
Protecting Health Information Post Roe – Part 2: Steps for Health Care Providers

State laws that restrict or criminalize abortions will require significant amounts of health information to enforce, putting new pressure on health care providers caught in the middle of competing obligations to their patients and to regulatory and law enforcement authorities making lawful requests for this information.

In this second of our two-part blog series on protecting health information post Roe, we discuss legal and practical strategies that health care providers can take to protect the information of their patients.

Formal Requests for PHI

As discussed previously, there are a number of provisions under HIPAA that permit health care providers to disclose protected health information (or “PHI”) to regulatory or law enforcement authorities. However, these HIPAA provisions aren’t open-ended, and there are requirements that must be met before a provider may disclose PHI. If a government request fails to meet these criteria, the provider is not obligated to respond and, in fact, is at risk of violating HIPAA if he or she responds to a request that falls outside the parameters of the rule.

The chart below depicts examples of HIPAA provisions permitting the disclosure of PHI to regulatory authorities and questions for providers to ask themselves to ensure that any disclosure complies with HIPAA requirements.

HIPAA Provision / Questions to Consider

Disclosures Required By Law (such as state laws requiring the reporting of abortion complications)

  • Does state law require or merely permit disclosure? If the state law is only permissive, PHI may be withheld.
  • Does the request exceed what is authorized under state law? Look carefully at the scope of the request as compared to the state law. Make sure that state reporting forms only request data points expressly required under state law.

Disclosures in Response to an Administrative Subpoena, Summons, Civil Investigative Demand or Similar Request (such as a request from a state agency enforcing abortion prohibitions)

  • Is the requested information relevant and material to a legitimate law enforcement inquiry?
  • Is the request specific and limited in scope in light of the purpose for which the information is sought?
  • Could de-identified information be used?

Disclosures of Information Regarding Suspected Victims of a Crime (such as a patient suspected of receiving an illegal abortion)

  • Has the patient agreed to the disclosure?
  • If the patient does not agree, PHI may not be disclosed.
  • If the patient is unable to agree, PHI may only be disclosed if law enforcement represents that:
    • The information is not intended to be used against the patient
    • Law enforcement activity depends on the immediate disclosure of the information
    • Law enforcement would be adversely affected by a delay in waiting for the patient to agree
    • Disclosure is in the best interests of the patient as determined by the provider

Disclosures in Response to a Court Order, Court-Ordered Warrant, Subpoena, Summons or Grand Jury Subpoena

  • Has the document been validly served, and is it valid under state law?

Informal Requests for PHI

As state abortion bans become effective, providers are also likely to receive informal requests for PHI from regulatory authorities, law enforcement and others. HIPAA does not permit the disclosure of PHI in response to an informal request, even if the individual making the request appears to have some sort of authority, such as a uniform or agency credentials. An inappropriate disclosure results in a HIPAA breach.

Providers must educate staff and make sure that employees understand that there is a difference between lawful requests for PHI and informal requests that may merely seem official. Employees must understand the importance of not being threatened or bullied into providing PHI. Providers should have policies and procedures for directing third-party requests for PHI to a single point of contact within the organization, such as a Privacy Officer, who is qualified to evaluate them or who has access to the support necessary to evaluate them. It’s important for staff to understand what to do when a purported “authority” shows up in the office making demands.

In some states, pressure from authorities or laws incentivizing private citizens to report illegal abortions may increase the risk of employee snooping, in violation of HIPAA and state law. Accordingly, providers should regularly audit workforce member access to PHI to ensure that access is authorized and to identify and address instances of snooping. Providers should make workforce members aware of ongoing auditing activity, as well as the consequences of violating patient privacy, in order to dissuade snooping.

Finally, in our last blog post, we discussed rights under HIPAA that patients may use to protect their PHI to the greatest extent possible. Providers should take steps to educate patients about their rights and make it easier for them to understand and exercise those rights, especially patients who are younger or who face other challenging circumstances. A provider’s HIPAA Notice of Privacy Practices provides an excellent basis for the discussion of patient rights. Providers could also consider developing forms to make it easier for patients to exercise these rights.

Pay Attention to Details

As discussed above, providers need to take affirmative protective actions to dissuade (and identify) medical record “snooping.” It is difficult for practices to keep up with technology advances and ever-growing amounts and sources of data. Mitigating snooping has always been important to avoid HIPAA violations, but in states with abortion bans, it is now even more critical to protect patients.

Here are some steps to help mitigate snooping.

  • Take stock of the data. The first step to data security is to understand where the data lives within the organization and why you have it. By doing so, organizations gain a clear understanding of who should be accessing what, and why. For example, email systems should never be used as a “storage” place for patient data.
  • Implement data monitoring software, and tell your employees about it. With the sheer amount of patient data and records handled by the typical practice, automation is a necessity. This type of technology can identify unusual access behaviors (such as the time of access and other key details).
  • Communicate policies and train employees. Transparency about what monitoring procedures are in place reaffirms a culture of privacy and also reinforces the idea that privacy breaches, regardless of existing law, are unacceptable and that offenders will be identified.
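As an added illustration of the kind of "unusual access" review the monitoring step above describes (example code, not from the original post or any vendor product), the script below runs over constructed EHR audit-log lines and flags two patterns a Privacy Officer would follow up on: access outside assumed business hours, and access to a patient record by a workforce member with no documented treatment relationship. The log format, the care-team roster and the clinic hours are all assumptions for the example.

```python
"""Minimal PHI access-log review (added example, constructed data)."""
from datetime import datetime, time

# Constructed audit log lines: <ISO timestamp> <user> <patient_id> <action>
SAMPLE_LOG = """\
2023-05-01T09:12:00 dr_smith P1001 view
2023-05-01T22:47:00 nurse_jones P1001 view
2023-05-02T10:03:00 clerk_lee P2002 view
2023-05-02T11:15:00 dr_smith P3003 view
"""

# Constructed treatment relationships: patient -> users with a documented care role
CARE_TEAM = {
    "P1001": {"dr_smith", "nurse_jones"},
    "P2002": {"dr_smith"},
    "P3003": {"dr_patel"},
}

# Assumed clinic hours; access outside this window is worth a second look
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_line(line):
    """Split one audit log line into its fields."""
    ts, user, patient, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "patient": patient, "action": action}


def review_access(log_text, care_team, hours=BUSINESS_HOURS):
    """Return (user, patient, reason) findings for the Privacy Officer to review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        # Time-of-access check: outside the assumed working window
        if not (hours[0] <= event["ts"].time() <= hours[1]):
            findings.append((event["user"], event["patient"], "after-hours access"))
        # Relationship check: user is not on this patient's documented care team
        if event["user"] not in care_team.get(event["patient"], set()):
            findings.append((event["user"], event["patient"],
                             "no documented treatment relationship"))
    return findings


if __name__ == "__main__":
    for user, patient, reason in review_access(SAMPLE_LOG, CARE_TEAM):
        print(f"{user} -> {patient}: {reason}")
```

A finding is a prompt for human review, not proof of snooping; legitimate after-hours or cross-team access should be explained by an on-call schedule or a documented consult.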

To repeat: email is not document storage. This is a good time to review your email practices and how your staff uses email. Email should not be used as storage for documents containing PHI, or even for calendar services for practice administration. As a general rule, free, Internet-based web mail services (Gmail, Hotmail, AOL) are not secure for the transmission of PHI, whether in an attachment to an email or in the body of the email itself. OCR has imposed penalties on providers for not taking steps to protect PHI and for using Internet-based email and calendar services. Using secure services like patient portals for the transmission of communications containing PHI or relating to treatment also reduces the documentation you have on premises.

Some Resources

HHS: When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?

JAMA: Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information


Authors

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.
Dianne specializes in counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, and counsels health care clients on the HIPAA Privacy Rule and Security Standards.