On the heels of the Dobbs decision overruling Roe v. Wade, President Joe Biden directed the Secretary of Health and Human Services (HHS) to provide guidance under the Health Insurance Portability and Accountability Act (HIPAA) and other statutes to protect reproductive rights and abortion access by strengthening “the protection of sensitive information related to reproductive healthcare services” and bolstering patient-provider confidentiality under the HIPAA Privacy Rule. The Privacy Rule prohibits the use or the disclosure of an individual’s Protected Health Information (PHI) without the individual’s consent unless expressly permitted or required by the Privacy Rule.
On June 28, 2022, HHS Secretary Xavier Becerra announced a number of steps that included ensuring patient privacy for individuals seeking reproductive health care. The Office of Civil Rights (OCR) within HHS responded with guidance addressing several scenarios that included HIPAA’s exception for disclosure when “required by law.” In relevant part, OCR explained:
The Privacy Rule permits but does not require covered entities to disclose PHI about an individual, without the individual’s authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law. This permission to disclose PHI as “required by law” is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law. Disclosures of PHI that do not meet the “required by law” definition in the HIPAA Rules, or that exceed what is required by such law, do not qualify as permissible disclosures. [Emphasis in original.]
Implicit in the guidance is that the HIPAA Privacy Rule does not prevent compelled disclosure when required by state law. The Ohio Supreme Court recognized this proposition in State ex rel. Cincinnati Enquirer v. Daniels, where it reviewed the Cincinnati Health Department’s denial of a request for records listing property owners who received notices of contamination based on blood tests received by the Department showing elevated lead levels. The Court disagreed with the Department’s refusal to produce the information based on the HIPAA Privacy Rule because the records contained PHI. Furthermore, the Court stated that “even if the records did contain protected health information, they would still be subject to release in accordance with the ‘required by law’ exception to HIPAA.” Thus, while the guidance by the federal government under HIPAA provides some additional assurances for providers and patients, it cannot ensure that PHI related to reproductive health services will not be disclosed.
Thus far, none of the states that have banned abortion in the aftermath of Dobbs have criminalized the conduct of the woman seeking the abortion. However, if abortion were to be criminalized, an example of a disclosure that might not meet the “required by law” standard would be an emergency room staff reporting a woman presenting for care related to a miscarriage following an attempted self-induced abortion where no statute existed requiring that a report be made. Such an instance occurred in Texas and resulted in a grand jury charging a woman with murder under its “heartbeat law.” The charges, however, were eventually dropped as the Texas law explicitly exempts pregnant women who get an abortion from criminal consequences.
The enactment of “fetal personhood” abortion laws, such as that in Georgia, present a further risk that women who undergo an abortion will be prosecuted for child abuse or feticide. This places physicians in a difficult position as physicians are mandated to report child abuse in all states.
A recent article entitled “Supporting, Not Reporting – Emergency Department Ethics in a Post-Roe Era” in the September 8, 2022, issue of the New England Journal of Medicine analyzes this tension between the physician’s duty of care and confidentiality against his/her obligation to comply with legal requirements. The article’s authors reject the applicability of the mandatory child abuse paradigm in connection with a woman having undergone an abortion and find support in a footnote to the OCR guidance indicating that HIPAA exceptions regarding “reports of child abuse or neglect would not apply to disclosures of PHI relating to reproductive health care.” They further contend that “[t]he justification for breaching confidentiality to report child abuse is not punishment but prevention of harm, which doesn’t apply in abortion cases.” More specifically, they urge Emergency Department staff to be guided by ethical principles that would preclude any disclosure:
[T]he American College of Emergency Physicians’ code of ethics, which states, “Personal information may only be disclosed when such disclosure is necessary to carry out a stronger conflicting duty, such as a duty to protect an identifiable third party from serious harm or to comply with a just law.”
Mandatory reporting laws are ethically justified under the principle of non-maleficence because they prevent harm to a patient or other individuals, or under the principle of beneficence because they directly benefit patients by protecting them from specific harms. Either situation overrides the ethical principle of patient autonomy.
However, requiring mandatory reporting concerning abortions presents a circumstance of something being legal but unethical. There is guidance from the American Medical Association that “[i]n circumstances of unjust laws, ethical responsibilities should supersede legal duties.” This conundrum with the potential for civil disobedience is not unique, but is a variation on the “conscience” claim for refusing to provide abortion. Here, the ethical decision involves supporting the choice to have an abortion. The refusal to perform an abortion, as a matter of conscience, has frequently been asserted and legislatively recognized. But not performing an action required by one’s core beliefs can be just as harmful to an individual’s moral integrity. This “conscientious objection” should also be recognized.
New Jersey has already taken steps to enhance the HIPAA protection of PHI with the enactment of Bill A3975 on July 1, 2022. This new law prohibits any disclosures related to reproductive health care services that are permitted under the laws of this state without written consent of the patient or the patient’s authorized legal representative. This protection covers not only New Jersey residents but also a person who resides in a jurisdiction where abortion is illegal.