Search
Go Back

HIPAA guidance on reproductive health care

31 Jul 2022

Key takeaways from OCR on PHI sharing



By: Sue Kathy Xiong, MHA, CHC, corporate integrity and safety manager; and Ellen Hampton, chief corporate and integrity risk officer

The Office of Civil Rights (OCR) recently released this reproductive health guidance on Protected Health Information (PHI).

OCR affirmed that access to comprehensive reproductive health care services, including abortion care, is essential to individual health and well-being. The HIPAA Privacy Rule supports such access by giving individuals confidence that their PHI, including information relating to abortion and other sexual and reproductive health care, will be kept private.

OCR administers and enforces the HIPAA Privacy Rule, which establishes requirements on the use, disclosure, and protection of PHI by covered entities (health plans, health care clearinghouses, and most health care providers and, to some extent, by their business associates). These regulated entities can use or disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.

Key takeaways from the guidance:

  1. A provider may violate HIPAA by disclosing information to law enforcement about a patient’s reproductive services, including abortion treatment, without express consent unless requirements under State law expressly require reporting such information to law enforcement. The permission to disclose PHI as required by law is limited to a mandate in the law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.

  2. If law enforcement initiates a request for PHI, without a mandate enforceable by law, a provider may violate HIPAA by disclosing information about a patient’s reproductive services without express consent. For example, a court order (subpoena) is enforceable in a court of law, and therefore, the Privacy Rule permits but does not require a provider to disclose the requested PHI. The provider may disclose only the PHI expressly authorized by the court order.

  3. Disclosure to law enforcement to reasonably prevent or lessen the threat of a patient intent to seek abortion is not permitted as a means of preventing or lessening a “serious or imminent” threat under the HIPAA Privacy Rule. According to OCR, a statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a serious and imminent threat to the health or safety of a person or the public.

Questions, comments, concerns regarding this information and/or the HIPAA Privacy Rule?  Please contact Ellen Hampton, chief corporate integrity and risk officer at 503-814-2828.