The HIPAA Privacy Rule Provides Limited Protection Against State Subpoenas Seeking Reproductive PHI
Overview of HIPAA Applicability Generally
The HIPAA Privacy Rule provides a limited shield against a state’s access to reproductive health data. HIPAA is not universally applicable. HIPAA requirements apply to a “covered entity,” which is a health plan, healthcare clearinghouse, or healthcare provider that electronically transmits health information in connection with a standard transaction.13 Additionally, HIPAA covers “protected health information” (PHI), which is individually identifiable information relating to the past, present, or future health of an individual or payment for provision of healthcare services for that individual.14
Generally, covered entities cannot disclose PHI without patient authorization for purposes other than those delineated in the HIPAA regulations.15 However, the Privacy Rule regulations provide a few exceptions permitting release of PHI without patient authorization.16
HIPAA Permits Release of Health Data Without Authorization if an Express Exemption is Met
The Four Exemptions
HIPAA provides four exemptions that permit a covered entity to release an individual’s health data without authorization: when (1) required by law, (2) pursuant to a court order, (3) needed for law enforcement purposes, or (4) pursuant to civil subpoena.
First, a covered entity may disclose PHI without a patient’s authorization to the extent required by law if the disclosure is limited to the “relevant requirements” of such law.17
Second, a covered entity may disclose PHI without authorization pursuant to a court order, but the disclosed PHI is limited to the information expressly authorized in that order.18 Department of Health and Human Services (HHS) guidance explains that court-ordered disclosures fall within the “required by law” exception and are not subject to the “minimum necessary requirements” discussed in the following section.19
Third, a covered entity may release PHI for law enforcement purposes requested through (1) a court order, court-ordered warrant, subpoena, or summons issued by a judicial officer; (2) a grand jury subpoena; or (3) an administrative request20 if the sought PHI is material to a legitimate law enforcement inquiry, limited in scope to the extent reasonably practicable for the sought purpose, and de-identified health data could not reasonably be used.21
Fourth, a covered entity may release PHI pursuant to civil subpoena, discovery request, or other lawful process that is unaccompanied by a court order provided that the covered entity receives “satisfactory assurance” from the requesting party that it made reasonable efforts to provide the patient notice of its request or to obtain a qualified protective order.22
Under each exemption, HIPAA permits but does not mandate PHI disclosure without the patient’s consent.23 Therefore, if an exemption is lawfully satisfied and a covered entity refuses to disclose PHI, HIPAA would neither penalize nor protect that covered entity for its noncompliance.24
The Content of PHI Disclosed Pursuant to an Express Exemption
The extent of the PHI disclosed pursuant to an exemption differs depending on whether the disclosure is in response to a court order or a party other than a court. For a court order, the covered entity is solely permitted to disclose the PHI explicitly authorized within the order.25 For a disclosure requested by a party other than a court of law, the covered entity may disclose only the “minimum necessary” information needed to satisfy the purpose of that request.26
Summary of HIPAA's Effect on Reproductive PHI Protection and HIPAA Enforcement Mechanisms
HIPAA does not shield reproductive PHI from a state subpoena that satisfies a Privacy Rule exemption; the statute merely adds regulatory impediments that a state must satisfy to access the data.27
Covered entities would be ill-advised to resist a lawful state subpoena for reproductive PHI. While a covered entity may refuse to disclose PHI under HIPAA and face no federal consequences, the state could charge the covered entity with obstruction of justice or seek other penalties.28
HIPAA’s enforcement mechanism for unlawful disclosure of PHI does not penalize a state directly for an improper subpoena of reproductive PHI. HIPAA utilizes a four-tier penalty structure, encompassing both criminal and civil penalties, that increases with the culpability of a violation.29 The regulation specifies that a “person” may be subject to liability for improper disclosure of PHI and defines a person as an “individual, a trust or estate, a partnership, or a corporation.”30 A state would not be considered a “person” unless the state was acting in its capacity as a covered entity (such as by offering a health plan).31 Therefore, where PHI is improperly released to a state in response to a flawed subpoena request, HIPAA imposes no penalty on the state and does not bar its use of the data.32 Additionally, if a state improperly obtained PHI, HIPAA does not provide a mechanism for leveraging the exclusionary rule to suppress that PHI,33 and the majority of jurisdictions do not require exclusion of PHI from evidence due to a HIPAA violation.34
It is important to note that other privacy risks to reproductive data exist in addition to the exemptions within HIPAA itself. Reproductive data is also collected, stored, and sold by entities not subject to HIPAA’s privacy protections, and individuals may be unaware of this privacy risk.35 Health applications are a salient example. Covered entities and covered entities’ business associates must comply with HIPAA.36 However, health app developers that did not create or offer the app on behalf of a covered entity (or a contractor of a covered entity) are not subject to HIPAA PHI protections.37 Therefore, a patient could input the same reproductive health data that satisfies the HIPAA definition of PHI into a health app that is not covered by HIPAA, and that health app could potentially lawfully sell that information to third parties or share it with a state for a criminal prosecution.38 No national protections exist to prevent health applications that are not subject to HIPAA from selling such information; however, some states do provide users ownership rights over their data, which could prevent sale of reproductive health data to third parties.39
A Brief Survey of Enacted and Proposed Privacy Legislation Designed to Protect Reproductive Health
Federal Efforts to Protect Reproductive Health Data
Congressional action is required to provide comprehensive and nationally uniform protection of reproductive health data. President Biden reaffirmed his administration’s commitment to protecting reproductive health data post-Dobbs.40 Through an executive order, the president directed the HHS Secretary to “consider actions,” including new HIPAA guidance, “to strengthen the protection of sensitive information related to reproductive healthcare services…”41 The HHS Office for Civil Rights (OCR)42 released guidance on June 29, 2022, affirming that reproductive PHI may only be released without patient authorization pursuant to one of HIPAA’s express exemptions, and that HIPAA does not mandate its release.43 Even if the OCR released more rigorous guidance for reproductive PHI protection, such action would merely have persuasive value, as any federal agency’s guidance lacks the force of law to be binding.44
To create legally binding reform without Congressional assistance, the OCR could seek to heighten the requirements for patient-unauthorized release of reproductive PHI under HIPAA through the rulemaking process, since the Privacy Rule exemptions are contained in regulations, not the HIPAA statute itself.45 However, Congress solely retains the authority to alter HIPAA itself, which offers the most powerful mechanism to uniformly protect reproductive PHI.46
The current Congressional proposal to safeguard reproductive health data fails to adequately shield data from state prosecutors. The My Body, My Data Act, proposed by Senators Mazie Hirono (D-HI) and Ron Wyden (D-OR) and Representative Sara Jacobs (D-CA), is designed to protect reproductive data “collect[ed], retain[ed], use[d], or disclose[d]” by regulated entities through requiring the “express written consent of the individual” or releasing such information only as “strictly necessary to provide a requested product or service.”47 This proposal explicitly specifies its inapplicability to HIPAA-covered entities and thus neglects to address how states could continue to access reproductive PHI using the Privacy Rule exemptions.48 As of September 1, 2022, the bill has not been passed by the House.49
State Protection of Reproductive Health Data
States are also taking measures to safeguard reproductive services data. An obvious limitation of any state action is that its protections reach only patients and holders of health data located within that state’s own jurisdiction. Moreover, states choosing to criminalize abortions are logically unlikely to cripple their law enforcement’s ability to access key evidence by enacting such privacy protections. Thus, while state privacy laws can function as a “laboratory of democracy” and serve as a model for future legislation, persons most at risk of criminal prosecution for abortions will not be effectively protected until federal legislation is passed.50
An exemplary state statute for building upon HIPAA’s national floor of reproductive PHI protection is Connecticut’s Reproductive Freedom Defense Act.51 The Connecticut Reproductive Freedom Defense Act, enacted May 5, 2022, augments HIPAA protections52 by (1) shielding in-state HIPAA-covered entities from liability for lawfully performed in-state abortions and (2) protecting both Connecticut citizens and out-of-state travelers who receive lawful abortion services in-state.53 The act prohibits in-state HIPAA-covered entities from disclosing reproductive PHI without the patient’s written authorization, prohibits Connecticut public agencies from assisting with civil or criminal investigations related to abortion, and prohibits the Connecticut judiciary from complying with other states’ judicial orders issuing subpoenas for in-state reproductive PHI.54 With these elements in place, the Connecticut Act provides additional privacy protections where HIPAA lapses. However, the Connecticut Act also contains shortcomings, including: (1) the lack of clarity regarding whether HIPAA business associates could disclose reproductive PHI without patients’ written authorization and (2) its failure to address the HIPAA law enforcement and administrative request exemptions.55 Future reform efforts modeled after the Reproductive Freedom Defense Act should consider addressing the ongoing lapses in protection.
Uncertainty in Protection of Reproductive Health Data Calls for Reform
After Dobbs, patients, providers, and other stakeholders face uncertainty in navigating the 50 states’ unique abortion laws. The need for national uniform protection of reproductive health data is evident: HIPAA provides limited protection against state prosecutors’ access to reproductive health data, and states have already expressed their strong interests in either prosecuting or protecting abortion patients and providers. As civil lawsuits and criminal prosecutions commence, policymakers will receive heightened calls for reform in the privacy-health sector and face complex challenges in placating the competing federal, state, and private interests inherently intertwined with reproductive healthcare.