No ‘slam dunk fix’ in HIPAA privacy law to protect abortion patients
Abortion advocates and Democratic lawmakers are calling on the Biden administration to protect data on patients seeking abortion services as concerns mount that clinic and hospital information could be used to prosecute individuals who seek the procedure in states where it’s illegal.
One possible action involves the Health Insurance Portability and Accountability Act, an oft-cited yet little-understood law that protects sensitive medical information from being disclosed without a patient’s consent or knowledge.
But HIPAA doesn’t provide the sweeping health data protections that many Americans think it does. And there’s little federal agencies can do to strengthen the law without help from Congress, according to multiple data privacy and legal experts interviewed by Healthcare Dive.
Any actions the HHS takes to make HIPAA stricter or prevent abortion-related data from being shared with law enforcement are likely to be unenforceable or subject to legal challenges, or to take too long to help patients in the near term, experts said.
In this legal environment, providers — torn between concerns of legal retribution and their duty to patients — should focus on minimizing and protecting the data they collect, while keeping abreast of shifting abortion legality in their state.
“Typically the laws are trying to catch up with where the real world is, in terms of what’s going on. This time we have the inverse of that situation, where the real world is trying to catch up or adjust or modify to the law,” said Bruce Armon, a health law attorney at Saul Ewing Arnstein & Lehr. “The best thing for the provider community is to pay attention to developments almost on a daily basis.”
HIPAA’s law enforcement exception
Following the Supreme Court’s landmark decision to overturn Roe v. Wade in June, dozens of states swiftly restricted access to abortion care. The ruling kickstarted a national conversation about privacy, as digital records like text messages, browser histories and emails have been used to prosecute pregnancy-related criminal charges in the past.
Medical data stored by healthcare providers could also be leveraged to prosecute patients and providers, despite being under HIPAA’s privacy umbrella.
“There’s many gray areas, gaps in it,” said Ashley Thomas, senior counsel at Holland & Knight.
Under HIPAA, law enforcement is allowed to request patient information from covered entities, and covered entities are permitted, but not required, to comply.
According to recent guidance published by the HHS, if a state law prohibits abortion but doesn’t expressly require providers to report it, a provider that reports instances of the procedure is violating HIPAA.
But providers are allowed to report abortion data if they receive a court order or summons. Those could become more frequent as conservative state attorneys general crack down on reproductive healthcare.
“There’s a lot of things that are gray here and they’re overlapping and intersecting and changing very fast,” said Matthew Bernstein, founder of information management consultancy Bernstein Data.
Providers looking to protect their patients from prosecution could decide not to respond to law enforcement requests as a policy, unless they come in the form of a warrant, said Lucia Savage, chief privacy and regulatory officer at Omada Health.
But subpoenas or court orders aren’t something providers can ignore without opening themselves up to a lawsuit, though complicated legal nuances could arise for providers performing abortions on out-of-state patients. Absent federal protection for the procedure, some conservative states, including Missouri, are eyeing ways to prosecute out-of-state providers who perform abortions on patients residing in those states.
“It sounds unconstitutional. But a lot of this sounds unconstitutional to me,” said Dianne Bourque, a partner at Mintz specializing in healthcare law.
No ‘nice clean slam dunk fix’
President Joe Biden signed an executive order in July calling on Federal Trade Commission Chair Lina Khan and HHS Secretary Xavier Becerra to consider issuing new HIPAA guidance to protect against digital surveillance.
Some Democratic senators have urged HHS to go further and update the law to limit or explicitly prevent health data from being shared with law enforcement agencies targeting people who have an abortion.
The HHS Office of Civil Rights, which oversees HIPAA, is “going to look at all its options. That’s what an agency does in response to an executive order. But I think its options are going to be limited,” said Savage, who was chief privacy officer of HHS’ health IT arm during the Obama administration.
Regulators could have some authority here. The HIPAA statute is bare-bones, and the bulk of how it’s interpreted today comes from rules and regulations. The OCR could issue nonbinding subregulatory guidance, attempt rulemaking or increase enforcement actions, experts said.
To fully close or mitigate the law enforcement exception with respect to abortion, regulators would have to issue new rules. That takes time — sometimes, years pass between when a rule is proposed and when it’s finalized — and wouldn’t help patients or providers in the interim.
“The regulatory process can take years. We have providers who have literally days, maybe a week or two, to determine how to appropriately care for a patient,” Armon said.
The OCR could also try to cram abortion data protections into a notice of proposed rulemaking on new HIPAA rules from 2021. Regulatory agencies have flexibility between the content of a notice and the content of a final rule, as long as the final rule meets the standard of a logical outgrowth from the original, Savage said.
Among other things, the 2021 NPRM attempts to increase permissible disclosures of personal health information and improve care coordination and case management. Regulators could try to find grounds to argue that protecting reproductive health data represents a natural outgrowth from that NPRM, Savage said.
The OCR also needs to watch out for the parameters for drafting HIPAA regulations, lawyers said. Any change to HIPAA regulations would have to align exactly with the statute to ensure the Biden administration doesn’t overstep in terms of overruling state law.
A section of HIPAA says that nothing in the law can be construed to invalidate or limit the authority or power of a state law in specific circumstances, including providing for the reporting of disease or injury, death or public health intervention.
Conservative states could use these circumstances to sidestep any HHS effort to increase HIPAA protections for abortion patients, Mintz’s Bourque said. For example, if a state attorney general positions a request for abortion data as related to preventing injury, but the OCR has restricted providers’ ability to share that data, the state could say HHS has exceeded the boundaries of what HIPAA allows it to do, likely launching a legal fight.
“It’s impossible to say yes this will work, no this won’t work. But this is the ground for arguing about it,” Bourque said. “There’s not a nice clean slam dunk fix.”
That’s one of many legal twilight zones emerging in the ongoing fight over abortion access, as complications crop up for both pro-choice and anti-abortion factions in federal and state governments.
For example, even if the HHS explicitly says providers can’t share abortion-related data with law enforcement agencies, a public health agency could query and receive that data from providers by framing it as a public health request, and share it with law enforcement, Bourque said.
In addition, providers under HIPAA are allowed to disclose PHI that they think is evidence of a crime that occurred on the premises. In a state where abortion is criminalized, if a healthcare worker believes an illegal abortion has occurred, they are allowed to share that information with authorities without a patient’s permission.
If the HHS moves to restrict abortion data sharing, HIPAA could come to contradict itself, lawyers said. It could also run afoul of whistleblower protection laws, if medical workers who report abortions are protected for reporting, in good faith, a violation of law.
“I don’t know who wins that,” Bourque said. “It’s this perfect storm.”
Provider best practices
The best solution would be for Congress to act to address gaps in HIPAA and U.S. privacy laws to resolve concerns related to reproductive rights, experts said. But in the absence of comprehensive action, it’s largely falling to providers to protect patients’ medical data — and themselves from legal retribution, especially if they operate in a state where abortion is illegal.
Providers should collect the bare minimum of data they need to provide patient care and be very cognizant of retention obligations, especially for data that could reveal what reproductive health services patients have received, experts suggested.
“If you don’t need to collect it, don’t collect it. And if you no longer need to retain it, dispose of it,” Bernstein said.
Physicians aren’t necessarily required by law to include in the record that a patient showed signs they might have had an abortion. That could mitigate the fallout if they receive an enforceable subpoena from law enforcement, Thomas said.
It’s also important to be knowledgeable about what you can and cannot do under HIPAA, Bourque said.
The lawyer said she’s seen instances where state forms require a lot more to be shared by the provider than what the statute actually authorizes.
“It’s really important that everybody proceeds with caution,” especially in the face of potential overreaching by enforcement authorities, Bourque said. “To comply with HIPAA you have to comply with the bare minimum. Provide what’s asked and not more, otherwise you’ve got a HIPAA problem.”