HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care

Access to comprehensive reproductive health care services, including abortion care, is essential to individual health and well-being.1 The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule2 (Privacy Rule) supports such access by giving individuals confidence that their protected health information (PHI),3 including information relating to abortion and other sexual and reproductive health care, will be kept private.

The Office for Civil Rights (OCR) administers and enforces the Privacy Rule, which establishes requirements with respect to the use, disclosure, and protection of PHI by covered entities (health plans, health care clearinghouses, and most health care providers)4 and, to some extent, by their business associates.5 These regulated entities can use or disclose PHI, without an individual’s signed authorization,6 only as expressly permitted or required by the Privacy Rule.7 ,8

The Privacy Rule permissions for disclosing PHI without an individual’s authorization for purposes not related to health care, such as disclosures to law enforcement officials, are narrowly tailored to protect the individual’s privacy and support their access to health services. This guidance addresses these types of permitted disclosures and their limitations.

Disclosures Required by Law

The Privacy Rule permits but does not require covered entities to disclose PHI about an individual, without the individual’s authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law.9 This permission to disclose PHI as “required by law” is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.”10 Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.11 Disclosures of PHI that do not meet the “required by law” definition in the HIPAA Rules,12 or that exceed what is required by such law, do not qualify as permissible disclosures.13

Example:

• An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.

Disclosures for Law Enforcement Purposes

The Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes “pursuant to process and as otherwise required by law”, under certain conditions.14 For example, a covered entity may respond to a law enforcement request made through such legal processes as a court order or court-ordered warrant, or a subpoena or summons, by disclosing only the requested PHI, provided that all of the conditions specified in the Privacy Rule for permissible law enforcement disclosures are met.15

In the absence of a mandate enforceable in a court of law,16 the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care. That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement.17 This is because, generally, state laws do not require doctors or other health care providers to report an individual who self-managed the loss of a pregnancy to law enforcement.18 Also, state fetal homicide laws generally do not penalize the pregnant individual, and “appellate courts have overwhelmingly rejected efforts to use existing criminal and civil laws intended for other purposes (e.g., to protect children) as the basis for arresting, detaining, or forcing interventions on pregnant” individuals.19 ,20

Examples:

• A law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
• A law enforcement official presents a reproductive health care clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.

Disclosures to Avert a Serious Threat to Health or Safety

The Privacy Rule permits but does not require a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat.21 According to major professional societies, including the American Medical Association and American College of Obstetricians and Gynecologists, it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.22

Example:

• A pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. However, the Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission for several reasons, including:
  • A statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health or safety of a person or the public”.
  • It generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient–physician relationship and may increase the risk of harm to the individual.

Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected. 

Other Laws

Providers who may be concerned about their obligations to disclose information concerning abortion or other reproductive health care should seek legal advice regarding their responsibilities under other federal and state laws.

Filing a Privacy Complaint

If you believe that your (or someone else’s) health privacy rights have been violated, visit the OCR complaint portal at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf to file a complaint online.

DISCLAIMER: The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or the Departments’ policies.

To obtain this information in an alternate format, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing [email protected].  Language assistance services for OCR matters are available and provided free of charge.

1. American College of Obstetricians and Gynecologists (ACOG) position statement, Restrictions to Comprehensive Reproductive Health Care, https://www.acog.org/clinical-information/policy-and-position-statements/position-statements/2018/restrictions-to-comprehensive-reproductive-health-care.
• back to note 1
2. 45 CFR part 160 and subparts A and D of part 164.
• back to note 2
3. See 45 CFR 160.103 (definition of “Protected health information”).
• back to note 3
4. See 45 CFR 160.103 (definition of “Covered entity”).
• back to note 4
5. See 45 CFR 160.103 (definition of “Business associate”). See also OCR’s Fact Sheet on Direct Liability of Business Associates at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html
• back to note 5
6. See the requirements for a HIPAA authorization at 45 CFR 164.508.
• back to note 6
7. See 45 CFR 164.502. In addition, a business associate may use or disclose PHI only as permitted or required by its business associate agreement with a covered entity (or, in the case of a subcontractor, with another business associate) or as required by law. A business associate agreement generally may not permit or require a business associate to use or disclose PHI in a manner that would violate the Privacy Rule if done by a covered entity. See 45 CFR 164.502(a)(3).
• back to note 7
8. OCR has announced multiple investigations resolved with a settlement or civil money penalty for potential HIPAA violations where a health care provider impermissibly disclosed a patient’s protected health information (PHI) without the patient’s signed authorization or an applicable Privacy Rule permission or requirement.  See  Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., where OCR found that a dental practice impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review; Elite Dental Associates, where OCR found that Elite had impermissibly disclosed the PHI of multiple patients in response to patient reviews on the Elite Yelp review page; Boston Medical Center, Brigham & Women’s Hospital, Massachusetts General Hospital, where OCR found multiple hospitals compromised the privacy of patients’ PHI by inviting film crews onto their premises to film a documentary series, without first obtaining authorization from the patients; and Memorial Hermann Health System (MHHS), where OCR found that MHHS impermissibly disclosed a patient’s PHI, when it published the patient’s name in a press release after the patient presented an allegedly fraudulent identification card to office staff.
• back to note 8
9. See 45 CFR 164.512(a)(1).
• back to note 9
10. See 45 CFR 164.103 (definition of “Required by law”).The definition further states that “Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.”
• back to note 10
11. See 45 CFR 164.512(a)(1).
• back to note 11
12. See Footnote 10.
• back to note 12
13. The Privacy Rule permits but does not require covered entities to disclose PHI in response to an order of a court or administrative tribunal. The Privacy Rule also permits but does not require covered entities to disclose PHI in response to a subpoena, discovery request, or other lawful process, but only when certain conditions are met. See 45 CFR 164.512(e)(1). These provisions cannot be used to make disclosures to law enforcement officials that are restricted by 45 CFR 164.512(f). See 45 CFR 164.512(e)(2).
• back to note 13
14. See 45 CFR 164.512(f)(1).
• back to note 14
15. Disclosures of PHI to law enforcement are permitted in certain other situations, but these are unlikely to apply to disclosures about an individual based on the individual seeking or obtaining reproductive health care. See 45 CFR 164.512(f)(2) Limited information for identification and location purposes; (f)(3) Victims of a crime; (f)(4) Decedents; (f)(5) Crime on premises; (f)(6) Reporting crime in emergencies.
• back to note 15
16. See footnote 10.
• back to note 16
17. Other Privacy Rule permissions also are unlikely to apply. For example, the permission for disclosures of PHI for health oversight activitiesper 45 CFR 164.512(d) can be made for oversight of the health care system, certain governmental benefit programs, and entities subject to regulatory programs. However, these permissions do not apply here because they are intended to be limited to health care fraud. See 65 FR 82462, 82529 (December 28, 2000). Also, the permission for disclosures of PHI by whistleblowers and workforce member crime victims per 45 CFR 164.502(j) does not apply to disclosures to law enforcement of an individual’s PHI related to reproductive health care for purposes of investigating or prosecuting the individual.
• back to note 17
18. If/When/How, https://www.reprolegalhelpline.org/sma-know-your-rights/.
• back to note 18
19. Lynn M. Paltrow and Jeanne Flavin, Forced Interventions on Pregnant Women in the US, Journal of Health Politics, Policy and Law, Vol. 38, No. 2, April 2013, p 322.
• back to note 19
20. Consistent with this analysis, the Privacy Rule permission at 45 CFR 164.512(b)(1)(ii) to disclose an individual’s PHI to a public health authority or other government authority authorized by law to receive reports of child abuse or neglect would not apply to disclosures of PHI relating to reproductive health care.
• back to note 20
21. See 45 CFR 164.512(j).
• back to note 21
22. For example, the American College of Obstetricians and Gynecologists (ACOG) states that “obstetrician–gynecologists should protect patient autonomy, confidentiality, and the integrity of the patient–physician relationship.” As such, ACOG “opposes administrative policies that interfere with the legal and ethical requirement to protect private medical information by mandating obstetrician–gynecologists and other clinicians to report to law enforcement” information related to individuals and their care. ACOG position statement, Decriminalization of Self-Induced Abortion, https://www.acog.org/clinical-information/policy-and-position-statements/position-statements/2017/decriminalization-of-self-induced-abortion. The American Medical Association (AMA) notes that “free, open and honest communication between physicians and patients is a cornerstone of effective health care” and that the “medical profession’s integrity is safeguarded when physicians are permitted to exercise their duty to counsel and care for patients based on “objective professional judgment” and ultimately respect patients’ autonomy to make decisions about their own bodies and health.” Gerald E Harmon, MD, President, AMA, Unconstitutional attack on reproductive health must not stand, OCT 13, 2021, https://www.ama-assn.org/about/leadership/unconstitutional-attack-reproductive-health-must-not-stand. See also AMA, Patient Rights, Code of Medical Ethics Opinion 1.1.3. https://policysearch.ama-assn.org/policyfinder/detail/E-1.1.3?uri=%2FAMADoc%2FEthics.xml-E-1.1.3.xml.   Indeed, “the threat of prosecution may result in negative health outcomes by deterring women from seeking needed care.” See Brief Amici Curiae, American College of Obstetricians and Gynecologists, et al at 32, Dobbs v Jackson, https://www.supremecourt.gov/DocketPDF/19/19-1392/193074/20210920174518042_19-1392%20bsacACOGetal.pdf.
• back to note 22