Reproductive health information, which includes information related to contraception, fertility treatments, pregnancy, or sexually transmitted infections, is considered protected health information (PHI) under HIPAA. Reproductive rights, however, are not covered under HIPAA, which allows for possible loopholes if other laws, regulations, and legal frameworks, such as state laws, contradict it.
Under HIPAA, covered entities and business associates must follow specific guidelines when handling and disclosing reproductive health information. They can only use or disclose PHI for purposes permitted or required by the Privacy Rule.
Individuals can expect that their reproductive health information will be kept confidential and protected. The Privacy Rule gives them control over their health information and allows them to access their medical records, request amendments if needed, and determine how their information is shared.
Related: Is Flo HIPAA compliant?
Under HIPAA, sharing reproductive health information is generally prohibited without the individual's authorization. However, there are specific circumstances in which healthcare providers can share this information without explicit consent. These include:
Following the Supreme Court's decision in Dobbs on June 24, 2022, which overturned Roe v. Wade and Planned Parenthood of Southeastern Pennsylvania v. Casey, states have taken actions that could interfere with individuals' privacy rights regarding their reproductive rights.
The case allows states to impose prohibitions on abortions at various stages of pregnancy. In states where the legislation was altered based on this decision, healthcare providers are required to disclose patients' reproductive information concerning planned terminations of pregnancies outside state law.
The Dobbs decision and overturning of the decisions in Roe v Wade may create a situation in some states where regulated entities, such as healthcare providers, could be compelled to disclose reproductive health information to law enforcement or other parties. This could result in the sharing of individuals' private medical information without their consent, potentially compromising their privacy and confidentiality.
State laws can differ from state to state regarding the scope of protection, consent requirements, notification obligations, and exceptions related to reproductive health information. Some states have enacted specific laws that impact the privacy and confidentiality of sensitive health information, including reproductive health information.
In 2022, the Department of Health and Human Services (HHS) issued guidance to clarify the interpretation of the Privacy Rules provisions regarding disclosures to law enforcement officials. The guidance emphasizes that disclosures for non-healthcare purposes, including law enforcement, are only permitted in limited circumstances to protect individuals' privacy and ensure access to healthcare, including abortion care.
For example, if state law does not explicitly mandate reporting suspicions of self-managed reproductive health care, the Privacy Rule would not permit a hospital workforce member to disclose such suspicions to law enforcement under the "required by law" permission.
Several states have already established laws restricting reproduction rights. This extends to the disclosure of PHI as the act of getting an abortion at various stages of pregnancy or at all has been prohibited by 14 states. Healthcare providers are required to disclose patient information relating to this matter to avoid liability.
HHS is proposing a rule to prohibit the disclosure of individuals' PHI related to reproductive health care, including abortion, under certain circumstances. This rule aims to safeguard sensitive information, strengthen patient-provider confidentiality, and ensure that healthcare providers can provide complete and accurate information to patients.
Furthermore, the Federal Communications Commission (FCC) is launching a guide for consumers on best practices for protecting personal data on mobile phones. This guide aims to explain existing FCC requirements that protect against the disclosure of consumers' sensitive information, including geolocation data, which is relevant to accessing reproductive health care. The FCC is also working on updating and strengthening data breach rules to provide greater protection for personal data.
Note: At present reproductive rights and the disclosure of related information are subject to the laws of each state.