Criminalization of Healthcare
Even before the Dobbs decision, people were improperly criminalized for their pregnancy outcomes, and the most common way that a person became targeted for such criminalization was a report from a care provider. From 2000 to 2020, the organization If/When/How “identified 61 cases [across 26 states] of people criminally investigated or arrested for allegedly ending their own pregnancy or helping someone else do so”; 39% of these cases resulted from a report by a healthcare provider, with an additional 6% reported by social workers. These reports were not legally supportable and likely violated healthcare providers’ ethical duties, and some of these instances did not result in conviction. But, once law enforcement became involved, the vast majority of cases involving adults resulted in an arrest, and 43 cases proceeded through the criminal court system. Four of these 43 cases went to trial and ended with a guilty verdict, and 19 ended with a guilty plea. Prosecutors invoked all manner of laws in these cases, including laws prohibiting mishandling of human remains, concealment of a birth, practicing medicine without a license, child abuse and assault, and murder and homicide. Further, the “racial disparity” in negative outcomes “was striking and statistically significant: a homicide consideration was two times more frequent in cases involving people of color compared to those involving non-Hispanic white individuals.”
Being charged with a crime and investigated can cause irreparable damage to an individual beyond criminalization. Some of these cases resulted in other far-reaching legal consequences—in several cases, people lost custody of their existing children temporarily or permanently. In one case, prosecutors ultimately “declined to prosecute after acknowledging the self-managed abortion was not unlawful, but the woman was still turned over to immigration authorities for deportation.” Some cases also resulted in “people being shamed and ostracized in their communities, including needing to move due to threats at their homes or changing their names because they were unable to get or keep jobs.” All of these reverberations are particularly grave for Black women and other people of color.
Dobbs has only amplified the likelihood of healthcare information being used for criminalization or harassment. Abortion bans and transgender medicine bans for young people have induced widespread fear of criminalization by healthcare providers even regarding activities that are not criminalized, causing a severe, chilling effect on the provision of care and information, including in the most dire circumstances, and overcompliance with state laws. This is occurring despite the fact that no current state law explicitly criminalizes legal out-of-state abortion care or a patient who receives an illegal abortion regardless of how they accessed care, prohibits the sharing of truthful information about legal abortions, requires clinicians to report such patients to law enforcement or child welfare agencies, or mandates that providers elicit information about abortion. Nevertheless, this widespread fear and the resulting overcompliance means that information about whether a person accessed an abortion legally in another state or illegally in a ban state can become risky for patients and providers. Anti-abortion actors have sought to use information about abortion-seeking against patients, their supporters, and their providers. Similarly, the outing of records relating to transgender medicine or gender identity can have dramatic effects given the level of discrimination and stigma transgender people face in the healthcare system generally.
The Scope of the Information Blocking Rule
The Information Blocking Rule exists within the space of communication between providers. For this reason, it is consistent with HIPAA, which largely permits such activity without the same protections that exist for the sharing of protected health information (PHI) with third parties. Under most circumstances, this may not be objectionable and may be beneficial. The Information Blocking Rule was designed to remedy real barriers to accessing EHI in order to better support patients’ access to their own medical records and continuity of care. These are important goals. In the context of the criminalization of abortion and transgender medicine, however, some healthcare providers themselves can be opposed to the interests of the patient with respect to the use of their EHI. Acknowledging the risks associated with disclosure of abortion-related PHI to enforcers in ban states, the Biden Administration has proposed a new HIPAA regulation to provide greater protection to reproductive health records that may be sought for the purpose of criminalization But, significantly, that rule does nothing to address how interoperability will continue to threaten this goal and pose a problem for providers of criminalized and stigmatized services. The proposal also does not apply to gender-affirming care records.
Under the Cures Act, information blocking means “a practice that… is likely to interfere with access, exchange, or use of electronic health information.” Violations of the Information Blocking Rule occur when the provider “knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” A practice is “likely to interfere” if there is a “reasonably foreseeable risk that the practice will interfere with access, exchange, or use of EHI.”
The Rule applies to users of EMR. If a provider uses paper records, for example, they do not come within the scope of the rule. If a provider uses EMR, and their particular system does not have the capability to be interoperable with other systems, the provider does not need to obtain an interoperable system that comes within the ambit of the Rule. If, however, a provider uses EMR, and their system is interoperable with others outside the facility, it must comply with the Information Blocking Rule. Disabling that interoperability requires a provider to fall within an exception to the Rule because it is “likely to interfere” with the “ability for electronic information to be transmitted between and among different technologies, systems, platforms, or networks.”
On November 1, 2023, the Office of the National Coordinator for Health Information Technology (ONC) proposed significant penalties for providers, which could range from around $600 to many thousands of dollars depending on the type of actor and practice.
Exceptions to the Information Blocking Rule for Providers
Abortion providers or providers of transgender medicine to youth may want to disable interoperability to some degree within their EMR system’s capability in order to protect their patients and themselves from criminalization and harassment. They can do so by meeting one of the exceptions to the Rule, although complying with the contours of these exceptions is not straightforward, especially for small healthcare providers like independent abortion clinics that lack significant resources to devote to EMR management and whose services are nearly all criminalized or stigmatized in other jurisdictions. The most significant challenge can be how to document the exceptions when nearly all of a provider’s patients face risks associated with their EHI because of the nature of their practice.
ONC finalized five exceptions available to providers. Two exceptions are most relevant here—the preventing harm and privacy exceptions.
Preventing Harm Exception
In order to meet the preventing harm exception, a provider must “hold a reasonable belief that the practice will substantially reduce a risk of harm to a patient or another natural person that would otherwise arise from the access, exchange, or use of electronic health information affected by the practice.” The primary challenge providers have had with this exception is that the “risk of harm” must generally be “determined on an individualized basis in the exercise of professional judgment by a licensed health care professional who has a current or prior clinician-patient relationship with the patient whose electronic health information is affected by the determination.” The “type of harm” must also be “one that could serve as grounds for an entity covered” under HIPAA to “deny access… to an individual’s protected health information,” such as where “[a] licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.”
Providers must document how each patient faces a risk of harm from their EHI being subject to interoperable sharing. A provider can use an institutional policy to meet the documentation requirement if the policy meets a set of separate requirements. Alternatively, they must document a “case by case determination” of harm. Even if the provider uses an institutional policy to meet the documentation requirements, they must still have determined the risk of harm “on an individualized basis,” which makes the institutional policy option not significantly less burdensome. Providers intending to rely on this exception should consider how they can best document their determination. This could look like adding a field to a patient’s intake.
Privacy Exception
The sub-exception of the privacy exception that is typically easiest for a clinic to meet is where an individual “request[s]” that the clinic not share the information. To meet this exception, the patient must make the request orally or in writing, and the provider must document the request within a reasonable period of time (a note in the patient’s EHR or similar notation will suffice). The challenge that providers have faced with this option is in counseling patients on what it means to share EHI via EMR interoperability. Providers report that their patients’ assumption is that their records can only be shared with their consent and not as a default, and this counseling can be disturbing and confusing for patients. Nevertheless, some providers have implemented an additional element to their consent process in order to rely on this exception. This could be adding an additional form or part of a form to the standard information provided to patients alongside a HIPAA notice.
Another privacy sub-exception applies when a state or federal law prevents disclosure. A few states have enacted protections explicitly for abortion- or transgender-medicine related EHI—California, Connecticut, Delaware, Maryland, MassachusettsMinnesota, New Jersey, New York, and Vermont. All of these provisions are distinct, and providers should seek legal advice about the extent to which they can rely on these protections or other general state statutory protections for EHI to underpin activity defined as information blocking, such as disabling interoperability.
Call to Action
At bottom, the Information Blocking Rule does not work very well in the context of care that is criminalized and stigmatized in some states and not others. As described above, patients traveling from ban states to receive care face serious risks of harm if their home state providers were to report their care and have strong interests in ensuring that their abortion- or gender-affirming-care-related EHI is not shared with clinicians in hostile states. The risks associated with unwanted disclosure are extraordinarily high.
The documentation requirements are a challenge for providers of criminalized and stigmatized healthcare, since we are not talking about a handful of patients who need their EHI protected. It is also a challenge practically to use EMR systems to disable interoperability. EPIC, one of the most used EMR systems in the nation, can be very sophisticated and allow for a provider to easily share or not share particular records, depending on the “instance” of EPIC that is customized for the facility. Other clinics use less complex EMR and have found that there is no easy way to use their system to document and determine on an individualized basis how records are shared.
For these reasons, if the Biden Administration were to modify or interpret the Information Blocking Rule to ease the burdens of compliance on providers of criminalized and stigmatized medicine, providers would be better able to ensure needed confidentiality, and reproductive health and gender-affirming care records would be more secure. At the same time, states should continue to enact laws that allow providers to information block with respect to these categories of EHI since that gives providers the best option for complying with the Rule while protecting their patients.