chevron-down Created with Sketch Beta.
October 31, 2022

Reproductive Health Data as an Evidentiary Tool in State Criminal Prosecutions

Whether HIPAA Protects Reproductive Health Data from State Subpoenas

By Elizabeth LaPaugh

 

After Dobbs, State Criminalization of Abortion Gives Rise to Privacy Concerns for Patients, Providers, and Stakeholders

On June 24, 2022, the United States Supreme Court voted in Dobbs v. Jackson Women’s Health Organization to return the question of abortion constitutionality to the states, reversing nearly 50 years of precedent set by Roe v. Wade and Planned Parenthood v. Casey.1 The right to an abortion was previously deemed to fall within the penumbras of privacy guaranteed by the Bill of Rights and was viewed as “implicit in the concept of ordered liberty” under the Fourteenth Amendment.2 The lawfulness of abortion now differs dramatically by jurisdiction as trigger laws3 became effective upon the Dobbs ruling and new abortion legislation is passed post-Dobbs.4 Depending on where an individual is located, abortion services can be legal,5 limited,6 banned and enforceable through private civil actions,7 or codified as a crime punishable by a lengthy prison sentence.8 States enforcing their abortion bans via the penal system have primarily targeted healthcare providers for criminal liability.9 However, even if a state did not explicitly reserve its right to prosecute patients who sought or received an unlawful abortion, the state could pursue alternative penal avenues.10 Other criminal statutes, such as feticide, homicide, aggravated assault, conspiracy, or attempt crimes, could potentially be utilized for prosecution of in-state abortion recipients or residents who travel out of state for abortion services.11

Patients, providers, insurers, and other stakeholders are now faced with critical questions regarding how reproductive health data is protected and accessed by states for use in criminal prosecutions. This article examines the limited protection offered by the Health Insurance Portability and Accountability Act (HIPAA) against state subpoenas for reproductive protected health information, and surveys recent efforts by the federal government and states to safeguard this data.12

 

The HIPAA Privacy Rule Provides Limited Protection Against State Subpoenas Seeking Reproductive PHI

Overview of HIPAA Applicability Generally

The HIPAA Privacy Rule provides a limited shield against a state’s access to reproductive health data. HIPAA is not universally applicable. HIPAA requirements apply to a “covered entity,” which is a health plan, healthcare clearinghouse, or healthcare provider that electronically transmits health information in connection with a standard transaction.13 Additionally, HIPAA covers “protected health information” (PHI), which is individually identifiable information relating to the past, present, or future health of an individual or payment for provision of healthcare services for that individual.14

Generally, covered entities cannot disclose PHI without patient authorization for purposes other than those delineated in the HIPAA regulations.15 However, the Privacy Rule regulations provide a few exceptions permitting release of PHI without patient authorization.16

HIPAA Permits Release of Health Data Without Authorization if an Express Exemption is Met

The Four Exemptions

HIPAA provides four exemptions that permit a covered entity to release an individual’s health data without authorization: when (1) required by law, (2) pursuant to a court order, (3) needed for law enforcement purposes, or (4) pursuant to civil subpoena.

First, a covered entity may disclose PHI without a patient’s authorization to the extent required by law if the disclosure is limited to the “relevant requirements” of such law.17

Second, a covered entity may disclose PHI without authorization pursuant to a court order, but the disclosed PHI is limited to the information expressly authorized in that order.18 Department of Health and Human Services (HHS) guidance explains that court-ordered disclosures fall within the “required by law” exception and are not subject to the “minimum necessary requirements” discussed in the following section.19

Third, a covered entity may release PHI for law enforcement purposes requested through (1) a court order, court-ordered warrant, subpoena, or summons issued by a judicial officer; (2) a grand jury subpoena; or (3) an administrative request20 if the sought PHI is material to a legitimate law enforcement inquiry, limited in scope to the extent reasonably practicable for the sought purpose, and de-identified health data could not reasonably be used.21

Fourth, a covered entity may release PHI pursuant to civil subpoena, discovery request, or other lawful process that is unaccompanied by a court order provided that the covered entity receives “satisfactory assurance” from the requesting party that it made reasonable efforts to provide the patient notice of its request or to obtain a qualified protective order.22

Under each exemption, HIPAA permits but does not mandate PHI disclosure without the patient’s consent.23 Therefore, if an exemption is lawfully satisfied and a covered entity refuses to disclose PHI, HIPAA would neither penalize nor protect that covered entity for its noncompliance.24

The Content of PHI Disclosed Pursuant to an Express Exemption

The extent of the PHI disclosed pursuant to an exemption differs depending on whether the disclosure is in response to a court order or a party other than a court. For a court order, the covered entity is solely permitted to disclose the PHI explicitly authorized within the order.25 For a disclosure requested by a party other than a court of law, the covered entity may disclose only the “minimum necessary” information needed to satisfy the purpose of that request.26

Summary of HIPAA's Effect on Reproductive PHI Protection and HIPAA Enforcement Mechanisms

HIPAA does not shield reproductive PHI from a state subpoena that satisfies a Privacy Rule exemption; the statute merely adds regulatory impediments that a state must satisfy to access the data.27

For lawful state subpoena requests of reproductive PHI, resisting the request would be inadvisable for covered entities. While the covered entity may refuse to disclose PHI under HIPAA and face no federal consequences, the state could charge the covered entity with obstruction of justice or seek other penalties.28

HIPAA’s enforcement mechanism for unlawful disclosure of PHI does not penalize a state directly for an improper subpoena of reproductive PHI. HIPAA utilizes a four-tier penalty structure, encompassing both criminal and civil penalties, that increase with the culpability of a violation.29 The regulation specifies that a “person” may be subject to liability for improper disclosure of PHI and defines a person as an “individual, a trust or estate, a partnership, or a corporation.”30 A state would not be considered a “person” unless the state was acting in its capacity as a covered entity (such as by offering a health plan).31 Therefore, for PHI improperly released to a state despite a flawed subpoena request, the state would receive no penalty under HIPAA disallowing its usage of the data.32 Additionally, if a state improperly obtained PHI, HIPAA does not provide a mechanism for leveraging the exclusionary rule to suppress that PHI,33 and the majority of jurisdictions do not require exclusion of PHI from evidence due to a HIPAA violation.34

Important to note is that other privacy risks to reproductive data exist in addition to the exemptions within HIPAA itself. Reproductive data is also collected, stored, and sold by entities not subject to HIPAA’s privacy protections—and individuals may be unaware of this privacy risk.35 Health applications are a salient example. Covered entities and covered entities’ business associates must comply with HIPAA.36 However, health app developers that did not create or offer the app on behalf of a covered entity (or a contractor of a covered entity) are not subject to HIPAA PHI protections.37 Therefore, a patient could input the same reproductive health data that satisfies the HIPAA definition of PHI into a health app, which is not covered by HIPAA, and that health app could potentially lawfully sell that information to third parties or share it with a state for a criminal prosecution.38 No national protections exist to prevent health applications that are not subject to HIPAA from selling such information; however, some states do provide users ownership rights over their data, which could prevent sale of reproductive health data to third parties.39

A Brief Survey of Enacted and Proposed Privacy Legislation Designed to Protect Reproductive Health

Federal Efforts to Protect Reproductive Health Data

Congressional action is required to provide comprehensive and nationally uniform protection of reproductive health data. President Biden reaffirmed his administration’s commitment to protecting reproductive health data post-Dobbs.40 Through an executive order, the president directed the HHS Secretary to “consider actions,” including new HIPAA guidance, “to strengthen the protection of sensitive information related to reproductive healthcare services…”41 The HHS Office for Civil Rights (OCR)42 released guidance on June 29, 2022, affirming that reproductive PHI may only be released without patient authorization pursuant to one of HIPAA’s express exemptions, and that HIPAA does not mandate its release. 43 Even if the OCR released more rigorous guidance for reproductive PHI protection, such action would merely have persuasive value, as any federal agency’s guidance lacks the force of law to be binding.44

To create legally binding reform without Congressional assistance, the OCR could seek to heighten the requirements for patient-unauthorized release of reproductive PHI under HIPAA through the rulemaking process, since the Privacy Rule exemptions are contained in regulations, not the HIPAA statute itself.45 However, Congress solely retains the authority to alter HIPAA itself, which offers the most powerful mechanism to uniformly protect reproductive PHI.46

The current Congressional proposal to safeguard reproductive health data fails to adequately shield data from state prosecutors. The My Body, My Data Act, proposed by Senators Mazie Hirono (D-HI) and Ron Wyden (D-OR) and Representative Sara Jacobs (D-CA), is designed to protect reproductive data “collect[ed], retain[ed], use[d], or disclose[d]” by regulated entities through requiring the “express written consent of the individual” or releasing such information only as “strictly necessary to provide a requested product or service.”47 This proposal explicitly specifies its inapplicability to HIPAA-covered entities and thus neglects to address how states could continue to access reproductive PHI using the Privacy Rule exemptions.48 As of September 1, 2022, the bill has not been passed by the House.49

State Protection of Reproductive Health Data

States are also taking measures to safeguard reproductive services data. An obvious limitation to any state action is that its protections are limited to patients or conveyors of health data located within its jurisdiction alone. Moreover, states choosing to criminalize abortions are logically unlikely to cripple their law enforcement’s ability to access key evidence by enacting such privacy protections. Thus, while state privacy laws can function as a “laboratory of democracy” and serve as a model for future legislation, persons most at risk of criminal prosecution for abortions will not be effectively protected until federal legislation is passed.50

An exemplary state statute for building upon HIPAA’s national floor of reproductive PHI protection is Connecticut’s Reproductive Freedom Defense Act.51 The Connecticut Reproductive Freedom Defense Act, enacted May 5, 2022, augments HIPAA protections52 by (1) shielding in-state HIPAA-covered entities from liability for lawfully performed in-state abortions and (2) protecting both Connecticut citizens and out-of-state travelers who receive lawful abortion services in-state.53 The act prohibits in-state HIPAA-covered entities from disclosing reproductive PHI without the patient’s written authorization, prohibits Connecticut public agencies from assisting with civil or criminal investigations related to abortion, and prohibits the Connecticut judiciary from complying with other states’ judicial orders issuing subpoenas for in-state reproductive PHI.54 With these elements in place, the Connecticut Act provides additional privacy protections where HIPAA lapses. However, the Connecticut Act also contains shortcomings, including: (1) the lack of clarity regarding whether HIPAA business associates could disclose reproductive PHI without patients’ written authorization and (2) its failure to address the HIPAA law enforcement and administrative request exemptions.55 Future reform efforts modeled after the Reproductive Freedom Defense Act should consider addressing the ongoing lapses in protection.

Uncertainty in Protection of Reproductive Health Data Calls for Reform

After Dobbs, patients, providers, and other stakeholders face uncertainty in navigating the 50 states’ unique abortion laws. The need for national uniform protection of reproductive health data is evident: HIPAA provides limited protection against state prosecutors’ access to reproductive health data, and states have already expressed their strong interests in either prosecuting or protecting abortion patients and providers. As civil lawsuits and criminal prosecutions commence, policymakers will receive heightened calls for reform in the privacy-health sector and face complex challenges in placating the competing federal, state, and private interests inherently intertwined with reproductive healthcare.

Endnotes:

  1.  Dobbs v. Jackson Women’s Health Org., 142 S. Ct. 2228 (2022); Planned Parenthood v. Casey, 505 U.S. 833 (1992); Roe v. Wade, 410 U.S. 113 (1973).
  2.  Supra n. 1, Roe, 410 U.S. at 153; Griswold v. Connecticut, 381 U.S. 479, 484–485.
  3.  Abortion Policy in the Absence of Roe, Guttmacher Institute (Aug. 1, 2022), https://www.guttmacher.org/state-policy/explore/abortion-policy-absence-roe (explaining 13 states enacted legislation post-Roe that was designed to become effective upon the constitutional right to an abortion being overturned); see also Robert A. What are abortion trigger laws, and where do they stand?, ABA Journal (June 30, 2022), https://www.abajournal.com/web/article/what-are-abortion-trigger-laws-and-where-do-they-stand (explaining the function of trigger laws).
  4.  Termination of Pregnancy (Abortion): State Access Immediately After Overturning Roe v. Wade, 0100 SURVEYS 100 (last updated July 22, 2022); see e.g., After Roe Fell: Abortion Laws by State, Center for Reproductive Rights, https://reproductiverights.org/maps/abortion-laws-by-state/ (last visited Aug. 3. 2022) (noting the distinction among states that not only ban abortion but enforce those bans via criminal prosecution).
  5.  See e.g., Colo. Rev. Stat. Ann. § 25-6-404 (West 2022) (Colorado enacted the Reproductive Health Equity Act on April 4, 2022, which provides that a Colorado governmental entity may not “deny, restrict, interfere with or discriminate against an individual’s fundamental right to use or refuse contraception or to continue a pregnancy and give birth or to have an abortion ...”).
  6.  For example, on April 15, 2022, Florida enacted legislation designed to add a 15-week gestational limitation, which would have gone into effect July 1, 2022, but for a circuit court’s injunction. Fla. Stat. Ann. § 390.0111 (West 2022); Planned Parenthood of Sw. and Cent. Florida v. State, No. 2022 CA 912, 2022 WL 2436704, at *25-26 (Fla. Cir. Ct. July 05, 2022).
  7.  Idaho, Oklahoma, and Texas have each passed legislation providing damages (or as opponents have dubbed a “cash reward” or “bounty”) to their citizens who are successful in suit against persons or entities who aided an individual who received an abortion unlawfully. The states differ in who may have standing for suit and the defendant who could be held liable (ranging from the direct provider or third parties who provided assistance during some step of the process). See Idaho Code Ann. § 18-8807 (West 2022); Okla. Stat. Ann. tit. 63, § 1-745.39 (West 2022); Tex. Health & Safety Code Ann. § 171.208 (West 2021).
  8.  See e.g., Miss. Code. Ann. § 41-41-45 (West 2007) (making provision of an abortion by a healthcare provider a felony punishable by up to 10 years imprisonment); see also Ind. Code Ann. § 16-34-2-7 (West 2019); Large employers express opposition after Indiana approves abortion ban, NPR (Aug. 6, 2022), https://www.npr.org/2022/08/06/1116132623/indiana-becomes-1st-state-to-approve-abortion-ban-post-roe (discussing how Indiana was the first state post-Dobbs to enact legislation banning abortions and to make performing an abortion a felony, unless the patient’s life was at risk).
  9.  Supra n. 4, 0100 Surveys 100.
  10.  Abortion in America: How Legislative Overreach is Turning Reproductive Rights into Criminal Wrongs National Association of Criminal Defenses Lawyers, 24-27, (2021), https://www.nacdl.org/getattachment/ce0899a0-3588-42d0-b351-23b9790f3bb8/abortion-in-america-how-legislative-overreach-is-turning-reproductive-rights-into-criminal-wrongs.pdf.
  11.  Id.
  12.  Health Insurance Portability and Accountability Act §§ 261-264, Pub. L. 104–191, 110 Stat. 1936 (1996) (codified as 42 U.S.C. § 1320d-2); 45 C.F.R. pt. 160, 164(A), (D) (the Privacy Rule).
  13.  45 C.F.R. § 160.103.
  14.  45 C.F.R. § 164.501.
  15.  45 C.F.R. § 164.502(a).
  16.  45 C.F.R. § 164.512(a), (e), (f).
  17.  45 C.F.R. § 164.512(a).
  18.  45 C.F.R. § 164.512(e)(1)(i).
  19.  Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82529 (Dec. 28, 2000) (to be codified 45 C.F.R. pt. 160, 164).
  20.  The administrative request could take the form of a subpoena, summons, civil or authorized investigative demand, or other lawfully authorized process. 45 C.F.R. § 164.512(f).
  21.  45 C.F.R. § 164.512(f)(1)(ii) (there are other law enforcement exceptions as well).
  22.  45 C.F.R. § 164.512(e)(1)(v).
  23.  Department of Health and Human Services. HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care. June 29, 2022, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html#footnote7_m0k8xn7.
  24.  Id.
  25.  45 C.F.R. § 164.512(e)(1)(i).
  26.  45 C.F.R. § 164.502(b).
  27.  Supra n 23.
  28.  See Stanger, K., HIPAA: Responding to Orders, Subpoenas, and Law Enforcement, Holland & Hart LLP 1, 69 (Aug. 2017), https://www.hollandhart.com/pdf/HIPAA-Orders-Subpoenas-Law-Enforcement.pdf (mentioning an obstruction of justice charge as a potential repercussion for covered entities which refuse to comply with a HIPAA law enforcement request).
  29.  42 U.S.C. § 1320d-5; 42 U.S.C. § 1320d-6; Adjustment of Civil Monetary Penalties for Inflation and the Annual Civil Monetary Penalties Inflation Adjustment for 2021, 86 Fed. Reg. 62928 (Nov. 15, 2021) (to be codified 45 C.F.R. pt. 303).
  30.  42 U.S.C. § 1301(a)(3).
  31.  Department of Health and Human Services. Are state, county or local health departments required to comply with the HIPAA Privacy Rule? Dec. 20, 2002, https://www.hhs.gov/hipaa/for-professionals/faq/358/are-state-county-or-local-health-departments-required-to-comply-with-hipaa/index.html.
  32.  Id.; 42 U.S.C. § 1320d-5; 42 U.S.C. § 1320d-6.
  33.  Standards for Privacy of Individually Identifiable Health Information, Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462, 82596 (Dec. 28, 2000).
  34.  See Clark, J., HIPAA as an Evidentiary Rule? An Analysis of Miguel M. and Its Impact, 26 J.L. & Health 1, 2, 12 (2013) (identifying courts in states such as Florida, Georgia, Idaho, Illinois, Indiana, Kansas, Michigan, and Wisconsin that held HIPAA itself does not include suppression of evidence as a remedy and thus a court cannot properly suppress the PHI of its own volition under HIPAA).
  35.  For example, Representatives Maloney, Krishnamoorthi, and Jacobs launched a probe into how data brokers and personal health application companies use and sell their users’ reproductive data. The representatives cited a study that discussed how “87% of the 23 most popular women’s health apps—including reproductive health apps—shared user data with third parties, yet just over 50% requested [user] consent ...” Maloney, Krishnamoorthi, and Jacobs Launch Probe of Reproductive Health Data Privacy, House Committee on Oversight and Reform (July 8, 2022), https://oversight.house.gov/news/press-releases/maloney-krishnamoorthi-and-jacobs-launch-probe-of-reproductive-health-data.
  36.  A “business associate” is defined by the HHS to be a “person or entity,” who is not employed within the covered entity’s workforce, “that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” 45 CFR 164.502(e); Department of Health and Human Services, Business Associates. May 24, 2019, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
  37.  Health App Use Scenarios & HIPAA, Department of Health and Human Services Office of Civil Rights (Feb. 2016), 1, https://www.hhs.gov/sites/default/files/ocr-health-app-developer-scenarios-2-2016.pdf.
  38.  Id. (listing hypotheticals of whether the data input into a health app would be covered by HIPAA or not); Norman H, Knight V, Should you worry about data from your period-tracking app being used against you?, KHN. May 13, 2022, https://khn.org/news/article/period-tracking-apps-data-privacy/ (explaining reproductive health information in a health app could be used by state in a criminal prosecution).
  39.  Supra n. 38, Norman & Knight, (mentioning California and Virginia provide an ownership right for individuals in their app data); Cal. Code Regs. tit. 11, § 7013(a)(1); Va. Code Ann. § 59.1-577 (West).
  40.  FACT SHEET: President Biden to Sign Executive Order Protecting Access to Reproductive Health Care Services, The White House (July 8, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/07/08/fact-sheet-president-biden-to-sign-executive-order-protecting-access-to-reproductive-health-care-services/.
  41.  Executive Order on Protecting Access to Reproductive Healthcare Services, The White House (July 9, 2022), https://www.whitehouse.gov/briefing-room/presidential-actions/2022/07/08/executive-order-on-protecting-access-to-reproductive-healthcare-services/.
  42.  Department of Health and Human Services, HHS’ Office for Civil Rights is responsible for enforcing the Privacy and Security Rules, HIPAA Enforcement. July 25, 2017, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html#:~:text=HHS’%20Office%20for%20Civil%20Rights,privacy%20practices%20of%20covered%20entities.
  43.  Supra note 23.
  44.  Government Accountability Office, Guidance Documents from Federal Agencies. https://www.gao.gov/assets/670/669721.pdf (last visited Aug. 10, 2022).
  45.  Federal agencies possess authority to promulgate regulations consistent with purpose of the related federal enabling statute via the standard notice and comment process. See A Guide to the Rulemaking Process, Office of the Federal Register, 10, https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf; Summary of the HIPAA Privacy Rule, HHS.gov https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html#:~:text=The%20Health%20Insurance%20Portability%20and%20Accountability%20Act%20of%201996%20(HIPAA,and%20security%20of%20health%20information (last visited Sept. 1, 2021) (“Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. Collectively these are known as the Administrative Simplification provisions.”).
  46.  See id. at 2.
  47.  My Body, My Data Act of 2022, H.R. 8111, 117th Cong. (2022).
  48.  Id., Entities that would be covered by this proposal include search engines, applications, and cellphones; 100 members of the House support rep. Sara Jacobs’ My Body, My Data Act, Congresswoman Sara Jacobs (Aug. 25, 2022), https://sarajacobs.house.gov/news/documentsingle.aspx?DocumentID=590.
  49.  H.R.8111 - My Body, My Data Act of 2022, Congress.gov, https://www.congress.gov/bill/117th-congress/house-bill/8111?r=2&s=1 (last visited Sept. 1., 2022).
  50.  New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932) (Brandeis, J., dissenting) (“[A] single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.”).
  51.  45 C.F.R. § 160.202; Centers for Disease Control and Prevention, FAQs About HIPAA Privacy Rule. Jan. 27, 2015, https://www.cdc.gov/nhsn/hipaa/index.html.
  52.  Supra n. 51, 45 C.F.R. § 160.202.
  53.  S.B. 5414, 2022 Gen. Assemb., Reg. Sess. (Conn. 2022).
  54.  Id.
  55.  Supra n. 23..

Elizabeth LaPaugh, JD

LLM Candidate 2023, Georgetown University Law Center, Washington, DC

Elizabeth LaPaugh is a Master of Law student at Georgetown University Law Center. She attended Georgetown for her Juris Doctor, graduating cum laude, and the undergraduate institution of the University of Alabama, graduating summa cum laude. Elizabeth works as a healthcare associate for a Washington, D.C.-based law firm. While in law school, Elizabeth worked as a judicial intern and an extern for a federal agency, served as a student attorney for a clinic, and was the senior executive editor of her journal. She can be reached at [email protected]

Entity:
Topic:
The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.