Post-Dobbs Alert: HHS Issues Abortion HIPAA Disclosure Information in Response to Business Group and Other Requests

HHS issued post-Dobbs nonbinding clarifications of HIPAA’s requirements applicable to covered entities (generally including employer plans) in-light of abortion-related state law and law enforcement circumstances.

June 30, 2022

On June 29, 2022 HHS issued HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care in order to assist HIPAA covered entities in understanding their responsibilities under the privacy law in-light of the Dobbs v. Jackson Women’s Health Organization Supreme Court (SCOTUS) decision and expected state abortion bans and enforcement action. Business Group on Health urged Secretary Becerra at an in-person meeting earlier this week to provide guidance for employer plans to help ensure plans are prepared to successfully navigate expected inquiries and privacy issues. While the information provided is helpful and characterized as an explanation of existing law and policy, we note that it is disclaimed as nonbinding and expect it may be the subject of future disputes or litigation.

HIPAA’s current rules around private health information (PHI) disclosure for “law enforcement purposes” contain a number of intertwined legal factors describing a covered entity’s obligations. The analysis of whether a plan is required, merely permitted, or prohibited from such disclosure is circumstance-specific and should be undertaken with appropriate legal counsel. While the clarification provided by HHS may be helpful and give plans some basis for questioning or resisting automatically providing abortion-related PHI to state officials, it should not be solely relied on. We urge plan sponsors to start or continue their discussions with legal counsel to help navigate HIPAA and other uncertainties arising from the Dobbs decision.

Separate from the PHI-related clarification, HHS also issued Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet. This educational piece provides suggestions for individuals on how to keep their data private (e.g., adjusting privacy and location settings), with HHS emphasizing that that HIPAA Rules do not protect information when access or stored through personal devices. This information is aimed at encouraging individuals to take personal action and does not appear to apply to or interact with plan-related requirements.

We expect to continue to engage with HHS and other Departments on this and other open questions facing employer plan sponsors. The Departments have indicated that they value our input and wish to partner as the industry moves forward. We would welcome your comments, experiences, observations, and requests so that we can effectively advocate on behalf of our members.

Business Group on Health will continue to monitor these and related matters, and provide updates on future developments. For any questions or comments, please feel free to contact Garrett Hohimer, Director, Policy & Advocacy at hohimer@businessgrouphealth.org.

We provide this material for informational purposes only; it is not a substitute for legal advice.

More Topics

Articles & Guides icon_right_chevron_dark Health Accounts icon_right_chevron_dark
More in Policy & Advocacy