Updated DHHS OCR Guidance on Health Information Privacy After Dobbs

Medical providers across the United States have been scrambling to make sense of their professional responsibilities and corresponding liability risks in the wake of the Supreme Court’s ruling on Dobbs v. Jackson Women’s Health Organization. As was discussed here previously, the decision threatens to undermine the healthcare system as a whole, jeopardizing health information privacy by reducing trust between patients and their physicians and chilling both the communication of health issues and access to essential healthcare services.

On June 29, 2022, the Department of Health and Human Services Office for Civil Rights (OCR) issued new guidance to clarify how obligations under the Health Insurance Portability and Accountability Act (HIPAA) interacts with, and prevails over, conflicting state laws that might circumvent, undermine, or otherwise attempt to weaken data privacy and security requirements for protected health information.

In addition to offering guidance for individuals to improve the privacy and security of health data outside of HIPAA’s reach (such as health data managed by the individual on his/her/their smartphone), OCR issued guidance titled “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care.” In the guidance, OCR explained its interpretation of the HIPAA Privacy Rule and the exceptions that allow disclosures of PHI to occur without requiring the patient to first have an opportunity to consent or object if those disclosures required by law (as defined by 45 CFR 164.102); if the disclosures are made for law enforcement purposes (45 CFR 164.512(f)); and if the disclosures are made to “avert a serious threat to health or safety” (45 CFR 164.512(j)). OCR emphasized that these exceptions to the HIPAA Privacy Rule are to be construed narrowly, offered example scenarios to illustrate its points, and underscored its commitment to enforcing the HIPAA Privacy Rule against covered entities and business associates that violate the federal law. OCR’s key message is that covered entities can lawfully use or disclose protected health information “without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.” [bold emphasis and internal citations omitted]. Moreover, the guidance underscored that the HIPAA Privacy Rule allows but does not mandate disclosures when the conditions necessary for the applicable exceptions are present. The guidance is straightforward and, by itself, should not to be the source of much controversy.

That said, at the end, the guidance contains a critical disclaimer as follows that deserves a bit of attention:

The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or the Departments’ policies.

While guidance (whether a policy statement or interpretive rule) technically is considered “nonbinding,” it is generally not wise to deviate from the practices advised in agency guidance. Doing so could invite both individual complaints alleging violations and agency enforcement actions. For this reason, guidance has been described by some as having “quasi-binding character.” Governance by guidance—as opposed to agencies’ use of formal rulemaking under, e.g., the Administrative Procedure Act—has long been the subject of debate by law scholars. Critics have argued that guidance is “coercive” and undermines accountability, but supporters have countered that guidance enables agencies to provide clarity on the current interpretation of existing rules without requiring the agency to unnecessarily deplete agency resources for formal rulemaking involving notice and comment. As explained by a 2021 CRS Report, ultimately Congress has powers to rescind agency guidance, require an agency to follow its own guidance and impose procedural requirements for issuing guidance to keep agencies “in check.”

Disputes over access to protected health information must be anticipated by attorneys representing healthcare providers and healthcare providing organizations. The recent OCR guidance highlights what HIPAA requires, which should help with institutional decisions on how best to preserve health information privacy given local sociopolitical circumstances and how best to resist or respond to requests by law enforcement or others for health information. Nevertheless, it remains to be seen whether courts adjudicating disputes will find that the HIPAA Privacy Rule successfully shields patients’ protected health information from disclosure to law enforcement even in such states where forced birth laws have taken effect to target licensed healthcare professionals for providing medical services pursuant to prevailing standards of care.

Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also is Assistant Professor of Law, Policy and Engineering at the Pennsylvania State University. She has been a member of the PBA Cybersecurity & Data Privacy Committee since 2018, is a former contributing editor of the Genomics Law Report and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Science; Nature Communications; Nature Medicine; American Journal of Human Genetics; Human Genetics and Genomics Advances; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer. Views expressed are her own.