By Katie Gu
In the post-Dobbs fight to safeguard reproductive healthcare, a new spotlight has been placed on two existing federal laws: the Health Insurance Portability and Accountability Act (HIPAA) and the Emergency Medical Treatment and Active Labor Act (EMTALA).
Guidance documents issued over the summer by federal agencies emphasize how these laws can be used to protect reproductive health privacy and access.
The New Context
In the wake of Dobbs, states have now passed laws that add new reporting requirements for abortions.
Physicians in Arizona are now required to file a report with the state’s Department of Health Services documenting the specific indications supporting the medical emergency determination that an abortion was needed, as well as the abortion’s probable health consequences. Under Kentucky’s House Bill 3, patients seeking medication- or surgical-abortion care are required to file “birth-death certificates” for abortions performed after 20 weeks of pregnancy. In Oklahoma, abortion providers are now required to submit written confirmation that abortion-related rape or incest was reported to the police before abortion procedures can be performed.
These reporting requirements have been enacted alongside a general rise in state laws criminalizing abortions (at least 13 states currently ban most abortion procedures). In this new context, clarity surrounding existing legal protections is urgently needed.
Protections are needed not only for patients seeking abortions, but also for practitioners providing abortion procedures. The three guidances published this summer have brought varying degrees of clarity to existing legal protections situated within the new post-Dobbs context.
The Old Laws
Passed in 1996, HIPAA created national standards to protect the privacy of sensitive patient health information, including medical records and other individually identifiable health information (considered “protected health information,” or PHI). The law applies to health care providers, health plans, and health care clearinghouses (considered “covered entities”) that transmit PHI electronically. Importantly, HIPAA establishes limitations on the use and disclosure of PHI made without patient authorization or consent.
Passed in 1986, EMTALA requires hospitals accepting Medicaid or Medicare payments from HHS or CMS to provide abortion care necessary to address emergency medical conditions. Because most hospitals rely on Medicaid and Medicare payments, the law currently applies to nearly all hospitals in the U.S. EMTALA further establishes civil monetary penalties and potential termination of Medicare-participation agreements in cases of violation. The law is enforced by CMS’ regional offices and HHS’ Office of Inspector General.
In June 2022, the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) issued two guidances reaffirming privacy protections guaranteed by HIPAA. The following month, in July 2022, the Centers for Medicare & Medicaid (CMS) issued a guidance reiterating federal obligations placed on hospitals and health care providers by EMTALA.
OCR HIPAA Privacy Rule Guidance
OCR’s June 2022 “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care” guidance adds the lowest degree of legal protection within the post-Dobbs landscape of restrictive new state laws.
The guidance clarifies three situations in which the HIPAA Privacy Rule permits covered entities to disclose PHI without patient authorization: 1) disclosures required by law (under 45 CFR § 164.512(a)); 2) disclosures for law enforcement purposes (under 45 CFR § 164.512(f)); and 3) disclosures to avert a serious threat to health or safety (under 45 CFR § 164.512(j)). OCR emphasizes that even under these three circumstances, disclosures are only permitted, not required, by HIPAA.
Ultimately, the guidance does little to protect patients or providers in states that have passed laws explicitly requiring the reporting of reproductive health data related to abortions. While HIPAA is drafted with a strong preemption provision, the Privacy Rule has been interpreted to grant a significant degree of deference to state laws. In practice, hospitals are also less likely to pay attention to the difference between permitted and required disclosures when faced with a court-issued order, warrant, or subpoena, and more likely to lean in favor of disclosure to reduce their own liability risks.
OCR HIPAA Personal Device Guidance
OCR’s second June 2022 guidance, “Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet,” provides more concrete privacy advice for individuals with reproductive health data stored on mobile devices.
Because HIPAA doesn’t apply to technology companies, the guidance emphasizes that data stored on mobile applications or personal devices (e.g., phones, tablets, laptops) would not be protected against disclosure. This data can include not only reproductive health data, but also information related to Internet search histories and geographic locations.
The guidance helps raise critical consumer awareness by suggesting key steps individuals can take to protect their own data privacy. Further, the guidance may also help encourage technology companies to revise their data tracking, management, and retention policies.
CMS EMTALA Guidance
Finally, CMS’ July 2022 “Reinforcement of EMTALA Obligations Specific to Patients who are Pregnant or are Experiencing Pregnancy Loss” guidance reminds hospitals of their existing obligations under EMTALA. Specifically, CMS clarifies that EMTALA preempts state laws prohibiting abortion without an exception for the life and health of the pregnant individual. Further, the guidance specifies that state actions against a physician performing a stabilizing abortion under an emergency medical condition also would be preempted by EMTALA.
However, just one month after the guidance was published, two cases reached opposite conclusions regarding the question of whether EMTALA can preempt state law.
In United States v. Idaho, a federal judge struck down Idaho’s strict abortion ban, which criminalized abortions provided in emergency medical contexts, as a violation of EMTALA. In other words, EMTALA was determined to preempt Idaho’s state law. In contrast, the federal judge in Texas v. Becerra prevented the enforcement of CMS’ EMTALA Guidance in Texas. The judge determined that there is currently no direct conflict between EMTALA and Texas law, and struck down the CMS EMTALA Guidance as unauthorized.
Despite HHS’ efforts to find new applications of old federal laws in the post-Dobbs fight for reproductive justice, clear gaps remain.
Rather than relying on old laws, lawmakers also have introduced new bills that provide stronger protections for reproductive health privacy and access.
The My Body, My Data Act is a proposed federal bill that would extend privacy protections to data collected by mobile applications, cell phones, and search engines (entities not currently covered by HIPAA). Further, the Act directs the Federal Trade Commission (FTC) to enforce these protections and would create a private right of action for individuals to hold regulated entities liable for privacy violations. Another federal bill introduced by Sen. Elizabeth Warren (D-MA), the “Health and Location Data Protection Act,” would ban the sale of sensitive health and location data by third-party data brokers. The Act would similarly rely on the FTC for its enforcement.
While the three HHS guidances discussed provide important clarification for existing federal laws, they also illuminate those laws’ shortcomings in the post-Dobbs context. New federal bills are needed to address the privacy gaps left by HIPAA and the challenges in reproductive health care access, even under EMTALA. These bills could also provide guiding frameworks for new state laws, which may broaden the scope of reproductive justice protections moving forward.
Thanks to Joelle Boxer and Rachel Landauer for their valuable discussions.