Reproductive Health Issues for Employers Series, Part 3: HHS Guidance on HIPAA and Other Privacy Issues | Dickinson Wright


After the decision of the United States Supreme Court in Dobbs v. Jackson Women’s Health Organization overruling the constitutionally protected right to abortion, federal agencies issued guidelines intended to help protect patient privacy. Employers should carefully consider this advice, as it affects their responsibilities as a group health plan sponsor and the privacy rights of their employees.

As part of our ongoing “Reproductive Health Issues for Employers” series, I will summarize guidance from the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) and highlight the elements most critical for employers.

HHS Guidelines under the Health Insurance Portability and Accountability Act (“HIPAA”)

On June 29, 2022, OCR issued new guidance to protect patients seeking reproductive health care, as well as their providers. In general, this guidance does two things:

  1. Addresses how federal law and regulations protect an individual’s private medical information (protected health information or “PHI” under HIPAA) related to abortion and other sexual and reproductive health care – clearly stating that providers are not required to disclose private medical information to third parties such as law enforcement; and
  2. Addresses the extent to which private medical information is protected on personal cell phones and tablets. It also provides guidance for protecting individuals’ privacy when using period trackers and other health information apps.

HIPAA Privacy Protections Related to Reproduction Laws and Law Enforcement

OCR administers and enforces the HIPAA Privacy Rule (“Privacy Rule”), which establishes requirements for the use, disclosure, and protection of PHI by Covered Entities (including group health plans and most health care providers) and, to some extent, their business associates. These entities may use or disclose PHI without an individual’s signed authorization only as expressly permitted by the Privacy Rule.

Disclosures “required by law”

The Privacy Rule allows but does not require Covered Entities to disclose PHI about an individual without that individual’s authorization where such disclosure is required by another law and the disclosure complies with the requirements of the other law. This permission to disclose PHI as “required by law” is limited to “a mandate contained in law that compels an entity to use or disclose PHI and is enforceable in a court of law.” Further, where disclosure is required by law, the disclosure is limited to the relevant requirements of that law.

Example: A person visits a hospital emergency department while experiencing complications from a miscarriage in the tenth week of pregnancy. A hospital staff member suspects the person of having taken medication to terminate the pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not allow disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible.

Disclosures for “Law Enforcement Purposes”

The Privacy Rule allows but does not require Covered Entities to disclose PHI about an individual for law enforcement purposes “pursuant to process and as otherwise required by law,” under certain conditions. For example, a Covered Entity may respond to a law enforcement request made through legal process, such as a court order or court-ordered warrant, subpoena, or summons, by disclosing only the PHI requested – provided that all conditions specified in the Privacy Rule for permissible law enforcement disclosures are met.

In the absence of a mandate enforceable in a court of law, the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a hospital or other staff member of a health care provider to report an individual’s abortion or other reproductive health care to law enforcement. This is true whether the staff member initiated the disclosure to law enforcement or others, or whether the staff member disclosed PHI at the request of law enforcement. This is because, generally, state laws do not require physicians or other health care providers to report to law enforcement a person who has self-managed a pregnancy loss. Further, state fetal homicide laws generally do not criminalize the pregnant woman, and “appeals courts have overwhelmingly rejected efforts to use existing criminal and civil statutes intended for other purposes (for example, to protect children) as a basis for arresting, detaining or forcing interventions on pregnant women.”

Example: A law enforcement official presents a group health plan sponsor with a court order requiring the plan to produce PHI about individuals who have had abortions. Because a court order is enforceable in a court of law, the Privacy Rule would allow but not require the group health plan to disclose the PHI requested. If the group health plan chooses to comply with the order, it may disclose only the PHI expressly authorized by the court order.

Disclosures to Avoid a Serious Health or Safety Threat

The Privacy Rule allows but does not require a Covered Entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the Covered Entity, in good faith, believes that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is made to a person or persons who are reasonably able to prevent or lessen the threat. According to major professional societies, including the American Medical Association and the American College of Obstetricians and Gynecologists, it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest in, intent to seek, or prior experience with reproductive health care.

Example: A pregnant employee in a state that prohibits abortion informs the claims administrator of a group health plan that she intends to have an abortion in another state where abortion is legal. An employee of the claims administrator, a business associate of the group health plan, wants to report the statement to state law enforcement in an attempt to prevent the abortion. The Privacy Rule would not allow this disclosure of PHI to law enforcement under this permission because, according to HHS, a statement of intent to obtain a legal abortion is “not a serious and imminent threat to the health and safety of a person or the public,” and such a disclosure would be contrary to professional ethical standards and may increase the risk of harm to the employee. Therefore, such a disclosure would be impermissible.

HIPAA generally does not protect the privacy or security of health information on apps.

Generally, HIPAA rules apply only when PHI is created, received, maintained, or transmitted by a covered entity or business associate. For example, HIPAA does not protect the privacy of an employee’s Internet search history, information an employee voluntarily shares online, or their geographic location, unless the application is provided to the employee by a covered entity (such as the group health plan) or its business associate. HIPAA also does not protect the privacy of data that an employee has uploaded or entered into mobile applications for personal use, regardless of the source of the data.

Although HIPAA rules do not protect this information, employers may consider communicating with employees about steps they can reasonably take to protect information when using a personal mobile device:

  • Avoid downloading unnecessary or random apps.
  • When asked, avoid granting an app access to the device’s location data, except for apps where location is absolutely necessary (for example, navigation and traffic apps).

While the steps outlined above can reduce a person’s digital footprint, they will not eliminate it. The very nature of cell phones (and some tablets) allows tracking because the cellular service provider’s network logs identifying information (such as subscriber and device information) when connected to it.

Ultimately, the best way to protect health and personal information from being collected and shared without an individual’s knowledge is to limit the personal information that is sent and stored with a device.


Much of the guidance issued by HHS should be good news for employers, who may be concerned about the specter of local law enforcement officials asking for their employees’ protected private health care data. Nonetheless, these interpretations provided by HHS come in the form of sub-regulatory guidance, so the Biden administration (or a new administration) could quickly change its mind on these matters. In particular, one can easily imagine a different administration taking a very different view of whether abortion “is a serious and imminent threat to the health and safety of any person or the public.” Employers will need to keep abreast of developments in this area.

Dickinson Wright’s Benefits and Executive Compensation group has been monitoring and will continue to monitor the impact of these issues as they evolve to advise clients on how best to respond to this changing landscape.

See Part 1 of our “Reproductive Health Issues for Employers” series: Can abortions be reimbursed tax-free from a Flexible Health Spending Account, Health Reimbursement Agreement, or Health Spending Account?

See Part 2 of our “Reproductive Health Issues for Employers” series: Avoid costly “employer payment plan” status for travel benefits


