in the wake of the Supreme Court’s decision, in addition to others related to emerging technologies. Without question, patient privacy rights are important. But exactly how far state laws and technological freedoms extend in relation to these rights remains poorly defined.
“We are in such uncharted territory when it comes to this type of [privacy] issue that providers really don’t have guidance.” – Samantha Deans, Associate Medical Director for Planned Parenthood of South, East, and North Florida
The Basics of the HIPAA Privacy Rule
The HIPAA privacy rule, despite its longevity, remains the standard for protecting patient health information. Though complex in its language, the rule effectively defines who can access a patient’s health information and in which contexts. As a general rule, patients must authorize sharing this information either through direct or indirect means of consent. When requests for patient records are made, these almost always involve a written request for documentation purposes. And likewise, HIPAA requires that patients be aware of which entities receive this information. As is evident, the HIPAA privacy rule does its best to protect patients’ privacy rights. But of course, these data protection laws did not anticipate today’s rather complex legal and technological landscape.
Notably, state anti-abortion laws challenge standard HIPAA practices. From one perspective, HIPAA protection for abortion information seems like it should be applied as it would to any health data. But there are exceptions when HIPAA protections might be waived. For example, if a provider receives a court order or subpoena for specific health information, they are allowed to comply. They may also choose to provide such health information if they believe a crime has been committed. Given that some states view abortion as a crime and may seek court orders, these exceptions offer HIPAA loopholes. And since HIPAA also allows information-sharing for public health reasons, state health agencies could similarly request and receive such information. This is where HIPAA protection for abortion information may fail in its ability to preserve patient privacy.
“Typically the laws are trying to catch up with where the real world is, in terms of what’s going on. This time we have the inverse of that situation, where the real world is trying to catch up or adjust or modify to the law.” – Bruce Armon, Health Law Attorney at Saul Ewing Arnstein & Lehr
Other Loopholes in the HIPAA Privacy Rule
Interestingly, law enforcement in some anti-abortion states is finding other creative ways to get around the HIPAA privacy rule. Some have asked for help from any healthcare professional with knowledge of abortion-related crimes. Under HIPAA, providers cannot provide such information unless a patient authorizes it. But in states where there are whistleblower protections, HIPAA protection for abortion information may fail. Should a provider wish to share such information in states with anti-abortion laws, whistleblower statutes offer safe havens. This is yet another way HIPAA legislation falls short of protecting patient privacy.
Other loopholes in HIPAA protection for abortion information involve the use of everyday technologies. Many healthcare apps now exist that are beyond the scope of the HIPAA privacy rule. Some femtech apps, like those that track menstrual cycles, can be readily accessed by law enforcement if subpoenaed or seized. This information can then provide supportive evidence that an abortion may have taken place. Naturally, this is highly private health information that deserves protecting. But because healthcare technologies have advanced faster than laws, such protections do not exist. HIPAA protections certainly do not extend this far based on current legislation.
“To comply with HIPAA you have to comply with the bare minimum. Provide what’s asked and not more, otherwise you’ve got a HIPAA problem.” – Dianne Bourque, Health Law Attorney at Mintz, Levin, Cohn, Ferris, Glovsky, and Popeo, P.C.
What’s a Healthcare Provider to Do?
Currently, the best thing healthcare providers can do is to understand what is required of them. Under the HIPAA privacy rule, healthcare professionals must provide what a court order or subpoena demands. However, providers must only offer precisely what is requested and nothing more. Likewise, providers may wish to collect less information about reproductive health unless it is necessary. What isn’t collected and documented is naturally not subject to any discovery. Outside of these guidelines, providers must otherwise abide by HIPAA protections for abortion and other health-related information. For now, these are the basic tenets of HIPAA that determine what information can and cannot be shared.
Looking ahead, the bigger issue clearly involves the need for more comprehensive privacy legislation at a national level. This not only includes laws that protect health information privacy rights from emerging technologies. It involves even broader protections given the frequency with which cybersecurity threats and violations are occurring. While the Department of Health and Human Services may tweak the current HIPAA privacy rule, it can only go so far. In order to truly provide greater privacy protections, Congressional action would be required. Regardless of which side of the abortion debate one sits on, greater privacy rights protections are universally important. The loopholes in HIPAA protections for abortion information highlight this fact. But the same issues exist in many other areas as well, proving that much broader actions are essential.