In the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, here is a reminder about the protections available for privacy and the confidentiality of health-related information under current law. This bulletin will discuss the Health Insurance Portability and Accountability Act (HIPAA).
First off, it is important to understand that HIPAA, composed of a Privacy Rule, Security Rule, and Data Breach Rule, regulates the use of patient information in the provision of health care in the United States. It only applies to “protected health information” (PHI) that is generated by a “covered entity” — health care provider, payer, or clearing house — in the provision of health care treatment, payment, or operations to a patient. Any other information, even if health-related, does not get the protections of HIPAA.
Secondly, even if the information in question is PHI and even though HIPAA provides robust protections for the confidentiality of said PHI, it is important to note that patient consent is not always needed for all sharing or access to PHI.
The following are purposes for which PHI, including, but not limited to, abortion-related PHI, can be disclosed without prior patient authorization:
- Oversight of the health care system, including licensing and regulation;
- Public health, and in emergencies affecting the life or safety of a patient or others;
- Judicial and administrative proceedings;
- Law enforcement;
- To provide information to next of kin or information on decedents;
- For identification of the body of the deceased person or the cause of death;
- For directories;
- Workers’ compensation;
- Medical examiner;
- Certain research; and
- In other situations where the use or disclosure is mandated by other laws.
It is important to understand that HIPAA’s protections for the confidentiality of PHI, including, but not limited to, abortion-related PHI, are not absolute. Any patient receiving treatment should always receive a Notice of Privacy Practices, which details a covered entity’s practices in the process of PHI. Learn more about the basics of privacy and PHI from the Department of Health and Human Services in its Privacy Rule summary.
If you have questions regarding the privacy of health data, please contact the author or Taft’s Post-Roe v. Wade Task Force.