The often misspelled and widely misunderstood HIPAA health privacy law will offer little protection to patients who defy anti-abortion laws and later seek treatment for complications post-Roe.
The US Supreme Court decision to overturn Roe v. Wade will likely block abortion access in much of the country. About half of the states had laws teed up to ban abortions, and those laws are expected to increase the number of people traveling to other states for the procedure or self-inducing via medications. While surgical and medical abortions are highly safe, complications occasionally occur that could expose patients to legal risk if they seek help in states with abortion bans.
Many patients believe the Health Insurance Portability and Accountability Act of 1996 guarantees them a right to absolute privacy, allowing them to tell their doctor anything without legal repercussions. But patients in states with bans would need to be careful what they disclose because HIPAA allows providers to report health information to law enforcement.
1. What is HIPAA?
The HIPAA Privacy Rule blocks covered health-care providers and insurers from disclosing protected health information without a patient’s consent. The rule applies to all health-care providers that transmit health records electronically, as well as health plans like Medicare and Medicaid. It doesn’t apply to entities that don’t bill for insurance.
The law also applies to health-care clearinghouses, which work within the health-care reimbursement system like a billing service, as well as business associates, who work on behalf of a provider, insurer, or clearinghouse and are involved with the use or disclosure of an individual’s identifiable health information.
2. What are some misconceptions around HIPAA?
HIPAA came under the spotlight in the debate around Covid-19 vaccine mandates and the disclosure of vaccination status, with some politicians and pro-athletes falsely believing they couldn’t freely share their own health information.
Health-care facilities also tend to be overly cautious around what kind of health information they disclose because they don’t want to subject themselves to civil fines or criminal penalties for violating the law. Sometimes, that means they won’t even give patients their own health information.
HIPAA doesn’t apply to entities outside of health care that might have access to a person’s medical information. “If you told your friends you were going to the abortion clinic, if you posted it on social media, if you requested a vacation day from work,” none of that information is protected by HIPAA, said Kirk Nahra, co-chair of the cybersecurity and privacy practice at WilmerHale.
3. When can providers share health information?
Health-care providers may disclose protected health information to law enforcement when they believe it’s evidence of a crime conducted on the premises, or to alert law enforcement of a death when they suspect it was associated with a crime. HIPAA doesn’t require providers to disclose this information, but a handful of state laws require that providers report to law enforcement any injury that appears related to a criminal offense.
They can also disclose information when it’s required by law for public health surveillance. Almost every state requires facilities to send confidential reports for every abortion performed, and 28 states require facilities to report post-abortion complications, according to the Guttmacher institute.
Doctors who illegally perform abortions aren’t likely to report themselves or their patients, but the situation is murkier for doctors faced with a patient who discloses that they self-induced an abortion or obtained one out of state.
If a state law requires reporting of a crime, “it’s up to the physician” to decide whether they will comply with state law, said Dianne Bourque, a health privacy lawyer at Mintz. They couldn’t use HIPAA as an excuse not to share the information, since the privacy law would permit it.
4. Is HIPAA affected now that Roe v. Wade is overturned?
The Supreme Court’s decision to overturn Roe hinges on the belief there is no express right to privacy in the US Constitution.
Congress passed HIPAA because the informational privacy protections it offers don’t come from the Constitution. HIPAA is “not at all tied to the constitutional justifications that Roe v. Wade relies on,” Allison Hoffman, a professor who specializes in health-care law and policy at the University of Pennsylvania, said.
To Learn More:
—From Bloomberg Law:
In Focus: HIPAA (Bloomberg Law subscription required)
—From Bloomberg News: