The United States Supreme Court recently issued its decision in Dobbs v. Jackson Women's Health Org., ––– U.S. –––, 2022 WL 2276808 (2022), overturning Roe v. Wade, 410 U.S. 113 (1973), and Planned Parenthood of Southeastern Pennsylvania v. Casey, 505 U.S. 833 (1992). In holding that the U.S. Constitution does not protect a right to abortion, the court “returned” regulating abortion to the individual states.
Aside from the obvious systematic implications of the decision, Dobbs has now created various challenges for pharmaceutical retailers and raised questions about how to comply with Health Insurance Portability and Accountability Act (“HIPAA”) privacy requirements.
Key Considerations for Pharmaceutical Retailers and Beyond
HIPAA is a comprehensive federal law that created national standards to prevent certain health information from being disclosed without a patient’s knowledge or consent.1 The U.S. Department of Health and Human Services (“HHS”) issued regulations to implement HIPAA requirements, which are collectively known as the Privacy Rule, Security Rule, and Breach Notification Rule.2 Although the Privacy Rule poses the most risk post-Dobbs, pharmaceutical retailers should still be mindful of the Breach Notification Rule, which may come into play if a covered entity discloses personal health information (“PHI”) without an adequate basis.
The Privacy Rule sets forth standards on the use and disclosure of PHI by “covered entities.”3 PHI includes information that may be used to identify an individual (e.g., name, address, birth date, and Social Security Number) and relates to an individual’s physical or mental health or condition, the provision of health care to the individual, or payment for health care.4 Pursuant to the Privacy Rule, a covered entity may not use or disclose PHI except as permitted by the regulations.5
Such permitted disclosures, outlined in the regulations, include disclosures required by law, for law enforcement purposes, to avert a serious threat to health or safety, and for judicial and administrative proceedings.6 Many of these instances involve reporting crimes, child abuse, domestic violence, and threats to the health or safety of an individual and providing PHI to law enforcement to identify a fugitive. Id.
In the wake of Dobbs, however, pharmaceutical retailers that fill prescriptions used to end a pregnancy might now be served with subpoenas, search warrants, or discovery requests from state or local prosecutors in states that ban abortion, seeking to obtain an individual’s PHI.7 Left at a crossroads, businesses may soon face challenging questions about how to comply with HIPAA in responding to such data requests. Although there are some avenues for challenging these information-seeking tools, law enforcement agencies may have strong arguments to require pharmaceutical retailers to comply. And importantly, businesses may also have to consider the additional risk of whether filling prescriptions, such as misoprostol—which can also be used to treat stomach ulcers—would create exposure to civil or criminal liability.
On June 29, 2022, HHS’s Office of Civil Rights (“OCR”) released guidance that “[a]ddresses the circumstances under which the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosure of [protected health information] without an individual's authorization[.]”8 OCR stated that, in the event a covered entity can disclose PHI, the Privacy Rule permits, but does not require, disclosure.9 Further, OCR emphasized that the exception permitting disclosure of PHI when “required by law” is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.”10 Such disclosures must be limited to the relevant requirements of that law.11 OCR’s guidance also provided examples of situations in which providers may question their responsibility regarding protected health information, including if a provider suspects a patient has induced an abortion, if law enforcement requests patient information, and if a patient tells a provider they plan to seek an abortion elsewhere.
|Disclosures required by law||An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the 10th week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.|
|Disclosures for law enforcement purposes||A law enforcement official goes to a reproductive healthcare clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
A law enforcement official presents a reproductive healthcare clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.
|Disclosures to avert a serious threat to health of safety||
A pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. However, the Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission for several reasons, including:
Although OCR’s new guidance could bring some clarity in the short term, significant questions remain. For instance, although OCR’s guidance limits the disclosures to a mandate “contained in law,” or “enforceable in law,” and permits disclosure only “where the disclosure of PHI is limited to the relevant requirements of such law,” this still puts businesses in a position of having to conduct a case-by-case analysis of any incoming subpoenas, court orders, or warrants. And in cases where a subpoena isn’t signed by a judge of the court, although covered entities have the right to request assurances before turning over PHI, law enforcement agencies could pressure businesses to comply. Without a formal rule codifying OCR’s June 29 guidance, or creating an objective standard for responding to subpoenas or court orders, businesses will face challenging questions on how to comply with HIPAA.
Looking Ahead – Strategies During an Uncertain Time
To the extent a state that prohibits abortion seeks to compel a healthcare provider in another state to turn over records, the requesting state’s authority could be subject to additional limitations stemming from, for example, the federal Constitution’s dormant commerce clause and its protection of the right to travel. But businesses faced with a valid subpoena would have to decide whether to go to court to raise such arguments in seeking protection against the requesting state’s subpoena.
Data privacy laws will continue evolving in the aftermath of the Dobbs decision. Pharmaceutical retailers, and businesses generally, should start to consult with legal counsel to stay updated on the legal landscape and guidance before making informed decisions on the disclosure of PHI.
2 Summary of the HIPPA Privacy Rule, Office for Civil Rights, U.S. Dep’t of Health & Human Services (2003), https://www.hhs.gov/sites/default/files/privacysummary.pdf; 45 C.F.R. §§ 164.500-164.534 (Privacy Rule); 45 C.F.R. §§164.302-164.318 (Security Rule); 45 C.F.R. §§ 164.400-414 (Breach Notification Rule).
7 As of June 30, 2022, there are 17 states that criminalize, or will soon criminalize, abortions. See Megan Messerly, Abortion laws by state: Where abortions are illegal after Roe v. Wade overturned, Politico, June 24, 2022.
8 Department of Health and Human Services, Office for Civil Rights, HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care, June 29, 2022, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.