Healthcare providers carry a heavy load and it just got heavier. In the wake of the reversal of Roe v. Wade and the prohibition and criminalization of abortion in some states, healthcare providers are now burdened with being more vigilant than ever in defending patients’ privacy rights.
This is true in all states, even where abortion is legal. For example, officials in states where it is not legal may seek information from healthcare providers in other states where patients are forced to travel for legal abortion care. The question is whether the information sought must be disclosed.
The purpose of this article is to explain existing protections and provide strategies for healthcare providers to use in responding to requests for reproductive health information when the patient has not authorized the disclosure.
I. What Does HIPAA Protect?
Over the past several weeks, there has been a lot of buzz about whether the federal Health Information Portability and Accountability Act of 1996 (HIPAA) adequately protects health information from state inquiry. In overturning the 50+ year precedent of Roe v. Wade, the US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (Dobbs Decision) on June 24th holds that there is no constitutional right to abortion and leaves the issue of abortion largely to the states. Several states have or will ban abortion. Others have or will criminalize it.
Whether HIPAA adequately protects information from the demands of state officials, law enforcement or private attorneys acting under state laws is not straightforward. Without question, however, HIPAA provides solid protections for health information and offers only limited exceptions to those safeguards. Understanding those protections and the exceptions is vital.
A. Guidance from the Dept. of Health and Human Services on HIPAA
Shortly after the official release of the Dobbs Decision, the Department of Health and Human Services’ (DHHS) Office for Civil Rights (OCR) issued guidance regarding the disclosure of reproductive healthcare information. The guidance addresses disclosures required by law, disclosures for law enforcement purposes, and disclosures to avert a serious threat to health or safety. It also provides related examples.
This high-level guidance emphasizes that permitted disclosures under HIPAA must be “narrowly tailored to protect the individual’s privacy and support their access to health services.” It further highlights that HIPAA only permits disclosures required by law to the extent of “the relevant requirements of such law.” Finally, with respect to disclosures for law enforcement purposes, OCR points out that HIPAA allows disclosures only under limited circumstances and “pursuant to process and otherwise required by law.”
OCR’s review and reiteration of the language in HIPAA is a good summary and the examples are illustrative. Overall, however, the guidance offers little if any practical direction.
B. Understanding Permitted Disclosures Under HIPAA
It’s important to start here: HIPAA only requires the disclosure of protected health information (PHI) to or at the direction of a patient or the patient’s personal representative. Other than to DHHS for an investigation or compliance assessment, HIPAA requires no other disclosures. In other words, HIPAA will never require the disclosure of PHI to a third party, even when there is a state law requiring it.
On the other hand, HIPAA dedicates more than 5,000 words of regulatory text to the concept of “permissive disclosures” under certain circumstances. Permissive disclosures allow covered entities to disclose PHI without an authorization from the patient. As OCR noted in its guidance, permitted disclosures must be narrowly tailored to support patient privacy and access to care. HIPAA recognizes 12 categories of specifically permitted disclosures in addition to generally permitted uses and disclosures such as those for treatment, payment or healthcare operations. Below are the most relevant permissive disclosure categories:
- Required by another law, but only in compliance with that law and limited to its specific requirements.
- For judicial and administrative proceedings, but only in response to an order of the court or the administrative tribunal and limited to the order.[i]
- For law enforcement purposes, with many caveats. It is most important to understand that, generally, healthcare providers must not turn over information to law enforcement based merely on a demand without an order from a court with jurisdiction. There are very limited exceptions to this general rule.
Again, before a provider is permitted to disclose under one of these categories, it must be able to strictly adhere to the requirements of each category. If the requirements cannot be met, HIPAA prohibits the disclosure. Understanding the permissive nature of HIPAA and the requirements around permissive disclosures will often provide a good faith argument for objecting to a third party’s request for disclosure.
C. HIPAA Controls When it Clashes with Less Protective State Law
HIPAA’s requirements preempt state law when HIPAA provides greater privacy protection than state law.[ii] State law only governs when it provides more protection than HIPAA. This is important. If a state law required the disclosure of PHI in a manner that conflicts with HIPAA, then HIPAA would control, and the disclosure would be prohibited.
There are limited exceptions. State laws mandating public health and safety reporting (e.g., disease, death, abuse, etc.), seeking to prevent healthcare fraud and abuse, and requiring reports on healthcare delivery costs are not preempted.[iii] A less definitive exception allows the Secretary of DHHS to deem that a state law serves a compelling need related to public health, safety or welfare and that any intrusion on privacy is warranted. Under the current administration, the Secretary of DHHS is not likely to conclude that the disclosure of reproductive health information serves a compelling need.
The application of the preemption rule may prove to be a useful tool in defending the privacy rights of patients in the months and years to come. This is especially true now that states are taking or considering legislative action to add greater protections to reproductive health information. Connecticut was the first state to take such action, followed shortly after by Massachusetts and California. [updated Oct. 2022]
Legal counsel should carefully consider the issue of preemption when issues of state law arise.
II. Strategies for Handling Requests for Health Information
Managing third-party requests for PHI can be challenging. That challenge increases exponentially when the request is for sensitive information, and it comes without an authorization from the patient. The first and most important step is to ensure that there is a solid internal process for handling such requests. Next, healthcare providers must understand how to assess the request and when to seek legal counsel.
A. Develop a Process for Handling Third-Party Requests
Establish a process for handling third-party requests for PHI that do not include a valid HIPAA authorization signed by the patient. The process should identify a response team that is trained and ready to act.
It is important to assess and respond quickly as requests for information can be time sensitive. While a healthcare provider may have a good argument to withhold information, once compelled via a valid process (e.g., by a subpoena), healthcare providers must respond timely, regardless of the argument. In some states, that timeframe can be short. For example, in Connecticut, subpoenas require only 18 hours’ notice for testimony and/or records.
Train staff on how to identify requests that require special handling and how to effectively and immediately notify the response team (e.g., use of an email distribution list). Use clear guidelines like: (1) any request served by a process server; (2) any request received that appears to be a legal document or issued by an attorney or court; and (3) any other document requesting information that seems out of the ordinary.
Ensure that at least one person on the response team takes responsibility for assessing the request. Use the questions outlined in Section B below to perform an initial assessment. When the request is not routine or the answers to the questions below only raise more questions, seek legal advice.
Be sure to work with in-house and/or outside legal counsel as part of the planning process. It is important that they know the process established and are aware that immediate assistance may be required.
Finally, set up a mechanism to track receipt of requests. Be sure to document due dates, external conversations regarding the request and note any action taken. Of course, always follow HIPAA documentation requirements if the healthcare provider makes the disclosure.
B. Questions to Ask Upon Receipt of Request and Key Considerations
It is critically important to identify the form, format and issuer of the request before deciding how to proceed. The following is a checklist of questions to use when examining a request. Answer the questions with as much detail as possible. When the proper action is unclear, consult with legal counsel before deciding how to proceed. Having answers to some or all of these questions before talking with the lawyer will be very helpful.[iv]
1. What is the form of the request and who issued it?
   a) Subpoena, issued by:
      i) Private attorney
      ii) Government attorney
      iii) Governmental agency
   b) Letter, sent by:
      i) Private attorney
      ii) Government attorney
      iii) Governmental agency
   c) In-person demand, made by:
      i) Private attorney
      ii) Government agency
      iii) Law enforcement
2. Where does the request originate (i.e., in state or out of state)?
Subpoenas and court orders originating in other states, including those issued by other states' courts, may not be effective. Often, private attorneys issue subpoenas to out-of-state recipients in hopes that they will turn over the information without any questions. Flag any out-of-state requests for legal counsel.
3. How was the request received?
Generally, subpoenas and other compulsory process must be served in a particular way (i.e., in-person service or through an agent for service). Emailed and mailed subpoenas may be defective for this reason. Keep the envelope and any other packaging in which the request was delivered and consult with legal counsel.
4. If the request is a subpoena, did a court order accompany it?
For subpoenas accompanied by a court order, there are several important considerations: (1) does the court order direct the healthcare provider (and not some other party) to disclose the information?; (2) does the court have jurisdiction (see #2 above)?; (3) are there other laws protecting the information from disclosure (see #6 below)?; (4) does the court order match the request in the subpoena?; and (5) to the extent that the court is relying on a law requiring the disclosure, does the request meet the requirements of the law and does HIPAA preempt it (see #7 below)?
5. Does the request compel disclosure?
Subpoenas are considered compulsory process, which means that the recipient may be compelled to act even if the action is to seek a protective order from a court (consider #2 above). On the other hand, a letter from a private attorney demanding records without a subpoena is not compulsory. Where there is no legal obligation to respond, healthcare providers should choose not to respond. A letter from a government agency or government attorney may require a response depending on the law.
6. What type of information is being requested?
Some health information may be afforded greater protection under other laws than under HIPAA (e.g., substance use disorder information, mental health information and HIV/AIDS related information, depending on state or federal laws). Such laws may prohibit the disclosure of the information even where HIPAA permits it. When other laws provide greater privacy protection, those laws will apply. See Section I.C. above.
As noted above, states have begun passing legislation to provide a heightened degree of protection to reproductive health records, which will help bolster the protection of such records.
7. Does HIPAA permit the disclosure? (Remember, permissive disclosures must be narrowly tailored.)
a) Preemption – is there a state law or rule at issue that jeopardizes patient privacy, which could be preempted by HIPAA? See Section I.C. above.
b) Required by Law – ask whether the specific information sought is truly required by another law. If HIPAA’s specific requirements are not met for a permissive disclosure, then HIPAA would prohibit the disclosure. Also, consider whether the law may be preempted by HIPAA. See (a) above and Section I.C.
c) Court or Administrative Tribunal Order – review the order carefully to ensure that it is in fact an order of the court (and not an unsigned request for a court order and not a qualified protective order agreed to by the parties; see endnote [i] below). Additionally, be sure that any disclosure is limited to the specific information directed in the order. See also the considerations in #4 regarding court orders.
d) Law Enforcement – as noted above, absent an order from a court with jurisdiction, there are very limited circumstances in which healthcare providers can turn PHI over to law enforcement.
C. Consult with Legal Counsel
The issues discussed in this article are complex. They require preparation, awareness, and consultation with legal counsel. Legal counsel, whether in-house or outside, will be a most important resource in wading through the options.
The stakes are higher than ever for avoiding improper release of PHI to a third party, especially when that third party seeks to use such information to sue or prosecute a patient. This article is by no means a comprehensive analysis of the many potential issues. Rather, the goal is to create a greater awareness of the issues surrounding the release of PHI to third parties and to empower healthcare providers to flag issues and seek assistance.
[i] While this section permits a HIPAA covered entity to rely on satisfactory assurances that the PHI will be protected by parties to a legal action without the need for a court order, there is no legal obligation to comply with requests based on satisfactory assurances. This includes qualified protective orders that are not signed by a court. Therefore, the healthcare provider would not be violating any law or a court order by not complying and should exercise its right not to disclose.
[ii] HIPAA statutes and regulations “shall supersede any contrary provision of State law,” 42 U.S.C. §1320d-7(a)(1), except that HIPAA regulations “shall not supercede [sic] a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than [HIPAA].” 42 U.S.C. §1320d-7(a)(1)(B); P.L. 104-191, sec. 264(c)(2).
[iii] 42 U.S.C. §1320d-7(a)(2); 45 C.F.R. §160.203.
[iv] This section assumes that there was no HIPAA-compliant authorization accompanying the request. Requests with a valid authorization signed by the patient should be processed as directed in the authorization without the need for the in-depth analysis here unless there are concerns about the authorization. Be sure to limit the disclosure to the information the patient specifically authorized, regardless of the information sought in the request.