Does HIPAA need to be revised to adjust to the recent Supreme Court decision that overturned Roe v. Wade (Dobbs v. Jackson Women’s Health Organization, issued June 24, 2022)? Some believe HIPAA needs to be modified to clarify and secure privacy around reproductive health. Others believe HIPAA still provides adequate privacy protections in all health matters and does not need to be updated.
Arguing for change are two Senators who recently wrote a letter to HHS asking it to update the HIPAA Privacy Rule to better defend reproductive rights. In addition, a new article in the JAMA Health Forum discusses how HIPAA may not go far enough in certain scenarios to protect patient privacy, and even places providers in jeopardy where a state’s laws allow for the prosecution of providers in relation to abortion services. Where abortion services have been criminalized, anyone who violates the law could be subject to civil penalties, criminal fines, or imprisonment.
The Office for Civil Rights (OCR) at HHS takes the position that HIPAA still provides patients with privacy protections after Dobbs. OCR issued guidance on June 29 underscoring these protections to help providers understand how current HIPAA law applies. Their guidance also included suggestions for patients on how to keep their medical information more secure.
Privacy has recently been a hot topic in Congress. Even before the Dobbs decision raised new questions, two potential federal privacy laws were being discussed. The proposed American Data Privacy and Protection Act and the Health and Location Data Protection Act are both designed to strengthen personal privacy in all aspects of life, not just health.
Why Dobbs Changes the Privacy Discussion
Those who argue for stronger HIPAA protection in the wake of Dobbs point out that reproductive healthcare is different from other kinds of care, like cardiology, orthopedics or cancer, because some states have criminalized abortions. No other healthcare service has been criminalized after having been provided for so many years.
Moreover, the laws vary among the states, with some more strict than others. In some cases, the laws restricting abortion also restrict other kinds of reproductive healthcare, like treatment for miscarriage, birth control, IVF, or pregnancy counseling. Patients who seek care and providers who treat them are both at risk of having their private conversations and records obtained by law enforcement, courts or even private citizens, in an effort to enforce state law.
As of today, nine states have banned abortions since Dobbs, but in coming weeks more are expected to follow. The situation is in flux both in the courts and state legislatures. Ultimately about half the states will likely restrict abortion access.
Potential Gaps in HIPAA
According to the authors of the JAMA article, there are three scenarios in which HIPAA is either ambiguous or simply does not apply:
- Using a patient’s medical records to support legal action against those seeking, obtaining, or abetting an abortion may be possible.
- The potential use of health care facility records to incriminate an institution or its clinicians for providing abortion services.
- Information generated from a person’s online activity could be used to show that they sought an abortion or helped someone do so.
Complicating the issue is the fact that states’ laws related to reproductive health services vary so widely. In Texas, for example, where abortion is now a crime, the law incentivizes civilians with $10,000 cash payments for successfully suing individuals performing or aiding with the procedure. This adds to the concern that both patients’ and providers’ privacy is in jeopardy.
Stay the Course and Comply with HIPAA
Even though state laws are in flux, covered entities and business associates should continue to follow HIPAA. Review OCR’s recent guidance underscoring how to apply HIPAA in reproductive health care situations. Consult with counsel familiar with the laws of your state if you have additional questions. The HIPAA E-Tool® stays up to date, and we’ll let you know whether and how HIPAA may change in response to new concerns.